On Fri, Jan 01, 2010, Martin Kaiser wrote:

> Hi Michael, all,
> 
> Thus wrote michaelfmichaelf (michael_fur...@hotmail.com):
> 
> > 2) Where can I find the example for otherName in ASN1 format?
> > Unfortunately, the example shown in the link above does not contain the ASN1
> > format:
> 
> > subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
> 
> I've never actually used this so I can just make some guesses. According
> to RFC3280, the ASN.1 definition of otherName is
> 
>    OtherName ::= SEQUENCE {
>         type-id    OBJECT IDENTIFIER,
>         value      [0] EXPLICIT ANY DEFINED BY type-id }
> 
> So the example above seems to point in the right direction. I've just
> done a test with
> 
> mar...@askja:~/tmp$ cat alt.ext 
> subjectAltName=otherName:1.3.6.1.5.5.7.1.99;BITSTRING:deadbeef
> 
> mar...@askja:~/tmp$ openssl x509 -req -in testReq.pem -out testCert.pem \
>                     -signkey testKey.pem -extfile alt.ext
> Signature ok
> subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> Getting Private key
> 
> This seemed to work. ASN.1 part of the certificate is as follows
> 
>  513    3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
>     <04 1B>
>  518   27:           OCTET STRING, encapsulates {
>     <30 19>
>  520   25:             SEQUENCE {
>     <A0 17>
>  522   23:               [0] {
>     <06 08>
>  524    8:                 OBJECT IDENTIFIER '1 3 6 1 5 5 7 1 26'
>     <A0 0B>
>  534   11:                 [0] {
>     <03 09>
>  536    9:                   BIT STRING 'deadbeef'
>          :                   }
>          :                 }
>          :               }
>          :             }
> 
> Unfortunately, 
> 
> mar...@askja:~/tmp$ openssl x509 -in testCert.pem -noout -text
> 
> just displays
> 
>         X509v3 extensions:
>             X509v3 Subject Alternative Name: 
>                 othername:<unsupported>
> 
> 
> Which information do you want to encode in otherName?
> 

Currently OpenSSL doesn't display any otherName values. It can't know the
precise meaning of that field in general because the format could be totally
arbitrary. At best it could asn1parse the contents.

More extensive documentation on the format is here:

http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html#

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
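
Added example, not part of the original messages or of OpenSSL: a small DER walker that pulls the type-id and the raw inner value out of each otherName in a subjectAltName, which is as far as a generic tool can go with a field OpenSSL shows as `<unsupported>`. The function names are this example's own, and the sample bytes are constructed to follow the structure in the dump above using the OID from alt.ext.

```python
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the single-byte-tag DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    if not content or content[-1] & 0x80:
        raise ValueError("bad OID")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def other_names(general_names):
    """Return [(type_id, value_tag, value_content)] for every otherName entry."""
    tag, body, end = read_tlv(general_names, 0)
    if tag != 0x30 or end != len(general_names):
        raise ValueError("expected a single GeneralNames SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        tag, name, pos = read_tlv(body, pos)
        if tag != 0xA0:  # [0] is otherName; dNSName, rfc822Name etc. are skipped
            continue
        oid_tag, oid, p = read_tlv(name, 0)       # type-id
        wrap_tag, wrapped, p = read_tlv(name, p)  # [0] EXPLICIT wrapper
        vtag, value, vend = read_tlv(wrapped, 0)  # the ANY value itself
        if (oid_tag, wrap_tag, p, vend) != (0x06, 0xA0, len(name), len(wrapped)):
            raise ValueError("malformed OtherName")
        found.append((decode_oid(oid), vtag, value))
    return found

# Constructed sample: GeneralNames holding one otherName, shaped like the dump above.
SAMPLE = bytes.fromhex("3019a01706082b06010505070163a00b0309006465616462656566")
```

For the sample, `other_names(SAMPLE)` yields the OID, the inner tag 0x03 (BIT STRING) and its content bytes; interpreting that content further depends on what the type-id defines.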
