Experiments with GnuTLS and Qt
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Jan 9 13:50:48 CET 2012
On Sun, Jan 8, 2012 at 11:00 PM, Richard Moore <rich at kde.org> wrote:
> I've been evaluating using GnuTLS with Qt this weekend. There's a
> basic tool that prints out cert info and converts from some Qt data
> types like QDateTime etc. at
> http://xmelegance.org/devel/cert-prototype.tar.bz2 I'm just posting it
> here in case it happens to be useful to anyone. Issues I've
> encountered are documented in the NOTES file.
Hello,
Interesting comments.
- The docs say to report bugs to one place, but they also seem to use the bug
reporting tool from savanah. No indication of which is the one to use. It
seems the bug report email actually goes to the development list.
Actually both end up in the development list and are treated equally.
- Getting at the subject/issuer details seems a bit tricky. There seem to be
errors in the docs here which doesn't help. Also seems to be using a mixture
of void * and char * to hold oids which means we'll need some casts.
Would you like to elaborate on that? Is there is something we should
fix (in the
documentation or code)?
- There appears to be no method to map oids to human readable names, there's
some internal functions for it but nothing public.
Are you referring to the DN oids? If this is the case and it is an interesting
feature we could consider exporting the known OIDs. However this cannot
be a general OID -> string convertion.
- Both subject/issuer (distinguished name) and extensions APIs seem to involve
querying the oids and passing them around. This is likely to be slow since
we're talking string comparisions (and even worse the part of the string
that varies is at the end though this might be worked around internally
since we provide a length).
To which functions do you refer to? In general I try to promote the
gnutls_x509_crt_get_dn() that provides an RFC2253 compliant single
string to describe the DN.
It appears there's another way to get this info
gnutls_x509_crt_get_subject() no idea if this is a better mechanism at this
time.
If less string comparisons is your goal this looks like an alternative. However,
unless you expect millions of DN queries I wouldn't worry about string
comparisons.
Its impact would be minimal to the cost of DER decoding overhead.
- No support for OCSP in the released version, OCSP code appears to be under
active development in a branch of the git repo.
It is expected to be merged soon.
regards,
Nikos
More information about the Gnutls-help
mailing list