Getting Subject Alternate Names with Pkcs10CertificationRequest

Question

I\'m currently able to decode a CSR\'s values except for Requested Extensions, specifically X509v3 Subject Alternative Name. Here\'s the relevant part of my `

Answer 1

I made it work with the following code :

public static void DecodeCsr(string csr)
{
    csr = Regex.Replace(csr, @"-----[^-]+-----", String.Empty).Trim().Replace(" ", "").Replace(Environment.NewLine, "");

    PemObject pem = new PemObject("CSR", Convert.FromBase64String(csr));
    Pkcs10CertificationRequest request = new Pkcs10CertificationRequest(pem.Content);
    CertificationRequestInfo requestInfo = request.GetCertificationRequestInfo();

    // an Attribute is a collection of Sequence which contains a collection of Asn1Object
    // let's find the sequence that contains a DerObjectIdentifier with Id of "1.2.840.113549.1.9.14"
    DerSequence extensionSequence = requestInfo.Attributes.OfType<DerSequence>()
                                                          .First(o => o.OfType<DerObjectIdentifier>()
                                                                       .Any(oo => oo.Id == "1.2.840.113549.1.9.14"));

    // let's get the set of value for this sequence
    DerSet extensionSet = extensionSequence.OfType<DerSet>().First();

    // estensionSet = [[2.5.29.17, #30158208746573742e636f6d820974657374322e636f6d]]]
    // extensionSet contains nested sequence ... let's use a recursive method 
    DerOctetString str = GetAsn1ObjectRecursive<DerOctetString>(extensionSet.OfType<DerSequence>().First(), "2.5.29.17");

    GeneralNames names = GeneralNames.GetInstance(Asn1Object.FromByteArray(str.GetOctets()));
    Console.WriteLine(names.ToString());
}

static T GetAsn1ObjectRecursive<T>(DerSequence sequence, String id) where T : Asn1Object
{
    if (sequence.OfType<DerObjectIdentifier>().Any(o => o.Id == id))
    {
        return sequence.OfType<T>().First();
    }

    foreach (DerSequence subSequence in sequence.OfType<DerSequence>())
    {
        T value = GetAsn1ObjectRecursive<T>(subSequence, id);
        if (value != default(T))
        {
            return value;
        }
    }

    return default(T);
}

The tricky part is that BouncyCastle works with collection everywhere and the requested value is inside a nested nested collection. I use a recursive function because I'm not sure if your CSR will always have this value as nested.

Answer 2

As requested in the comments, here's a Java version (with Bouncy Castle 1.57).

One detail is that I had to format your CSR to make it work (I couldn't read it when it's all in one line):

-----BEGIN CERTIFICATE REQUEST-----
MIIC1DCCAbwCAQAwXjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAO
BgNVBAcMB0F0bGFudGExDTALBgNVBAoMBFRlc3QxHDAaBgNVBAMME3d3dy50aGlz
aXNhdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFU4pX
LB3d8csjvRIkIdZfUF2m9sijtk1bqYohqVwYr3+OyDRkfRuTCni8RJS9VOcl6n5a
UiK27P4s5j9LqqfL0vS8B949P/ewb2ip2BGB1sEmxKcsEoZYNNEhMm9p7yNTAEqJ
/WN0N1CpKBFV1J/w6xiQy5tUyUe7C9c8DX6K1uhEDF9pfeTaCNxYBShm0JFuAIqn
6Z+RzbC7tdwc0KgN/bhx3bEvg8b0p/hgxd2veuUmB/fcIPsFawkGFPcQzLpSbc1V
b+zru40HAbRflyQckA3ZgRsa1OHsdiOyb8vpV7dUm4VHOm38bw2wVImRMfRtNZXr
L/WiWcGadtFV8nxXAgMBAAGgMTAvBgkqhkiG9w0BCQ4xIjAgMB4GA1UdEQQXMBWC
CHRlc3QuY29tggl0ZXN0Mi5jb20wDQYJKoZIhvcNAQELBQADggEBAKXxHlruiqtT
wB1Ov17K+mz03EidfecdW+9u8gcLdOOLKn5kCg6RuC0mCjGHvFGjE6ljFc5cyUFb
fdqzd8QXh1f3AgxveR+oq1wExJNr0Yl6kjVEdtndvHhSzUmZZ02EcPbIq/eY5KST
dKidjvIJMwTUtIyUQ71y/vSVn0YavvXYo/re57kC7chW/Ns/hZmHrZ6GvMWE9ea3
P3jOKPyXCULJlbQCjXc6CQJAkBlcKpvnW6kU2PjreDWzRMhzqZzUqhc6RsGzz84/
xwBsrYXfTj91FQd9+w15CYzBEJOv/Iz3CfVGb4s1+yUPVxgei2ezTjfQVcQgq4Cu
sRnDU5/7lmE=
-----END CERTIFICATE REQUEST-----

That's how I could read the attributes from the CSR:

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;

String csr = // Base 64 CSR
PemReader reader = new PemReader(new StringReader(csr));
PemObject object = reader.readPemObject();
reader.close();

PKCS10CertificationRequest req = new PKCS10CertificationRequest(object.getContent());

Attribute[] attributes = req.getAttributes();
for (Attribute at : attributes) {
    if ("1.2.840.113549.1.9.14".equals(at.getAttrType().getId())) { // extension request
        // there's a sequence inside another sequence
        DERSequence seq = (DERSequence) at.getAttrValues().getObjectAt(0);
        seq = (DERSequence) seq.getObjectAt(0);

        ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) seq.getObjectAt(0);
        if ("2.5.29.17".equals(oid.getId())) { // 2.5.29.17 = subject alternative name
            DEROctetString str = (DEROctetString) seq.getObjectAt(1);

            GeneralNames names = GeneralNames.getInstance(str.getOctets());
            System.out.println(names.toString());
        }
    }
}

The output is:

GeneralNames:
    2: test.com
    2: test2.com

The tag 2 is the dnsName (as stated by the RFC 5280).

PS: this code is a simple version that assumes there's only one attribute value (when I call at.getAttrValues().getObjectAt(0)). If there are more attributes, probably the getAttrValues() will have more elements and a loop will be better instead of just getting the first element.