Add proper SubjectAltName parsing #18121
Merged
This fixes #18079 by adding a proper ASN.1 parser using RASN1 for the x509 SubjectAltName field. Previously, the `icpr_cert` module would crash when extracting information from this structure if certain fields were set. This addresses the problem by adding a definition for the SubjectAltName field using RASN1. This is then used for the parsing, allowing the module to correctly process the data and even extract additional information like DNS hostnames and email addresses.

The x400Address field in the SubjectAltName is pretty complicated. All of the fields are modeled out according to the RFC and were tested using data generated using Python's `cryptoasn1` library and the following script. Currently, this will fail due to what I believe is an issue that needs to be resolved in the upstream project. A PR has been submitted already and once it's landed, the definitions should begin to just work. Until then, this issue shouldn't come up in the `icpr_cert` module because that particular field isn't populated by AD CS.

test_cert.py
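As an added example (not the PR's code, which uses RASN1), here is a stdlib-only Ruby sketch of the GeneralName CHOICE handling the module needs: it builds a constructed SubjectAltName SEQUENCE covering the choices AD CS commonly populates plus one it does not, then decodes it with OpenSSL::ASN1 so that unknown choices are reported instead of crashing the parse. The sample values and the Microsoft UPN otherName OID are my assumptions, not taken from the PR.

```ruby
require 'openssl'
require 'ipaddr'

# Assumed: Microsoft UPN otherName OID (szOID_NT_PRINCIPAL_NAME), the form AD CS emits for UPN SANs.
UPN_OID = '1.3.6.1.4.1.311.20.2.3'

# Constructed sample: the inner SEQUENCE OF GeneralName of a SubjectAltName extension.
# Context-specific tags follow RFC 5280: [0] otherName, [1] rfc822Name, [2] dNSName, [7] iPAddress, [8] registeredID.
def build_sample_san_der
  cs = :CONTEXT_SPECIFIC
  upn = OpenSSL::ASN1::ASN1Data.new(
    [OpenSSL::ASN1::ObjectId.new(UPN_OID),
     OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::UTF8String.new('user@example.test')], 0, cs)], 0, cs)
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ASN1Data.new('user@example.test', 1, cs),   # [1] rfc822Name (IMPLICIT IA5String)
    OpenSSL::ASN1::ASN1Data.new('host.example.test', 2, cs),   # [2] dNSName   (IMPLICIT IA5String)
    upn,                                                        # [0] otherName { OID, [0] EXPLICIT UTF8String }
    OpenSSL::ASN1::ASN1Data.new("\x0a\x00\x00\x01".b, 7, cs),  # [7] iPAddress (IMPLICIT OCTET STRING)
    OpenSSL::ASN1::ASN1Data.new("\x2a\x03".b, 8, cs)           # [8] registeredID, deliberately not handled below
  ]).to_der
end

# Decode each GeneralName by its context-specific tag; anything unrecognised is surfaced, not raised.
def parse_san(der)
  seq = OpenSSL::ASN1.decode(der)
  raise ArgumentError, 'SubjectAltName must be a SEQUENCE' unless seq.is_a?(OpenSSL::ASN1::Sequence)
  seq.value.map do |gn|
    next [:unsupported, gn.to_der] unless gn.tag_class == :CONTEXT_SPECIFIC
    case gn.tag
    when 0
      oid, explicit = gn.value                      # otherName: type-id OID, then [0] EXPLICIT value
      [:otherName, { oid: oid.oid, value: explicit.value.first.value }]
    when 1 then [:rfc822Name, gn.value]
    when 2 then [:dNSName, gn.value]
    when 6 then [:uniformResourceIdentifier, gn.value]
    when 7 then [:iPAddress, IPAddr.new_ntoh(gn.value).to_s]  # 4 or 16 raw bytes
    else [:unsupported, gn.tag]                     # e.g. registeredID, directoryName, x400Address
    end
  end
end

parse_san(build_sample_san_der).each { |kind, value| puts "#{kind}: #{value.inspect}" }
```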
Verification

1. Use `certtmpl.msc` to make a copy of the User certificate.
2. Use the `icpr_cert` module to issue that certificate.

If you get this error:

It's because the Active Directory user does not have an email address specified. Open Active Directory Users and Computers, select the account and populate the "E-mail Address" field.
DNS

The DNS field is specified for computer accounts. If you want to test that one as well:

1. Use the `samr_computer` module to create a new computer account and note the password.
2. Set the `dNSHostName` field.

I'm pretty sure that computer accounts can't have an email set, or at least I don't know how to set it. This means that in certtmpl.msc you'll need to unselect E-mail and UPN and select just DNS instead. I was unable to find a way to populate the SPN field.
Demo