X509::subject

Description

Returns the subject of the specified X509 certificate.

Syntax

X509::subject <X509 certificate>

X509::subject <X509 certificate>

  • Returns the subject of the specified X509 certificate.

Examples

when CLIENTSSL_HANDSHAKE {

  # Check if the client supplied one or more client certs
  if {[SSL::cert count] > 0}{

    # Check the first client cert subject
    if { [X509::subject [SSL::cert 0]] equals "someSubject" } {
      log local0. "X509 Certificate Subject [X509::subject [SSL::cert 0]]"
      pool my_pool
  }
}

This procedure extracts a specific DN.

# note that RFC 2253 special characters are transcoded internally
#
#x509SubjectExtract "C=US,O=Biz.\\,Inc.,OU=UNIT\\=foo,CN=NAME" "O"
#returns Biz.\,Inc.
#x509SubjectExtract "C=US,O=Biz.\\,Inc.,OU=UNIT\\=foo,CN=NAME" "OU"
#returns UNIT\=foo
#
# of course this means %f5equals5% or %f5kommaf5% must not occur in the input string


proc x509SubjectExtract { str sfield } {
    set res "$sfield notFound"
    set str [ regsub -all {\\,} $str  "%f5kommaf5%" ]
    foreach field [ split $str ","] {
        set field [ regsub -all {\\=} $field  "%f5equals5%" ]
        foreach { fname  fval } [ split $field "=" ]  break
        if { $fname eq $sfield } {
            set res [ regsub -all {%f5equals5%} $fval \\=  ]
            break
        }
    }
    set res [ regsub -all {%f5kommaf5%} $res  \\, ]
    return $res
}

Note

There is a behavior changed in BIGIP-9.3.0 to support multiple languages and RFC 2253 compliance.
Before the change
/CN=Name/OU=UNIT/O=Biz.,Inc./C=US

After the change

C=US,O=Biz.\,Inc.,OU=UNIT,CN=NAME

The output behavior changed again 13.0.0 due to fixes for ID 607410 (K81239824). It still supports multiple languages and RFC 2253 compliance.
Comparison to a few OpenSSL output examples.
X509::subject
CN=Name, OU=UNIT, O="Biz.,Inc.", C=US

openssl x509 -in cert -noout -text | grep Subject

Subject: CN=Name, OU=UNIT, O=Biz.,Inc., C=US

openssl x509 -in cert -noout -subject

subject= /CN=Name/OU=UNIT/O=Biz.,Inc./C=US