[gnutls-devel] GnuTLS | Support for raw public keys for gnutls-cli and gnutls-serv (!1059)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Sep 5 21:21:44 CEST 2019
Tom commented on a discussion on src/cli.c: https://gitlab.com/gnutls/gnutls/merge_requests/1059#note_213102536

>  const char *x509_cafile = NULL;
>  const char *x509_crlfile = NULL;
>  static int x509ctype;
> +const char *rawpk_keyfile = NULL;
> +const char *rawpk_file = NULL;
>  static int disable_extensions;
>  static int disable_sni;
> -static unsigned int init_flags = GNUTLS_CLIENT;
> +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK;
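Review bot: `init_flags` now carries `GNUTLS_ENABLE_RAWPK` unconditionally, so the client will negotiate the raw public key certificate type even when `rawpk_keyfile` and `rawpk_file` are both NULL; since that is deliberate rather than tied to the new globals, add a short comment at the declaration stating so, e.g. `/* Raw public keys are always enabled: gnutls-cli can handle them regardless of whether rawpk credentials were given. */`, so a later reader does not "fix" it by gating the flag on the rawpk options.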

Not necessarily. The `GNUTLS_ENABLE_RAWPK` flag tells the library that raw public key functionality must be enabled. Applications that are capable of dealing / working with raw public keys can enable this functionality. Since gnutls-cli is able to handle raw public keys (as per this MR) we can safely enable this functionality in the library. This rationale follows the outcome of the discussion that we had regarding this flag. We concluded that it should be up to the application developer to decide whether the application is capable of handling raw public keys and therefore whether this functionality should be enabled in the library.

Of course you can change the init flags depending on the presence of raw pk key material but this introduces extra logic that is not necessary (IMO).
