Loading credentials in verify callback just as needed?

Tim Ruehsen tim.ruehsen at gmx.de
Fri Aug 31 17:45:17 CEST 2012


On Thursday, 30 August 2012, Nikos Mavrogiannopoulos wrote:
> > There are 150 certs at the moment.
> > GnuTLS 3.0.22 uses ~1.8 million malloc()s to read these files in.
> > OpenSSL just ~5,000.
> 
> Ouch. It's libtasn1's operation that uses malloc quite excessively
> to parse the X.509 structures and create a tree, but 1.8 million for 150
> certificates seems too much. Most probably an optimization there would
> eliminate the issue you see.
> 
> > On my rather old AMD 2000+ it takes ~1s to load these.
> > Using valgrind for development (wget1.14), it takes around 30-40s.
> > See some output at the end of my initial post (I meant to write Wget1.14
> > there, not mget1.14).
> 
> Ouch.

Yes, ouch ;-)

I took a look at libtasn1, and yes, the best thing would be a partial rewrite.
It's unlikely that someone will do that... a quicker way to speed it up would be
the use of memory pools in libtasn1.
Whether there is some potential within the GnuTLS sources, I can't say.


> >> GnuTLS doesn't have something similar to that, like loading the CA
> >> file on demand.
> >> You could of course simulate that functionality by using the
> >> certificate's authority key identifier, or the issuer's name.
> > 
> > Here is exactly the point, where you could help me.
> > I would like to do that.
> > But when the verification callback function is called (set by
> > gnutls_certificate_set_verify_function()), information about the key id
> > or issuer seems not to be available.
> 
> You can obtain the peer's certificate with gnutls_certificate_get_peers(),
> convert it to a gnutls_x509_crt_t and then read the key id or issuer.

Sorry, Nikos, for being my "rubber duck" ;-)

I found the problem some minutes ago while writing this email.
I used
	gnutls_x509_crt_import(cert, &cert_list[it], GNUTLS_X509_FMT_PEM)
instead of
	gnutls_x509_crt_import(cert, &cert_list[it], GNUTLS_X509_FMT_DER)

Now I am getting issuer and DN etc.

I'll let you know if and when the 'lazy loading' works and how it performs.
But still: optimizing libtasn1 is an issue...

     Tim Rühsen
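Added example, not part of this thread and not code from wget or GnuTLS: the lookup step the lazy-loading idea above needs. The verify callback gets the peer chain as DER from gnutls_certificate_get_peers(); after gnutls_x509_crt_import() with GNUTLS_X509_FMT_DER one would normally read the key with gnutls_x509_crt_get_issuer_dn() or gnutls_x509_crt_get_authority_key_id(). So that this runs without GnuTLS installed, the example instead walks the DER itself with a minimal TLV parser written for this purpose, keeps the raw issuer Name and the authorityKeyIdentifier, and derives the CA file to load from them. The sample certificate is constructed by hand with dummy key and signature bytes, and the ca/aki-<hex>.pem and ca/issuer-<fnv32>.pem naming is an assumed convention, not anything wget or GnuTLS defines.

```c
/* Added example, not wget or GnuTLS code: pick the CA file to load lazily for a peer certificate
 * from its issuer Name and Authority Key Identifier, read straight from the DER bytes the verify
 * callback receives. Minimal DER walker written for this example; ca/... naming is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; } der_t;

/* Read one TLV from *in: set *tag and the content span (optionally the whole TLV), then
 * advance *in past it. Rejects indefinite lengths and anything that overruns the buffer. */
static int der_next(der_t *in, uint8_t *tag, der_t *content, der_t *whole)
{
    const uint8_t *p = in->p, *end = in->p + in->len;
    if (end - p < 2) return 0;
    uint8_t t = *p++;
    size_t len = *p++;
    if (len & 0x80) {                                   /* long form: 0x8n, then n length bytes */
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof len || (size_t)(end - p) < n) return 0;
        for (len = 0; n; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return 0;
    if (whole) { whole->p = in->p; whole->len = (size_t)(p - in->p) + len; }
    *tag = t; content->p = p; content->len = len;
    in->p = p + len; in->len = (size_t)(end - in->p);
    return 1;
}

/* Walk Certificate -> tbsCertificate, keep the raw issuer Name TLV and, if the
 * authorityKeyIdentifier extension (2.5.29.35) is present, its [0] keyIdentifier. */
int cert_lookup_keys(const uint8_t *der, size_t der_len, der_t *issuer, der_t *aki)
{
    der_t in = { der, der_len }, cert, tbs, c, exts, ext, oid, val;
    uint8_t tag;
    issuer->len = aki->len = 0;
    if (!der_next(&in, &tag, &cert, NULL) || tag != 0x30) return 0;    /* Certificate */
    if (!der_next(&cert, &tag, &tbs, NULL) || tag != 0x30) return 0;   /* tbsCertificate */
    if (!der_next(&tbs, &tag, &c, NULL)) return 0;                     /* version [0] (v3) or serial */
    if (tag == 0xa0 && !der_next(&tbs, &tag, &c, NULL)) return 0;      /* serialNumber */
    if (tag != 0x02) return 0;
    if (!der_next(&tbs, &tag, &c, NULL) || tag != 0x30) return 0;      /* signature AlgorithmIdentifier */
    if (!der_next(&tbs, &tag, &c, issuer) || tag != 0x30) return 0;    /* issuer Name, kept whole */
    for (int i = 0; i < 3; i++)                                        /* validity, subject, SPKI */
        if (!der_next(&tbs, &tag, &c, NULL) || tag != 0x30) return 0;
    while (der_next(&tbs, &tag, &c, NULL)) {                           /* optional [1], [2], [3] */
        if (tag != 0xa3) continue;
        if (!der_next(&c, &tag, &exts, NULL) || tag != 0x30) return 0; /* Extensions SEQUENCE */
        while (der_next(&exts, &tag, &ext, NULL)) {                    /* one Extension SEQUENCE */
            if (tag != 0x30 || !der_next(&ext, &tag, &oid, NULL) || tag != 0x06) return 0;
            if (oid.len != 3 || memcmp(oid.p, "\x55\x1d\x23", 3) != 0) continue;
            if (!der_next(&ext, &tag, &val, NULL)) return 0;
            if (tag == 0x01 && !der_next(&ext, &tag, &val, NULL)) return 0; /* skip critical BOOLEAN */
            if (tag != 0x04 || !der_next(&val, &tag, &c, NULL) || tag != 0x30) return 0;
            if (der_next(&c, &tag, &val, NULL) && tag == 0x80) *aki = val;  /* [0] keyIdentifier */
            return 1;
        }
    }
    return 1;                                                          /* no AKI: caller falls back */
}

/* Map the certificate to a CA file: by AKI when present, else by a 32-bit FNV-1a hash of
 * the issuer Name. Only hex digits reach the path, never attacker-chosen DN bytes. */
int ca_file_for_cert(const uint8_t *der, size_t der_len, char *out, size_t out_len)
{
    der_t issuer, aki; int n;
    if (out_len < 64 || !cert_lookup_keys(der, der_len, &issuer, &aki)) return 0;
    if (aki.len > 0 && aki.len <= 20) {
        n = sprintf(out, "ca/aki-");
        for (size_t i = 0; i < aki.len; i++) n += sprintf(out + n, "%02x", aki.p[i]);
    } else {
        uint32_t h = 2166136261u;
        for (size_t i = 0; i < issuer.len; i++) { h ^= issuer.p[i]; h *= 16777619u; }
        n = sprintf(out, "ca/issuer-%08x", (unsigned)h);
    }
    strcpy(out + n, ".pem");
    return 1;
}

/* Constructed sample: syntactically valid v3 certificate, issuer CN=Test CA, AKI keyIdentifier
 * de:ad:be:ef; the public key and signature bytes are dummies (168 bytes in total). */
static const uint8_t sample_cert[] = {
    0x30,0x81,0xa5, 0x30,0x81,0x8e,                                        /* Certificate, tbsCertificate */
    0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,                              /* version v3, serial 1 */
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00, /* sha256WithRSA */
    0x30,0x12,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x13,0x07,'T','e','s','t',' ','C','A', /* issuer */
    0x30,0x1e,0x17,0x0d,'1','2','0','8','3','0','0','0','0','0','0','0','Z',            /* validity */
              0x17,0x0d,'1','3','0','8','3','0','0','0','0','0','0','0','Z',
    0x30,0x17,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,'t','e','s','t','.','e','x','a','m','p','l','e',
    0x30,0x13,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x02,0x00,0x00, /* SPKI */
    0xa3,0x13,0x30,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x23,0x04,0x08,0x30,0x06,0x80,0x04,0xde,0xad,0xbe,0xef, /* AKI */
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00, /* signatureAlgorithm */
    0x03,0x03,0x00,0xab,0xcd,                                              /* signatureValue */
};

const char *sample_ca_file(void)          /* what the verify callback would load for the sample */
{
    static char path[64];
    return ca_file_for_cert(sample_cert, sizeof sample_cert, path, sizeof path) ? path : NULL;
}
```

Build with cc -std=c99 -Wall; sample_ca_file() returns "ca/aki-deadbeef.pem" for the constructed certificate. Only the key selection happens here: the callback would then load that file with gnutls_certificate_set_x509_trust_file() and still run gnutls_certificate_verify_peers2(), because the issuer and AKI come from an as yet unverified peer and may be chosen by an attacker; they are good for deciding which trust anchor to try and for nothing else. Emitting only hex or a hash into the path keeps DN bytes out of the filesystem lookup, and the walker rejects truncated input and indefinite lengths, which a real callback has to do before acting on the result.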