> > > > 
> > > > I have some code to extract a DNS field from subjectAltName extensions
> > > > in X509v3 certificates in the function below. It is based on example 5-8
> > > > in the book "Network Security with OpenSSL" by Viega, Messier and
> > > > Chandra.

An extract from curl's certificate host-name verification code (the part that walks the subjectAltName entries; the surrounding function, which sets `target`, `matched`, `addr`/`addrlen` and frees nothing else, is not shown):
Copyright (c) 1996 - 2004, Daniel Stenberg, <[EMAIL PROTECTED]>.
All rights reserved.

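  /* Walk the subjectAltName extension of the server certificate and compare
     every entry of the caller's chosen kind against the server we connected
     to.  Names from the caller's scope (not visible here, so hedged):
       target   - GEN_DNS or GEN_IPADD, the kind of identifier to match
       matched  - result flag, set to TRUE on the first match
       conn->hostname - the host name the user asked for (GEN_DNS case)
       addr/addrlen   - the server's binary IP address and its size (GEN_IPADD)
     The ASN.1 payload of an altName is NOT guaranteed to be NUL-terminated
     and may even contain embedded NULs, so every comparison below is bounded
     by the ASN.1 length, never by strlen() of the certificate data. */
  altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);

  if(altnames) {
    int hostlen = 0;
    int domainlen = 0;
    char *domain = NULL;   /* hostname from its first '.' on, e.g. ".example.com" */
    int numalts;
    int i;

    if(GEN_DNS == target) {
      hostlen = (int)strlen(conn->hostname);
      /* A wildcard entry "*.example.com" is compared against the part of the
         hostname starting at its FIRST dot.  Because the left-most label is
         taken as a whole, "*.example.com" matches "www.example.com" but not
         "a.b.example.com" - one label only, as RFC 6125 section 6.4.3 wants. */
      domain = strchr(conn->hostname, '.');
      if(domain)
        domainlen = (int)strlen(domain);
    }

    /* RFC 2459 says the sequence MUST contain at least one name, but an
       empty one is handled gracefully (the loop simply does not run). */
    numalts = sk_GENERAL_NAME_num(altnames);

    /* loop through all alternatives while none has matched */
    for(i = 0; (i < numalts) && !matched; i++) {
      /* get a handle to alternative name number i */
      const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);

      /* only check alternatives of the same type the target is */
      if(check->type == target) {
        /* d.ia5 is used for both kinds as in the original; for GEN_IPADD the
           payload is the raw 4- or 16-byte address, not text */
        const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
        const int altlen = ASN1_STRING_length(check->d.ia5);

        /* An empty entry can never match and must not be dereferenced:
           altptr[0] below is only valid when altlen > 0. */
        if(altlen <= 0)
          continue;

        switch(target) {
        case GEN_DNS: /* name comparison, case-insensitive as DNS names are */
          /* Is this an exact match?  Comparing lengths first means an entry
             with an embedded NUL ("www.good.com\0.evil.com") cannot match
             the shorter "www.good.com". */
          if((hostlen == altlen) &&
             curl_strnequal(conn->hostname, altptr, hostlen))
            matched = TRUE;

          /* Is this a wildcard match?  Conditions beyond the original:
             - the hostname must actually have a domain part (domain != NULL).
               Without this a bare "*" entry (altlen 1, domainlen 0) matched
               every dotless host name and passed NULL to curl_strnequal;
             - the wildcard must be "*." followed by at least two labels, so
               a certificate for "*.com" cannot match every host in a TLD.
             Everything else is as before: the text after '*' must equal the
             hostname from its first dot onwards, length-bounded. */
          else if((altptr[0] == '*') &&
                  (altlen >= 2) && (altptr[1] == '.') &&
                  domain && strchr(domain + 1, '.') &&
                  (domainlen == altlen - 1) &&
                  curl_strnequal(domain, altptr + 1, domainlen))
            matched = TRUE;
          break;

        case GEN_IPADD: /* IP address comparison */
          /* compare the binary address only if the entry is exactly as long
             as our address (4 bytes IPv4 / 16 bytes IPv6) */
          if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
            matched = TRUE;
          break;

        default:
          /* other GENERAL_NAME kinds (email, URI, ...) are never targets */
          break;
        }
      }
    }
    GENERAL_NAMES_free(altnames);
  }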