Thank you Christian, it helped to decode the Kerberos principal name.
The code worked.
Regards
Naveen
Christian Hohnstaedt wrote:
On Wed, Sep 22, 2010 at 05:48:07PM +0530, Naveen B.N wrote:
Thank you Christian,
Your suggestions helped us to get the position, but as you mentioned the problem of resolving to the Kerberos principal name, I tried Google and added a piece of code, but I am not getting the output as shown below.
#include <stdio.h>
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>      /* ASN1_SEQUENCE / IMPLEMENT_ASN1_FUNCTIONS macros */
#include <openssl/objects.h>    /* OBJ_txt2obj, OBJ_cmp */
#include <openssl/x509.h>
#include <openssl/x509v3.h>     /* GENERAL_NAME, X509_get_ext_d2i */
#define CERT_INFO_MAX_ENTRIES 15
#define CERT_INFO_SIZE 10
/*
http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html
KRB5PrincipalName ::= SEQUENCE {
    realm [0] Realm,
    principalName [1] PrincipalName
}
PrincipalName ::= SEQUENCE {
    name-type [0] Int32,
    name-string [1] SEQUENCE OF KerberosString
}
Maybe this is already defined somewhere in OpenSSL - I didn't find it.
*/
/* PrincipalName. The posted snippet used KRB5_PRINCNAME without defining it;
   the definition below is filled in from the ASN.1 above and from the two
   fields (nametype, namestring) the code reads. */
typedef struct krb5_princname_st
{
    ASN1_INTEGER *nametype;
    STACK_OF(ASN1_GENERALSTRING) *namestring;
} KRB5_PRINCNAME;
ASN1_SEQUENCE(KRB5_PRINCNAME) = {
    ASN1_EXP(KRB5_PRINCNAME, nametype, ASN1_INTEGER, 0),
    ASN1_EXP_SEQUENCE_OF(KRB5_PRINCNAME, namestring, ASN1_GENERALSTRING, 1)
} ASN1_SEQUENCE_END(KRB5_PRINCNAME)
IMPLEMENT_ASN1_FUNCTIONS(KRB5_PRINCNAME)
/* KRB5PrincipalName: the otherName value carried under id-pkinit-san */
typedef struct kdc_princname_st
{
    ASN1_GENERALSTRING *realm;
    KRB5_PRINCNAME *princname;
} KDC_PRINCNAME;
ASN1_SEQUENCE(KDC_PRINCNAME) = {
    ASN1_EXP(KDC_PRINCNAME, realm, ASN1_GENERALSTRING, 0),
    ASN1_EXP(KDC_PRINCNAME, princname, KRB5_PRINCNAME, 1)
} ASN1_SEQUENCE_END(KDC_PRINCNAME)
IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME)
static char **cert_info_kpn(X509 *x509) {
    int i, j, k;
    static char *entries[CERT_INFO_SIZE];
    STACK_OF(GENERAL_NAME) *gens;
    GENERAL_NAME *name;
    ASN1_OBJECT *krb5PrincipalName;
    printf("Trying to find a Kerberos Principal Name in certificate\n");
    gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
    /* id-pkinit-san (RFC 4556); no_name=1 so an OID unknown to OpenSSL is still created */
    krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
    if (!gens) {
        printf("No alternate name extensions\n");
        ASN1_OBJECT_free(krb5PrincipalName);
        return NULL; /* no alternate names */
    }
    if (!krb5PrincipalName) {
        printf("Cannot map KPN object\n");
        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
        return NULL;
    }
    /* j counts matches found; entries[] has CERT_INFO_SIZE slots, so stop one
       short of that to leave room for a terminating NULL (the original bound of
       CERT_INFO_MAX_ENTRIES = 15 could overrun the 10-slot array). */
    for (i = 0, j = 0; (i < sk_GENERAL_NAME_num(gens)) && (j < CERT_INFO_SIZE - 1); i++) {
        name = sk_GENERAL_NAME_value(gens, i);
        if (!name || name->type != GEN_OTHERNAME)
            continue; /* only an otherName can carry a KPN */
        if (OBJ_cmp(name->d.otherName->type_id, krb5PrincipalName))
            continue; /* object is not a KPN */
        /* NOTE:
           from PKINIT RFC, I deduce that stored format for kerberos
           Principal Name is ASN1_STRING, but not sure at 100%
           Any help will be granted
           (the otherName value is an ASN1_TYPE; for a KPN it is a
           V_ASN1_SEQUENCE whose ASN1_STRING holds the DER of the whole
           KRB5PrincipalName SEQUENCE, which d2i decodes below) */
        ASN1_TYPE *val = name->d.otherName->value;
        if (!val || val->type != V_ASN1_SEQUENCE)
            continue; /* malformed: a KPN must be a SEQUENCE */
        ASN1_STRING *str = val->value.sequence;
        const unsigned char *p = str->data; /* d2i advances its own copy of p */
        KDC_PRINCNAME *pn = d2i_KDC_PRINCNAME(NULL, &p, str->length);
        if (!pn) {
            printf("Cannot decode Kerberos Principal Name\n");
            continue;
        }
        printf("Found Kerberos Principal Name\n");
        KRB5_PRINCNAME *princname = pn->princname;
        /* %.*s: ASN1_STRING data is not NUL-terminated, so print exactly
           length bytes (%*s would be a field width and read past the end) */
        printf("Realm '%.*s'\nNAMETYPE: %ld\n",
               pn->realm->length, pn->realm->data,
               ASN1_INTEGER_get(princname->nametype));
        for (k = 0; k < sk_ASN1_GENERALSTRING_num(princname->namestring); k++) {
            ASN1_GENERALSTRING *gs = sk_ASN1_GENERALSTRING_value(princname->namestring, k);
            printf("[%i] %.*s\n", k, gs->length, gs->data);
        }
        KDC_PRINCNAME_free(pn);
        j++;
    }
    /* The posted snippet stopped inside the loop; cleanup and return are added
       so it compiles. entries[] is only NULL-terminated here, because the
       snippet prints the name and does not store it. */
    entries[0] = NULL;
    sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
    ASN1_OBJECT_free(krb5PrincipalName);
    return j ? entries : NULL;
}
Cheers
Christian
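The OpenSSL ASN.1 templates above hide what the KRB5PrincipalName otherName actually looks like on the wire, and the snippet trusts the decoder to bound every read. As an added example (not code from this thread or from OpenSSL), the following self-contained C program decodes the same structure by hand from a constructed DER sample, with every tag and length checked against the buffer before it is read, so truncated or oversized input is rejected instead of over-read. The sample bytes (realm EXAMPLE.COM, name-type 1, name-string ["naveen"]) are constructed for this example, and the type names krb5_pn_t and der_t are this example's own, not OpenSSL's.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_NAME_PARTS 8
#define MAX_STR 64

/* Decoded KRB5PrincipalName (RFC 4556 / the Heimdal page cited above). */
typedef struct { char realm[MAX_STR]; long name_type; int n_parts;
                 char parts[MAX_NAME_PARTS][MAX_STR]; } krb5_pn_t;
/* Cursor over a DER byte range; every read below is checked against end. */
typedef struct { const uint8_t *p, *end; } der_t;

/* Read one TLV whose tag must equal `tag`: sets *body/*len to the content
   octets, advances past it and returns 1. Returns 0 for a wrong tag, an
   indefinite length, or a length that runs past the buffer. */
static int der_tlv(der_t *c, uint8_t tag, const uint8_t **body, size_t *len)
{
    if (c->end - c->p < 2 || c->p[0] != tag) return 0;
    size_t l = c->p[1];
    const uint8_t *q = c->p + 2;
    if (l & 0x80) {                          /* long form: 1..4 length octets */
        size_t n = l & 0x7f;
        if (n == 0 || n > 4 || (size_t)(c->end - q) < n) return 0;
        for (l = 0; n > 0; n--, q++) l = (l << 8) | *q;
    }
    if ((size_t)(c->end - q) < l) return 0;
    *body = q; *len = l; c->p = q + l;
    return 1;
}

/* Copy non-NUL-terminated DER string content into a bounded C string. */
static int copy_str(const uint8_t *b, size_t len, char *out, size_t cap)
{
    if (len >= cap) return 0;
    memcpy(out, b, len); out[len] = '\0';
    return 1;
}

/* Parse DER KRB5PrincipalName into *out (NULL = validate only): 1 on success, 0 on error. */
static int parse_krb5_principal_name(const uint8_t *der, size_t der_len, krb5_pn_t *out)
{
    krb5_pn_t tmp; const uint8_t *b; size_t l; uint32_t v = 0;
    der_t c = { der, der + der_len };
    if (!out) out = &tmp;
    memset(out, 0, sizeof *out);
    if (!der_tlv(&c, 0x30, &b, &l)) return 0;             /* KRB5PrincipalName SEQUENCE */
    der_t seq = { b, b + l };
    if (!der_tlv(&seq, 0xa0, &b, &l)) return 0;           /* [0] Realm */
    der_t ctx = { b, b + l };
    if (!der_tlv(&ctx, 0x1b, &b, &l)) return 0;           /* GeneralString */
    if (!copy_str(b, l, out->realm, MAX_STR)) return 0;
    if (!der_tlv(&seq, 0xa1, &b, &l)) return 0;           /* [1] PrincipalName */
    der_t pn = { b, b + l };
    if (!der_tlv(&pn, 0x30, &b, &l)) return 0;            /* PrincipalName SEQUENCE */
    der_t pns = { b, b + l };
    if (!der_tlv(&pns, 0xa0, &b, &l)) return 0;           /* [0] name-type */
    der_t nt = { b, b + l };
    if (!der_tlv(&nt, 0x02, &b, &l) || l == 0 || l > 4) return 0;  /* INTEGER (Int32) */
    if (b[0] & 0x80) v = 0xffffffffu;                     /* two's-complement sign extend */
    for (size_t i = 0; i < l; i++) v = (v << 8) | b[i];
    out->name_type = (int32_t)v;
    if (!der_tlv(&pns, 0xa1, &b, &l)) return 0;           /* [1] name-string */
    der_t ns = { b, b + l };
    if (!der_tlv(&ns, 0x30, &b, &l)) return 0;            /* SEQUENCE OF KerberosString */
    der_t items = { b, b + l };
    while (items.p < items.end) {
        if (out->n_parts >= MAX_NAME_PARTS) return 0;
        if (!der_tlv(&items, 0x1b, &b, &l)) return 0;
        if (!copy_str(b, l, out->parts[out->n_parts], MAX_STR)) return 0;
        out->n_parts++;
    }
    /* Reject an empty name-string and any trailing bytes after the structure. */
    return out->n_parts > 0 && seq.p == seq.end && c.p == c.end;
}

/* Constructed sample (not from any real certificate): realm "EXAMPLE.COM",
   name-type 1 (NT-PRINCIPAL), name-string ["naveen"]. */
static const uint8_t SAMPLE_KPN[] = {
    0x30, 0x24,                                  /* KRB5PrincipalName, 36 content bytes */
    0xa0, 0x0d, 0x1b, 0x0b, 'E','X','A','M','P','L','E','.','C','O','M',
    0xa1, 0x13, 0x30, 0x11,                      /* [1] PrincipalName SEQUENCE */
    0xa0, 0x03, 0x02, 0x01, 0x01,                /* [0] name-type INTEGER 1 */
    0xa1, 0x0a, 0x30, 0x08, 0x1b, 0x06, 'n','a','v','e','e','n'
};

/* 1 if the sample decodes to exactly EXAMPLE.COM, NT-PRINCIPAL, ["naveen"]. */
static int sample_decodes_as_expected(void)
{
    krb5_pn_t pn;
    return parse_krb5_principal_name(SAMPLE_KPN, sizeof SAMPLE_KPN, &pn)
        && strcmp(pn.realm, "EXAMPLE.COM") == 0 && pn.name_type == 1
        && pn.n_parts == 1 && strcmp(pn.parts[0], "naveen") == 0;
}

int main(void)
{
    krb5_pn_t pn;
    if (!parse_krb5_principal_name(SAMPLE_KPN, sizeof SAMPLE_KPN, &pn)) return 1;
    printf("Realm '%s'\nNAMETYPE: %ld\n", pn.realm, pn.name_type);
    for (int i = 0; i < pn.n_parts; i++) printf("[%d] %s\n", i, pn.parts[i]);
    return 0;
}
```

The byte layout in SAMPLE_KPN is exactly the nesting the two ASN1_SEQUENCE templates describe: an outer SEQUENCE, an explicit [0] wrapping the GeneralString realm, and an explicit [1] wrapping the PrincipalName SEQUENCE with its own [0] INTEGER and [1] SEQUENCE OF GeneralString. Cutting the sample one byte short makes parse_krb5_principal_name return 0 at the first length check, which is the behaviour a validator fed untrusted certificate extensions needs.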
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org