[PATCH] Provide a gnutls_x509_crt_verify_hash
simon at josefsson.org
Thu Apr 23 16:50:34 CEST 2009
Cedric BAIL <moa.bluebugs at gmail.com> writes:
> I am currently using gnutls_x509_crt_verify_data to check the
> signature of a file generated with a GNUTLS_DIG_SHA1. After that I
> compare the SHA1 of the file in a database. So with the current API I
> wasn't able to find a way to do SHA1 computation only one time.
I'm going back and trying to understand your actual use-case here... why
don't you use a detached OpenPGP or CMS signature? I'm not sure it is a
good idea to add the API to GnuTLS. It may encourage people to do
things which lead to poor security. File signatures using a X.509
certificate isn't as simple as doing a public key signature on it and
storing the hash. OpenPGP/CMS was designed to solve those problems.
More information about the Gnutls-devel