Commit 8911fedcda for openssl.org
commit 8911fedcda3075bdcd172fb9f6f1425b87b58bdf
Author: Tomas Mraz <tomas@openssl.org>
Date: Tue Mar 17 12:37:11 2026 +0100
ca.c: Partially revert incorrect simplification of string check
Fixes 25c2ada89
Fixes Coverity 1688667
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 18 13:32:01 2026
(Merged from https://github.com/openssl/openssl/pull/30460)
diff --git a/apps/ca.c b/apps/ca.c
index 208d22286d..d167b21d43 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1522,14 +1522,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
"\nemailAddress type needs to be of type IA5STRING\n");
goto end;
}
- j = ASN1_PRINTABLE_type(ASN1_STRING_get0_data(str),
- ASN1_STRING_length(str));
- if ((type == V_ASN1_T61STRING && j != V_ASN1_T61STRING)
- || (type == V_ASN1_IA5STRING && type == V_ASN1_PRINTABLESTRING)) {
- BIO_puts(bio_err,
- "\nThe string contains characters that are illegal for the"
- " ASN.1 type\n");
- goto end;
+ if (type != V_ASN1_BMPSTRING && type != V_ASN1_UTF8STRING) {
+ j = ASN1_PRINTABLE_type(ASN1_STRING_get0_data(str),
+ ASN1_STRING_length(str));
+ if ((j == V_ASN1_T61STRING && type != V_ASN1_T61STRING)
+ || (j == V_ASN1_IA5STRING && type == V_ASN1_PRINTABLESTRING)) {
+ BIO_puts(bio_err,
+ "\nThe string contains characters that are illegal for the"
+ " ASN.1 type\n");
+ goto end;
+ }
}
if (default_op)
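Review bot: The restored check `if ((j == V_ASN1_T61STRING && type != V_ASN1_T61STRING) || (j == V_ASN1_IA5STRING && type == V_ASN1_PRINTABLESTRING))` carries no comment saying what it enforces. The removed lines show the earlier simplification left the second clause always false (`type == V_ASN1_IA5STRING && type == V_ASN1_PRINTABLESTRING`), so a PRINTABLESTRING field with characters outside that set would no longer have been rejected before the request was signed. A comment above the outer `if` would guard against a repeat, e.g. `/* j is the narrowest type that fits the bytes: reject 8-bit data unless declared T61STRING, and characters outside the PrintableString set in a PRINTABLESTRING; BMPSTRING and UTF8STRING are multi-byte encodings and are not checked here */`. The commit message credits Coverity with catching the regression, so a `ca` test case with a request whose PrintableString field holds such a character would be worth adding if none exists outside this diff. do_body starts and ends outside the hunk.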