> Its a bit broken for several reasons...
>
> The script that normally creates these things "c_rehash" looks like it
> will only ever create hashes ending in zero.
That can't be true:
11/05/99 3:15 1,314 23dbf167.0
12/09/99 0:54 4,306 37bb5c86.0
The .0 which is appended to the hash is used to differentiate
certificates from CRLs which get a .r appended to them.
> The code in get_cert_by_subject() in crypto/x509/x509_lu.c looks more
> than a bit odd. It seems like it loads the first certificate with a
> matching hash without attempting to check the subject name matches.
That could be because when symbolic links are used there can't be more
than one certificate that matches. This needs to be fixed.
> This method only works for lookup by subject name: any other kind of
> lookup wont work. You could have multiple links but that would rapidly
> get painful, particularly if you have to copy the certificate multiple
> times due to a lack of symbolic links.
Clearly, the use of the hash for file names is a nice trick that only
works well with small numbers of certificates. When you start to deal
with large numbers of certificates you want to be storing the certs
and crls in a database. Not a file system.
Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
