On Wed, Sep 22, 2010 at 05:48:07PM +0530, Naveen B.N wrote: > Thank you Christian, > your suggestions helped us to get the position but as you mentioned the > problem > of resolving to kerberos principal name, I tried Google and added a > piece of code > but I am not getting the output as shown below. > > #include <stdio.h> > #include <string.h> > > #include <openssl/sha.h> > #include <openssl/hmac.h> > #include <openssl/evp.h> > #include <openssl/bio.h> > #include <openssl/buffer.h> > #include <openssl/x509.h> > #include <openssl/x509v3.h> > #include <sys/types.h> > #include <sys/stat.h> > #include <unistd.h> > > #define CERT_INFO_MAX_ENTRIES 15 > #define CERT_INFO_SIZE 10
/* http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName } Maybe this is already defined somewhere in OpenSSL - I didn't find it. */
/* ASN.1 template for the id-pkinit-san otherName value (KRB5PrincipalName).
 * KRB5_PRINCNAME is not declared anywhere in this snippet; the code below
 * expects it to carry an ASN1_INTEGER `nametype` and a
 * STACK_OF(ASN1_GENERALSTRING) `namestring` (the PrincipalName SEQUENCE) --
 * confirm that template exists before building. ASN1_SEQUENCE /
 * IMPLEMENT_ASN1_FUNCTIONS need <openssl/asn1t.h>, which the include list
 * quoted above does not contain. */
typedef struct kdc_princname_st { ASN1_GENERALSTRING *realm; KRB5_PRINCNAME *princname; } KDC_PRINCNAME;
ASN1_SEQUENCE(KDC_PRINCNAME) = { ASN1_EXP(KDC_PRINCNAME, realm, ASN1_GENERALSTRING, 0), ASN1_EXP(KDC_PRINCNAME, princname, KRB5_PRINCNAME, 1) } ASN1_SEQUENCE_END(KDC_PRINCNAME)
/* Generates d2i_KDC_PRINCNAME / i2d_KDC_PRINCNAME / KDC_PRINCNAME_new / KDC_PRINCNAME_free. */
IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME)
/* Walks the subject-alt-name extension of x509 looking for otherName entries
 * whose type-id is id-pkinit-san (1.3.6.1.5.2.2) and, in the part shown here,
 * prints the realm, name-type and name-string components of each one.
 * Returns NULL when the certificate has no SAN extension or the OID cannot be
 * resolved. The visible portion never populates or returns `entries`, and the
 * function body is truncated below (see the note at the end). */
> static char **cert_info_kpn(X509 *x509) {
> int i,j;
> static char *entries[CERT_INFO_SIZE];
> STACK_OF(GENERAL_NAME) *gens;
> GENERAL_NAME *name;
> ASN1_OBJECT *krb5PrincipalName;
> printf("Trying to find a Kerberos Principal Name in
> certificate");
> gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
> krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
> if (!gens) {
> printf("No alternate name extensions");
> return NULL; /* no alternate names */
> }
> if (!krb5PrincipalName) {
> printf("Cannot map KPN object");
> return NULL;
> }
/* j doubles as the count of accepted entries and bounds the loop at CERT_INFO_MAX_ENTRIES. */
> for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) &&
> (j<CERT_INFO_MAX_ENTRIES); i++) {
> name = sk_GENERAL_NAME_value(gens, i);
> if ( name && name->type==GEN_OTHERNAME ) { /* test for
> UPN */
/* OBJ_cmp() returns 0 on a match, so a non-zero result means "not our OID". */
> if (OBJ_cmp(name->d.otherName->type_id,
> krb5PrincipalName)) continue; /* object is not a UPN */
> else {
> /* NOTE:
> from PKINIT RFC, I deduce that stored format for
> kerberos
> Principal Name is ASN1_STRING, but not sure at 100%
> Any help will be granted
> */
> unsigned char *txt;
> ASN1_TYPE *val = name->d.otherName->value;
/* NOTE(review): val->type is never checked before the union member
 * val->value.asn1_string is read; it is only meaningful for string-typed
 * values, and this data comes straight from the certificate's SAN. Check the
 * tag (and that str is non-NULL) before handing the bytes to the DER parser. */
> ASN1_STRING *str= val->value.asn1_string;
> printf("Found Kerberos Principal Name ");
unsigned char * p = str->data;
KDC_PRINCNAME *pn = d2i_KDC_PRINCNAME(NULL, &p, str->length);
/* NOTE(review): d2i_KDC_PRINCNAME() returns NULL when the encoding is
 * malformed, and nothing below checks pn, pn->realm or pn->princname before
 * dereferencing them, so a bad SAN value crashes here. Bail out (and skip the
 * entry) when pn is NULL. */
KRB5_PRINCNAME *princname = pn->princname;
/* NOTE(review): "%*s" uses the length as a minimum field *width*; printf
 * still reads realm->data up to a NUL, so a realm that is not NUL-terminated
 * over-reads. "%.*s" (precision) bounds the read by the length. The same
 * applies to the "[%i] %*s" printf in the loop below. */
printf("Realm '%*s'\nNAMETYPE: %ld\n", pn->realm->length, pn->realm->data, ASN1_INTEGER_get(princname->nametype));
/* NOTE(review): this loop reuses j, which the outer loop uses as its
 * entry counter and bound; reusing it here clobbers that count. Use a
 * separate index for the name-string components. */
for (j=0; j<sk_ASN1_GENERALSTRING_num(princname->namestring); j++) {
ASN1_GENERALSTRING *gs = sk_ASN1_GENERALSTRING_value(princname->namestring,j);
printf("[%i] %*s\n", j, gs->length, gs->data);
}
/* The remainder of cert_info_kpn is not shown: the closing braces, whatever
 * fills and returns `entries`, and the release of pn (KDC_PRINCNAME_free) and
 * gens (the X509_get_ext_d2i result) on every exit path -- neither is freed
 * in the visible code. `txt` is declared but unused in the visible part. */
Cheers Christian
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org