[gnutls-dev] External signing API
simon at josefsson.org
Fri Aug 10 15:52:28 CEST 2007
"Alon Bar-Lev" <alon.barlev at gmail.com> writes:
> You need a way to get the userdata (gnutls_sign_callback_get).
Hi! The userdata is passed to the callback, see the prototype. Do you
think another function is needed anyway?
> I guess integrating between certificate and private key to a single
> object will take time... But it will be the simplest solution as they
> are the same entity.
Yeah, I think the callback is in the best position to select the best
key, by looking at the certificate. Anyway, I don't see how GnuTLS
could implement that choice easily.
> Please also add something like:
> #define GNUTLS_E_LIBEXTENSION_DEFINED_BASE -2000
> #define GNUTLS_E_USER_DEFINED_BASE -3000
> So that external library/user may define its own set of codes.
Hm, exactly what use do you see for this? Returning various different
PKCS#11 errors? That makes sense...
However, the return code from the signing callback influences the TLS
handshake logic: some return codes lead to a disconnect, some don't
(although I'm having a hard time understanding how the state machine
would recover). See gnutls_error_is_fatal. Looking at that function,
it seems it has the wrong default: if an error code isn't known to
gnutls, it is classified as non-fatal. That is likely incorrect, the
internal logic needs to understand how to recover from non-fatal error
cases, and will thus need to know about the error code. I've changed
> Best Regards,
> Alon Bar-Lev.
> On 8/10/07, Simon Josefsson <simon at josefsson.org> wrote:
>> I'm now finally working on integrating the external signing API into the
>> main branch. Here is what I've came up with API-wise. The names are
>> intentionally slightly different from any other existing namespace since
>> this is an experimental interface. Do you need any other parameters?
>> /* External signing callback. Experimental. */
>> typedef int (*gnutls_sign_func) (gnutls_session_t session,
>> void *userdata,
>> gnutls_certificate_type_t cert_type,
>> gnutls_datum_t cert,
>> const gnutls_datum_t hash,
>> gnutls_datum_t * signature);
>> void gnutls_sign_callback_set (gnutls_session_t session,
>> gnutls_sign_func sign_func,
>> void *userdata);
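A stand-alone C model of the three points in this exchange, added here as an example and not code from GnuTLS or from either poster: the callback chooses the key by inspecting the certificate it is handed, an external library allocates its own codes from the proposed error-code bases, and the fatality check defaults to "fatal" for any code the handshake logic does not know how to recover from. All types, constants (including the error values), the keystore and the toy signature are local stand-ins constructed for the example; only the callback prototype and the two base definitions follow the text above.

```c
/* Stand-alone model of the experimental signing-callback API quoted in this
 * thread. Every type and constant below is a local stand-in constructed for
 * the example; nothing here comes from the real GnuTLS headers. */
#include <stdio.h>
#include <string.h>

typedef struct { unsigned char *data; unsigned int size; } gnutls_datum_t;
typedef struct sign_session *gnutls_session_t;
typedef enum { GNUTLS_CRT_X509 = 1 } gnutls_certificate_type_t;

/* Return codes. SUCCESS/AGAIN/INTERRUPTED values are illustrative; the two
 * bases are the ones proposed in the thread. */
#define GNUTLS_E_SUCCESS                       0
#define GNUTLS_E_AGAIN                       -28
#define GNUTLS_E_INTERRUPTED                 -52
#define GNUTLS_E_LIBEXTENSION_DEFINED_BASE -2000
#define GNUTLS_E_USER_DEFINED_BASE         -3000
/* Hypothetical codes an external PKCS#11 wrapper might allocate from its base. */
#define EXT_E_TOKEN_NOT_PRESENT (GNUTLS_E_LIBEXTENSION_DEFINED_BASE - 1)
#define EXT_E_NO_KEY_FOR_CERT   (GNUTLS_E_LIBEXTENSION_DEFINED_BASE - 2)

typedef int (*gnutls_sign_func) (gnutls_session_t session, void *userdata,
                                 gnutls_certificate_type_t cert_type,
                                 gnutls_datum_t cert,
                                 const gnutls_datum_t hash,
                                 gnutls_datum_t *signature);

struct sign_session { gnutls_sign_func sign_func; void *userdata; };

void gnutls_sign_callback_set (gnutls_session_t session,
                               gnutls_sign_func sign_func, void *userdata)
{
    session->sign_func = sign_func;
    session->userdata = userdata;
}

/* Userdata: the keys this process may sign with, keyed by certificate DER.
 * Constructed sample data; a real callback would hold PKCS#11 object handles. */
struct keyslot { const char *cert_der; const char *key_label; int token_present; };
struct keystore { struct keyslot slots[2]; unsigned char sigbuf[64]; };

/* The callback selects the key by looking at the certificate it is handed
 * and maps token conditions onto the extension error range. */
static int demo_sign (gnutls_session_t session, void *userdata,
                      gnutls_certificate_type_t cert_type, gnutls_datum_t cert,
                      const gnutls_datum_t hash, gnutls_datum_t *signature)
{
    struct keystore *ks = userdata;
    (void) session;
    if (cert_type != GNUTLS_CRT_X509)
        return GNUTLS_E_USER_DEFINED_BASE - 1;
    for (int i = 0; i < 2; i++) {
        struct keyslot *s = &ks->slots[i];
        if (strlen (s->cert_der) != cert.size
            || memcmp (s->cert_der, cert.data, cert.size) != 0)
            continue;
        if (!s->token_present)
            return EXT_E_TOKEN_NOT_PRESENT;
        /* Toy "signature" (label:hash) stands in for the real private-key op. */
        int n = snprintf ((char *) ks->sigbuf, sizeof ks->sigbuf, "%s:%.*s",
                          s->key_label, (int) hash.size, (const char *) hash.data);
        signature->data = ks->sigbuf;
        signature->size = (unsigned) n;
        return GNUTLS_E_SUCCESS;
    }
    return EXT_E_NO_KEY_FOR_CERT;
}

/* Fatality classifier with the default argued for above: only codes the
 * handshake state machine knows how to recover from are non-fatal; anything
 * unknown, including user/extension codes, is fatal. */
int demo_error_is_fatal (int err)
{
    switch (err) {
    case GNUTLS_E_SUCCESS:
    case GNUTLS_E_AGAIN:
    case GNUTLS_E_INTERRUPTED:
        return 0;
    default:
        return 1;
    }
}

enum { HS_SIGNED = 0, HS_RETRY = 1, HS_DISCONNECT = 2 };

/* Handshake step: invoke the callback and decide whether the session survives. */
static int demo_handshake_sign (gnutls_session_t s, gnutls_datum_t cert,
                                gnutls_datum_t hash, gnutls_datum_t *sig)
{
    int rc = s->sign_func (s, s->userdata, GNUTLS_CRT_X509, cert, hash, sig);
    if (rc == GNUTLS_E_SUCCESS) return HS_SIGNED;
    return demo_error_is_fatal (rc) ? HS_DISCONNECT : HS_RETRY;
}

/* Driver over constructed certificates; copies any signature into out. */
int demo_scenario (const char *cert_der, int token_b_present, char *out, size_t outlen)
{
    struct keystore ks = { { { "CERT-A", "key-a", 1 },
                             { "CERT-B", "key-b", token_b_present } }, { 0 } };
    struct sign_session sess;
    gnutls_datum_t cert = { (unsigned char *) cert_der, (unsigned) strlen (cert_der) };
    gnutls_datum_t hash = { (unsigned char *) "deadbeef", 8 };
    gnutls_datum_t sig = { NULL, 0 };
    gnutls_sign_callback_set (&sess, demo_sign, &ks);
    int outcome = demo_handshake_sign (&sess, cert, hash, &sig);
    snprintf (out, outlen, "%.*s", (int) sig.size, sig.data ? (const char *) sig.data : "");
    return outcome;
}
```

The interesting case is the absent token: the callback returns a code from the extension range, the classifier has never heard of it, and the handshake disconnects rather than looping on a state it cannot recover from. With the inverted default the thread describes (unknown means non-fatal), the same code would have been treated as retryable.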