[PATCH] Provide a gnutls_x509_crt_verify_hash

Simon Josefsson simon at josefsson.org
Thu Apr 23 16:50:34 CEST 2009

Cedric BAIL <moa.bluebugs at gmail.com> writes:

> Hi,
>    I am currently using gnutls_x509_crt_verify_data to check the
> signature of a file generated with a GNUTLS_DIG_SHA1. After that I
> compare the SHA1 of the file in a database. So with the current API I
> wasn't able to find a way to do SHA1 computation only one time.

I'm going back and trying to understand your actual use-case here... why
don't you use a detached OpenPGP or CMS signature?  I'm not sure it is a
good idea to add the API to GnuTLS.  It may encourage people to do
things which lead to poor security.  File signatures using a X.509
certificate isn't as simple as doing a public key signature on it and
storing the hash.  OpenPGP/CMS was designed to solve those problems.


More information about the Gnutls-devel mailing list