On Thu, Jun 08, 2006 at 11:40:04AM -0700, david kine wrote:

> My code to retrieve the common name from the subject field is:
>
> X509 *cert = [code not shown]
> char pName[ 256 ];
> X509_NAME *subj;
> subj = X509_get_subject_name( cert );
> X509_NAME_get_text_by_NID( subj, NID_commonName, pName,
> 256);

The encoding of the resulting buffer is not necessarily correct, you are getting the raw ASN.1 string contents, not its UTF8 representation. While the CN is not typically encoded for hostnames, this code is not robust.

More robust logic can be found in the Postfix 2.3 snapshot release, currently:

    2.3-20060604 http://www.postfix.org/download.html

The function tls_text_name() in src/tls/tls_verify.c handles CommonName extraction. This extracts the first commonName. Some suggest it should be the last, others say you should match *any* CommonName in the DN. This is a mess, the DNS name extension is a lot cleaner.

Code to insist that there is only CN is present "#ifdef 0". Code to look at DNSNames is in verify_extract_peer(), in src/tls/tls_client.c

--
    Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
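
Added example, not part of the original message and not Postfix's tls_text_name() or OpenSSL code: a dependency-free C model of the point made in the reply, converting raw ASN.1 string contents to UTF-8 according to their type and rejecting embedded NULs, where a raw copy of a BMPString CN would read as an empty C string. The names cn_to_utf8, put_utf8, TAG_* and the sample bytes are assumptions made for illustration; with OpenSSL the conversion step itself is done by ASN1_STRING_to_UTF8().

```c
#include <stddef.h>
#include <stdint.h>

/* ASN.1 universal tag numbers of the string types handled here. */
enum { TAG_UTF8 = 12, TAG_PRINTABLE = 19, TAG_IA5 = 22, TAG_BMP = 30 };

/* Constructed samples: "a.b" as BMPString contents (UCS-2, big-endian),
 * and IA5String contents with an embedded NUL byte. */
static const unsigned char SAMPLE_BMP[] = { 0, 'a', 0, '.', 0, 'b' };
static const unsigned char SAMPLE_NUL[] = { 'a', '.', 'b', 0, '.', 'c' };

/* Encode one code point <= 0xFFFF as UTF-8; returns the byte count. */
static size_t put_utf8(uint32_t cp, char *out)
{
    size_t n = 0;
    if (cp < 0x80) { out[0] = (char)cp; return 1; }
    if (cp >= 0x800) out[n++] = (char)(0xE0 | (cp >> 12));
    out[n++] = (char)((cp < 0x800 ? 0xC0 : 0x80) | ((cp >> 6) & 0x3F));
    out[n++] = (char)(0x80 | (cp & 0x3F));
    return n;
}

/* Raw ASN.1 string contents -> NUL-terminated UTF-8. Returns the length, or
 * -1 for an unsupported type, malformed contents, an embedded NUL or control
 * character, or a result that does not fit. UTF8String bytes >= 0x80 are
 * copied through without further validation. */
int cn_to_utf8(int tag, const unsigned char *raw, size_t len,
               char *out, size_t outlen)
{
    size_t step = (tag == TAG_BMP) ? 2 : 1, n = 0, i;
    if (tag != TAG_UTF8 && tag != TAG_PRINTABLE && tag != TAG_IA5 && tag != TAG_BMP)
        return -1;
    if (outlen == 0 || len % step != 0)
        return -1;                      /* no room, or odd-length BMPString */
    for (i = 0; i < len; i += step) {
        uint32_t cp = (step == 2) ? ((uint32_t)raw[i] << 8) | raw[i + 1] : raw[i];
        char buf[3] = { (char)cp };
        size_t k, w = (step == 2) ? put_utf8(cp, buf) : 1;
        if (cp < 0x20 || cp == 0x7F || (cp >= 0xD800 && cp <= 0xDFFF))
            return -1;                  /* NUL, control char or surrogate */
        if (step == 1 && cp >= 0x80 && tag != TAG_UTF8)
            return -1;                  /* non-ASCII byte in an ASCII type */
        if (n + w >= outlen)
            return -1;                  /* keep room for the terminator */
        for (k = 0; k < w; k++) out[n++] = buf[k];
    }
    out[n] = '\0';
    return (int)n;
}
```

A caller that gets -1 should treat the certificate name as unusable rather than fall back to the raw bytes.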