2

I have generated the CSR using openssl. Now I want to parse the CSR and display the ipaddress and othername available in the CSR.

I have written the following code. It is able to display the dns and url properly, but I am not able to display the ipaddress and othername in the correct format.

    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.StringReader;
    import java.nio.charset.StandardCharsets;
    import org.apache.commons.io.IOUtils;
    import org.bouncycastle.asn1.pkcs.Attribute;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    import org.bouncycastle.asn1.x500.X500Name;
    import org.bouncycastle.asn1.x509.Extension;
    import org.bouncycastle.asn1.x509.Extensions;
    import org.bouncycastle.asn1.x509.GeneralName;
    import org.bouncycastle.asn1.x509.GeneralNames;
    import org.bouncycastle.openssl.PEMParser;
    import org.bouncycastle.pkcs.PKCS10CertificationRequest;

    public static void testReadCertificateSigningRequest() {
        String csrPEM;
        // Read the PEM-encoded CSR and close the stream when done
        try (FileInputStream fis = new FileInputStream("E://test.txt")) {
            csrPEM = IOUtils.toString(fis, StandardCharsets.UTF_8);
        } catch (IOException e) {
            e.printStackTrace();
            return;
        }

        PKCS10CertificationRequest csr = convertPemToPKCS10CertificationRequest(csrPEM);
        if (csr == null) {
            return; // the file did not contain a parsable PKCS#10 request
        }

        X500Name x500Name = csr.getSubject();
        System.out.println("x500Name is: " + x500Name + "\n");

        Attribute[] certAttributes = csr.getAttributes();
        for (Attribute attribute : certAttributes) {
            if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
                Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
                GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
                if (gns == null) {
                    continue; // no subjectAlternativeName extension was requested
                }
                GeneralName[] names = gns.getNames();
                for (int k = 0; k < names.length; k++) {
                    String title = "";
                    if (names[k].getTagNo() == GeneralName.dNSName) {
                        title = "dNSName";
                    } else if (names[k].getTagNo() == GeneralName.iPAddress) {
                        title = "iPAddress";
                    } else if (names[k].getTagNo() == GeneralName.otherName) {
                        title = "otherName";
                    }
                    // getName() returns the raw ASN.1 value of the entry
                    System.out.println(title + ": " + names[k].getName());
                }
            }
        }
    }

    // Method to convert PEM to PKCS10CertificationRequest
    private static PKCS10CertificationRequest convertPemToPKCS10CertificationRequest(String pem) {
        try (PEMParser pRd = new PEMParser(new StringReader(pem))) {
            Object obj = pRd.readObject();
            // Return null instead of throwing ClassCastException on other PEM types
            return (obj instanceof PKCS10CertificationRequest) ? (PKCS10CertificationRequest) obj : null;
        } catch (IOException e) {
            e.printStackTrace();
            return null;
        }
    }

The above code prints iPAddress and otherName as below:

    iPAddress: #c0a80701
    iPAddress: #00130000000000000000000000000017
    otherName: [1.2.3.4, [0]some other identifier]

How can I retrieve the ipAddress and othername in the correct format?

Thanks.

user3782566
  • Thank you for posting this sample code. I was having a problem pulling the SAN out of pkcs10 and your sample helped me a lot... although I am a bit concerned about this bit: "attribute.getAttrValues().getObjectAt(0)" – Soichi Hayashi Nov 19 '15 at 21:58

2 Answers

1

That is the 'correct' format. There is no other way besides a manual conversion as the other answer suggests.

BouncyCastle encodes this internally in the GeneralName.java class constructor.

    else if (tag == iPAddress)
    {
        byte[] enc = toGeneralNameEncoding(name);
        if (enc != null)
        {
            this.obj = new DEROctetString(enc);
        }
        else
        {
            throw new IllegalArgumentException("IP Address is invalid");
        }
    }

See: http://www.docjar.org/html/api/org/bouncycastle/asn1/x509/GeneralName.java.html

When you extract the GeneralNames from the CSR to incorporate them into the certificate, BouncyCastle also decodes it again so the original value ends up in the final certificate.

Regarding the otherName property: "For x400Address, otherName and ediPartyName there is no common string format defined." So there is no 'correct' format there.

See: http://www.eecs.berkeley.edu/~jonah/javadoc/org/bouncycastle/asn1/x509/GeneralName.html

0

For converting the iPAddress from Hex format into dotted format I found this solution: Convert hexadecimal string to IP Address

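    // substring(1) drops the leading '#' of the hex string; DatatypeConverter is javax.xml.bind.DatatypeConverter
    InetAddress a = InetAddress.getByAddress(DatatypeConverter.parseHexBinary(names[k].getName().toString().substring(1)));

and then

    // getHostAddress() returns only the address; toString() would prefix it with "/"
    name = a.getHostAddress();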
Community
duddex
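The manual conversion both answers point to can work on the ASN.1 objects directly instead of on the printed hex string. The following is an added example, not code from either answer or from BouncyCastle: the class name `SanPrinter` and the helper `describe` are hypothetical, the sample entries are constructed to mirror the values in the question, and it assumes a BouncyCastle release that ships `org.bouncycastle.asn1.x509.OtherName`.

```java
import java.net.InetAddress;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.util.encoders.Hex;

public class SanPrinter {   // hypothetical class name
    // Render one SAN entry as text. Everything in a CSR is requester-supplied,
    // so decode strictly and show the otherName type OID next to its value.
    static String describe(GeneralName gn) throws Exception {
        switch (gn.getTagNo()) {
        case GeneralName.dNSName:
            return "dNSName: " + gn.getName();
        case GeneralName.iPAddress: {
            byte[] raw = ASN1OctetString.getInstance(gn.getName()).getOctets();
            // getByAddress accepts only 4 (IPv4) or 16 (IPv6) octets and throws
            // UnknownHostException otherwise; getHostAddress omits the leading '/'.
            return "iPAddress: " + InetAddress.getByAddress(raw).getHostAddress();
        }
        case GeneralName.otherName: {
            OtherName on = OtherName.getInstance(gn.getName());
            ASN1Encodable value = on.getValue();   // content of the explicit [0] tag
            String text = (value instanceof ASN1String)
                    ? ((ASN1String) value).getString()
                    : "#" + Hex.toHexString(value.toASN1Primitive().getEncoded());
            return "otherName: " + on.getTypeID().getId() + " = " + text;
        }
        default:
            return "tag " + gn.getTagNo() + ": " + gn.getName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample entries mirroring the values printed in the question
        ASN1Encodable other = new DERSequence(new ASN1Encodable[] {
            new ASN1ObjectIdentifier("1.2.3.4"),
            new DERTaggedObject(true, 0, new DERUTF8String("some other identifier")) });
        GeneralNames built = new GeneralNames(new GeneralName[] {
            new GeneralName(GeneralName.dNSName, "example.test"),
            new GeneralName(GeneralName.iPAddress, new DEROctetString(Hex.decode("c0a80701"))),
            new GeneralName(GeneralName.iPAddress,
                new DEROctetString(Hex.decode("00130000000000000000000000000017"))),
            new GeneralName(GeneralName.otherName, other) });
        // Encode and re-parse so describe() sees what a CSR parser would hand over
        GeneralNames parsed = GeneralNames.getInstance(ASN1Primitive.fromByteArray(built.getEncoded()));
        for (GeneralName gn : parsed.getNames()) {
            System.out.println(describe(gn));
        }
    }
}
```

When this runs as part of CSR review before issuance, an `UnknownHostException` from `describe` is a reason to reject the request, and an otherName whose value is not a string type is shown as hex of its DER encoding rather than guessed at.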