[gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Wed Nov 6 09:25:17 CET 2019
Mario Biberhofer commented on a discussion: https://gitlab.com/gnutls/gnutls/issues/859#note_240646770
> int gnutls_ocsp_resp_set_responder_raw_id(gnutls_ocsp_resp_t resp, unsigned type, gnutls_datum_t raw);
> The third option: it is more consistent with the rest of the API for it to be a pointer to datum_t.
All right, I'll change that.
> gnutls_ocsp_resp_sign
> This sign function cannot handle RSA-PSS or a changing signature algorithm (RSA-SHA256 vs RSA-SHA512). An update may be to make it similar to gnutls_privkey_sign_hash2 and have as input the specific signature algorithm gnutls_sign_algorithm_t and flags.
Ah, I'll take a look at `gnutls_privkey_sign_hash2` then. Currently I expect the signature algorithm to be set using `gnutls_ocsp_resp_set_signature_algorithm` before calculating and appending the signature using `gnutls_ocsp_resp_sign` (it throws an error if the signature algorithm is not set in the given `gnutls_ocsp_resp_t` data).
I guess I could remove `gnutls_ocsp_resp_set_signature_algorithm` and `gnutls_ocsp_resp_set_signature` from the public API then? Should I keep them for testing/toy purposes?