From: Nikos Mavrogiannopoulos Date: Mon, 9 Jan 2012 23:38:54 +0000 (+0100) Subject: Added discussion of distinguished names. X-Git-Tag: gnutls-3_0_12~56 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=009593680ab18c42bc6b80766285ddacde10c01a;p=thirdparty%2Fgnutls.git Added discussion of distinguished names. --- diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi index b9791df246..40848dbdea 100644 --- a/doc/cha-bib.texi +++ b/doc/cha-bib.texi @@ -27,6 +27,11 @@ Tim Dierks and Christopher Allen, "The TLS Protocol Version 1.0", January 1999, Available from @url{http://www.ietf.org/rfc/rfc2246.txt}. +@item @anchor{RFC4514}[RFC4514] +Kurt D. Zeilenga, "Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names", +June 2006, Available from +@url{http://www.ietf.org/rfc/rfc4513.txt}. + @item @anchor{RFC4346}[RFC4346] Tim Dierks and Eric Rescorla, "The TLS Protocol Version 1.1", Match 2006, Available from @url{http://www.ietf.org/rfc/rfc4346.txt}. diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index 03748bc4ed..8dcb6e94db 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -35,6 +35,7 @@ acceptable. The framework is illustrated on @ref{fig:x509}. @menu * X.509 certificate structure:: +* X.509 distinguished names:: * Verifying X.509 certificate paths:: * Verifying a certificate in the context of TLS session:: @end menu @@ -143,6 +144,34 @@ their prototypes in @file{gnutls/x509.h}. An example program to demonstrate the @acronym{X.509} parsing capabilities can be found at @ref{ex:x509-info}. +@node X.509 distinguished names +@subsection X.509 distinguished names +@cindex X.509 distinguished name + +The ``subject'' of an X.509 certificate is not described by +a single name, but rather with a distinguished name. This in +X.509 terminology is a list of strings each associated an object +identifier. To make things simple GnuTLS provides @funcref{gnutls_x509_crt_get_dn} +which follows the rules in @xcite{RFC4514} and returns a single +string. Access to each string by individual object identifiers +can be accessed using @funcref{gnutls_x509_crt_get_dn_by_oid}. + +@showfuncdesc{gnutls_x509_crt_get_dn} +@showfuncdesc{gnutls_x509_crt_get_dn_by_oid} +@showfuncdesc{gnutls_x509_crt_get_dn_oid} + +The more powerful @funcref{gnutls_x509_crt_get_subject} and +@funcref{gnutls_x509_dn_get_rdn_ava} provide efficient access +to the contents of the distinguished name structure. + +@showfuncdesc{gnutls_x509_crt_get_subject} +@showfuncdesc{gnutls_x509_dn_get_rdn_ava} + +Similar functions exist to access the distinguished name +of the issuer of the certificate. + +@showfuncD{gnutls_x509_crt_get_issuer_dn,gnutls_x509_crt_get_issuer_dn_by_oid,gnutls_x509_crt_get_issuer_dn_oid,gnutls_x509_crt_get_issuer} + @node Verifying X.509 certificate paths @subsection Verifying @acronym{X.509} certificate paths @cindex verifying certificate paths diff --git a/doc/latex/gnutls.bib b/doc/latex/gnutls.bib index a0c9f6313f..1eac296093 100644 --- a/doc/latex/gnutls.bib +++ b/doc/latex/gnutls.bib @@ -7,6 +7,15 @@ url = "http://www.ietf.org/rfc/rfc2246.txt" } +@Misc{ RFC4514, + author = "Kurt D. Zeilenga", + title = "{Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names}", + month = "June", + year = "2006", + note = "Available from \url{http://www.ietf.org/rfc/rfc4514.txt}", + url = "http://www.ietf.org/rfc/rfc4514.txt" +} + @misc{RFC3820, author="Steven Tuecke and Von Welch and Doug Engert and Laura Pearlman and Mary Thompson", title="Internet {X.509} Public Key Infrastructure {(PKI)} Proxy Certificate Profile", diff --git a/lib/includes/gnutls/compat.h b/lib/includes/gnutls/compat.h index d18424b34f..58d55efe91 100644 --- a/lib/includes/gnutls/compat.h +++ b/lib/includes/gnutls/compat.h @@ -192,7 +192,7 @@ void func) _GNUTLS_GCC_ATTR_DEPRECATED; /* External signing callback. No longer supported because it - * was deprecated by the PKCS #11 API and gnutls_privkey_t. */ + * was deprecated by the PKCS #11 API or gnutls_privkey_import_ext. */ typedef int (*gnutls_sign_func) (gnutls_session_t session, void *userdata, gnutls_certificate_type_t cert_type, diff --git a/lib/x509/crl.c b/lib/x509/crl.c index d8056d3cf6..895addd5cf 100644 --- a/lib/x509/crl.c +++ b/lib/x509/crl.c @@ -168,7 +168,7 @@ cleanup: * * This function will copy the name of the CRL issuer in the provided * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as - * described in RFC2253. The output string will be ASCII or UTF-8 + * described in RFC4514. The output string will be ASCII or UTF-8 * encoded, depending on the certificate data. * * If buf is %NULL then only the size will be filled. @@ -204,13 +204,13 @@ gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, char *buf, * * This function will extract the part of the name of the CRL issuer * specified by the given OID. The output will be encoded as described - * in RFC2253. The output string will be ASCII or UTF-8 encoded, + * in RFC4514. The output string will be ASCII or UTF-8 encoded, * depending on the certificate data. * * Some helper macros with popular OIDs can be found in gnutls/x509.h * If raw flag is (0), this function will only return known OIDs as - * text. Other OIDs will be DER encoded, as described in RFC2253 -- in - * hex format with a '\#' prefix. You can check about known OIDs + * text. Other OIDs will be DER encoded, as described in RFC4514 -- in + * hex format with a '#' prefix. You can check about known OIDs * using gnutls_x509_dn_oid_known(). * * If buf is null then only the size will be filled. diff --git a/lib/x509/dn.c b/lib/x509/dn.c index fd9052ea4b..32f52ba4e9 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -50,7 +50,7 @@ oid2ldap_string (const char *oid) return oid; } -/* Escapes a string following the rules from RFC2253. +/* Escapes a string following the rules from RFC4514. */ static char * str_escape (char *str, char *buffer, unsigned int buffer_size) @@ -1030,7 +1030,7 @@ gnutls_x509_dn_deinit (gnutls_x509_dn_t dn) * * This function will return the name of the given RDN sequence. The * name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in - * RFC2253. + * RFC4514. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is @@ -1090,7 +1090,7 @@ gnutls_x509_rdn_get (const gnutls_datum_t * idn, * * This function will return the name of the given Object identifier, * of the RDN sequence. The name will be encoded using the rules - * from RFC2253. + * from RFC4514. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 9ed1764871..0d61c1a29d 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -254,7 +254,7 @@ cleanup: * * This function will copy the name of the Certificate issuer in the * provided buffer. The name will be in the form - * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string + * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string * will be ASCII or UTF-8 encoded, depending on the certificate data. * * If @buf is null then only the size will be filled. @@ -289,13 +289,13 @@ gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char *buf, * * This function will extract the part of the name of the Certificate * issuer specified by the given OID. The output, if the raw flag is not - * used, will be encoded as described in RFC2253. Thus a string that is + * used, will be encoded as described in RFC4514. Thus a string that is * ASCII or UTF-8 encoded, depending on the certificate data. * * Some helper macros with popular OIDs can be found in gnutls/x509.h * If raw flag is (0), this function will only return known OIDs as - * text. Other OIDs will be DER encoded, as described in RFC2253 -- - * in hex format with a '\#' prefix. You can check about known OIDs + * text. Other OIDs will be DER encoded, as described in RFC4514 -- + * in hex format with a '#' prefix. You can check about known OIDs * using gnutls_x509_dn_oid_known(). * * If @buf is null then only the size will be filled. If the @raw_flag @@ -364,7 +364,7 @@ gnutls_x509_crt_get_issuer_dn_oid (gnutls_x509_crt_t cert, * * This function will copy the name of the Certificate in the provided * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as - * described in RFC2253. The output string will be ASCII or UTF-8 + * described in RFC4514. The output string will be ASCII or UTF-8 * encoded, depending on the certificate data. * * If @buf is null then only the size will be filled. @@ -399,13 +399,13 @@ gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf, * * This function will extract the part of the name of the Certificate * subject specified by the given OID. The output, if the raw flag is - * not used, will be encoded as described in RFC2253. Thus a string + * not used, will be encoded as described in RFC4514. Thus a string * that is ASCII or UTF-8 encoded, depending on the certificate data. * * Some helper macros with popular OIDs can be found in gnutls/x509.h * If raw flag is (0), this function will only return known OIDs as - * text. Other OIDs will be DER encoded, as described in RFC2253 -- - * in hex format with a '\#' prefix. You can check about known OIDs + * text. Other OIDs will be DER encoded, as described in RFC4514 -- + * in hex format with a '#' prefix. You can check about known OIDs * using gnutls_x509_dn_oid_known(). * * If @buf is null then only the size will be filled. If the @raw_flag