[Help-gnutls] loading psk credentials from encrypted file

Michael Weiser michael at dinsnail.net
Tue Dec 23 14:13:22 CET 2008


I've written a small program that uses gnutls for authentication. I've
chosen to use PSK authentication because it is simple to implement (no
certificate checking and the like) and fits my use case well (single
user). Now I've got a small usability problem:

On the client side I have to enter a password to derive the PSK key
from. Whether I've entered it correctly or not can only be determined by
trying a handshake. With my application this can be some time after I've
entered the password and can be confused with connectivity and other
problems on the network or server side.

So I'd like to enter the password just once, derive the PSK key from it
and store it in an AES-encrypted file. When starting my client
application, it would then ask for the passphrase of that file and could
immediately determine if the file can be decrypted using that key. This
way it can produce a proper error message or just ask for the passphrase

(This would be analogous to using an encrypted RSA private key for X509
authentication and being asked for its passphrase.)

Is this directly supported by gnutls?
How would I best go about implementing it?
Is this a case for enhancing gnutls or should I rather implement the
neccessary logic in my application?
Thanks in advance,

More information about the Gnutls-help mailing list