[gnutls-devel] Speedup idea...
n.mavrogiannopoulos at gmail.com
Fri Aug 5 14:30:52 CEST 2016
On Fri, Aug 5, 2016 at 2:04 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
>> My goal is to only load that CA cert(s) that really have to be checked
>> against. I need to create a hash from the server certs which 'point' to the
>> CA cert files on disk, like OpenSSL already does. Well, we talked about
>> that in the past and you pointed me to p11kit... but in fact, I so far do
>> not really have a 'big picture' - the p11kit docs are mostly technical
>> details, no understandable explanation what's it all about.
> Hi Nikos,
> maybe you can help me.
> I found no OpenSSL-like subject hashing in p11kit, so I looked at the source -
> and it *basically* does a sha1 sum of the certificate subject.
There is p11_openssl_symlink() which does some magic there, including
md5 hashes. This may be out-of-date though as this bug indicates.
> Doing the same in GnuTLS certtool fails (but I am close:).
> The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly different
> than what GnuTLS gives me (97 bytes).
Did you try using gnutls_x509_crt_get_raw_dn() or the issuer equivalent?
> The hexdump of OpenSSL's subject:
> The hexdump of GnuTLS's subject:
> With GnuTLS, I used
> asn1_der_coding(cert->cert, "tbsCertificate.subject", ...)
> Well, is there some kind of 'ASN.1 normalization', or how can I retrieve the
> same bytes that OpenSSL shows ?
It seems the latter includes the SEQUENCE bytes of RDNSequence, while
the former has these removed. It seems (without having fully checked
it) that p11_openssl_canon_name_der() in p11-kit's trust module does
something similar. The comment: "Yes the OpenSSL canon strangeness, is
of all the RelativeDistinguishedName DER encodings, without an outside
wrapper." implies that.
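As an added example (not code from this thread, nor from GnuTLS, p11-kit or OpenSSL), the following Python builds a small DER-encoded X.509 Name, strips the outer RDNSequence SEQUENCE the way the thread describes p11-kit's "canon" form, and shows that the only difference between the two encodings is the two-byte SEQUENCE header, which is exactly the 97-versus-95-byte gap reported above. The sample name, the hard-coded attribute OIDs and the hash helpers are my own assumptions; the MD5 helper follows the layout of OpenSSL's X509_NAME_hash_old() as I know it (first four MD5 bytes read little-endian, printed as eight hex digits), while the SHA-1 helper reproduces only the wrapper-stripping step and not the string normalization that OpenSSL's X509_NAME_hash() also applies, so it matches OpenSSL only for names whose strings are already in canonical form.

```python
import hashlib
import struct

# --- minimal DER helpers (assumption: enough for Name encodings) ----------

def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Wrap content in a DER tag/length/value triplet."""
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, end_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:start + length], start + length

# --- constructed sample Name: C=XX, CN=Example Test CA (made-up values) ---

OID_C = bytes.fromhex("550406")   # 2.5.4.6 countryName
OID_CN = bytes.fromhex("550403")  # 2.5.4.3 commonName

def rdn(oid, string_tag, value):
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, value } }."""
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, value)))

SAMPLE_NAME_DER = tlv(0x30,                       # Name ::= SEQUENCE OF RDN
    rdn(OID_C, 0x13, b"XX")                       # PrintableString
    + rdn(OID_CN, 0x0C, b"Example Test CA"))      # UTF8String

# --- the canonicalization step discussed in the thread --------------------

def canon_name(name_der):
    """Return the RDN encodings without the outer SEQUENCE wrapper."""
    tag, content, end = read_tlv(name_der, 0)
    if tag != 0x30 or end != len(name_der):
        raise ValueError("input is not a single DER SEQUENCE")
    return content

def split_rdns(canon):
    """Split the wrapper-less form back into the individual SET encodings."""
    rdns, pos = [], 0
    while pos < len(canon):
        start = pos
        tag, _, pos = read_tlv(canon, pos)
        if tag != 0x31:
            raise ValueError("RDN is not a DER SET")
        rdns.append(canon[start:pos])
    return rdns

def hash_old_md5(name_der):
    """X509_NAME_hash_old() layout: MD5 over the full DER Name, 4 LE bytes."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]

def hash_sha1_no_wrapper(name_der):
    """SHA-1 over the wrapper-less RDNs; omits OpenSSL's string normalization."""
    digest = hashlib.sha1(canon_name(name_der)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]

if __name__ == "__main__":
    full, canon = SAMPLE_NAME_DER, canon_name(SAMPLE_NAME_DER)
    print("full Name DER : %d bytes" % len(full))
    print("without wrapper: %d bytes (header removed: %s)"
          % (len(canon), full[:len(full) - len(canon)].hex()))
    print("RDN sizes      :", [len(r) for r in split_rdns(canon)])
    print("md5 (old style):", hash_old_md5(full))
    print("sha1 (canon)   :", hash_sha1_no_wrapper(full))
```

Running it shows the full Name at 41 bytes against 39 without the wrapper, the removed header being `30 27` (SEQUENCE, length 39). The same two-byte header accounts for the 97-byte output of asn1_der_coding() on tbsCertificate.subject versus OpenSSL's 95 bytes; a name longer than 127 bytes would lose three or more bytes instead, since the length moves to long form. gnutls_x509_crt_get_raw_dn() returns the wrapped form, so the stripping still has to be done before hashing.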