Issue #4805 has been updated by Martin Bosslet.

Assignee changed from Martin Bosslet to Hiroshi NAKAMURA

Hiroshi NAKAMURA wrote:

>  They're using the hash of the name for c_rehash. You see files named
>  something like hex-encoded values in the certs dir of OpenSSL;
>  
>  d2adc77d.0@
>  d537fba6.0@
>  d78a75c7.0@
>  d8274e24.0@
>  ddc328ff.0@
>  
>  (e.g. /etc/ssl/certs/ in Ubuntu)
>  
>  For that purpose, the algorithm should be fixed, so they don't take a
>  Digester as a parameter for X509_NAME_hash and X509_NAME_hash_old, I guess.

OK, I see, thanks for the info! X509_NAME_hash(_old) has a special meaning
internally. I checked, there also exists X509_NAME_digest for the general 
purpose usage I was thinking of. It's also what they use internally to 
create the CertIDs in their OCSP implementation. 
  
>  Besides this, I don't know the reason why they changed the base digester
>  from MD5 to SHA1 at the version bump from 0.9.8 to 1.0.0.

I could imagine that they changed for some sort of security reasons - a lot
of official recommendations/guidelines advise to refrain from using MD5, so
it could be a political reason...
  

> I like 'X509::Name#hash' to be a wrapper of 'X509_NAME_hash' and
> 'X509::Name#hash_old' is for 'X509::Name::hash_old'. I prefer to have
> another name for hashing X509::Name if it's needed.

Now that I have a better understanding of the context I completely agree.
If we feel the need for a general-purpose method, we could probably also use
X509::Name#digest in analogy to OpenSSL.
 

If you'd like me to apply the patch, please feel free to reassign to me!

Regards,
Martin

----------------------------------------
Feature #4805: Add X509::Name#hash_old for 0.9.X compat
http://redmine.ruby-lang.org/issues/4805

Author: Hiroshi NAKAMURA
Status: Open
Priority: Normal
Assignee: Hiroshi NAKAMURA
Category: ext
Target version: 1.9.3


X509::Name#hash with OpenSSL 1.0.0 returns a different value than with OpenSSL 0.9.X.
The attached patch adds X509::Name#hash_old for when you need the same MD5-based X509_NAME_hash value as OpenSSL 0.9.X.

Martin, what do you think about adding it?


-- 
http://redmine.ruby-lang.org
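
The link names quoted above (`d2adc77d.0` and so on) can be recomputed from a certificate's subject, which shows whether a certs directory was hashed for OpenSSL 1.0.0+ or for 0.9.X. This is an added example, not code from the issue or the attached patch; `link_name`, `audit_cert_dir`, `sample_cert` and `demo` are hypothetical helpers, and the certificate and directory are constructed for the demonstration.

```ruby
require "openssl"
require "tmpdir"

# Link name c_rehash derives from a subject: 8 hex digits of the name
# hash plus a collision index. :old selects the MD5-based 0.9.X value.
def link_name(name, style: :new, index: 0)
  value = style == :old ? name.hash_old : name.hash
  format("%08x.%d", value, index)
end

# Classify each "<8 hex>.<n>" entry in dir by which hash of the
# contained certificate's subject its name matches.
def audit_cert_dir(dir)
  Dir.children(dir).sort.grep(/\A\h{8}\.\d+\z/).each_with_object({}) do |entry, out|
    cert = OpenSSL::X509::Certificate.new(File.read(File.join(dir, entry)))
    stem = entry[0, 8]
    out[entry] =
      if stem == link_name(cert.subject)[0, 8] then :new
      elsif stem == link_name(cert.subject, style: :old)[0, 8] then :old
      else :mismatch
      end
  end
end

# Constructed self-signed certificate, used only as sample input.
def sample_cert(subject)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end

# Build a throwaway directory with a new-style, an old-style and a
# wrongly named entry (plain copies here; c_rehash makes symlinks).
def demo
  Dir.mktmpdir do |dir|
    cert = sample_cert("/C=JP/O=Example/CN=Constructed Test CA")
    names = [link_name(cert.subject), link_name(cert.subject, style: :old), "deadbeef.0"]
    names.each { |n| File.write(File.join(dir, n), cert.to_pem) }
    audit_cert_dir(dir)
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

An entry reported as `:old` is only found by an OpenSSL 0.9.X lookup, and one reported as `:mismatch` is not found under either hash.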