[gnutls-dev] External signing API

Simon Josefsson simon at josefsson.org
Mon Aug 13 13:04:33 CEST 2007

"Alon Bar-Lev" <alon.barlev at gmail.com> writes:

> On 8/12/07, Simon Josefsson <simon at josefsson.org> wrote:
>> > 3. What do you expect the cert_type to be used? Can't it queried out the cert?
>> No, the cert may be a PGP key, and this needs to be indicated somehow.
>> I haven't tested that PGP signing works through this interface yet, but
>> I think it makes sense to have cert_type there in case we support
>> external signing for PGP keys in the future.
> I don't understand why the type is not part of the certificate object...
> type = gnutls_get_cert_type (cert);
> This should be much cleaner than passing two variable to each method.

The cert in the sign callback is 'gnutls_datum_t', i.e., a raw binary
blob with the X.509 certificate or OpenPGP key.  Binary data doesn't
know its own type, so it needs an out-of-band signal to denote the kind
of data it is.

There is no function gnutls_get_cert_type(binary_blob) that guesses
whether some binary blob is X.509 or OpenPGP, is adding such a function
what you are proposing?  It seems rather fragile to me.

Btw, I reviewed the call-path for PGP authentication, and it seems this
callback function should function right now, if someone can write a
OpenPGP callback signer.  I added gnutls_openpgp_privkey_sign_hash that
should be useful in the callback function.  I'm not sure how useful this
will be though.


More information about the Gnutls-devel mailing list