A request for some additional hashes....  I would submit some
patches myself, but this stuff is so simple it would probably 
take longer to verify my patches than to code them directly. :-)

The hashes are mentioned in draft-ietf-pkix-certstore-http-00.txt,
available at http://www.imc.org/draft-ietf-pkix-certstore-http.
This is a draft for accessing a certificate store via HTTP, fleshing
out RFC 2585 by detailing that you can use something like

   http://ca.example.com/certsearch?email="[EMAIL PROTECTED]";

or

   http://ca.example.com/crlsearch?name="Bob Smith"

to get all matching certs or CRLs with the obvious patterns 
(subject email or common name).  Four additional search keys 
specified are:

   iHash     base64-encoded SHA-1 hash of the certificate's issuerName

   iAndSHash base64-encoded SHA-1 hash of certificate's
                         issuerAndSerialNumber [RFC2630]

   sHash     base64-encoded SHA-1 hash of the certificate's subjectName

   sKID      base64-encoded certificate subjectKeyIdentifier

and by obvious extension,

   aKID      base64-encoded certificate authorityKeyIdentifier keyid

The draft also mentions a base-64 encoded SHA-1 cert hash ("fingerprint")
as a possible search key.  iHash and sHash can be implemented as a
variant of crypto/x509/x509_cmp.c, and sKID and aKID are obvious
additions to the respective files in crypto/x509v3.  iAndSHash is 
the only one that doesn't have an immediate analogue (AFAIK).

In response, the server returns a (multipart) MIME message with
content types "application/pkix-cert" or "application/pkix-crl".
A trivial change will return "application/x-x509-user" and
"application/x-x509-ca" for Netscape users.

My libpkixpq library has already been modified to compute all but
iAndSHash, and I hope to contribute a proof-of-principle java servlet
that implements this draft by early next week.  So I don't need the
hashes for my code, but it would make life easier for someone
querying the certstore. :-)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
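
The search keys described in the post, as an added example that is not part of the original message, libpkixpq, or OpenSSL: the stdlib-only DER helpers stand in for what i2d_X509_NAME would produce, the CN-only Names and the serial are constructed samples, and it is assumed that iHash/sHash are SHA-1 over the DER encoding of the Name and that iAndSHash is SHA-1 over the RFC 2630 IssuerAndSerialNumber SEQUENCE.

```python
import base64
import hashlib

def der_length(n):
    # Short form below 128, long form otherwise (DER requires the minimal form).
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(value):
    # Minimal-length two's complement; a leading 0x00 keeps the sign bit clear.
    if value < 0:
        raise ValueError("serial numbers are non-negative")
    return der_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def der_name_cn(common_name):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (sample: CN only).
    oid_cn = der_tlv(0x06, bytes([0x55, 0x04, 0x03]))      # id-at-commonName 2.5.4.3
    value = der_tlv(0x13, common_name.encode("ascii"))      # PrintableString
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, oid_cn + value)))

def issuer_and_serial_number(issuer_der, serial):
    # IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber INTEGER } [RFC 2630]
    return der_tlv(0x30, issuer_der + der_integer(serial))

def b64_sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def search_keys(issuer_der, subject_der, serial, skid=None, akid=None):
    # iHash/sHash hash the Name DER; iAndSHash hashes the RFC 2630 structure;
    # sKID/aKID are the raw KeyIdentifier octets from the extensions, base64 encoded.
    keys = {
        "iHash": b64_sha1(issuer_der),
        "sHash": b64_sha1(subject_der),
        "iAndSHash": b64_sha1(issuer_and_serial_number(issuer_der, serial)),
    }
    if skid is not None:
        keys["sKID"] = base64.b64encode(skid).decode("ascii")
    if akid is not None:
        keys["aKID"] = base64.b64encode(akid).decode("ascii")
    return keys

if __name__ == "__main__":
    # Constructed sample: issuer CN=Test CA, subject CN=Bob Smith, serial 0x80.
    print(search_keys(der_name_cn("Test CA"), der_name_cn("Bob Smith"), 0x80, skid=bytes(range(20))))
```

Each value drops straight into the draft's query form, e.g. certsearch?iHash="...", with the usual URL escaping of base64's '+' and '/' characters.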