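// True when any of the first `length` bytes is NUL.  ASN1_STRING_to_UTF8()
// returns a length, not a C string, so a SAN such as
// "www.good.example\0.evil.example" would otherwise be silently truncated at
// the NUL by the C-string compare and match "www.good.example".
static bool containsEmbeddedNul(const unsigned char *bytes, int length)
{
    for (int i = 0; i < length; ++i)
        if (bytes[i] == '\0')
            return true;
    return false;
}

// Exact, case-sensitive C-string equality.  Used for IP identifiers, which
// are never wildcarded (RFC 6125 s6.4.1 / s7.2).
static bool sameCString(const char *a, const char *b)
{
    while (*a != '\0' && *a == *b) {
        ++a;
        ++b;
    }
    return *a == *b;
}

// Render four network-order octets as dotted-decimal into `out`
// (needs at least 16 bytes: "255.255.255.255" + NUL).
static void formatIPv4(const unsigned char *octets, char *out)
{
    char *p = out;
    for (int i = 0; i < 4; ++i) {
        const unsigned int v = octets[i];
        if (v >= 100)
            *p++ = static_cast<char>('0' + v / 100);
        if (v >= 10)
            *p++ = static_cast<char>('0' + (v / 10) % 10);
        *p++ = static_cast<char>('0' + v % 10);
        if (i < 3)
            *p++ = '.';
    }
    *p = '\0';
}

// Returns true when nodeName matches a dNSName, uniformResourceIdentifier or
// iPAddress entry of the certificate's subjectAltName extension.  otherName,
// rfc822Name, x400Address, directoryName, ediPartyName and registeredID
// entries are ignored.  Returns false when either argument is NULL, when the
// certificate carries no (or more than one) SAN extension, or when nothing
// matches.
//
// Text identifiers are compared by isWildcardedCNcompare(); a decoded value
// containing an embedded NUL is rejected rather than compared.  IP identifiers
// are compared exactly (IPv4 only).  NOTE(review): per RFC 6125 s6.4.4 a
// caller should not fall back to the subject CN when the SAN holds dNSName
// entries; that decision is outside this function.
//
// (Alternative code: page 136 of the O'Reilly OpenSSL book.)
bool Comm::isAltNameMatch(X509 *certificate, const char *nodeName)
{
    if (certificate == NULL || nodeName == NULL)
        return false;

    // X509_get_ext_d2i() allocates the GENERAL_NAMES; it must be released on
    // every exit path, including a successful match.
    GENERAL_NAMES *subjectAltNames = static_cast<GENERAL_NAMES *>(
        X509_get_ext_d2i(certificate, NID_subject_alt_name, NULL, NULL));
    if (subjectAltNames == NULL)
        return false;

    bool matched = false;
    // Supposed to be at least one entry, but don't count on it.
    const int numberOfAlts = sk_GENERAL_NAME_num(subjectAltNames);

    for (int i = 0; i < numberOfAlts && !matched; ++i) {
        const GENERAL_NAME *pName = sk_GENERAL_NAME_value(subjectAltNames, i);
        if (pName == NULL)
            continue;

        switch (pName->type) {
        case GEN_DNS:
        case GEN_URI: {
            // Fresh pointer per entry: a failed conversion leaves *out
            // untouched, so reusing one buffer pointer across iterations would
            // hand a freed pointer to the compare and to OPENSSL_free().
            unsigned char *pBuffer = NULL;
            const int length = ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5);
            if (length < 0 || pBuffer == NULL)
                break;                  // malformed entry: skip, never match
            if (!containsEmbeddedNul(pBuffer, length)) {
                // For GEN_URI the whole URI string is handed to the compare;
                // extracting the host component is not done here.
                matched = isWildcardedCNcompare(
                    reinterpret_cast<char *>(pBuffer), nodeName);
            }
            OPENSSL_free(pBuffer);
            break;
        }
        case GEN_IPADD: {
            // iPAddress is an OCTET STRING of 4 (IPv4) or 16 (IPv6) raw
            // network-order bytes (RFC 5280 s4.2.1.6), not text, so it cannot
            // go through ASN1_STRING_to_UTF8().  Compare exactly, no wildcards.
            const ASN1_OCTET_STRING *ip = pName->d.iPAddress;
            if (ip != NULL && ip->data != NULL && ip->length == 4) {
                char dotted[16];
                formatIPv4(ip->data, dotted);
                matched = sameCString(dotted, nodeName);
            }
            // TODO(review): IPv6 entries are not matched; doing so needs
            // nodeName parsed to binary (inet_pton) and a 16-byte compare.
            break;
        }
        default:
            // GEN_OTHERNAME, GEN_EMAIL, GEN_X400, GEN_DIRNAME, GEN_EDIPARTY,
            // GEN_RID: not host identifiers, deliberately not matched.
            break;
        }
    }

    GENERAL_NAMES_free(subjectAltNames);
    return matched;
}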

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Kenneth Goldman
Sent: Tuesday, September 11, 2012 2:14 PM
To: openssl-users@openssl.org
Subject: Parsing X509 certificate subjectAltName

 

I'm 90% deep into parsing an X509 certificate, but I can't find sample code
for the last piece. 

I found the extension, and located the ASN1_OBJECT with nid 85, OID
2.5.29.17, the subjectAltName.  From the dumpasn output, I see that this is
an octet string of a sequence, etc. 

I have to pull out the values attached to the three OIDs 2.23.133.2.1, 2.23.133.2.2 and 2.23.133.2.3 (these look like the TCG TPM manufacturer/model/version attributes). They are not in the extension's ASN1_OBJECT, which is only the subjectAltName OID itself, but in the extension value: per the dump below, a GeneralNames SEQUENCE whose single entry is a directoryName ([4]) holding an X.500 Name, i.e. a SET of AttributeTypeAndValue pairs, each pairing one of those OIDs with a PrintableString.

Can anyone point me to sample code or a hint? 

~~ 

515   3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17) 
       : . . . . . . (X.509 extension) 
    <01 01 FF> 
520   1: . . . . . BOOLEAN TRUE 
    <04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64
3A> 
523  74: . . . . . OCTET STRING, encapsulates { 
    <30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35
37> 
525  72: . . . . . . SEQUENCE { 
    <A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34
35> 
527  70: . . . . . . . [4] { 
    <30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34
33> 
529  68: . . . . . . . . SEQUENCE { 
    <31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30
30> 
531  66: . . . . . . . . . SET { 
    <30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30> 
533  20: . . . . . . . . . . SEQUENCE { 
    <06 05 67 81 05 02 01> 
535   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1' 
    <13 0B 69 64 3A 35 37 34 35 34 33 30 30> 
542  11: . . . . . . . . . . . PrintableString 'id:57454300' 
       : . . . . . . . . . . . } 
    <30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54
35> 
555  24: . . . . . . . . . . SEQUENCE { 
    <06 05 67 81 05 02 02> 
557   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2' 
    <13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78> 
564  15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x' 
       : . . . . . . . . . . . } 
    <30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31> 
581  16: . . . . . . . . . . SEQUENCE { 
    <06 05 67 81 05 02 03> 
583   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3' 
    <13 07 69 64 3A 30 33 39 31> 
590   7: . . . . . . . . . . . PrintableString 'id:0391' 
       : . . . . . . . . . . . } 
       : . . . . . . . . . . } 
       : . . . . . . . . . } 
       : . . . . . . . . } 
       : . . . . . . . } 
       : . . . . . . } 
       : . . . . . }

--
Ken Goldman   kgold...@us.ibm.com   
914-945-2415 (862-2415)
