[gnutls-devel] Speedup idea...

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Fri Aug 5 14:30:52 CEST 2016

On Fri, Aug 5, 2016 at 2:04 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
>> My goal is to only load that CA cert(s) that really have to be checked
>> against. I need to create a hash from the server certs which 'point' to the
>> CA cert files on disk, like OpenSSL already does. Well, we talked about
>> that in the past and you pointed me to p11kit... but in fact, I so far do
>> not really have a 'big picture' - the p11kit docs are mostly technical
>> details, no understandable explanation what 's it all about.
> Hi Nikos,
> maybe you can help me.
> I found no OpenSSL-like subject hashing in p11kit, so I looked at the source -
> and it *basically* does a sha1 sum of the certificate subject.

There is p11_openssl_symlink() which does some magic there, including
md5 hashes. This may be out-of-date though as this bug indicates [0].
[0]. https://bugzilla.redhat.com/show_bug.cgi?id=1053882

> Doing the same in GnuTLS certtool fails (but I am close:).
> The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly different
> than what GnuTLS gives me (97 bytes).

Did you try using gnutls_x509_crt_get_raw_dn() or the issuer equivalent?

> The hexdump of OpenSSL's subject:
> 310B300906035504060C02757331173015060355040A0C0E766572697369676E2C20696E632E31373035060355040B0C2E636C6173732033207075626C6963207072696D6172792063657274696669636174696F6E20617574686F72697479
> The hexdump of GnuTLS's subject:
> 305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479
> With GnuTLS, I used
>   asn1_der_coding(cert->cert, ""tbsCertificate.subject", ...)
> Well, is there some kind of 'ASN.1 normalization', or how can I retrieve the
> same bytes that OpenSSL shows ?

It seems the latter includes the SEQUENCE bytes of RDNSequence, while
the former has these removed. It seems (without having fully checked
it) that p11_openssl_canon_name_der() in p11-kit's trust module does
something similar. The comment: "Yes the OpenSSL canon strangeness, is
a concatenation
of all the RelativeDistinguishedName DER encodings, without an outside
wrapper." implies that.


More information about the Gnutls-devel mailing list