[gnutls-devel] Hashing CA certs 'subject' to avoid cert preloading

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Oct 6 09:40:13 CEST 2015


On Mon, Oct 5, 2015 at 10:14 AM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> Hi Nikos, hi list members,
> I asked for this a while ago but have to come back to this.
> The following is a description based on my observations and assumptions:
> OpenSSL provides 'c_rehash' to create hashes for the system CA certs. These
> hashes are based on 'subject' (what else ?) and are used as symbolic links to
> the CA certs (e.g. on Debian in /etc/ssl/certs).
> To check a server cert on TLS connect, one just has to hash the 'issuer' and
> load the CA cert via the symbolic 'hash' link.
> This allows for a very fast TLS application startup (leaving away the
> preloading of ~180 CA certs).
> If possible, the hash/symlink utility should be compatible with OpenSSL's
> c_rehash. They use SHA1 hashing over 'canonicalized' data structures (ASN.1,
> DER, CER ? - I have not enough knowledge in that area).

Stef Walter has reimplemented the rehash algorithm for p11-kit trust
module, you may want to take a look there.

> I am willing to write such a hashing tool (using C) and to implement this
> 'CACert load on demand' feature into Wget (just working on wget2 / libwget).

The problem with that format is that it is undocumented and changes
with different versions of openssl (Stef has two versions in p11-kit).
For gnutls, I am already encouraging the usage of the p11-kit trust
module for verification (Fedora already ships with that and my
understanding from debconf15 is that Debian plans to switch to that
too), so any improvements with cert loading outside p11-kit will
disappear at some point. I'm not really sure which format p11-kit uses
for certificate loading, but my take would be to improve that one as
it affects equally gnutls and nss applications.

That said, for a quick fix I think we can get away with a gnutls
verification callback which calculates the rehash value using the code
from p11-kit, then loads only the certificates that have this suffix
using gnutls_certificate_set_x509_trust_file(), and using the normal
verification functions after that. That of course would not be
thread-safe.
You can get the DN of the certificates using
gnutls_x509_crt_get_raw_issuer_dn(), and you'll have to read the
issuer DN of all certificates in the chain as returned by
gnutls_certificate_get_peers().

The above should work, but not sure whether it is complete (i.e., if
there are cases where the issuer cannot be found).
Once you have some proof of concept code with the above, we could
consider adding that to gnutls, but I'm not sure how easy that is, as
this approach breaks basic assumptions such as that the certificate
credentials are read-only for sessions.

regards,
Nikos
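
The on-demand lookup discussed in this thread, as an added example (not code from the thread, p11-kit or gnutls). It computes the older OpenSSL name hash (the value `openssl x509 -subject_hash_old` prints: MD5 over the DER-encoded DN) for a raw issuer DN, such as gnutls_x509_crt_get_raw_issuer_dn() returns, and collects the matching `<hash>.N` files. The newer SHA-1 variant hashes a canonicalized form of the name and is not reproduced here; the function names, the sample DN and the directory contents are constructed for illustration.

```python
import hashlib
import os
import struct
import tempfile


def subject_hash_old(raw_dn: bytes) -> str:
    """Older OpenSSL name hash: MD5 over the DER-encoded DN, first four digest
    bytes read as a little-endian 32-bit value, printed as 8 hex digits."""
    digest = hashlib.md5(raw_dn, usedforsecurity=False).digest()
    (value,) = struct.unpack("<L", digest[:4])
    return f"{value:08x}"


def candidate_ca_files(cert_dir: str, raw_issuer_dn: bytes) -> list[str]:
    """Return the <hash>.0, <hash>.1, ... files for one issuer DN.

    The numbering is contiguous, so the scan stops at the first missing index.
    The hash is only an index into the directory: every candidate loaded from
    it still has to pass normal chain verification."""
    prefix = subject_hash_old(raw_issuer_dn)
    found = []
    index = 0
    while True:
        path = os.path.join(cert_dir, f"{prefix}.{index}")
        if not os.path.exists(path):
            return found
        found.append(path)
        index += 1


def der_common_name(cn: str) -> bytes:
    """Constructed sample input: a DER Name holding one short CN attribute."""
    value = cn.encode()
    atv = b"\x06\x03\x55\x04\x03" + bytes([0x0C, len(value)]) + value
    rdn = bytes([0x30, len(atv)]) + atv
    rdn_set = bytes([0x31, len(rdn)]) + rdn
    return bytes([0x30, len(rdn_set)]) + rdn_set


def demo() -> list[str]:
    issuer = der_common_name("Example Root CA")  # constructed issuer DN
    with tempfile.TemporaryDirectory() as cert_dir:
        h = subject_hash_old(issuer)
        # Constructed directory: two colliding entries, a gap, an unrelated CA.
        for name in (f"{h}.0", f"{h}.1", f"{h}.3", "deadbeef.0"):
            open(os.path.join(cert_dir, name), "w").close()
        return [os.path.basename(p) for p in candidate_ca_files(cert_dir, issuer)]


if __name__ == "__main__":
    print(demo())
```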


