[Help-gnutls] Re: Verifying subjectAltNames
m at tthias.eu
Fri Jan 26 22:03:04 CET 2007
Simon Josefsson schrieb:
> Hi! I think we should improve gnutls_x509_crt_get_subject_alt_name()
> here -- it doesn't support otherName SAN's, which is what RFC 3920 is
> using. I'd expect that you got the GNUTLS_E_X509_UNKNOWN_SAN error?
Yes, that's what I got.
>> So I tried to use gnutls_x509_crt_get_extension_by_oid() which returns
>> me the subjectAltName extension, that contains what I am looking
>> for. The question now is: does GnuTLS support me processing the
>> returned DER data, or do I have to use libtasn for further processing?
> No, GnuTLS doesn't support that. Using libtasn1 to do this is
> possible, but it is easier to add the functionality to GnuTLS itself.
For me as a library user anyway :-) I don't usurp to use libtasn1 directly.
> I'm not sure what a good API would be, maybe you could suggest
Well for my purpose / the purpose of using GnuTLS for XMPP (RFC 3920)
the best would be to have a higher level function like
gnutls_x509_crt_check_hostname(), e.g. gnutls_x509_crt_check_jid() where
instead of a hostname, a JID (= XMPP address) is passed in.
If the JID contains an '@' or '/' sign, the JID is only checked against
the id-on-xmppAddr. Else the JID is an IDN, which is checked (as UTF-8
value) against the id-on-xmppAddr or (after punicode-encoding) against
dNSName. If neither id-on-xmppAddr nor dNSName is present in the
certificate, a check against CN is done.
But sure this is only a solution for XMPP, and it might be good to have
an interface to access arbitrary otherNames ...
> What is missing is a field to return the OID of the
> otherName data. Perhaps we could add a function like:
> gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert,
> unsigned int seq,
> void *ret,
> size_t * ret_size,
> void *oid,
> size_t *oid_size,
> unsigned int *critical)
> If the SAN is an otherName, it would return the OID.
Maybe gnutls_x509_crt_get_subject_alt_name() could return an error code
indicating, that it is an otherName. In that case the user could have
two functions: one to get the oid of the otherName, and another to get
> What would the simplest API be for you? Maybe one that searched
> through the entire SAN for a particular otherName OID?
The best API for me would be the one I described above. But a function,
that allows me to check for otherName/id-on-xmppAddr extenions would be
okay for me as well.
Matthias Wimmer Fon +49-700 77 00 77 70
Züricher Str. 243 Fax +49-89 95 89 91 56
81476 München http://ma.tthias.eu/
More information about the Gnutls-help