[gnutls-devel] gnutls_certificate_verify_peers* question

Jaak Ristioja jaak.ristioja at cyber.ee
Tue Feb 19 14:49:54 CET 2013


On 19.02.2013 14:05, Nikos Mavrogiannopoulos wrote:
> On Tue, Feb 19, 2013 at 10:10 AM, Jaak Ristioja <jaak.ristioja at cyber.ee> wrote:
>> Hello!
>> If I use the gnutls_certificate_verify_peers2() or
>> gnutls_certificate_verify_peers3() functions in the callback set using
>> gnutls_certificate_set_verify_function(), do those functions also verify
>> that the peer has the private key corresponding to the public key in the
>> certificate, or is it done elsewhere outside of the callback?
> 
> Hello,
>  For simplicity I'll focus on the signing ciphersuites. In that case,
> during the handshake you receive a message from the peer that contains
> handshake parameters (it is the random nonces and DH params in server
> side) that are signed. This message is verified in gnutls_handshake()
> directly (i.e. you have no say on that). If that succeeds the callback
> takes control and verifies whether the parameters (i.e. the
> certificate) used in the previous signature verification are
> acceptable.

Do I understand it correctly, that once the callback (set using
gnutls_certificate_set_verify_function) is called during handshake, it
has already been verified that the peer holds the private key for the
public key in the certificate the peer provides?

Thanks,
Jaak



