> Andrea e Luca Giacobazzi wrote:
> 
> Hi everybody,
> I'm working inside the routine ssl_callback_verify, in module
> ssl_engine_kernel.c
> and I need to get subject e-mail, subject name (which are inside
> X509_NAME structure)
> and certificate serial number from the X509* xs data. Exactly I catch
> X509_NAME* with
> routine X509_get_subject_name(X509* xs), and then I need to extract CN
> (common name)
> and E-Mail from X509_NAME and put them in two strings (char*) in C
> language.
> Any suggestions?
> 

Have a look at the stuff in crypto/x509/x509name.c there are several
functions in there that do what you want.

For CN you can start with:

len = X509_NAME_get_text_by_NID(subj, NID_commonName, NULL, 0);
to get the length, then:
X509_NAME_get_text_by_NID(subj, NID_commonName, buf, len + 1);

This will work provided the CN is one of the ASCII compatible types,
that is, not a BMPSTRING or UTF8String. If it is, you'll need to get the
index using X509_NAME_get_index_by_NID(), the entry with
X509_NAME_get_entry() and the ASN1_STRING value with
X509_NAME_ENTRY_get_data(); then you can check the type and do any ASCII
conversion needed. You'll need to do this anyway if there is more than
one CN in the certificate.

Email is a bit easier because it's an ASCII type (IA5STRING) and you can
do:
len = X509_NAME_get_text_by_NID(subj, NID_pkcs9_emailAddress, NULL, 0);
etc.

If there is more than one email address then you can use the
X509_NAME_get_index_by_NID() stuff to get each one as above.

That's not the complete story though. PKIX recommends that the email
address is *NOT* placed in the subject name but instead placed in the
issuer alternative name extension. Not many certificates follow this
convention (yet) but if you come across one you might need to handle
this. If you do come across one like this then you need to use the
extension code to access the extension and decode it and finally look
through the STACK_OF(GENERAL_NAME) for the email entry or entries. Doing
this is currently a bit messy: I'll add a few extension helper functions
to make this a bit easier.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
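
The "check the type and do any ASCII conversion needed" step from the reply above, as an added example that is not part of the original mail or of OpenSSL. The helper name is hypothetical, the tag constants are the universal ASN.1 tag numbers, and the caller is assumed to pass the type, data pointer and length of the ASN1_STRING returned by X509_NAME_ENTRY_get_data().

```c
#include <stddef.h>

/* Universal ASN.1 tag numbers (the values behind OpenSSL's V_ASN1_* macros). */
enum { TAG_UTF8STRING = 12, TAG_PRINTABLESTRING = 19,
       TAG_IA5STRING = 22, TAG_BMPSTRING = 30 };

/* Constructed sample values, not taken from a real certificate. */
static const unsigned char SAMPLE_BMP[] = {0, 'B', 0, 'o', 0, 'b'};
static const unsigned char SAMPLE_NUL[] = {'a', '.', 'o', 'r', 'g', 0, '.', 'x'};

/* Hypothetical helper: convert one name-entry value (type, bytes, length) to
 * a NUL-terminated ASCII string. Returns its length, or -1 if the type is
 * unsupported, the buffer is too small, or any character is outside
 * printable ASCII. That includes an embedded NUL, which would otherwise
 * make later strcmp()-style checks see a shortened name. */
int name_value_to_ascii(int tag, const unsigned char *data, size_t len,
                        char *out, size_t outsz)
{
    size_t step, i, n = 0;

    if (outsz == 0)
        return -1;
    switch (tag) {
    case TAG_PRINTABLESTRING:
    case TAG_IA5STRING:
    case TAG_UTF8STRING:            /* ASCII is the one-byte subset of UTF-8 */
        step = 1;
        break;
    case TAG_BMPSTRING:             /* big-endian UCS-2, two bytes per char */
        if (len % 2 != 0)
            return -1;
        step = 2;
        break;
    default:
        return -1;
    }
    for (i = 0; i < len; i += step) {
        unsigned int c = data[i];
        if (step == 2)              /* high byte must be zero for ASCII */
            c = data[i] != 0 ? 0x100 : data[i + 1];
        if (c < 0x20 || c > 0x7e || n + 1 >= outsz)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}
```

Calling it once per index returned by X509_NAME_get_index_by_NID() covers the multiple-CN and multiple-email cases the reply mentions.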

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]