[Help-gnutls] Parsing certificate extensions and issuer alt names

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jul 13 08:33:48 CEST 2009

Brad Hards wrote:
> Hi,
> I'm trying to provide a GnuTLS backend for the Qt Cryptographic Architecture.
> It is going OK (not really "going well", but I'm still making progress).
> I have a question about how to parse out something that doesn't really have 
> support in GnuTLS. My need at the moment is to handle OID 
> (Certificate Policies) and OID (Issuer Alternative Name).
> Issuer Alt Name is very similar to Subject Alt Name.
> So far, I think I need to use gnutls_x509_crt_get_extension_by_oid() to get 
> the ASN.1, and then I need to decode it. Its the decoding bit that I'm 
> uncertain about.


Actually I think it might be much easier to do that inside gnutls by
extending get_subject_alt_name() to be able to accept the OID as
parameter to parse the extension as well. Then would be easy
to submit a gnutls_x509_crt_get_issuer_alt_name that can be added to gnutls.

> I had no idea about how to start the Certificate Policies.

For that you might want to see dn.c:gnutls_x509_rdn_get function that
parses the rdnSequence of PKIX. It is mostly libtasn1 stuff you'd need
but indeed the policies extension looks not to be the easier structure
to parse.


More information about the Gnutls-help mailing list