[gnutls-devel] GnuTLS | WIP: RFC7250 Raw public keys (!650)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Fri Sep 14 13:21:40 CEST 2018
Nikos Mavrogiannopoulos started a new discussion on lib/pcert.c:
> /* Converts the first certificate for the cert_auth_info structure
> * to a pcert.
> + *
> + * REMARK 1: why limit ourselves to only be able to convert the first cert in the chain?
> + * REMARK 2: there is a lot of conversion between a raw cert / cert chain (gnutls_datum_t)
> + * and gnutls_pcert_st going on (e.g. cert_auth_info to pcert). There is also quite some
> + * overlap in data between these two types. The difference is that pcert holds only 1 cert
> + * and cert_auth_info has the entire chain. During cert reception (in e.g. _gnutls_proc_x509_server_crt)
> + * we also convert from raw to pcert. First we call gnutls_pcert_import_x509_raw to get a list with pcerts.
> + * Then we call check_pk_compat to do some checks. Finally we call _gnutls_pcert_to_auth_info to save all
> + * certs as raw again (we retrieve only the raw data from the pcert). Later on e.g. in
> + * _gnutls_proc_dhe_signature() we need a pcert again and convert back via our function below.
> + * Why not internally store all certs / cert chains as pcerts? That migth save some conversion
> + * work and simplifies things.
I'm for any optimizations. Not sure if they are possible though (few of the `get` functions assumed specific types to be present).
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_101411165
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel