[Swan-dev] match_certs_id()

D. Hugh Redelmeier hugh at mimosa.com
Thu Feb 7 15:39:01 UTC 2019


This routine is given a list of certs and a peer's ID (struct id *)
and is supposed to tell the caller if there was a match.

As a side-effect, if the peer's ID was %fromcert, it will be
permanently updated to the name gleaned from the certificate:
	.kind = ID_DER_ASN1_DN,
	.name = same_secitem_as_chunk(end_cert->derSubject)
(I discussed this aspect in my previous message to the list.)

My current concern is that match_certs_id only uses the first element
on the list of certs.

- the callers ensure that there is at least one.

- they sometimes call it with a list of more than one cert.
  (I know this because I planted a pexpect to test for this.)

Should match_certs_id be changed to accept any cert on that list?  If
so, should it somehow indicate which cert(s) matched?

Alternatively, should we require that only one cert be on the list?

PS: why must there be at least one cert?  Because some of the
%fromcert logic would fail if there were none.  This could be handled
in a more elegant way.
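As an added illustration of the "accept any cert on that list" alternative raised above (this is not libreswan's code and not part of the original message): a sketch that walks the whole cert list, returns the cert that matched so the caller knows which one, rewrites a %fromcert ID only once a match is found, and treats an empty list as "no match" rather than something the caller must rule out. The `struct id`, `struct cert` and `chunk_t` definitions, the bytewise subject comparison standing in for NSS SECItem comparison, and the sample subjects are all stand-ins assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types (assumptions for this example, not libreswan's definitions). */
typedef struct { const uint8_t *ptr; size_t len; } chunk_t;

enum id_kind { ID_NONE = 0, ID_FROMCERT, ID_DER_ASN1_DN };

struct id { enum id_kind kind; chunk_t name; };

/* Singly linked cert list; derSubject stands in for the NSS SECItem. */
struct cert { const char *label; chunk_t derSubject; struct cert *next; };

static bool chunk_eq(chunk_t a, chunk_t b)
{
	return a.len == b.len && memcmp(a.ptr, b.ptr, a.len) == 0;
}

/*
 * Variant of match_certs_id() that considers every cert on the list.
 * Returns the cert that matched (so the caller knows which one), or
 * NULL when nothing matched.  peer_id is rewritten only on success:
 * a %fromcert ID adopts the subject of the first (end-entity) cert,
 * and an empty list yields NULL instead of dereferencing nothing.
 */
static const struct cert *match_any_cert_id(const struct cert *certs, struct id *peer_id)
{
	if (certs == NULL)
		return NULL;

	if (peer_id->kind == ID_FROMCERT) {
		peer_id->kind = ID_DER_ASN1_DN;
		peer_id->name = certs->derSubject;
		return certs;
	}

	if (peer_id->kind != ID_DER_ASN1_DN)
		return NULL;

	for (const struct cert *c = certs; c != NULL; c = c->next)
		if (chunk_eq(c->derSubject, peer_id->name))
			return c;
	return NULL;
}

/* Constructed sample subjects: opaque bytes standing in for DER-encoded DNs. */
static const uint8_t SUBJ_A[] = "CN=gw-a.example";
static const uint8_t SUBJ_B[] = "CN=gw-b.example";
static const uint8_t SUBJ_C[] = "CN=stranger.example";

/* Two-element list: cert-a (end entity) followed by cert-b. */
static struct cert cert_b = { "cert-b", { SUBJ_B, sizeof SUBJ_B }, NULL };
static struct cert cert_a = { "cert-a", { SUBJ_A, sizeof SUBJ_A }, &cert_b };

/* Match a DN-type peer ID against the list; returns the 0-based position
 * of the cert that matched, or -1 when no cert matched. */
int match_position(const uint8_t *subj, size_t len)
{
	struct id peer = { ID_DER_ASN1_DN, { subj, len } };
	const struct cert *m = match_any_cert_id(&cert_a, &peer);
	int pos = 0;
	for (const struct cert *c = &cert_a; c != NULL; c = c->next, pos++)
		if (c == m)
			return pos;
	return -1;
}

/* %fromcert against the list: 1 if the ID now carries cert-a's subject. */
int fromcert_adopts_first(void)
{
	struct id peer = { ID_FROMCERT, { NULL, 0 } };
	const struct cert *m = match_any_cert_id(&cert_a, &peer);
	return m == &cert_a && peer.kind == ID_DER_ASN1_DN &&
	       chunk_eq(peer.name, cert_a.derSubject);
}

/* %fromcert against an empty list: 1 if no match and the ID is untouched. */
int fromcert_empty_list_is_safe(void)
{
	struct id peer = { ID_FROMCERT, { NULL, 0 } };
	return match_any_cert_id(NULL, &peer) == NULL && peer.kind == ID_FROMCERT;
}

int main(void)
{
	printf("B matches at position %d\n", match_position(SUBJ_B, sizeof SUBJ_B));
	printf("C matches at position %d\n", match_position(SUBJ_C, sizeof SUBJ_C));
	printf("fromcert adopts first: %d\n", fromcert_adopts_first());
	printf("fromcert on empty list safe: %d\n", fromcert_empty_list_is_safe());
	return 0;
}
```

Returning the matched cert pointer (rather than a bool) is one way to answer the "should it indicate which cert(s) matched" question; the NULL check at the top is what lets the "at least one cert" precondition go away, since the %fromcert path then never touches a missing first element.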
