How to retrieve issuer alternative name for ssl certificate by openssl

Tags: c, ssl, openssl

I can get the subject alternative name like:

X509_NAME_get_text_by_NID(X509_get_subject_name(x), NID_subject_alt_name, hc->https_domain_name, 256)

With the same method, by changing the 2nd parameter to NID_issuer_alt_name, I am expecting to get the issuer name like:

X509_NAME_get_text_by_NID(X509_get_subject_name(x), NID_issuer_alt_name, hc->https_ca_name, 256);

But instead I am getting an empty string. How can I retrieve the issuer alternative name correctly?

Kadir Erdem Demir asked Apr 08 '13 09:04



1 Answer

You could try the following solution, as recommended in https://github.com/iSECPartners/ssl-conservatory:

#include <string.h>
#include <strings.h>            /* strcasecmp */
#include <openssl/x509.h>
#include <openssl/x509v3.h>

/* Outcome of matching a hostname against the certificate's subjectAltName
 * (the enum ssl-conservatory defines for this function). */
typedef enum {
    MatchFound,
    MatchNotFound,
    NoSANPresent,
    MalformedCertificate,
    Error
} HostnameValidationResult;

static HostnameValidationResult matches_subject_alternative_name (const char *hostname, const X509 *server_cert) {
    HostnameValidationResult result = MatchNotFound;
    int i;
    int san_names_nb = -1;
    STACK_OF(GENERAL_NAME) *san_names = NULL;

    // Try to extract the names within the SAN extension from the certificate.
    // Alternative names are an X.509v3 extension, so they are decoded with
    // X509_get_ext_d2i, not looked up as an attribute of the subject DN.
    san_names = X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL);
    if (san_names == NULL) {
        return NoSANPresent;
    }
    san_names_nb = sk_GENERAL_NAME_num(san_names);

    // Check each name within the extension
    for (i=0; i<san_names_nb; i++) {
        const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);

        if (current_name->type == GEN_DNS) {
            // Current name is a DNS name, let's check it
            // (ASN1_STRING_data is deprecated since OpenSSL 1.1.0;
            //  ASN1_STRING_get0_data is the modern equivalent)
            char *dns_name = (char *) ASN1_STRING_data(current_name->d.dNSName);

            // Make sure there isn't an embedded NUL character in the DNS name
            if (ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
                result = MalformedCertificate;
                break;
            }
            else { // Compare expected hostname with the DNS name
                if (strcasecmp(hostname, dns_name) == 0) {
                    result = MatchFound;
                    break;
                }
            }
        }
    }
    sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);

    return result;
}

Hope it helps!

Paul answered Nov 11 '22 13:11