[Help-gnutls] Re: Verifying subjectAltNames
Simon Josefsson
simon at josefsson.org
Mon Feb 12 14:54:11 CET 2007
Matthias Wimmer <m at tthias.eu> writes:
> A okay, I did not read this paragraph at the first time. I think it
> should be stripped as it is also stripped when non-otherName values
> are returned.
I agree, and I have changed this. Data for known otherName OIDs
should now be decoded. In the future, it won't be possible to decode
all data, I think, since they may be structured, but we'll handle that
problem when it comes to it. This data happened to be non-structured.
'certtool -i' on the jabber.org XMPP certificate will now say:
        Subject Alternative Name (not critical):
            XMPP Address: jabber.org
            DNSname: jabber.org
            DNSname: *.jabber.org
Which seems quite nice. The relevant code is in lib/x509/output.c:
      err = gnutls_x509_crt_get_subject_alt_name (cert, san_idx,
                                                  buffer, &size, NULL);
      if (err < 0)
        ...

      switch (err)
        {
        ...
        case GNUTLS_SAN_OTHERNAME:
          ...
          err = gnutls_x509_crt_get_subject_alt_othername_oid
            (cert, san_idx, oid, &oidsize);
          if (err < 0)
            ...

          if (err == GNUTLS_SAN_OTHERNAME_XMPP)
            addf (str, "\t\t\tXMPP Address: %.*s\n", size, buffer);
          else
            {
              addf (str, "\t\t\totherName OID: %.*s\n", oidsize, oid);
              addf (str, "\t\t\totherName DER: ");
              hexprint (str, buffer, size);
              addf (str, "\n\t\t\totherName ASCII: ");
              asciiprint (str, buffer, size);
              addf (str, "\n");
            }
/Simon
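As an added illustration (not Simon's code and not GnuTLS's own), a dependency-free C decoder for the otherName GeneralName that the snippet above handles: the id-on-xmppAddr OID is matched and its UTF8String value printed as text, any other OID falls back to raw DER hex, and truncated input is rejected instead of over-read. SAMPLE_XMPP and SAMPLE_OTHER are constructed test vectors, and the OID 1.2.3.4 in the second one is an arbitrary placeholder.

```c
#include <stdio.h>
#include <string.h>

/* DER of id-on-xmppAddr (1.3.6.1.5.5.7.8.5), the OID behind GNUTLS_SAN_OTHERNAME_XMPP. */
static const unsigned char XMPP_OID[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x08,0x05};
/* Constructed samples: xmppAddr "jabber.org", and an otherName under the
   arbitrary OID 1.2.3.4 whose value this code does not know how to decode. */
static const unsigned char SAMPLE_XMPP[] = {
    0xa0,0x18, 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x08,0x05,
    0xa0,0x0c, 0x0c,0x0a,'j','a','b','b','e','r','.','o','r','g'};
static const unsigned char SAMPLE_OTHER[] = {
    0xa0,0x0a, 0x06,0x03,0x2a,0x03,0x04, 0xa0,0x03, 0x0c,0x01,'x'};

/* Read one short-form DER TLV with the expected tag; returns 0 if malformed. */
static int tlv(const unsigned char *p, size_t n, unsigned char tag,
               const unsigned char **val, size_t *len)
{
    if (n < 2 || p[0] != tag || p[1] > 0x7f || (size_t)p[1] + 2 > n) return 0;
    *val = p + 2; *len = p[1];
    return 1;
}

/* Render otherName ::= [0] { type-id OID, [0] EXPLICIT value } the way the
   certtool output above does: decoded text for xmppAddr, raw DER hex for
   any other OID. Returns NULL on malformed input rather than over-reading. */
const char *othername_to_string(const unsigned char *der, size_t n)
{
    static char out[256];
    const unsigned char *body, *oid, *exp, *val;
    size_t blen, olen, elen, vlen, used;
    if (!tlv(der, n, 0xa0, &body, &blen) ||                   /* [0] otherName */
        !tlv(body, blen, 0x06, &oid, &olen) ||                /* type-id */
        !tlv(oid + olen, blen - 2 - olen, 0xa0, &exp, &elen)) /* [0] value */
        return NULL;
    if (olen == sizeof XMPP_OID && memcmp(oid, XMPP_OID, olen) == 0) {
        if (!tlv(exp, elen, 0x0c, &val, &vlen)) return NULL;  /* UTF8String */
        snprintf(out, sizeof out, "XMPP Address: %.*s", (int)vlen, (const char *)val);
        return out;
    }
    used = (size_t)snprintf(out, sizeof out, "otherName DER: ");
    for (size_t i = 0; i < elen && used + 3 <= sizeof out; i++)
        used += (size_t)snprintf(out + used, sizeof out - used, "%02x", exp[i]);
    return out;
}

int main(void)
{
    puts(othername_to_string(SAMPLE_XMPP, sizeof SAMPLE_XMPP));   /* XMPP Address: jabber.org */
    puts(othername_to_string(SAMPLE_OTHER, sizeof SAMPLE_OTHER)); /* otherName DER: 0c0178 */
    return 0;
}
```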