[Help-gnutls] Encoding of Subject Alternative Name having GNUTLS_SAN_IPADDRESS as data type.

Mahesh Nayak mahesh.nayak at gmail.com
Wed Sep 12 17:45:28 CEST 2007


Hello,

I was trying to use the GNUTLS_SAN_IPADDRESS type for the API
gnutls_x509_crt_set_subject_alternative_name( ).

I notice that when an X509v3 Certificate is created using the certtool API,
the IP ADDRESS field in the packet is not being parsed by the openssl
or XCA tool (OpenSSL shows the field as invalid). On further
investigation, I got the following percept from the RFC 2459 (for
x509):

RFC 2459        Internet X.509 Public Key Infrastructure    January 1999
"
When the subjectAltName extension contains a iPAddress, the address
MUST be stored in the octet string in "network byte order," as
specified in RFC 791 [RFC 791]. The least significant bit (LSB) of
each octet is the LSB of the corresponding byte in the network
address. For IP Version 4, as specified in RFC 791, the octet string
MUST contain exactly four octets. "

But I see from the GNUTLS and CERTTOOL source code that we never
convert the char* to a network-byte-ordered octet string (for the IPADDRESS)
(I traced from gnutls_x509_crt_set_subject_alternative_name in the
gnutls source code). We just go ahead with encoding the char* data
in the certificate.

Is there something that I am missing? Or is it a bug?

If yes, could you please tell me an alternative method to have an IP address in
the subject alternative name?

Any help here is very valuable to me and is appreciated.

Thanks,
Mahesh.
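As an added illustration of the encoding rule quoted above (example code written for this page, not from the original post or from GnuTLS/certtool), the following shows the RFC 2459 iPAddress GeneralName as it should appear in DER, the verbatim char* encoding the post describes, and the length check a strict parser applies that makes the latter show up as invalid:

```python
"""Added example: DER encoding and validation of an iPAddress GeneralName
as required by RFC 2459 (network byte order, exactly 4 or 16 octets)."""
import ipaddress

# GeneralName CHOICE alternative [7] iPAddress is an IMPLICIT OCTET STRING,
# so its context-specific primitive tag byte is 0x87.
IPADDRESS_TAG = 0x87


def ip_to_network_octets(text: str) -> bytes:
    """Dotted-quad or IPv6 text -> network-byte-order octets (4 or 16 bytes)."""
    return ipaddress.ip_address(text).packed


def encode_san_ipaddress(text: str) -> bytes:
    """Correct DER GeneralName: tag 0x87, short-form length, raw address octets."""
    octets = ip_to_network_octets(text)
    return bytes([IPADDRESS_TAG, len(octets)]) + octets


def encode_san_ipaddress_verbatim(text: str) -> bytes:
    """The encoding you get by copying the char* text as-is (what the post reports).
    For "192.0.2.1" this yields a 9-octet OCTET STRING, which is not a valid address."""
    raw = text.encode("ascii")
    return bytes([IPADDRESS_TAG, len(raw)]) + raw


def check_san_ipaddress(der: bytes) -> str:
    """Validate one iPAddress GeneralName the way a strict X.509 parser would.

    Returns a human-readable classification; only 4 (IPv4) or 16 (IPv6) octets
    are acceptable in a subjectAltName iPAddress per RFC 2459 section 4.2.1.7.
    """
    if len(der) < 2 or der[0] != IPADDRESS_TAG:
        return "not an iPAddress GeneralName"
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        return "bad length encoding"
    octets = der[2:]
    if len(octets) == 4:
        return "IPv4 " + str(ipaddress.IPv4Address(octets))
    if len(octets) == 16:
        return "IPv6 " + str(ipaddress.IPv6Address(octets))
    return f"invalid: {len(octets)} octets (RFC 2459 requires 4 or 16)"


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not taken from the post.
    for addr in ("192.0.2.1", "2001:db8::1"):
        print(addr, encode_san_ipaddress(addr).hex(), "->",
              check_san_ipaddress(encode_san_ipaddress(addr)))
    bad = encode_san_ipaddress_verbatim("192.0.2.1")
    print("verbatim", bad.hex(), "->", check_san_ipaddress(bad))
```

The `check_san_ipaddress` result for the verbatim form is the same failure mode OpenSSL reports as an invalid field: the OCTET STRING holds nine ASCII bytes instead of four address octets.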