OpenSSL::X509 hash mystifications

When doing peer certificate verifications, one should save the ca_certs
in the ca_path in a filename that matches the "hash" of the ca_cert with
the extension '.0'. This works ONLY if you calculate the hash from the
commandline. HOW DO YOU calculate the 'correct' hash from ruby?

Doing the hash-calculation on the commandline like this
  openssl x509 -hash -in ca_cert.pem

gives the result '4890865b'. Saving the cert as '4890865b.0' in the
ca_path works fine when doing verify peer.

But. Calculating the hash from ruby does not give the same answer.

cert = OpenSSL::X509::Certificate.new File.read("ca_cert.pem")

puts cert.hash gives 3237948
printf "%x\n",cert.hash gives 31683c
puts cert.to_der.hash gives 1024038690
printf "%x\n",cert.to_der.hash gives 3d099722
puts cert.to_pem.hash gives 583322971
printf "%x\n",cert.to_pem.hash gives 22c4cd5b

So. Which hash am I supposed to calculate in ruby that gives 4890865b?

-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIBADANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzEN
MAsGA1UECgwEbnNmdzERMA8GA1UECwwIbnNmdy5zY2ExCzAJBgNVBAMMAkNBMB4X
DTA1MDMyMTE2MDYyNloXDTEwMDMyMTE2MDYyNlowPDELMAkGA1UEBhMCVVMxDTAL
BgNVBAoMBG5zZncxETAPBgNVBAsMCG5zZncuc2NhMQswCQYDVQQDDAJDQTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALaGZXzsf5xsyZZhT6SD2SD5R19W
UD8yuETMR2PfQ8X4Mrb30EDOOzyGGfQHYWziiM2gQDUIcv1SwTx/5FI5fTALY+pH
+edZchM+XaNLR7YeB5Hcv8fxU3nXNl76RM6ZZeM9lZ88JgRtlAYxMe6OWqMW+Ix2
snxch3owLgakvq7PQW5LPHD7JFiFOa3zo76ufrrJrooc1+6G91LqS4I1wLVyJ4KB
ljxRxUC+xw18sTlwx1tTBzuoT46eRSm6WkXqkIZSKma5KOE5CRKdDAw7LELZv13d
cxGwohX/CN8AznYiIaZ/6YH1Lsa5e4CAochIAq+4Ilr9wGYUgPbxCOmOxcsCAwEA
AaOB3DCB2TAPBgNVHRMBAf8EBTADAQH/MDEGCWCGSAGG+EIBDQQkFiJSdWJ5L09w
ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTc6Acd1pSILACY
cEy99uNrILEMIDAOBgNVHQ8BAf8EBAMCAQYwZAYDVR0jBF0wW4AU3OgHHdaUiCwA
mHBMvfbjayCxDCChQKQ+MDwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQKDARuc2Z3MREw
DwYDVQQLDAhuc2Z3LnNjYTELMAkGA1UEAwwCQ0GCAQAwDQYJKoZIhvcNAQEFBQAD
ggEBAFr1e8/TgwCF8/a+D8ZKH97Wj5T6mP9qI1puANCle3tgowCKSm/0LN7wKCmy
HmtWOFfdKdOoApY53i+sB/SaElXBMef3a452k4rt2J3LMoSMtdFRG0VyyQBwkU7y
npQlO3SMtt/pj65k9ymKXVihT84PzuNh51G17Pd9cVqzPkguRvqNwzenXb9ycA8e
ugWy9zscuyEzQocjhzATTWDl8IJEwz3ygEciPmMrF48Oo0/Kn4r+Gw5FZB93bXqm
UsHLI1K/YqEJoEJ2R20COiCH+B7dCu6lnXSikbYTFOkxsrRS5Dqp5RhDruDMrUH4
GJJc4Ix4estT601xChOWfteC4Gg=
-----END CERTIFICATE-----

-- magnus

Arrgh. Found it immediately after.
It is

printf "%x", cert.issuer.hash

(Sorry for the noise. At least this goes into the archives for future use)

-- magnus

···

On Tue, Mar 22, 2005 at 04:10:09AM +0900, Magnus Bodin wrote:

> So. Which hash am I supposed to calculate in ruby that gives 4890865b?

Isn't the extension intended for dealing with collisions?

I.e. what are you supposed to do when you have two certificates in the
same "store" with the same hash, but entirely different DN's?
Increment it to .1?

Just curious,
Leon

···

On Tue, 22 Mar 2005 04:10:09 +0900, Magnus Bodin <magnus@bodin.org> wrote:

> When doing peer certificate verifications, one should save the ca_certs
> in the ca_path in a filename that matches the "hash" of the ca_cert with
> the extension '.0'. This works ONLY if you calculate the hash from the
> commandline. HOW DO YOU calculate the 'correct' hash from ruby?

Yes.

As it says in the openssl srcdocs; (doc/ssl/SSL_CTX_load_verify_locations.pod)

"If more than one CA certificate with the same name hash value exist, the
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
is performed in the ordering of the extension number, regardless of other
properties of the certificates."

-- magnus

···

On Wed, Mar 30, 2005 at 03:21:36PM +0900, leon breedt wrote:

> I.e. what are you supposed to do when you have two certificates in the
> same "store" with the same hash, but entirely different DN's?
> Increment it to .1?