[Help-gnutls] Need a little help with gnutls_certificate_server_set_retrieve_function

Nikos Mavroyanopoulos nmav at gnutls.org
Fri Jul 30 23:59:02 CEST 2004


On Saturday 31 July 2004 00:17, Gergely Nagy wrote:
> Hi!

> In the documentation, one can read this:
> gnutls_certificate_server_set_retrieve_function
> ...
> This function sets a callback to be called in order to retrieve the
> certificate to be used in the handshake. The callback's function
> prototype is: int (*callback)(gnutls_session, const gnutls_datum*
> req_ca_dn, int nreqs, gnutls_pk_algorithm* pk_algos, int
> pk_algos_length, gnutls_retr_st st);
Ooops. This is the prototype for the client side. It seems I copied
the above documentation and I missed that.

> However, the gnutls/gnutls.h header contains:
> typedef int gnutls_certificate_server_retrieve_function(gnutls_session,
>         gnutls_retr_st *);
This is the correct one.

> Which is a wee-bit different. I checked the gnutls_retr_st structure,
> and to be honest, I cannot figure out how my program is supposed to
> select the appropriate certificate - or how to get the information to
> begin with..

The gnutls-cli program in the cvs uses this callback.
See 
http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/gnutls/src/cli.c?rev=2.241&cvsroot=GNU+TLS+Library&content-type=text/vnd.viewcvs-markup

In brief, to fill the retr_st structure you need to specify
the certificate you're returning in type, the number
of certificates in ncerts, the actual certificate list
in cert.x509 (or cert.pgp), and the corresponding private key
in key.x509 (or key.pgp).

Note that the certificates are of type gnutls_x509_crt
which means you'll need to import your certificates in this
format using gnutls_x509_crt_import() and gnutls_x509_privkey_import()
for x509.

This might be more of a burden, although it does not demand
loading any certificates and keys in the credentials structure.
But the main reason I changed the callback is that this one does not
force you to parse all the loaded DER encoded certificates
to select one. That is, you could have already mapped certain
certificates to hostnames, so once in the callback you send
the appropriate one with no DER parsing taking place.

> Thanks,

-- 
Nikos Mavroyanopoulos
