[gnutls-devel] GnuTLS | WIP: pkcs11: decline client auth if RSA-PSS cannot be performed by the PKCS#11 token where certificate comes from (!967)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Mon Apr 1 18:10:22 CEST 2019
New Merge Request !967
Branches: tmp-client-auth-decline to master
Author: Daiki Ueno
Approvers: Simon Josefsson, Nikos Mavrogiannopoulos, Dmitry Eremin-Solenikov, Hubert Kario (@mention me if you need reply), Tim Rühsen, Andreas Metzler, Tom, Ander Juaristi, Tomáš Mráz, Anderson Sasaki, GnuTLS devel mailing list and GnuTLS bot
In TLS 1.3, the client shall decline an authentication request by sending a Certificate message with no certificate, immediately followed by Finished. This should also be the case when the server sends a Certificate Request with only RSA-PSS in signature_schemes and the client doesn't have a PKCS#11 token capable of RSA-PSS.
I'm marking this WIP until we come up with how to test this in the CI.
* [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/967
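
The decline path described in this merge request, as an added example that is not GnuTLS code and not part of the original message: it picks an RSA-PSS scheme only when the token advertises `CKM_RSA_PKCS_PSS`, and otherwise encodes the empty TLS 1.3 Certificate message. The function names are hypothetical, and treating the token's mechanism list as the sole capability test is an assumption.

```c
/* Added example; pick_rsa_scheme and encode_empty_certificate are hypothetical names. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CKM_RSA_PKCS      0x00000001UL  /* PKCS#11 mechanism: RSA PKCS#1 v1.5 */
#define CKM_RSA_PKCS_PSS  0x0000000DUL  /* PKCS#11 mechanism: RSA-PSS */

/* TLS 1.3 SignatureScheme code points (RFC 8446, section 4.2.3) */
enum { RSA_PKCS1_SHA256 = 0x0401, ECDSA_SECP256R1_SHA256 = 0x0403,
       RSA_PSS_RSAE_SHA256 = 0x0804, RSA_PSS_RSAE_SHA384 = 0x0805,
       RSA_PSS_RSAE_SHA512 = 0x0806 };

static int token_has(const unsigned long *mechs, size_t n, unsigned long m)
{
    for (size_t i = 0; i < n; i++)
        if (mechs[i] == m) return 1;
    return 0;
}

/* Return the first offered scheme an RSA key on the token can use for
 * CertificateVerify, or 0 when the client has to decline. TLS 1.3 does not
 * allow PKCS#1 v1.5 for this signature, so only rsa_pss_rsae_* qualifies. */
uint16_t pick_rsa_scheme(const uint16_t *offered, size_t n_offered,
                         const unsigned long *mechs, size_t n_mechs)
{
    if (!token_has(mechs, n_mechs, CKM_RSA_PKCS_PSS))
        return 0;
    for (size_t i = 0; i < n_offered; i++)
        if (offered[i] >= RSA_PSS_RSAE_SHA256 && offered[i] <= RSA_PSS_RSAE_SHA512)
            return offered[i];
    return 0;
}

/* Encode the declining Certificate message: handshake header, the echoed
 * certificate_request_context, and an empty certificate_list.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t encode_empty_certificate(const uint8_t *ctx, uint8_t ctx_len,
                                uint8_t *out, size_t out_size)
{
    size_t body = 1 + (size_t)ctx_len + 3;
    if (out_size < 4 + body) return 0;
    out[0] = 11;                        /* HandshakeType certificate */
    out[1] = 0; out[2] = (uint8_t)(body >> 8); out[3] = (uint8_t)body;
    out[4] = ctx_len;
    if (ctx_len) memcpy(out + 5, ctx, ctx_len);
    memset(out + 5 + ctx_len, 0, 3);    /* certificate_list length = 0 */
    return 4 + body;
}
```

A return value of 0 from `pick_rsa_scheme` is the case where the client sends the empty Certificate message followed by Finished, with no CertificateVerify in between.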