[Help-gnutls] Encoding of Subject Alternative Name having GNUTLS_SAN_IPADDRESS as data type.
From: Mahesh Nayak
Subject: [Help-gnutls] Encoding of Subject Alternative Name having GNUTLS_SAN_IPADDRESS as data type.
Date: Wed, 12 Sep 2007 10:45:28 -0500
Hello,
I was trying to use the GNUTLS_SAN_IPADDRESS type for the API
gnutls_x509_crt_set_subject_alternative_name().
I notice that when an X509v3 Certificate is created using the certtool API,
the IP ADDRESS field in the packet is not being parsed by the openssl
or XCA tool (OpenSSL shows the field as invalid). On further
investigation, I got the following excerpt from RFC 2459 (for
x509):
RFC 2459, Internet X.509 Public Key Infrastructure, January 1999:
"When the subjectAltName extension contains a iPAddress, the address
MUST be stored in the octet string in "network byte order," as
specified in RFC 791 [RFC 791]. The least significant bit (LSB) of
each octet is the LSB of the corresponding byte in the network
address. For IP Version 4, as specified in RFC 791, the octet string
MUST contain exactly four octets."
But I see from the GNUTLS and CERTTOOL source code that we never
convert the char* to a network-byte-ordered octet string (for the IPADDRESS)
(I traced from gnutls_x509_crt_set_subject_alternative_name in the
gnutls source code). We just go ahead with encoding the char* data
in the certificate.
Is there something that I am missing? Or is it a bug?
If yes, could you please tell me an alternative method to have an IP address in
the subject alternative name?
Any help here is very valuable to me and is appreciated.
Thanks,
Mahesh.
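An added example in C (not code from the original post or from the GnuTLS project) that makes the RFC 2459 requirement quoted above concrete: it builds the four-octet (or sixteen-octet) network-byte-order form that belongs in an iPAddress GeneralName and contrasts it with the text bytes the post says are being encoded unchanged. It uses POSIX inet_pton only and does not call GnuTLS; the function names and the sample address are my own.

```c
/* Added example: encode and check a subjectAltName iPAddress per RFC 2459. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Convert textual IP ("192.0.2.10" or "2001:db8::1") into the raw
 * network-byte-order octets the iPAddress GeneralName must carry.
 * Returns the octet count (4 for IPv4, 16 for IPv6) or 0 if the text
 * is not a well-formed address. */
size_t san_ip_octets(const char *text, unsigned char out[16])
{
    if (inet_pton(AF_INET, text, out) == 1)
        return 4;               /* RFC 2459: exactly four octets for IPv4 */
    if (inet_pton(AF_INET6, text, out) == 1)
        return 16;              /* sixteen octets for IPv6 */
    return 0;
}

/* Validate an encoded iPAddress the way a strict parser does: only
 * lengths 4 and 16 are legal. A dotted quad stored as text is 7..15
 * bytes long, which is why OpenSSL reports such a field as invalid. */
int san_ip_is_valid(const unsigned char *data, size_t len)
{
    (void)data;                 /* content is opaque; only length is constrained */
    return len == 4 || len == 16;
}

/* Helper: the index-th encoded octet of text, or -1 if text is not an
 * address or index is past the encoded length. */
int san_ip_octet(const char *text, size_t index)
{
    unsigned char out[16];
    size_t n = san_ip_octets(text, out);
    return (n > 0 && index < n) ? out[index] : -1;
}

int main(void)
{
    const char *ip = "192.0.2.10";   /* constructed sample address */
    unsigned char octets[16];
    size_t n = san_ip_octets(ip, octets);

    /* The behaviour described in the post: the char* bytes go in as-is. */
    printf("text form:  %zu bytes, valid=%d\n", strlen(ip),
           san_ip_is_valid((const unsigned char *)ip, strlen(ip)));
    /* The RFC 2459 form: raw octets in network byte order. */
    printf("octet form: %zu bytes (%u.%u.%u.%u), valid=%d\n", n,
           octets[0], octets[1], octets[2], octets[3], san_ip_is_valid(octets, n));
    return 0;
}
```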