Couple of minor points...

On Mon, Apr 07, 2008, Victor Duchovni wrote:
>
> To parse subjectAlternativeName entries:
>
> X509 *cert;
> STACK_OF(GENERAL_NAME) * gens;
> const GENERAL_NAME *gn;
> int num;
> int i;
> int len;
> char *dnsname;
>
> gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
> num = sk_GENERAL_NAME_num(gens);
>
> for (i = 0; i < num; ++i) {
>     gn = sk_GENERAL_NAME_value(gens, i);
>     ...
>     if (gn->type != GEN_DNS)
>         /* fatal error */


This isn't really a fatal error; you should just continue and go on to the next
entry.

>     if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
>         /* malformed cert */
>


Also this test is unnecessary because only type IA5String is allowed; the way
the structure is formed means it will always be true.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org