[gnutls-help] Detect whether certificate is self-signed

David Engster deng at randomsample.de
Sun Dec 21 18:19:38 CET 2014


Nikos Mavrogiannopoulos writes:
> On Fri, 2014-12-19 at 18:10 +0100, David Engster wrote:
>> What is the best way with libgnutls do see whether a certificate is
>> self-signed? I'm guessing you have to compare issuer with subject, but
>> is there a preferred way to do that? From RFC5280 it seems to me that
>> this comparison is not trivial to do, but maybe for self-signed they
>> really always match byte for byte?
>
> gnutls doesn't follow the rfc5280 comparison for DNs. It does a memcmp()
> to check if they are identical, and you are safe if you do that too. For
> two reasons: (1) adding an elaborate parsing layer to ensure identity
> may introduce bugs which allow false positives in the comparison, (2) it
> is unnecessary; there is no software that generates certificates with
> spacing differences or case-differences on the DN, that is the relic
> from the time where DNs were copied by a human using a keyboard and not
> by memcpy().

Yes, I already wondered how that could happen in the first place. But...

> That said, the easiest way to check for a self-signed certificate is
> using gnutls_x509_crt_check_issuer() against itself.

...that's way simpler. :-)

Thanks!

-David
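The reply above says gnutls compares the two DNs with memcmp(). The following is an added example, not code from this thread or from GnuTLS, that does the same byte-for-byte comparison on raw DER with no library at all: it walks Certificate -> tbsCertificate to the issuer and subject Name fields and compares their full encodings. The function names, the truncated sample certificate and its CN values are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* Read one DER TLV at p and require tag `want`; returns total size (header + value),
 * or 0 if the tag differs or the encoding is malformed. Long-form lengths up to 4 bytes. */
static size_t tlv(const uint8_t *p, size_t n, uint8_t want, size_t *hdr, size_t *vlen)
{
    if (n < 2 || p[0] != want) return 0;
    size_t len = p[1], h = 2;
    if (len & 0x80) {
        size_t nb = len & 0x7f;
        if (nb == 0 || nb > 4 || n < 2 + nb) return 0;
        for (len = 0; nb; nb--, h++) len = (len << 8) | p[h];
    }
    if (len > n - h) return 0;
    *hdr = h; *vlen = len;
    return h + len;
}
/* 1 if the raw DER issuer Name equals the raw DER subject Name byte for byte, 0 if they
 * differ, -1 if the buffer is not a parseable Certificate prefix. No signature is checked. */
int is_self_issued(const uint8_t *der, size_t n)
{
    size_t h, l, sz;
    if (!tlv(der, n, 0x30, &h, &l)) return -1;                     /* Certificate */
    der += h; n = l;
    if (!tlv(der, n, 0x30, &h, &l)) return -1;                     /* tbsCertificate */
    const uint8_t *p = der + h, *end = p + l;
    if ((sz = tlv(p, end - p, 0xa0, &h, &l))) p += sz;             /* [0] version, optional */
    if (!(sz = tlv(p, end - p, 0x02, &h, &l))) return -1; p += sz; /* serialNumber */
    if (!(sz = tlv(p, end - p, 0x30, &h, &l))) return -1; p += sz; /* signature AlgorithmIdentifier */
    const uint8_t *issuer = p; size_t ilen = tlv(p, end - p, 0x30, &h, &l);
    if (!ilen) return -1; p += ilen;                               /* issuer Name (whole TLV) */
    if (!(sz = tlv(p, end - p, 0x30, &h, &l))) return -1; p += sz; /* validity */
    size_t slen = tlv(p, end - p, 0x30, &h, &l);                   /* subject Name (whole TLV) */
    return !slen ? -1 : (ilen == slen && memcmp(issuer, p, ilen) == 0);
}
/* Constructed sample: leading fields of a DER Certificate (v3, serial 1, sha256WithRSA,
 * issuer CN=a, validity 2014-2015, subject CN=a); the fields after subject are omitted. */
static const uint8_t SAMPLE[] = {
    0x30,0x55, 0x30,0x53, 0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,
    0x30,0x0c,0x31,0x0a,0x30,0x08,0x06,0x03,0x55,0x04,0x03,0x0c,0x01,'a',   /* issuer */
    0x30,0x1e,0x17,0x0d,'1','4','0','1','0','1','0','0','0','0','0','0','Z',0x17,0x0d,'1','5','0','1','0','1','0','0','0','0','0','0','Z',
    0x30,0x0c,0x31,0x0a,0x30,0x08,0x06,0x03,0x55,0x04,0x03,0x0c,0x01,'a' }; /* subject */
/* Run the check on a copy of SAMPLE whose subject CN is replaced by subject_cn. */
int check_sample(char subject_cn)
{
    uint8_t buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    buf[sizeof SAMPLE - 1] = (uint8_t)subject_cn;
    return is_self_issued(buf, sizeof SAMPLE);
}
```

A matching issuer and subject only makes the certificate self-issued in RFC 5280 terms; a self-signed check would additionally verify the signature with the certificate's own key, which neither this comparison nor gnutls_x509_crt_check_issuer() does.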