dsully / perl-crypt-openssl-x509

Perl interface to OpenSSL's X509 module.

IP addresses in certificates' altName should be decoded #117

Open tlhackque opened 2 months ago

tlhackque commented 2 months ago

Description

IP addresses can be encoded in subjectAltNames, but are in a binary format where distinguishing IPv4 from IPv6 requires using the value's length.

This isn't convenient, especially for humans.

Expected behaviour

The decoding should be done by Crypt::OpenSSL::X509. A sample certificate with ipAddresses is attached.

Actual behaviour

Binary, as described.

Attached patch incorporates #116 and provides both formats: iPAddress and iPAddress_txt, so it is compatible with any existing users of the binary format.

The text format for IPv6 does not use compression (to produce the short - :: - form). There are many utilities (such as Net::IP) that can do that, and the uncompressed form is legal.

Step by step guide to reproducing the issue

perl -MCrypt::OpenSSL::X509 -MData::Dumper -e'$Data::Dumper::Useqq=1; print Dumper( Crypt::OpenSSL::X509->new_from_file("ipacert.pem")->subjectaltname)'
$VAR1 = [
          {
            "dNSName" => "example.net"
          },
          {
            "iPAddress_txt" => "192.0.0.1",
            "iPAddress" => "\300\0\0\1"
          },
          {
            "iPAddress_txt" => "192.0.0.2",
            "iPAddress" => "\300\0\0\2"
          },
          {
            "iPAddress_txt" => "2001:db8:123:0:0:0:0:4",
            "iPAddress" => " \1\r\270\1#\0\0\0\0\0\0\0\0\0\4"
          },
          {
            "iPAddress_txt" => "2001:2b8:123:0:0:0:0:5",
            "iPAddress" => " \1\2\270\1#\0\0\0\0\0\0\0\0\0\5"
          }
        ];

Attached files Crypt_OpenSSL_X509_subjectaltnameIP.patch

ipacert.pem
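The length-based decoding described above, written out as an added example (not code from the issue, the attached patch, or Crypt::OpenSSL::X509 itself). The sub name ip_txt is an assumption, and the entries are constructed from the Dumper output quoted in the issue rather than read from ipacert.pem, so it runs without the attached certificate; an octet string that is neither 4 nor 16 bytes is rejected rather than guessed at.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Convert the binary iPAddress value from subjectaltname() into text.
# IPv4 is 4 octets, IPv6 is 16 octets; any other length is malformed.
# IPv6 is rendered uncompressed, the same form as the patch's iPAddress_txt.
sub ip_txt {
    my ($bin) = @_;
    my $len = length $bin;
    if ($len == 4) {
        return join '.', unpack 'C4', $bin;          # dotted quad
    }
    if ($len == 16) {
        # eight big-endian 16-bit groups, lowercase hex, no leading zeros
        return join ':', map { sprintf '%x', $_ } unpack 'n8', $bin;
    }
    die sprintf "iPAddress has unexpected length %d (expected 4 or 16)\n", $len;
}

# Constructed sample entries mirroring the issue's Dumper output.
my @entries = (
    { dNSName   => 'example.net' },
    { iPAddress => "\300\0\0\1" },
    { iPAddress => "\300\0\0\2" },
    { iPAddress => " \1\r\270\1#\0\0\0\0\0\0\0\0\0\4" },
    { iPAddress => " \1\2\270\1#\0\0\0\0\0\0\0\0\0\5" },
);

for my $e (@entries) {
    if (exists $e->{iPAddress}) {
        printf "iPAddress %s\n", ip_txt($e->{iPAddress});
    }
    else {
        my ($type) = keys %$e;
        printf "%s %s\n", $type, $e->{$type};
    }
}
```

With the unpatched module the same sub can be applied to each iPAddress value returned by subjectaltname(); with the patched module the iPAddress_txt key already carries this text form.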

timlegge commented 2 months ago

I have modified your patch and sent a PR that outputs:

$VAR1 = [
          {
            "dNSName" => "example.net"
          },
          {
            "iPAddress" => "192.0.0.1"
          },
          {
            "iPAddress" => "192.0.0.2"
          },
          {
            "iPAddress" => "2001:db8:123:0:0:0:0:4"
          },
          {
            "iPAddress" => "2001:2b8:123:0:0:0:0:5"
          }
        ];