它看起來像OpenSSL總是顯示「不受支持」的subjectAltName爲「otherName」。從「subjectAltName」證書擴展中讀取「otherName」值
被寫入(均通過M2Crypto,並直接經由openssl.cnf中命令行)的字符串:
1.2.3.4;UTF8:some other identifier
甩(OpenSSL的X509 -in test.crt -noout -text):
c3:88:36:93:82:58:0c:08:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
05:76:d5:fc:d0:44:50:af:39:76:05:b4:cb:b6:99:9f:7c:c0:
通過OpenSSL的源爲 「英文別名」 Grepping,這個站在給我看(在v3_alt.c):
1:
STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
{
unsigned char *p;
char oline[256], htmp[5];
int i;
switch (gen->type)
{
case GEN_OTHERNAME:
X509V3_add_value("othername","<unsupported>", &ret);
break;
case GEN_X400:
X509V3_add_value("X400Name","<unsupported>", &ret);
break;
case GEN_EDIPARTY:
X509V3_add_value("EdiPartyName","<unsupported>", &ret);
break;
2:
int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
{
unsigned char *p;
int i;
switch (gen->type)
{
case GEN_OTHERNAME:
BIO_printf(out, "othername:<unsupported>");
break;
case GEN_X400:
BIO_printf(out, "X400Name:<unsupported>");
break;
case GEN_EDIPARTY:
/* Maybe fix this: it is supported now */
BIO_printf(out, "EdiPartyName:<unsupported>");
break;
所以,我敢打賭,這兩種及以上的從我的嘗試來的經驗知識的意思是我不應該指望的「中文別名」值將可以通過命令行或庫調用正確呈現。這可能是因爲它們是實際編碼的ASN.1字符串。那麼,我該怎麼做呢?人們如何提取這些值?如果它們是實際的ASN.1字符串,是否需要開發人員對它們進行解碼?
的OpenSSL 1.0.1包括用於'OBJ_ms_upn'和'NID_ms_upn'的定義,這稍微簡化了這一點。 – davenpcj