Re: get subjectAltName
Thank you Christian, it helped to decode the kerberos principal name . The code worked. Regards Naveen Christian Hohnstaedt wrote: On Wed, Sep 22, 2010 at 05:48:07PM +0530, Naveen B.N wrote: Thank you Christian, your suggestions helped us to get the position but as you mentioned the problem of resolving to kerberos principal name, i tried Google and added a piece of code but i am not getting the out put as shown below . #include #include #include #include #include #include #include #include #include #include #include #include #define CERT_INFO_MAX_ENTRIES 15 #define CERT_INFO_SIZE 10 /* http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName } Maybe this is already defined somewhere in OpenSSL - I didn't find it. */ typedef struct kdc_princname_st { ASN1_GENERALSTRING *realm; KRB5_PRINCNAME *princname; } KDC_PRINCNAME; ASN1_SEQUENCE(KDC_PRINCNAME) = { ASN1_EXP(KDC_PRINCNAME, realm, ASN1_GENERALSTRING, 0), ASN1_EXP(KDC_PRINCNAME, princname, KRB5_PRINCNAME, 1) } ASN1_SEQUENCE_END(KDC_PRINCNAME) IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME) static char **cert_info_kpn(X509 *x509) { int i,j; static char *entries[CERT_INFO_SIZE]; STACK_OF(GENERAL_NAME) *gens; GENERAL_NAME *name; ASN1_OBJECT *krb5PrincipalName; printf("Trying to find a Kerberos Principal Name in certificate"); gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1); if (!gens) { printf("No alternate name extensions"); return NULL; /* no alternate names */ } if (!krb5PrincipalName) { printf("Cannot map KPN object"); return NULL; } for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && (j name = sk_GENERAL_NAME_value(gens, i); if ( name && name->type==GEN_OTHERNAME ) { /* test for UPN */ if (OBJ_cmp(name->d.otherName->type_id, krb5PrincipalName)) continue; /* object is not a UPN */ else { /* NOTE: from PKINIT RFC, I deduce that stored format for kerberos 
Principal Name is ASN1_STRING, but not sure at 100% Any help will be granted */ unsigned char *txt; ASN1_TYPE *val = name->d.otherName->value; ASN1_STRING *str= val->value.asn1_string; printf("Found Kerberos Principal Name "); unsigned char * p = str->data; KDC_PRINCNAME *pn = d2i_KDC_PRINCNAME(NULL, &p, str->length); KRB5_PRINCNAME *princname = pn->princname; printf("Realm '%*s'\nNAMETYPE: %ld\n", pn->realm->length, pn->realm->data, ASN1_INTEGER_get(princname->nametype)); for (j=0; j < sk_ASN1_GENERALSTRING_num(princname->namestring); j++) { ASN1_GENERALSTRING *gs = sk_ASN1_GENERALSTRING_value(princname->namestring,j); printf("[%i] %*s\n", j, gs->length, gs->data); } [Reviewer note on the snippet above: d2i_KDC_PRINCNAME() returns NULL when the otherName value is not a well-formed KRB5PrincipalName, and `pn->princname` is dereferenced immediately, so a malformed certificate crashes the parser — check `pn` (and `pn->princname`, `pn->realm`) before use and release it with `KDC_PRINCNAME_free(pn)` afterwards. `%*s` is a minimum field width, not a length bound; `%.*s` prints at most `length` bytes instead of relying on a trailing NUL. The inner `for (j=0; ...)` reuses `j`, which the enclosing cert_info_kpn() loop uses as its entry counter (the later `if(j==0)` decides that no KPN was found); use a separate index. It is also worth checking `val->type == V_ASN1_SEQUENCE` before reading `val->value.asn1_string`: this value is a DER SEQUENCE rather than a character-string type, which is consistent with ASN1_STRING_to_UTF8() returning -1 with an empty error queue in the earlier attempt.] Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: get subjectAltName
On Wed, Sep 22, 2010 at 05:48:07PM +0530, Naveen B.N wrote: > Thank you Christian, > your suggestions helped us to get the position but as you mentioned the > problem > of resolving to kerberos principal name, i tried Google and added a > piece of code > but i am not getting the out put as shown below . > > #include > #include > > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > > #define CERT_INFO_MAX_ENTRIES 15 > #define CERT_INFO_SIZE 10 /* http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName } Maybe this is already defined somewhere in OpenSSL - I didn't find it. */ typedef struct kdc_princname_st { ASN1_GENERALSTRING *realm; KRB5_PRINCNAME *princname; } KDC_PRINCNAME; ASN1_SEQUENCE(KDC_PRINCNAME) = { ASN1_EXP(KDC_PRINCNAME, realm, ASN1_GENERALSTRING, 0), ASN1_EXP(KDC_PRINCNAME, princname, KRB5_PRINCNAME, 1) } ASN1_SEQUENCE_END(KDC_PRINCNAME) IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME) > static char **cert_info_kpn(X509 *x509) { >int i,j; >static char *entries[CERT_INFO_SIZE]; >STACK_OF(GENERAL_NAME) *gens; >GENERAL_NAME *name; >ASN1_OBJECT *krb5PrincipalName; >printf("Trying to find a Kerberos Principal Name in > certificate"); >gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); >krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1); >if (!gens) { >printf("No alternate name extensions"); >return NULL; /* no alternate names */ >} >if (!krb5PrincipalName) { >printf("Cannot map KPN object"); >return NULL; >} >for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && > (jname = sk_GENERAL_NAME_value(gens, i); >if ( name && name->type==GEN_OTHERNAME ) { /* test for > UPN */ >if (OBJ_cmp(name->d.otherName->type_id, > krb5PrincipalName)) continue; /* object is not a UPN */ >else { >/* NOTE: >from PKINIT RFC, I deduce that stored format for > kerberos >Principal Name is ASN1_STRING, but not sure at 100% >Any 
help will be granted >*/ >unsigned char *txt; >ASN1_TYPE *val = name->d.otherName->value; >ASN1_STRING *str= val->value.asn1_string; >printf("Found Kerberos Principal Name "); unsigned char * p = str->data; KDC_PRINCNAME *pn = d2i_KDC_PRINCNAME(NULL, &p, str->length); KRB5_PRINCNAME *princname = pn->princname; printf("Realm '%*s'\nNAMETYPE: %ld\n", pn->realm->length, pn->realm->data, ASN1_INTEGER_get(princname->nametype)); for (j=0; j < sk_ASN1_GENERALSTRING_num(princname->namestring); j++) { ASN1_GENERALSTRING *gs = sk_ASN1_GENERALSTRING_value(princname->namestring,j); printf("[%i] %*s\n", j, gs->length, gs->data); } [Reviewer note on the snippet above: d2i_KDC_PRINCNAME() returns NULL when the otherName value is not a well-formed KRB5PrincipalName, and `pn->princname` is dereferenced immediately, so a malformed certificate crashes the parser — check `pn` (and `pn->princname`, `pn->realm`) before use and release it with `KDC_PRINCNAME_free(pn)` afterwards. `%*s` is a minimum field width, not a length bound; `%.*s` prints at most `length` bytes instead of relying on a trailing NUL. The inner `for (j=0; ...)` reuses `j`, which the enclosing cert_info_kpn() loop uses as its entry counter (the later `if(j==0)` decides that no KPN was found); use a separate index. It is also worth checking `val->type == V_ASN1_SEQUENCE` before reading `val->value.asn1_string`: this value is a DER SEQUENCE rather than a character-string type, which is consistent with ASN1_STRING_to_UTF8() returning -1 with an empty error queue in the quoted attempt.] Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: get subjectAltName
Attaching the PEM format certificate used , We need to convert it to DER before using it with the below given code. Command to convert PEM to DER openssl x509 -inform PEM -in KDC.pem -outform DER -out KDC.cer Thanks and Regards Naveen Naveen B.N wrote: Thank you Christian, your suggestions helped us to get the position but as you mentioned the problem of resolving to kerberos principal name, i tried Google and added a piece of code but i am not getting the out put as shown below . #include #include #include #include #include #include #include #include #include #include #include #include #define CERT_INFO_MAX_ENTRIES 15 #define CERT_INFO_SIZE 10 static char **cert_info_kpn(X509 *x509) { int i,j; static char *entries[CERT_INFO_SIZE]; STACK_OF(GENERAL_NAME) *gens; GENERAL_NAME *name; ASN1_OBJECT *krb5PrincipalName; printf("Trying to find a Kerberos Principal Name in certificate"); gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1); if (!gens) { printf("No alternate name extensions"); return NULL; /* no alternate names */ } if (!krb5PrincipalName) { printf("Cannot map KPN object"); return NULL; } for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && (j name = sk_GENERAL_NAME_value(gens, i); if ( name && name->type==GEN_OTHERNAME ) { /* test for UPN */ if (OBJ_cmp(name->d.otherName->type_id, krb5PrincipalName)) continue; /* object is not a UPN */ else { /* NOTE: from PKINIT RFC, I deduce that stored format for kerberos Principal Name is ASN1_STRING, but not sure at 100% Any help will be granted */ unsigned char *txt; ASN1_TYPE *val = name->d.otherName->value; ASN1_STRING *str= val->value.asn1_string; printf("Found Kerberos Principal Name "); if ( ( ASN1_STRING_to_UTF8(&txt, str) ) < 0) { printf("ASN1_STRING_to_UTF8() failed: %s", ERR_error_string(ERR_get_error(),NULL)); } else { printf("Adding KPN entry: %s",txt); //entries[j++]= clone_str((const char *)txt); } } } } sk_GENERAL_NAME_pop_free(gens, 
GENERAL_NAME_free); ASN1_OBJECT_free(krb5PrincipalName); if(j==0) { printf("Certificate does not contain a KPN entry"); return NULL; } return entries; } int find_root_cert(const unsigned char **in,int len) { X509 *cert1=NULL; X509_NAME *name; char *buffer; X509_EXTENSION *ext=NULL; char *test; int pos=0,nid; cert1=d2i_X509(NULL,in,len); printf("\n cert=%x ", cert1); name=X509_get_subject_name(cert1); buffer=X509_NAME_oneline(name, 0, 0); if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL) return -1; else { #if 0 pos=X509_get_ext_by_NID(cert1,NID_subject_alt_name, -1); if (pos == -1){ printf("\n pos == -1 \n"); return -1; } ext=X509_get_ext(cert1,pos); if(ext!=NULL){ test=(char *)d2i_ASN1_IA5STRING((ASN1_IA5STRING **)&ext->value->data,NULL,0); printf("\n test =%s ", test); } #endif cert_info_kpn(cert1); return 0; } } int main(int argc, char **argv) { const unsigned char *in ; int len,size,ret; X509 *cert1=NULL; X509 *cert2=NULL; FILE *fp; struct stat st; fp = fopen("KDC.cer","r"); stat ( (const char *)"KDC.cer",&st); size = st.st_size; in=(unsigned char *)malloc(++size); printf("\n length = %d ",size); len=fread((void *)in,1,size,fp); fclose(fp); printf("\n Len =%d",len); printf("\n cert=%x ", cert1); if(find_root_cert(&in,len)==0) printf("\n This is the Root\n"); else printf("\n No match was found \n"); } [Reviewer note on find_root_cert()/main(): d2i_X509() returns NULL for input it cannot decode (for example the PEM file before the DER conversion mentioned above), yet `cert1` is handed to X509_get_subject_name() unchecked — test it and return -1. `strstr()` on the X509_NAME_oneline() output is a substring match, not a name comparison: it also accepts any longer CN that merely begins with this string, or the string appearing inside another attribute, and the function verifies neither the signature nor the issuer, so "This is the Root" is not a trust decision. Compare the CN via X509_NAME_get_index_by_NID()/X509_NAME_ENTRY_get_data() and let X509_verify_cert() establish trust. `%x` with a pointer argument is undefined behaviour (use `%p`), the `buffer` returned by X509_NAME_oneline() is never freed, and the fopen(), stat(), malloc() and fread() results are all unchecked, so a missing or short file is processed as if it were a certificate.] /* output */ length = 1001 Len =1000 cert=0 cert=86da458 Trying to find a Kerberos Principal Name in certificateFound Kerberos Principal Name ASN1_STRING_to_UTF8() failed: error::lib(0):func(0):reason(0)Certificate does not contain a KPN entry This is the Root Thanks in advance . Regards Naveen Christian Hohnstaedt wrote: On Wed, Sep 22, 2010 at 02:40:26PM +0530, Naveen B.N wrote: Hello, I am using Linux. I am trying to print the subjectAltName present in the certificate, but i am seeing crash in /lib/libcrypto.so.6 core was generated by `./a.out'. Program terminated with signal 11, Segmentation fault. #0 0x058b8a03 in OBJ
Re: get subjectAltName
Thank you Christian, your suggestions helped us to get the position but as you mentioned the problem of resolving to kerberos principal name, i tried Google and added a piece of code but i am not getting the out put as shown below . #include #include #include #include #include #include #include #include #include #include #include #include #define CERT_INFO_MAX_ENTRIES 15 #define CERT_INFO_SIZE 10 static char **cert_info_kpn(X509 *x509) { int i,j; static char *entries[CERT_INFO_SIZE]; STACK_OF(GENERAL_NAME) *gens; GENERAL_NAME *name; ASN1_OBJECT *krb5PrincipalName; printf("Trying to find a Kerberos Principal Name in certificate"); gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1); if (!gens) { printf("No alternate name extensions"); return NULL; /* no alternate names */ } if (!krb5PrincipalName) { printf("Cannot map KPN object"); return NULL; } for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && (j name = sk_GENERAL_NAME_value(gens, i); if ( name && name->type==GEN_OTHERNAME ) { /* test for UPN */ if (OBJ_cmp(name->d.otherName->type_id, krb5PrincipalName)) continue; /* object is not a UPN */ else { /* NOTE: from PKINIT RFC, I deduce that stored format for kerberos Principal Name is ASN1_STRING, but not sure at 100% Any help will be granted */ unsigned char *txt; ASN1_TYPE *val = name->d.otherName->value; ASN1_STRING *str= val->value.asn1_string; printf("Found Kerberos Principal Name "); if ( ( ASN1_STRING_to_UTF8(&txt, str) ) < 0) { printf("ASN1_STRING_to_UTF8() failed: %s", ERR_error_string(ERR_get_error(),NULL)); } else { printf("Adding KPN entry: %s",txt); //entries[j++]= clone_str((const char *)txt); } } } } sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); ASN1_OBJECT_free(krb5PrincipalName); if(j==0) { printf("Certificate does not contain a KPN entry"); return NULL; } return entries; } int find_root_cert(const unsigned char **in,int len) { X509 *cert1=NULL; X509_NAME *name; char *buffer; 
X509_EXTENSION *ext=NULL; char *test; int pos=0,nid; cert1=d2i_X509(NULL,in,len); printf("\n cert=%x ", cert1); name=X509_get_subject_name(cert1); buffer=X509_NAME_oneline(name, 0, 0); if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL) return -1; else { #if 0 pos=X509_get_ext_by_NID(cert1,NID_subject_alt_name, -1); if (pos == -1){ printf("\n pos == -1 \n"); return -1; } ext=X509_get_ext(cert1,pos); if(ext!=NULL){ test=(char *)d2i_ASN1_IA5STRING((ASN1_IA5STRING **)&ext->value->data,NULL,0); printf("\n test =%s ", test); } #endif cert_info_kpn(cert1); return 0; } } int main(int argc, char **argv) { const unsigned char *in ; int len,size,ret; X509 *cert1=NULL; X509 *cert2=NULL; FILE *fp; struct stat st; fp = fopen("KDC.cer","r"); stat ( (const char *)"KDC.cer",&st); size = st.st_size; in=(unsigned char *)malloc(++size); printf("\n length = %d ",size); len=fread((void *)in,1,size,fp); fclose(fp); printf("\n Len =%d",len); printf("\n cert=%x ", cert1); if(find_root_cert(&in,len)==0) printf("\n This is the Root\n"); else printf("\n No match was found \n"); } /* output */ length = 1001 Len =1000 cert=0 cert=86da458 Trying to find a Kerberos Principal Name in certificateFound Kerberos Principal Name ASN1_STRING_to_UTF8() failed: error::lib(0):func(0):reason(0)Certificate does not contain a KPN entry This is the Root Thanks in advance . Regards Naveen Christian Hohnstaedt wrote: On Wed, Sep 22, 2010 at 02:40:26PM +0530, Naveen B.N wrote: Hello, I am using Linux. I am trying to print the subjectAltName present in the certificate, but i am seeing crash in /lib/libcrypto.so.6 core was generated by `./a.out'. Program terminated with signal 11, Segmentation fault. #0 0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6 (gdb) bt #0 0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6 #1 0x0593a786 in X509v3_get_ext_by_OBJ () from /lib/libcrypto.so.6 #2 0x0593a7ce in X509v3_get_ext_by_NID () from /lib/libcrypto.so.6 #3 0x08048870 in fin
Re: get subjectAltName
On Wed, Sep 22, 2010 at 02:40:26PM +0530, Naveen B.N wrote: > Hello, > I am using Linux. > I am trying to print the subjectAltName present in the certificate, but > i am seeing crash in /lib/libcrypto.so.6 > core was generated by `./a.out'. > Program terminated with signal 11, Segmentation fault. > #0 0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6 > (gdb) bt > #0 0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6 > #1 0x0593a786 in X509v3_get_ext_by_OBJ () from /lib/libcrypto.so.6 > #2 0x0593a7ce in X509v3_get_ext_by_NID () from /lib/libcrypto.so.6 > #3 0x08048870 in find_root_cert (in=0x9445a72 "", len=1002) at > find_root.c:37 > #4 0x080489af in main () at find_root.c:65 > > Help me to solve this issue. Please guide, if any other alternative to > method to achieve the same > Please find the code used below. First hint: look at the warnings issued by the compiler. They usually indicate you are doing something wrong. > > Thanks and Regards > Naveen > > / Start code ***/int find_root_cert(char > *in,int len) > { >X509 *cert1=NULL; >X509_NAME *name; >char *buffer; X509_EXTENSION *ext=NULL; >char *test; >int pos=0,nid; > >cert1=d2i_X509(NULL,&in,len); >printf("\n cert=%x ", cert1); >name=X509_get_subject_name(cert1); >buffer=X509_NAME_oneline(name, 0, 0); >if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL) >return -1; >else >{* nid=OBJ_sn2nid("subjectAltName"); >pos=X509v3_get_ext_by_NID (cert1,OBJ_sn2nid("subjectAltName"), -1); /* no need to translate constant string ("subjectAltName") to NID Use the nid constant directly: NID_subject_alt_name X509v3_get_ext_by_NID() expects a STACK_OF(X509_EXTENSION) * (the extension list), not an X509 *; passing the certificate here is consistent with the crash inside OBJ_cmp() in your backtrace X509_get_ext_by_NID() expects a cert as first argument */ pos=X509_get_ext_by_NID (cert1, NID_subject_alt_name, -1); /* need to check for existence of subjectAltName */ if (pos == -1) ERROR(); > ext=X509v3_get_ext(cert1,pos); Same as above: use X509_get_ext() instead. The compiler told you about incompatible pointer types. Don't ignore it. 
>if(ext!=NULL){ >test=d2i_ASN1_IA5STRING(&ext->value->data,NULL,0); It is not that easy The subaltname is tagged as otherName in the kdc.cer You need to parse the othername, which contains the OID 1.3.6.1.5.2.2 which indicates a DER encoded KRB5PrincipalName search Google for the OID Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
get subjectAltName
Hello, I am using Linux. I am trying to print the subjectAltName present in the certificate, but i am seeing crash in /lib/libcrypto.so.6 core was generated by `./a.out'. Program terminated with signal 11, Segmentation fault. #0 0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6 (gdb) bt #0 0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6 #1 0x0593a786 in X509v3_get_ext_by_OBJ () from /lib/libcrypto.so.6 #2 0x0593a7ce in X509v3_get_ext_by_NID () from /lib/libcrypto.so.6 #3 0x08048870 in find_root_cert (in=0x9445a72 "", len=1002) at find_root.c:37 #4 0x080489af in main () at find_root.c:65 Help me to solve this issue. Please guide, if any other alternative to method to achieve the same Please find the code used below. Thanks and Regards Naveen / Start code ***/int find_root_cert(char *in,int len) { X509 *cert1=NULL; X509_NAME *name; char *buffer; X509_EXTENSION *ext=NULL; char *test; int pos=0,nid; cert1=d2i_X509(NULL,&in,len); printf("\n cert=%x ", cert1); name=X509_get_subject_name(cert1); buffer=X509_NAME_oneline(name, 0, 0); if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL) return -1; else {* nid=OBJ_sn2nid("subjectAltName"); pos=X509v3_get_ext_by_NID (cert1,OBJ_sn2nid("subjectAltName"), -1); ext=X509v3_get_ext(cert1,pos); if(ext!=NULL){ test=d2i_ASN1_IA5STRING(&ext->value->data,NULL,0); printf("\n test =%s ", test);* } return 0; } } int main(int argc, char **argv) { const unsigned char *in ; int len,size,ret; X509 *cert1=NULL; X509 *cert2=NULL; FILE *fp; struct stat st; fp = fopen("kdc.cer","r"); stat ( (const char *)"kdc.cer",&st); size = st.st_size; in=(unsigned char *)malloc(++size); printf("\n length = %d ",size); len=fread(in,1,size,fp); fclose(fp); printf("\n Len =%d",len); printf("\n cert=%x ", cert1); if(find_root_cert(in,len)==0) printf("\n This is the Root\n"); else printf("\n No match was found \n"); } /* End / __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: get subjectAltName
Resending with attachment .. Naveen B.N wrote: Hello, I am using Linux. I am trying to print the subjectAltName present in the certificate, but i am seeing crash in /lib/libcrypto.so.6 core was generated by `./a.out'. Program terminated with signal 11, Segmentation fault. #0 0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6 (gdb) bt #0 0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6 #1 0x0593a786 in X509v3_get_ext_by_OBJ () from /lib/libcrypto.so.6 #2 0x0593a7ce in X509v3_get_ext_by_NID () from /lib/libcrypto.so.6 #3 0x08048870 in find_root_cert (in=0x9445a72 "", len=1002) at find_root.c:37 #4 0x080489af in main () at find_root.c:65 Help me to solve this issue. Please guide, if any other alternative to method to achieve the same Please find the code used below and certificate is attached. Thanks and Regards Naveen / Start code ***/int find_root_cert(char *in,int len) { X509 *cert1=NULL; X509_NAME *name; char *buffer; X509_EXTENSION *ext=NULL; char *test; int pos=0,nid; cert1=d2i_X509(NULL,&in,len); printf("\n cert=%x ", cert1); name=X509_get_subject_name(cert1); buffer=X509_NAME_oneline(name, 0, 0); if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL) return -1; else { * nid=OBJ_sn2nid("subjectAltName"); pos=X509v3_get_ext_by_NID (cert1,OBJ_sn2nid("subjectAltName"), -1); ext=X509v3_get_ext(cert1,pos); if(ext!=NULL){ test=d2i_ASN1_IA5STRING(&ext->value->data,NULL,0); printf("\n test =%s ", test);* } return 0; } } int main(int argc, char **argv) { const unsigned char *in ; int len,size,ret; X509 *cert1=NULL; X509 *cert2=NULL; FILE *fp; struct stat st; fp = fopen("kdc.cer","r"); stat ( (const char *)"kdc.cer",&st); size = st.st_size; in=(unsigned char *)malloc(++size); printf("\n length = %d ",size); len=fread(in,1,size,fp); fclose(fp); printf("\n Len =%d",len); printf("\n cert=%x ", cert1); if(find_root_cert(in,len)==0) printf("\n This is the Root\n"); else printf("\n No match was found \n"); } /* End / kdc.cer Description: application/x509-ca-cert