Howard Chu wrote:
masarati@aero.polimi.it wrote:
- masarati@aero.polimi.it [2010-01-24 16:01:23 +0100]:
Funny enough, the same thing is dealt with correctly in certificate validation/normalization in slapd/schema_init.c
That was a result of ITS#5070 (which you filed).
right :)
Maybe there is an opportunity for refactoring, but I wouldn't be a good judge of that.
I don't quite bother about refactoring to minimize code duplication. Rather, I think the libldap function x509_cert_get_dn() should first validate the certificate, much like slapd's certificateValidate() does.
Since the cert was obtained through a TLS handshake, we assume it has already been validated by the TLS library. Further validation is not needed.
What I mean is that the TLS library may handle certificates that our function does not like (as in this case). Slapd's code, while skipping fields, checks their tags. We should do the same here, IMHO.
p.
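The approach argued for in the last message (check each field's tag while skipping to the subject), as an added example that is not part of the thread and is not OpenLDAP's code. The names `der_hdr`, `cert_subject_dn` and `sample_cert` are hypothetical, the sample bytes are a constructed skeleton, and length fields longer than three bytes are rejected as a simplification.

```c
#include <stddef.h>
/* Constructed skeleton, not a real certificate: version, serial, then
 * empty sigAlg/issuer/validity, then a subject holding one empty RDN. */
static const unsigned char sample_cert[] = {
    0x30,0x14, 0x30,0x12, 0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,
    0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x02,0x31,0x00 };

/* Read one DER tag/length header; on success *p points at the value. */
static int der_hdr(const unsigned char **p, const unsigned char *end,
                   unsigned char *tag, size_t *len)
{
    const unsigned char *q = *p;
    if (end - q < 2) return -1;
    *tag = *q++; *len = *q++;
    if (*len & 0x80) {                        /* long-form length */
        size_t n = *len & 0x7f;
        if (n == 0 || n > 3 || (size_t)(end - q) < n) return -1;
        for (*len = 0; n > 0; n--) *len = (*len << 8) | *q++;
    }
    if ((size_t)(end - q) < *len) return -1;  /* value must fit */
    *p = q;
    return 0;
}

/* Locate the subject Name; returns 0, or -1 if any skipped field has
 * the wrong tag or a length that overruns its container. */
int cert_subject_dn(const unsigned char *der, size_t derlen,
                    const unsigned char **dn, size_t *dnlen)
{
    static const unsigned char skip[] = { 0x02, 0x30, 0x30, 0x30 }; /* serial, sigAlg, issuer, validity */
    const unsigned char *p = der, *end = der + derlen, *start;
    unsigned char tag; size_t len, i;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* Certificate */
    end = p + len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* tbsCertificate */
    end = p + len;
    if (p < end && *p == 0xa0) {              /* optional [0] version */
        if (der_hdr(&p, end, &tag, &len)) return -1;
        p += len;
    }
    for (i = 0; i < sizeof skip; i++) {       /* skip, but check each tag */
        if (der_hdr(&p, end, &tag, &len) || tag != skip[i]) return -1;
        p += len;
    }
    start = p;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* subject */
    *dn = start;
    *dnlen = (size_t)(p - start) + len;
    return 0;
}
```

A caller that gets -1 should treat the certificate as unusable for DN extraction rather than fall back to unchecked offsets.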