Hello, I was trying to use the GNUTLS_SAN_IPADDRESS type for the API gnutls_x509_crt_set_subject_alternative_name( ).
I notice that when an X509v3 certificate is created using the certtool API, the IP ADDRESS field in the packet is not being parsed by OpenSSL or the XCA tool (OpenSSL shows the field as invalid).

On further investigation, I got the following excerpt from RFC 2459 (for X.509):

RFC 2459, Internet X.509 Public Key Infrastructure, January 1999

"When the subjectAltName extension contains a iPAddress, the address MUST be stored in the octet string in "network byte order," as specified in RFC 791 [RFC 791]. The least significant bit (LSB) of each octet is the LSB of the corresponding byte in the network address. For IP Version 4, as specified in RFC 791, the octet string MUST contain exactly four octets."

But I see from the GnuTLS and certtool source code that we never convert the char* to a network-byte-ordered octet (for the IPADDRESS) (I traced from gnutls_x509_crt_set_subject_alternative_name in the GnuTLS source code). We just go ahead with encoding the char* data in the certificate.

Is there something that I am missing? Or is it a bug? If yes, could you please tell me an alternative method to have an IP address in the subject alternative name?

Any help here is very valuable to me and is appreciated.

Thanks,
Mahesh.
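The conversion that the quoted RFC 2459 text requires, as an added example that is not part of the original post and is not GnuTLS or certtool code: it turns a textual address into network-byte-order octets with POSIX inet_pton and wraps them as a DER iPAddress GeneralName (context tag 7, byte 0x87). The function names and sample addresses are constructed for illustration, and the IPv6 case (sixteen octets) goes beyond the IPv4 rule quoted above.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Encode a textual IPv4/IPv6 address as a DER GeneralName iPAddress:
 * [7] IMPLICIT OCTET STRING -> 0x87, length, address octets.
 * Returns the number of bytes written, or -1 on bad input or short buffer.
 * (Hypothetical helper, not a GnuTLS function.) */
int encode_san_ip(const char *text, unsigned char *out, size_t outlen)
{
    unsigned char addr[16];
    size_t n;

    /* inet_pton writes the address in network byte order. */
    if (inet_pton(AF_INET, text, addr) == 1)
        n = 4;
    else if (inet_pton(AF_INET6, text, addr) == 1)
        n = 16;
    else
        return -1;
    if (outlen < n + 2)
        return -1;
    out[0] = 0x87;                 /* context-specific, primitive, tag 7 */
    out[1] = (unsigned char)n;     /* short-form DER length */
    memcpy(out + 2, addr, n);
    return (int)(n + 2);
}

/* Length rule for the octet string: 4 octets for IPv4, 16 for IPv6. */
int san_ip_len_ok(size_t len)
{
    return len == 4 || len == 16;
}

int main(void)
{
    const char *text = "192.0.2.10";   /* constructed sample address */
    unsigned char der[18];
    int n = encode_san_ip(text, der, sizeof der);

    for (int i = 0; i < n; i++)
        printf("%02x ", der[i]);
    printf("\n");
    /* Storing the char* text itself would give strlen(text) octets. */
    printf("text as octets: %zu bytes, length valid: %d\n",
           strlen(text), san_ip_len_ok(strlen(text)));
    return 0;
}
```

The four bytes after the tag and length are what belong in the extension; the ten ASCII bytes of the dotted string do not satisfy the length rule.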
