Reading an "otherName" value from a "subjectAltName" certificate extension

Question

It looks like OpenSSL always shows "unsupported" for a subjectAltName of "otherName".

The string that was written (both via M2Crypto, and directly at the commandline via openssl.cnf):

1.2.3.4;UTF8:some other identifier

Dumped (openssl x509 -in test.crt -noout -text):

                c3:88:36:93:82:58:0c:08:7f
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Alternative Name: 
            othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
    05:76:d5:fc:d0:44:50:af:39:76:05:b4:cb:b6:99:9f:7c:c0:

Grepping through the OpenSSL source for "otherName", this stood out to me (in v3_alt.c):

1:

STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
                GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
{
    unsigned char *p;
    char oline[256], htmp[5];
    int i;
    switch (gen->type)
    {
        case GEN_OTHERNAME:
        X509V3_add_value("othername","<unsupported>", &ret);
        break;

        case GEN_X400:
        X509V3_add_value("X400Name","<unsupported>", &ret);
        break;

        case GEN_EDIPARTY:
        X509V3_add_value("EdiPartyName","<unsupported>", &ret);
        break;

2:

int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
{
    unsigned char *p;
    int i;
    switch (gen->type)
    {
        case GEN_OTHERNAME:
        BIO_printf(out, "othername:<unsupported>");
        break;

        case GEN_X400:
        BIO_printf(out, "X400Name:<unsupported>");
        break;

        case GEN_EDIPARTY:
        /* Maybe fix this: it is supported now */
        BIO_printf(out, "EdiPartyName:<unsupported>");
        break;

So, I'm willing to bet that both this and the empirical knowledge coming from my attempts above mean that I shouldn't ever expect that the "otherName" values will ever be properly rendered via the command-line or library calls. This might be because they're actual, encoded ASN.1 strings. So, how can I do it? How do people extract these values? If they are actual ASN.1 strings, is it up to the developer to decode them?

Answer 1

I would recommend certtool from GnuTLS.

certtool -i --infile mycert.pem

It will show the content of the otherName section:

    Extensions:
            Issuer Alternative Name (not critical):
                    otherName OID: 2.5.4.45
                    otherName DER: 03220002aaecf7af6223c412bd6f258e5f5faf3155e3376eeb58636af107944b2d343892
                    otherName ASCII: ."......b#...o%.__.1U.7n.Xcj...K-48.
                    otherName OID: 2.5.4.46
                    otherName DER: 130b444751342d444758372d32
                    otherName ASCII: ..DGQ4-DGX7-2

Install it in Ubuntu/Debian with:

apt-get install gnutls-bin

Other distros (Fedoro Homebrew, ...) name the package gnutls or gnutls-utils.

Answer 2

Found a way to print the otherName via command line:
https://serverfault.com/a/1018912/467108

Answer 3

It's true that the command-line utility does not support subjectAlternateName (SAN) in a meaningful way. But the library does support accessing these values, with programming effort.

Before I get to your specific question, please take a look at Zakir Durumeric's helpful post on OpenSSL certificate parsing. That article provides a number of helpful tips.

Here's a complete program which I tested on Linux/OpenSSL 1.0.1h. It demonstrates how to access the User Principle Name (UPN), which is found in the SAN. The OID for UPN is 1.3.6.1.4.1.311.20.2.3. If you need to find a different OID, then add your own calls to OBJ_create as I've demonstrated below.

#include <stdio.h>
#include <stdlib.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

static const unsigned char test_cert_der[] = {
    /* hex bytes of a cert in DER format */
};

int main() {
    /* In this example, we're looking for the Microsoft UPN, which is present
     * in X.509v3 certificates suitable for certificate-based authentication.
     */
    int upn_nid = OBJ_create("1.3.6.1.4.1.311.20.2.3", "UPN", "userPrincipleName");

    const unsigned char* in = test_cert_der;
    X509 *cert = d2i_X509(NULL, &in, sizeof(test_cert_der));
    if (cert == NULL) {
        printf("Error\n");
        return 1;
    }
    int version = ((int) X509_get_version(cert)) + 1;
    if (version < 3) {
        printf("Not a version 3 or later certificate.\n");
        return 1;
    }
    /* Now, we can look at the extensions. These are already parsed into an internal
     * format, a result of the call to d2i_X509(). We just need to loop through them,
     * looking for the SAN.
     */
    X509_EXTENSION *ext;
    int next = X509_get_ext_count(cert);
    int i;
    for (i=0; i < next; i++) {
        ext = X509_get_ext(cert, i);
        if (OBJ_obj2nid(ext->object) == NID_subject_alt_name) {
            /* OK, we found the SAN. Now parse its value as a stack of general names.
             */
            in = ext->value->data;
            GENERAL_NAMES *names = d2i_GENERAL_NAMES(NULL, &in, ext->value->length);
            if (names == NULL) {
                printf("GENERAL_NAMES not found\n");
                continue;
            }
            int nbr_of_names = sk_GENERAL_NAME_num(names);
            int j, nid;
            char *astr;
            for (j=0; j<nbr_of_names; j++) {
                /* Each general name has an implicit context tag that identifies its
                 * type.
                 */
                const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(names, j);
                if (current_name == NULL) {
                    continue;
                }
                switch (current_name->type) {
                    case GEN_OTHERNAME:
                        /* Is this a UPN? */
                        nid = OBJ_obj2nid(current_name->d.otherName->type_id);
                        if (nid == upn_nid) {
                            astr = (char*)ASN1_STRING_data(current_name->d.otherName->
                                    value->value.asn1_string);
                        } else {
                            /* TODO: add support for other OIDs here. */
                            astr = "GEN_OTHERNAME";
                        }
                        break;
                    case GEN_EMAIL:
                        astr = (char*)ASN1_STRING_data(current_name->d.rfc822Name);
                        break;
                    case GEN_DNS:
                        astr = (char*)ASN1_STRING_data(current_name->d.dNSName);
                        break;
                    case GEN_X400:
                        /* TODO: add support for X400 names here. */
                        astr = "GEN_X400";
                        break;
                    case GEN_DIRNAME:
                        /* TODO: add support for directory names here. */
                        astr = "GEN_DIRNAME";
                        break;
                    case GEN_EDIPARTY:
                        /* TODO: add support for EDI party names here. */
                        astr = "GEN_EDIPARTY";
                        break;
                    case GEN_URI:
                        astr = (char*)ASN1_STRING_data(current_name->d.uniformResourceIdentifier);
                        break;
                    case GEN_IPADD:
                        /* TODO: add support for IP addresses here. */
                        astr = "GEN_IPADD";
                        break;
                    case GEN_RID:
                        /* TODO: add support for registered IDs here. */
                        astr = "GEN_RID";
                        break;
                    default:
                        astr = "Unknown name type";
                        break;
                }
                printf("name #%d: %s\n", j, astr);
            }
            GENERAL_NAMES_free(names);
        }
    }
    X509_free(cert);
    /* free any resources consumed by call(s) to OBJ_create */
    OBJ_cleanup();
    return 0;
}