On Thu, Jan 24, 2013 at 02:49:25PM +0100, Dr. Stephen Henson wrote:

> > This is a rather non-obvious interface, and X509_get_X509_PUBKEY() is
> > not documented.
> > 
> 
> I make no claim this is obvious but...
> 
> It should be possible to do this in a single call using the ASN1_item_verify
> interface like this:
> 
> rv = ASN1_item_verify(ASN1_ITEM_rptr(X509_PUBKEY), digest,
>                       (void *)X509_get_X509_PUBKEY(cert), &digest_len);
> 

I assume you meant ASN1_item_digest(), rather than ASN1_item_verify().
Is this (and the required ASN1_ITEM_rptr(X509_PUBKEY) parameter)
part of the public OpenSSL interface?

I did see these functions when reading the source of X509_digest(),
but was concerned that ASN1_ITEM_rptr looked like an implementation
artifact of the current ASN.1 encoder/decoder, and might change in
a future overhaul of the ASN.1 internals of the library.

If these are public interfaces, and especially if they become
documented, this seems the better way to go than putting it all
together by hand.

> > I'd like to request that the existing X509_pubkey_digest() be
> > renamed to something like x509_pubkey_identifier() just for
> > internal use by the library.
> > 
> 
> The problem with renaming or changing existing functions is that it will break
> binary compatibility and potentially break applications too.

I understand the concern. My worry is that incorrect usage of
X509_pubkey_digest() will likely outnumber correct usage. It looks
like a trap for the unwary.


> We could however provide an additional function to hash the whole public key
> digest and document the behaviour of both.

Documentation will definitely help; I would probably not have misused
X509_pubkey_digest() if I had a manpage that explains when to use it, and
also explains what to use to get a digest of the complete key.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
