Getting Subject Alternate Names with Pkcs10CertificationRequest

Question

I'm currently able to decode a CSR's values except for Requested Extensions, specifically X509v3 Subject Alternative Name. Here's the relevant part of my `DecodeCSR(string csr):

public void DecodeCsr(string csrStr){
//getting just csr
var csrChars = Regex.Replace(csrStr, @"-----[^-]+-----", "").Trim().Replace(" ", "").Replace(Environment.NewLine, "").ToCharArray();
//converting that string into a byte array
byte[] csrEncode = Convert.FromBase64CharArray(csrChars, 0, csrChars.Length);
//giving decodeCsr the byte array
Pkcs10CertificationRequest decodeCsr = new Pkcs10CertificationRequest(csrEncode);
//getting a string of subject information
string subject = decodeCsr.GetCertificationRequestInfo().Subject.ToString();
//here's how I'm getting a DerSet of attribute
DerSet atts = (DerSet)decodeCsr.GetCertificationRequestInfo().Attributes;
}

Here's a test csr with SANs:

string csr = "-----BEGIN CERTIFICATE REQUEST-----MIIC1DCCAbwCAQAwXjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExDTALBgNVBAoMBFRlc3QxHDAaBgNVBAMME3d3dy50aGlzaXNhdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFU4pXLB3d8csjvRIkIdZfUF2m9sijtk1bqYohqVwYr3+OyDRkfRuTCni8RJS9VOcl6n5aUiK27P4s5j9LqqfL0vS8B949P/ewb2ip2BGB1sEmxKcsEoZYNNEhMm9p7yNTAEqJ/WN0N1CpKBFV1J/w6xiQy5tUyUe7C9c8DX6K1uhEDF9pfeTaCNxYBShm0JFuAIqn6Z+RzbC7tdwc0KgN/bhx3bEvg8b0p/hgxd2veuUmB/fcIPsFawkGFPcQzLpSbc1Vb+zru40HAbRflyQckA3ZgRsa1OHsdiOyb8vpV7dUm4VHOm38bw2wVImRMfRtNZXrL/WiWcGadtFV8nxXAgMBAAGgMTAvBgkqhkiG9w0BCQ4xIjAgMB4GA1UdEQQXMBWCCHRlc3QuY29tggl0ZXN0Mi5jb20wDQYJKoZIhvcNAQELBQADggEBAKXxHlruiqtTwB1Ov17K+mz03EidfecdW+9u8gcLdOOLKn5kCg6RuC0mCjGHvFGjE6ljFc5cyUFbfdqzd8QXh1f3AgxveR+oq1wExJNr0Yl6kjVEdtndvHhSzUmZZ02EcPbIq/eY5KSTdKidjvIJMwTUtIyUQ71y/vSVn0YavvXYo/re57kC7chW/Ns/hZmHrZ6GvMWE9ea3P3jOKPyXCULJlbQCjXc6CQJAkBlcKpvnW6kU2PjreDWzRMhzqZzUqhc6RsGzz84/xwBsrYXfTj91FQd9+w15CYzBEJOv/Iz3CfVGb4s1+yUPVxgei2ezTjfQVcQgq4CusRnDU5/7lmE=-----END CERTIFICATE REQUEST-----";

The information I can get from decodeCsr.GetCertificationRequestInfo().Attributes is an Org.BouncyCastle.Asn1.DerSet that looks like this:

DerSet atts = (DerSet)decodeCsr.GetCertificationRequestInfo().Attributes;

This is what it looks like in debug mode(a picture of the overal object is below):

atts    {[[1.2.840.113549.1.9.14, [[[2.5.29.17, #3026820a61757374696e2e636f6d820b61757374696e322e636f6d820b61757374696e342e636f6d]]]]]} Org.BouncyCastle.Asn1.DerSet

I can see the DerOctetString in debug mode, however I have no idea how to get to it. I believe if i can get that far Hugo's answer may be applicable, there is a DerOctetStringParser but at the moment I have nothing to give it.

I've tried to treat atts as a string removed the OIDs get the value exactly like the DerOctetString in debug mode and cast it as a DerOctetString that didn't work, and I don't believe that answer scales well.

Answer 1

I made it work with the following code :

public static void DecodeCsr(string csr)
{
    csr = Regex.Replace(csr, @"-----[^-]+-----", String.Empty).Trim().Replace(" ", "").Replace(Environment.NewLine, "");

    PemObject pem = new PemObject("CSR", Convert.FromBase64String(csr));
    Pkcs10CertificationRequest request = new Pkcs10CertificationRequest(pem.Content);
    CertificationRequestInfo requestInfo = request.GetCertificationRequestInfo();

    // an Attribute is a collection of Sequence which contains a collection of Asn1Object
    // let's find the sequence that contains a DerObjectIdentifier with Id of "1.2.840.113549.1.9.14"
    DerSequence extensionSequence = requestInfo.Attributes.OfType<DerSequence>()
                                                          .First(o => o.OfType<DerObjectIdentifier>()
                                                                       .Any(oo => oo.Id == "1.2.840.113549.1.9.14"));

    // let's get the set of value for this sequence
    DerSet extensionSet = extensionSequence.OfType<DerSet>().First();

    // estensionSet = [[2.5.29.17, #30158208746573742e636f6d820974657374322e636f6d]]]
    // extensionSet contains nested sequence ... let's use a recursive method 
    DerOctetString str = GetAsn1ObjectRecursive<DerOctetString>(extensionSet.OfType<DerSequence>().First(), "2.5.29.17");

    GeneralNames names = GeneralNames.GetInstance(Asn1Object.FromByteArray(str.GetOctets()));
    Console.WriteLine(names.ToString());
}

static T GetAsn1ObjectRecursive<T>(DerSequence sequence, String id) where T : Asn1Object
{
    if (sequence.OfType<DerObjectIdentifier>().Any(o => o.Id == id))
    {
        return sequence.OfType<T>().First();
    }

    foreach (DerSequence subSequence in sequence.OfType<DerSequence>())
    {
        T value = GetAsn1ObjectRecursive<T>(subSequence, id);
        if (value != default(T))
        {
            return value;
        }
    }

    return default(T);
}

The tricky part is that BouncyCastle works with collection everywhere and the requested value is inside a nested nested collection. I use a recursive function because I'm not sure if your CSR will always have this value as nested.

Answer 2

As requested in the comments, here's a Java version (with Bouncy Castle 1.57).

One detail is that I had to format your CSR to make it work (I couldn't read it when it's all in one line):

-----BEGIN CERTIFICATE REQUEST-----
MIIC1DCCAbwCAQAwXjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAO
BgNVBAcMB0F0bGFudGExDTALBgNVBAoMBFRlc3QxHDAaBgNVBAMME3d3dy50aGlz
aXNhdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFU4pX
LB3d8csjvRIkIdZfUF2m9sijtk1bqYohqVwYr3+OyDRkfRuTCni8RJS9VOcl6n5a
UiK27P4s5j9LqqfL0vS8B949P/ewb2ip2BGB1sEmxKcsEoZYNNEhMm9p7yNTAEqJ
/WN0N1CpKBFV1J/w6xiQy5tUyUe7C9c8DX6K1uhEDF9pfeTaCNxYBShm0JFuAIqn
6Z+RzbC7tdwc0KgN/bhx3bEvg8b0p/hgxd2veuUmB/fcIPsFawkGFPcQzLpSbc1V
b+zru40HAbRflyQckA3ZgRsa1OHsdiOyb8vpV7dUm4VHOm38bw2wVImRMfRtNZXr
L/WiWcGadtFV8nxXAgMBAAGgMTAvBgkqhkiG9w0BCQ4xIjAgMB4GA1UdEQQXMBWC
CHRlc3QuY29tggl0ZXN0Mi5jb20wDQYJKoZIhvcNAQELBQADggEBAKXxHlruiqtT
wB1Ov17K+mz03EidfecdW+9u8gcLdOOLKn5kCg6RuC0mCjGHvFGjE6ljFc5cyUFb
fdqzd8QXh1f3AgxveR+oq1wExJNr0Yl6kjVEdtndvHhSzUmZZ02EcPbIq/eY5KST
dKidjvIJMwTUtIyUQ71y/vSVn0YavvXYo/re57kC7chW/Ns/hZmHrZ6GvMWE9ea3
P3jOKPyXCULJlbQCjXc6CQJAkBlcKpvnW6kU2PjreDWzRMhzqZzUqhc6RsGzz84/
xwBsrYXfTj91FQd9+w15CYzBEJOv/Iz3CfVGb4s1+yUPVxgei2ezTjfQVcQgq4Cu
sRnDU5/7lmE=
-----END CERTIFICATE REQUEST-----

That's how I could read the attributes from the CSR:

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;

String csr = // Base 64 CSR
PemReader reader = new PemReader(new StringReader(csr));
PemObject object = reader.readPemObject();
reader.close();

PKCS10CertificationRequest req = new PKCS10CertificationRequest(object.getContent());

Attribute[] attributes = req.getAttributes();
for (Attribute at : attributes) {
    if ("1.2.840.113549.1.9.14".equals(at.getAttrType().getId())) { // extension request
        // there's a sequence inside another sequence
        DERSequence seq = (DERSequence) at.getAttrValues().getObjectAt(0);
        seq = (DERSequence) seq.getObjectAt(0);

        ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) seq.getObjectAt(0);
        if ("2.5.29.17".equals(oid.getId())) { // 2.5.29.17 = subject alternative name
            DEROctetString str = (DEROctetString) seq.getObjectAt(1);

            GeneralNames names = GeneralNames.getInstance(str.getOctets());
            System.out.println(names.toString());
        }
    }
}

The output is:

GeneralNames:
    2: test.com
    2: test2.com

The tag 2 is the dnsName (as stated by the RFC 5280).

PS: this code is a simple version that assumes there's only one attribute value (when I call at.getAttrValues().getObjectAt(0)). If there are more attributes, probably the getAttrValues() will have more elements and a loop will be better instead of just getting the first element.