Re: get subjectAltName

Wed, 22 Sep 2010 06:46:54 -0700 

Attaching  the PEM format certificate used ,
We need to convert it to DER before using it with the below given code.
Command to convert PEM to DER
openssl x509 -inform PEM -in KDC.pem -outform DER -out KDC.cer

Thanks and Regards
Naveen
Naveen B.N wrote:

Thank you Christian,
your suggestions helped us to get the position but as you mentioned the problem of resolving to kerberos principal name, i tried Google and added a piece of code 
but i am not getting the out put  as  shown below .

#include <stdio.h>
#include <string.h>

#include <openssl/sha.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <openssl/bio.h>
#include <openssl/buffer.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define CERT_INFO_MAX_ENTRIES 15
#define CERT_INFO_SIZE 10
static char **cert_info_kpn(X509 *x509) {
       int i,j;
           static char *entries[CERT_INFO_SIZE];
           STACK_OF(GENERAL_NAME) *gens;
           GENERAL_NAME *name;
           ASN1_OBJECT *krb5PrincipalName;
printf("Trying to find a Kerberos Principal Name in certificate"); gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); 
           krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
           if (!gens) {
                   printf("No alternate name extensions");
                   return NULL; /* no alternate names */
           }
           if (!krb5PrincipalName) {
                   printf("Cannot map KPN object");
                   return NULL;
           }
for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && (j<CERT_INFO_MAX_ENTRIES); i++) { 
               name = sk_GENERAL_NAME_value(gens, i);
if ( name && name->type==GEN_OTHERNAME ) { /* test for UPN */ if (OBJ_cmp(name->d.otherName->type_id, krb5PrincipalName)) continue; /* object is not a UPN */ 
                   else {
                       /* NOTE:
from PKINIT RFC, I deduce that stored format for kerberos Principal Name is ASN1_STRING, but not sure at 100% 
                       Any help will be granted
                       */
                       unsigned char *txt;
                       ASN1_TYPE *val = name->d.otherName->value;
                       ASN1_STRING *str= val->value.asn1_string;
                       printf("Found Kerberos Principal Name ");
                       if ( ( ASN1_STRING_to_UTF8(&txt, str) ) < 0) {
printf("ASN1_STRING_to_UTF8() failed: %s", ERR_error_string(ERR_get_error(),NULL)); 
                       } else {
                           printf("Adding KPN entry: %s",txt);
                           //entries[j++]= clone_str((const char *)txt);
                       }
                   }
               }
           }
           sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
           ASN1_OBJECT_free(krb5PrincipalName);
           if(j==0) {
               printf("Certificate does not contain a KPN entry");
               return NULL;
           }
           return entries;
}

int find_root_cert(const unsigned char **in,int len)
{
   X509 *cert1=NULL;
   X509_NAME *name;
   char *buffer;      X509_EXTENSION *ext=NULL;
   char *test;
   int pos=0,nid;

   cert1=d2i_X509(NULL,in,len);
   printf("\n cert=%x ", cert1);
   name=X509_get_subject_name(cert1);
   buffer=X509_NAME_oneline(name, 0, 0);
   if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL)
       return -1;
   else
   {   #if 0
       pos=X509_get_ext_by_NID(cert1,NID_subject_alt_name, -1);
       if (pos == -1){
           printf("\n pos == -1 \n");
           return -1;
       }
         ext=X509_get_ext(cert1,pos);
       if(ext!=NULL){
test=(char *)d2i_ASN1_IA5STRING((ASN1_IA5STRING **)&ext->value->data,NULL,0); 
       printf("\n test =%s ", test);
       }
#endif
   cert_info_kpn(cert1);
       return 0;
   }
}

int main(int argc, char **argv)
{
   const unsigned char *in ;
   int len,size,ret;
   X509 *cert1=NULL;
   X509 *cert2=NULL;
   FILE   *fp;
   struct stat st;

   fp = fopen("KDC.cer","r");
   stat ( (const char *)"KDC.cer",&st);
   size = st.st_size;
   in=(unsigned char *)malloc(++size);
   printf("\n length = %d ",size);
   len=fread((void *)in,1,size,fp);
       fclose(fp);
   printf("\n Len =%d",len);
   printf("\n cert=%x ", cert1);
   if(find_root_cert(&in,len)==0)
       printf("\n This is the Root\n");
   else
       printf("\n No match was found \n");
}


/* output */

length = 1001
Len =1000
cert=0
cert=86da458 Trying to find a Kerberos Principal Name in certificateFound Kerberos Principal Name ASN1_STRING_to_UTF8() failed: error:00000000:lib(0):func(0):reason(0)Certificate does not contain a KPN entry 
This is the Root

Thanks in advance .

Regards
Naveen


Christian Hohnstaedt wrote:

On Wed, Sep 22, 2010 at 02:40:26PM +0530, Naveen B.N wrote:

Hello,
I am using Linux.
I am trying to print the subjectAltName present in the certificate, but i am seeing crash in /lib/libcrypto.so.6 
core was generated by `./a.out'.
Program terminated with signal 11, Segmentation fault.
#0  0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6
(gdb) bt
#0  0x058b8a03 in OBJ_cmp () from /lib/libcrypto.so.6
#1  0x0593a786 in X509v3_get_ext_by_OBJ () from /lib/libcrypto.so.6
#2  0x0593a7ce in X509v3_get_ext_by_NID () from /lib/libcrypto.so.6
#3 0x08048870 in find_root_cert (in=0x9445a72 "", len=1002) at find_root.c:37 
#4  0x080489af in main () at find_root.c:65
Help me to solve this issue. Please guide, if any other alternative to method to achieve the same 
Please find the code used below.


First hint: look at the warnings issued by the compiler.
They usually indicate you are doing something wrong.


Thanks and Regards
Naveen
/************ Start code ***************/int find_root_cert(char *in,int len) 
{
   X509 *cert1=NULL;
   X509_NAME *name;
   char *buffer;       X509_EXTENSION *ext=NULL;
   char *test;
   int pos=0,nid;

   cert1=d2i_X509(NULL,&in,len);
   printf("\n cert=%x ", cert1);
   name=X509_get_subject_name(cert1);
   buffer=X509_NAME_oneline(name, 0, 0);
   if(strstr(buffer,"CN=kdc.globaledgesoft.com")==NULL)
       return -1;
   else
   {        *   nid=OBJ_sn2nid("subjectAltName");
pos=X509v3_get_ext_by_NID (cert1,OBJ_sn2nid("subjectAltName"), -1); 

/* no need to translate constant string ("subjectAltName") to NID
   Use the nid constant directly: NID_subject_alt_name
   X509v3_get_ext_by_NID() expects a pointer to extensions
   X509_get_ext_by_NID() expects a cert as first argument
*/
pos=X509_get_ext_by_NID (cert1, NID_subject_alt_name, -1);

/* need to check for existance of subjectAltName */
if (pos == -1)
   ERROR();

         ext=X509v3_get_ext(cert1,pos);


Same as above: use X509_get_ext() instead.
The compiler told you about incompatible pointer types. Don't ignore it.


       if(ext!=NULL){
       test=d2i_ASN1_IA5STRING(&ext->value->data,NULL,0);


It is not that easy....

The subaltname is tagged as otherName in the kdc.cer
You need to parse the othername, which contains the OID
1.3.6.1.5.2.2
which indicates a DER encoded KRB5PrincipalName
search Google for the OID


Cheers
    Christian
______________________________________________________________________ 
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Attachment: KDC.pem
Description: application/x509-ca-cert

Reply via email to