[gnutls-help] Detect whether certificate is self-signed

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Dec 21 07:44:38 CET 2014


On Fri, 2014-12-19 at 18:10 +0100, David Engster wrote:
> What is the best way with libgnutls to see whether a certificate is
> self-signed? I'm guessing you have to compare issuer with subject, but
> is there a preferred way to do that? From RFC5280 it seems to me that
> this comparison is not trivial to do, but maybe for self-signed they
> really always match byte for byte?

gnutls doesn't follow the rfc5280 comparison for DNs. It does a memcmp()
to check if they are identical, and you are safe if you do that too, for
two reasons: (1) adding an elaborate parsing layer to ensure identity
may introduce bugs which allow false positives in the comparison; (2) it
is unnecessary; there is no software that generates certificates with
spacing differences or case-differences on the DN, that is a relic
from the time when DNs were copied by a human using a keyboard and not
by memcpy().

That said, the easiest way to check for a self-signed certificate is
using gnutls_x509_crt_check_issuer() against itself.

regards,
Nikos
