[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_4-7-gfe3124f
|
From: |
Simon Josefsson |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_4-7-gfe3124f |
|
Date: |
Thu, 10 Sep 2009 06:25:15 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=fe3124f0c1f8fbb198b0d2d9e97472410e80466d
The branch, master has been updated
via fe3124f0c1f8fbb198b0d2d9e97472410e80466d (commit)
via e32fdab4f2e42d90638cd514012a42953278fb7c (commit)
via 6d53cd6b1ef73cd239f29df42ca07c9d6f0cd107 (commit)
from 36db99c522b5edb2221e9fd23f53f63aacd43f9f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit fe3124f0c1f8fbb198b0d2d9e97472410e80466d
Author: Simon Josefsson <address@hidden>
Date: Thu Sep 10 08:25:01 2009 +0200
Indent.
commit e32fdab4f2e42d90638cd514012a42953278fb7c
Author: Simon Josefsson <address@hidden>
Date: Thu Sep 10 08:24:47 2009 +0200
Move the new ABIs to the GNUTLS_2_10 section.
commit 6d53cd6b1ef73cd239f29df42ca07c9d6f0cd107
Author: Brad Hards <address@hidden>
Date: Wed Sep 9 21:57:06 2009 +1000
Add X509 Issuer Altname functions
Signed-off-by: Simon Josefsson <address@hidden>
-----------------------------------------------------------------------
Summary of changes:
doc/manpages/Makefile.am | 3 +
lib/includes/gnutls/x509.h | 15 +++++
lib/libgnutls.map | 3 +
lib/x509/output.c | 113 +++++++++++++++++++++------------
lib/x509/x509.c | 151 +++++++++++++++++++++++++++++++++++++++----
tests/Makefile.am | 2 +-
tests/x509_altname.c | 119 ++++++++++++++++++++++++++++++++++
7 files changed, 349 insertions(+), 57 deletions(-)
create mode 100644 tests/x509_altname.c
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 4c0ff22..b894f7e 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -431,8 +431,11 @@ APIMANS += gnutls_x509_crt_get_subject_key_id.3
APIMANS += gnutls_x509_crt_get_authority_key_id.3
APIMANS += gnutls_x509_crt_get_pk_algorithm.3
APIMANS += gnutls_x509_crt_get_subject_alt_name.3
+APIMANS += gnutls_x509_crt_get_issuer_alt_name.3
APIMANS += gnutls_x509_crt_get_subject_alt_name2.3
+APIMANS += gnutls_x509_crt_get_issuer_alt_name2.3
APIMANS += gnutls_x509_crt_get_subject_alt_othername_oid.3
+APIMANS += gnutls_x509_crt_get_issuer_alt_othername_oid.3
APIMANS += gnutls_x509_crt_get_basic_constraints.3
APIMANS += gnutls_x509_crt_get_ca_status.3
APIMANS += gnutls_x509_crt_get_key_usage.3
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 2a87cba..e61ef25 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -198,6 +198,21 @@ extern "C"
void *ret,
size_t * ret_size);
+ int gnutls_x509_crt_get_issuer_alt_name (gnutls_x509_crt_t cert,
+ unsigned int seq, void *ret,
+ size_t * ret_size,
+ unsigned int *critical);
+ int gnutls_x509_crt_get_issuer_alt_name2 (gnutls_x509_crt_t cert,
+ unsigned int seq, void *ret,
+ size_t * ret_size,
+ unsigned int *ret_type,
+ unsigned int *critical);
+
+ int gnutls_x509_crt_get_issuer_alt_othername_oid (gnutls_x509_crt_t cert,
+ unsigned int seq,
+ void *ret,
+ size_t * ret_size);
+
int gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert,
unsigned int *critical);
int gnutls_x509_crt_get_basic_constraints (gnutls_x509_crt_t cert,
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 100ac67..89474be 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -576,6 +576,9 @@ GNUTLS_2_10
gnutls_session_ticket_key_generate;
gnutls_session_ticket_enable_client;
gnutls_session_ticket_enable_server;
+ gnutls_x509_crt_get_issuer_alt_name2;
+ gnutls_x509_crt_get_issuer_alt_name;
+ gnutls_x509_crt_get_issuer_alt_othername_oid;
} GNUTLS_2_8;
GNUTLS_PRIVATE {
diff --git a/lib/x509/output.c b/lib/x509/output.c
index 854affb..34bdc6c 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -212,6 +212,10 @@ print_ski (gnutls_string * str, gnutls_x509_crt_t cert)
#define TYPE_CRT 2
#define TYPE_CRQ 3
+#define TYPE_CRT_SAN TYPE_CRT
+#define TYPE_CRQ_SAN TYPE_CRQ
+#define TYPE_CRT_IAN 4
+
typedef union
{
gnutls_x509_crt_t crt;
@@ -359,8 +363,7 @@ print_crldist (gnutls_string * str, gnutls_x509_crt_t cert)
if ((err == GNUTLS_SAN_DNSNAME
|| err == GNUTLS_SAN_RFC822NAME
- || err == GNUTLS_SAN_URI) &&
- strlen (buffer) != size)
+ || err == GNUTLS_SAN_URI) && strlen (buffer) != size)
{
adds (str, _("warning: distributionPoint contains an embedded NUL, "
"replacing with '!'\n"));
@@ -510,27 +513,31 @@ print_basic (gnutls_string * str, const char *prefix, int
type,
static void
-print_san (gnutls_string * str, const char *prefix, int type,
- cert_type_t cert)
+print_altname (gnutls_string * str, const char *prefix, int altname_type,
+ cert_type_t cert)
{
- unsigned int san_idx;
+ unsigned int altname_idx;
char str_ip[64];
char *p;
- for (san_idx = 0;; san_idx++)
+ for (altname_idx = 0;; altname_idx++)
{
char *buffer = NULL;
size_t size = 0;
int err;
- if (type == TYPE_CRT)
+ if (altname_type == TYPE_CRT_SAN)
err =
- gnutls_x509_crt_get_subject_alt_name (cert.crt, san_idx, buffer,
+ gnutls_x509_crt_get_subject_alt_name (cert.crt, altname_idx, buffer,
&size, NULL);
- else if (type == TYPE_CRQ)
+ else if (altname_type == TYPE_CRQ_SAN)
err =
- gnutls_x509_crq_get_subject_alt_name (cert.crq, san_idx, buffer,
+ gnutls_x509_crq_get_subject_alt_name (cert.crq, altname_idx, buffer,
&size, NULL, NULL);
+ else if (altname_type == TYPE_CRT_IAN)
+ err =
+ gnutls_x509_crt_get_issuer_alt_name (cert.crt, altname_idx, buffer,
+ &size, NULL);
else
return;
@@ -538,7 +545,7 @@ print_san (gnutls_string * str, const char *prefix, int
type,
break;
if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
- addf (str, "error: get_subject_alt_name: %s\n",
+ addf (str, "error: get_subject/issuer_alt_name: %s\n",
gnutls_strerror (err));
return;
}
@@ -551,29 +558,31 @@ print_san (gnutls_string * str, const char *prefix, int
type,
return;
}
- if (type == TYPE_CRT)
+ if (altname_type == TYPE_CRT_SAN)
err =
- gnutls_x509_crt_get_subject_alt_name (cert.crt, san_idx, buffer,
+ gnutls_x509_crt_get_subject_alt_name (cert.crt, altname_idx, buffer,
&size, NULL);
- else if (type == TYPE_CRQ)
+ else if (altname_type == TYPE_CRQ_SAN)
err =
- gnutls_x509_crq_get_subject_alt_name (cert.crq, san_idx, buffer,
+ gnutls_x509_crq_get_subject_alt_name (cert.crq, altname_idx, buffer,
&size, NULL, NULL);
+ else if (altname_type == TYPE_CRT_IAN)
+ err = gnutls_x509_crt_get_issuer_alt_name (cert.crt, altname_idx,
+ buffer, &size, NULL);
if (err < 0)
{
gnutls_free (buffer);
- addf (str, "error: get_subject_alt_name2: %s\n",
+ addf (str, "error: get_subject/issuer_alt_name2: %s\n",
gnutls_strerror (err));
return;
}
if ((err == GNUTLS_SAN_DNSNAME
|| err == GNUTLS_SAN_RFC822NAME
- || err == GNUTLS_SAN_URI) &&
- strlen (buffer) != size)
+ || err == GNUTLS_SAN_URI) && strlen (buffer) != size)
{
- adds (str, _("warning: SAN contains an embedded NUL, "
+ adds (str, _("warning: altname contains an embedded NUL, "
"replacing with '!'\n"));
while (strlen (buffer) < size)
buffer[strlen (buffer)] = '!';
@@ -586,7 +595,8 @@ print_san (gnutls_string * str, const char *prefix, int
type,
break;
case GNUTLS_SAN_RFC822NAME:
- addf (str, "%s\t\t\tRFC822name: %.*s\n", prefix, (int) size, buffer);
+ addf (str, "%s\t\t\tRFC822name: %.*s\n", prefix, (int) size,
+ buffer);
break;
case GNUTLS_SAN_URI:
@@ -611,17 +621,21 @@ print_san (gnutls_string * str, const char *prefix, int
type,
size_t oidsize;
oidsize = 0;
- if (type == TYPE_CRT)
+ if (altname_type == TYPE_CRT_SAN)
err = gnutls_x509_crt_get_subject_alt_othername_oid
- (cert.crt, san_idx, oid, &oidsize);
- else if (type == TYPE_CRQ)
+ (cert.crt, altname_idx, oid, &oidsize);
+ else if (altname_type == TYPE_CRQ_SAN)
err = gnutls_x509_crq_get_subject_alt_othername_oid
- (cert.crq, san_idx, oid, &oidsize);
+ (cert.crq, altname_idx, oid, &oidsize);
+ else if (altname_type == TYPE_CRT_IAN)
+ err = gnutls_x509_crt_get_issuer_alt_othername_oid
+ (cert.crt, altname_idx, oid, &oidsize);
if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
gnutls_free (buffer);
- addf (str, "error: get_subject_alt_othername_oid: %s\n",
+ addf (str,
+ "error: get_subject/issuer_alt_othername_oid: %s\n",
gnutls_strerror (err));
return;
}
@@ -635,12 +649,16 @@ print_san (gnutls_string * str, const char *prefix, int
type,
return;
}
- if (type == TYPE_CRT)
+ if (altname_type == TYPE_CRT_SAN)
err = gnutls_x509_crt_get_subject_alt_othername_oid
- (cert.crt, san_idx, oid, &oidsize);
- else if (type == TYPE_CRQ)
+ (cert.crt, altname_idx, oid, &oidsize);
+ else if (altname_type == TYPE_CRQ_SAN)
err = gnutls_x509_crq_get_subject_alt_othername_oid
- (cert.crq, san_idx, oid, &oidsize);
+ (cert.crq, altname_idx, oid, &oidsize);
+ else if (altname_type == TYPE_CRT_IAN)
+ err = gnutls_x509_crt_get_issuer_alt_othername_oid
+ (cert.crt, altname_idx, oid, &oidsize);
+
if (err < 0)
{
gnutls_free (buffer);
@@ -654,7 +672,7 @@ print_san (gnutls_string * str, const char *prefix, int
type,
{
if (strlen (buffer) != size)
{
- adds (str, _("warning: SAN contains an embedded NUL, "
+ adds (str, _("warning: altname contains an embedded NUL, "
"replacing with '!'\n"));
while (strlen (buffer) < size)
buffer[strlen (buffer)] = '!';
@@ -678,7 +696,7 @@ print_san (gnutls_string * str, const char *prefix, int
type,
break;
default:
- addf (str, "error: unknown SAN\n");
+ addf (str, "error: unknown altname\n");
break;
}
@@ -692,6 +710,7 @@ print_extensions (gnutls_string * str, const char *prefix,
int type,
{
int i, err;
int san_idx = 0;
+ int ian_idx = 0;
int proxy_idx = 0;
int basic_idx = 0;
int keyusage_idx = 0;
@@ -824,10 +843,25 @@ print_extensions (gnutls_string * str, const char
*prefix, int type,
addf (str, _("%s\t\tSubject Alternative Name (%s):\n"), prefix,
critical ? _("critical") : _("not critical"));
- print_san (str, prefix, type, cert);
+ print_altname (str, prefix, type, cert);
san_idx++;
}
+ else if (strcmp (oid, "2.5.29.18") == 0)
+ {
+ if (ian_idx)
+ {
+ addf (str, "error: more than one Issuer AltName extension\n");
+ continue;
+ }
+
+ addf (str, _("%s\t\tIssuer Alternative Name (%s):\n"), prefix,
+ critical ? _("critical") : _("not critical"));
+
+ print_altname (str, prefix, TYPE_CRT_IAN, cert);
+
+ ian_idx++;
+ }
else if (strcmp (oid, "2.5.29.31") == 0)
{
if (crldist_idx)
@@ -1039,8 +1073,7 @@ print_cert (gnutls_string * str, gnutls_x509_crt_t cert,
int notsigned)
{
err = gnutls_x509_crt_get_dn (cert, dn, &dn_size);
if (err < 0)
- addf (str, "error: get_dn: %s\n",
- gnutls_strerror (err));
+ addf (str, "error: get_dn: %s\n", gnutls_strerror (err));
else
addf (str, _("\tSubject: %s\n"), dn);
gnutls_free (dn);
@@ -1261,8 +1294,7 @@ print_oneline (gnutls_string * str, gnutls_x509_crt_t
cert)
{
err = gnutls_x509_crt_get_dn (cert, dn, &dn_size);
if (err < 0)
- addf (str, "unknown subject (%s), ",
- gnutls_strerror (err));
+ addf (str, "unknown subject (%s), ", gnutls_strerror (err));
else
addf (str, "subject `%s', ", dn);
gnutls_free (dn);
@@ -1289,8 +1321,7 @@ print_oneline (gnutls_string * str, gnutls_x509_crt_t
cert)
{
err = gnutls_x509_crt_get_issuer_dn (cert, dn, &dn_size);
if (err < 0)
- addf (str, "unknown issuer (%s), ",
- gnutls_strerror (err));
+ addf (str, "unknown issuer (%s), ", gnutls_strerror (err));
else
addf (str, "issuer `%s', ", dn);
gnutls_free (dn);
@@ -1314,8 +1345,7 @@ print_oneline (gnutls_string * str, gnutls_x509_crt_t
cert)
err = gnutls_x509_crt_get_signature_algorithm (cert);
if (err < 0)
- addf (str, "unknown signature algorithm (%s), ",
- gnutls_strerror (err));
+ addf (str, "unknown signature algorithm (%s), ", gnutls_strerror (err));
else
{
const char *name = gnutls_sign_algorithm_get_name (err);
@@ -1833,8 +1863,7 @@ print_crq (gnutls_string * str, gnutls_x509_crq_t cert)
{
err = gnutls_x509_crq_get_dn (cert, dn, &dn_size);
if (err < 0)
- addf (str, "error: get_dn: %s\n",
- gnutls_strerror (err));
+ addf (str, "error: get_dn: %s\n", gnutls_strerror (err));
else
addf (str, _("\tSubject: %s\n"), dn);
gnutls_free (dn);
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index a65626b..f0508a4 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -214,8 +214,8 @@ gnutls_x509_crt_import (gnutls_x509_crt_t cert,
if (cert->cert)
{
/* Any earlier asn1_der_decoding will modify the ASN.1
- structure, so we need to replace it with a fresh
- structure. */
+ structure, so we need to replace it with a fresh
+ structure. */
asn1_delete_structure (&cert->cert);
result = asn1_create_element (_gnutls_get_pkix (),
@@ -1110,10 +1110,10 @@ _gnutls_parse_general_name (ASN1_TYPE src, const char
*src_name,
}
static int
-get_subject_alt_name (gnutls_x509_crt_t cert,
- unsigned int seq, void *ret,
- size_t * ret_size, unsigned int *ret_type,
- unsigned int *critical, int othername_oid)
+get_alt_name (gnutls_x509_crt_t cert, const char *extension_id,
+ unsigned int seq, void *ret,
+ size_t * ret_size, unsigned int *ret_type,
+ unsigned int *critical, int othername_oid)
{
int result;
gnutls_datum_t dnsname;
@@ -1132,7 +1132,7 @@ get_subject_alt_name (gnutls_x509_crt_t cert,
*ret_size = 0;
if ((result =
- _gnutls_x509_crt_get_extension (cert, "2.5.29.17", 0, &dnsname,
+ _gnutls_x509_crt_get_extension (cert, extension_id, 0, &dnsname,
critical)) < 0)
{
return result;
@@ -1144,8 +1144,18 @@ get_subject_alt_name (gnutls_x509_crt_t cert,
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- result = asn1_create_element
- (_gnutls_get_pkix (), "PKIX1.SubjectAltName", &c2);
+ if (strcmp ("2.5.29.17", extension_id) == 0)
+ result = asn1_create_element (_gnutls_get_pkix (),
+ "PKIX1.SubjectAltName", &c2);
+ else if (strcmp ("2.5.29.18", extension_id) == 0)
+ result = asn1_create_element (_gnutls_get_pkix (),
+ "PKIX1.IssuerAltName", &c2);
+ else
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
@@ -1219,7 +1229,51 @@ gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t
cert,
size_t * ret_size,
unsigned int *critical)
{
- return get_subject_alt_name (cert, seq, ret, ret_size, NULL, critical, 0);
+ return get_alt_name (cert, "2.5.29.17", seq, ret, ret_size, NULL, critical,
+ 0);
+}
+
+/**
+ * gnutls_x509_crt_get_issuer_alt_name - Get certificate's issuer alternative
name, if any
+ * @cert: should contain a #gnutls_x509_crt_t structure
+ * @seq: specifies the sequence number of the alt name (0 for the first one,
1 for the second etc.)
+ * @ret: is the place where the alternative name will be copied to
+ * @ret_size: holds the size of ret.
+ * @critical: will be non zero if the extension is marked as critical (may be
null)
+ *
+ * This function will return the issuer alternative names, contained in the
+ * given certificate.
+ *
+ * This is specified in X509v3 Certificate Extensions. GNUTLS will
+ * return the Isssuer Alternative name (2.5.29.18), or a negative error code.
+ *
+ * When the SAN type is otherName, it will extract the data in the
+ * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
+ * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
+ * the corresponding OID and the "virtual" SAN types (e.g.,
+ * %GNUTLS_SAN_OTHERNAME_XMPP).
+ *
+ * If an otherName OID is known, the data will be decoded. Otherwise
+ * the returned data will be DER encoded, and you will have to decode
+ * it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer AltName
+ * is recognized.
+ *
+ * Returns: the alternative issuer name type on success, one of the
+ * enumerated #gnutls_x509_subject_alt_name_t. It will return
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ret_size is not large enough
+ * to hold the value. In that case @ret_size will be updated with
+ * the required size. If the certificate does not have an
+ * Alternative name with the specified sequence number then
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
+ **/
+int
+gnutls_x509_crt_get_issuer_alt_name (gnutls_x509_crt_t cert,
+ unsigned int seq, void *ret,
+ size_t * ret_size,
+ unsigned int *critical)
+{
+ return get_alt_name (cert, "2.5.29.18", seq, ret, ret_size, NULL, critical,
+ 0);
}
/**
@@ -1253,8 +1307,43 @@ gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t
cert,
unsigned int *ret_type,
unsigned int *critical)
{
- return get_subject_alt_name (cert, seq, ret, ret_size, ret_type, critical,
- 0);
+ return get_alt_name (cert, "2.5.29.17", seq, ret, ret_size, ret_type,
+ critical, 0);
+}
+
+/**
+ * gnutls_x509_crt_get_issuer_alt_name2 - Get certificate issuer's alternative
name, if any
+ * @cert: should contain a #gnutls_x509_crt_t structure
+ * @seq: specifies the sequence number of the alt name (0 for the first one, 1
for the second etc.)
+ * @ret: is the place where the alternative name will be copied to
+ * @ret_size: holds the size of ret.
+ * @ret_type: holds the type of the alternative name (one of
gnutls_x509_subject_alt_name_t).
+ * @critical: will be non zero if the extension is marked as critical (may be
null)
+ *
+ * This function will return the alternative names, contained in the
+ * given certificate. It is the same as
+ * gnutls_x509_crt_get_issuer_alt_name() except for the fact that it
+ * will return the type of the alternative name in @ret_type even if
+ * the function fails for some reason (i.e. the buffer provided is
+ * not enough).
+ *
+ * Returns: the alternative issuer name type on success, one of the
+ * enumerated #gnutls_x509_subject_alt_name_t. It will return
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ret_size is not large enough
+ * to hold the value. In that case @ret_size will be updated with
+ * the required size. If the certificate does not have an
+ * Alternative name with the specified sequence number then
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
+ **/
+int
+gnutls_x509_crt_get_issuer_alt_name2 (gnutls_x509_crt_t cert,
+ unsigned int seq, void *ret,
+ size_t * ret_size,
+ unsigned int *ret_type,
+ unsigned int *critical)
+{
+ return get_alt_name (cert, "2.5.29.18", seq, ret, ret_size, ret_type,
+ critical, 0);
}
/**
@@ -1288,7 +1377,41 @@ gnutls_x509_crt_get_subject_alt_othername_oid
(gnutls_x509_crt_t cert,
unsigned int seq,
void *ret, size_t * ret_size)
{
- return get_subject_alt_name (cert, seq, ret, ret_size, NULL, NULL, 1);
+ return get_alt_name (cert, "2.5.29.17", seq, ret, ret_size, NULL, NULL, 1);
+}
+
+/**
+ * gnutls_x509_crt_get_issuer_alt_othername_oid - Get Issuer AltName otherName
OID
+ * @cert: should contain a #gnutls_x509_crt_t structure
+ * @seq: specifies the sequence number of the alt name (0 for the first one, 1
for the second etc.)
+ * @ret: is the place where the otherName OID will be copied to
+ * @ret_size: holds the size of ret.
+ *
+ * This function will extract the type OID of an otherName Subject
+ * Alternative Name, contained in the given certificate, and return
+ * the type as an enumerated element.
+ *
+ * This function is only useful if
+ * gnutls_x509_crt_get_issuer_alt_name() returned
+ * %GNUTLS_SAN_OTHERNAME.
+ *
+ * Returns: the alternative issuer name type on success, one of the
+ * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
+ * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
+ * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
+ * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
+ * @ret_size is not large enough to hold the value. In that case
+ * @ret_size will be updated with the required size. If the
+ * certificate does not have an Alternative name with the specified
+ * sequence number and with the otherName type then
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
+ **/
+int
+gnutls_x509_crt_get_issuer_alt_othername_oid (gnutls_x509_crt_t cert,
+ unsigned int seq,
+ void *ret, size_t * ret_size)
+{
+ return get_alt_name (cert, "2.5.29.18", seq, ret, ret_size, NULL, NULL, 1);
}
/**
@@ -2356,7 +2479,7 @@ gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert,
int
gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt,
const gnutls_datum_t * signature,
- gnutls_digest_algorithm_t *hash)
+ gnutls_digest_algorithm_t * hash)
{
if (crt == NULL)
{
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5538fb7..4779c64 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -58,7 +58,7 @@ ctests = simple gc set_pkcs12_cred certder mpi
\
finished hostname-check cve-2008-4989 pkcs12_s2k chainverify \
crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 \
crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \
- nul-in-x509-names
+ nul-in-x509-names x509_altname
if ENABLE_OPENSSL
ctests += openssl
diff --git a/tests/x509_altname.c b/tests/x509_altname.c
new file mode 100644
index 0000000..ef99bae
--- /dev/null
+++ b/tests/x509_altname.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2006, 2007, 2008 Free Software Foundation
+ * Author: Simon Josefsson, Howard Chu
+ *
+ * This file is part of GNUTLS.
+ *
+ * GNUTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GNUTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GNUTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdio.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include "utils.h"
+
+static char pem[] =
+"-----BEGIN CERTIFICATE-----\n"
+"MIIE6zCCA9OgAwIBAgIBdjANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJTRTEf\n"
+"MB0GA1UEChMWU3RvY2tob2xtcyB1bml2ZXJzaXRldDEgMB4GA1UEAxMXU3RvY2to\n"
+"b2xtIFVuaXZlcnNpdHkgQ0EwHhcNMDYwMzIyMDkxNTI4WhcNMDcwMzIyMDkxNTI4\n"
+"WjBDMQswCQYDVQQGEwJTRTEfMB0GA1UEChMWU3RvY2tob2xtcyB1bml2ZXJzaXRl\n"
+"dDETMBEGA1UEAxMKc2lwMS5zdS5zZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC\n"
+"gYEArUzXTD36ZK7CwZJH/faUNTcdaqM7JyiZsfrO703d7cT/bJ3wKxT8trOOh/Ou\n"
+"WwgGFX2+r7ykun3aIUXUuD13Yle/yHqH/4g9vWX7UeFCBlSI0tAxnlqt0QqlPgSd\n"
+"GLHcoO4PPyjon9jj0A/zpJGZHiRUCooo63YqE9MYfr5HBfkCAwEAAaOCAl8wggJb\n"
+"MAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD\n"
+"VR0OBBYEFDpcXNHMLJ7fc/c72BtZseq4MDXFMH8GA1UdIwR4MHaAFJ4uMLo32VFE\n"
+"yZ2/GCHxvX7utYZIoVukWTBXMQswCQYDVQQGEwJTRTEYMBYGA1UEChMPVW1lYSBV\n"
+"bml2ZXJzaXR5MRMwEQYDVQQLEwpTd1VQS0ktUENBMRkwFwYDVQQDExBTd1VQS0kg\n"
+"UG9saWN5IENBggEQMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jYS5zdS5zZS8y\n"
+"MDA1LTEvY3JsLXYyLmNybDB5BgNVHSAEcjBwMG4GCCqFcCsCAQEBMGIwHwYIKwYB\n"
+"BQUHAgEWE2h0dHA6Ly9jYS5zdS5zZS9DUFMwPwYIKwYBBQUHAgIwMxoxTGltaXRl\n"
+"ZCBMaWFiaWxpdHksIHNlZSBodHRwOi8vd3d3LnN3dXBraS5zdS5zZS9DUDAkBgNV\n"
+"HRIEHTAbgQhjYUBzdS5zZYYPaHR0cDovL2NhLnN1LnNlMIG3BgNVHREEga8wgayC\n"
+"F2luY29taW5ncHJveHkuc2lwLnN1LnNlghhpbmNvbWluZ3Byb3h5MS5zaXAuc3Uu\n"
+"c2WCF291dGdvaW5ncHJveHkuc2lwLnN1LnNlghhvdXRnb2luZ3Byb3h5MS5zaXAu\n"
+"c3Uuc2WCDW91dC5zaXAuc3Uuc2WCE2FwcHNlcnZlci5zaXAuc3Uuc2WCFGFwcHNl\n"
+"cnZlcjEuc2lwLnN1LnNlggpzaXAxLnN1LnNlMA0GCSqGSIb3DQEBBQUAA4IBAQAR\n"
+"FYg7ytcph0E7WmvM44AN/8qru7tRX6aSFWrjLyVr/1Wk4prCK4y5JpfNw5dh9Z8f\n"
+"/gyFsr1iFsb6fS3nJTTd3fVlWRfcNCGIx5g8KuSb3u6f7VznkGOeiRMRESQc1G8B\n"
+"eh0zbdZS7BYO2g9EKlbGST5PwQnc4g9K7pqPyKSNVkzb60Nujg/+qYje7MCcN+ZR\n"
+"nUBo6U2NZ06/QEUFm+uUIhZ8IGM1gLehC7Q3G4+d4c38CDJxQnSPOgWiXuSvhhQm\n"
+"KDsbrKzRaeBRh5eEJbTkA8Dp0Emb0UrkRVhixeg97stxUcATAjdGljJ9MLnuHXnI\n"
+"7ihGdUfg5q/105vpsQpO\n"
+"-----END CERTIFICATE-----\n";
+
+#define MAX_DATA_SIZE 1024
+
+void
+doit (void)
+{
+ int ret;
+ gnutls_datum_t derCert = { pem, sizeof (pem) };
+ gnutls_x509_crt_t cert;
+ size_t data_len = MAX_DATA_SIZE;
+ char data[ MAX_DATA_SIZE ];
+ unsigned int critical = 0;
+ int alt_name_count = 0;
+
+ ret = gnutls_global_init ();
+ if (ret < 0)
+ fail ("init %d\n", ret);
+
+ ret = gnutls_x509_crt_init (&cert);
+ if (ret < 0)
+ fail ("crt_init %d\n", ret);
+
+ ret = gnutls_x509_crt_import (cert, &derCert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail ("crt_import %d\n", ret);
+
+ for (alt_name_count = 0; ; ++alt_name_count) {
+ ret = gnutls_x509_crt_get_issuer_alt_name (cert, alt_name_count, data,
&data_len, &critical);
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+
+ if (ret < 0)
+ fail ("get_issuer_alt_name: %d\n", ret);
+
+ // TODO: print out / check results
+ if (GNUTLS_SAN_URI == ret) {
+ if (strcmp( data, "http://ca.su.se"; ) != 0) {
+ fail("unexpected issuer GNUTLS_SAN_URI: %s\n", data);
+ }
+ } else if (GNUTLS_SAN_RFC822NAME == ret) {
+ if (strcmp( data, "address@hidden" ) != 0) {
+ fail("unexpected issuer GNUTLS_SAN_RFC822NAME: %s\n", data);
+ }
+ } else {
+ fail("unexpected alt name type: %d\n", ret);
+ }
+ data_len = MAX_DATA_SIZE;
+ }
+
+ if (alt_name_count !=2) {
+ fail("unexpected number of alt names: %i\n", alt_name_count);
+ }
+
+ success ("done\n");
+
+ gnutls_x509_crt_deinit (cert);
+ gnutls_global_deinit ();
+}
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_9_4-7-gfe3124f,
Simon Josefsson <=