[Help-gnutls] Re: Verifying subjectAltNames

Simon Josefsson simon at josefsson.org
Mon Feb 12 14:54:11 CET 2007


Matthias Wimmer <m at tthias.eu> writes:

> Ah okay, I did not read this paragraph the first time. I think it
> should be stripped as it is also stripped when non-otherName values
> are returned.

I agree, and I have changed this.  Data for known otherName OIDs
should now be decoded.  In the future, it won't be possible to decode
all data, I think, since they may be structured, but we'll handle that
problem when it comes to it.  This data happened to be non-structured.

'certtool -i' on the jabber.org XMPP certificate will now say:

                Subject Alternative Name (not critical):
                        XMPP Address: jabber.org
                        DNSname: jabber.org
                        DNSname: *.jabber.org

Which seems quite nice.  The relevant code is in lib/x509/output.c:

      err = gnutls_x509_crt_get_subject_alt_name (cert, san_idx,
						  buffer, &size, NULL);
      if (err < 0)
...
      switch (err)
	{
...
	case GNUTLS_SAN_OTHERNAME:
...
	    err = gnutls_x509_crt_get_subject_alt_othername_oid
	      (cert, san_idx, oid, &oidsize);
	    if (err < 0)
...

	    if (err == GNUTLS_SAN_OTHERNAME_XMPP)
	      addf (str, "\t\t\tXMPP Address: %.*s\n", size, buffer);
	    else
	      {
		addf (str, "\t\t\totherName OID: %.*s\n", oidsize, oid);
		addf (str, "\t\t\totherName DER: ");
		hexprint (str, buffer, size);
		addf (str, "\n\t\t\totherName ASCII: ");
		asciiprint (str, buffer, size);
		addf (str, "\n");
	      }

/Simon
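As an added example (not gnutls code, and not the real bytes of the jabber.org certificate), here is a stand-alone DER walker for a SubjectAltName extension value. It shows the unwrapping step the thread is about: a dNSName comes back as a bare IA5String, while an otherName value is itself a tagged DER element (for xmppAddr, a UTF8String) that has to be stripped to its payload before it can be printed next to the DNS names, and an otherName with an unknown OID is left as raw DER. The id-on-xmppAddr OID 1.3.6.1.5.5.7.8.5 is taken from RFC 3920, not from the mail; the sample extension bytes and the function names are constructed here.

```python
# Added example (not gnutls code): a stand-alone DER walker for the
# SubjectAltName extension value. It decodes [2] dNSName and [0] otherName,
# unwrapping a known otherName (xmppAddr) to its UTF8String payload and
# reporting an unknown one as raw DER hex, like the two branches in output.c.
from typing import List, Tuple

# id-on-xmppAddr; value taken from RFC 3920 section 5.1.1 (assumption: not stated in the mail).
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER content")
    return tag, content, pos + length


def _decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_subject_alt_name(ext_value: bytes) -> List[Tuple[str, str]]:
    """Walk GeneralNames (SEQUENCE OF GeneralName) and return (label, value) pairs."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0x82:                    # [2] IMPLICIT IA5String: already a bare string
            entries.append(("DNSname", content.decode("ascii")))
        elif tag == 0xA0:                  # [0] OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            oid_tag, oid_bytes, p = _read_tlv(content, 0)
            val_tag, value_der, _ = _read_tlv(content, p)
            if oid_tag != 0x06 or val_tag != 0xA0:
                raise ValueError("malformed otherName")
            oid = _decode_oid(oid_bytes)
            if oid == ID_ON_XMPPADDR:
                # Known OID: strip the UTF8String tag/length so the result matches a dNSName.
                inner_tag, inner, _ = _read_tlv(value_der, 0)
                if inner_tag != 0x0C:
                    raise ValueError("xmppAddr value is not a UTF8String")
                entries.append(("XMPP Address", inner.decode("utf-8")))
            else:
                # Unknown OID: the value may be structured, so keep the raw DER.
                entries.append(("otherName " + oid, value_der.hex()))
        else:
            entries.append(("unhandled GeneralName tag 0x%02x" % tag, content.hex()))
    return entries


def render_certtool_style(entries: List[Tuple[str, str]], critical: bool = False) -> str:
    """Format entries the way the mail shows 'certtool -i' printing them."""
    lines = ["\t\tSubject Alternative Name (%s):" % ("critical" if critical else "not critical")]
    lines += ["\t\t\t%s: %s" % (label, value) for label, value in entries]
    return "\n".join(lines) + "\n"


# --- builders for constructed sample input (made up here, not the real jabber.org certificate) ---
def _tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 128, "short-form length is enough for these samples"
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID to OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_othername(oid: str, utf8_value: str) -> bytes:
    """[0] otherName carrying a UTF8String value under the given OID."""
    return _tlv(0xA0, _tlv(0x06, _encode_oid(oid)) + _tlv(0xA0, _tlv(0x0C, utf8_value.encode("utf-8"))))


def build_sample_san() -> bytes:
    """Constructed SAN with the same three entries the mail shows for jabber.org."""
    return _tlv(0x30, build_othername(ID_ON_XMPPADDR, "jabber.org")
                + _tlv(0x82, b"jabber.org") + _tlv(0x82, b"*.jabber.org"))


if __name__ == "__main__":
    print(render_certtool_style(parse_subject_alt_name(build_sample_san())), end="")
```

Running the script prints the same three lines as the certtool output quoted above. Feeding `build_othername("1.2.3.4", "x")` through the parser instead shows the unknown-OID branch: the value is reported as the hex `0c0178`, i.e. the UTF8String tag and length are still in front of the payload, which is exactly what a caller would have seen for xmppAddr before the stripping change.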