On Mon, Mar 24, 2003, Naomaru Itoi wrote:

> Hi, everyone,
>
> Please excuse me if my question is silly; I am new to ASN1.
>
> I am trying to read the "UPN" of a certificate issued by a Microsoft CA,
> that is, otherName in subjectAltName.
> From the following post by Steve, I thought OpenSSL-0.9.8's parser can now
> read otherName. So I downloaded openssl-SNAP-20030322 and tested it.
> However, it prints out the hex dump of subjectAltName. I assume the parser
> did not understand GeneralString or something. Is that right?
>
> naomaru% openssl asn1parse -in ~/openssl/naomaru_pmlab-fixed.pem
> ...
> 1361:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
> 1366:d=5 hl=2 l= 47 prim: OCTET STRING [HEX DUMP]:302DA02B060A2B060104018237140203A01D0C1B6E616F6D6172754070736C61622E6163746976636172642E636F6D
> 1415:d=1 hl=2 l= 13 cons: SEQUENCE
>
> Am I doing something wrong, or does OpenSSL 0.9.8 not support reading
> otherName yet?
> If the latter, what can I do to make it possible?
>

OpenSSL 0.9.8 supports generation of otherName. Printing of otherName is
another matter; to handle this fully would require code being added to every
single otherName OID because *anything* can be in there. It should asn1parse
otherName I suppose but that would require quite a bit of revision to the
extension code.

OpenSSL's asn1parse will always print something like the above though because
that's how certificate extensions are encoded: the extension encoding is
stuffed into an OCTET STRING.

If you want to see what's inside use the -strparse XXXX option, where XXXX is
the OCTET STRING offset: 1366 in your example above.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
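
The point in the reply that the extension value is DER stuffed inside an OCTET STRING, shown as an added example (not part of the thread and not OpenSSL code): a small Python DER walker over the 47 bytes posted in the question, returning each otherName's type OID and inner value. The function names are hypothetical, and only low-tag-number tags and lengths of up to four octets are handled.

```python
# Contents of the OCTET STRING at offset 1366, copied from the post above.
EXT_VALUE = bytes.fromhex("302DA02B060A2B060104018237140203A01D0C1B"
                          "6E616F6D6172754070736C61622E6163746976636172642E636F6D")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or high-tag-number form")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER contents into dotted-decimal text."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)  # base-128, high bit marks continuation
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = min(subids[0] // 40, 2)  # first subidentifier packs two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_other_names(ext_value):
    """Return [(type-id OID, value tag, value bytes)] for each otherName."""
    tag, names, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected one GeneralNames SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:  # [0] constructed is otherName; other kinds are skipped
            continue
        t_oid, oid, p = read_tlv(body, 0)
        t_wrap, wrapped, p_end = read_tlv(body, p)  # [0] EXPLICIT wrapper
        vtag, value, v_end = read_tlv(wrapped, 0)
        if (t_oid, t_wrap) != (0x06, 0xA0) or p_end != len(body) or v_end != len(wrapped):
            raise ValueError("malformed otherName")
        found.append((decode_oid(oid), vtag, value))
    return found
```

A value tag of 0x0C is a UTF8String; the caller decides how to interpret the value for a given type OID, which is why a generic printer cannot do it for every otherName.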
