Reputation: 10276
It looks like OpenSSL always shows "unsupported" for a subjectAltName of "otherName".
The string that was written (both via M2Crypto, and directly at the commandline via openssl.cnf):
1.2.3.4;UTF8:some other identifier
Dumped (openssl x509 -in test.crt -noout -text):
c3:88:36:93:82:58:0c:08:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
05:76:d5:fc:d0:44:50:af:39:76:05:b4:cb:b6:99:9f:7c:c0:
Grepping through the OpenSSL source for "otherName", this stood out to me (in v3_alt.c):
1:
STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
{
unsigned char *p;
char oline[256], htmp[5];
int i;
switch (gen->type)
{
case GEN_OTHERNAME:
X509V3_add_value("othername","<unsupported>", &ret);
break;
case GEN_X400:
X509V3_add_value("X400Name","<unsupported>", &ret);
break;
case GEN_EDIPARTY:
X509V3_add_value("EdiPartyName","<unsupported>", &ret);
break;
2:
int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
{
unsigned char *p;
int i;
switch (gen->type)
{
case GEN_OTHERNAME:
BIO_printf(out, "othername:<unsupported>");
break;
case GEN_X400:
BIO_printf(out, "X400Name:<unsupported>");
break;
case GEN_EDIPARTY:
/* Maybe fix this: it is supported now */
BIO_printf(out, "EdiPartyName:<unsupported>");
break;
So, I'm willing to bet that both this and the empirical knowledge coming from my attempts above mean that I shouldn't ever expect that the "otherName" values will ever be properly rendered via the command-line or library calls. This might be because they're actual, encoded ASN.1 strings. So, how can I do it? How do people extract these values? If they are actual ASN.1 strings, is it up to the developer to decode them?
Upvotes: 5
Views: 10754
Reputation: 6308
I would recommend certtool
from GnuTLS.
certtool -i --infile mycert.pem
It will show the content of the otherName section:
Extensions: Issuer Alternative Name (not critical): otherName OID: 2.5.4.45 otherName DER: 03220002aaecf7af6223c412bd6f258e5f5faf3155e3376eeb58636af107944b2d343892 otherName ASCII: ."......b#...o%.__.1U.7n.Xcj...K-48. otherName OID: 2.5.4.46 otherName DER: 130b444751342d444758372d32 otherName ASCII: ..DGQ4-DGX7-2
Install it in Ubuntu/Debian with:
apt-get install gnutls-bin
Other distros (Fedoro Homebrew, ...) name the package gnutls
or gnutls-utils
.
Upvotes: 2
Reputation: 625
Found a way to print the otherName
via command line:
https://serverfault.com/a/1018912/467108
Upvotes: 0
Reputation: 341
It's true that the command-line utility does not support subjectAlternateName (SAN) in a meaningful way. But the library does support accessing these values, with programming effort.
Before I get to your specific question, please take a look at Zakir Durumeric's helpful post on OpenSSL certificate parsing. That article provides a number of helpful tips.
Here's a complete program which I tested on Linux/OpenSSL 1.0.1h. It demonstrates how to access the User Principle Name (UPN), which is found in the SAN. The OID for UPN is 1.3.6.1.4.1.311.20.2.3. If you need to find a different OID, then add your own calls to OBJ_create as I've demonstrated below.
#include <stdio.h>
#include <stdlib.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
static const unsigned char test_cert_der[] = {
/* hex bytes of a cert in DER format */
};
int main() {
/* In this example, we're looking for the Microsoft UPN, which is present
* in X.509v3 certificates suitable for certificate-based authentication.
*/
int upn_nid = OBJ_create("1.3.6.1.4.1.311.20.2.3", "UPN", "userPrincipleName");
const unsigned char* in = test_cert_der;
X509 *cert = d2i_X509(NULL, &in, sizeof(test_cert_der));
if (cert == NULL) {
printf("Error\n");
return 1;
}
int version = ((int) X509_get_version(cert)) + 1;
if (version < 3) {
printf("Not a version 3 or later certificate.\n");
return 1;
}
/* Now, we can look at the extensions. These are already parsed into an internal
* format, a result of the call to d2i_X509(). We just need to loop through them,
* looking for the SAN.
*/
X509_EXTENSION *ext;
int next = X509_get_ext_count(cert);
int i;
for (i=0; i < next; i++) {
ext = X509_get_ext(cert, i);
if (OBJ_obj2nid(ext->object) == NID_subject_alt_name) {
/* OK, we found the SAN. Now parse its value as a stack of general names.
*/
in = ext->value->data;
GENERAL_NAMES *names = d2i_GENERAL_NAMES(NULL, &in, ext->value->length);
if (names == NULL) {
printf("GENERAL_NAMES not found\n");
continue;
}
int nbr_of_names = sk_GENERAL_NAME_num(names);
int j, nid;
char *astr;
for (j=0; j<nbr_of_names; j++) {
/* Each general name has an implicit context tag that identifies its
* type.
*/
const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(names, j);
if (current_name == NULL) {
continue;
}
switch (current_name->type) {
case GEN_OTHERNAME:
/* Is this a UPN? */
nid = OBJ_obj2nid(current_name->d.otherName->type_id);
if (nid == upn_nid) {
astr = (char*)ASN1_STRING_data(current_name->d.otherName->
value->value.asn1_string);
} else {
/* TODO: add support for other OIDs here. */
astr = "GEN_OTHERNAME";
}
break;
case GEN_EMAIL:
astr = (char*)ASN1_STRING_data(current_name->d.rfc822Name);
break;
case GEN_DNS:
astr = (char*)ASN1_STRING_data(current_name->d.dNSName);
break;
case GEN_X400:
/* TODO: add support for X400 names here. */
astr = "GEN_X400";
break;
case GEN_DIRNAME:
/* TODO: add support for directory names here. */
astr = "GEN_DIRNAME";
break;
case GEN_EDIPARTY:
/* TODO: add support for EDI party names here. */
astr = "GEN_EDIPARTY";
break;
case GEN_URI:
astr = (char*)ASN1_STRING_data(current_name->d.uniformResourceIdentifier);
break;
case GEN_IPADD:
/* TODO: add support for IP addresses here. */
astr = "GEN_IPADD";
break;
case GEN_RID:
/* TODO: add support for registered IDs here. */
astr = "GEN_RID";
break;
default:
astr = "Unknown name type";
break;
}
printf("name #%d: %s\n", j, astr);
}
GENERAL_NAMES_free(names);
}
}
X509_free(cert);
/* free any resources consumed by call(s) to OBJ_create */
OBJ_cleanup();
return 0;
}
Upvotes: 8