
Re: (ITS#6460) SASL EXTERNAL fails with long certificate serial numbers
Howard Chu wrote:
> masarati@aero.polimi.it wrote:
>>> * masarati@aero.polimi.it [2010-01-24 16:01:23 +0100]:
>>>> Funny enough, the same thing is dealt with correctly in certificate
>>>> validation/normalization in slapd/schema_init.c
>>> That was a result of ITS#5070 (which you filed).
>> right :)
>>
>>> Maybe there is an
>>> opportunity for refactoring, but I wouldn't be a good judge of that.
>> I don't quite bother about refactoring to minimize code duplication.
>> Rather, I think the libldap function x509_cert_get_dn() should first
>> validate the certificate, much like slapd's certificateValidate() does.
> 
> Since the cert was obtained thru a TLS handshake, we assume it has already
> been validated by the TLS library. Further validation is not needed.

What I mean is that the TLS library may handle certificates that our 
function does not like (as in this case).  Slapd's code, while skipping 
fields, checks their tags.  We should do the same here, IMHO.

p.
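The point in the reply above is that a DN extractor which skips over tbsCertificate fields should verify the tag of each field it skips, and decode lengths properly, instead of assuming fixed sizes. The following is an added example written for this page; it is not OpenLDAP's x509_cert_get_dn() or slapd's certificateValidate(), and the function names der_read(), der_expect() and cert_get_names() are hypothetical. It walks an RFC 5280 Certificate down to the issuer and subject Names, tolerating a serial number of any length because it only requires the INTEGER tag, and rejecting a wrong tag or a truncated buffer. The sample input is constructed for the example: a v3 tbsCertificate with a 20-byte serial number and long-form lengths, with signatureAlgorithm and signatureValue left out because the walker never reaches them.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct der_tlv { unsigned char tag; size_t len; const unsigned char *val, *next; };

/* Decode one tag-length-value element at p (end is one past the buffer).
 * Returns 0, or -1 if the header is malformed or the content overruns end. */
static int der_read(const unsigned char *p, const unsigned char *end, struct der_tlv *t)
{
    size_t len, n, i;

    if (end - p < 2 || (p[0] & 0x1f) == 0x1f)   /* need tag+length; certs never use high tag numbers */
        return -1;
    t->tag = p[0];
    if (p[1] < 0x80) {                          /* short form: one length byte */
        len = p[1];
        p += 2;
    } else {                                    /* long form: 0x80|n, then n big-endian length bytes */
        n = p[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < 2 + n || p[2] == 0)
            return -1;
        for (len = 0, i = 0; i < n; i++)
            len = (len << 8) | p[2 + i];
        if (len < 0x80)                         /* DER requires the shortest length encoding */
            return -1;
        p += 2 + n;
    }
    if ((size_t)(end - p) < len)                /* content must lie inside the buffer */
        return -1;
    t->len = len; t->val = p; t->next = p + len;
    return 0;
}

enum { CERT_OK = 0, CERT_MALFORMED = -1, CERT_BAD_TAG = -2 };

/* Decode the next element and require a specific tag. */
static int der_expect(const unsigned char *p, const unsigned char *end, unsigned char tag, struct der_tlv *t)
{
    if (der_read(p, end, t) != 0)
        return CERT_MALFORMED;
    return t->tag == tag ? CERT_OK : CERT_BAD_TAG;
}

struct cert_names {
    const unsigned char *issuer, *subject;  /* full Name TLVs inside the certificate */
    size_t issuer_len, subject_len, serial_len;
};

/* Walk RFC 5280 Certificate -> tbsCertificate -> issuer and subject, checking the tag
 * of every field that is skipped instead of assuming fixed sizes or offsets. */
int cert_get_names(const unsigned char *cert, size_t cert_len, struct cert_names *out)
{
    struct der_tlv t, tbs;
    const unsigned char *p, *end;
    int rc;

    if ((rc = der_expect(cert, cert + cert_len, 0x30, &t)) != 0) return rc;   /* Certificate SEQUENCE */
    if ((rc = der_expect(t.val, t.next, 0x30, &tbs)) != 0) return rc;         /* tbsCertificate SEQUENCE */
    p = tbs.val; end = tbs.next;

    if (der_read(p, end, &t) != 0) return CERT_MALFORMED;
    if (t.tag == 0xa0) p = t.next;              /* version [0] EXPLICIT is OPTIONAL: skip only if present */

    if ((rc = der_expect(p, end, 0x02, &t)) != 0) return rc;   /* serialNumber INTEGER: any length is fine */
    out->serial_len = t.len; p = t.next;
    if ((rc = der_expect(p, end, 0x30, &t)) != 0) return rc;   /* signature AlgorithmIdentifier, skipped */
    p = t.next;
    if ((rc = der_expect(p, end, 0x30, &t)) != 0) return rc;   /* issuer Name */
    out->issuer = p; out->issuer_len = (size_t)(t.next - p); p = t.next;
    if ((rc = der_expect(p, end, 0x30, &t)) != 0) return rc;   /* validity, skipped */
    p = t.next;
    if ((rc = der_expect(p, end, 0x30, &t)) != 0) return rc;   /* subject Name */
    out->subject = p; out->subject_len = (size_t)(t.next - p);
    return CERT_OK;
}

/* Constructed sample (not a real certificate): v3 tbsCertificate with a 20-byte serial
 * number, the RFC 5280 maximum, and long-form lengths; signatureAlgorithm and
 * signatureValue are omitted because the walker never reaches them. */
static const unsigned char sample_cert[] =
    "\x30\x81\x86"  "\x30\x81\x83"                   /* Certificate (134), tbsCertificate (131) */
    "\xa0\x03\x02\x01\x02"                           /* version [0] INTEGER 2 */
    "\x02\x14" "\x0d\x9e\x3a\x7f\x21\x44\x58\x6c\x80\x94\xa8\xbc\xd0\xe4\xf8\x0c\x20\x34\x48\x5c"
    "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"  /* sha256WithRSAEncryption, NULL */
    "\x30\x12\x31\x10\x30\x0e\x06\x03\x55\x04\x03\x0c\x07" "test-ca"  /* issuer CN=test-ca */
    "\x30\x1e\x17\x0d" "100101000000Z" "\x17\x0d" "200101000000Z"     /* validity */
    "\x30\x23\x31\x21\x30\x1f\x06\x03\x55\x04\x03\x0c\x18" "example-subject-for-test";  /* subject */

int main(void)
{
    struct cert_names n = {0};
    int rc = cert_get_names(sample_cert, sizeof(sample_cert) - 1, &n);
    printf("rc=%d serial=%zu bytes issuer=%zu bytes subject=%zu bytes\n",
           rc, n.serial_len, n.issuer_len, n.subject_len);
    return rc == CERT_OK ? 0 : 1;
}
```

Because der_expect() is used for every field, a certificate whose serial number is tagged as anything but INTEGER, or whose lengths do not fit the buffer, is reported as CERT_BAD_TAG or CERT_MALFORMED rather than silently mis-parsed; the serial number's own length is never assumed.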