Loading credentials in verify callback just as needed ?

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Aug 30 22:55:56 CEST 2012

On 08/30/2012 01:07 PM, Tim Ruehsen wrote:

>> I'm surprised that this function takes long for you. How many
>> certificates do you have an which version of gnutls is that?
> There are 150 certs at the moment.
> GnuTLS 3.0.22 uses ~1.8 millions of malloc()s to read these files in.
> OpenSSL just ~5.000.

Ouch. It's libtasn1's operation that uses malloc quite excessively
to parse the X.509 structures and create a tree, but 1.8 million for 150
certificates seems too much. Most probably an optimization there would
eliminate the issue you see.

> On my rather old AMD 2000+ it takes ~1s to load these.
> Using valgrind for development (wget1.14), it takes around 30-40s.
> See some output at the end of my initial post (I meant to write Wget1.14 there,
> not mget1.14).


>> GnuTLS doesn't have something similar to that, like loading the CA
>> file on demand.
>> You could of course simulate that functionality by using the
>> certificate's authority key identifier, or the issuer's name.
> Here is exactly the point, where you could help me.
> I would like to do that.
> But when the verification callback function is called (set by 
> gnutls_certificate_set_verify_function()), information about the key id or 
> issuer seem not to be available.

You can obtain the peer's certificate with gnutls_certificate_get_peers(),
convert it to a gnutls_x509_crt_t and then read the key id or issuer.

