TLS 1.2 with standard signature? Why hash->size == 36??
Carolin Latze
carolin.latze at unifr.ch
Thu Nov 26 14:31:22 CET 2009
Hi Simon,
yup, it is perfectly working now (I tested with 2.9.10)! Thanks a lot
for fixing that!!!
Cheers
Carolin
Simon Josefsson wrote:
> Carolin,
>
> I just re-ran the x509signself self-test with gnutls 2.9.x and the hash
> size passed to the function is now 20 bytes. I suppose GnuTLS adds the
> right PKCS#1 ASN.1 OID internally. It occurs to me that perhaps the
> callback should receive the entire PKCS#1 blob, to avoid having the
> callback reconstruct it, instead of just the hash value, but maybe this
> is sufficient to make things work for you? I'll release 2.9.9 in a few
> minutes with some minor fixes, please test it.
>
> /Simon
>
> Carolin Latze <carolin.latze at unifr.ch> writes:
>
>
>> Hi Simon,
>>
>> I tried to use TLS 1.2 with and without sign callback, and I still see a
>> signature of 36 bytes... Even if there is a leading SHA-1 OID, shouldn't
>> it be max 35 then? Maybe we should check, whether I check the right
>> variables:
>>
>> In gnutls_sig.c, method _gnutls_tls_sign_hdata, there is a structure
>> called dconcat. dconcat.size holds the hash size, right? and
>> dconcat.data should hold the hash itself? dconcat.size has a value of 36
>> for me...
>>
>> If I use the sign callback, I print the value of hash->size (=36) and
>> hash->data (cannot see the OID included in that value, so for me it
>> looks like it is really not SHA-1 only).
>>
>> Maybe I check the wrong values?
>>
>> BTW: I used the latest Snapshot, 2.9.8 to test it.
>>
>> Sorry... :-/
>> Carolin
>>
>> Simon Josefsson wrote:
>>
>>> Carolin Latze <carolin.latze at unifr.ch> writes:
>>>
>>>
>>>
>>>> Hi all,
>>>>
>>>> according to RFC 5246, TLS 1.2 should use a standard signature, but if
>>>> I enable TLS 1.2 in GnuTLS and print out the hash size it says
>>>> 36... that does not sound like a standard signature.. I would expect
>>>> something like 20 for SHA1. Am I wrong?
>>>>
>>>>
>>> Hi! With GnuTLS 2.9.7 I hope this should work better -- could you take
>>> a look? It should have more solid TLS 1.2 support.
>>>
>>> Thanks,
>>> Simon
>>>
>>>
--
Carolin Latze
PhD Student ICT Engineer
Department of Computer Science Swisscom Strategy and Innovation
Boulevard de Pérolles 90 Ostermundigenstrasse 93
CH-1700 Fribourg CH-3006 Bern
phone: +41 26 300 83 30 +41 79 72 965 27
homepage: http://diuf.unifr.ch/people/latzec
More information about the Gnutls-help
mailing list