Thank you very much Steve, I did it successfully...
We are issuing certificates because we're trying to realize our own CA (look at www.openca.org); in particular I'm working on the OCSP responder, and e-mail is still in the subject name in our certs.
I'll write you soon with other questions.. :)
bye

-----Original message-----
From: Dr Stephen Henson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Sunday, 9 May 1999 15.18
Subject: Re: get e-mail and name from cert

>> Andrea e Luca Giacobazzi wrote:
>>
>> Hi everybody,
>> I'm working inside the routine ssl_callback_verify, in module
>> ssl_engine_kernel.c
>> and I need to get subject e-mail, subject name (which are inside
>> X509_NAME structure)
>> and certificate serial number from the X509* xs data. Exactly I catch
>> X509_NAME* with
>> routine X509_get_subject_name(X509* xs), and then I need to extract CN
>> (common name)
>> and E-Mail from X509_NAME and put them in two strings (char*) in C
>> language.
>> Any suggestions?
>>
>
>Have a look at the stuff in crypto/x509/x509name.c there are several
>functions in there that do what you want.
>
>For CN you can start with:
>
>len = X509_NAME_get_text_by_NID(subj, NID_commonName, NULL, 0);
>to get the length, then:
>X509_NAME_get_text_by_NID(subj, NID_commonName, buf, len + 1);
>
>This will work provided the CN is one of the ASCII compatible types,
>that is not a BMPSTRING or UTF8String, if it is you'll need to get the
>index using X509_NAME_get_index_by_NID(), the entry with
>X509_NAME_get_entry() and the ASN1_STRING value with
>X509_NAME_ENTRY_get_data() then you can check the type and do any ASCII
>conversion needed. You'll need to do this anyway if there is more than
>one CN in the certificate.
>
>Email is a bit easier because it's an ASCII type (IA5STRING) and you can
>do:
>len = X509_NAME_get_text_by_NID(subj, NID_pkcs9_emailAddress, NULL, 0);
>etc.
>
>If there is more than one email address then you can use the
>X509_NAME_get_index_by_NID() stuff to get each one as above.
>
>That's not the complete story though. PKIX recommends that the email
>address is *NOT* placed in the subject name but instead placed in the
>issuer alternative name extension. Not many certificates follow this
>convention (yet) but if you come across one you might need to handle
>this. If you do come across one like this then you need to use the
>extension code to access the extension and decode it and finally look
>through the STACK_OF(GENERAL_NAME) for the email entry or entries. Doing
>this is currently a bit messy: I'll add a few extension helper functions
>to make this a bit easier.
>
>Steve.
>--
>Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED]
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>Development Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
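
The reply above says that a CN stored as a BMPSTRING or UTF8String, or repeated in the name, needs a per-entry type check before it is treated as a C string. The block below is an added example, not code from the thread or from OpenSSL: a stand-alone C walker over a DER-encoded Name that performs that check without the library, returning the idx-th value of an attribute as ASCII and refusing values with embedded NUL, control or non-ASCII characters. The names `tlv`, `name_get_ascii`, `OID_CN`, `OID_EMAIL` and the -1/-2 return codes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Attribute type OIDs (DER content bytes): commonName, pkcs9 emailAddress. */
static const uint8_t OID_CN[] = {0x55, 0x04, 0x03};
static const uint8_t OID_EMAIL[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01};

/* Read one DER header at *p, bounded by end; on success *p points at the value. */
static int tlv(const uint8_t **p, const uint8_t *end, unsigned *tag, size_t *len) {
    const uint8_t *q = *p;
    if (end - q < 2) return 0;
    *tag = q[0]; *len = q[1]; q += 2;
    if (*len & 0x80) {                          /* long form: 1 or 2 length bytes */
        size_t n = *len & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - q) < n) return 0;
        for (*len = 0; n > 0; n--) *len = *len << 8 | *q++;
    }
    if ((size_t)(end - q) < *len) return 0;     /* value must fit in the buffer */
    *p = q; return 1;
}

/* Example helper (not an OpenSSL API): copy the idx-th value of attribute `oid` from a DER
   Name as ASCII. Returns its length, -1 if absent, -2 if malformed, too long or unsafe. */
int name_get_ascii(const uint8_t *der, size_t n, const uint8_t *oid, size_t oidlen,
                   int idx, char *out, size_t outsz) {
    const uint8_t *p = der, *end = der + n;
    unsigned tag; size_t len, k = 0;
    while (p < end) {
        if (!tlv(&p, end, &tag, &len)) return -2;
        if (tag == 0x30 || tag == 0x31) continue;   /* step into SEQUENCE / SET */
        if (tag != 0x06) return -2;                 /* attribute type OID expected */
        int match = len == oidlen && memcmp(p, oid, len) == 0;
        p += len;
        if (!tlv(&p, end, &tag, &len)) return -2;   /* attribute value */
        const uint8_t *v = p;
        p += len;
        if (!match || idx-- > 0) continue;          /* repeated attribute: want idx-th */
        /* PrintableString, IA5String, UTF8String: 1 byte per char; BMPString: 2 */
        if (tag != 0x13 && tag != 0x16 && tag != 0x0c && tag != 0x1e) return -2;
        size_t step = tag == 0x1e ? 2 : 1;
        if (len % step || len / step >= outsz) return -2;
        for (size_t i = 0; i < len; i += step) {
            unsigned c = step == 2 ? (unsigned)v[i] << 8 | v[i + 1] : v[i];
            if (c < 0x20 || c > 0x7e) return -2;    /* NUL, control or non-ASCII */
            out[k++] = (char)c;
        }
        out[k] = '\0';
        return (int)k;
    }
    return -1;
}
```

Calling it with idx 0, 1, 2 and so on until it returns -1 enumerates every value of a repeated attribute; on a -2 result the contents of `out` should be ignored.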
