[gnutls-devel] Speedup idea...
Tim Ruehsen
tim.ruehsen at gmx.de
Fri Aug 5 14:04:00 CEST 2016
On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
> My goal is to only load that CA cert(s) that really have to be checked
> against. I need to create a hash from the server certs which 'point' to the
> CA cert files on disk, like OpenSSL already does. Well, we talked about
> that in the past and you pointed me to p11kit... but in fact, I so far do
> not really have a 'big picture' - the p11kit docs are mostly technical
> details, no understandable explanation what 's it all about.
Hi Nikos,
maybe you can help me.
I found no OpenSSL-like subject hashing in p11kit, so I looked at the source -
and it *basically* does a sha1 sum of the certificate subject.
Doing the same in GnuTLS certtool fails (but I am close:).
The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly different
than what GnuTLS gives me (97 bytes).
The hexdump of OpenSSL's subject:
310B300906035504060C02757331173015060355040A0C0E766572697369676E2C20696E632E31373035060355040B0C2E636C6173732033207075626C6963207072696D6172792063657274696669636174696F6E20617574686F72697479
The hexdump of GnuTLS's subject:
305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479
With GnuTLS, I used
asn1_der_coding(cert->cert, ""tbsCertificate.subject", ...)
Well, is there some kind of 'ASN.1 normalization', or how can I retrieve the
same bytes that OpenSSL shows ?
Regards, Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20160805/577be8cd/attachment.sig>
More information about the Gnutls-devel
mailing list