[Help-gnutls] Re: Verifying subjectAltNames

Simon Josefsson simon at josefsson.org
Mon Jan 29 20:56:55 CET 2007


Matthias Wimmer <m at tthias.eu> writes:

>> I'm not sure what a good API would be, maybe you could suggest
>> something?
>
> Well for my purpose / the purpose of using GnuTLS for XMPP (RFC 3920)
> the best would be to have a higher level function like
> gnutls_x509_crt_check_hostname(), e.g. gnutls_x509_crt_check_jid()
> where instead of a hostname, a JID (= XMPP address) is passed in.
>
> If the JID contains an '@' or '/' sign, the JID is only checked
> against the id-on-xmppAddr. Else the JID is an IDN, which is checked
> (as UTF-8 value) against the id-on-xmppAddr or (after punycode-encoding)
> against dNSName. If neither id-on-xmppAddr nor dNSName is present in the
> certificate, a check against CN is done.
>
> But sure this is only a solution for XMPP, and it might be good to
> have an interface to access arbitrary otherNames ...

GnuTLS currently doesn't do UTF-8 let alone any IDN stuff, and I think
it would be nice to keep that to a minimum, to reduce external
dependencies.  So that API isn't really a good solution.

>> What is missing is a field to return the OID of the
>> otherName data.  Perhaps we could add a function like:
>>
>> int
>> gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert,
>>                                        unsigned int seq,
>>                                        void *ret,
>>                                        size_t * ret_size,
>>                                        void *oid,
>>                                        size_t *oid_size,
>>                                        unsigned int *critical)
>>
>> If the SAN is an otherName, it would return the OID.
>
> Maybe gnutls_x509_crt_get_subject_alt_name() could return an error
> code indicating that it is an otherName. In that case the user could
> have two functions: one to get the OID of the otherName, and another
> to get the value!?

Not very pretty, but it is a solution.  Patches welcome..

I just noticed that the current API is lacking another important
thing: you don't know what kind of SAN was returned.  There should be
a 'gnutls_x509_subject_alt_name_t' output variable.

>> What would the simplest API be for you?  Maybe one that searched
>> through the entire SAN for a particular otherName OID?
>
> The best API for me would be the one I described above. But a
> function that allows me to check for otherName/id-on-xmppAddr
> extensions would be okay for me as well.

Ok.  I'll think some more on an API that would fix both these
problems...  and give you and others some more time to think about it
too.

/Simon
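The matching rule Matthias describes (a JID containing '@' or '/' is compared only against id-on-xmppAddr; a bare domain is compared against id-on-xmppAddr as UTF-8 or against dNSName after punycode encoding; CN is consulted only when neither SAN type is present) can be written out in a few lines once the SubjectAltName is decoded. The following is an added example, not GnuTLS code and not code from either poster: it carries a small DER reader for the GeneralNames SEQUENCE, extracts otherName OIDs (the thing the discussed API does not yet expose) and dNSName entries, and applies the rule. The sample SAN is constructed inline; Python's built-in `idna` codec stands in for the punycode step, and no stringprep of the JID is attempted.

```python
from typing import List, Tuple

# id-on-xmppAddr OID from RFC 3920 section 5.1.1
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag byte, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(contents: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs = [contents[0] // 40, contents[0] % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_san(san_der: bytes) -> List[Tuple[str, object]]:
    """Decode a SubjectAltName (GeneralNames) into [(kind, value), ...].

    otherName entries become ('otherName', (oid, value_bytes)); dNSName
    entries become ('dNSName', 'host'); other GeneralName choices are
    reported as ('unsupported', tag) so nothing is silently dropped.
    """
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, contents, pos = _read_tlv(seq, pos)
        if tag == 0xA0:  # [0] otherName ::= { type-id OID, value [0] EXPLICIT ANY }
            _, oid_bytes, p = _read_tlv(contents, 0)
            _, explicit, _ = _read_tlv(contents, p)  # the [0] EXPLICIT wrapper
            _, value, _ = _read_tlv(explicit, 0)     # the wrapped value (UTF8String here)
            out.append(("otherName", (_decode_oid(oid_bytes), value)))
        elif tag == 0x82:  # [2] dNSName IA5String
            out.append(("dNSName", contents.decode("ascii")))
        else:
            out.append(("unsupported", tag))
    return out


def check_jid(san_der: bytes, jid: str, cn: str = "") -> bool:
    """Apply the JID matching rule from the thread to a decoded SAN."""
    names = parse_san(san_der)
    xmpp_addrs = [v[1].decode("utf-8") for k, v in names
                  if k == "otherName" and v[0] == ID_ON_XMPPADDR]
    dns_names = [v.lower() for k, v in names if k == "dNSName"]
    if "@" in jid or "/" in jid:
        return jid in xmpp_addrs           # full JID: only id-on-xmppAddr may match
    if xmpp_addrs or dns_names:
        ascii_host = jid.encode("idna").decode("ascii").lower()  # punycode form
        return jid in xmpp_addrs or ascii_host in dns_names
    return jid == cn                       # neither SAN type present: CN fallback


# --- constructed sample SAN (assumption: values chosen for this example) ---
def _tlv(tag: int, contents: bytes) -> bytes:
    assert len(contents) < 128  # short-form length is enough for the sample
    return bytes([tag, len(contents)]) + contents


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


# otherName{id-on-xmppAddr, "juliet@example.net"} + dNSName "xn--bcher-kva.example"
SAMPLE_SAN = _tlv(0x30,
    _tlv(0xA0, _encode_oid(ID_ON_XMPPADDR)
         + _tlv(0xA0, _tlv(0x0C, "juliet@example.net".encode("utf-8"))))
    + _tlv(0x82, b"xn--bcher-kva.example"))

if __name__ == "__main__":
    for name in parse_san(SAMPLE_SAN):
        print(name)
    print(check_jid(SAMPLE_SAN, "juliet@example.net"),   # True via id-on-xmppAddr
          check_jid(SAMPLE_SAN, "b\u00fccher.example"),   # True via punycode dNSName
          check_jid(SAMPLE_SAN, "example.net", cn="example.net"))  # False: SAN present
```

The CN fallback only fires when the SAN carries neither name type, so a certificate that has a dNSName but a matching CN still fails, which is the behaviour the quoted rule asks for.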
