From 38f1b01896c3cc37bd0535d870106061a83f720c Mon Sep 17 00:00:00 2001
From: Titouan Soulard <titouan.soulard@rapid.space>
Date: Wed, 13 Mar 2024 10:57:26 +0100
Subject: [PATCH] recipe/certificate_authority: use UTF-8 for CA certificate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The CertificateAuthority tool in ERP5 uses UTF8 encoding for certificates, but by default OpenSSL does not. This cause an error when using non-ascii characters: ``` The localityName field is different between CA certificate and the request ``` To solve the problem, the Certificate Authority recipe should use the same encoding as ERP5, which requires adding `-utf8` option when invoking OpenSSL. For instance, creating a certificate with `localityName` 袦芯褋泻胁邪 will give the following with the default OpenSSL encoding: `\C3\90\C2\9C\C3\90\C2\BE\C3\91\C2\81\C3\90\C2\BA\C3\90\C2\B2\C3\90\C2\B0`. UTF8-encoding this same string gives `\D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0`, which is what ERP5 expects.
---
 .../certificate_authority/certificate_authority.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/slapos/recipe/certificate_authority/certificate_authority.py b/slapos/recipe/certificate_authority/certificate_authority.py
index 956264b57..d9d071fbf 100644
--- a/slapos/recipe/certificate_authority/certificate_authority.py
+++ b/slapos/recipe/certificate_authority/certificate_authority.py
@@ -45,10 +45,11 @@ class CertificateAuthority:
 os.unlink(f)
 try:
 # no CA, let us create new one
- popenCommunicate([self.openssl_binary, 'req', '-nodes', '-config',
- self.openssl_configuration, '-new', '-x509', '-extensions',
- 'v3_ca', '-keyout', self.key, '-out', self.certificate,
- '-days', '10950'], 'Certificate Authority %s\n' % uuid.uuid1())
+ popenCommunicate([self.openssl_binary, 'req', '-utf8', '-nodes',
+ '-config', self.openssl_configuration, '-new', '-x509',
+ '-extensions', 'v3_ca', '-keyout', self.key, '-out',
+ self.certificate, '-days', '10950'],
+ 'Certificate Authority %s\n' % uuid.uuid1())
 except:
 try:
 for f in file_list:
-- 
2.30.9
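Review bot: The `-utf8` flag is only added to the `req` call on the "no CA, let us create new one" path, so a CA certificate generated before this change keeps its old subject encoding and nothing in this hunk regenerates or flags it; instances with a non-ASCII `localityName` would presumably keep hitting the mismatch error quoted in the commit message. Any other OpenSSL invocation in this recipe that reads subject fields (request creation or signing, not visible here) would need the same flag for the encodings to agree. I would record the constraint next to the call, for example `# -utf8: subject fields are read as UTF-8 to match ERP5; a CA created without it keeps the old encoding and must be re-issued`. The enclosing method starts and ends outside the hunk, so whether a migration path exists elsewhere cannot be told from here.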