[gnutls-dev] External signing API
Simon Josefsson
simon at josefsson.org
Fri Aug 10 15:52:28 CEST 2007
"Alon Bar-Lev" <alon.barlev at gmail.com> writes:
> Hi!
>
> You need a way get the userdata (gnutls_sign_callback_get).
Hi! The userdata is passed to the callback, see the prototype. Do you
think another function is needed anyway?
> I guess integrating between certificate and private key to a single
> object will take time... But it will be the simplest solution as they
> are the same entity.
Yeah, I think the callback is in the best position to select the best
key, by looking at the certificate. Anyway, I don't see how GnuTLS
could implement that choice easily.
> Please also add something like:
> #define GNUTLS_E_LIBEXTESION_DEFINED_BASE -2000
> #define GNUTLS_E_USER_DEFINED_BASE -3000
>
> So that external library/user may define its own set of codes.
Hm, exactly what use do you see for this? Returning various different
PKCS#11 errors? That makes sense...
However, the return code from the signing callback influence the TLS
handshake logic, some return codes leads to disconnect, some don't
(although I'm having a hard time understanding how the state machine
would recover). See gnutls_error_is_fatal. Looking at that function,
it seems it has the wrong default: if an error code isn't known to
gnutls, it is classified as non-fatal. That is likely incorrect, the
internal logic needs to understand how to recover from non-fatal error
cases, and will thus need to know about the error code. I've changed
this.
/Simon
>
> Best Regards,
> Alon Bar-Lev.
>
> On 8/10/07, Simon Josefsson <simon at josefsson.org> wrote:
>> I'm now finally working on integrating the external signing API into the
>> main branch. Here is what I've came up with API-wise. The names are
>> intentionally slightly different from any other existing namespace since
>> this is an experimental interface. Do you need any other parameters?
>>
>> /* External signing callback. Experimental. */
>> typedef int (*gnutls_sign_func) (gnutls_session_t session,
>> void *userdata,
>> gnutls_certificate_type_t cert_type,
>> gnutls_datum_t cert,
>> const gnutls_datum_t hash,
>> gnutls_datum_t * signature);
>>
>> void gnutls_sign_callback_set (gnutls_session_t session,
>> gnutls_sign_func sign_func,
>> void *userdata);
>>
>> Thanks,
>> Simon
>>
>> _______________________________________________
>> Gnutls-dev mailing list
>> Gnutls-dev at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnutls-dev
>>
More information about the Gnutls-dev
mailing list