[gnutls-devel] GnuTLS | RFC7250 Raw public keys (!650)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Nov 27 15:44:58 CET 2018


Nikos Mavrogiannopoulos started a new discussion on lib/cert-cred-rawpk.c:

> + * #gnutls_certificate_credentials_t type to be used for authentication
> + * and/or encryption. @subject_public_key_info and @privkey should match
> + * otherwise set signatures cannot be validated. This function should
> + * be called once for the client because there is currently no mechanism
> + * to determine which raw public-key to select for the peer when there
> + * are multiple present. Multiple raw public keys for the server can be
> + * distinghuished by setting the @names.
> + *
> + * Note here that @subject_public_key_info is a raw public-key as defined
> + * in RFC7250. It means that there is no surrounding certificate that
> + * holds the public key and that there is therefore no direct mechanism
> + * to prove the authenticity of this key. The keypair can be used during
> + * a TLS handshake but its authenticity should be established via a
> + * different mechanism (e.g. TOFU or known fingerprint).
> + *
> + * The supported formats are basic unencrypted key, PKCS8, PKCS12,

If the PKCS#12 or PKCS#8 file have the necessary parameters to determine the public key, would I need to specify a separate public key?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_120442991
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181127/0205e781/attachment.html>


More information about the Gnutls-devel mailing list