[Modules] [monkeysphere] mod_gnutls/libmsv

[Clint Adams]

On Thu, May 05, 2011 at 12:32:49PM -0400, Daniel Kahn Gillmor wrote:
> from a monkeysphere perspective, it'd be nice to see libmsv in use for
> OpenPGP certificates as well as X.509 certificates.

In that case, what should be passed to MSVA as the peername?

> Is there a reason you have dynamically-allocated buf?  it would seem
> simpler to put it directly on the stack if you're going to keep it
> fixed-size anyway.

Ideally it should resize buf if
gnutls_x509_crt_get_subject_alt_othername_oid returns
GNUTLS_E_SHORT_MEMORY_BUFFER, unless you want an arbitrary
length limit on peername.

> your use of gnutls_x509_crt_get_subject_alt_othername_oid seems
> problematic to me, since the docs say:
> 
>    This function is only useful if
>    gnutls_x509_crt_get_subject_alt_name() returned
>    GNUTLS_SAN_OTHERNAME.
> 
> but it doesn't look like you've tested for this condition.

Presumably gnutls_x509_crt_get_subject_alt_othername_oid() will
fail if no SAN is present, with or without the
gnutls_x509_crt_get_subject_alt_name() check.

> In general, i'm concerned about the use of this function, actually,
> since it implies that it might change its behavior based on the version
> of gnutls (depending on the known OIDs compiled into gnutls).
> 
> Are you expecting client certificates to supply some sort of
> monkeysphere-specific OID in SAN?  If so, what is that OID?  we have OID
> space allocated for the monkeysphere project -- i'd be happy to allocate
> an OID if there's a clear definition.

I'm not sure where the peername should go, since email appears
to be forbidden in the DN.

Since my version of gnutls will return GNUTLS_SAN_OTHERNAME
for any oid but GNUTLS_SAN_OTHERNAME_XMPP, I think both known
and unknown oids can be handled.