[Help-gnutls] Re: Verifying subjectAltNames

Simon Josefsson simon at josefsson.org
Fri Jan 26 16:35:45 CET 2007 

Matthias Wimmer <m at tthias.eu> writes:

> Hi!
>
> I am trying to find out how to verify subjectAltNames using
> GnuTLS. For that I need to check the id-on-xmppAddr as a UTF8String
> inside a otherName entity which again is inside this subjectAltName
> extension. (This is needed by a server implementation of RFC 3920
> which I am porting from OpenSSL to GnuTLS.)
>
> I first tried to do this using gnutls_x509_crt_get_subject_alt_name()
> is the comments on this function tell:
> "GNUTLS will return the Alternative name (2.5.29.17), or a negativ
> error code."
>
> This does not seem to be true, as this function does not return
> complete subjectAltName data, but only parts of it (the
> hostname). When trying to read id-on-xmppAddr data inside otherName,
> GnuTLS just returns an error. I would highly recomment, that the
> function description should be adopted to note, that this function
> cannot be used to access arbitrary subjectAltName extensions.

Hi!  I think we should improve gnutls_x509_crt_get_subject_alt_name()
here -- it doesn't support otherName SAN's, which is what RFC 3920 is
using.  I'd expect that you got the GNUTLS_E_X509_UNKNOWN_SAN error?

> So I tried to use gnutls_x509_crt_get_extension_by_oid() which returns
> me the subjectAltName extension, that contains what I am looking
> for. The question now is: does GnuTLS support me processing the
> returned DER data, or do I have to use libtasn for further processing?

No, GnuTLS doesn't support that.  Using libtasn1 to do this is
possible, but it is easier to add the functionality to GnuTLS itself.

I'm not sure what a good API would be, maybe you could suggest
something?  What is missing is a field to return the OID of the
otherName data.  Perhaps we could add a function like:

int
gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert,
                                       unsigned int seq,
                                       void *ret,
                                       size_t * ret_size,
                                       void *oid,
                                       size_t *oid_size,
                                       unsigned int *critical)

If the SAN is an otherName, it would return the OID.

A problem with this API is that an GNUTLS_E_SHORT_MEMORY_BUFFER error
could mean that either the RET or the OID variable was too small.  I
think this API is a bad idea, but I'm not sure what a better one could
be.

What would the simplest API be for you?  Maybe one that searched
through the entire SAN for a particular otherName OID?

int
gnutls_x509_crt_search_san_othername (gnutls_x509_crt_t cert,
                                      const char *oid,
                                      unsigned int seq,
                                      void *ret,
                                      size_t * ret_size,
                                      unsigned int *critical)

It is not completely flexible, but it may be simpler for you.

/Simon

More information about the Gnutls-help mailing list