We have a port of GNUtls support for OpenLDAP underway. Their certificate DN parsing APIs are pretty bad. Rather than use their APIs I've modified libldap's ldap_X509dn2bv function to take a DN in DER form, directly from the certificate, and parse it directly using liblber. For that purpose I've needed to add a few new tag definitions as well as a decoder for BER-encoded OIDs.
Not sure if these should be ber_pvt definitions or just public. Since a typical LDAP program rarely is faced with real ASN.1 structures it seems we don't need to expose them. Comments?
Also as a side-effect, we can support certificate parsing, to implement the certificate-related component matching rules, without needing OpenSSL or any other crypto library. I.e., I have a complete certificate parser using liblber. (The code is trivial. We probably should have done this from the start...)
Something I'd like to revisit - when using liblber and parsing in-place, our parse is destructive because we NUL-terminate all octet strings. I'm considering changing this behavior, to leave the original BER data unmodified. At present it seems this change would have the greatest effect on Debug output, where we pass ber->bv_val's for printing without any further qualification. Any thoughts?
as an aside - the fact that GNUtls' certificate DN handling is broken is worrisome, since issuer DNs are an integral part of certificate path validation. Until we have time to dig deeper into that code and patch all the problems, it would be a good idea to avoid using GNUtls.
Howard Chu writes:
as an aside - the fact that GNUtls' certificate DN handling is broken is worrisome, since issuer DNs are an integral part of certificate path validation. Until we have time to dig deeper into that code and patch all the problems, it would be a good idea to avoid using GNUtls.
Sounds to me like it's better to wait for GNUtls to be fixed before supporting it. If it's that broken, it seems likely that there are bugs which you haven't found too, which maybe someone can exploit. TLS is not something one it's nice to expecet bugs in...
Or if you need to support if for some reason, maybe don't support a configure option, just something like env ol_cv_use_broken_gnutls ./configure