[gnutls-dev] Encoding of Subject Alternative Name having GNUTLS_SAN_IPADDRESS as data type.

Mahesh Nayak mahesh.nayak at mgl.com
Tue Sep 11 17:05:25 CEST 2007


Hello,
 

I was trying to use the GNUTLS_SAN_IPADDRESS type for the API
gnutls_x509_crt_set_subject_alternative_name(). 

I notice that when a X509v3 Certificate is created using certool API, the IP
ADDRESS field in the packet is not being parsed by the openssl or XCA tool
(OpenSSL shows the field as invalid). On further investigation, I got the
following percept from the RFC 2459 ( for x509):

RFC 2459        Internet X.509 Public Key Infrastructure    January 1999
“
When the subjectAltName extension contains a iPAddress, the address MUST be
stored in the octet string in "network byte order," as   specified in RFC 791
[RFC 791]. The least significant bit (LSB) of each octet is the LSB of the
corresponding byte in the network address. For IP Version 4, as specified in RFC
791, the octet string MUST contain exactly four octets. “

But I see from the GNUTLS and CERTTOOL source code that we never convert the
char* to a network-byte-ordered-octet (for the IPADDRESS) (I traced from
gnutls_x509_crt_set_subject_alternative_name in the gnutls source code) . We
just go ahead with encoding the char* data in the certificate.

Is there something that I am missing? Or is it a bug? 

If yes, could you please tell me an alternative method to have an IP address in
the subject alternative name?

Any help here is very valuable to me and is appreciated.

Thanks,
Mahesh.





More information about the Gnutls-dev mailing list