[gnutls-devel] GnuTLS | RFC7250 Raw public keys (!650)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Nov 20 21:47:21 CET 2018

Tom commented on a discussion on lib/ext/client_cert_type.c:

>  	ssize_t len = data_size;
>  	const uint8_t* pdata = data;
> -	/* Only activate this extension if cert type negotiation is enabled
> -	 * and we have cert credentials set */
> -	if (!_gnutls_has_negotiate_ctypes(session) ||
> -			_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL)
> +	/* Only activate this extension if we have cert credentials set */
> +	if (_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL)
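Review bot: with the `_gnutls_has_negotiate_ctypes(session)` test dropped from the condition, the credential check is now the only gate this hunk leaves in place, so the extension's send path runs for every session that holds certificate credentials; the hunk does not show where the "send nothing when only the default cert type is enabled" case is handled, so please confirm that check still exists further down, and consider extending the new comment (`/* Only activate this extension if we have cert credentials set */`) to say that the extension body is only written when a non-default cert type was enabled via its init flag, since that is the behaviour the discussion relies on.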

We discussed this in the comments above. We concluded that these extensions would always be enabled and that other cert types would need to be explicitly enabled via init flags. That means that in this case raw public keys are only enabled when you pass the `ENABLE_RAWPK` flag. These extensions will only negotiate enabled cert types. In case only the default is enabled then these extensions will not send anything. This is default behaviour according to the spec.

We also agreed on removing the old flag to enable these extensions explicitly because this is not needed anymore when we explicitly enable cert types via their own dedicated flags.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_118859403
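The negotiation rule Tom describes above (credentials gate the extension, X.509 is always enabled, raw public keys only after the `ENABLE_RAWPK` init flag, and nothing is sent when only the default type is enabled) can be seen end to end in the following small C model. This is an added example and not code from GnuTLS or from this merge request: the `model_session` struct, the `SESS_HAS_CERT_CRED` and `SESS_ENABLE_RAWPK` flags and the two encode/select functions are hypothetical stand-ins written for this page, while the wire format (a one-byte length followed by one `CertificateType` byte per entry, `X509 = 0`, `RawPublicKey = 2`) and the "absent extension means X.509" default are those of RFC 7250.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 7250 CertificateType values carried in the client_certificate_type
 * and server_certificate_type extensions. */
enum cert_type { CT_X509 = 0, CT_RAWPK = 2 };

/* Hypothetical session flags for this model: they stand in for "certificate
 * credentials are set" and for an init flag that opts in to raw public keys.
 * They are NOT the real gnutls_init() flag values. */
#define SESS_HAS_CERT_CRED 0x1u
#define SESS_ENABLE_RAWPK  0x2u

typedef struct {
    unsigned flags;
} model_session;

/* Bitmask of certificate types enabled on a session: X.509 is always on,
 * raw public keys only when the session opted in via the flag. */
static unsigned enabled_types(const model_session *s)
{
    unsigned en = 1u << CT_X509;
    if (s->flags & SESS_ENABLE_RAWPK)
        en |= 1u << CT_RAWPK;
    return en;
}

/* Client side: encode the client_certificate_type extension body
 * (uint8 length, then one CertificateType per byte, most preferred first).
 * Returns the number of bytes written, 0 when the extension must not be
 * sent at all, or -1 when buf is too small. */
int build_client_cert_type_ext(const model_session *s, uint8_t *buf, size_t buflen)
{
    uint8_t list[2];
    size_t n = 0;
    unsigned en;

    /* The gate kept by the patch: no certificate credentials, no extension. */
    if (!(s->flags & SESS_HAS_CERT_CRED))
        return 0;

    en = enabled_types(s);
    /* Only the default type is enabled: there is nothing to negotiate, and
     * omitting the extension already means "X.509" to the peer. */
    if (en == (1u << CT_X509))
        return 0;

    /* The non-default type was explicitly enabled, so list it first. */
    if (en & (1u << CT_RAWPK))
        list[n++] = CT_RAWPK;
    list[n++] = CT_X509;

    if (buflen < 1 + n)
        return -1;
    buf[0] = (uint8_t)n;
    memcpy(buf + 1, list, n);
    return (int)(1 + n);
}

/* Server side: pick the first client-preferred type this server enables.
 * Returns the chosen CertificateType, CT_X509 when the extension is absent
 * (the RFC 7250 default), -1 when no listed type is acceptable, and -2 when
 * the list is malformed (bad length prefix or empty list). */
int server_select_cert_type(const model_session *srv, const uint8_t *ext, size_t len)
{
    unsigned en;
    size_t i;

    if (len == 0)
        return CT_X509;
    if (len < 2 || ext[0] == 0 || (size_t)ext[0] + 1 != len)
        return -2;

    en = enabled_types(srv);
    for (i = 1; i < len; i++) {
        /* Values outside the 8-bit mask are unknown types: skip, never match. */
        if (ext[i] < 8 && (en & (1u << ext[i])))
            return ext[i];
    }
    return -1;
}

/* Check helper: does the client encoding for these flags equal expect? */
int client_ext_matches(unsigned flags, const uint8_t *expect, int expect_len)
{
    model_session s = { flags };
    uint8_t buf[8];
    int got = build_client_cert_type_ext(&s, buf, sizeof buf);

    if (got != expect_len)
        return 0;
    return expect_len <= 0 || memcmp(buf, expect, (size_t)expect_len) == 0;
}

int main(void)
{
    model_session srv = { SESS_ENABLE_RAWPK };
    uint8_t buf[8];
    int n;

    /* Credentials only: the extension stays silent. */
    n = build_client_cert_type_ext(&(model_session){ SESS_HAS_CERT_CRED }, buf, sizeof buf);
    printf("creds only: sends %d bytes\n", n);

    /* Credentials plus opt-in: the list goes out and a RAWPK-capable server picks it. */
    n = build_client_cert_type_ext(&(model_session){ SESS_HAS_CERT_CRED | SESS_ENABLE_RAWPK },
                                   buf, sizeof buf);
    printf("creds+rawpk: sends %d bytes, server picks type %d\n",
           n, server_select_cert_type(&srv, buf, (size_t)n));
    return 0;
}
```

The server side is kept deliberately strict about the length prefix: a list whose declared length does not match the extension length is rejected rather than truncated, which is the check a real parser needs before it trusts `ext[0]` as a loop bound.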
