[Help-gnutls] Verifying subjectAltNames

Matthias Wimmer m at tthias.eu
Fri Jan 26 02:26:47 CET 2007


I am trying to find out how to verify subjectAltNames using GnuTLS. For 
that I need to check the id-on-xmppAddr as a UTF8String inside a 
otherName entity which again is inside this subjectAltName extension. 
(This is needed by a server implementation of RFC 3920 which I am 
porting from OpenSSL to GnuTLS.)

I first tried to do this using gnutls_x509_crt_get_subject_alt_name(), as 
the comments on this function say:
"GNUTLS will return the Alternative name (, or a negative error 

This does not seem to be true, as this function does not return the complete 
subjectAltName data, but only parts of it (the hostname). When trying to 
read id-on-xmppAddr data inside otherName, GnuTLS just returns an error. 
I would highly recommend that the function description be adapted to note 
that this function cannot be used to access arbitrary subjectAltName 
extensions.

So I tried to use gnutls_x509_crt_get_extension_by_oid() which returns 
me the subjectAltName extension, that contains what I am looking for. 
The question now is: does GnuTLS support me processing the returned DER 
data, or do I have to use libtasn for further processing?

Thank you for any feedback
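
The parsing step the post asks about, as an added example that is not part of the original message and not GnuTLS or libtasn1 code: a small hand-written DER walk over the raw SubjectAltName extension value (the bytes gnutls_x509_crt_get_extension_by_oid() returns for OID 2.5.29.17), which picks out every otherName whose type-id is id-on-xmppAddr (1.3.6.1.5.5.7.8.5) and copies the UTF8String out. Function and constant names (der_tlv, san_get_xmpp_addrs, SAN_MAX_ADDR, SAMPLE_SAN) and the sample extension bytes (a dNSName, an id-on-dnsSRV otherName that must be skipped, and one xmppAddr) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* DER content of OID 1.3.6.1.5.5.7.8.5 (id-on-xmppAddr, RFC 3920 5.1.1). */
static const unsigned char OID_XMPP_ADDR[] = { 0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x05 };

#define SAN_MAX_ADDR 256   /* assumed upper bound for one copied address */

/* Read one TLV header at p: fills tag, header length and value length.
   Returns -1 if the header is malformed or the value runs past len. */
static int der_tlv(const unsigned char *p, size_t len,
                   unsigned char *tag, size_t *hlen, size_t *vlen)
{
    size_t i, n;
    if (len < 2) return -1;
    *tag = p[0];
    if (p[1] < 0x80) {                 /* short-form length */
        *hlen = 2;
        *vlen = p[1];
    } else {                           /* long form: 0x8n then n length bytes */
        n = p[1] & 0x7F;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n) return -1;
        *vlen = 0;
        for (i = 0; i < n; i++) *vlen = (*vlen << 8) | p[2 + i];
        if (*vlen < 0x80) return -1;   /* DER requires the minimal encoding */
        *hlen = 2 + n;
    }
    if (*vlen > len - *hlen) return -1;
    return 0;
}

/* Walk GeneralNames (the SubjectAltName extension value) and copy every
   otherName whose type-id is id-on-xmppAddr into out[]. Returns the number
   of xmppAddr entries seen (copies at most max of them), or -1 on malformed
   DER or on an address containing a NUL byte. Other GeneralName choices and
   otherNames with a different OID are skipped, not treated as errors. */
int san_get_xmpp_addrs(const unsigned char *der, size_t len,
                       char out[][SAN_MAX_ADDR], int max)
{
    unsigned char tag, t;
    size_t h, v, pos, end, gh, gv, oh, ov, wh, wv, sh, sv;
    int found = 0;

    if (der_tlv(der, len, &tag, &h, &v) != 0 || tag != 0x30) return -1;
    pos = h; end = h + v;

    while (pos < end) {
        if (der_tlv(der + pos, end - pos, &tag, &gh, &gv) != 0) return -1;
        if (tag == 0xA0) {             /* [0] otherName ::= SEQUENCE { OID, [0] EXPLICIT ANY } */
            const unsigned char *on = der + pos + gh;
            if (der_tlv(on, gv, &t, &oh, &ov) != 0 || t != 0x06) return -1;
            if (ov == sizeof OID_XMPP_ADDR && memcmp(on + oh, OID_XMPP_ADDR, ov) == 0) {
                const unsigned char *w = on + oh + ov;  /* the [0] EXPLICIT wrapper */
                if (der_tlv(w, gv - oh - ov, &t, &wh, &wv) != 0 || t != 0xA0) return -1;
                if (der_tlv(w + wh, wv, &t, &sh, &sv) != 0 || t != 0x0C) return -1; /* UTF8String */
                /* An embedded NUL would let a C string compare see a shorter name. */
                if (sv >= SAN_MAX_ADDR || memchr(w + wh + sh, 0, sv) != NULL) return -1;
                if (found < max) {
                    memcpy(out[found], w + wh + sh, sv);
                    out[found][sv] = '\0';
                }
                found++;
            }
        }
        pos += gh + gv;
    }
    return found;
}

/* Constructed sample SubjectAltName value (89 bytes):
   SEQUENCE { dNSName "example.com",
              otherName { id-on-dnsSRV, IA5String "_xmpp-server.example.com" },
              otherName { id-on-xmppAddr, UTF8String "juliet@example.com" } } */
const unsigned char SAMPLE_SAN[] = {
    0x30,0x57,
    /* [2] dNSName "example.com" */
    0x82,0x0B, 0x65,0x78,0x61,0x6D,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,
    /* [0] otherName: OID 1.3.6.1.5.5.7.8.7, [0] { IA5String } */
    0xA0,0x26, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x07,
    0xA0,0x1A, 0x16,0x18, 0x5F,0x78,0x6D,0x70,0x70,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,
                          0x2E,0x65,0x78,0x61,0x6D,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,
    /* [0] otherName: OID 1.3.6.1.5.5.7.8.5, [0] { UTF8String } */
    0xA0,0x20, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x05,
    0xA0,0x14, 0x0C,0x12, 0x6A,0x75,0x6C,0x69,0x65,0x74,0x40,0x65,0x78,0x61,0x6D,0x70,
                          0x6C,0x65,0x2E,0x63,0x6F,0x6D
};
const size_t SAMPLE_SAN_LEN = sizeof SAMPLE_SAN;

int main(void)
{
    char addrs[4][SAN_MAX_ADDR];
    int i, n = san_get_xmpp_addrs(SAMPLE_SAN, SAMPLE_SAN_LEN, addrs, 4);
    if (n < 0) { puts("malformed subjectAltName"); return 1; }
    for (i = 0; i < n && i < 4; i++) printf("xmppAddr: %s\n", addrs[i]);
    return 0;
}
```

In a real server the input buffer would come from gnutls_x509_crt_get_extension_by_oid() on the peer certificate, after the certificate chain itself has been verified; the walk above only answers "which XMPP addresses does this certificate assert", and the caller still has to compare the result against the stream's expected JID domain. The length checks in der_tlv and the rejection of embedded NUL bytes are the parts worth keeping whatever parser is used.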
