[Help-gnutls] Checking hostname against certificate
Nikos Mavroyanopoulos
nmav at gnutls.org
Wed Feb 6 15:07:48 CET 2002
On Mon, 28 Jan 2002 19:29:36 +0000 Andrew McDonald <andrew at mcdonald.org.uk> wrote:
> > This function was never tested.. Please, send me the certificate that
> > contains the dnsname, email extensions, so I can give it a test (and a fix).
> > > 2.5.29.17 is the OID for an AltName extension. How does
> > > _gnutls_get_extension know you want the dNSName?
> > it does not :)
> Ah. Good. I was a bit worried that I couldn't see how it could possibly
> do what it was supposed to. :-)
I've just committed a corrected function. The prototype is now:
typedef enum GNUTLS_X509_SUBJECT_ALT_NAME {
GNUTLS_SAN_DNSNAME=1, GNUTLS_SAN_RFC822NAME,
GNUTLS_SAN_URI, GNUTLS_SAN_IPADDRESS
} GNUTLS_X509_SUBJECT_ALT_NAME;
/**
* gnutls_x509_extract_subject_alt_name - This function returns the peer's alt name, if any
* @cert: should contain an X.509 DER encoded certificate
* @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
* @type: Holds the alternative's name type
* @ret: is the place where dns name will be copied to
* @ret_size: holds the size of ret.
*
* This function will return the alternative name (the dns part of it), contained in the
* given certificate.
*
* This is specified in X509v3 Certificate Extensions.
* GNUTLS will return the Alternative name, or a negative
* error code.
* Returns GNUTLS_E_MEMORY_ERROR if ret_size is not enough to hold the alternative name,
* or the size of alternative name if everything was ok.
*
* If the certificate does not have an Alternative name then returns GNUTLS_E_DATA_NOT_AVAILABLE;
*
**/
int gnutls_x509_extract_subject_alt_name(const gnutls_datum * cert, int seq, GNUTLS_X509_SUBJECT_ALT_NAME* type,
	char *ret, int *ret_size);
I know this is more complex... but subjectAltName extension is also a complex one :)
> Regards,
>
>
> Andrew
> --
> Andrew McDonald
> E-mail: andrew at mcdonald.org.uk
> http://www.mcdonald.org.uk/andrew/
>
--
Nikos Mavroyanopoulos
mailto:nmav at gnutls.org
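
The hostname check that the sequence-numbered prototype above makes possible, as an added example that is not part of the original message and is not GnuTLS code. `extract_alt_name`, `struct san`, the error values and the sample names are constructed stand-ins that follow the seq/type/ret/ret_size contract from the doc comment; the left-most-label wildcard rule and the embedded-NUL check go beyond what the post states.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-ins for the names in the post; not GnuTLS's own code. */
enum { SAN_DNSNAME = 1, SAN_RFC822NAME, SAN_URI, SAN_IPADDRESS };
enum { E_MEMORY_ERROR = -1, E_DATA_NOT_AVAILABLE = -2 }; /* placeholder values */
struct san { int type; const char *value; };
static const struct san sample_cert[] = {   /* constructed sample alt names */
    { SAN_RFC822NAME, "admin@example.org" },
    { SAN_DNSNAME, "www.example.org" }, { SAN_DNSNAME, "*.cdn.example.org" },
};

/* Hypothetical accessor following the seq/type/ret/ret_size contract above. */
static int extract_alt_name(const struct san *c, int n, int seq,
                            int *type, char *ret, int *ret_size) {
    if (seq < 0 || seq >= n) return E_DATA_NOT_AVAILABLE;
    int len = (int)strlen(c[seq].value);
    if (len + 1 > *ret_size) return E_MEMORY_ERROR;
    memcpy(ret, c[seq].value, (size_t)len + 1);
    *type = c[seq].type; *ret_size = len;
    return len;
}

/* Case-insensitive match; "*." may only stand for the whole left-most label. */
static int name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot && dot != host && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Walk the alt names by sequence number; only dNSName entries may match. */
int hostname_in_cert(const struct san *c, int n, const char *host) {
    char buf[256];
    for (int seq = 0; ; seq++) {
        int type = 0, size = (int)sizeof buf;
        int rc = extract_alt_name(c, n, seq, &type, buf, &size);
        if (rc == E_DATA_NOT_AVAILABLE) return 0;          /* ran out of entries */
        if (rc < 0 || (size_t)rc != strlen(buf)) continue; /* error or embedded NUL */
        if (type == SAN_DNSNAME && name_matches(buf, host)) return 1;
    }
}

int main(void) {
    printf("%d\n", hostname_in_cert(sample_cert, 3, "img.cdn.example.org"));
}
```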