[gnutls-dev] non-ASCII ASN.1 string types

Joe Orton joe at manyfish.co.uk
Sun Oct 17 16:26:27 CEST 2004


On Sun, Oct 17, 2004 at 03:03:57PM +0200, Nikos Mavrogiannopoulos wrote:
> On Sunday 17 October 2004 13:55, Joe Orton wrote:
> 
> > Well I guess the interface is simply not flexible enough for this to be
> > decided by the app, where ultimately it should be.  I have no need for
> > 2253-style formatting in neon, I'd prefer to be able to skip RDNs which
> > I can't produce human-readable strings from than show random hex strings
> > to the user.
> Well UCS-2 and UCS-4 certificates are quite rare to come by so in most of the
> cases you have a readable string. 
> 
> > Ah, yes, I couldn't work out at all what _get_dn_oid was putting the
> > passed-in buffer.  Can you explain how the OIDs are formatted in the
> > buffer, or give an example of how I'd do this?
> I don't have an example but in brief you call _get_dn_oid() using a counter
> for index. For value 0 of the counter you get the first OID, which will be 
> something like 1.2.3.4.5 (null terminated string).

So the void *oid parameter is really just supposed to be a preallocated
char array into which the OID is written out as a NUL-terminated dotted
decimal string?  For me it doesn't seem to put anything in the oid
buffer at all, it just updates the length parameter.  Am I doing
something wrong?  The lengths look right if they don't include the NUL
terminator, from countryName -> strlen(2.5.4.6) == 7 to emailAddress ->
strlen(1.2.840.113549.1.9.1) == 20.

The scratch code I'm trying is below:

    int ret, idx = 0;

    do {
        char oid[32] = {0};
        size_t oidlen = sizeof oid;
        
        ret = name->subject 
            ? gnutls_x509_crt_get_dn_oid(name->cert, idx, oid, &oidlen)
            : gnutls_x509_crt_get_issuer_dn_oid(name->cert, idx, oid, &oidlen);
        
        if (ret == 0) {
            NE_DEBUG(NE_DBG_SSL, "got oid idx %d, len = %u: [%.*s]: ", 
                     idx, oidlen, (int)oidlen, oid);
            NE_DEBUG(NE_DBG_SSL, "oid[0..3] is 0x%x 0x%x 0x%x 0x%x\n",
                     ((int)oid[0]),
                     ((int)oid[1]),
                     ((int)oid[2]),
                     ((int)oid[3]));
            idx++;
        }
    } while (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);

the debugging output is:

got oid idx 0, len = 7: []: oid[0..3] is 0x0 0x0 0x0 0x0
got oid idx 1, len = 7: []: oid[0..3] is 0x0 0x0 0x0 0x0
got oid idx 2, len = 7: []: oid[0..3] is 0x0 0x0 0x0 0x0
got oid idx 3, len = 8: []: oid[0..3] is 0x0 0x0 0x0 0x0
got oid idx 4, len = 8: []: oid[0..3] is 0x0 0x0 0x0 0x0
got oid idx 5, len = 7: []: oid[0..3] is 0x0 0x0 0x0 0x0
got oid idx 6, len = 20: []: oid[0..3] is 0x0 0x0 0x0 0x0




More information about the Gnutls-dev mailing list