Skip to content

Print DirName differently in SAN's #20317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
StephenWall wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Print DirName differently in SAN's #20317

StephenWall wants to merge 1 commit into from
+21 −1

Conversation

@StephenWall
Copy link
Contributor

@StephenWall StephenWall commented Oct 28, 2025
edited
Loading

When printing SubjectAlternativeNames, print the details of DirName entries in a different format than GENERAL_NAME_print() to avoid parsing issues due to commas.

Fixes #20312

@StephenWall StephenWall requested a review from bukka as a code owner October 28, 2025 12:39
@StephenWall StephenWall force-pushed the dirname branch 5 times, most recently from 29a812d to beace30 Compare October 30, 2025 14:33
@StephenWall
Print DirName differently in SAN's
916fe52 
When printing SubjectAlternativeNames, print the details of DirName entries in a different format than GENERAL_NAME_print() to avoid parsing issues due to commas.
@bukka
Copy link
Member

bukka commented Dec 9, 2025

This is indeed better but I'm a bit worried about BC impact as it can break already the implementation parsing the current format. I know that openssl_parse_x509 docs note that it is deliberately not documented but considering that it has been like this for ages, it's quite possible that changes in it will break code so I'm not sure we should change it.

I was thinking about this in past and thought about introducing some extra flag after $short_names that would allow switching the format. We have got more use cases for it. I'm not sure if it's a great API so something like this might potentially need internals discussion / RFC.

@StephenWall
Copy link
Contributor Author

StephenWall commented Dec 9, 2025
edited
Loading

I do have a different approach to SANs, which returns comprehensive info about the SAN in an easily parsed format. I asked on the internals list if I should create an RFC on this, or just post a pull request, and if it should be included in the x509 parse output, or in a new function call, but got no response.

Array
(
    [name] => ...
    ...
    [extensions] => Array
        (
            [subjectAltName] =>
                DNS:www.good.org,
                email:[email protected],
                IP Address:192.168.0.1,
                othername:<unsupported>,
                othername:SmtpUTF8Mailbox:[email protected],
                URI:sip:[email protected],
                DirName:/C=US/ST=CA/L=San Francisco/O=Example Company/OU=Example Company Unit/CN=Bob,
                Registered ID:1.2.3.4.5
        )

    [subjectAlternativeName] => Array
        (
            [0] => Array
                (
                    [type] => DNS
                    [value] => www.good.org
                )

            [1] => Array
                (
                    [type] => email
                    [value] => [email protected]
                )

            [2] => Array
                (
                    [type] => IP Address
                    [value] => 192.168.0.1
                )

            [3] => Array
                (
                    [type] => othername
                    [value] => Array
                        (
                            [1.3.6.1.5.5.7.8.7] => [email protected]
                        )
                )

            [4] => Array
                (
                    [type] => othername
                    [value] => Array
                        (
                            [1.3.6.1.5.5.7.8.9] => [email protected]
                        )
                )

            [5] => Array
                (
                    [type] => URI
                    [value] => sip:[email protected]
                )

            [6] => Array
                (
                    [type] => DirName
                    [value] => Array
                        (
                            [2.5.4.6] => US
                            [2.5.4.8] => CA
                            [2.5.4.7] => San Francisco
                            [2.5.4.10] => Example Company
                            [2.5.4.11] => Example Company Unit
                            [2.5.4.3] => Bob
                        )

                )

            [7] => Array
                (
                    [type] => Registered ID
                    [value] => 1.2.3.4.5
                )

        )```
(sorry for the length :)

@bukka
Copy link
Member

bukka commented Dec 9, 2025

Yeah I think subjectAlternativeName field could be acceptable and helpful for users.

@bukka
Copy link
Member

bukka commented Dec 9, 2025

About the process for merging, it works that if there are no objections from any core developer, features like this can be merged without RFC.

Sorry I was a bit busy with other stuff so didn't have time to replay to your email and do the reviews sooner. It might take me some time again to do the another round of reviews but it should be all fine to get to 8.6 unless there are some objections.

@StephenWall
Copy link
Contributor Author

StephenWall commented Dec 10, 2025

Would you like me to close out this pull, and create a new one with the "subjectAlternativeName" as I described above?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bukka bukka Awaiting requested review from bukka bukka is a code owner

Assignees

No one assigned

Labels

Extension: openssl

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

The DirName format in a subjectAltName makes parsing difficult

2 participants

@StephenWall @bukka