[gnutls-devel] Speedup idea...
tim.ruehsen at gmx.de
Fri Aug 5 14:04:00 CEST 2016
On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
> My goal is to only load those CA cert(s) that really have to be checked
> against. I need to create a hash from the server certs which 'point' to the
> CA cert files on disk, like OpenSSL already does. Well, we talked about
> that in the past and you pointed me to p11kit... but in fact, I so far do
> not really have a 'big picture' - the p11kit docs are mostly technical
> details, no understandable explanation of what it's all about.
Maybe you can help me.
I found no OpenSSL-like subject hashing in p11kit, so I looked at the source -
and it *basically* does a sha1 sum of the certificate subject.
Doing the same in GnuTLS certtool fails (but I am close:).
The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly different
than what GnuTLS gives me (97 bytes).
The hexdump of OpenSSL's subject:
The hexdump of GnuTLS's subject:
With GnuTLS, I used
asn1_der_coding(cert->cert, "tbsCertificate.subject", ...)
Well, is there some kind of 'ASN.1 normalization', or how can I retrieve the
same bytes that OpenSSL shows?
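
Added example, not part of the original message and not GnuTLS or OpenSSL code: the name canonicalization that OpenSSL 1.0.0 and later apply before the SHA-1 in `X509_NAME_hash()`, written out in Python. String values are trimmed, whitespace-folded, lowercased and re-tagged as UTF8String, and the outer SEQUENCE header is omitted. The function names and the sample subject are constructed for illustration, and T61String, UniversalString and BMPString values (which need transcoding) are not handled.

```python
import hashlib

ASCII_COMPAT = {0x0C, 0x13, 0x16, 0x1A}  # UTF8String, PrintableString, IA5String, VisibleString

def tlv(tag, value):
    """DER-encode one element (short or long length form)."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value

def children(value):
    """Yield (tag, content) for each DER element packed in value."""
    pos = 0
    while pos < len(value):
        tag, n, pos = value[pos], value[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low bits give the number of length bytes
            n, pos = int.from_bytes(value[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        yield tag, value[pos:pos + n]
        pos += n

def canon_string(tag, val):
    if tag in (0x14, 0x1C, 0x1E):  # T61String, UniversalString, BMPString
        raise NotImplementedError("transcoding to UTF-8 is not covered here")
    if tag not in ASCII_COMPAT:
        return tlv(tag, val)  # other value types are copied unchanged
    folded = b" ".join(val.split())  # trim ends, collapse runs of ASCII whitespace
    return tlv(0x0C, bytes(b | 0x20 if 0x41 <= b <= 0x5A else b for b in folded))

def canon_name(name_der):
    """Canonical form: every RDN SET re-encoded, outer SEQUENCE header omitted."""
    (tag, rdns), = children(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a DER SEQUENCE")
    out = b""
    for _, rdn in children(rdns):
        atvs = []
        for _, atv in children(rdn):
            (oid_tag, oid), (str_tag, text) = children(atv)
            atvs.append(tlv(0x30, tlv(oid_tag, oid) + canon_string(str_tag, text)))
        out += tlv(0x31, b"".join(sorted(atvs)))  # DER SET OF ordering
    return out

def openssl_subject_hash(name_der):
    """First four SHA-1 bytes read little-endian, printed as eight hex digits."""
    digest = hashlib.sha1(canon_name(name_der)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

# Constructed sample subject: C=US, CN=Example Root CA (both PrintableString)
SUBJECT = bytes.fromhex("3027310b3009060355040613025553311830160603550403130f") + b"Example Root CA"
```

When no string value changes length and the outer length fits in one byte, the canonical form is exactly two bytes shorter than the DER subject, as with the 41-byte sample here.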