(ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Howard Chu
hyc at symas.com
Fri Feb 15 21:38:27 CET 2008
Nikos Mavrogiannopoulos wrote:
> On Friday 15 February 2008, Howard Chu wrote:
>> Nikos Mavrogiannopoulos wrote:
>>> Indeed I'll try to improve this patch to work only for formats known
>>> to be text.
>> The code was perfectly correct before this patch. Why do you want to change
>> anything here at all? I looked in the gnutls-devel archives and couldn't
>> find any discussion of this change. It would be nice to understand what
>> you're trying to accomplish here, given that there are large bodies of code
>> already written that expect the existing behavior of GnuTLS 2.1.7 and
>> older.
>
> Well, it depends on the definition of correct. It didn't null terminate
> printable strings, and this was so correct for me.
Fair enough, that's your definition. Most people coding for X.509 understand
that it's ASN.1/DER and as such, they're accustomed to the fact that strings
use counted lengths, not NUL terminators. As such, the old behavior was normal
and expected. Also, the behavior you introduce here makes this particular API
behave differently from every other API that extracts strings from
certificates. Note - this is not a suggestion to you to now go and change all
those other APIs.
> Anyway, does the attached
> patch solve your problem?
Not really. It still returns a size one byte larger than expected for the
strings. Even in languages where NUL-terminated strings are the norm, the
terminating byte is not included in the length.
The point is, we expect this API to return exactly the data that was in the
certificate. If the caller wants to treat the data as a string, they can
NUL-terminate it themselves. The manpage only says that the data will be
returned, it does not say that it will be altered in any way.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
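The point Howard makes above (DER strings carry a counted length and are not NUL-terminated, and the caller who wants a C string adds the terminator) is worth seeing in code. The following is an added illustration, not GnuTLS code and not anything posted in this thread: it parses a constructed, hand-encoded subjectAltName GeneralNames value with a tiny DER reader (function names such as der_read_tlv, san_dns_names and san_matches are made up for the example), returns each dNSName as pointer plus counted length, and contrasts a length-aware comparison with one that NUL-terminates a copy and calls strcmp. The second dNSName is deliberately constructed with an embedded NUL byte to show why the counted length, not the terminator, is authoritative.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not from any real certificate): a DER-encoded
 * GeneralNames SEQUENCE with two dNSName entries ([2] IMPLICIT IA5String,
 * tag byte 0x82).  The second name carries an embedded NUL byte. */
static const char SAMPLE_SAN[] =
    "\x30\x2f"
    "\x82\x0f" "www.example.com"
    "\x82\x1c" "www.example.net\0evil.example";
#define SAMPLE_SAN_LEN (sizeof SAMPLE_SAN - 1)

/* One string as it sits in the certificate: pointer and counted length,
 * exactly the bytes in the DER, no terminator added. */
typedef struct {
    const unsigned char *data;
    size_t len;
} der_str;

/* Read one TLV at buf[*pos]. Handles short-form and one-byte long-form
 * lengths, which is all this sample needs; anything else is rejected. */
static int der_read_tlv(const unsigned char *buf, size_t buflen, size_t *pos,
                        unsigned char *tag, der_str *val)
{
    if (*pos + 2 > buflen) return -1;
    *tag = buf[*pos];
    size_t len = buf[*pos + 1], hdr = 2;
    if (len == 0x81) {
        if (*pos + 3 > buflen) return -1;
        len = buf[*pos + 2];
        hdr = 3;
    } else if (len & 0x80) {
        return -1;
    }
    if (*pos + hdr + len > buflen) return -1;   /* length runs past the buffer */
    val->data = buf + *pos + hdr;
    val->len = len;
    *pos += hdr + len;
    return 0;
}

/* Collect dNSName entries from a GeneralNames SEQUENCE.
 * Returns the number found, or -1 if the DER is malformed. */
static int san_dns_names(const unsigned char *der, size_t derlen,
                         der_str *out, size_t max)
{
    size_t pos = 0, p = 0, n = 0;
    unsigned char tag;
    der_str seq, v;
    if (der_read_tlv(der, derlen, &pos, &tag, &seq) != 0 || tag != 0x30 || pos != derlen)
        return -1;
    while (p < seq.len) {
        if (der_read_tlv(seq.data, seq.len, &p, &tag, &v) != 0) return -1;
        if (tag == 0x82 && n < max) out[n++] = v;
    }
    return (int)n;
}

/* Correct: compare over the counted length, so an embedded NUL is just
 * another byte that fails to match. */
static int san_matches(const der_str *name, const char *host)
{
    size_t hl = strlen(host);
    return name->len == hl && memcmp(name->data, host, hl) == 0;
}

/* Wrong, shown for contrast: NUL-terminate a copy (as a caller may) and
 * then trust strcmp, which stops at the first NUL inside the name. */
static int san_matches_strcmp(const der_str *name, const char *host)
{
    char buf[256];
    if (name->len >= sizeof buf) return 0;
    memcpy(buf, name->data, name->len);
    buf[name->len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Small wrappers over the constructed sample. */
static int sample_dns_count(void)
{
    der_str names[4];
    return san_dns_names((const unsigned char *)SAMPLE_SAN, SAMPLE_SAN_LEN, names, 4);
}
static int sample_matches(size_t idx, const char *host, int use_strcmp)
{
    der_str names[4];
    int n = san_dns_names((const unsigned char *)SAMPLE_SAN, SAMPLE_SAN_LEN, names, 4);
    if (n < 0 || idx >= (size_t)n) return -1;
    return use_strcmp ? san_matches_strcmp(&names[idx], host) : san_matches(&names[idx], host);
}

int main(void)
{
    der_str names[4];
    int n = san_dns_names((const unsigned char *)SAMPLE_SAN, SAMPLE_SAN_LEN, names, 4);
    for (int i = 0; i < n; i++)
        printf("dNSName %d: %zu bytes, first %d chars: %.*s\n", i, names[i].len,
               (int)strnlen((const char *)names[i].data, names[i].len),
               (int)strnlen((const char *)names[i].data, names[i].len), names[i].data);
    printf("length-aware match of name 1 to www.example.net: %d\n",
           sample_matches(1, "www.example.net", 0));
    printf("strcmp match of name 1 to www.example.net:        %d\n",
           sample_matches(1, "www.example.net", 1));
    return 0;
}
```

The first name is 15 bytes and the second is 28, which is what a counted-length API should report; the NUL-terminating copy in san_matches_strcmp accepts "www.example.net" for the second name while the length-aware comparison rejects it.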