IP addresses in certificates' altName should be decoded
Description
IP addresses can be encoded in subjectAltNames, but are in a binary format where distinguishing IPv4 from IPv6 requires using the value's length.
This isn't convenient, especially for humans.
Expected behaviour
The decoding should be done by Crypt::OpenSSL::X509. A sample certificate with ipAddresses is attached.
Actual behaviour
Binary, as described.
Attached patch incorporates #116 and provides both formats: ipAddress and ipAddress_txt, so it is compatible with any existing users of the binary format.
The text format for IPv6 does not use compression (to produce the short - :: - form). There are many utilities (such as Net::IP) that can do that, and the uncompressed form is legal.
Step by step guide to reproducing the issue
perl -MCrypt::OpenSSL::X509 -MData::Dumper -e'$Data::Dumper::Useqq=1; print Dumper( Crypt::OpenSSL::X509->new_from_file("ipacert.pem")->subjectaltname)'
$VAR1 = [
  {
    "dNSName" => "example.net"
  },
  {
    "iPAddress_txt" => "192.0.0.1",
    "iPAddress" => "\300\0\0\1"
  },
  {
    "iPAddress_txt" => "192.0.0.2",
    "iPAddress" => "\300\0\0\2"
  },
  {
    "iPAddress_txt" => "2001:db8:123:0:0:0:0:4",
    "iPAddress" => " \1\r\270\1#\0\0\0\0\0\0\0\0\0\4"
  },
  {
    "iPAddress_txt" => "2001:2b8:123:0:0:0:0:5",
    "iPAddress" => " \1\2\270\1#\0\0\0\0\0\0\0\0\0\5"
  }
];
Attached files Crypt_OpenSSL_X509_subjectaltnameIP.patch
I have modified your patch and sent a PR that outputs:
$VAR1 = [
  {
    "dNSName" => "example.net"
  },
  {
    "iPAddress" => "192.0.0.1"
  },
  {
    "iPAddress" => "192.0.0.2"
  },
  {
    "iPAddress" => "2001:db8:123:0:0:0:0:4"
  },
  {
    "iPAddress" => "2001:2b8:123:0:0:0:0:5"
  }
];
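For code that still receives the binary form described in the issue, the length-based decoding can be done on the caller's side. This is an added example, not code from the patch or from Crypt::OpenSSL::X509: `san_ip_to_text` is a hypothetical helper, the sample list is constructed from the dump above plus one malformed value, and the compressed form comes from the core Socket module rather than Net::IP.

```perl
#!/usr/bin/perl
# Added example: decode binary subjectAltName iPAddress values by length.
use strict;
use warnings;
use Socket qw(inet_ntop AF_INET6);

# Hypothetical helper (not part of Crypt::OpenSSL::X509).
# Returns (uncompressed, compressed) text forms, or an empty list when the
# value is neither a 4-octet IPv4 nor a 16-octet IPv6 address.
sub san_ip_to_text {
    my ($bin) = @_;
    return unless defined $bin;
    my $len = length $bin;
    if ($len == 4) {
        # IPv4: four octets, dotted decimal; there is no shorter form.
        my $txt = join '.', unpack 'C4', $bin;
        return ($txt, $txt);
    }
    if ($len == 16) {
        # IPv6: eight big-endian 16-bit groups, printed without "::".
        my $full = join ':', map { sprintf '%x', $_ } unpack 'n8', $bin;
        return ($full, inet_ntop(AF_INET6, $bin));
    }
    return;    # any other length is not a valid SAN address
}

# Constructed sample: binary values as in the Dumper output above,
# plus one malformed 5-octet value to show the rejection path.
my @san = (
    { dNSName   => 'example.net' },
    { iPAddress => "\300\0\0\1" },
    { iPAddress => " \1\r\270\1#\0\0\0\0\0\0\0\0\0\4" },
    { iPAddress => "\300\0\0\1\0" },
);

for my $entry (@san) {
    next unless exists $entry->{iPAddress};
    my $raw = $entry->{iPAddress};
    my ($full, $short) = san_ip_to_text($raw);
    if (defined $full) {
        print "$full ($short)\n";
    }
    else {
        printf "rejected: unexpected length %d\n", length $raw;
    }
}
```

Rejecting lengths other than 4 and 16 keeps a malformed entry from being printed or compared as if it were an address.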