@spalladino
Last active March 20, 2018 13:38
Extracting Subject Alternative Name Other Name (1.3.6.1.4.1.311.20.2.3) from Microsoft authorization client certificates
require 'openssl'

# Returns the User Principal Name stored in the msUPN (1.3.6.1.4.1.311.20.2.3) otherName
# of the certificate's Subject Alternative Name extension.
def extract_ms_upn(certificate_string)
  cert = OpenSSL::X509::Certificate.new(certificate_string)
  subject_alt_name = cert.extensions.find {|e| e.oid == "subjectAltName"}
  raise "Certificate has no subjectAltName extension" if subject_alt_name.nil?
  # Parse the subject alternate name certificate extension as ASN1, first value should be the key
  asn_san = OpenSSL::ASN1.decode(subject_alt_name.to_der)
  raise "Expected ASN1 Subject Alternate Name extension key to be subjectAltName but was #{asn_san.value[0].value}" if asn_san.value[0].value != 'subjectAltName'
  # And the last value should be an octet string wrapping a nested ASN1 sequence
  # (it is the last rather than the second element because a BOOLEAN sits between them when the extension is marked critical)
  asn_san_sequence = OpenSSL::ASN1.decode(asn_san.value.last.value)
  # Iterate through the ASN1 sequence looking for the msUPN key
  asn_san_sequence.each do |asn_data|
    # Only otherName entries (context tag [0]) are constructed; rfc822Name or dNSName entries
    # decode to plain strings, carry no key, and would break the lookup below
    next unless asn_data.tag == 0 && asn_data.value.is_a?(Array)
    # As before, first value is the key
    key = asn_data.value[0].value
    next if key != 'msUPN'
    # And second value contains the actual data, return it if the key was msUPN
    email = asn_data.value[1].value[0].value
    return email
  end
  # Raise if we iterated through the sequence and did not find the key
  raise "Extension msUPN not found"
end
# For comparison: the extension's string form, which is why the ASN1 walk above is needed.
# OpenSSL's printer does not render otherName entries, so the UPN is not recoverable from it.
def subject_alt_name_text(certificate_string)
  cert = OpenSSL::X509::Certificate.new(certificate_string)
  subject_alt_name = cert.extensions.find {|e| e.oid == "subjectAltName"}
  return subject_alt_name.value
end
# On a standard certificate...
# 'email:user@example.com'
# On a MS certificate...
# 'othername:<unsupported>, othername:<unsupported>'
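An added end-to-end check, not part of the gist: it builds a self-signed certificate whose SAN carries both an rfc822Name and an msUPN otherName (the layout the snippet above targets), then extracts the UPN with a walk that skips primitive entries and tolerates a critical SAN. The names MS_UPN_OID, build_test_cert and extract_upn are mine, and the certificate contents are constructed test data.

```ruby
require 'openssl'

MS_UPN_OID = '1.3.6.1.4.1.311.20.2.3' # Microsoft User Principal Name (OpenSSL short name: msUPN)

# Build a constructed self-signed certificate whose SAN holds an rfc822Name and,
# when a UPN is given, an msUPN otherName, mirroring Microsoft client certificates.
def build_test_cert(upn = nil)
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Test User')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  san = 'email:user@example.com'
  san += ", otherName:#{MS_UPN_OID};UTF8:#{upn}" if upn
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Return the UPN from the msUPN otherName, or nil if the certificate carries none.
def extract_upn(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return nil unless ext
  # Extension DER is SEQUENCE { OID, BOOLEAN critical OPTIONAL, OCTET STRING },
  # so the last element, not always the second, wraps the GeneralNames.
  general_names = OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.to_der).value.last.value)
  general_names.value.each do |name|
    # otherName is [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY };
    # rfc822Name ([1]) and dNSName ([2]) decode to plain strings and are skipped.
    next unless name.tag == 0 && name.tag_class == :CONTEXT_SPECIFIC && name.value.is_a?(Array)
    type_id, wrapped = name.value
    next unless type_id.oid == MS_UPN_OID
    return wrapped.value.first.value
  end
  nil
end
```

Comparing the OID in dotted form rather than the short name 'msUPN' keeps the check independent of which names the local OpenSSL build knows.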