[gnutls-devel] Hashing CA certs 'subject' to avoid cert preloading

Tim Ruehsen tim.ruehsen at gmx.de
Mon Oct 5 10:14:38 CEST 2015

Hi Nikos, hi list members,

I asked for this a while ago but have to come back to this.

The following is a description based on my observations and assumptions:

OpenSSL provides 'c_rehash' to create hashes for the system CA certs. These 
hashes are based on 'subject' (what else?) and are used as symbolic links to 
the CA certs (e.g. on Debian in /etc/ssl/certs).

To check a server cert on TLS connect, one just has to hash the 'issuer' and 
load the CA cert via the symbolic 'hash' link.

This allows for a very fast TLS application startup (leaving out the 
preloading of ~180 CA certs).

If possible, the hash/symlink utility should be compatible with OpenSSL's 
c_rehash. They use SHA1 hashing over 'canonicalized' data structures (ASN.1, 
DER, CER? - I do not have enough knowledge in that area).

I am willing to write such a hashing tool (using C) and to implement this 
'CACert load on demand' feature into Wget (just working on wget2 / libwget).

What I need from you is:
- API function creating 'subject' hash from a given cert.
- API function creating 'issuer' hash from a given cert.
- Example code loading a cert on demand (extending gnutls-cli).

What do you think?
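
The hashed-directory lookup described in the message, as an added example that is not part of the original post and is not GnuTLS or OpenSSL code. It hashes a DER-encoded Name the way OpenSSL 1.0.0 and later are understood to do it (SHA-1 over a canonicalised encoding), which is an assumption to check against `openssl x509 -subject_hash`; `sample_name` and the other function names are hypothetical.

```python
import hashlib, os

# ASN.1 string tags that get canonicalised, with the decoding assumed for each.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii",
               0x1A: "ascii", 0x1C: "utf-32-be", 0x1E: "utf-16-be"}

def tlvs(buf):  # yield (tag, value, raw element) for each DER element in buf
    i = 0
    while i < len(buf):
        start, tag, n, i = i, buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n], buf[start:i + n]
        i += n

def der(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value

def canon_name(name_der):
    """Canonical form: the RDN SETs without the outer SEQUENCE, strings as UTF8String."""
    (_, rdns, _), = tlvs(name_der)
    out = b""
    for _, rdn, _ in tlvs(rdns):
        atvs = []
        for _, atv, _ in tlvs(rdn):
            (_, _, oid), (vtag, val, raw) = tlvs(atv)
            if vtag in STRING_TAGS:  # trim, collapse spaces, lower-case ASCII only
                utf8 = val.decode(STRING_TAGS[vtag]).encode("utf-8")
                raw = der(0x0C, b" ".join(utf8.split()).lower())
            atvs.append(der(0x30, oid + raw))
        out += der(0x31, b"".join(sorted(atvs)))
    return out

def name_hash(name_der):
    """First four SHA-1 bytes, little-endian, as the 8-hex-digit link name."""
    digest = hashlib.sha1(canon_name(name_der)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def find_issuer_files(issuer_der, certdir):
    h, found = name_hash(issuer_der), []
    # Links are <hash>.0, <hash>.1, ...; hashes can collide, so verify each candidate.
    while os.path.exists(p := os.path.join(certdir, f"{h}.{len(found)}")):
        found.append(p)
    return found

def sample_name(cn, tag=0x13):  # constructed sample: Name with one CN (2.5.4.3) attribute
    return der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(tag, cn))))
```

A hash match only selects candidate files; the certificate chain still has to be verified against whatever is loaded from them.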


