[gnutls-devel] Speedup idea...

[Tim Ruehsen]

On Friday, August 5, 2016 2:30:52 PM CEST Nikos Mavrogiannopoulos wrote:
> On Fri, Aug 5, 2016 at 2:04 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> > On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
> >> My goal is to only load that CA cert(s) that really have to be checked
> >> against. I need to create a hash from the server certs which 'point' to
> >> the
> >> CA cert files on disk, like OpenSSL already does. Well, we talked about
> >> that in the past and you pointed me to p11kit... but in fact, I so far do
> >> not really have a 'big picture' - the p11kit docs are mostly technical
> >> details, no understandable explanation what 's it all about.
> > 
> > Hi Nikos,
> > 
> > maybe you can help me.
> > 
> > I found no OpenSSL-like subject hashing in p11kit, so I looked at the
> > source - and it *basically* does a sha1 sum of the certificate subject.
> 
> There is p11_openssl_symlink() which does some magic there, including
> md5 hashes. This may be out-of-date though as this bug indicates [0].
> [0]. https://bugzilla.redhat.com/show_bug.cgi?id=1053882

Nice ! In fact I oversaw p11_openssl_symlink().
It does both, the old md5 hash symlink and the current sha1 hash.

> > Doing the same in GnuTLS certtool fails (but I am close:).
> > The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly
> > different than what GnuTLS gives me (97 bytes).
> 
> Did you try using gnutls_x509_crt_get_raw_dn() or the issuer equivalent?

P11-kit has the code, though I have no idea if p11-kit uses these hashes to 
find the CA certs from the servers certs received during handshake.

I am clueless, if anything else is needed. I guess, GnuTLS doesn't need an API 
for that... but how do I convert GnuTLS structures into p11-kit structures to 
use p11 API directly ?
Was your recent question about "exposing low level handles from pkcs11" ?
If yes, that is what I need...

> > The hexdump of OpenSSL's subject:
> > 310B300906035504060C02757331173015060355040A0C0E766572697369676E2C20696E63
> > 2E31373035060355040B0C2E636C6173732033207075626C6963207072696D617279206365
> > 7274696669636174696F6E20617574686F72697479
> > 
> > The hexdump of GnuTLS's subject:
> > 305F310B300906035504061302555331173015060355040A130E566572695369676E2C2049
> > 6E632E31373035060355040B132E436C6173732033205075626C6963205072696D61727920
> > 43657274696669636174696F6E20417574686F72697479
> > 
> > With GnuTLS, I used
> > 
> >   asn1_der_coding(cert->cert, ""tbsCertificate.subject", ...)
> > 
> > Well, is there some kind of 'ASN.1 normalization', or how can I retrieve
> > the same bytes that OpenSSL shows ?
> 
> It seems the latter includes the SEQUENCE bytes of RDNSequence, while
> the former has these removed. It seems (without having fully checked
> it) that p11_openssl_canon_name_der() in p11-kit's trust module does
> something similar. The comment: "Yes the OpenSSL canon strangeness, is
> a concatenation
> of all the RelativeDistinguishedName DER encodings, without an outside
> wrapper." implies that.

I see that now, thanks.

Regards, Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20160805/c36b6b90/attachment-0001.sig>