This function reads a Subject Alternative Name (SAN) from the client certificate.
A SAN is a DNS hostname, e-mail address, IP address or other kind of name that the certificate is valid for.
The function returns the type of the SAN; for some supported SAN types the value of the SAN is also read into san.
As a certificate can contain multiple SANs, it can be necessary to iterate over them to find the needed SAN.
Input:
req : SYSHANDLE
A handle to the request.
idx : INT (Default 0)
The index of the SAN to read, starting at 0.
Output:
san : STRING
The SAN as a string, if it is possible for the given type, see below.
Returns: INT
  8  - XMPP. san is empty.
  7  - Distinguished name. san contains the name.
  6  - Othername. san is empty.
  5  - IP v6 address. san is empty.
  4  - IP v4 address. san contains the address in the socket address format; soAddrToIP can be used to convert it to a DINT.
  3  - URI. san contains the URI.
  2  - RFC822 name (e-mail). san contains the name.
  1  - DNS name. san contains the name.
  0  - Not supported.
 -1  - Invalid request.
 -5  - Not an incoming request.
 -6  - Request does not contain a client certificate.
-21  - SAN not found at the given index; the last SAN might have been read.
Declaration:
FUNCTION restReqClientCertSANGet : INT;
VAR_INPUT
req : SYSHANDLE;
idx : INT;
san : ACCESS STRING;
END_VAR;
Example:
FUNCTION dumpCert;
VAR_INPUT
  req : SYSHANDLE;   // handle to the incoming request
  rip : DINT;        // IPv4 address (as DINT) to look for among the SANs
END_VAR;
VAR
  rc  : INT;
  str : STRING;
  d   : DINT;
  i   : INT;
  ip  : DINT;
END_VAR;
  rc := restReqClientCertPresent(req:=req);
  IF rc = 1 THEN
    DebugFmt(message:="Client cert present");
    rc := restReqClientCertSubjectGet(req := req, str := str);
    DebugFmt(message:=" Subject: "+str+": \1", v1 := rc);
    rc := restReqClientCertSubjectCNGet(req := req, str := str);
    DebugFmt(message:=" CN: "+str+": \1", v1 := rc);
    rc := restReqClientCertIssuerGet(req := req, str := str);
    DebugFmt(message:=" Issuer: "+str+": \1", v1 := rc);
    rc := restReqClientCertVersionGet(req := req);
    DebugFmt(message:=" Version: \1", v1 := rc);
    d := restReqClientCertValidFrom(req := req);
    DebugFmt(message:=" Valid from: \4, "+linsecToStr(linsec := d), v4 := d);
    d := restReqClientCertValidTo(req := req);
    DebugFmt(message:=" Valid to: \4, "+linsecToStr(linsec := d), v4 := d);
    rc := restReqClientCertSerialGet(req := req, str := str);
    DebugFmt(message:=" Serial: "+str+": \1", v1 := rc);
    // Fingerprints: type 0 = SHA1, type 1 = MD5
    rc := restReqClientCertFingerprintGet(req := req, type := 0, str := str);
    DebugFmt(message:=" SHA1 : "+str+": \1", v1 := rc);
    rc := restReqClientCertFingerprintGet(req := req, type := 1, str := str);
    DebugFmt(message:=" MD5  : "+str+": \1", v1 := rc);
    rc := restReqClientCertCheckHostname(req := req, hostname := "localhost");
    DebugFmt(message:=" Match localhost: \1", v1 := rc);
    rc := restReqClientCertCheckEmail(req := req, email := "test@example.com");
    DebugFmt(message:=" Match test@example.com: \1", v1 := rc);
    // Walk the SAN list. -21 marks the end of the list; any other negative
    // code is an error, so stop on every negative code to avoid looping forever.
    i := 0;
    REPEAT
      rc := restReqClientCertSANGet(req := req, idx := i, san := str);
      DebugFmt(message:= " SAN[\1]: \2: "+str, v1 := i, v2 := rc);
      IF rc = 4 THEN
        // IPv4 SAN: convert the socket address string to a DINT before comparing
        ip := soAddrToIP(address := str);
        IF ip = rip THEN
          DebugMsg(message:=" Matching IP found: "+str);
        END_IF;
      END_IF;
      i := i + 1;
    UNTIL rc < 0
    END_REPEAT;
  ELSE
    DebugFmt(message:="No client cert present: \1", v1 := rc);
  END_IF;
END_FUNCTION;
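The example above matches only IPv4 SANs. The following function, an added example that is not part of the original documentation, generalizes that loop into a reusable authorization check for any SAN type whose value is populated (1, 2, 3, 4 and 7), which is useful for URI and distinguished-name SANs that have no dedicated check function. The names clientCertHasSAN, wantType and wantValue are assumptions; string comparison is exact (case-sensitive), and any return code other than -21 that is negative makes the function fail closed.

```iecst
// Added example: TRUE only when the client certificate on 'req' carries a SAN
// of type 'wantType' whose value equals 'wantValue'. Function and parameter
// names are assumptions, not part of the documented API.
FUNCTION clientCertHasSAN : BOOL;
VAR_INPUT
  req       : SYSHANDLE;   // handle to the incoming request
  wantType  : INT;         // SAN type code as returned by restReqClientCertSANGet
  wantValue : STRING;      // expected value; for type 4 a socket address string
END_VAR;
VAR
  rc    : INT;
  i     : INT;
  san   : STRING;
  found : BOOL;
END_VAR;
  found := FALSE;
  // Only these types deliver a value in 'san'; anything else can never match.
  IF wantType <> 1 AND wantType <> 2 AND wantType <> 3 AND wantType <> 4 AND wantType <> 7 THEN
    clientCertHasSAN := FALSE;
    RETURN;
  END_IF;
  i := 0;
  REPEAT
    rc := restReqClientCertSANGet(req := req, idx := i, san := san);
    IF rc = wantType THEN
      IF wantType = 4 THEN
        // IPv4: compare numerically so formatting differences do not matter
        found := soAddrToIP(address := san) = soAddrToIP(address := wantValue);
      ELSE
        found := san = wantValue;
      END_IF;
    END_IF;
    // rc = 0 (unsupported type) is skipped; -21 ends the list; any other
    // negative code (invalid request, no certificate, ...) ends the loop with
    // found = FALSE, i.e. the caller is denied rather than silently accepted.
    i := i + 1;
  UNTIL found OR rc < 0
  END_REPEAT;
  clientCertHasSAN := found;
END_FUNCTION;
```

Call it only after restReqClientCertPresent has reported a certificate and the request has been validated, since a FALSE result does not distinguish "no such SAN" from "request error".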