[Help-gnutls] Re: Verifying subjectAltNames

Simon Josefsson simon at josefsson.org
Mon Feb 12 14:54:11 CET 2007

Matthias Wimmer <m at tthias.eu> writes:

> Ah okay, I did not read this paragraph the first time. I think it
> should be stripped as it is also stripped when non-otherName values
> are returned.

I agree, and I have changed this.  Data for known otherName OIDs
should now be decoded.  In the future, it won't be possible to decode
all data, I think, since they may be structured, but we'll handle that
problem when it comes to it.  This data happened to be non-structured.

'certtool -i' on the jabber.org XMPP certificate will now say:

                Subject Alternative Name (not critical):
                        XMPP Address: jabber.org
                        DNSname: jabber.org
                        DNSname: *.jabber.org

Which seems quite nice.  The relevant code is in lib/x509/output.c:

      err = gnutls_x509_crt_get_subject_alt_name (cert, san_idx,
                                                  buffer, &size, NULL);
      if (err < 0)
        return;                 /* error path elided in this snippet */

      switch (err)
        {
        case GNUTLS_SAN_DNSNAME:
          addf (str, "\t\t\tDNSname: %.*s\n", size, buffer);
          break;

        case GNUTLS_SAN_OTHERNAME:
          /* Fetch the otherName type-id so that known OIDs can be decoded. */
          err = gnutls_x509_crt_get_subject_alt_othername_oid
            (cert, san_idx, oid, &oidsize);
          if (err < 0)
            return;             /* error path elided in this snippet */

          if (err == GNUTLS_SAN_OTHERNAME_XMPP)
            addf (str, "\t\t\tXMPP Address: %.*s\n", size, buffer);
          else
            {
              /* Unknown OID: show the OID and dump the raw value. */
              addf (str, "\t\t\totherName OID: %.*s\n", oidsize, oid);
              addf (str, "\t\t\totherName DER: ");
              hexprint (str, buffer, size);
              addf (str, "\n\t\t\totherName ASCII: ");
              asciiprint (str, buffer, size);
              addf (str, "\n");
            }
          break;
        }
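To make the decoding step above concrete outside of GnuTLS, here is an added
example (not code from GnuTLS or from this thread) that parses a
SubjectAltName GeneralNames value by hand, decodes the id-on-xmppAddr
otherName (OID 1.3.6.1.5.5.7.8.5, whose value is a UTF8String) the way
certtool now prints it, and then checks a host against the decoded names.
The DER input is constructed inline to mirror the jabber.org output quoted
above; the helper names (build_sample_san, parse_general_names,
san_matches) are my own.

```python
"""Decode an X.509 SubjectAltName (GeneralNames) DER value and verify a host.

Added example; the sample certificate data below is constructed, not taken
from a real certificate.
"""

XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr


# --- minimal DER encoding, used only to build the constructed sample --------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_sample_san():
    """GeneralNames { otherName xmppAddr "jabber.org", dNSName "jabber.org",
    dNSName "*.jabber.org" } -- constructed to match the certtool output."""
    xmpp_value = der(0xA0, der(0x0C, b"jabber.org"))        # [0] EXPLICIT UTF8String
    other_name = der(0xA0, encode_oid(XMPP_ADDR_OID) + xmpp_value)  # [0] otherName
    return der(0x30, other_name + der(0x82, b"jabber.org") + der(0x82, b"*.jabber.org"))


# --- decoding ---------------------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, value, next_pos); handles short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_general_names(san_der):
    """Return [(label, text)] in the order certtool prints them."""
    tag, body, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:                               # [0] otherName
            _, oid_raw, p = read_tlv(val, 0)          # type-id
            _, inner, _ = read_tlv(val, p)            # [0] EXPLICIT value
            oid = decode_oid(oid_raw)
            if oid == XMPP_ADDR_OID:
                vtag, vbody, _ = read_tlv(inner, 0)
                if vtag != 0x0C:                      # must be UTF8String
                    raise ValueError("xmppAddr value is not a UTF8String")
                names.append(("XMPP Address", vbody.decode("utf-8")))
            else:                                     # unknown OID: keep raw DER
                names.append(("otherName " + oid, inner.hex()))
        elif tag == 0x82:                             # [2] dNSName (IA5String)
            names.append(("DNSname", val.decode("ascii")))
        elif tag == 0x81:
            names.append(("RFC822name", val.decode("ascii")))
        elif tag == 0x86:
            names.append(("URI", val.decode("ascii")))
        else:
            names.append(("unknown tag 0x%02x" % tag, val.hex()))
    return names


def san_matches(names, host):
    """True if host equals an XMPP Address or a DNSname (one-label wildcard)."""
    host = host.lower()
    for label, value in names:
        value = value.lower()
        if label == "XMPP Address" and value == host:
            return True
        if label == "DNSname":
            if value == host:
                return True
            if value.startswith("*.") and "." in host and host.split(".", 1)[1] == value[2:]:
                return True
    return False


if __name__ == "__main__":
    for label, value in parse_general_names(build_sample_san()):
        print("\t\t\t%s: %s" % (label, value))
```

Running the block prints the same three lines certtool shows for the
jabber.org certificate; the `vtag != 0x0C` check is the part to keep in
mind when decoding otherName values, since a certificate could carry the
XMPP OID with a value type other than the expected UTF8String.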

