Re: Practical impediment to supporting multiple SSL libraries
From | Martijn van Oosterhout |
---|---|
Subject | Re: Practical impediment to supporting multiple SSL libraries |
Date | |
Msg-id | 20060412191304.GI22456@svana.org |
In reply to | Re: Practical impediment to supporting multiple SSL libraries ("Magnus Hagander" <mha@sollentuna.net>) |
List | pgsql-hackers |
On Wed, Apr 12, 2006 at 08:14:58PM +0200, Magnus Hagander wrote:
> > Other than DN and CN, what else would people want?
>
> Issuer (name and certificate), validity dates, basic constraints, key
> usage, possibly fingerprint.

GnuTLS handles this with just one function:

    gnutls_x509_crt_get_dn_by_oid( cert, oid, index, raw, &data, &length )

And a whole pile of #defines

    #define GNUTLS_OID_X520_COUNTRY_NAME "2.5.4.6"
    #define GNUTLS_OID_X520_ORGANIZATION_NAME "2.5.4.10"
    #define GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
    etc...

Which is nice because then end users can code in the attributes they
want and we don't have to deal with the endless variations. I don't
however know enough to know if this (with a function to get OIDs by
index) is sufficient to extract all the information from the
certificate.

Presumably OpenSSL can do this too...

--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
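What a lookup "by OID and index" does at the DER level, as an added example that is not part of the original message and is neither GnuTLS nor PostgreSQL code. It is written in Python so the whole parser fits in one block; `iter_tlv`, `oid_to_dotted`, `dn_get_by_oid` and `SAMPLE_DN` are hypothetical names, the sample Name is constructed, and values are assumed to be ASCII or UTF-8 string types.

```python
# Constructed sample: DER-encoded Name for C=NL, O=Example, OU=Dev, OU=Ops.
SAMPLE_DN = bytes.fromhex(
    "303b310b3009060355040613024e4c" "3110300e060355040a13074578616d706c65"
    "310c300a060355040b1303446576" "310c300a060355040b13034f7073")

def iter_tlv(buf):
    """Yield (tag, value) for each DER element in buf, bounds-checked."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length == 0x80:
            raise ValueError("indefinite length is not valid DER")
        if length & 0x80:              # long form: low 7 bits count length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > len(buf):
            raise ValueError("DER value overruns its container")
        yield tag, buf[pos:pos + length]
        pos += length

def oid_to_dotted(body):
    """Decode a DER OBJECT IDENTIFIER body to dotted-decimal text."""
    vals, arc = [], 0
    for byte in body:
        arc = (arc << 7) | (byte & 0x7F)
        if not byte & 0x80:            # high bit clear ends this arc
            vals.append(arc)
            arc = 0
    if not vals:
        return ""
    first = min(vals[0] // 40, 2)      # first value packs the first two arcs
    return ".".join(map(str, [first, vals[0] - 40 * first] + vals[1:]))

def dn_get_by_oid(dn, oid, index=0):
    """Return the index-th value of attribute `oid` in a DER Name, else None."""
    for _, rdns in iter_tlv(dn):                   # Name ::= SEQUENCE OF RDN
        for _, rdn in iter_tlv(rdns):              # RDN ::= SET OF type+value
            for _, atv in iter_tlv(rdn):
                (t, oid_body), (_, value) = list(iter_tlv(atv))[:2]
                if t == 0x06 and oid_to_dotted(oid_body) == oid:
                    if index == 0:
                        return value.decode("utf-8", "replace")
                    index -= 1
    return None
```

The dotted strings passed as `oid` are the same ones the quoted #defines carry, so `dn_get_by_oid(SAMPLE_DN, "2.5.4.11", 1)` returns the second organizational unit; the index is what lets a caller reach repeated attributes.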