How to extract subjectAltName - Openssl



Thread: How to extract subjectAltName

  1. How to extract subjectAltName

    Hi,

    I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
    For the X509_NAME entries the same procedure works,
    but this ASN1_STRING seems to be different.

    In the debugger I can already see the ASN1_STRING:
    pString->length = 43
    pString->type = 4
    pString->data = "0)*urn:xxxxx:bla‚ xxxxxxx"
    pString->flags = 0

    Code snippet:
    UaPkiCertificateInfo UaPkiCertificate::info() const
    {
        UaPkiCertificateInfo ret;
        X509_EXTENSION *pExt;
        char *pBuffer = 0;
        int length = 0;
        int loc = X509_get_ext_by_NID(m_pCert, NID_subject_alt_name, -1);
        pExt = X509_get_ext(m_pCert, loc);
        if (pExt)
        {
            /* raw extension value (the contents of the DER OCTET STRING) */
            ASN1_STRING *pString = X509_EXTENSION_get_data(pExt);
            length = ASN1_STRING_to_UTF8((unsigned char**)&pBuffer, pString);
            ret.subjectAltName = pBuffer;
            OPENSSL_free(pBuffer);
        }
        return ret;
    }

    regards,
    Gerhard
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: How to extract subjectAltName


    Gerhard Gappmeier wrote:
    | Hi,
    Hello Gerhard,

    | I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
    | For the X509_NAME entries the same procedure works,
    | but this ASN1_STRING seems to be different.
    That is because only in the simple cases the extension data directly
    contains the readable extension.

    But the subjectAltName has the type "GeneralNames"
    and "GeneralNames" is a sequence of "GeneralName"

    So the way to decode a subjectAltName extension is to
    use the X509_get_ext_d2i() function:

    GENERAL_NAMES *names;
    STACK_OF(CONF_VALUE) *vals = sk_CONF_VALUE_new_null();

    names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
    if (names) {
        /* you now can use OpenSSL to transform the names into
         * some printable format... */
        i2v_GENERAL_NAMES(NULL, names, vals);
        sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
    }

    for (int i = 0; i < sk_CONF_VALUE_num(vals); i++) {
        CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i);
        ret.subjectAltName.appendNameValue(conf->name, conf->value);
    }
    sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free);

    The following subject alt names cannot be fetched because OpenSSL
    cannot display them:
    ~ * otherName
    ~ * x400Address
    ~ * ediPartyName

    The following values are simple text because they are of type ia5String:
    ~ * rfc822Name
    ~ * dNSName
    ~ * uniformResourceIdentifier
    Type ipAddress is also printed as simple text
    The type registeredID is also simple text.

    The type directoryName may have conversion errors (I didn't check).

    If you really need otherName, x400Address or ediPartyName,
    you have to implement their conversion methods on your own.

    For hints on how to convert a GENERAL_NAME into something printable,
    crypto/x509v3/v3_alt.c is a starter...


    Goetz

    --
    DMCA: The greed of the few outweighs the freedom of the many


  3. Re: How to extract subjectAltName

    Thanks for that tip.

    It works now this way:

    UaPkiCertificateInfo UaPkiCertificate::info() const
    {
        UaPkiCertificateInfo ret;
        char *pBuffer = 0;
        GENERAL_NAMES *subjectAltNames;

        subjectAltNames = ( GENERAL_NAMES* ) X509_get_ext_d2i ( m_pCert,
                              NID_subject_alt_name, NULL, NULL );
        if ( subjectAltNames )
        {
            int numalts;
            int i;

            /* get amount of alternatives, RFC2459 claims there MUST be at least
               one, but we don't depend on it... */
            numalts = sk_GENERAL_NAME_num ( subjectAltNames );

            /* loop through all alternatives */
            for ( i=0; ( i<numalts ); i++ )
            {
                /* get a handle to alternative name number i */
                const GENERAL_NAME *pName = sk_GENERAL_NAME_value (
                                                subjectAltNames, i );

                switch ( pName->type )
                {
                case GEN_OTHERNAME:
                    break;
                case GEN_EMAIL:
                    ASN1_STRING_to_UTF8((unsigned char**)&pBuffer,
                                        pName->d.ia5);
                    ret.eMail = pBuffer;
                    OPENSSL_free(pBuffer);
                    break;
                case GEN_DNS:
                    ASN1_STRING_to_UTF8((unsigned char**)&pBuffer,
                                        pName->d.ia5);
                    ret.DNS = pBuffer;
                    OPENSSL_free(pBuffer);
                    break;
                case GEN_X400:
                    break;
                case GEN_DIRNAME:
                    break;
                case GEN_EDIPARTY:
                    break;
                case GEN_URI:
                    ASN1_STRING_to_UTF8((unsigned char**)&pBuffer,
                                        pName->d.ia5);
                    ret.URI = pBuffer;
                    OPENSSL_free(pBuffer);
                    break;
                case GEN_IPADD:
                    ASN1_STRING_to_UTF8((unsigned char**)&pBuffer,
                                        pName->d.ia5);
                    ret.IP = pBuffer;
                    OPENSSL_free(pBuffer);
                    break;
                case GEN_RID:
                    break;
                }
            }
            /* the stack returned by X509_get_ext_d2i is owned by us: free it */
            sk_GENERAL_NAME_pop_free ( subjectAltNames, GENERAL_NAME_free );
        }

        return ret;
    }

    On Tuesday 17 June 2008 23:56:26 Goetz Babin-Ebell wrote:
    > GENERAL_NAMES *names;
    > STACK_OF(CONF_VALUE) *vals = sk_CONF_VALUE_new_null();
    >
    > names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
    > if (names) {
    >         /* you now can use OpenSSL to transform the names into
    >          * some printable format... */
    >         i2v_GENERAL_NAMES(NULL, names, vals);
    >         sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
    > }
    >
    > for(int i = 0; i < sk_CONF_VALUE_num(vals); i++) {
    >         CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i);
    >         ret.subjectAltName.appendNameValue (conf->name, conf->value);
    > }
    > sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free);




    --
    Kind regards / best regards

    Gerhard Gappmeier
    ascolab GmbH - automation system communication laboratory
    Tel.: +49 9131 691 123
    Fax: +49 9131 691 128
    Web: http://www.ascolab.com
    GPG-Key: http://www.ascolab.com/gpg/gg.asc


  4. Re: How to extract subjectAltName

    Gerhard Gappmeier wrote:
    > Hi,
    >
    > I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
    > For the X509_NAME entries the same procedure works,
    > but this ASN1_STRING seems to be different.
    >
    > In the debugger I can already see the ASN1_STRING:
    > pString->length = 43
    > pString->type = 4
    > pString->data = "0)*urn:xxxxx:bla‚ xxxxxxx"
    > pString->flags = 0
    >
    > Code snippet:
    > UaPkiCertificateInfo UaPkiCertificate::info() const
    > {
    > UaPkiCertificateInfo ret;
    > X509_EXTENSION *pExt;
    > char *pBuffer = 0;
    > int length = 0;
    > int loc = X509_get_ext_by_NID(m_pCert, NID_subject_alt_name, -1);
    > pExt = X509_get_ext(m_pCert, loc);
    > if (pExt)
    > {
    > ASN1_STRING *pString = X509_EXTENSION_get_data(pExt);
    > length = ASN1_STRING_to_UTF8((unsigned char**)&pBuffer, pString);
    > ret.subjectAltName = pBuffer;
    > OPENSSL_free(pBuffer);
    > }
    > return ret;
    > }
    >
    > regards,
    > Gerhard

    Hello,

    To get data from an X509v3 cert, I use the BIO functions:

    char buffer[BUFFER_SIZE];
    int len;
    BIO *bio = BIO_new(BIO_s_mem());
    X509_EXTENSION *ex = X509_get_ext(_d_cert, i);   // get the i-th extension
    if (!X509V3_EXT_print(bio, ex, 0, 0))            // read the text of this extension
        M_ASN1_OCTET_STRING_print(bio, ex->value);   // unknown type: print the raw value
    len = BIO_read(bio, buffer, BUFFER_SIZE - 1);    // buffer contains the text, len its length
    if (len < 0) len = 0;                            // BIO_read reports errors as negative
    buffer[len] = '\0';                              // add the terminator: buffer is readable text
    BIO_free(bio);

    Hope it can help you


  5. Re: How to unsubscribe from OpenSSL Users ML

    Send a message to openssl-users@openssl.org with the following text in the body.
    unsubscribe openssl-users

    For more info see below.
    I hope this helps you :-)


    --

    Welcome to the openssl-users mailing list!

    Please save this message for future reference. Thank you.

    If you ever want to remove yourself from this mailing list,
    you can send mail to with the following
    command in the body of your email message:

    unsubscribe openssl-users

    or from another account, besides gerhard.gappmeier@ascolab.com:

    unsubscribe openssl-users gerhard.gappmeier@ascolab.com

    If you ever need to get in contact with the owner of the list,
    (if you have trouble unsubscribing, or have questions about the
    list itself) send email to .
    This is the general rule for most mailing lists when you need
    to contact a human.

    Here's the general information for the list you've subscribed to,
    in case you don't already have it:

    This open mailing list is used for discussions between
    the OpenSSL users. Everyone can post.


    markgray111@aol.com wrote:
    > *i have n o t one idea what that means... i got out on this list
    > by accident or type-o I have no way of looking at any of the
    > thousands of emails i have rec'd and been able to find one thing i
    > could understand..... please HELP*


    --
    Kind regards / best regards

    *Gerhard Gappmeier*
    ascolab GmbH - automation systems communication laboratory
    Tel.: +49 9131 691 123
    Fax: +49 9131 691 128
    Web: http://www.ascolab.com
    GPG-Key: http://www.ascolab.com/gpg/gg.asc

    --
    *ascolab GmbH*
    Managing directors: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß
    Registered office: Am Weichselgarten 7 • 91058 Erlangen • Germany
    Registration number: HRB 9360
    Registration court: Amtsgericht Fürth



  6. Re: How to unsubscribe from OpenSSL Users ML

    Oops, wrong address before.

    Send a message to majordomo@openssl.org with the following text in the body.
    unsubscribe openssl-users

    For more info see below.
    I hope this helps you :-)


    --

    Welcome to the openssl-users mailing list!

    Please save this message for future reference. Thank you.

    If you ever want to remove yourself from this mailing list,
    you can send mail to with the following
    command in the body of your email message:

    unsubscribe openssl-users

    or from another account, besides gerhard.gappmeier@ascolab.com:

    unsubscribe openssl-users gerhard.gappmeier@ascolab.com

    If you ever need to get in contact with the owner of the list,
    (if you have trouble unsubscribing, or have questions about the
    list itself) send email to .
    This is the general rule for most mailing lists when you need
    to contact a human.

    Here's the general information for the list you've subscribed to,
    in case you don't already have it:

    This open mailing list is used for discussions between
    the OpenSSL users. Everyone can post.


    markgray111@aol.com wrote:
    > *i have n o t one idea what that means... i got out on this list
    > by accident or type-o I have no way of looking at any of the
    > thousands of emails i have rec'd and been able to find one thing i
    > could understand..... please HELP*


    --
    Kind regards / best regards

    *Gerhard Gappmeier*
    ascolab GmbH - automation systems communication laboratory
    Tel.: +49 9131 691 123
    Fax: +49 9131 691 128
    Web: http://www.ascolab.com
    GPG-Key: http://www.ascolab.com/gpg/gg.asc

    --
    *ascolab GmbH*
    Managing directors: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß
    Registered office: Am Weichselgarten 7 • 91058 Erlangen • Germany
    Registration number: HRB 9360
    Registration court: Amtsgericht Fürth



  7. Re: How to extract subjectAltName


    Gerhard Gappmeier wrote:
    | Thanks for that tip.
    |
    | It works now this way:
    |
    | UaPkiCertificateInfo UaPkiCertificate::info() const
    | {
    [...]

    | switch ( pName->type )
    | {
    | case GEN_OTHERNAME:
    | break;
    | case GEN_EMAIL:
    | ASN1_STRING_to_UTF8((unsigned char**)&pBuffer,
    | pName->d.ia5);
    ia5String is basically ASCII, especially in email, since email addresses
    are limited to the ASCII character set...
    And every ASCII character is also a valid UTF-8 character...

    | ret.eMail = pBuffer;
    | OPENSSL_free(pBuffer);
    | break;
    | case GEN_DNS:
    | ASN1_STRING_to_UTF8((unsigned char**)&pBuffer,
    | pName->d.ia5);
    also here...

    | ret.DNS = pBuffer;
    | OPENSSL_free(pBuffer);
    | break;
    | case GEN_X400:
    | break;
    | case GEN_DIRNAME:
    | break;
    | case GEN_EDIPARTY:
    | break;
    | case GEN_URI:
    | ASN1_STRING_to_UTF8((unsigned char**)&pBuffer,
    | pName->d.ia5);
    and here...
    | ret.URI = pBuffer;
    | OPENSSL_free(pBuffer);
    | break;
    | case GEN_IPADD:
    | ASN1_STRING_to_UTF8((unsigned char**)&pBuffer,
    | pName->d.ia5);
    Here you are wrong.
    The IP address is stored as binary.
    So IPv4 -> 4 byte data, IPv6 -> 16 byte data...


    Bye

    Goetz

    --
    DMCA: The greed of the few outweighs the freedom of the many
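As an added illustration of the two points Goetz makes in this thread (it is not code from the thread or from OpenSSL): a minimal plain-C decoder for the bytes that X509_EXTENSION_get_data() hands back for subjectAltName, run over a constructed sample. It shows why ASN1_STRING_to_UTF8 on that raw value cannot work (the value is a DER SEQUENCE of context-tagged GeneralName, only the IA5String choices are text) and how the iPAddress choice carries 4 or 16 raw bytes that must be formatted rather than copied. The sample bytes, the labels and the 8-name limit are assumptions made here, and DER long-form lengths (128 bytes or more) are deliberately not handled; in real code use X509_get_ext_d2i()/i2v_GENERAL_NAMES() as the thread recommends.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not from the thread): a subjectAltName value, i.e.
 * GeneralNames ::= SEQUENCE OF GeneralName, tags [1] rfc822Name, [2] dNSName, [7] iPAddress. */
static const uint8_t SAN_DER[] = { 0x30, 0x2E,                 /* SEQUENCE, 46 bytes */
    0x82, 0x09, 'a', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e',   /* [2] dNSName        */
    0x81, 0x09, 'x', '@', 'e', 'x', 'a', 'm', 'p', 'l', 'e',   /* [1] rfc822Name     */
    0x87, 0x04, 10, 0, 0, 1,                                   /* [7] iPAddress, IPv4 */
    0x87, 0x10, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1 };          /* [7] iPAddress, IPv6 */
static char g_names[8][64];                                    /* decoded, printable names */
/* DER tag + length header, short-form length only; returns 0 if truncated/malformed. */
static size_t tl(const uint8_t *p, size_t n, uint8_t *tag, size_t *len) {
    if (n < 2 || p[1] >= 0x80) return 0;
    *tag = p[0]; *len = p[1];
    return *len <= n - 2 ? 2 : 0;
}
/* IA5String choices are plain text; iPAddress is 4 or 16 raw bytes; the
 * other choices are structured and need type-specific decoding. */
static void fmt_name(uint8_t tag, const uint8_t *v, size_t n, char *out, size_t cap) {
    static const char *label[] = { "otherName", "email", "DNS", "x400Address",
                                   "dirName", "ediPartyName", "URI", "IP", "RID" };
    unsigned t = tag & 0x1F;                                   /* CHOICE tag number */
    if ((tag & 0xC0) != 0x80 || t > 8) { snprintf(out, cap, "unknown tag 0x%02X", (unsigned)tag); return; }
    if (t == 1 || t == 2 || t == 6)
        snprintf(out, cap, "%s:%.*s", label[t], (int)n, (const char *)v);
    else if (t == 7 && n == 4)
        snprintf(out, cap, "IP:%d.%d.%d.%d", v[0], v[1], v[2], v[3]);
    else if (t == 7 && n == 16)
        for (size_t i = 0, off = (size_t)snprintf(out, cap, "IP:"); i < 16; i += 2)
            off += (size_t)snprintf(out + off, cap - off, "%s%02x%02x", i ? ":" : "", v[i], v[i + 1]);
    else
        snprintf(out, cap, "%s:<%zu bytes, needs custom decoding>", label[t], n);
}
/* Walk the outer SEQUENCE into g_names; returns the name count, or -1 on bad DER. */
int san_decode(const uint8_t *der, size_t len) {
    uint8_t tag; size_t l, h = tl(der, len, &tag, &l);
    if (!h || tag != 0x30) return -1;                          /* must be a SEQUENCE */
    const uint8_t *p = der + h, *end = p + l; int count = 0;
    while (p < end && count < 8) {
        if (!(h = tl(p, (size_t)(end - p), &tag, &l))) return -1;
        fmt_name(tag, p + h, l, g_names[count++], sizeof g_names[0]);
        p += h + l;
    }
    return count;
}
int san_decode_sample(void) { return san_decode(SAN_DER, sizeof SAN_DER); }
const char *san_name(int i) { return g_names[i]; }
```

Decoding the sample yields DNS:a.example, email:x@example, IP:10.0.0.1 and the IPv6 loopback spelled out in full; a dNSName or URI entry with an embedded NUL byte would be silently cut by the %.*s formatting, which is one more reason to validate SAN entries by length rather than as C strings.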

