[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-gnutls] Re: Verifying subjectAltNames
|
From: |
Simon Josefsson |
|
Subject: |
[Help-gnutls] Re: Verifying subjectAltNames |
|
Date: |
Mon, 12 Feb 2007 14:54:11 +0100 |
|
User-agent: |
Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.93 (gnu/linux) |
Matthias Wimmer <address@hidden> writes:
> A okay, I did not read this paragraph at the first time. I think it
> should be stripped as it is also stripped when non-otherName values
> are returned.
I agree, and I have changed this. Data for known otherName OID's
should now be decoded. In the future, it won't be possible to decode
all data, I think, since they may be structured, but we'll handle that
problem when it comes to it. This data happened to be non-structured.
'certtool -i' on the jabber.org XMPP certificate will now say:
Subject Alternative Name (not critical):
XMPP Address: jabber.org
DNSname: jabber.org
DNSname: *.jabber.org
Which seems quite nice. The relevant code is in lib/x509/output.c:
err = gnutls_x509_crt_get_subject_alt_name (cert, san_idx,
buffer, &size, NULL);
if (err < 0)
...
switch (err)
{
...
case GNUTLS_SAN_OTHERNAME:
...
err = gnutls_x509_crt_get_subject_alt_othername_oid
(cert, san_idx, oid, &oidsize);
if (err < 0)
...
if (err == GNUTLS_SAN_OTHERNAME_XMPP)
addf (str, "\t\t\tXMPP Address: %.*s\n", size, buffer);
else
{
addf (str, "\t\t\totherName OID: %.*s\n", oidsize, oid);
addf (str, "\t\t\totherName DER: ");
hexprint (str, buffer, size);
addf (str, "\n\t\t\totherName ASCII: ");
asciiprint (str, buffer, size);
addf (str, "\n");
}
/Simon