Getting Subject Alternate Names with Pkcs10CertificationRequest

Question

I\'m currently able to decode a CSR\'s values except for Requested Extensions, specifically X509v3 Subject Alternative Name. Here\'s the relevant part of my `

Answer 1

As requested in the comments, here's a Java version (with Bouncy Castle 1.57).

One detail is that I had to format your CSR to make it work (I couldn't read it when it's all in one line):

-----BEGIN CERTIFICATE REQUEST-----
MIIC1DCCAbwCAQAwXjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAO
BgNVBAcMB0F0bGFudGExDTALBgNVBAoMBFRlc3QxHDAaBgNVBAMME3d3dy50aGlz
aXNhdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFU4pX
LB3d8csjvRIkIdZfUF2m9sijtk1bqYohqVwYr3+OyDRkfRuTCni8RJS9VOcl6n5a
UiK27P4s5j9LqqfL0vS8B949P/ewb2ip2BGB1sEmxKcsEoZYNNEhMm9p7yNTAEqJ
/WN0N1CpKBFV1J/w6xiQy5tUyUe7C9c8DX6K1uhEDF9pfeTaCNxYBShm0JFuAIqn
6Z+RzbC7tdwc0KgN/bhx3bEvg8b0p/hgxd2veuUmB/fcIPsFawkGFPcQzLpSbc1V
b+zru40HAbRflyQckA3ZgRsa1OHsdiOyb8vpV7dUm4VHOm38bw2wVImRMfRtNZXr
L/WiWcGadtFV8nxXAgMBAAGgMTAvBgkqhkiG9w0BCQ4xIjAgMB4GA1UdEQQXMBWC
CHRlc3QuY29tggl0ZXN0Mi5jb20wDQYJKoZIhvcNAQELBQADggEBAKXxHlruiqtT
wB1Ov17K+mz03EidfecdW+9u8gcLdOOLKn5kCg6RuC0mCjGHvFGjE6ljFc5cyUFb
fdqzd8QXh1f3AgxveR+oq1wExJNr0Yl6kjVEdtndvHhSzUmZZ02EcPbIq/eY5KST
dKidjvIJMwTUtIyUQ71y/vSVn0YavvXYo/re57kC7chW/Ns/hZmHrZ6GvMWE9ea3
P3jOKPyXCULJlbQCjXc6CQJAkBlcKpvnW6kU2PjreDWzRMhzqZzUqhc6RsGzz84/
xwBsrYXfTj91FQd9+w15CYzBEJOv/Iz3CfVGb4s1+yUPVxgei2ezTjfQVcQgq4Cu
sRnDU5/7lmE=
-----END CERTIFICATE REQUEST-----

That's how I could read the attributes from the CSR:

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;

String csr = // Base 64 CSR
PemReader reader = new PemReader(new StringReader(csr));
PemObject object = reader.readPemObject();
reader.close();

PKCS10CertificationRequest req = new PKCS10CertificationRequest(object.getContent());

Attribute[] attributes = req.getAttributes();
for (Attribute at : attributes) {
    if ("1.2.840.113549.1.9.14".equals(at.getAttrType().getId())) { // extension request
        // there's a sequence inside another sequence
        DERSequence seq = (DERSequence) at.getAttrValues().getObjectAt(0);
        seq = (DERSequence) seq.getObjectAt(0);

        ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) seq.getObjectAt(0);
        if ("2.5.29.17".equals(oid.getId())) { // 2.5.29.17 = subject alternative name
            DEROctetString str = (DEROctetString) seq.getObjectAt(1);

            GeneralNames names = GeneralNames.getInstance(str.getOctets());
            System.out.println(names.toString());
        }
    }
}

The output is:

GeneralNames:
    2: test.com
    2: test2.com

The tag 2 is the dnsName (as stated by the RFC 5280).

PS: this code is a simple version that assumes there's only one attribute value (when I call at.getAttrValues().getObjectAt(0)). If there are more attributes, probably the getAttrValues() will have more elements and a loop will be better instead of just getting the first element.