Gerhard Gappmeier wrote:
| Hi,
Hello Gerhard,

| I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
| For the X509_NAME entries the same procedure works,
| but this ASN1_STRING seems to be different.
That is because only in the simple cases the extension data directly
contains the readable extension.

But the subjectAltName has the type "GeneralNames"
and "GeneralNames" is a sequence of "GeneralName"

So the way to decode a subjectAltName extension is to
use the X509_get_ext_d2i() function:

GENERAL_NAMES *names;   /* OpenSSL's C type for the ASN.1 "GeneralNames" */
STACK_OF(CONF_VALUE) *vals = sk_CONF_VALUE_new_null();

names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (names) {
        /* you now can use OpenSSL to transform the names into
           some printable format... */
        i2v_GENERAL_NAMES(NULL, names, vals);
        sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}

for(int i = 0; i < sk_CONF_VALUE_num(vals); i++) {
        CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i);
        ret.subjectAltName.appendNameValue(conf->name, conf->value);
}
sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free);

The following subject alt names can not be fetched because OpenSSL
can not display them:
 * otherName
 * x400Address
 * ediPartyName

The following values are simple text because they are of type ia5String:
 * rfc822Name
 * dNSName
 * uniformResourceIdentifier
Type ipAddress is also printed as simple text.
The type registeredID is also simple text.

The type directoryName may have conversion errors (I didn't check).

If you really need otherName, x400Address or ediPartyName,
you have to implement their conversion methods on your own.

For hints how to convert a GENERAL_NAME into something printable,
crypto/x509v3/v3_alt.c is a starter...


Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
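
Added example (not part of the original message, and not OpenSSL code): a minimal walker over the DER bytes of a subjectAltName value, showing why the extension data is a SEQUENCE of context-tagged GeneralName entries rather than a single string. The names der_hdr, san_list and SAMPLE are hypothetical and the sample bytes are constructed; real code should decode with X509_get_ext_d2i() as described in the message.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: DER of GeneralNames { dNSName, rfc822Name, iPAddress } */
static const unsigned char SAMPLE[] = { 0x30,0x1a, 0x82,0x0b,'e','x','a','m','p','l','e',
    '.','c','o','m', 0x81,0x05,'a','@','b','.','c', 0x87,0x04,192,0,2,1 };

/* Parse one DER header (one-byte tag; short or 1-2 byte long-form length).
   Returns the header size, or 0 if malformed or the value overruns the buffer. */
static size_t der_hdr(const unsigned char *p, size_t n, unsigned *tag, size_t *len)
{
    size_t i = 2, k;
    if (n < 2) return 0;
    *tag = p[0]; *len = p[1];
    if (p[1] & 0x80) {
        k = p[1] & 0x7f;
        if (k == 0 || k > 2 || n < 2 + k) return 0;
        for (*len = 0; k--; i++) *len = (*len << 8) | p[i];
    }
    return *len <= n - i ? i : 0;
}

/* Walk a subjectAltName value; write "choice:value" strings into out[].
   Returns the entry count, or -1 on malformed DER or an embedded NUL. */
int san_list(const unsigned char *der, size_t n, char out[][80], int max)
{
    static const char *name[9] = { "otherName", "rfc822Name", "dNSName", "x400Address",
        "directoryName", "ediPartyName", "uniformResourceIdentifier", "iPAddress",
        "registeredID" };
    unsigned tag, no; size_t len, h, off; int cnt = 0; const unsigned char *v;
    h = der_hdr(der, n, &tag, &len);
    if (!h || tag != 0x30) return -1;            /* GeneralNames is a SEQUENCE */
    for (der += h, n = len, off = 0; off < n && cnt < max; off += h + len, cnt++) {
        h = der_hdr(der + off, n - off, &tag, &len);
        if (!h || (tag & 0xc0) != 0x80 || (no = tag & 0x1f) > 8) return -1;
        v = der + off + h;                       /* value of context tag [no] */
        if (no == 1 || no == 2 || no == 6) {     /* the three IA5String choices */
            if (memchr(v, 0, len)) return -1;    /* NUL would truncate a C string */
            snprintf(out[cnt], 80, "%s:%.*s", name[no], (int)len, (const char *)v);
        } else if (no == 7 && len == 4)          /* IPv4 address as OCTET STRING */
            snprintf(out[cnt], 80, "%s:%d.%d.%d.%d", name[no], v[0], v[1], v[2], v[3]);
        else                                     /* needs a decoder of its own */
            snprintf(out[cnt], 80, "%s:<%lu bytes>", name[no], (unsigned long)len);
    }
    return cnt;
}
int main(void)
{
    char out[8][80];
    int i, n = san_list(SAMPLE, sizeof SAMPLE, out, 8);
    for (i = 0; i < n; i++) puts(out[i]);
    return n < 0;
}
```

The embedded-NUL rejection matters for any code that later treats a dNSName or rfc822Name as a C string, since the ASN.1 length and strlen() would otherwise disagree.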