Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Reading an "otherName" value from a "subjectAltName" certificate extension

304 views
Skip to first unread message

Dustin Oprea

unread,
Apr 9, 2014, 10:59:24 AM4/9/14
to
It looks like OpenSSL always shows "unsupported" for a subjectAltName of "otherName".

The string that was written (both via M2Crypto, and directly at the commandline via openssl.cnf):

    1.2.3.4;UTF8:some other identifier

Dumped (openssl x509 -in test.crt -noout -text):

                    c3:88:36:93:82:58:0c:08:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        05:76:d5:fc:d0:44:50:af:39:76:05:b4:cb:b6:99:9f:7c:c0:

Grepping through the OpenSSL source for "otherName", this stood out to me (in v3_alt.c):

1:

    STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
                    GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
    {
        unsigned char *p;
        char oline[256], htmp[5];
        int i;
        switch (gen->type)
        {
            case GEN_OTHERNAME:
            X509V3_add_value("othername","<unsupported>", &ret);
            break;

            case GEN_X400:
            X509V3_add_value("X400Name","<unsupported>", &ret);
            break;

            case GEN_EDIPARTY:
            X509V3_add_value("EdiPartyName","<unsupported>", &ret);
            break;

2:

    int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
    {
        unsigned char *p;
        int i;
        switch (gen->type)
        {
            case GEN_OTHERNAME:
            BIO_printf(out, "othername:<unsupported>");
            break;

            case GEN_X400:
            BIO_printf(out, "X400Name:<unsupported>");
            break;

            case GEN_EDIPARTY:
            /* Maybe fix this: it is supported now */
            BIO_printf(out, "EdiPartyName:<unsupported>");
            break;

So, I'm willing to bet that both this and the empirical knowledge coming from my attempts above mean that I shouldn't ever expect that the "otherName" values will *ever* be properly rendered via the command-line or library calls. This might be because they're actual, encoded ASN.1 strings. So, how can I do it? How do people extract these values? If they are actual ASN.1 strings, is it up to the developer to decode them?



Dustin



0 new messages