Nikos Mavrogiannopoulos writes:

> On Fri, 2014-12-19 at 18:10 +0100, David Engster wrote:
>> What is the best way with libgnutls to see whether a certificate is
>> self-signed? I'm guessing you have to compare issuer with subject, but
>> is there a preferred way to do that? From RFC5280 it seems to me that
>> this comparison is not trivial to do, but maybe for self-signed they
>> really always match byte for byte?
>
> gnutls doesn't follow the rfc5280 comparison for DNs. It does a memcmp()
> to check if they are identical, and you are safe if you do that too. For
> two reasons, (1) adding an elaborate parsing layer to ensure identity
> may introduce bugs which allow false positives in the comparison, (2) it
> is unnecessary; there is no software that generates certificates with
> spacing differences or case-differences on the DN, that is the relic
> from the time where DNs were copied by a human using a keyboard and not
> by memcpy().

Yes, I already wondered how that could happen in the first place. But...

> Said that, the easiest way to check for a self-signed certificate is
> using gnutls_x509_crt_check_issuer() against itself.

...that's way simpler. :-)

Thanks!

-David

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
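The memcmp()-style check Nikos describes, as an added example that is not from the thread and not gnutls code: a small DER walker pulls the raw issuer and subject Names out of a certificate and compares them byte for byte, so a case or spacing difference in the DN is simply a mismatch. The certificate used here is a constructed, unsigned blob with the RFC 5280 TBSCertificate field order (`fake_cert` and the OIDs in it are assumptions for the demo), so the walker applies unchanged to real DER.

```python
# Added example, not from the mailing-list thread or from gnutls.
# Constructed test data: an unsigned Certificate-shaped DER structure.

def der(tag, payload):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def name(cn):
    """Name ::= SEQUENCE OF RDN; one RDN holding a UTF8String commonName (2.5.4.3)."""
    attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, attr))

def fake_cert(issuer_cn, subject_cn):
    """Constructed Certificate: TBSCertificate in RFC 5280 field order, dummy signature."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00\x00"))          # placeholder public key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00\x00"))

def parse(buf):
    """Split a DER buffer into (tag, value, whole_tlv) triples at one nesting level."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                       # long-form length
            k = ln & 0x7F
            ln, j = int.from_bytes(buf[j:j + k], "big"), j + k
        out.append((tag, buf[j:j + ln], buf[i:j + ln]))
        i = j + ln
    return out

def issuer_and_subject(cert):
    """Return the raw DER (header included) of the issuer and subject Names."""
    tbs = parse(parse(cert)[0][1])[0][1]      # Certificate -> TBSCertificate value
    fields = parse(tbs)
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][2], fields[4][2]

def is_self_signed(cert):
    """Self-signed iff issuer and subject DER are identical, as memcmp() would see them."""
    issuer, subject = issuer_and_subject(cert)
    return issuer == subject                  # no RFC 5280 name normalisation

if __name__ == "__main__":
    print(is_self_signed(fake_cert("Example Root CA", "Example Root CA")))   # True
    print(is_self_signed(fake_cert("example root ca", "Example Root CA")))   # False
```

Like gnutls, this treats a DN that differs only in case as a different name; the issuer check does not try to prove the two names are "equivalent", only that they are the same bytes.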
