lua-openssl

How to read certificate fields (including subject, ... and other extensions) easily?

Open ttyS0 opened this issue 4 years ago • 3 comments

Hi, I'm just wondering if there is an easy way to read subject and extensions from a certificate.

What I did to retrieve these is to:

  • for subject, x509:subject():get_text(identid) [ does the library offer some constants here like 13 for common name etc. ? ]
  • for extensions, I wrote a procedure similar to the test file https://github.com/zhaozg/lua-openssl/blob/master/test/2.asn1.lua

```lua
function _M.asn1parse(data)
    local function asn1parse_sub(data, start, stop)
        -- (the unused "level = level or 0" was dropped: it leaked a global)
        start = start or 1
        stop = stop or #data
        if start > stop then return {} end
        local collection = {}
        while true do
            -- my_asn1_get_object is my own helper (not shown): it packs the result of
            -- asn1.get_object and gets the tag/class name via asn1.tostring
            local o = my_asn1_get_object(data, start)
            if o == nil then break end
            local e
            if o.constructed then
                print(o.tag, o.start, o.stop)
                -- constructed element: recurse into its content range
                e = {
                    tag = o.tag,
                    tag_name = o.tag_name,
                    constructed = o.constructed,
                    children = asn1parse_sub(data, o.start, o.stop)
                }
            else
                -- primitive element: keep the raw content bytes
                e = {
                    tag = o.tag,
                    tag_name = o.tag_name,
                    length = o.stop - o.start + 1,
                    value = data:sub(o.start, o.stop)
                }
            end
            table.insert(collection, e)
            start = o.stop + 1
            if start >= stop then break end
        end
        return collection
    end
    return asn1parse_sub(data)
end
```

Is there any out-of-the-box function to directly parse these extensions defined in RFC 5280? I'm not quite familiar with the OpenSSL C library, and would just like to use this Lua binding to implement a tiny PKI system. It would be great if I could directly derive a structure from the certificate, for example:

  • for basicConstraints, I can retrieve { ca = true, pathlen = 2 } (if not set, options could have a fallback decided by coder)
  • for SAN, I can retrieve { san1, san2, ... }
  • etc.

ttyS0, Feb 02 '21 12:02

@siger-young see if this code helps: https://stackoverflow.com/a/66037478/1003113

namedgraph, Feb 04 '21 09:02

> @siger-young see if this code helps: https://stackoverflow.com/a/66037478/1003113

:confused: I've already implemented a parser by myself. It really helps me understand ASN.1 structures and become familiar with X.509.

It never occurred to me that these things could be retrieved just by iterating pairs. Thanks a lot :smile:

ttyS0, Feb 04 '21 12:02

> @siger-young see if this code helps: https://stackoverflow.com/a/66037478/1003113

In fact, this only resolves subjectAltName. Some extensions like basicConstraints, keyUsage etc. require some extra work (e.g. writing an ASN.1 parser like I did) to resolve.

ttyS0, May 24 '21 12:05
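
The "extra work" for basicConstraints mentioned in the last comment, as an added example that is not code from this thread or from lua-openssl: a pure-Lua decoder that turns the extension value into `{ ca = ..., pathlen = ... }` and rejects malformed DER instead of guessing. It assumes you already hold the raw DER bytes of the extension value (the content of the extnValue OCTET STRING); the function names and the `fallback_pathlen` parameter are hypothetical.

```lua
-- BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
--                                 pathLenConstraint INTEGER (0..MAX) OPTIONAL }

-- Read one TLV at `pos` without reading past `limit`.
-- Returns tag, index of first content byte, index of last content byte.
local function read_tlv(der, pos, limit)
    if pos + 1 > limit then error("truncated TLV header") end
    local tag, len = der:byte(pos), der:byte(pos + 1)
    -- Assumption: basicConstraints is only a few bytes long, so long-form
    -- and indefinite lengths are rejected rather than decoded.
    if len >= 0x80 then error("unexpected long or indefinite length") end
    local first = pos + 2
    if first + len - 1 > limit then error("content overruns enclosing element") end
    return tag, first, first + len - 1
end

-- `fallback_pathlen` (hypothetical) is what the caller wants reported
-- when pathLenConstraint is absent.
local function parse_basic_constraints(der, fallback_pathlen)
    local result = { ca = false, pathlen = fallback_pathlen }
    local tag, pos, last = read_tlv(der, 1, #der)
    if tag ~= 0x30 then error("expected SEQUENCE") end
    if last ~= #der then error("trailing bytes after SEQUENCE") end
    if pos <= last and der:byte(pos) == 0x01 then       -- cA BOOLEAN
        local _, s, e = read_tlv(der, pos, last)
        -- DER: TRUE is exactly 0xFF; FALSE is the default and must be omitted.
        if e ~= s or der:byte(s) ~= 0xFF then error("non-DER BOOLEAN for cA") end
        result.ca = true
        pos = e + 1
    end
    if pos <= last then                                  -- pathLenConstraint INTEGER
        local t, s, e = read_tlv(der, pos, last)
        if t ~= 0x02 then error("expected INTEGER") end
        if e < s or e - s > 3 then error("bad INTEGER size") end
        if der:byte(s) >= 0x80 then error("negative pathLenConstraint") end
        local n = 0
        for i = s, e do n = n * 256 + der:byte(i) end
        result.pathlen = n
        pos = e + 1
    end
    if pos <= last then error("unexpected element after pathLenConstraint") end
    return result
end

-- Constructed sample inputs (not taken from a real certificate).
local ca = parse_basic_constraints(string.char(0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x02))
assert(ca.ca == true and ca.pathlen == 2)
local leaf = parse_basic_constraints(string.char(0x30, 0x00), -1)
assert(leaf.ca == false and leaf.pathlen == -1)
-- A BOOLEAN encoded as 0x01 is not valid DER and is refused.
assert(not pcall(parse_basic_constraints, string.char(0x30, 0x03, 0x01, 0x01, 0x01)))
```

For a PKI that makes trust decisions on `ca`, failing closed on anything that is not canonical DER is the safer default than treating an unparseable extension as "not a CA".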