Bear Giles wrote:
>
> > Trust, BTW, could rather easily be handled by attaching internal
> > attributes to certificates with extra information. Those attributes
> > are not part of the certificate itself, of course. Was that
> > approximately the way you saw this being done as well?
>
> What will this do to the whole-cert hash value?
>

Nothing. The trust settings aren't part of the certificate encoding. The current trust handling stores these after the main encoding only if the *TRUST() functions are used.

> (I assume that the whole-cert hash is computed as the SHA-1 hash on
> the ASN.1 encoding of the cert... something that I can compute with
> ASN1_write_bio(), a mem BIO and a sha1 BIO. Or by another library
> crunching on a DER-encoded certificate in the underlying database.)
>

The whole certificate hash value can be computed in several ways, X509_digest() for example. This has the advantage that if trust information is added it is excluded from the calculation.

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
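The following is an added example, not part of the original message and not OpenSSL code. It shows the point made in the reply from the side of "another library" reading a stored blob: if trust data sits after the certificate's main encoding, the fingerprint has to cover only the certificate's own DER element. The function names, the stored-blob layout and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

def der_element_length(buf: bytes) -> int:
    """Total length (header + content) of the first DER element in buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    if buf[1] < 0x80:                       # short form: length in one octet
        header, content = 2, buf[1]
    else:                                   # long form: n length octets follow
        n = buf[1] & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header, content = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    if header + content > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return header + content

def cert_fingerprint(blob: bytes) -> str:
    """SHA-1 over the certificate's own DER encoding, ignoring trailing data."""
    if blob[:1] != b"\x30":
        raise ValueError("expected an outer SEQUENCE")
    return hashlib.sha1(blob[:der_element_length(blob)]).hexdigest()

def naive_fingerprint(blob: bytes) -> str:
    """SHA-1 over the whole stored blob; changes when trust data is appended."""
    return hashlib.sha1(blob).hexdigest()

def der_seq(content: bytes) -> bytes:
    """Helper for the constructed samples: wrap content in a DER SEQUENCE."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(octets)]) + octets + content

# Constructed samples, not real certificates: a stand-in "certificate"
# SEQUENCE and a stand-in trust SEQUENCE holding one OID.
SAMPLE_CERT = der_seq(b"\x04\x82\x01\x2c" + bytes(300))
SAMPLE_TRUST = der_seq(der_seq(b"\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01"))

if __name__ == "__main__":
    stored = SAMPLE_CERT + SAMPLE_TRUST
    print("cert only      :", cert_fingerprint(SAMPLE_CERT))
    print("cert + trust   :", cert_fingerprint(stored))
    print("naive over blob:", naive_fingerprint(stored))
```
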
