help-gnutls

Re: [Help-gnutls] Checking hostname against certificate


From: Andrew McDonald
Subject: Re: [Help-gnutls] Checking hostname against certificate
Date: Mon, 28 Jan 2002 19:29:36 +0000
User-agent: Mutt/1.5.0i

On Mon, Jan 28, 2002 at 10:13:08AM +0200, Nikos Mavroyanopoulos wrote:
> On Sun, 27 Jan 2002 21:22:37 +0000 Andrew McDonald <address@hidden> wrote:
>
> > (Actually, might something along these lines be useful to put into
> > libgnutls itself?)
> Well X.509 is a REALLY bloated protocol. There are a lot of things that
> we should handle. An X.509 certificate may even contain videos, photographs 
> and anything that can get an OID.

So I discovered on reading Peter Gutmann's X.509 Style Guide.

> For gnutls I intend to add only basic functionality required to work.
> (Hopefully there is aegypten, but I don't know how far it can go
> yet.)

Yes, this does seem more to belong in libksba since it is purely an
'X.509 thing' rather than doing any TLS.

> > gnutls_x509pki_extract_subject_dns_name doesn't seem to be working.
> > As far as I understand it, this should extract a DNS name from a
> > Subject Alternative Name X.509v3 extension (as described in RFC2549,
> > section 4.2.1.7).
> This function was never tested. Please send me the certificate that
> contains the dnsname, email extensions, so I can give it a test (and a fix).
> 
> > 2.5.29.17 is the OID for an AltName extension. How does
> > _gnutls_get_extension know you want the dNSName?
> it does not :)

Ah. Good. I was a bit worried that I couldn't see how it could possibly
do what it was supposed to. :-)

I've attached imapd.pem, a test certificate (since this is a test key
I've included the private part as well to give you maximum flexibility
in testing). This was generated from the attached imapd.cnf using the
command:
    openssl req -new -x509 -days 365 -nodes -out imapd.pem -keyout imapd.pem -config imapd.cnf

Regards,


Andrew
-- 
Andrew McDonald
E-mail: address@hidden
http://www.mcdonald.org.uk/andrew/

Attachment: imapd.pem
Description: Text document

Attachment: imapd.cnf
Description: Text document
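
On the question in the message above of how a dNSName is picked out of the 2.5.29.17 extension: the extension value is a SEQUENCE OF GeneralName, and each entry carries a context tag, with dNSName being [2] (tag byte 0x82). The following is an added example, not part of the original message and not GnuTLS code; san_dns_name, der_len and the sample bytes are constructed for illustration, and it assumes the caller has already unwrapped the extension's OCTET STRING.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: DER GeneralNames with one rfc822Name and two dNSNames. */
static const unsigned char SAMPLE_SAN[] =
    "\x30\x33" "\x81\x0d" "a@example.org"
    "\x82\x10" "imap.example.org" "\x82\x10" "mail.example.org";
#define SAMPLE_SAN_LEN (sizeof SAMPLE_SAN - 1)   /* drop the literal's NUL */

/* Read a DER length at p[*i]; 0 on success, -1 if malformed or over 2 bytes. */
static int der_len(const unsigned char *p, size_t n, size_t *i, size_t *len)
{
    if (*i >= n) return -1;
    unsigned char b = p[(*i)++];
    if (b < 0x80) { *len = b; return 0; }        /* short form */
    unsigned k = b & 0x7f;                       /* long form: k length bytes */
    if (k == 0 || k > 2 || n - *i < k) return -1;
    *len = 0;
    while (k--) *len = (*len << 8) | p[(*i)++];
    return 0;
}

/* Copy the idx-th dNSName ([2] IMPLICIT IA5String, tag byte 0x82) into out.
 * Returns its length, -1 if there is no such entry, -2 if malformed/too long. */
int san_dns_name(const unsigned char *san, size_t n, int idx, char *out, size_t outsz)
{
    size_t i = 0, len;
    if (n < 2 || san[i++] != 0x30) return -2;    /* SEQUENCE OF GeneralName */
    if (der_len(san, n, &i, &len) || len != n - i) return -2;
    while (i < n) {
        unsigned char tag = san[i++];
        if (der_len(san, n, &i, &len) || len > n - i) return -2;
        if (tag == 0x82 && idx-- == 0) {         /* skip rfc822Name, iPAddress, ... */
            /* An embedded NUL would truncate the name in a later strcmp. */
            if (len + 1 > outsz || memchr(san + i, 0, len)) return -2;
            memcpy(out, san + i, len);
            out[len] = '\0';
            return (int)len;
        }
        i += len;
    }
    return -1;
}

int main(void)
{
    char name[256];
    for (int k = 0; san_dns_name(SAMPLE_SAN, SAMPLE_SAN_LEN, k, name, sizeof name) > 0; k++)
        printf("dNSName[%d] = %s\n", k, name);
    return 0;
}
```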

