Am Tuesday 04 September 2012 schrieb Nikos Mavrogiannopoulos: > On Tue, Sep 4, 2012 at 3:48 PM, Tim Ruehsen <[email protected]> wrote: > > Right now, after having taken a deeper look into the sources, I > > personally dislike the source code. > > You're not alone. Unfortunately it is the easiest to use ASN.1 parser. > > > It is unnecessary complex, i would say hard to > > maintain. I really can't find any of the stated "high quality" code. > > Who states that?
see http://www.gnu.org/software/libtasn1 The part i am referring to is titled "High Quality". Well the clang analyser is mentioned... since the last check, some time may have been passed ... using it, you will at least find one serious memory error. > > Tree structure handling and content handling should be seperated. > > Aren't there any well-tested tree library routines (e.g. GNU t* > > functions) that could be used for adding, deleting, searching and > > walking ?. > > Could be. However, the author of this code is no longer interested in > improving it. Unless there is someone willing to rewrite (simply > patching may not work), it would be hard to improve. That's my opinion as well. > > I think, GnuTLS should have a tool to be able to convert .PEM files into > > simple text files which could be read into a simple C structure by a > > trivial routine. That would massively reduce complexity and resource > > usage (CPU, Memory) and speed up GnuTLS startup. > > This isn't trivial. ASN.1 structures can be overly complex and they > rarely map to C structure (see PKCS #12 for an example). If you try to > parse complex structures like that with other approaches (e.g. the > libtomcrypt asn.1 parser functions) you'll become insane. Libtasn.1's > advantage is _a very good_ interface for accessing elements within the > structure. Unfortunately it is supported by very complex code. Hey Nikos. This mentioned tool could use libtasn1. Impact doesn't matter since the certificates seldom change. The X509 certificate format is well defined in RFC 5280 and it should be easy to output these values into a text format like: -------- tbsCertificate.version 2 tbsCertificate.serialNumber 85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23 tbsCertificate.signature sha1WithRSAEncryption tbsCertificate.issuer C=US, O=America Online Inc., CN=America Online Root Certification Authority 1 ... signatureAlgorithm sha1WithRSAEncryption signatureValue 7c:8a:d1:1f:18:37:82:e0:b8:b0:a3:ed:56:95:c8:62:61:9c: ... -------- OpenSSL already has a tool to convert .PEM into a (human readable) text: openssl x509 -text -noout -in <filename> Maybe there already is a similar GnuTLS tool which we can extend a bit to produce machine readable text. Regards, Tim
