[gnutls-devel] GnuTLS | RFC7250 Raw public keys (!650)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Nov 29 10:29:36 CET 2018
Nikos Mavrogiannopoulos commented on a discussion on lib/cert-cred-rawpk.c:
> + * #gnutls_certificate_credentials_t type to be used for authentication
> + * and/or encryption. @subject_public_key_info and @privkey should match
> + * otherwise set signatures cannot be validated. This function should
> + * be called once for the client because there is currently no mechanism
> + * to determine which raw public-key to select for the peer when there
> + * are multiple present. Multiple raw public keys for the server can be
> + * distinghuished by setting the @names.
> + *
> + * Note here that @subject_public_key_info is a raw public-key as defined
> + * in RFC7250. It means that there is no surrounding certificate that
> + * holds the public key and that there is therefore no direct mechanism
> + * to prove the authenticity of this key. The keypair can be used during
> + * a TLS handshake but its authenticity should be established via a
> + * different mechanism (e.g. TOFU or known fingerprint).
> + *
> + * The supported formats are basic unencrypted key, PKCS8, PKCS12,
ok, that could be an optimization to consider in the future. Resolving.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_121004200
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel