I'll clarify what I said a bit here.

Yes it does use the hash of the DER encoding of the subject name. I've
re-read my original response and I may have given the impression that it
used a hash of the whole certificate.

The actual hash is the first four bytes of the MD5 hash interpreted as a
big endian integer and returned as an unsigned long. This is presumably
because it can be represented as an 8 character hex string and can thus
fit into 8+3 filenames.

It's a bit broken for several reasons...

The script that normally creates these things "c_rehash" looks like it
will only ever create hashes ending in zero.

The code in get_cert_by_subject() in crypto/x509/x509_lu.c looks more
than a bit odd. It seems like it loads the first certificate with a
matching hash without attempting to check the subject name matches.

This method only works for lookup by subject name: any other kind of
lookup won't work. You could have multiple links but that would rapidly
get painful, particularly if you have to copy the certificate multiple
times due to a lack of symbolic links.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
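As an added illustration (not part of Steve's message or of the OpenSSL source), the following Python builds a small DER-encoded X.501 Name, derives the old-style subject hash from it and shows the "hash.N" file name that c_rehash would produce. The subject name, attribute values and the directory contents are all constructed for the example. One point to be aware of when checking the output: Steve describes the four bytes as a big-endian integer, but X509_NAME_hash in crypto/x509/x509_cmp.c ORs md[0] in as the least significant byte, and that little-endian form is what `openssl x509 -subject_hash_old` prints, so the hash function below takes the byte order as a parameter and defaults to the OpenSSL one. The lookup function adds the subject comparison that the message says get_cert_by_subject() omits, so a planted collision or a mislabelled file is rejected rather than loaded.

```python
import hashlib

# Everything in this file is a constructed illustration, not OpenSSL code.

# ---- minimal DER encoder, enough for an X.509 subject name ----

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """One DER element: tag, length, contents."""
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """OBJECT IDENTIFIER from dotted notation, e.g. '2.5.4.3' -> 06 03 55 04 03."""
    arcs = [int(a) for a in dotted.split('.')]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))


# Attribute types used by the sample names (standard X.520 OIDs).
ATTR_OIDS = {'C': '2.5.4.6', 'O': '2.5.4.10', 'CN': '2.5.4.3'}


def encode_name(rdns):
    """DER of an X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue.

    rdns is a list of (short_name, value) pairs; each becomes a one-element RDN,
    so DER's ordering rule for SET OF is trivially satisfied.
    """
    body = b''
    for short, value in rdns:
        string_tag = 0x13 if short == 'C' else 0x0C  # PrintableString for C, UTF8String otherwise
        atv = der_tlv(0x30, der_oid(ATTR_OIDS[short]) + der_tlv(string_tag, value.encode('utf-8')))
        body += der_tlv(0x31, atv)
    return der_tlv(0x30, body)


# ---- the hash described in the message ----

def subject_hash_old(name_der, byteorder='little'):
    """First four bytes of MD5 over the DER-encoded subject name as an unsigned 32-bit integer.

    OpenSSL's X509_NAME_hash puts md[0] in the least significant byte ('little');
    pass 'big' to get the ordering as worded in the message.
    """
    md = hashlib.md5(name_der).digest()
    return int.from_bytes(md[:4], byteorder)


def hash_filename(name_der, suffix=0):
    """Hashed-directory file name: 8 hex digits plus '.N' (fits 8+3); c_rehash only ever uses N=0."""
    return '%08x.%d' % (subject_hash_old(name_der), suffix)


def lookup_by_subject(store, wanted_der):
    """Hashed-directory lookup with the subject check the message says get_cert_by_subject() lacked.

    store maps file name -> DER subject of the certificate in that file (a dict stands in for
    the directory and for certificate parsing). Candidates are selected by hash prefix, then
    the DER subject is compared byte for byte, so a collision or a mislabelled file is rejected.
    """
    prefix = '%08x.' % subject_hash_old(wanted_der)
    return sorted(fname for fname, der in store.items()
                  if fname.startswith(prefix) and der == wanted_der)


if __name__ == '__main__':
    ca = encode_name([('C', 'XX'), ('O', 'Example Org'), ('CN', 'Example Root CA')])
    other = encode_name([('C', 'XX'), ('O', 'Example Org'), ('CN', 'Example Issuing CA')])
    print('subject hash (OpenSSL byte order):', hash_filename(ca))
    print('subject hash (as worded in the message):', '%08x' % subject_hash_old(ca, 'big'))
    # Constructed directory: the CA under its proper name, plus a file that merely
    # carries the same hash prefix (a deliberately planted collision/mislabel).
    store = {hash_filename(ca, 0): ca,
             hash_filename(ca, 1): other,
             hash_filename(other, 0): other}
    print('files accepted for the CA subject:', lookup_by_subject(store, ca))
```

Run it against a real certificate by feeding the DER of its subject (e.g. extracted with any ASN.1 tool) to subject_hash_old; the default byte order should agree with `openssl x509 -subject_hash_old -noout -in cert.pem`.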