X509 Subject Formatting

Problem this snippet solves: TMOS v12.1.4.1 and v13 have a change where the output of X509::subject is formatted to match OpenSSL output. See https://cdn.f5.com/product/bugtracker/ID607410.html ...
Published Oct 18, 2019
Version 1.0
application delivery
iRules
TMOS
X509 SSL
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Feb 24, 2020

Hi  , I had the same requirement and it seems the change is the following:

<= TMOS v12 is CN=LASTNAME\, FIRSTNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US

>= TMOS v13 is C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN="LASTNAME, FIRSTNAME"

So differences are:

  • Reverse Ordered elements (full reverse may be better than defining the order in the irule)
  • space after comma separator
  • double quotes around fields with special characters (like comma)
  • unescaped special character between double quotes

I wrote following procs to manage conversion from v12 to v13 and from v13 to v12 :

proc subject_v13_to_v12 {subject_openssl} {
    # Create the empty subject
    set new_subject ""
    # For each subject element, do the following actions:
    # - remove double quotes arround the value
    # - escape the comma character
    # - remove space around comma separator
    # Insert the value at the begining of the subject (to reverse order)
    foreach {type value} [ split  [regsub -all {(".*?),(.*?")} $subject_openssl "\\1--COMMA--\\2"] ",=" ] {
        set new_subject "{[string trim $type]=[string trim [string map {"--COMMA--" "\\," "+" "\\+" "\\" "\\\\" "<" "\\<" ">" "\\>" ";" "\\;" } [string trim $value {"}]]]} $new_subject"
    }
    # Return the joined values with comma
    return [join  $new_subject ","]
}
proc subject_v12_to_v13 {subject_rfc2253} {
    # Create the empty subject
    set new_subject ""
    # For each subject element, do the following actions:
    # - add double quotes arround the value
    # - unescape the comma character
    # - Add space around comma separator
    # Insert the value at the begining of the subject (to reverse order)
    foreach {type value} [ split  [string map {"\\," "--COMMA--"} $subject_rfc2253] ",=" ] {
        set new_subject "{[string trim $type]=[expr {[string match "*--COMMA--*" $value] ? "\"[string trim [string map {"--COMMA--" ","} $value]]\""  : [string trim $value] }]} $new_subject"
    }
    # Return the joined values with comma and space
    return [join  $new_subject ", "]
}

I got the following results:

 subject_v12_to_v13 {CN=F5lab\, local,OU=TEST,O=Foo,L=Bar,ST=London\, City of,C=GB}
C=GB, ST="London, City of", L=Bar, O=Foo, OU=TEST, CN="F5lab, local"
 
% subject_v13_to_v12 {C=GB, ST="London, City of", L=Bar, O=Foo, OU=TEST, CN="F5lab, local"}
CN=F5lab\, local,OU=TEST,O=Foo,L=Bar,ST=London\, City of,C=GB