fix encoding BMPString in x509 name entries (#4321)

Previously we encoded them as UTF-8, but as best I can tell in reality a
BMPString is fixed-width basic multilingual plane big endian encoding.
This is basically UCS-2 (aka original Unicode). However, Python doesn't
support UCS-2 encoding so we need to use utf_16_be. This means you can encode
surrogate code points that are invalid in the context of what a
BMPString is supposed to be, but in reality I strongly suspect the sane
encoding ship has sailed and dozens if not hundreds of implementations
both do this and expect other systems to handle their nonsense.

1 files changed, 18 insertions, 0 deletions

diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 7f9f1830..fe57784a 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -4092,6 +4092,24 @@ class TestName(object):
             b"b060355040a0c0450794341"
         )
 
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_bmpstring_bytes(self, backend):
+        # For this test we need an odd length string. BMPString is UCS-2
+        # encoded so it will always be even length and OpenSSL will error if
+        # you pass an odd length string without encoding it properly first.
+        name = x509.Name([
+            x509.NameAttribute(
+                NameOID.COMMON_NAME,
+                u'cryptography.io',
+                _ASN1Type.BMPString
+            ),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+        ])
+        assert name.public_bytes(backend) == binascii.unhexlify(
+            b"30383127302506035504031e1e00630072007900700074006f00670072006100"
+            b"7000680079002e0069006f310d300b060355040a0c0450794341"
+        )
+
 
 def test_random_serial_number(monkeypatch):
     sample_data = os.urandom(20)