Dear John,
On Wed, Nov 14, 2018 at 3:59 PM John Levine <john.levine@standcore.com> wrote:
> On Wed, 14 Nov 2018, Dmitry Belyavsky wrote:
>> OpenSSL team does not want to link OpenSSL with, say, libidn (and to
>> implement IDN conversion inside the library for domains).
>> I've found out that 2-3 functions inherited from RFC 3492 will fit all the
>> purposes necessary to implement RFC 8399.
>
> Wait -- surely you know that you can't just punycode any old UTF-8 and
> expect it to work.  I can understand why openssl wouldn't want all of
> libidn2 but at least you need to check that the strings are all valid
> IDNA2008 code points.
>
> If you don't, you're going to have hard-to-find bugs with names that look
> the same but aren't normalized so comparisons will fail.

If I read RFC 8398 correctly, to verify the chain we do not need to punycode anything.
We need to unpunycode to compare email with nameConstraints.

--
SY, Dmitry Belyavsky
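The following is an added illustration of the two points in this exchange, not code from the thread or from OpenSSL: a Punycode decoder written from the RFC 3492 algorithm (the "unpunycode" direction Dmitry says is needed), and a comparison of an smtpUTF8Mailbox-style address against an rfc822Name constraint whose domain is given as A-labels. The NFC step shows John's caveat in practice: an address carrying "e" plus combining acute and a constraint decoding to precomposed "é" look identical but compare unequal unless both sides are normalized. The constraint matching rules (".example" for subdomains, "example" for the exact host) and the sample addresses are assumptions for the example; validating that decoded code points are permitted by IDNA2008, which John asks for, is deliberately out of scope here.

```python
import unicodedata

# RFC 3492 Bootstring parameters for Punycode.
BASE, TMIN, TMAX, SKEW, DAMP = 36, 1, 26, 38, 700
INITIAL_BIAS, INITIAL_N = 72, 128


def _digit_value(ch: str) -> int:
    """Map a Punycode digit (a-z, 0-9, case-insensitive) to 0..35."""
    low = ch.lower()
    if "a" <= low <= "z":
        return ord(low) - ord("a")
    if "0" <= ch <= "9":
        return ord(ch) - ord("0") + 26
    raise ValueError(f"invalid punycode digit {ch!r}")


def _adapt(delta: int, numpoints: int, first_time: bool) -> int:
    """Bias adaptation function from RFC 3492 section 6.1."""
    delta = delta // DAMP if first_time else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + ((BASE - TMIN + 1) * delta) // (delta + SKEW)


def punycode_decode(encoded: str) -> str:
    """Decode one Punycode string (the part after 'xn--'), RFC 3492 section 6.2."""
    pos = encoded.rfind("-")
    if pos >= 0:
        output = list(encoded[:pos])   # basic (ASCII) code points come first
        encoded = encoded[pos + 1:]
    else:
        output = []
    if any(ord(c) >= 0x80 for c in output):
        raise ValueError("basic code points must be ASCII")
    n, i, bias = INITIAL_N, 0, INITIAL_BIAS
    idx = 0
    while idx < len(encoded):
        old_i, w, k = i, 1, BASE
        while True:                     # read one variable-length delta
            if idx >= len(encoded):
                raise ValueError("truncated punycode input")
            digit = _digit_value(encoded[idx])
            idx += 1
            i += digit * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        bias = _adapt(i - old_i, len(output) + 1, old_i == 0)
        n += i // (len(output) + 1)
        i %= len(output) + 1
        if n > 0x10FFFF:
            raise ValueError("decoded code point out of range")
        output.insert(i, chr(n))        # insert the non-basic code point
        i += 1
    return "".join(output)


def to_ulabel_domain(domain: str) -> str:
    """Turn every 'xn--' A-label into its U-label, NFC-normalize, lowercase ASCII.
    Assumption for this example: no IDNA2008 code point validation is done."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            labels.append(punycode_decode(label[4:]))
        else:
            labels.append(label)
    joined = unicodedata.normalize("NFC", ".".join(labels))
    return "".join(c.lower() if c.isascii() else c for c in joined)


def mailbox_domain_matches(mailbox: str, constraint_domain: str) -> bool:
    """Does the domain of a UTF-8 mailbox fall under an rfc822Name constraint
    domain? Assumed rules: '.example' matches subdomains, 'example' matches
    that host exactly. The local part is not compared."""
    local, _, domain = mailbox.rpartition("@")
    if not local or not domain:
        return False
    domain = to_ulabel_domain(domain)
    constraint = to_ulabel_domain(constraint_domain)
    if constraint.startswith("."):
        return domain.endswith(constraint)
    return domain == constraint


if __name__ == "__main__":
    # Constructed sample inputs: same visible name, different code point sequences.
    print(punycode_decode("caf-dma"))                                   # café
    print(mailbox_domain_matches("jörg@café.example", "xn--caf-dma.example"))
    print(mailbox_domain_matches("jörg@cafe\u0301.example", "xn--caf-dma.example"))
```

The second and third checks both succeed only because `to_ulabel_domain` normalizes to NFC before comparing; dropping that call makes the decomposed form fail the constraint, which is exactly the hard-to-find mismatch the thread warns about.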