[gnutls-devel] GnuTLS | WIP: RFC7250 Raw public keys (!650)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun Sep 16 19:11:41 CEST 2018


Tom commented on a discussion on lib/pcert.c:

>  
>  /* Converts the first certificate for the cert_auth_info structure
>   * to a pcert.
> + *
> + * REMARK 1: why limit ourselves to only be able to convert the first cert in the chain?
> + * REMARK 2: there is a lot of conversion between a raw cert / cert chain (gnutls_datum_t)
> + *   and gnutls_pcert_st going on (e.g. cert_auth_info to pcert). There is also quite some
> + *   overlap in data between these two types. The difference is that pcert holds only 1 cert
> + *   and cert_auth_info has the entire chain. During cert reception (in e.g. _gnutls_proc_x509_server_crt)
> + *   we also convert from raw to pcert. First we call gnutls_pcert_import_x509_raw to get a list with pcerts.
> + *   Then we call check_pk_compat to do some checks. Finally we call _gnutls_pcert_to_auth_info to save all
> + *   certs as raw again (we retrieve only the raw data from the pcert). Later on e.g. in
> + *   _gnutls_proc_dhe_signature() we need a pcert again and convert back via our function below.
> + *   Why not internally store all certs / cert chains as pcerts? That migth save some conversion
> + *   work and simplifies things.

I will look into it and, if possible, propose a solution via a different patch.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_101688278
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20180916/d7730844/attachment-0001.html>


More information about the Gnutls-devel mailing list