[Help-gnutls] Encoding of Subject Alternative Name having GNUTLS_SAN_IPADDRESS as data type.
mahesh.nayak at gmail.com
Wed Sep 12 17:45:28 CEST 2007
I was trying to use the GNUTLS_SAN_IPADDRESS type for the API
I notice that when a X509v3 Certificate is created using certool API,
the IP ADDRESS field in the packet is not being parsed by the openssl
or XCA tool (OpenSSL shows the field as invalid). On further
investigation, I got the following percept from the RFC 2459 ( for
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
When the subjectAltName extension contains a iPAddress, the address
MUST be stored in the octet string in "network byte order," as
specified in RFC 791 [RFC 791]. The least significant bit (LSB) of
each octet is the LSB of the corresponding byte in the network
address. For IP Version 4, as specified in RFC 791, the octet string
MUST contain exactly four octets. "
But I see from the GNUTLS and CERTTOOL source code that we never
convert the char* to a network-byte-ordered-octet (for the IPADDRESS)
(I traced from gnutls_x509_crt_set_subject_alternative_name in the
gnutls source code) . We just go ahead with encoding the char* data
in the certificate.
Is there something that I am missing? Or is it a bug?
If yes, could you please tell me an alternative method to have an IP address in
the subject alternative name?
Any help here is very valuable to me and is appreciated.
More information about the Gnutls-help