X509::subject
Description
Returns the subject of the specified X509 certificate.
Syntax
X509::subject <X509 certificate>
# v16.1.3
X509::subject <X509 certificate> commonName
X509::subject <X509 certificate> commonName
- Returns the subject commonName (CN) found in the specified X509 certificate in UTF-8 format.
Note
- This option was introduced in 16.1.3.
Examples
when CLIENTSSL_HANDSHAKE {
    # Check if the client supplied one or more client certs
    if { [SSL::cert count] > 0 } {
        # Check the first client cert subject
        if { [X509::subject [SSL::cert 0]] equals "someSubject" } {
            log local0. "X509 Certificate Subject [X509::subject [SSL::cert 0]]"
            pool my_pool
        }
        # Check the first client cert subject commonName
        if { [X509::subject [SSL::cert 0] commonName] equals "someCommonName" } {
            log local0. "X509 Certificate Subject [X509::subject [SSL::cert 0] commonName]"
            pool my_pool
        }
    }
}
This procedure extracts a specific field from the subject DN.
# Note that RFC 2253 special characters are transcoded internally.
#
# x509SubjectExtract "C=US,O=Biz.\\,Inc.,OU=UNIT\\=foo,CN=NAME" "O"
#   returns Biz.\,Inc.
# x509SubjectExtract "C=US,O=Biz.\\,Inc.,OU=UNIT\\=foo,CN=NAME" "OU"
#   returns UNIT\=foo
#
# Of course this means %f5equals5% or %f5kommaf5% must not occur in the input string.
proc x509SubjectExtract { str sfield } {
    set res "$sfield notFound"
    set str [ regsub -all {\\,} $str "%f5kommaf5%" ]
    foreach field [ split $str "," ] {
        set field [ regsub -all {\\=} $field "%f5equals5%" ]
        foreach { fname fval } [ split $field "=" ] break
        if { $fname eq $sfield } {
            set res [ regsub -all {%f5equals5%} $fval \\= ]
            break
        }
    }
    set res [ regsub -all {%f5kommaf5%} $res \\, ]
    return $res
}
Note
The output behavior changed in BIG-IP 9.3.0 to support multiple languages and RFC 2253 compliance.
Before the change
/CN=Name/OU=UNIT/O=Biz.,Inc./C=US
After the change
C=US,O=Biz.\,Inc.,OU=UNIT,CN=NAME
The output behavior changed again in 13.0.0 due to fixes for ID 607410 (K81239824). It still supports multiple languages and RFC 2253 compliance. Because the subject string differs between these versions, an iRule that compares or parses the full subject should be re-checked after an upgrade.
Comparison with a few OpenSSL output examples:
X509::subject
CN=Name, OU=UNIT, O="Biz.,Inc.", C=US
openssl x509 -in cert -noout -text | grep Subject
Subject: CN=Name, OU=UNIT, O=Biz.,Inc., C=US
openssl x509 -in cert -noout -subject
subject= /CN=Name/OU=UNIT/O=Biz.,Inc./C=US
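The x509SubjectExtract procedure above splits on commas and expects the backslash-escaped 9.3.0 form, so it does not match the 13.0.0 form with spaces after commas and quoted values. The following is an added example, not F5 code, that reads a field from either form; the name x509SubjectField is hypothetical, and it assumes only single-character backslash escapes and no multi-valued RDNs.

```tcl
# Added example, not F5 code. x509SubjectField is a hypothetical name.
# Assumptions: only single-character backslash escapes (\, \=) occur;
# hex-pair escapes and multi-valued RDNs joined with "+" are not handled.
proc x509SubjectField { subject wanted } {
    set fields [list]   ;# completed "name=value" strings
    set cur ""          ;# field currently being accumulated
    set inQuote 0       ;# 1 while inside "..." (13.0.0 output)
    set escaped 0       ;# 1 when the previous character was a backslash
    foreach ch [split $subject ""] {
        if { $escaped } {
            # Character after a backslash is data, never a separator
            append cur $ch
            set escaped 0
        } elseif { $ch eq "\\" } {
            set escaped 1
        } elseif { $ch eq "\"" } {
            set inQuote [expr { !$inQuote }]
        } elseif { $ch eq "," && !$inQuote } {
            lappend fields $cur
            set cur ""
        } else {
            append cur $ch
        }
    }
    lappend fields $cur
    foreach field $fields {
        # Attribute names contain no "=", so the first one is the separator
        set idx [string first "=" $field]
        if { $idx < 0 } { continue }
        set name [string trim [string range $field 0 [expr { $idx - 1 }]]]
        if { $name eq $wanted } {
            return [string trim [string range $field [expr { $idx + 1 }] end]]
        }
    }
    return ""
}

# Constructed sample inputs in the two formats shown on this page
# (for testing in tclsh; omit these lines from an iRule).
puts [x509SubjectField {C=US,O=Biz.\,Inc.,OU=UNIT,CN=NAME} "O"]
puts [x509SubjectField {CN=Name, OU=UNIT, O="Biz.,Inc.", C=US} "O"]
```

Both calls print the same organization value with the escaping removed, whereas x509SubjectExtract returns the value with its backslash escapes intact. An absent attribute yields an empty string, so a caller can treat "no match" as a deny condition.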