On Tue, Apr 08, 2008 at 12:22:34AM +0200, Dr. Stephen Henson wrote:

> Couple of minor points...
>
> On Mon, Apr 07, 2008, Victor Duchovni wrote:
> >
> > To parse subjectAlternativeName entries:
> >
> > X509 *cert;
> > STACK_OF(GENERAL_NAME) *gens;
> > const GENERAL_NAME *gn;
> > int i;
> > int num;
> > int len;
> > char *dnsname;
> >
> > gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
> > num = sk_GENERAL_NAME_num(gens);
> >
> > for (i = 0; i < num; ++i) {
> > gn = sk_GENERAL_NAME_value(gens, i);
> > ...
> > if (gn->type != GEN_DNS)
> > /* fatal error */

>
> This isn't really a fatal error you should just continue and go on to the next
> entry.


Yes, sorry, taken out of context. In the Postfix code on which this is based,
there is a test for GEN_DNS earlier, so the second test makes sense, but indeed
there can be a variety of alternative names.

> > if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
> > /* malformed cert */
> >

>
> Also this test is unnecessary because only type IA5String is allowed; the way
> the structure is formed means it will always be true.


When you say "formed" do you mean when certs are created, or when certs are
deserialized into an "X509" structure? If altName extensions of type GEN_DNS
are guaranteed by the parser to always be V_ASN1_IA5STRING objects, the check
morphs from "malformed cert" to "fatal error"...

I think that before assuming that the ASN.1 value has a given type, the
type should always be checked. Thanks for the clarification.

--
Viktor.
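The point the two messages circle around can be made concrete with a small DER walker. The following is an added example, not code from the thread, from Postfix or from OpenSSL: it parses the value of a subjectAltName extension (the GeneralNames SEQUENCE from RFC 5280) and shows why a dNSName is IA5String by construction (the CHOICE alternative is IMPLICITly tagged, so the universal IA5String tag never appears on the wire and the decoder fixes the type when it recognises tag [2]), while the checks that still belong to the caller are the alternative itself (skip rfc822Name, iPAddress and the rest instead of failing), the primitive/constructed bit, the 7-bit character set and the DER length rather than a NUL terminator. The sample extension values and the tag constants named GEN_* are constructed for this example; the numbering matches RFC 5280 and OpenSSL's GEN_* constants.

```python
# Added example (not from the thread): a minimal DER walker for the
# subjectAltName extension value (GeneralNames).  Tag numbers follow the
# RFC 5280 GeneralName CHOICE; OpenSSL's GEN_* constants use the same values.

GEN_EMAIL = 1   # rfc822Name               [1] IMPLICIT IA5String
GEN_DNS = 2     # dNSName                  [2] IMPLICIT IA5String
GEN_URI = 6     # uniformResourceIdentifier [6] IMPLICIT IA5String
GEN_IPADD = 7   # iPAddress                [7] IMPLICIT OCTET STRING


def _read_tlv(data, pos):
    """Parse one DER TLV at offset pos -> (tag_byte, value_bytes, next_pos).

    Single-byte tags and definite lengths only, which is all GeneralName needs.
    """
    if pos >= len(data):
        raise ValueError("truncated: no tag")
    tag = data[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not expected in GeneralName")
    if pos >= len(data):
        raise ValueError("truncated: no length")
    first = data[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if pos + n > len(data):
            raise ValueError("truncated: length bytes")
        length = int.from_bytes(data[pos:pos + n], "big")
        if data[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding (not DER)")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated: value")
    return tag, data[pos:pos + length], pos + length


def parse_general_names(der):
    """Split a GeneralNames SEQUENCE into (choice, constructed, value) tuples.

    Every element must carry a context-specific tag: GeneralName is a CHOICE
    whose alternatives are all IMPLICITly tagged, so the universal IA5String
    tag of a dNSName is never on the wire.  The decoder assigns the string
    type from the tag number, which is why the type is fixed by the structure.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("GeneralNames must be exactly one SEQUENCE")
    names = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError("GeneralName alternative must be context-specific")
        names.append((tag & 0x1F, bool(tag & 0x20), value))
    return names


def san_dns_names(der):
    """Return the dNSName entries of a subjectAltName value as str.

    Other alternatives are skipped, not rejected.  For DNS entries the checks
    that remain meaningful are on the contents: IA5String is 7-bit, and the
    DER length, not a NUL terminator, bounds the name.
    """
    result = []
    for choice, constructed, value in parse_general_names(der):
        if choice != GEN_DNS:
            continue  # rfc822Name, iPAddress, URI ... are legal, just not wanted
        if constructed:
            raise ValueError("dNSName must be a primitive string")
        if any(b > 0x7F for b in value):
            raise ValueError("dNSName is not a valid IA5String")
        if b"\x00" in value:
            raise ValueError("embedded NUL in dNSName")
        result.append(value.decode("ascii"))
    return result


def _tlv(tag, value):
    """Encode a short-form DER TLV (used only to build constructed samples)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


# Constructed sample: one e-mail address, two DNS names, one IPv4 address.
SAMPLE_SAN = _tlv(0x30,
                  _tlv(0x81, b"a@example.com")
                  + _tlv(0x82, b"www.example.com")
                  + _tlv(0x87, bytes([192, 0, 2, 1]))
                  + _tlv(0x82, b"*.example.net"))

# Constructed malformed sample: a dNSName carrying an embedded NUL byte.
NUL_SAN = _tlv(0x30, _tlv(0x82, b"www.example.com\x00.example.net"))

if __name__ == "__main__":
    print(san_dns_names(SAMPLE_SAN))
    try:
        san_dns_names(NUL_SAN)
    except ValueError as err:
        print("rejected:", err)
```

Mapped back to the C in the thread: the tag check done by `parse_general_names` is what `d2i` has already done when it set `gn->type`, so `ASN1_STRING_type(gn->d.ia5)` cannot disagree with `GEN_DNS`; `gn->type != GEN_DNS` is still the caller's decision (skip, not fail), and the content checks in `san_dns_names` are the ones a C caller must make against the ASN1_STRING length rather than with `strlen`.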
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org