[gnutls-dev] External signing API

Simon Josefsson simon at josefsson.org
Tue Aug 14 11:39:21 CEST 2007

"Alon Bar-Lev" <alon.barlev at gmail.com> writes:

> On 8/12/07, Simon Josefsson <simon at josefsson.org> wrote:
>> > 3. What do you expect the cert_type to be used for? Can't it be queried out of the cert?
>> No, the cert may be a PGP key, and this needs to be indicated somehow.
>> I haven't tested that PGP signing works through this interface yet, but
>> I think it makes sense to have cert_type there in case we support
>> external signing for PGP keys in the future.
> Wow... I was so confused!
> Providing certificate as blob will force the routine to parse it...
> This takes a lot of resources... If you wish to pass the certificate,
> it should be already parsed.

Not all application callbacks will need to parse it.  The parsing needs
to happen somewhere, and if the application doesn't do it, GnuTLS would
have to do it.  With the current approach, the application can choose
whether to parse it or not.  Only the application knows whether it needs
to parse the certificate.

Oh, and parsing is not that complicated, gnutls-cli in the old pkcs11
branch did this:

  if (verbose)
    {
      int ret;
      gnutls_datum_t out;
      gnutls_x509_crt_t crt;

      ret = gnutls_x509_crt_init (&crt);
      if (ret < 0)
        return ret;

      /* cert is the DER blob handed to the callback. */
      ret = gnutls_x509_crt_import (crt, cert, GNUTLS_X509_FMT_DER);
      if (ret < 0)
        {
          /* Release the certificate structure on the error path too. */
          gnutls_x509_crt_deinit (crt);
          return ret;
        }

      ret = gnutls_x509_crt_print (crt, GNUTLS_X509_CRT_ONELINE, &out);
      if (ret < 0)
        {
          gnutls_x509_crt_deinit (crt);
          return ret;
        }

      printf ("*** PKCS#11 signing using credential: %s\n", out.data);

      gnutls_free (out.data);
      gnutls_x509_crt_deinit (crt);
    }

That's all that is required.  It takes some resources, but I don't think
it is a lot compared to other operations (network latency, RSA/DSA
signing operations, ...).

> But anyway... Why do you need the public part for signature anyway?

To find which private key should be used.  The application may have
multiple user certificates and private keys.  Without knowing which user
certificate should be used, the application can't select the appropriate

> I guess the private key will be more useful...

The idea with the external signing interface is that GnuTLS shouldn't
have to deal with private keys.  If you want to trust your private keys
to GnuTLS, you can use the normal APIs which are in use today.

> But correct me if I am wrong here... Having the session handle allows
> you to pull these two anyway, right?

Hm, yes, you probably could.  But it seems more elegant to provide the
callback with the data it needs to do its job.  The callback doesn't
have to use the data.
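
The point made in this message, that a callback can pick the private key from the certificate blob without parsing it, shown as an added example (not code from the original post or from GnuTLS). The types, the function `select_key_handle`, the key handles and the sample blobs are hypothetical stand-ins, not the library's API.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the library's types, so this compiles alone. */
typedef enum { CERT_X509 = 1, CERT_OPENPGP = 2 } cert_type_t;
typedef struct { const unsigned char *data; size_t size; } datum_t;

/* One credential the application holds: the public blob it configured,
   plus an opaque handle to the private key (e.g. a token slot).
   The private key itself never enters this table. */
typedef struct {
  cert_type_t type;
  datum_t cert;
  int key_handle;
} credential_t;

/* Constructed sample blobs, not real certificates or keys. */
static const unsigned char alice_der[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char bob_der[]   = { 0x30, 0x03, 0x02, 0x01, 0x02 };
static const unsigned char alice_pgp[] = { 0x99, 0x01, 0x0d, 0x04 };

static const credential_t creds[] = {
  { CERT_X509,    { alice_der, sizeof alice_der }, 11 },
  { CERT_X509,    { bob_der,   sizeof bob_der },   12 },
  { CERT_OPENPGP, { alice_pgp, sizeof alice_pgp }, 21 },
};

/* Return the key handle for the credential passed to the callback, or -1.
   Type and length are compared before memcmp, so a truncated blob or a
   blob of the wrong type can never match a stored credential. */
int select_key_handle (cert_type_t type, const datum_t *cert)
{
  size_t i;

  if (cert == NULL || cert->data == NULL || cert->size == 0)
    return -1;

  for (i = 0; i < sizeof creds / sizeof creds[0]; i++)
    if (creds[i].type == type
        && creds[i].cert.size == cert->size
        && memcmp (creds[i].cert.data, cert->data, cert->size) == 0)
      return creds[i].key_handle;

  return -1;   /* unknown credential: refuse to sign */
}
```

A callback that gets -1 back should return an error instead of signing with a default key.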

