January 1999, Available from
@url{http://www.ietf.org/rfc/rfc2246.txt}.
+@item @anchor{RFC4514}[RFC4514]
+Kurt D. Zeilenga, "Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names",
+June 2006, Available from
+@url{http://www.ietf.org/rfc/rfc4513.txt}.
+
@item @anchor{RFC4346}[RFC4346]
Tim Dierks and Eric Rescorla, "The TLS Protocol Version 1.1", Match
2006, Available from @url{http://www.ietf.org/rfc/rfc4346.txt}.
@menu
* X.509 certificate structure::
+* X.509 distinguished names::
* Verifying X.509 certificate paths::
* Verifying a certificate in the context of TLS session::
@end menu
demonstrate the @acronym{X.509} parsing capabilities can be found at
@ref{ex:x509-info}.
+@node X.509 distinguished names
+@subsection X.509 distinguished names
+@cindex X.509 distinguished name
+
+The ``subject'' of an X.509 certificate is not described by
+a single name, but rather with a distinguished name. This in
+X.509 terminology is a list of strings each associated an object
+identifier. To make things simple GnuTLS provides @funcref{gnutls_x509_crt_get_dn}
+which follows the rules in @xcite{RFC4514} and returns a single
+string. Access to each string by individual object identifiers
+can be accessed using @funcref{gnutls_x509_crt_get_dn_by_oid}.
+
+@showfuncdesc{gnutls_x509_crt_get_dn}
+@showfuncdesc{gnutls_x509_crt_get_dn_by_oid}
+@showfuncdesc{gnutls_x509_crt_get_dn_oid}
+
+The more powerful @funcref{gnutls_x509_crt_get_subject} and
+@funcref{gnutls_x509_dn_get_rdn_ava} provide efficient access
+to the contents of the distinguished name structure.
+
+@showfuncdesc{gnutls_x509_crt_get_subject}
+@showfuncdesc{gnutls_x509_dn_get_rdn_ava}
+
+Similar functions exist to access the distinguished name
+of the issuer of the certificate.
+
+@showfuncD{gnutls_x509_crt_get_issuer_dn,gnutls_x509_crt_get_issuer_dn_by_oid,gnutls_x509_crt_get_issuer_dn_oid,gnutls_x509_crt_get_issuer}
+
@node Verifying X.509 certificate paths
@subsection Verifying @acronym{X.509} certificate paths
@cindex verifying certificate paths
url = "http://www.ietf.org/rfc/rfc2246.txt"
}
+@Misc{ RFC4514,
+ author = "Kurt D. Zeilenga",
+ title = "{Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names}",
+ month = "June",
+ year = "2006",
+ note = "Available from \url{http://www.ietf.org/rfc/rfc4514.txt}",
+ url = "http://www.ietf.org/rfc/rfc4514.txt"
+}
+
@misc{RFC3820,
author="Steven Tuecke and Von Welch and Doug Engert and Laura Pearlman and Mary Thompson",
title="Internet {X.509} Public Key Infrastructure {(PKI)} Proxy Certificate Profile",
func) _GNUTLS_GCC_ATTR_DEPRECATED;
/* External signing callback. No longer supported because it
- * was deprecated by the PKCS #11 API and gnutls_privkey_t. */
+ * was deprecated by the PKCS #11 API or gnutls_privkey_import_ext. */
typedef int (*gnutls_sign_func) (gnutls_session_t session,
void *userdata,
gnutls_certificate_type_t cert_type,
*
* This function will copy the name of the CRL issuer in the provided
* buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
- * described in RFC2253. The output string will be ASCII or UTF-8
+ * described in RFC4514. The output string will be ASCII or UTF-8
* encoded, depending on the certificate data.
*
* If buf is %NULL then only the size will be filled.
*
* This function will extract the part of the name of the CRL issuer
* specified by the given OID. The output will be encoded as described
- * in RFC2253. The output string will be ASCII or UTF-8 encoded,
+ * in RFC4514. The output string will be ASCII or UTF-8 encoded,
* depending on the certificate data.
*
* Some helper macros with popular OIDs can be found in gnutls/x509.h
* If raw flag is (0), this function will only return known OIDs as
- * text. Other OIDs will be DER encoded, as described in RFC2253 -- in
- * hex format with a '\#' prefix. You can check about known OIDs
+ * text. Other OIDs will be DER encoded, as described in RFC4514 -- in
+ * hex format with a '#' prefix. You can check about known OIDs
* using gnutls_x509_dn_oid_known().
*
* If buf is null then only the size will be filled.
return oid;
}
-/* Escapes a string following the rules from RFC2253.
+/* Escapes a string following the rules from RFC4514.
*/
static char *
str_escape (char *str, char *buffer, unsigned int buffer_size)
*
* This function will return the name of the given RDN sequence. The
* name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in
- * RFC2253.
+ * RFC4514.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or
* %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is
*
* This function will return the name of the given Object identifier,
* of the RDN sequence. The name will be encoded using the rules
- * from RFC2253.
+ * from RFC4514.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or
* %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is
*
* This function will copy the name of the Certificate issuer in the
* provided buffer. The name will be in the form
- * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
+ * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string
* will be ASCII or UTF-8 encoded, depending on the certificate data.
*
* If @buf is null then only the size will be filled.
*
* This function will extract the part of the name of the Certificate
* issuer specified by the given OID. The output, if the raw flag is not
- * used, will be encoded as described in RFC2253. Thus a string that is
+ * used, will be encoded as described in RFC4514. Thus a string that is
* ASCII or UTF-8 encoded, depending on the certificate data.
*
* Some helper macros with popular OIDs can be found in gnutls/x509.h
* If raw flag is (0), this function will only return known OIDs as
- * text. Other OIDs will be DER encoded, as described in RFC2253 --
- * in hex format with a '\#' prefix. You can check about known OIDs
+ * text. Other OIDs will be DER encoded, as described in RFC4514 --
+ * in hex format with a '#' prefix. You can check about known OIDs
* using gnutls_x509_dn_oid_known().
*
* If @buf is null then only the size will be filled. If the @raw_flag
*
* This function will copy the name of the Certificate in the provided
* buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
- * described in RFC2253. The output string will be ASCII or UTF-8
+ * described in RFC4514. The output string will be ASCII or UTF-8
* encoded, depending on the certificate data.
*
* If @buf is null then only the size will be filled.
*
* This function will extract the part of the name of the Certificate
* subject specified by the given OID. The output, if the raw flag is
- * not used, will be encoded as described in RFC2253. Thus a string
+ * not used, will be encoded as described in RFC4514. Thus a string
* that is ASCII or UTF-8 encoded, depending on the certificate data.
*
* Some helper macros with popular OIDs can be found in gnutls/x509.h
* If raw flag is (0), this function will only return known OIDs as
- * text. Other OIDs will be DER encoded, as described in RFC2253 --
- * in hex format with a '\#' prefix. You can check about known OIDs
+ * text. Other OIDs will be DER encoded, as described in RFC4514 --
+ * in hex format with a '#' prefix. You can check about known OIDs
* using gnutls_x509_dn_oid_known().
*
* If @buf is null then only the size will be filled. If the @raw_flag