[Date Prev][Date Next] [Chronological] [Thread] [Top]

liblber additions

We have a port of GNUtls support for OpenLDAP underway. Their certificate DN parsing APIs are pretty bad. Rather than use their APIs I've modified libldap's ldap_X509dn2bv function to take a DN in DER form, directly from the certificate, and parse it directly using liblber. For that purpose I've needed to add a few new tag definitions as well as a decoder for BER-encoded OIDs.

Not sure if these should be ber_pvt definitions or just public. Since a typical LDAP program rarely is faced with real ASN.1 structures it seems we don't need to expose them. Comments?

Also as a side-effect, we can support certificate parsing, to implement the certificate-related component matching rules, without needing OpenSSL or any other crypto library. I.e., I have a complete certificate parser using liblber. (The code is trivial. We probably should have done this from the start...)

Something I'd like to revisit - when using liblber and parsing in-place, our parse is destructive because we NUL-terminate all octet strings. I'm considering changing this behavior, to leave the original BER data unmodified. At present it seems this change would have the greatest effect on Debug output, where we pass ber->bv_val's for printing without any further qualification. Any thoughts?

as an aside - the fact that GNUtls' certificate DN handling is broken is worrisome, since issuer DNs are an integral part of certificate path validation. Until we have time to dig deeper into that code and patch all the problems, it would be a good idea to avoid using GNUtls.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/