How do you parse the Subject Alternate Names from an X509Certificate2?

Question

Is there an easy way to get the Subject Alternate Names from an X509Certificate2 object?

        foreach (X509Extension ext in certificate.Extensions)
               


        

Answer 1

All of the answers here are either platform or OS language specific or are able to retrieve only one alternative subject name so I wrote my own parser by reverse engineering raw data which can parse DNS and IP Addresses and suits my needs:

private const string SAN_OID = "2.5.29.17";

private static int ReadLength(ref Span span)
{
    var length = (int)span[0];
    span = span[1..];
    if ((length & 0x80) > 0)
    {
        var lengthBytes = length & 0x7F;
        length = 0;
        for (var i = 0; i < lengthBytes; i++)
        {
            length = length * 0x100 + span[0];
            span = span[1..];
        }
    }
    return length;
}

public static IList ParseSubjectAlternativeNames(byte[] rawData)
{
    var result = new List(); // cannot yield results when using Span yet
    if (rawData.Length < 1 || rawData[0] != '0')
    {
        throw new InvalidDataException("They told me it will start with zero :(");
    }

    var data = rawData.AsSpan(1);
    var length = ReadLength(ref data);
    if (length != data.Length)
    {
        throw new InvalidDataException("I don't know who I am anymore");
    }

    while (!data.IsEmpty)
    {
        var type = data[0];
        data = data[1..];

        var partLength = ReadLength(ref data);
        if (type == 135) // ip
        {
            result.Add(new IPAddress(data[0..partLength]).ToString());
        } else if (type == 160) // upn
        {
            // not sure how to parse the part before \f
            var index = data.IndexOf((byte)'\f') + 1;
            var upnData = data[index..];
            var upnLength = ReadLength(ref upnData);
            result.Add(Encoding.UTF8.GetString(upnData[0..upnLength]));
        } else // all other
        {
            result.Add(Encoding.UTF8.GetString(data[0..partLength]));
        }
        data = data[partLength..];
    }
    return result;
}

public static IEnumerable ParseSubjectAlternativeNames(X509Certificate2 cert)
{
    return cert.Extensions
        .Cast()
        .Where(ext => ext.Oid.Value.Equals(SAN_OID))
        .SelectMany(x => ParseSubjectAlternativeNames(x.RawData));
}

I also found this test in corefx repo itself: https://github.com/dotnet/corefx/blob/master/src/System.Security.Cryptography.Encoding/tests/AsnEncodedData.cs#L38

The idea there is to just split the asnData.Format result on ':', '=', ',' and take every other value which is a much easier approach:

byte[] sanExtension =
{
    0x30, 0x31, 0x82, 0x0B, 0x65, 0x78, 0x61, 0x6D,
    0x70, 0x6C, 0x65, 0x2E, 0x6F, 0x72, 0x67, 0x82,
    0x0F, 0x73, 0x75, 0x62, 0x2E, 0x65, 0x78, 0x61,
    0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x6F, 0x72, 0x67,
    0x82, 0x11, 0x2A, 0x2E, 0x73, 0x75, 0x62, 0x2E,
    0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E,
    0x6F, 0x72, 0x67,
};

AsnEncodedData asnData = new AsnEncodedData(
    new Oid("2.5.29.17"),
    sanExtension);

string s = asnData.Format(false);
// Windows says: "DNS Name=example.org, DNS Name=sub.example.org, DNS Name=*.sub.example.org"
// X-Plat (OpenSSL) says: "DNS:example.org, DNS:sub.example.org, DNS:*.sub.example.org".
// This keeps the parsing generalized until we can get them to converge
string[] parts = s.Split(new[] { ':', '=', ',' }, StringSplitOptions.RemoveEmptyEntries);
// Parts is now { header, data, header, data, header, data }.
string[] output = new string[parts.Length / 2];

for (int i = 0; i < output.Length; i++)
{
    output[i] = parts[2 * i + 1];
}