Re: Getting hostname with openssl library
On 2009.10.19 at 17:40:11 -0400, Victor Duchovni wrote:

> On Mon, Oct 19, 2009 at 01:34:38PM -0500, William wrote:
>
> > I am looking for the way to read a certificate from disk in C code and get the hostname (CN) inside that certificate in the C code using the openssl library.
>
> Sadly, a rather complex task in general:
>
> - The subject DN could contain multiple CN values, what does such a certificate mean?
> - The certificate may have a subjectAlternativeName extension, that lists a set of hostname values valid for the certificate.

There is a function X509_get1_email in the OpenSSL crypto library, which does almost the same thing for e-mail addresses as Victor requested for the hostnames. Maybe looking into the source code of this function would be helpful.

But it should be noted that there is more than one field type in the GENERAL_NAME which can hold hostnames. For some applications it would be the URI field type, for others maybe dNSName.

> - The certificate CN may be encoded via a multi-byte encoding.

This is no problem; it is what the ASN1_STRING_to_UTF8 function is for.

BTW, may someone point me to some document which specifies how IDNs should be represented in the certificate: should they be specified in their human-readable form or in the representation used for DNS lookups?

> - The CN or subjectAltName may contain embedded NUL bytes.

You can compare the return value of ASN1_STRING_to_UTF8 (which is the number of characters in the converted string) with the result of strlen on the resulting string, and if they don't match, ring a bell.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Getting hostname with openssl library
A better question is to match a given hostname against a certificate and determine whether it obeys the https rules. There can be multiple hostnames and wild cards. The code implemented by curl is a complete way to do this.

/PS
Re: Getting hostname with openssl library
On 2009.10.20 at 10:11:46 +0200, Peter Sylvester wrote:

> A better question is to match a given hostname against a certificate and determine whether it obeys the https rules. There can be multiple hostnames and wild cards. The code implemented by curl is a complete way to do this.

Hmm, the license of CURL seems not to have any incompatibilities with the OpenSSL license. Maybe this code should be considered to be moved into the OpenSSL library? At least to the set of examples provided with OpenSSL. Better, as an API function in libssl, with an appropriate switch in the s_client utility, so all users of the library can use robust and well-tested code.
Re: Getting hostname with openssl library
On Tue, Oct 20, 2009 at 10:11:46AM +0200, Peter Sylvester wrote:

> A better question is to match a given hostname against a certificate and determine whether it obeys the https rules. There can be multiple hostnames and wild cards. The code implemented by curl is a complete way to do this.

This code only handles the NUL byte issue in the latest 7.19.6 release, so don't copy the code from earlier versions. It does not support subjectAltName extensions. Otherwise, it is indeed essentially what is required.

--
Viktor.
Re: Getting hostname with openssl library
> It does not support subjectAltName extensions.

The SubjectAltName extension has been supported for an eternity, more than 5 years ???
Re: Getting hostname with openssl library
On Tue, Oct 20, 2009 at 05:46:56PM +0200, Peter Sylvester wrote:

> > It does not support subjectAltName extensions.
>
> The SubjectAltName extension has been supported for an eternity, more than 5 years ???

Oops, sorry, you are right, I failed to notice the code that does this just above the CN code. So, indeed, this looks fairly complete, provided one is using the latest version.

--
Viktor.
Getting hostname with openssl library
I am looking for the way to read a certificate from disk in C code and get the hostname (CN) inside that certificate in the C code using the openssl library.
Re: Getting hostname with openssl library
On Mon, Oct 19, 2009 at 01:34:38PM -0500, William wrote:

> I am looking for the way to read a certificate from disk in C code and get the hostname (CN) inside that certificate in the C code using the openssl library.

Sadly, a rather complex task in general:

- The subject DN could contain multiple CN values; what does such a certificate mean?
- The certificate may have a subjectAlternativeName extension that lists a set of hostname values valid for the certificate.
- The certificate CN may be encoded via a multi-byte encoding.
- The CN or subjectAltName may contain embedded NUL bytes.

If you only look at certificates generated in a closed environment, you can eliminate some of these complications. For dealing with certs of potentially hostile entities, you need a reasonably defensive approach.

--
Viktor.
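As an added example that is not part of the thread (and not curl's or OpenSSL's code), the C below ties together Victor's list of complications, the ASN1_STRING_to_UTF8/strlen NUL check suggested earlier in the thread, and Peter's question of matching a hostname against a certificate's names under the https rules. It assumes each name has already been pulled out of the X509 object as the (buffer, length) pair that ASN1_STRING_to_UTF8 returns; the struct, function names and sample names are all constructed here, and the OpenSSL extraction itself is left out.

```c
/* Added example, not code from the thread, curl or OpenSSL. Each candidate
 * name is the (buffer, length) pair ASN1_STRING_to_UTF8() would return for a
 * SAN dNSName or the subject CN; the sample names in main() are constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

struct cert_name { const char *utf8; int len; };

/* Embedded-NUL check from the thread: if the declared length disagrees with
 * strlen(), the name contains a NUL and is rejected rather than truncated. */
int name_is_clean(const struct cert_name *n)
{
    return n->len > 0 && strlen(n->utf8) == (size_t)n->len;
}

/* Case-insensitive match of one certificate name. A '*' is honoured only as
 * the whole leftmost label and only when at least two labels follow it, so
 * "*.example.org" covers "www.example.org" but not "example.org",
 * "a.b.example.org", or anything under a bare "*.org". */
int name_matches(const struct cert_name *n, const char *host)
{
    if (!name_is_clean(n))
        return 0;
    if (strncmp(n->utf8, "*.", 2) != 0)
        return strcasecmp(n->utf8, host) == 0;   /* no wildcard: exact match */
    const char *suffix = n->utf8 + 1;            /* ".example.org" */
    if (strchr(suffix + 1, '.') == NULL)         /* "*.org": too few labels */
        return 0;
    const char *host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)    /* need a non-empty first label */
        return 0;
    return strcasecmp(host_dot, suffix) == 0;    /* '*' consumed exactly one label */
}

/* RFC 2818 precedence: if any dNSName is present the SAN list is authoritative
 * and the CN is ignored; the CN counts only for certificates without one. */
int cert_matches_host(const struct cert_name *san, size_t nsan,
                      const struct cert_name *cn, const char *host)
{
    for (size_t i = 0; i < nsan; i++)
        if (name_matches(&san[i], host))
            return 1;
    return nsan == 0 && cn != NULL && name_matches(cn, host);
}

int main(void)
{   /* second name has an embedded NUL: declared length 30, strlen() 16 */
    struct cert_name san[] = { {"*.example.org", 13},
                               {"www.bank.example\0.evil.example", 30} };
    printf("%d %d\n", cert_matches_host(san, 2, NULL, "WWW.example.org"),
                      cert_matches_host(san, 2, NULL, "www.bank.example")); /* 1 0 */
    return 0;
}
```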