[PATCH] add gnutls_certificate_find_issuer

Simon Josefsson simon at josefsson.org
Thu Feb 21 11:12:35 CET 2008


Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Joe Orton wrote:
>> On Wed, Feb 20, 2008 at 02:52:54PM +0200, Nikos Mavrogiannopoulos wrote:
>>> On Feb 19, 2008 11:33 PM, Joe Orton <jorton at redhat.com> wrote:
>>>> With respect to exposing structure contents directly, I would generally
>>>> advocate exposing functions instead where possible, since structures
>>>> bring restrictive ABI constraints.
>>> Indeed but I'm thinking that someone might do more than check a single
>>> issuer. He might want to print the whole imported list. In that case
>>> I'd use something like gnutls_certificate_export_x509_cas() that will
>>> return the whole list of issuers, and your check can be done at the
>>> application level. Would something like this suit you?
>>
>> Yes, that certainly sounds fine too.
>
> I've done a commit at:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=a259726327bf193e9c83f7473d517502ba8a879b

Seems useful.  But what about using *_get_* instead of *_export_* in the
function names?  The few functions with _export_ in the names appear to
extract (i.e. copy) the values, but these functions appear to just
export pointers.  There is also the confusion with export restrictions,
which some function names with _export_ in them refer to.  So _get_
might be more appropriate.  What do you think?

Hm.  Some function names use *_trust* rather than *_cas* too.  Should
gnutls_certificate_export_x509_cas be gnutls_certificate_get_x509_trust?
There is a lack of plural there, and we already have one function with
_cas in it -- gnutls_certificate_free_cas -- so maybe
gnutls_certificate_get_x509_cas is simpler.

> However these functions will restrict us on a rewrite of
> certificate_credentials... but it doesn't seem likely.

That is too late anyway, there is gnutls_certificate_set_x509_key and
friends...

/Simon




