000019423 - How to check the Common Name field of the server's certificate after the handshake when using RSA BSAFE SSL-C

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019423
Applies To: RSA BSAFE SSL-C 2.0.1
Issue: How to check the Common Name field of the server's certificate after the handshake when using RSA BSAFE SSL-C
Resolution: Checking the common name in a server's certificate with RSA BSAFE SSL-C involves retrieving the subject distinguished name from the certificate, extracting the common name (CN) attribute, and comparing it against a pre-determined name. This is done after the SSL handshake has completed, and it supplements rather than replaces verification of the certificate chain: a CN check on an unverified certificate establishes nothing, since anyone can issue themselves a certificate carrying the expected name. Two details matter for the comparison itself. First, the attribute value comes back as a pointer plus a length, not as a NUL-terminated C string, so exactly that many bytes must be compared. Second, current practice is to check the subjectAltName dNSName entries first and fall back to the CN only when the certificate carries no subjectAltName; the code below implements the CN check only. On the client side, the first thing to do is to retrieve the server's certificate. If an abbreviated (resumed) handshake occurs, retrieval of the server's certificate may not be possible, and a NULL result must be treated as a failure rather than as permission to skip the check:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* plus the RSA BSAFE SSL-C toolkit headers that declare SSL, SSLCERT,
   SSLCERT_NAME, SSLCERT_NAME_ENTRY and the SSL_/SSLCERT_ functions used here */

void authorizeSubjectName(SSLCERT *sslCert);

/* Grab the certificate and check to see if we pass the authorization check.
   sslConnection is a previously initialized SSL connection on which the
   handshake has already completed. */
void checkPeerCertificate(SSL *sslConnection)
{
    SSLCERT *sslCert = NULL;

    /* The X509 structure and SSLCERT structure have runtime compatibility */
    sslCert = SSL_get_peer_certificate(sslConnection);

    /* NULL means no certificate is available, for example after an abbreviated
       (resumed) handshake. Fail closed: never skip the name check. */
    if (sslCert == NULL) {
        printf("Fatal Error. The certificate is NULL!\n");
        exit(1);
    }

    authorizeSubjectName(sslCert);
}


An example implementation of authorizeSubjectName() appears below:

/*
 * This function loops through the subject name and prints the attribute values.
 * Every CN attribute is compared against expectedName; a mismatch, or a subject
 * with no CN at all, aborts the connection.
 */
void printBuf(const unsigned char *buf, long len, int mode);

void authorizeSubjectName(SSLCERT *sslCert)
{
    SSLCERT_NAME *sslCertSubjectName = NULL;
    SSLCERT_NAME_ENTRY *sslCertNameEntry = NULL;

    unsigned int datatype;
    unsigned char *namepp = NULL;   /* attribute value: nameDataLen bytes, not NUL-terminated */
    long nameDataLen;

    unsigned int oidtype;
    unsigned char *oidpp = NULL;
    long oidlen;
    char *oidString = NULL;

    /* This is the hard coded name to check against. That is, this name should
       appear in the subject common name field */
    const char *expectedName = "www.foo.com";

    int subjectNameCount = 0;
    int cnFound = 0;
    int ret = -1;
    int i = 0;

    /* Let's look at the subject name, entry by entry */

    /* First retrieve the subject name */
    sslCertSubjectName = SSLCERT_get_subject_name(sslCert);
    if (sslCertSubjectName == NULL) {
        printf("* Fatal Error obtaining subject name\n");
        exit(1);
    }

    /* Next retrieve the number of entries in the subject name */
    subjectNameCount = SSLCERT_NAME_get_entry_count(sslCertSubjectName);
    printf("* The subject name has %d entries\n", subjectNameCount);

    for (i = 0; i < subjectNameCount; i++) {

        /* Pull the i-th entry and get its OID and data */
        sslCertNameEntry = SSLCERT_NAME_get_NAME_ENTRY(sslCertSubjectName, i);
        if (sslCertNameEntry == NULL) {
            printf("* Fatal Error obtaining name entry\n");
            exit(1);
        }

        ret = SSLCERT_NAME_ENTRY_get_oid_info(sslCertNameEntry, &oidtype, &oidpp, &oidlen);
        if (ret != 1) {
            printf("* Fatal Error obtaining OID\n");
            exit(1);
        }

        ret = SSLCERT_NAME_ENTRY_get_data_info(sslCertNameEntry, &datatype, &namepp, &nameDataLen);
        if (ret != 1) {
            printf("* Fatal Error obtaining data from name entry\n");
            exit(1);
        }

        /* Short name of the attribute type, e.g. "CN" */
        oidString = SSLCERT_OID_to_string(oidpp, oidlen, 1);
        if (oidString == NULL) {
            printf("* Fatal Error converting OID to string\n");
            exit(1);
        }

        if (strcmp(oidString, "CN") == 0) {
            cnFound = 1;

            /* Compare exactly nameDataLen bytes. namepp is not a C string, so
               strcmp()/strncmp() must not be used: they stop at the first NUL
               byte and would accept a CN of "www.foo.com\0<anything>".
               Requiring equal lengths also rejects prefixes and longer names. */
            if (nameDataLen != (long)strlen(expectedName) ||
                memcmp(namepp, expectedName, (size_t)nameDataLen) != 0) {
                printf("Fatal Error. Aborting Connection. Server Unidentified!\n\n");
                printf("Found:\n");
                printBuf(namepp, nameDataLen, 1);
                printf("\nWanted:\n");
                printf("%s\n", expectedName);
                exit(1);
            }
        }

        printf("%s: ", oidString);
        printBuf(namepp, nameDataLen, 1);
        printf("\n");
    }

    /* A certificate whose subject carries no CN cannot identify the server */
    if (!cnFound) {
        printf("Fatal Error. Aborting Connection. No common name in subject!\n");
        exit(1);
    }
}

/* Simple routine to print the contents of a buffer: mode 1 for chars, 0 for hex */
void printBuf(const unsigned char *buf, long len, int mode)
{
    long i = 0;

    if (mode == 1) {
        for (i = 0; i < len; i++)
            printf("%c", buf[i]);
    }

    if (mode == 0) {
        for (i = 0; i < len; i++)
            printf("%02x", buf[i] & 0xff);
    }
}
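The following C program is an added example, not part of the RSA article, and it makes no SSL-C calls, so it compiles and runs offline. It isolates the comparison step of the procedure above: a subject-name entry is modelled as the (OID short name, value bytes, length) triple that SSLCERT_NAME_ENTRY_get_oid_info() and SSLCERT_NAME_ENTRY_get_data_info() hand back, the CN is matched by its reported length with ASCII case ignored (DNS names are case-insensitive), a subject with no CN is rejected, and the length-aware match is contrasted with the strncmp() comparison from the article's loop on constructed inputs, including a CN value that contains an embedded NUL byte. The NameEntry type, the function names and the sample subjects are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for one subject-name attribute as the article's loop sees it:
 * the OID's short name plus the raw value bytes and their length.
 * Constructed for this example; SSL-C's SSLCERT_NAME_ENTRY is not used. */
typedef struct {
    const char *oid;            /* e.g. "C", "O", "CN" */
    const unsigned char *data;  /* value bytes, NOT NUL-terminated */
    long len;                   /* number of value bytes */
} NameEntry;

/* Length-aware match of a CN value against the expected DNS name.
 * Returns 1 on match, 0 otherwise. Exact match only, no wildcards:
 *  - the length reported by the toolkit is authoritative, so no C-string
 *    function touches the value;
 *  - an embedded NUL is rejected, so "www.foo.com\0.attacker.example"
 *    cannot pass as "www.foo.com";
 *  - lengths must be equal, so prefixes and longer names both fail;
 *  - DNS labels are case-insensitive, so ASCII case is ignored. */
int cnMatchesHostname(const unsigned char *cn, long cnLen, const char *expected)
{
    long i;
    if (cn == NULL || expected == NULL || cnLen <= 0)
        return 0;
    if ((size_t)cnLen != strlen(expected))
        return 0;
    for (i = 0; i < cnLen; i++) {
        if (cn[i] == '\0')
            return 0;
        if (tolower(cn[i]) != tolower((unsigned char)expected[i]))
            return 0;
    }
    return 1;
}

/* The comparison the article's loop makes, kept for contrast: strncmp()
 * stops at the first NUL in either operand and ignores the real value length. */
int cnMatchesWithStrncmp(const unsigned char *cn, const char *expected)
{
    return strncmp((const char *)cn, expected, 16) == 0;
}

/* Walk a subject name the way the article does and return 1 only if some
 * CN attribute matches. A subject with no CN yields 0; a loop that only
 * aborts on a mismatching CN would fall through and accept it. */
int authorizeSubject(const NameEntry *entries, int count, const char *expected)
{
    int i;
    for (i = 0; i < count; i++) {
        if (strcmp(entries[i].oid, "CN") == 0 &&
            cnMatchesHostname(entries[i].data, entries[i].len, expected))
            return 1;
    }
    return 0;
}

/* Constructed CN values; sizeof(X) - 1 is the value length (the literal's
 * terminating NUL is not part of the certificate data). */
static const unsigned char CN_EXACT[]  = "www.foo.com";
static const unsigned char CN_MIXED[]  = "WWW.Foo.COM";
static const unsigned char CN_SUFFIX[] = "www.foo.com.attacker.example";
static const unsigned char CN_NUL[]    = "www.foo.com\0.attacker.example";

/* Constructed subject names standing in for SSLCERT_get_subject_name(). */
static const NameEntry SUBJECT_OK[] = {
    { "C",  (const unsigned char *)"US",       2 },
    { "O",  (const unsigned char *)"Foo Corp", 8 },
    { "CN", CN_EXACT, sizeof(CN_EXACT) - 1 },
};
static const NameEntry SUBJECT_NO_CN[] = {
    { "C",  (const unsigned char *)"US",       2 },
    { "O",  (const unsigned char *)"Foo Corp", 8 },
};
static const NameEntry SUBJECT_NUL_CN[] = {
    { "CN", CN_NUL, sizeof(CN_NUL) - 1 },
};

int main(void)
{
    const char *expected = "www.foo.com";
    printf("exact CN    strncmp: %d  length-aware: %d\n",
           cnMatchesWithStrncmp(CN_EXACT, expected),
           cnMatchesHostname(CN_EXACT, sizeof(CN_EXACT) - 1, expected));
    printf("NUL-byte CN strncmp: %d  length-aware: %d\n",
           cnMatchesWithStrncmp(CN_NUL, expected),
           cnMatchesHostname(CN_NUL, sizeof(CN_NUL) - 1, expected));
    printf("subject without CN accepted: %d\n",
           authorizeSubject(SUBJECT_NO_CN, 2, expected));
    return 0;
}
```

Running it shows the strncmp() comparison accepting the NUL-byte CN while the length-aware matcher rejects it, and the subject with no CN being refused. Wildcard names and subjectAltName handling are deliberately left out; if they are needed, add them as explicit rules rather than loosening the exact match.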
Legacy Article ID: a9121
