[gnutls-devel] Hashing CA certs 'subject' to avoid cert preloading
Tim Ruehsen
tim.ruehsen at gmx.de
Mon Oct 5 10:14:38 CEST 2015
Hi Nikos, hi list members,

I asked for this a while ago but have to come back to this.

The following is a description based on my observations and assumptions:

OpenSSL provides 'c_rehash' to create hashes for the system CA certs. These
hashes are based on 'subject' (what else ?) and are used as symbolic links to
the CA certs (e.g. on Debian in /etc/ssl/certs).

To check a server cert on TLS connect, one just has to hash the 'issuer' and
load the CA cert via the symbolic 'hash' link.

This allows for a very fast TLS application startup (leaving away the
preloading of ~180 CA certs).

If possible, the hash/symlink utility should be compatible with OpenSSL's
c_rehash. They use SHA1 hashing over 'canonicalized' data structures (ASN.1,
DER, CER ? - I have not enough knowledge in that area).

I am willing to write such a hashing tool (using C) and to implement this
'CACert load on demand' feature into Wget (just working on wget2 / libwget).

What I need from you is:
- API function creating 'subject' hash from a given cert.
- API function creating 'issuer' hash from a given cert.
- Example code loading a cert on demand (extending gnutls-cli).

What do you think ?

Regards,
Tim