Hello Victor,
Thank you very much, the code you provided is extremely useful!
One more question: how do I, using the CA.pl script, generate a certificate with a subjectAltName extension of type dNSName? The ones I have already generated do not have this field set.
I suppose there is an openssl.cnf file setting for this purpose? I notice the line "#subjectAltName=email:copy" in the system's openssl.cnf file.
Thanks,
-David
Victor Duchovni <[EMAIL PROTECTED]> wrote:
On Thu, Jun 08, 2006 at 11:40:04AM -0700, david kine wrote:
> My code to retrieve the common name from the subject field is:
> X509 *cert = [code not shown]
> char pName[ 256 ];
> X509_NAME *subj;
> subj = X509_get_subject_name( cert );
> X509_NAME_get_text_by_NID( subj, NID_commonName, pName, 256 );
The encoding of the resulting buffer is not necessarily correct; you are
getting the raw ASN.1 string contents, not its UTF8 representation. While
the CN is not typically encoded for hostnames, this code is not robust.
More robust logic can be found in the Postfix 2.3 snapshot release,
currently: 2.3-20060604
http://www.postfix.org/download.html
The function tls_text_name() in src/tls/tls_verify.c handles CommonName
extraction. This extracts the first commonName. Some suggest it should
be the last, others say you should match *any* CommonName in the DN. This
is a mess, the DNS name extension is a lot cleaner. Code to insist that
there is only CN is present "#ifdef 0".
Code to look at DNSNames is in verify_extract_peer(), in src/tls/tls_client.c
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]