[gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Nov 6 09:25:17 CET 2019




Mario Biberhofer commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/859#note_240646770

>  int gnutls_ocsp_resp_set_responder_raw_id(gnutls_ocsp_resp_t resp, unsigned type, gnutls_datum_t raw); The third option it is more consistent with the rest of the API to be a pointer to datum_t.

All right, I'll change that.

> gnutls_ocsp_resp_sign This sign function cannot handle RSA-PSS or changing signature algorithm (RSA-SHA256 vs RSA-SHA512). An update may be to be similar to gnutls_privkey_sign_hash2 and have as input the specific signature algorithm gnutls_sign_algorithm_t and flags.

Ah, I'll take a look at `gnutls_privkey_sign_hash2` then. Currently I expected the signature algorithm to be set using `gnutls_ocsp_resp_set_signature_algorithm` before calculating and appending the signature using `gnutls_ocsp_resp_sign` (it throws an error if the signature algorithm is not set in the given `gnutls_ocsp_resp_t` data)

I guess I could remove `gnutls_ocsp_resp_set_signature_algorithm` and `gnutls_ocsp_resp_set_signature` from the public API then? Should I keep it for testing/toy purposes?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/859#note_240646770
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20191106/5e2997be/attachment.html>


More information about the Gnutls-devel mailing list