• From: Texas
  • Registered: 2020-08-17
  • Posts: 63

Topic: SetAlternateNames ..? HowTo

Hello,
See subject line...

I am creating a certificate, and signing it with an internal CA.  All is fine.  Except I need to also include alternate subject names.

I am using 4.7

This post:
https://www.wolfssl.com/forums/topic140 … l-api.html
Does not work.
The code block 

char myAltNames[] = {
                                 // SEQUENCE (2 elements)
                                 0x30, 0x14,
                                 // OBJECT IDENTIFIEER: 2.5.29.17 subjectAltName
                                 // (X.509 extension)
                                 0x06, 0x03, 0x55, 0x1D, 0x11,
                                 // OCTET STRING (1 element) 
.....

Is building the DER sequence structure for a single name.
And when this is copied in the CERT structure:

    memcpy(testcert.altNames, myAltNames, sizeof(myAltNames) );
    testcert.altNamesSz = (int) sizeof(myAltNames) ;

The cert has garbage (actually the DER OID information) in the Alternate Subject Name

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
0...localhost   0...U...
    Signature Algorithm: sha1WithRSAEncryption
         c0:2b:4b:4d:b9:fd:1e:47:7b:0b:39:d9:17:72:6c:65:24:4e:

So the REAL solution appears to be something like 

    memcpy(testcert.altNames,"DNS:LocalHost", sizeof("DNS:LocalHost") - 1);
    testcert.altNamesSz = (int) sizeof("DNS:LocalHost") - 1;

(the -1 is to remove the trailing null terminator)
Because now the certificate dump is 

               Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:LocalHost.
    Signature Algorithm: sha1WithRSAEncryption
         83:bd:77:cd:3a:6a:f6:dc:ec:ab:63:cb:1c:3b:d4:39:02:4b:

Which pretty much "looks" correct, but I haven't tried it yet.

On the other hand, this doesn't work at all

    strcpy(testcert.subject.commonName, "www.whatever.com");
    strcpy(testcert.subject.email, "Info@whatever.com");
    wc_SetAltNames(&testcert, "localhost");

When I dump the generated and signed certificate, there is no X509 Extension Subject Alternative Name.

My question:
What is the correct way to set alternate names?
What is the correct way to set MULTIPLE alternate names?
What is the correct way to also set an IP address in the Subject Alternative Name field?

Short of studying the DER OID structures and mastering them (which I have done yet but I'm getting close to having to do), how can this field be set with multiple values and field types?

Scott

-Scott
<Code shown is not to scale>

Share

  • Registered: 2015-10-07
  • Posts: 430

Re: SetAlternateNames ..? HowTo

Hi Scott,

Did you see this example?
https://github.com/wolfSSL/wolfssl-exam … mes.c#L145

I will have another engineer provide some additional examples. For reference the test case I was using for Scott is posted here:
https://drive.google.com/file/d/15QOGFB … sp=sharing

Thanks,
David Garske, wolfSSL

Share

3 Reply by Scotty2541 (edited by Scotty2541 2021-06-07 11:05:30)

  • From: Texas
  • Registered: 2020-08-17
  • Posts: 63

Re: SetAlternateNames ..? HowTo

dgarske wrote:

Hi Scott,

Did you see this example?
https://github.com/wolfSSL/wolfssl-exam … mes.c#L145

No, none of my searching came up with that.

This one worked:  

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:example.com, DNS:127.0.0.1, IP Address:127.0.0.1
    Signature Algorithm: sha1WithRSAEncryption
         a3:2f:fb:a5:0c:55:68:51:e5:da:a6:6f:4d:3d:f0:1d:9c:77:
        ....

dgarske wrote:

I will have another engineer provide some additional examples. For reference the test case I was using for Scott is posted here:
https://drive.google.com/file/d/15QOGFB … sp=sharing

Thanks,
David Garske, wolfSSL

Yeah, that's my test program I am working with.  All I needed at this stage was to be able to add a Subject Alternative Name

What's different between "myAltNames" in those two posts??
https://www.wolfssl.com/forums/topic140 … l-api.html
and
https://github.com/wolfSSL/wolfssl-exam … mes.c#L145

From what I can determine now, the opening sequence which includes the OID is NOT required in the second one.  But that opening sequence has a length requirement...  I guess internally it just adds 7 extra byte to it??  (The 5 byte OID identifier, and 2 byte STRING identifier plus the length)?

The DER/BER doc is spaghetti, and I can't tell when something is nested and when something isn't.  Nor can I find any definitions for those DNS (x2), IP (x7) IDs that are nested under other stuff... that I still can't figure out...
Since when is x08 an identifier for a string?  It's supposed to be x04...
The 0x08 data type isn't defined anywhere I can find in the DER/BER/ASN.1.

And when did a data type designators move to the upper nibble?

Somewhere, which I have yet to locate, there must be a definition of the sub sequences and their layouts for OID 2.5.29.17  (the Subject Alternative Name).

RFC 5280 specifies that an IP address in a Alternative name is designated as numeric, but the comment in the last entry of the "myAltNames" says it's a string, then uses 0x08 which is an undefined datatype (but uses it for both string and numbers...? )

        /* This is a string 0x08, it denotes an IP Address 0x07 -> 0x87 */
        /* This strings length is 4 (0x04) */
        0x87, 0x04,
        /* The IP address is 127 (0x7F), 0 (0x00), 0, (0x00), 1 (0x01) ->
        *  127.0.0.1
        */
        0x7F, 0x00, 0x00, 0x01

Well, this gives me something to work with, even if there isn't aren't definitions beyond the inline comments.

Thanks.

-Scott

-Scott
<Code shown is not to scale>

Share