[Help-gnutls] Parsing certificate extensions and issuer alt names
Brad Hards
bradh at frogmouth.net
Tue Jul 14 12:05:19 CEST 2009
On Tuesday 14 July 2009 19:46:10 Brad Hards wrote:
> On Monday 13 July 2009 16:33:48 Nikos Mavrogiannopoulos wrote:
> > Actually I think it might be much easier to do that inside gnutls by
> > extending get_subject_alt_name() to be able to accept the OID as
> > parameter to parse the 2.5.29.18 extension as well. Then would be easy
> > to submit a gnutls_x509_crt_get_issuer_alt_name that can be added to
> > gnutls.
>
> I had a first cut at this. See attached patch.
[I realise this can't be applied yet - I'm just looking for feedback]
Here is an example that I was sent a while ago, and what I see running it through
certtool. Do you think it is worth adding that as a unit test?
$ ./src/certtool --infile ~/devel/kde-src/kdesupport/qca/unittest/certunittest/certs/76.pem -i
X.509 Certificate Information:
Version: 3
Serial Number (hex): 76
Issuer: C=SE,O=Stockholms universitet,CN=Stockholm University CA
Validity:
Not Before: Wed Mar 22 09:15:28 UTC 2006
Not After: Thu Mar 22 09:15:28 UTC 2007
Subject: C=SE,O=Stockholms universitet,CN=sip1.su.se
Subject Public Key Algorithm: RSA
Modulus (bits 1024):
ad:4c:d7:4c:3d:fa:64:ae:c2:c1:92:47:fd:f6:94:35
37:1d:6a:a3:3b:27:28:99:b1:fa:ce:ef:4d:dd:ed:c4
ff:6c:9d:f0:2b:14:fc:b6:b3:8e:87:f3:ae:5b:08:06
15:7d:be:af:bc:a4:ba:7d:da:21:45:d4:b8:3d:77:62
57:bf:c8:7a:87:ff:88:3d:bd:65:fb:51:e1:42:06:54
88:d2:d0:31:9e:5a:ad:d1:0a:a5:3e:04:9d:18:b1:dc
a0:ee:0f:3f:28:e8:9f:d8:e3:d0:0f:f3:a4:91:99:1e
24:54:0a:8a:28:eb:76:2a:13:d3:18:7e:be:47:05:f9
Exponent (bits 24):
01:00:01
Extensions:
Key Usage (not critical):
Digital signature.
Non repudiation.
Key encipherment.
Key Purpose (not critical):
TLS WWW Server.
TLS WWW Client.
Subject Key Identifier (not critical):
3a5c5cd1cc2c9edf73f73bd81b59b1eab83035c5
Authority Key Identifier (not critical):
9e2e30ba37d95144c99dbf1821f1bd7eeeb58648
CRL Distribution points (not critical):
URI: http://ca.su.se/2005-1/crl-v2.crl
Unknown extension 2.5.29.32 (not critical):
ASCII: 0p0n..*.p+....0b0...+.........http://ca.su.se/CPS0?..+.......03.1Limited Liability, see http://www.swupki.su.se/CP
Hexdump:
3070306e06082a85702b020101013062301f06082b060105050702011613687474703a2f2f63612e73752e73652f435053303f06082b0601050507020230331a314c696d69746564204c696162696c6974792c2073656520687474703a2f2f7777772e737775706b692e73752e73652f4350
Issuer Alternative Name (not critical):
RFC822name: ca at su.se
URI: http://ca.su.se
Subject Alternative Name (not critical):
DNSname: incomingproxy.sip.su.se
DNSname: incomingproxy1.sip.su.se
DNSname: outgoingproxy.sip.su.se
DNSname: outgoingproxy1.sip.su.se
DNSname: out.sip.su.se
DNSname: appserver.sip.su.se
DNSname: appserver1.sip.su.se
DNSname: sip1.su.se
Signature Algorithm: RSA-SHA
Signature:
11:15:88:3b:ca:d7:29:87:41:3b:5a:6b:cc:e3:80:0d
ff:ca:ab:bb:bb:51:5f:a6:92:15:6a:e3:2f:25:6b:ff
55:a4:e2:9a:c2:2b:8c:b9:26:97:cd:c3:97:61:f5:9f
1f:fe:0c:85:b2:bd:62:16:c6:fa:7d:2d:e7:25:34:dd
dd:f5:65:59:17:dc:34:21:88:c7:98:3c:2a:e4:9b:de
ee:9f:ed:5c:e7:90:63:9e:89:13:11:11:24:1c:d4:6f
01:7a:1d:33:6d:d6:52:ec:16:0e:da:0f:44:2a:56:c6
49:3e:4f:c1:09:dc:e2:0f:4a:ee:9a:8f:c8:a4:8d:56
4c:db:eb:43:6e:8e:0f:fe:a9:88:de:ec:c0:9c:37:e6
51:9d:40:68:e9:4d:8d:67:4e:bf:40:45:05:9b:eb:94
22:16:7c:20:63:35:80:b7:a1:0b:b4:37:1b:8f:9d:e1
cd:fc:08:32:71:42:74:8f:3a:05:a2:5e:e4:af:86:14
26:28:3b:1b:ac:ac:d1:69:e0:51:87:97:84:25:b4:e4
03:c0:e9:d0:49:9b:d1:4a:e4:45:58:62:c5:e8:3d:ee
cb:71:51:c0:13:02:37:46:96:32:7d:30:b9:ee:1d:79
c8:ee:28:46:75:47:e0:e6:af:f5:d3:9b:e9:b1:0a:4e
Other Information:
MD5 fingerprint:
146193ad068b89c90caee8405bcd8949
SHA-1 fingerprint:
f196cc4bf2376499987cc412eccd1ce019c39b38
Public Key Id:
5fccf39f1d88719c0ba62c5df5f45c6d717172a5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 76.pem
Type: application/x-x509-ca-cert
Size: 5129 bytes
Desc: not available
URL: </pipermail/attachments/20090714/6dffd41d/attachment.crt>
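The suggestion quoted at the top of this message works because subjectAltName (2.5.29.17) and issuerAltName (2.5.29.18) both carry a DER GeneralNames value, so one parser can take the OID as a parameter. The sketch below is an added example, not GnuTLS code and not the patch under discussion. `struct ext`, `alt_name` and the sample bytes are constructed for illustration, and the RFC822 name assumes the archive's "ca at su.se" stands for ca@su.se.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, not the bytes of 76.pem: two extension values, each a
 * DER GeneralNames SEQUENCE, using names from the certtool output above. */
struct ext { const char *oid; const unsigned char *der; size_t len; };
static const unsigned char SAN[] = "\x30\x0c\x82\x0a" "sip1.su.se";
static const unsigned char IAN[] = "\x30\x1b\x81\x08" "ca@su.se"
                                   "\x86\x0f" "http://ca.su.se";
static const struct ext EXTS[] = {
    { "2.5.29.17", SAN, sizeof SAN - 1 },  /* subjectAltName */
    { "2.5.29.18", IAN, sizeof IAN - 1 },  /* issuerAltName */
};

/* Hypothetical helper: copy the seq-th GeneralName of extension `oid` to out.
 * Returns the choice number (1 rfc822Name, 2 dNSName, 6 URI), -1 if the
 * extension or index is absent, -2 if malformed, unsupported, too long or
 * containing a NUL. Handles one-byte DER lengths and IA5String choices only. */
static int alt_name(const struct ext *exts, size_t n, const char *oid,
                    unsigned seq, char *out, size_t out_size)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(exts[i].oid, oid) != 0) continue;
        const unsigned char *p = exts[i].der, *end = p + exts[i].len;
        if (end - p < 2 || p[0] != 0x30 || p[1] > 0x7f || p[1] != end - p - 2)
            return -2;
        for (p += 2; p < end; seq--) {
            if (end - p < 2 || p[1] > end - p - 2) return -2;
            size_t len = p[1];
            int type = p[0] - 0x80;  /* primitive context tag [type] */
            if (seq == 0) {
                if (type != 1 && type != 2 && type != 6) return -2;
                if (len >= out_size || memchr(p + 2, 0, len)) return -2;
                memcpy(out, p + 2, len);
                out[len] = '\0';
                return type;
            }
            p += 2 + len;
        }
        return -1;
    }
    return -1;
}

int main(void)
{
    char buf[64];
    for (unsigned s = 0; alt_name(EXTS, 2, "2.5.29.18", s, buf, sizeof buf) > 0; s++)
        printf("issuer alt name %u: %s\n", s, buf);
    return 0;
}
```

The embedded-NUL check matters for any caller that treats the result as a C string: without it, a name would be silently truncated at the first zero byte.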