[gnutls-devel] Speedup idea...

Tim Ruehsen tim.ruehsen at gmx.de
Fri Aug 5 14:04:00 CEST 2016

On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
> My goal is to only load that CA cert(s) that really have to be checked
> against. I need to create a hash from the server certs which 'point' to the
> CA cert files on disk, like OpenSSL already does. Well, we talked about
> that in the past and you pointed me to p11kit... but in fact, I so far do
> not really have a 'big picture' - the p11kit docs are mostly technical
> details, no understandable explanation what 's it all about.

Hi Nikos,

maybe you can help me.

I found no OpenSSL-like subject hashing in p11kit, so I looked at the source - 
and it *basically* does a sha1 sum of the certificate subject.

Doing the same in GnuTLS certtool fails (but I am close:).
The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly different 
than what GnuTLS gives me (97 bytes).

The hexdump of OpenSSL's subject:

The hexdump of GnuTLS's subject:

With GnuTLS, I used
  asn1_der_coding(cert->cert, "tbsCertificate.subject", ...)

Well, is there some kind of 'ASN.1 normalization', or how can I retrieve the 
same bytes that OpenSSL shows?

Regards, Tim
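Added example (this is not code from the thread, GnuTLS, p11-kit or OpenSSL): what OpenSSL actually hashes for `-subject_hash` (1.0.0 and later) is not the raw DER Subject but a canonical re-encoding of it. Every string-typed attribute value is converted to UTF8String, lower-cased (ASCII only), trimmed, with runs of whitespace collapsed to one space; each RDN is re-encoded as a DER SET OF, and the outer SEQUENCE header is left off (which alone drops two bytes from a short Name). The hash is the first four bytes of SHA-1 over that canonical form, read little-endian; the old `-subject_hash_old` is the first four bytes of MD5 over the raw DER. The script below reproduces that with a minimal DER walker and hashlib only. The sample subjects are constructed here (not taken from any real certificate) and the helper names are the example's own.

```python
# Added example: OpenSSL-style subject_hash from a DER-encoded X.501 Name,
# implemented with the standard library only. Not GnuTLS or p11-kit code.
import hashlib

TAG_OID, TAG_SEQUENCE, TAG_SET, TAG_UTF8STRING = 0x06, 0x30, 0x31, 0x0C
# String types OpenSSL canonicalises (its ASN1_MASK_CANON); any other value type
# is copied into the canonical encoding unchanged.
CANON_STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1A, 0x1C, 0x1E}
ASCII_SPACE = " \t\n\r\x0b\x0c"


def read_tlv(buf, pos):
    """Parse one definite-length DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_tlv(tag, value):
    """DER-encode one TLV (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def decode_string(tag, raw):
    """Decode an ASN.1 string value to text the way OpenSSL does before canonicalising."""
    if tag == 0x1E:
        return raw.decode("utf-16-be")      # BMPString
    if tag == 0x1C:
        return raw.decode("utf-32-be")      # UniversalString
    if tag == 0x0C:
        return raw.decode("utf-8")          # UTF8String
    return raw.decode("latin-1")            # Printable/IA5/Visible/T61: one byte per char


def canon_text(s):
    """Trim, collapse ASCII whitespace to one space, lower-case ASCII; non-ASCII passes through."""
    s = s.strip(ASCII_SPACE)
    out, prev_space = [], False
    for ch in s:
        if ch in ASCII_SPACE:
            if not prev_space:
                out.append(" ")
            prev_space = True
        else:
            out.append(ch.lower() if ord(ch) < 0x80 else ch)
            prev_space = False
    return "".join(out)


def canonical_name(der_name):
    """Return OpenSSL's canonical encoding of a DER Name (no outer SEQUENCE header)."""
    tag, body, _ = read_tlv(der_name, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        stag, rdn, pos = read_tlv(body, pos)
        if stag != TAG_SET:
            raise ValueError("RDN must be a SET")
        attrs, p = [], 0
        while p < len(rdn):
            _, attr, p = read_tlv(rdn, p)
            oid_tag, oid, q = read_tlv(attr, 0)
            vtag, val, _ = read_tlv(attr, q)
            if vtag in CANON_STRING_TAGS:
                vtag, val = TAG_UTF8STRING, canon_text(decode_string(vtag, val)).encode("utf-8")
            attrs.append(encode_tlv(TAG_SEQUENCE, encode_tlv(oid_tag, oid) + encode_tlv(vtag, val)))
        out.append(encode_tlv(TAG_SET, b"".join(sorted(attrs))))  # DER orders SET OF by encoding
    return b"".join(out)


def subject_hash(der_name):
    """OpenSSL 'x509 -subject_hash': first 4 bytes of SHA-1(canonical form), little-endian."""
    md = hashlib.sha1(canonical_name(der_name)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def subject_hash_old(der_name):
    """OpenSSL 'x509 -subject_hash_old': first 4 bytes of MD5(raw DER Name), little-endian."""
    md = hashlib.md5(der_name).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def rdn(oid, tag, text):
    """Build a single-valued RDN: SET { SEQUENCE { OID, value } } (for the constructed samples)."""
    return encode_tlv(TAG_SET, encode_tlv(TAG_SEQUENCE, encode_tlv(TAG_OID, oid) + encode_tlv(tag, text.encode())))


# Constructed sample subjects (id-at-countryName, organizationName, commonName);
# A and B differ only in case, whitespace and string type, so OpenSSL treats them as equal.
OID_C, OID_O, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"
SUBJECT_A = encode_tlv(TAG_SEQUENCE, rdn(OID_C, 0x13, "DE") + rdn(OID_O, 0x13, "Example  Org ") + rdn(OID_CN, 0x0C, "Mail Server"))
SUBJECT_B = encode_tlv(TAG_SEQUENCE, rdn(OID_C, 0x13, "de") + rdn(OID_O, 0x0C, "example org") + rdn(OID_CN, 0x13, "mail server"))

if __name__ == "__main__":
    for name, der in (("A", SUBJECT_A), ("B", SUBJECT_B)):
        print(name, len(der), "DER bytes ->", len(canonical_name(der)), "canonical bytes;",
              "subject_hash", subject_hash(der), "subject_hash_old", subject_hash_old(der))
```

Feeding the raw `tbsCertificate.subject` bytes from `asn1_der_coding()` into `subject_hash()` gives the value OpenSSL prints, so a GnuTLS client can look up `<hash>.0` files in an OpenSSL-style hashed CA directory; the two canonical encodings above are byte-identical, which is the point of the normalization, while the old MD5 scheme distinguishes them.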