[Modules] [monkeysphere] mod_gnutls/libmsv

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 5 12:32:49 EDT 2011


On 05/05/2011 11:18 AM, Clint Adams wrote:
> I'm trying to get mod_gnutls to use libmsv for an alternate
> X.509 validation method.
> 
> Can someone advise on how to do this better?

From a monkeysphere perspective, it'd be nice to see libmsv in use for
OpenPGP certificates as well as X.509 certificates.

Is there a reason you have dynamically-allocated buf?  It would seem
simpler to put it directly on the stack if you're going to keep it
fixed-size anyway.

Your use of gnutls_x509_crt_get_subject_alt_othername_oid seems
problematic to me, since the docs say:

   This function is only useful if
   gnutls_x509_crt_get_subject_alt_name() returned
   GNUTLS_SAN_OTHERNAME.

but it doesn't look like you've tested for this condition.

In general, I'm concerned about the use of this function, actually,
since it implies that it might change its behavior based on the version
of gnutls (depending on the known OIDs compiled into gnutls).

Are you expecting client certificates to supply some sort of
monkeysphere-specific OID in SAN?  If so, what is that OID?  We have OID
space allocated for the monkeysphere project -- I'd be happy to allocate
an OID if there's a clear definition.

	--dkg
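The point about only asking for an OtherName OID after the SAN entry has been identified as GNUTLS_SAN_OTHERNAME comes down to how GeneralName is tagged in DER: only entries tagged [0] carry a type-id OBJECT IDENTIFIER, while a dNSName ([2]) is a bare IA5String. The following walker, added here as an illustration and not code from the mail, from mod_gnutls or from libmsv, models that contract with the Python standard library over a constructed (not real) subjectAltName value; the function and constant names are the example's own and the sample OID is id-on-xmppAddr, the kind of "known" OID whose handling dkg notes may depend on the GnuTLS build.

```python
"""Minimal DER walker for the subjectAltName GeneralNames structure (added
example; assumes a constructed SAN, not a certificate from the thread).

It mirrors the contract behind gnutls_x509_crt_get_subject_alt_name() and
gnutls_x509_crt_get_subject_alt_othername_oid(): the type-id OID exists only
for entries tagged otherName [0], so the entry kind must be checked first.
"""

# GeneralName context tags (RFC 5280, 4.2.1.6). otherName is a SEQUENCE, so
# its tag carries the constructed bit (0x20).
TAG_OTHERNAME = 0xA0   # [0] IMPLICIT OtherName
TAG_RFC822 = 0x81      # [1] IA5String
TAG_DNSNAME = 0x82     # [2] IA5String
TAG_URI = 0x86         # [6] IA5String
TAG_IPADDR = 0x87      # [7] OCTET STRING

KIND_NAMES = {TAG_OTHERNAME: "OTHERNAME", TAG_RFC822: "RFC822NAME",
              TAG_DNSNAME: "DNSNAME", TAG_URI: "URI", TAG_IPADDR: "IPADDRESS"}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at pos; rejects
    indefinite and non-minimal lengths, as DER requires."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    head = [0, first] if first < 40 else ([1, first - 40] if first < 80 else [2, first - 80])
    return ".".join(str(a) for a in head + arcs[1:])


def subject_alt_names(general_names_der):
    """Yield (kind, payload) per GeneralName, like the per-seq result of
    gnutls_x509_crt_get_subject_alt_name(): kind is what it returns, payload
    what it copies out. For OTHERNAME the payload is the raw OtherName body."""
    tag, body, _ = _read_tlv(general_names_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        kind = KIND_NAMES.get(tag, "UNKNOWN")
        yield kind, value.decode("ascii") if kind in ("RFC822NAME", "DNSNAME", "URI") else value


def othername_oid(kind, payload):
    """Return the OtherName type-id OID, or None when the entry is not an
    otherName. Reading an OID out of a DNSNAME payload is exactly the misuse
    the mail warns about: those bytes are an IA5String, not a SEQUENCE."""
    if kind != "OTHERNAME":
        return None
    tag, oid_bytes, _ = _read_tlv(payload, 0)
    if tag != 0x06:
        raise ValueError("OtherName must start with an OBJECT IDENTIFIER")
    return _decode_oid(oid_bytes)


def checked_othername_oids(general_names_der):
    """The correct pattern: test the kind first, then fetch the OID."""
    return [othername_oid(kind, payload)
            for kind, payload in subject_alt_names(general_names_der)
            if kind == "OTHERNAME"]


def _tlv(tag, content):
    """Tiny DER encoder used only to build the constructed sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


# Constructed sample SAN: one dNSName plus one otherName carrying
# id-on-xmppAddr (1.3.6.1.5.5.7.8.5) with a UTF8String value.
XMPP_OID = bytes([0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x08, 0x05])
SAMPLE_SAN = _tlv(0x30,
                  _tlv(TAG_DNSNAME, b"www.example.net") +
                  _tlv(TAG_OTHERNAME,
                       _tlv(0x06, XMPP_OID) +
                       _tlv(0xA0, _tlv(0x0C, b"alice@example.net"))))

if __name__ == "__main__":
    for kind, payload in subject_alt_names(SAMPLE_SAN):
        print(kind, payload if isinstance(payload, str) else payload.hex())
    print(checked_othername_oids(SAMPLE_SAN))
```

Running it prints the two entries and then `['1.3.6.1.5.5.7.8.5']`. Note that the walker reports the OID for every otherName and leaves recognising it to the caller; that is the opposite of letting the library decide which OIDs are "known", which is the version-dependence concern raised in the reply.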
