[Help-gnutls] Re: Verifying subjectAltNames
Matthias Wimmer
m at tthias.eu
Fri Jan 26 22:03:04 CET 2007
Simon Josefsson schrieb:
> Hi! I think we should improve gnutls_x509_crt_get_subject_alt_name()
> here -- it doesn't support otherName SAN's, which is what RFC 3920 is
> using. I'd expect that you got the GNUTLS_E_X509_UNKNOWN_SAN error?
Yes, that's what I got.
>> So I tried to use gnutls_x509_crt_get_extension_by_oid() which returns
>> me the subjectAltName extension, that contains what I am looking
>> for. The question now is: does GnuTLS support me processing the
>> returned DER data, or do I have to use libtasn for further processing?
>
> No, GnuTLS doesn't support that. Using libtasn1 to do this is
> possible, but it is easier to add the functionality to GnuTLS itself.
For me as a library user anyway :-) I don't usurp to use libtasn1 directly.
> I'm not sure what a good API would be, maybe you could suggest
> something?
Well for my purpose / the purpose of using GnuTLS for XMPP (RFC 3920)
the best would be to have a higher level function like
gnutls_x509_crt_check_hostname(), e.g. gnutls_x509_crt_check_jid() where
instead of a hostname, a JID (= XMPP address) is passed in.
If the JID contains an '@' or '/' sign, the JID is only checked against
the id-on-xmppAddr. Else the JID is an IDN, which is checked (as UTF-8
value) against the id-on-xmppAddr or (after punycode-encoding) against
dNSName. If neither id-on-xmppAddr nor dNSName is present in the
certificate, a check against CN is done.
But sure this is only a solution for XMPP, and it might be good to have
an interface to access arbitrary otherNames ...
> What is missing is a field to return the OID of the
> otherName data. Perhaps we could add a function like:
>
> int
> gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert,
>                                        unsigned int seq,
>                                        void *ret,
>                                        size_t *ret_size,
>                                        void *oid,
>                                        size_t *oid_size,
>                                        unsigned int *critical)
>
> If the SAN is an otherName, it would return the OID.
Maybe gnutls_x509_crt_get_subject_alt_name() could return an error code
indicating that it is an otherName. In that case the user could have
two functions: one to get the OID of the otherName, and another to get
the value!?
> What would the simplest API be for you? Maybe one that searched
> through the entire SAN for a particular otherName OID?
The best API for me would be the one I described above. But a function
that allows me to check for otherName/id-on-xmppAddr extensions would be
okay for me as well.
Matthias
--
Matthias Wimmer Fon +49-700 77 00 77 70
Züricher Str. 243 Fax +49-89 95 89 91 56
81476 München http://ma.tthias.eu/
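The JID-matching rule proposed in the message above (full JID only against id-on-xmppAddr; bare domain against id-on-xmppAddr as UTF-8 or against dNSName after punycode-encoding; CN only when neither SAN type is present) is worked through here as an added example. It is not GnuTLS code and not part of the original thread: the certificate identities are a constructed in-memory view of the values the discussed get-OID / get-value functions would return, and the `CertIdentity`, `identity_from_san` and `check_jid` names are hypothetical. The id-on-xmppAddr OID used is the one registered for RFC 3920.

```python
"""Added example: the XMPP JID verification rule from the mailing-list
message, modelled over a constructed list of SAN entries. Not GnuTLS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OID of id-on-xmppAddr (RFC 3920): the otherName type that carries a JID.
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"


@dataclass
class CertIdentity:
    """Constructed view of the identity-bearing parts of a certificate."""
    xmpp_addrs: List[str]   # otherName id-on-xmppAddr values, UTF-8 strings
    dns_names: List[str]    # dNSName SAN entries (ASCII / punycode form)
    cn: Optional[str]       # subject CN, consulted only as a last resort


def identity_from_san(san: List[Tuple], cn: Optional[str]) -> CertIdentity:
    """Build a CertIdentity from constructed SAN tuples, mirroring what a
    get-OID / get-value pair of library functions would hand back.
    Tuples are ("dNSName", value) or ("otherName", oid, utf8_value);
    otherNames with an OID other than id-on-xmppAddr are ignored."""
    xmpp, dns = [], []
    for entry in san:
        if entry[0] == "dNSName":
            dns.append(entry[1])
        elif entry[0] == "otherName" and entry[1] == ID_ON_XMPPADDR:
            xmpp.append(entry[2])
    return CertIdentity(xmpp_addrs=xmpp, dns_names=dns, cn=cn)


def to_ascii_domain(domain: str) -> str:
    """Punycode-encode an IDN for comparison with dNSName / CN. Python's
    idna codec applies nameprep (incl. case folding) to non-ASCII labels;
    pure-ASCII labels pass through unchanged, so lower-case explicitly."""
    return domain.encode("idna").decode("ascii").lower()


def check_jid(cert: CertIdentity, jid: str) -> bool:
    """Return True if the certificate asserts the given JID."""
    if "@" in jid or "/" in jid:
        # Full JID (node and/or resource present): only id-on-xmppAddr
        # may assert it; dNSName and CN never match a full JID.
        return jid in cert.xmpp_addrs

    # Bare domain JID: exact UTF-8 match against id-on-xmppAddr first.
    if jid in cert.xmpp_addrs:
        return True

    # Then the punycode form against dNSName entries.
    wanted = to_ascii_domain(jid)
    if wanted in (to_ascii_domain(d) for d in cert.dns_names):
        return True

    # CN fallback only when the certificate carries neither SAN type.
    if not cert.xmpp_addrs and not cert.dns_names and cert.cn is not None:
        return to_ascii_domain(cert.cn) == wanted
    return False


if __name__ == "__main__":
    # Constructed sample certificate: an IDN domain asserted both as
    # id-on-xmppAddr (UTF-8) and as dNSName (punycode).
    sample = identity_from_san(
        [("otherName", ID_ON_XMPPADDR, "münchen.example"),
         ("dNSName", "xn--mnchen-3ya.example")],
        cn="ignored.example")
    for jid in ["münchen.example", "user@münchen.example", "other.example"]:
        print(f"{jid!r:32} -> {check_jid(sample, jid)}")
```

The helper deliberately drops otherNames with unknown OIDs instead of failing, which is the behaviour the thread wants from a library function that returns the OID alongside the value: the caller decides which otherName types it understands.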