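// Helper for isAltNameMatch: true when the UTF-8 decoded SAN entry can be
// handed to a C-string comparison safely, i.e. ASN1_STRING_to_UTF8 succeeded
// (length >= 0, buffer set) and no NUL byte occurs inside the decoded length.
// An entry such as "www.good.example\0.evil.example" would otherwise be
// truncated at the NUL by strcmp-style matching and accepted for the wrong host.
static bool sanEntryIsCleanText(const unsigned char *pBuffer, int length) {
    if (pBuffer == NULL || length < 0) return false;
    for (int k = 0; k < length; k++) {
        if (pBuffer[k] == '\0') return false;
    }
    return true;
}

// Helper for isAltNameMatch: exact, case-sensitive equality of two C strings,
// used for IP literals where the wildcard/case rules for DNS names do not apply.
static bool sameAsciiText(const char *a, const char *b) {
    if (a == NULL || b == NULL) return false;
    while (*a != '\0' && *a == *b) {
        a++;
        b++;
    }
    return *a == *b;
}

// Helper for isAltNameMatch: render a 4-octet iPAddress (network byte order,
// RFC 5280 4.2.1.6) as dotted-quad text into out, which must hold at least
// 16 bytes ("255.255.255.255" plus NUL). Written by hand so no extra header
// (snprintf / inet_ntop) is needed here.
static void ipv4ToText(const unsigned char *octets, char *out) {
    int pos = 0;
    for (int k = 0; k < 4; k++) {
        const unsigned int v = octets[k];
        if (v >= 100) out[pos++] = static_cast<char>('0' + v / 100);
        if (v >= 10)  out[pos++] = static_cast<char>('0' + (v / 10) % 10);
        out[pos++] = static_cast<char>('0' + v % 10);
        if (k < 3) out[pos++] = '.';
    }
    out[pos] = '\0';
}

// Does any subjectAltName entry of `certificate` name `nodeName`?
//
// Only dNSName (wildcard-aware, via isWildcardedCNcompare) and iPAddress
// (exact textual match, IPv4 only) entries are host identifiers and are
// consulted, following RFC 6125 / RFC 2818. uniformResourceIdentifier,
// rfc822Name, directoryName (e.g. the TCG TPM attributes in the dump further
// down this thread), otherName, x400Address, ediPartyName and registeredID
// are not host names and are deliberately ignored.
//
// Returns true on the first matching entry; false when either argument is
// NULL, when the certificate has no (decodable) SAN extension, or when no
// entry matches. The GENERAL_NAMES returned by X509_get_ext_d2i is owned by
// this function and is always released before returning.
//
// NOTE(review): RFC 6125 6.4.4 says that when a dNSName SAN is present the
// subject CN must not be consulted as a fallback; that decision belongs to the
// caller and is not enforced here.
bool Comm::isAltNameMatch(X509 *certificate, const char *nodeName) {
    // there is alternative code on page 136 of the O'Reilly OpenSSL book
    if (certificate == NULL || nodeName == NULL) return false;

    GENERAL_NAMES *subjectAltNames = static_cast<GENERAL_NAMES *>(
        X509_get_ext_d2i(certificate, NID_subject_alt_name, NULL, NULL));
    if (subjectAltNames == NULL) {
        return false;   // extension absent, or present but not decodable
    }

    bool matched = false;
    // supposed to be at least one entry when the extension exists, but don't count on it
    const int numberOfAlts = sk_GENERAL_NAME_num(subjectAltNames);
    for (int i = 0; i < numberOfAlts && !matched; i++) {
        const GENERAL_NAME *pName = sk_GENERAL_NAME_value(subjectAltNames, i);
        if (pName == NULL) continue;

        switch (pName->type) {
        case GEN_DNS: {
            unsigned char *pBuffer = NULL;
            // return value is the decoded byte count (negative on failure);
            // the original discarded it, which is what lets an embedded NUL
            // truncate the name before the compare sees it
            const int length = ASN1_STRING_to_UTF8(&pBuffer, pName->d.dNSName);
            if (sanEntryIsCleanText(pBuffer, length)) {
                matched = isWildcardedCNcompare(reinterpret_cast<char *>(pBuffer), nodeName);
            }
            OPENSSL_free(pBuffer);  // OPENSSL_free(NULL) is a no-op
            break;
        }
        case GEN_IPADD: {
            // iPAddress is a raw OCTET STRING (4 bytes IPv4, 16 bytes IPv6),
            // never text, so it must not go through the DNS/wildcard compare.
            const ASN1_OCTET_STRING *ip = pName->d.iPAddress;
            if (ip != NULL && ip->length == 4 && ip->data != NULL) {
                char text[16];
                ipv4ToText(ip->data, text);
                matched = sameAsciiText(text, nodeName);
            }
            // TODO(review): 16-octet IPv6 entries are not compared; doing so
            // needs nodeName canonicalised to binary first (e.g. inet_pton).
            break;
        }
        case GEN_URI:        // a URI is not a host identifier (RFC 6125)
        case GEN_OTHERNAME:
        case GEN_EMAIL:
        case GEN_X400:
        case GEN_DIRNAME:
        case GEN_EDIPARTY:
        case GEN_RID:
        default:
            break;
        }
    }

    GENERAL_NAMES_free(subjectAltNames);  // X509_get_ext_d2i hands back an owned copy
    return matched;
}

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kenneth Goldman
Sent: Tuesday, September 11, 2012 2:14 PM
To: openssl-users@openssl.org
Subject: Parsing X509 certificate subjectAltName

I'm 90% deep into parsing an X509 certificate, but I can't find sample code for the last piece. I found the extension, and located the ASN1_OBJECT with nid 85, OID 2.5.29.17, the subjectAltName. From the dumpasn output, I see that this is an octet string of a sequence, etc. I have to pull out the three OIDs '2.23.133.2. [1, 2, and 3]' which are presumably in the ASN1_OBJECT. Can anyone point me to sample code or a hint?

~~
515 3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
: . . . . . . (X.509 extension)
<01 01 FF>
520 1: . . . . . BOOLEAN TRUE
<04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A>
523 74: . . . . . 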
OCTET STRING, encapsulates {
<30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37>
525 72: . . . . . . SEQUENCE {
<A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35>
527 70: . . . . . . . [4] {
<30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33>
529 68: . . . . . . . . SEQUENCE {
<31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30>
531 66: . . . . . . . . . SET {
<30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30>
533 20: . . . . . . . . . . SEQUENCE {
<06 05 67 81 05 02 01>
535 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1'
<13 0B 69 64 3A 35 37 34 35 34 33 30 30>
542 11: . . . . . . . . . . . PrintableString 'id:57454300'
: . . . . . . . . . . . }
<30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35>
555 24: . . . . . . . . . . SEQUENCE {
<06 05 67 81 05 02 02>
557 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2'
<13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78>
564 15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x'
: . . . . . . . . . . . }
<30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31>
581 16: . . . . . . . . . . SEQUENCE {
<06 05 67 81 05 02 03>
583 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3'
<13 07 69 64 3A 30 33 39 31>
590 7: . . . . . . . . . . . PrintableString 'id:0391'
: . . . . . . . . . . . }
: . . . . . . . . . . }
: . . . . . . . . . }
: . . . . . . . . }
: . . . . . . . }
: . . . . . . }
: . . . . . }

-- Ken Goldman kgold...@us.ibm.com 914-945-2415 (862-2415)