I am attempting to retrieve the subject alternative name from my client certificate. By running this command, I can see the SAN:

openssl x509 -noout -text -in certname.cert.pem
...
X509v3 Subject Alternative Name: 
IP Address:10.10.10.10

In a C file, I am trying to retrieve the client SAN, so that I can validate it with the server IP. Here is my attempt:

#include <openssl/x509.h>
#include <openssl/x509v3.h>

cert = X509_STORE_CTX_get_current_cert(x509Ctx);
int i;
int san_names_nb = -1;
STACK_OF(GENERAL_NAME) *san_names = NULL;

// Try to extract the names within the SAN extension from the certificate.
// X509_get_ext_d2i() returns void *, which converts to the stack pointer in C;
// the (GENERAL_NAME *) cast used before was the wrong type for this variable.
san_names = X509_get_ext_d2i((X509 *) cert, NID_subject_alt_name, NULL, NULL);
if (san_names == NULL) 
{
   return Error;
}

Right now, my code is returning the error because san_names is NULL. Any guidance would be much appreciated. Thank you!

Colin Mai

2 Answers

The OpenSSL command itself gives the SAN as Null

X509v3 Subject Alternative Name: **<BLANK>**
IP Address:10.10.10.10

Can you just open the certificate and see if it contains the SAN? If not, you will have to ask the team to add the SAN and create a new certificate again.

Sreeram Nair

You are misusing X509_get_ext_d2i(). Per the OpenSSL documentation for X509_get_ext_d2i() (bolding mine):

If idx is NULL then only one occurrence of an extension is permissible otherwise the first extension after index *idx is returned and *idx updated to the location of the extension.

Depending on the version of OpenSSL you're using, the behavior might be slightly different. The above is the documented behavior for OpenSSL 1.1.0.

Since you are passing NULL as idx, if there's more than one SAN on the cert you'll get NULL from X509_get_ext_d2i().

You can get the OpenSSL error code with ERR_get_error().

Andrew Henle