restReqClientCertSANGet (Function)


Architecture: NX32L

Device support: ALL

Firmware version: 2.10.00


This function reads a Subject Alternative Name (SAN) from the client certificate of a request.

A SAN is a DNS hostname, e-mail address, IP address or other kind of name that the certificate is valid for.

The function returns the type of the SAN. For some supported SAN types the value of the SAN is also read into san (see the return codes below).

As a certificate can contain multiple SANs, it can be necessary to iterate over them by index to find the needed SAN. Iteration ends when the function returns -21 for an index beyond the last SAN.

Input:

req : SYSHANDLE
A handle to the request.

idx : INT (Default 0)
The index of the SAN to read, starting at 0.

Output:

san : STRING
The SAN as a string, if it is possible for the given type, see below.

Returns: INT

8 - XMPP. san is empty.
7 - Distinguished name. san contains the name.
6 - Othername. san is empty.
5 - IP v6 address. san is empty.
4 - IP v4 address. san contains the address in the socket address format, soAddrToIP can be used to convert it to a DINT.
3 - URI. san contains the URI.
2 - RFC822 name (e-mail). san contains the name.
1 - DNS name. san contains the name.
0 - Not supported
-1 - Invalid request
-5 - Not an incoming request
-6 - Request does not contain a client certificate.
-21 - SAN not found at the given index, the last SAN might have been read.

Declaration:

FUNCTION restReqClientCertSANGet : INT;
VAR_INPUT
  req            : SYSHANDLE;
  idx            : INT;
  san            : ACCESS STRING;
END_VAR;

Example:

(* Dump the client certificate of a request and report whether one of its
   IP v4 SANs matches the expected address rip. *)
FUNCTION dumpCert;
VAR_INPUT
  req : SYSHANDLE;
  rip : DINT;
END_VAR;
VAR
  rc  : INT;
  str : STRING;
  d   : DINT;
  i   : INT;
  ip  : DINT;
END_VAR;
  rc := restReqClientCertPresent(req:=req);
  IF rc = 1 THEN
    DebugFmt(message:="Client cert present");
    rc := restReqClientCertSubjectGet(req := req, str := str);
    DebugFmt(message:=" Subject: "+str+": \1", v1 := rc);
    rc := restReqClientCertSubjectCNGet(req := req, str := str);
    DebugFmt(message:=" CN: "+str+": \1", v1 := rc);
    rc := restReqClientCertIssuerGet(req := req, str := str);
    DebugFmt(message:=" Issuer: "+str+": \1", v1 := rc);
    rc := restReqClientCertVersionGet(req := req);
    DebugFmt(message:=" Version: \1", v1 := rc);
    d := restReqClientCertValidFrom(req := req);
    DebugFmt(message:=" Valid from: \4, "+linsecToStr(linsec := d), v4 := d);
    d := restReqClientCertValidTo(req := req);
    DebugFmt(message:=" Valid to: \4, "+linsecToStr(linsec := d), v4 := d);
    rc := restReqClientCertSerialGet(req := req, str := str);
    DebugFmt(message:=" Serial: "+str+": \1", v1 := rc);
    rc := restReqClientCertFingerprintGet(req := req, type := 0, str := str);
    DebugFmt(message:=" SHA1  : "+str+": \1", v1 := rc);
    rc := restReqClientCertFingerprintGet(req := req, type := 1, str := str);
    DebugFmt(message:=" MD5   : "+str+": \1", v1 := rc);

    rc := restReqClientCertCheckHostname(req := req, hostname := "localhost");
    DebugFmt(message:=" Match localhost: \1", v1 := rc);

    rc := restReqClientCertCheckEmail(req := req, email := "test@example.com");
    DebugFmt(message:=" Match test@example.com: \1", v1 := rc);

    (* Iterate over all SANs. The loop stops on any negative return code
       (normally -21, no SAN at this index) so that an error such as an
       invalid request cannot turn it into an endless loop. *)
    i := 0;
    REPEAT
        rc := restReqClientCertSANGet(req := req, idx := i, san := str);
        DebugFmt(message:= "  SAN[\1]: \2: "+str, v1 := i, v2 := rc);
        IF rc = 4 THEN
          (* IP v4 SAN: convert the socket address format to a DINT before comparing *)
          ip := soAddrToIP(address := str);
          IF ip = rip THEN
              DebugMsg(message:="   Matching IP found: "+str);
          END_IF;
        END_IF;
        i := i + 1;
    UNTIL rc < 0
    END_REPEAT;

  ELSE
    DebugFmt(message:="No client cert present: \1", v1 := rc);
  END_IF;
END_FUNCTION;
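The dump above prints every SAN; when the certificate is used to authorize a request, what a caller usually needs is a yes/no answer for one specific name. The following is an added example, not code from the RTCU documentation: the hypothetical functions clientCertHasSAN and clientCertHasIPSAN walk the SANs with restReqClientCertSANGet and fail closed on any negative return code. It assumes that = can compare two STRING values in this dialect.

```iecst
(* TRUE if the client certificate carries a SAN of the given type whose
   value equals wanted. sanType is one of the string-valued return codes:
   1 = DNS name, 2 = RFC822 name (e-mail), 3 = URI, 7 = distinguished name.
   Types without a value (5, 6, 8) can never match. *)
FUNCTION clientCertHasSAN : BOOL;
VAR_INPUT
  req     : SYSHANDLE;
  sanType : INT;
  wanted  : STRING;
END_VAR;
VAR
  rc  : INT;
  i   : INT;
  san : STRING;
END_VAR;
  clientCertHasSAN := FALSE;
  i := 0;
  REPEAT
    rc := restReqClientCertSANGet(req := req, idx := i, san := san);
    (* Assumption: = compares STRING values; DNS names are case-insensitive,
       so normalize both sides before calling if that matters to you. *)
    IF rc = sanType AND san = wanted THEN
      clientCertHasSAN := TRUE;
    END_IF;
    i := i + 1;
  (* Any negative code ends the search: -21 means no more SANs, the others
     are errors, and in both cases the answer stays FALSE. *)
  UNTIL rc < 0 OR clientCertHasSAN
  END_REPEAT;
END_FUNCTION;

(* TRUE if the client certificate carries an IP v4 SAN equal to ip. The
   value is delivered in socket address format, so it is converted with
   soAddrToIP and compared as a DINT rather than as text. *)
FUNCTION clientCertHasIPSAN : BOOL;
VAR_INPUT
  req : SYSHANDLE;
  ip  : DINT;
END_VAR;
VAR
  rc  : INT;
  i   : INT;
  san : STRING;
END_VAR;
  clientCertHasIPSAN := FALSE;
  i := 0;
  REPEAT
    rc := restReqClientCertSANGet(req := req, idx := i, san := san);
    IF rc = 4 AND soAddrToIP(address := san) = ip THEN
      clientCertHasIPSAN := TRUE;
    END_IF;
    i := i + 1;
  UNTIL rc < 0 OR clientCertHasIPSAN
  END_REPEAT;
END_FUNCTION;
```

Call restReqClientCertPresent first, as in the example above, so that a missing certificate is reported separately from a certificate without the expected SAN.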