On 30/9/03 10:55 pm, Paul Bearer <[EMAIL PROTECTED]> wrote:

> Hi Chris,
>
> Thank you for your quick response. I love the intricacies of ASN.1 :)
>
> My real goal here is to be able to encode these SubjectAltName structures.
> Would you have any insight on the best way to create a structure like this?
>
> Anyways, the x509decode script can be found in the examples directory of your
> Convert-ASN1 unpack directory. Here's a pointer to the script on CPAN. It
> seems to work OK for parsing a certificate:
>
> http://search.cpan.org/src/GBARR/Convert-ASN1-0.17/examples/x509decode

OK, and it turns out that the extension value really *is* encapsulated
inside an OCTET STRING. (Typical X.509 brokenness.)

Your value isn't actually a SubjectAltName extension, it is an Extensions
structure, which is a SEQUENCE OF (i.e. array of) Extension, the array only
containing one extension - a SubjectAltName.

So to decode you need to do it in two steps. The first step is to decode
and get the array of Extension, and the second step is to decode each
Extension.

Using Norbert's x509decode script as a basis, this seems to work:

    my $exts = $asn->find("Extensions");
    my $san = $asn->find("SubjectAltName");

    my $e = $exts->decode($binSan);

    # So we look at the first extension, and decode that as a SubjectAltName.
    # Ideally we'd check $e->[0]->{extnID} against '2.5.29.17' first..
    my $s = $san->decode($e->[0]->{extnValue});

    # $s->[0]->{dNSName} is 'test1.hp.com'
    # $s->[1]->{dNSName} is 'test2.hp.com'
    # $s->[2]->{dNSName} is 'test3.hp.com'

Encoding a SubjectAltName is a simple matter of going in the opposite
direction ;-)

Cheers,

Chris
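
The opposite direction mentioned at the end of the reply, as an added example that is not part of the original thread or of Convert::ASN1's own examples: it encodes the inner SubjectAltName, wraps those bytes as the extnValue of an Extension, and decodes the result again with the extnID check in place. The trimmed ASN.1 module (three GeneralName alternatives, tags written as IMPLICIT) and the helper names encode_san_extensions and decode_san_dns_names are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Convert::ASN1;

# Trimmed definitions (assumption: only three GeneralName alternatives are
# modelled here; x509decode carries a fuller X.509 module).
my $asn = Convert::ASN1->new;
$asn->prepare(<<'ASN1') or die "prepare: " . $asn->error;
  Extensions ::= SEQUENCE OF Extension
  Extension ::= SEQUENCE {
    extnID    OBJECT IDENTIFIER,
    critical  BOOLEAN OPTIONAL,
    extnValue OCTET STRING
  }
  SubjectAltName ::= SEQUENCE OF GeneralName
  GeneralName ::= CHOICE {
    rfc822Name                [1] IMPLICIT IA5String,
    dNSName                   [2] IMPLICIT IA5String,
    uniformResourceIdentifier [6] IMPLICIT IA5String
  }
ASN1

my $SAN_OID = '2.5.29.17';    # id-ce-subjectAltName, as quoted in the post
my $exts = $asn->find('Extensions')     or die "no Extensions definition";
my $san  = $asn->find('SubjectAltName') or die "no SubjectAltName definition";

# Encode step 1: the inner list of names. Step 2: wrap those bytes as the
# OCTET STRING extnValue of one Extension inside the Extensions array.
sub encode_san_extensions {
    my @names = map { +{ dNSName => $_ } } @_;
    my $inner = $san->encode(\@names) // die "encode SAN: " . $san->error;
    return $exts->encode([ { extnID => $SAN_OID, extnValue => $inner } ])
        // die "encode Extensions: " . $exts->error;
}

# Decode in the two steps from the post, checking extnID before interpreting
# extnValue so another extension's bytes are never parsed as a SubjectAltName.
sub decode_san_dns_names {
    my ($der) = @_;
    my $list = $exts->decode($der) // die "decode Extensions: " . $exts->error;
    my @dns;
    for my $ext (@$list) {
        next unless $ext->{extnID} eq $SAN_OID;
        my $names = $san->decode($ext->{extnValue})
            // die "decode SAN: " . $san->error;
        push @dns, map { $_->{dNSName} } grep { exists $_->{dNSName} } @$names;
    }
    return @dns;
}

# Constructed sample input: the three host names from the post.
my $der = encode_san_extensions(qw(test1.hp.com test2.hp.com test3.hp.com));
print unpack('H*', $der), "\n";
print "$_\n" for decode_san_dns_names($der);
```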