Re: get subjectAltName
Thank you Christian, it helped to decode the Kerberos principal name. The code worked. Regards, Naveen

Christian Hohnstaedt wrote:
On Wed, Sep 22, 2010 at 05:48:07PM +0530, Naveen B.N wrote:
Thank you Christian, your suggestions helped us to get the position, but as you mentioned, the problem of resolving the Kerberos principal name remains. I tried Google and added a piece of code, but I am not getting the output, as shown below.

(The twelve #include lines below lost their header names when the message was rendered as HTML: the `<` of each `<header.h>` was taken as the start of a tag.)
#include #include #include #include #include #include #include #include #include #include #include #include
#define CERT_INFO_MAX_ENTRIES 15
#define CERT_INFO_SIZE 10

/* http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html
   KRB5PrincipalName ::= SEQUENCE {
       realm         [0] Realm,
       principalName [1] PrincipalName
   }
   Maybe this is already defined somewhere in OpenSSL - I didn't find it. */
typedef struct kdc_princname_st {
    ASN1_GENERALSTRING *realm;
    KRB5_PRINCNAME *princname;
} KDC_PRINCNAME;

ASN1_SEQUENCE(KDC_PRINCNAME) = {
    ASN1_EXP(KDC_PRINCNAME, realm, ASN1_GENERALSTRING, 0),
    ASN1_EXP(KDC_PRINCNAME, princname, KRB5_PRINCNAME, 1)
} ASN1_SEQUENCE_END(KDC_PRINCNAME)
IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME)

static char **cert_info_kpn(X509 *x509)
{
    int i,j;
    static char *entries[CERT_INFO_SIZE];
    STACK_OF(GENERAL_NAME) *gens;
    GENERAL_NAME *name;
    ASN1_OBJECT *krb5PrincipalName;
    printf("Trying to find a Kerberos Principal Name in certificate");
    gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
    krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
    if (!gens) {
        printf("No alternate name extensions");
        return NULL; /* no alternate names */
    }
    if (!krb5PrincipalName) {
        printf("Cannot map KPN object");
        return NULL;
    }
    /* loop condition after "(j" reconstructed: the HTML rendering swallowed it as a tag */
    for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && (j < CERT_INFO_SIZE-1); i++) {
        name = sk_GENERAL_NAME_value(gens, i);
        if ( name && name->type==GEN_OTHERNAME ) {
            /* test for UPN */
            if (OBJ_cmp(name->d.otherName->type_id, krb5PrincipalName))
                continue; /* object is not a UPN */
            else {
                /* NOTE: from PKINIT RFC, I deduce that stored format for kerberos
                   Principal Name is ASN1_STRING, but not sure at 100% Any help will be granted */
                unsigned char *txt;
                ASN1_TYPE *val = name->d.otherName->value;
                ASN1_STRING *str= val->value.asn1_string;
                printf("Found Kerberos Principal Name ");
                unsigned char * p = str->data;
                KDC_PRINCNAME *pn = d2i_KDC_PRINCNAME(NULL, &p, str->length);
                KRB5_PRINCNAME *princname = pn->princname;
                printf("Realm '%*s'\nNAMETYPE: %ld\n", pn->realm->length, pn->realm->data, ASN1_INTEGER_get(princname->nametype));
                /* loop condition after "j" likewise reconstructed */
                for (j=0; j < sk_ASN1_GENERALSTRING_num(princname->namestring); j++) {
                    ASN1_GENERALSTRING *gs = sk_ASN1_GENERALSTRING_value(princname->namestring,j);
                    printf("[%i] %*s\n", j, gs->length, gs->data);
                }

Cheers
Christian

[Reviewer note on the snippet above, which decodes bytes taken from a certificate and so from untrusted input: (1) `d2i_KDC_PRINCNAME()` returns NULL on a malformed extension and the very next line dereferences `pn`; check `pn` (and check `val->type == V_ASN1_SEQUENCE` before reading `val->value.asn1_string`) and release it with `KDC_PRINCNAME_free()`. (2) `%*s` only sets a minimum field width; printf still reads up to a NUL, which ASN.1 string data is not required to contain — `%.*s` bounds the read to `length`, which is what was intended. (3) The inner `for (j=0; ...)` reuses the outer `j`, the counter for `entries` and part of the outer loop bound, so the two loops interfere. The `KRB5_PRINCNAME` type with its `nametype`/`namestring` fields comes from OpenSSL's krb5_asn.h of that era — presumably one of the lost includes.]

__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: get subjectAltName
Attaching the PEM format certificate used. We need to convert it to DER before using it with the code given below. Command to convert PEM to DER:

openssl x509 -inform PEM -in KDC.pem -outform DER -out KDC.cer

Thanks and Regards, Naveen

Naveen B.N wrote:
Thank you Christian, your suggestions helped us to get the position, but as you mentioned, the problem of resolving the Kerberos principal name remains. I tried Google and added a piece of code, but I am not getting the output, as shown below.

(The twelve #include lines below lost their header names when the message was rendered as HTML.)
#include #include #include #include #include #include #include #include #include #include #include #include
#define CERT_INFO_MAX_ENTRIES 15
#define CERT_INFO_SIZE 10

static char **cert_info_kpn(X509 *x509)
{
    int i,j;
    static char *entries[CERT_INFO_SIZE];
    STACK_OF(GENERAL_NAME) *gens;
    GENERAL_NAME *name;
    ASN1_OBJECT *krb5PrincipalName;
    printf("Trying to find a Kerberos Principal Name in certificate");
    gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
    krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
    if (!gens) {
        printf("No alternate name extensions");
        return NULL; /* no alternate names */
    }
    if (!krb5PrincipalName) {
        printf("Cannot map KPN object");
        return NULL;
    }
    /* loop condition after "(j" reconstructed: the HTML rendering swallowed it as a tag */
    for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && (j < CERT_INFO_SIZE-1); i++) {
        name = sk_GENERAL_NAME_value(gens, i);
        if ( name && name->type==GEN_OTHERNAME ) {
            /* test for UPN */
            if (OBJ_cmp(name->d.otherName->type_id, krb5PrincipalName))
                continue; /* object is not a UPN */
            else {
                /* NOTE: from PKINIT RFC, I deduce that stored format for kerberos
                   Principal Name is ASN1_STRING, but not sure at 100% Any help will be granted */
                unsigned char *txt;
                ASN1_TYPE *val = name->d.otherName->value;
                ASN1_STRING *str= val->value.asn1_string;
                printf("Found Kerberos Principal Name ");
                if ( ( ASN1_STRING_to_UTF8(&txt, str) ) < 0) {
                    printf("ASN1_STRING_to_UTF8() failed: %s", ERR_error_string(ERR_get_error(),NULL));
                } else {
                    printf("Adding KPN entry: %s",txt);
                    //entries[j++]= clone_str((const char *)txt);
                }
            }
        }
    }
    sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
    ASN1_OBJECT_free(krb5PrincipalName);
    if(j==0) {
        printf("Certificate does not contain a KPN entry");
        return NULL;
    }
    return entries;
}

int find_root_cert(const unsigned char **in,int len)
{
    X509 *cert1=NULL;
    X509_NAME *name;
    char *buffer;
    X509_EXTENSION *ext=NULL;
    char *test;
    int pos=0,nid;
    cert1=d2i_X509(NULL,in,len);
    printf("\n cert=%x ", cert1);
    name=X509_get_subject_name(cert1);
    buffer=X509_NAME_oneline(name, 0, 0);
    if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL)
        return -1;
    else {
#if 0
        pos=X509_get_ext_by_NID(cert1,NID_subject_alt_name, -1);
        if (pos == -1){
            printf("\n pos == -1 \n");
            return -1;
        }
        ext=X509_get_ext(cert1,pos);
        if(ext!=NULL){
            test=(char *)d2i_ASN1_IA5STRING((ASN1_IA5STRING **)&ext->value->data,NULL,0);
            printf("\n test =%s ", test);
        }
#endif
        cert_info_kpn(cert1);
        return 0;
    }
}

int main(int argc, char **argv)
{
    const unsigned char *in ;
    int len,size,ret;
    X509 *cert1=NULL;
    X509 *cert2=NULL;
    FILE *fp;
    struct stat st;
    fp = fopen("KDC.cer","r");
    stat ( (const char *)"KDC.cer",&st);
    size = st.st_size;
    in=(unsigned char *)malloc(++size);
    printf("\n length = %d ",size);
    len=fread((void *)in,1,size,fp);
    fclose(fp);
    printf("\n Len =%d",len);
    printf("\n cert=%x ", cert1);
    if(find_root_cert(&in,len)==0)
        printf("\n This is the Root\n");
    else
        printf("\n No match was found \n");
}

/* output */
length = 1001
Len =1000
cert=0
cert=86da458
Trying to find a Kerberos Principal Name in certificateFound Kerberos Principal Name ASN1_STRING_to_UTF8() failed: error::lib(0):func(0):reason(0)Certificate does not contain a KPN entry
This is the Root

[Reviewer note on the code above: (1) `d2i_X509()` is never checked — handed the PEM file it returns NULL and `X509_get_subject_name(NULL)` crashes, which is the real reason the DER conversion above is needed; check the result (or read PEM with `PEM_read_X509()`), and check `fopen()`/`stat()`/`fread()` as well. (2) `strstr()` on the `X509_NAME_oneline()` output is a substring match: it also accepts a subject such as `CN=kdc.globaledgesoft.com.example` or that text inside any other RDN, and a matching subject says nothing about who signed the certificate — compare the CN entry exactly (`X509_NAME_get_index_by_NID()`/`X509_NAME_get_entry()`) and verify the chain with `X509_verify_cert()` before calling anything "the Root"; the oneline buffer is also never freed. (3) `val->value.asn1_string` is read without checking `val->type`; as the PK-INIT reference quoted earlier in this thread shows, the otherName value is a DER SEQUENCE (KRB5PrincipalName), not a string, so `ASN1_STRING_to_UTF8()` cannot succeed on it — it has to be decoded with a d2i function for that SEQUENCE. (4) Pointers are printed with `%x`; use `%p`.]

Thanks in advance. Regards, Naveen

Christian Hohnstaedt wrote: On Wed, Sep 22, 2010 at 02:40:26PM +0530, Nave
Re: get subjectAltName
Thank you Christian, your suggestions helped us to get the position, but as you mentioned, the problem of resolving the Kerberos principal name remains. I tried Google and added a piece of code, but I am not getting the output, as shown below.

(The twelve #include lines below lost their header names when the message was rendered as HTML.)
#include #include #include #include #include #include #include #include #include #include #include #include
#define CERT_INFO_MAX_ENTRIES 15
#define CERT_INFO_SIZE 10

static char **cert_info_kpn(X509 *x509)
{
    int i,j;
    static char *entries[CERT_INFO_SIZE];
    STACK_OF(GENERAL_NAME) *gens;
    GENERAL_NAME *name;
    ASN1_OBJECT *krb5PrincipalName;
    printf("Trying to find a Kerberos Principal Name in certificate");
    gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
    krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
    if (!gens) {
        printf("No alternate name extensions");
        return NULL; /* no alternate names */
    }
    if (!krb5PrincipalName) {
        printf("Cannot map KPN object");
        return NULL;
    }
    /* loop condition after "(j" reconstructed: the HTML rendering swallowed it as a tag */
    for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && (j < CERT_INFO_SIZE-1); i++) {
        name = sk_GENERAL_NAME_value(gens, i);
        if ( name && name->type==GEN_OTHERNAME ) {
            /* test for UPN */
            if (OBJ_cmp(name->d.otherName->type_id, krb5PrincipalName))
                continue; /* object is not a UPN */
            else {
                /* NOTE: from PKINIT RFC, I deduce that stored format for kerberos
                   Principal Name is ASN1_STRING, but not sure at 100% Any help will be granted */
                unsigned char *txt;
                ASN1_TYPE *val = name->d.otherName->value;
                ASN1_STRING *str= val->value.asn1_string;
                printf("Found Kerberos Principal Name ");
                if ( ( ASN1_STRING_to_UTF8(&txt, str) ) < 0) {
                    printf("ASN1_STRING_to_UTF8() failed: %s", ERR_error_string(ERR_get_error(),NULL));
                } else {
                    printf("Adding KPN entry: %s",txt);
                    //entries[j++]= clone_str((const char *)txt);
                }
            }
        }
    }
    sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
    ASN1_OBJECT_free(krb5PrincipalName);
    if(j==0) {
        printf("Certificate does not contain a KPN entry");
        return NULL;
    }
    return entries;
}

int find_root_cert(const unsigned char **in,int len)
{
    X509 *cert1=NULL;
    X509_NAME *name;
    char *buffer;
    X509_EXTENSION *ext=NULL;
    char *test;
    int pos=0,nid;
    cert1=d2i_X509(NULL,in,len);
    printf("\n cert=%x ", cert1);
    name=X509_get_subject_name(cert1);
    buffer=X509_NAME_oneline(name, 0, 0);
    if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL)
        return -1;
    else {
#if 0
        pos=X509_get_ext_by_NID(cert1,NID_subject_alt_name, -1);
        if (pos == -1){
            printf("\n pos == -1 \n");
            return -1;
        }
        ext=X509_get_ext(cert1,pos);
        if(ext!=NULL){
            test=(char *)d2i_ASN1_IA5STRING((ASN1_IA5STRING **)&ext->value->data,NULL,0);
            printf("\n test =%s ", test);
        }
#endif
        cert_info_kpn(cert1);
        return 0;
    }
}

int main(int argc, char **argv)
{
    const unsigned char *in ;
    int len,size,ret;
    X509 *cert1=NULL;
    X509 *cert2=NULL;
    FILE *fp;
    struct stat st;
    fp = fopen("KDC.cer","r");
    stat ( (const char *)"KDC.cer",&st);
    size = st.st_size;
    in=(unsigned char *)malloc(++size);
    printf("\n length = %d ",size);
    len=fread((void *)in,1,size,fp);
    fclose(fp);
    printf("\n Len =%d",len);
    printf("\n cert=%x ", cert1);
    if(find_root_cert(&in,len)==0)
        printf("\n This is the Root\n");
    else
        printf("\n No match was found \n");
}

/* output */
length = 1001
Len =1000
cert=0
cert=86da458
Trying to find a Kerberos Principal Name in certificateFound Kerberos Principal Name ASN1_STRING_to_UTF8() failed: error::lib(0):func(0):reason(0)Certificate does not contain a KPN entry
This is the Root

[Reviewer note: `ASN1_STRING_to_UTF8()` fails because the otherName value is not a string — `val->type` is never checked, and the KRB5PrincipalName the PK-INIT reference in this thread describes is a DER SEQUENCE that needs its own d2i decoder. Separately, `d2i_X509()` is unchecked (NULL on a PEM input, then a crash in `X509_get_subject_name()`), the `strstr()` subject test is a substring match that accepts any name containing that text and does not verify the certificate's signature at all, the `X509_NAME_oneline()` buffer is leaked, and pointers are printed with `%x` instead of `%p`.]

Thanks in advance. Regards, Naveen

Christian Hohnstaedt wrote:
On Wed, Sep 22, 2010 at 02:40:26PM +0530, Naveen B.N wrote:
Hello, I am using Linux. I am trying to print the subjectAltName present in the certificate, but I am seeing a crash in /lib/libcrypto.so.6: core was generated by `./a.out'. Program terminated with signal 11, Segmentation fault. #0
get subjectAltName
Hello,

I am using Linux. I am trying to print the subjectAltName present in the certificate, but I am seeing a crash in /lib/libcrypto.so.6:

core was generated by `./a.out'.
Program terminated with signal 11, Segmentation fault.
#0  0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6
(gdb) bt
#0  0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6
#1  0x0593a786 in X509v3_get_ext_by_OBJ () from /lib/libcrypto.so.6
#2  0x0593a7ce in X509v3_get_ext_by_NID () from /lib/libcrypto.so.6
#3  0x08048870 in find_root_cert (in=0x9445a72 "", len=1002) at find_root.c:37
#4  0x080489af in main () at find_root.c:65

Help me to solve this issue. Please guide me if there is any alternative method to achieve the same. Please find the code used below.

Thanks and Regards, Naveen

/* Start code */
int find_root_cert(char *in,int len)
{
    X509 *cert1=NULL;
    X509_NAME *name;
    char *buffer;
    X509_EXTENSION *ext=NULL;
    char *test;
    int pos=0,nid;
    cert1=d2i_X509(NULL,&in,len);
    printf("\n cert=%x ", cert1);
    name=X509_get_subject_name(cert1);
    buffer=X509_NAME_oneline(name, 0, 0);
    if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL)
        return -1;
    else {
        /* the following lines were highlighted in the original message */
        nid=OBJ_sn2nid("subjectAltName");
        pos=X509v3_get_ext_by_NID (cert1,OBJ_sn2nid("subjectAltName"), -1);
        ext=X509v3_get_ext(cert1,pos);
        if(ext!=NULL){
            test=d2i_ASN1_IA5STRING(&ext->value->data,NULL,0);
            printf("\n test =%s ", test);
        }
        /* end of highlighted lines */
        return 0;
    }
}

int main(int argc, char **argv)
{
    const unsigned char *in ;
    int len,size,ret;
    X509 *cert1=NULL;
    X509 *cert2=NULL;
    FILE *fp;
    struct stat st;
    fp = fopen("kdc.cer","r");
    stat ( (const char *)"kdc.cer",&st);
    size = st.st_size;
    in=(unsigned char *)malloc(++size);
    printf("\n length = %d ",size);
    len=fread(in,1,size,fp);
    fclose(fp);
    printf("\n Len =%d",len);
    printf("\n cert=%x ", cert1);
    if(find_root_cert(in,len)==0)
        printf("\n This is the Root\n");
    else
        printf("\n No match was found \n");
}
/* End */

[Reviewer note: the backtrace ends in `X509v3_get_ext_by_NID()`, whose first parameter is a `STACK_OF(X509_EXTENSION) *`, not an `X509 *`; passing `cert1` presumably makes OpenSSL read the X509 object as if it were an extension stack, and `OBJ_cmp()` then dereferences garbage. On a certificate use `X509_get_ext_by_NID(cert1, NID_subject_alt_name, -1)` and `X509_get_ext()`. The `d2i_ASN1_IA5STRING()` call is also wrong twice over: its first argument is the output `ASN1_IA5STRING **` and the second the DER input pointer, and subjectAltName is a SEQUENCE OF GeneralName rather than an IA5String — `X509_get_ext_d2i(cert1, NID_subject_alt_name, NULL, NULL)` returns it decoded as a `GENERAL_NAMES *`. Further, `d2i_X509()` is not checked for NULL, the `X509_NAME_oneline()` buffer is leaked, and matching the subject with `strstr()` accepts any name that merely contains that substring without verifying who issued the certificate.]

__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: get subjectAltName
Resending with attachment.

Naveen B.N wrote:
Hello,

I am using Linux. I am trying to print the subjectAltName present in the certificate, but I am seeing a crash in /lib/libcrypto.so.6:

core was generated by `./a.out'.
Program terminated with signal 11, Segmentation fault.
#0  0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6
(gdb) bt
#0  0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6
#1  0x0593a786 in X509v3_get_ext_by_OBJ () from /lib/libcrypto.so.6
#2  0x0593a7ce in X509v3_get_ext_by_NID () from /lib/libcrypto.so.6
#3  0x08048870 in find_root_cert (in=0x9445a72 "", len=1002) at find_root.c:37
#4  0x080489af in main () at find_root.c:65

Help me to solve this issue. Please guide me if there is any alternative method to achieve the same. Please find the code used below; the certificate is attached.

Thanks and Regards, Naveen

/* Start code */
int find_root_cert(char *in,int len)
{
    X509 *cert1=NULL;
    X509_NAME *name;
    char *buffer;
    X509_EXTENSION *ext=NULL;
    char *test;
    int pos=0,nid;
    cert1=d2i_X509(NULL,&in,len);
    printf("\n cert=%x ", cert1);
    name=X509_get_subject_name(cert1);
    buffer=X509_NAME_oneline(name, 0, 0);
    if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL)
        return -1;
    else {
        /* the following lines were highlighted in the original message */
        nid=OBJ_sn2nid("subjectAltName");
        pos=X509v3_get_ext_by_NID (cert1,OBJ_sn2nid("subjectAltName"), -1);
        ext=X509v3_get_ext(cert1,pos);
        if(ext!=NULL){
            test=d2i_ASN1_IA5STRING(&ext->value->data,NULL,0);
            printf("\n test =%s ", test);
        }
        /* end of highlighted lines */
        return 0;
    }
}

int main(int argc, char **argv)
{
    const unsigned char *in ;
    int len,size,ret;
    X509 *cert1=NULL;
    X509 *cert2=NULL;
    FILE *fp;
    struct stat st;
    fp = fopen("kdc.cer","r");
    stat ( (const char *)"kdc.cer",&st);
    size = st.st_size;
    in=(unsigned char *)malloc(++size);
    printf("\n length = %d ",size);
    len=fread(in,1,size,fp);
    fclose(fp);
    printf("\n Len =%d",len);
    printf("\n cert=%x ", cert1);
    if(find_root_cert(in,len)==0)
        printf("\n This is the Root\n");
    else
        printf("\n No match was found \n");
}
/* End */

[Reviewer note: `X509v3_get_ext_by_NID()` and `X509v3_get_ext()` take a `STACK_OF(X509_EXTENSION) *`, not an `X509 *`, which matches the crash site in the backtrace; on a certificate use `X509_get_ext_by_NID()`/`X509_get_ext()`, or better `X509_get_ext_d2i(cert1, NID_subject_alt_name, NULL, NULL)`, which returns the subjectAltName already decoded as a `GENERAL_NAMES *` — it is a SEQUENCE OF GeneralName, not an IA5String, and `d2i_ASN1_IA5STRING()` is in any case called with its output and input arguments swapped. `d2i_X509()` is also unchecked, the `X509_NAME_oneline()` buffer is leaked, and the `strstr()` subject test is a substring match that does not verify the certificate's issuer.]

Attachment: kdc.cer (application/x509-ca-cert)