[gnutls-devel] GnuTLS | RFC7250 Raw public keys (!650)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Nov 29 00:18:52 CET 2018


Tom commented on a discussion on lib/cert-cred-rawpk.c:

> + * #gnutls_certificate_credentials_t type to be used for authentication
> + * and/or encryption. @subject_public_key_info and @privkey should match
> + * otherwise set signatures cannot be validated. This function should
> + * be called once for the client because there is currently no mechanism
> + * to determine which raw public-key to select for the peer when there
> + * are multiple present. Multiple raw public keys for the server can be
> + * distinghuished by setting the @names.
> + *
> + * Note here that @subject_public_key_info is a raw public-key as defined
> + * in RFC7250. It means that there is no surrounding certificate that
> + * holds the public key and that there is therefore no direct mechanism
> + * to prove the authenticity of this key. The keypair can be used during
> + * a TLS handshake but its authenticity should be established via a
> + * different mechanism (e.g. TOFU or known fingerprint).
> + *
> + * The supported formats are basic unencrypted key, PKCS8, PKCS12,

I don't know a lot about these formats. Since I used the same function as the X509 routines to import the keys I also copied the same comment from these functions with respect to the supported formats.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_120908892
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181128/51698894/attachment-0001.html>


More information about the Gnutls-devel mailing list