[gnutls-dev] External signing API

Simon Josefsson simon at josefsson.org
Fri Aug 10 15:52:28 CEST 2007


"Alon Bar-Lev" <alon.barlev at gmail.com> writes:

> Hi!
>
> You need a way to get the userdata (gnutls_sign_callback_get).

Hi!  The userdata is passed to the callback, see the prototype.  Do you
think another function is needed anyway?

> I guess integrating between certificate and private key to a single
> object will take time... But it will be the simplest solution as they
> are the same entity.

Yeah, I think the callback is in the best position to select the best
key, by looking at the certificate.  Anyway, I don't see how GnuTLS
could implement that choice easily.

> Please also add something like:
> #define GNUTLS_E_LIBEXTESION_DEFINED_BASE -2000
> #define GNUTLS_E_USER_DEFINED_BASE -3000
>
> So that external library/user may define its own set of codes.

Hm, exactly what use do you see for this?  Returning various different
PKCS#11 errors?  That makes sense...

However, the return code from the signing callback influences the TLS
handshake logic; some return codes lead to disconnect, some don't
(although I'm having a hard time understanding how the state machine
would recover).  See gnutls_error_is_fatal.  Looking at that function,
it seems it has the wrong default: if an error code isn't known to
gnutls, it is classified as non-fatal.  That is likely incorrect, the
internal logic needs to understand how to recover from non-fatal error
cases, and will thus need to know about the error code.  I've changed
this.

/Simon

>
> Best Regards,
> Alon Bar-Lev.
>
> On 8/10/07, Simon Josefsson <simon at josefsson.org> wrote:
>> I'm now finally working on integrating the external signing API into the
>> main branch.  Here is what I've came up with API-wise.  The names are
>> intentionally slightly different from any other existing namespace since
>> this is an experimental interface.  Do you need any other parameters?
>>
>>   /* External signing callback.  Experimental. */
>>   typedef int (*gnutls_sign_func) (gnutls_session_t session,
>>                                    void *userdata,
>>                                    gnutls_certificate_type_t cert_type,
>>                                    gnutls_datum_t cert,
>>                                    const gnutls_datum_t hash,
>>                                    gnutls_datum_t * signature);
>>
>>   void gnutls_sign_callback_set (gnutls_session_t session,
>>                                  gnutls_sign_func sign_func,
>>                                  void *userdata);
>>
>> Thanks,
>> Simon
>>
>> _______________________________________________
>> Gnutls-dev mailing list
>> Gnutls-dev at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnutls-dev
>>
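The point Simon raises about gnutls_error_is_fatal is easy to see in a small model. The following is an added example, not GnuTLS code: it mirrors the shape of the proposed signing callback with locally defined ex_* types, models the "unknown code is non-fatal" default beside the corrected one, and uses a constructed callback that reports a code from the proposed user-defined range. Only the -3000 base is taken from the thread; every other constant, name and value is an assumption made for illustration.

```c
/* Added example, not GnuTLS code: a self-contained model of the signing
 * callback and of the "unknown error code" classification discussed above.
 * ex_* names and the negative values below are constructed for illustration;
 * only EX_E_USER_DEFINED_BASE (-3000) is taken from the proposal in the mail. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EX_E_AGAIN             -28    /* constructed: transient, retry */
#define EX_E_INTERRUPTED       -52    /* constructed: transient, retry */
#define EX_E_USER_DEFINED_BASE -3000  /* base for user/library codes, per the proposal */
#define EX_E_TOKEN_ABSENT      (EX_E_USER_DEFINED_BASE - 5) /* constructed user code */

typedef struct { unsigned char *data; unsigned int size; } ex_datum_t;

/* Shape of the callback mirrors the proposed gnutls_sign_func, minus the
 * session and certificate parameters that this model does not need. */
typedef int (*ex_sign_func)(void *userdata, const ex_datum_t *hash,
                            ex_datum_t *signature);

/* Wrong default described in the mail: codes the library does not know are
 * treated as non-fatal, so the handshake tries to carry on without a signature. */
int ex_error_is_fatal_old(int err)
{
    if (err >= 0)
        return 0;
    switch (err) {
    case EX_E_AGAIN:
    case EX_E_INTERRUPTED:
        return 0;
    default:
        return 0;   /* the bug: unknown == recoverable */
    }
}

/* Corrected default: only codes the state machine knows how to recover from
 * are non-fatal; anything else, including user-defined codes, aborts. */
int ex_error_is_fatal_new(int err)
{
    if (err >= 0)
        return 0;
    switch (err) {
    case EX_E_AGAIN:
    case EX_E_INTERRUPTED:
        return 0;
    default:
        return 1;
    }
}

/* Constructed callback standing in for a PKCS#11 token that is not present:
 * it reports a library-specific code from the user-defined range. */
int ex_sign_token_absent(void *userdata, const ex_datum_t *hash,
                         ex_datum_t *signature)
{
    (void)hash; (void)signature;
    int *calls = userdata;      /* userdata reaches the callback as-is */
    (*calls)++;
    return EX_E_TOKEN_ABSENT;
}

/* Constructed callback that "signs" by reversing the hash bytes so the
 * output is checkable; a real callback would hand the hash to the token. */
int ex_sign_reverse(void *userdata, const ex_datum_t *hash, ex_datum_t *signature)
{
    (void)userdata;
    signature->data = malloc(hash->size);
    if (signature->data == NULL)
        return EX_E_USER_DEFINED_BASE - 1;  /* constructed: allocation failure */
    for (unsigned int i = 0; i < hash->size; i++)
        signature->data[i] = hash->data[hash->size - 1 - i];
    signature->size = hash->size;
    return 0;
}

/* One handshake step that needs a signature.  Returns 0 on success, 1 when
 * the handshake must abort, 2 when the classifier says "retry later". */
int ex_handshake_sign_step(ex_sign_func sign, void *userdata,
                           int (*is_fatal)(int),
                           const ex_datum_t *hash, ex_datum_t *signature)
{
    int rc = sign(userdata, hash, signature);
    if (rc == 0)
        return 0;
    return is_fatal(rc) ? 1 : 2;
}

int main(void)
{
    unsigned char h[4] = { 1, 2, 3, 4 };          /* constructed "hash" */
    ex_datum_t hash = { h, sizeof h }, sig = { NULL, 0 };
    int calls = 0;
    printf("old classifier, token absent: %d\n",
           ex_handshake_sign_step(ex_sign_token_absent, &calls,
                                  ex_error_is_fatal_old, &hash, &sig));
    printf("new classifier, token absent: %d\n",
           ex_handshake_sign_step(ex_sign_token_absent, &calls,
                                  ex_error_is_fatal_new, &hash, &sig));
    printf("working callback: %d\n",
           ex_handshake_sign_step(ex_sign_reverse, NULL,
                                  ex_error_is_fatal_new, &hash, &sig));
    free(sig.data);
    return 0;
}
```

With the old default, a callback that could not produce a signature yields "retry later" and the handshake keeps going with no signature in hand; with the corrected default the same code aborts the handshake. That is why a user-defined code range only works safely once unknown codes default to fatal.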
