[Help-gnutls] X.509 certificates around JUST A PUBLIC key... can it be done?

[Zach C.]

So here's the dilemma.

I am writing a library/interface for the iPhone to work in Linux. I'm
currently working on the pairing functionality; I'm trying to repeat the
process as exactly as possible to iTunes's implementation.

Here's what happens:

iTunes asks device for its public key.
iPhone responds with its public key.
iTunes generates a root certificate (CA certificate) with (root) private
key, host certificate (presumably for encrypted communications) with (host)
private key, and device certificate, whose public key info *is* the public
key sent by the iPhone. All three certificates are signed with the root
private key. iTunes then generates a UUID and sends out a PairRecord
containing all three certificates and that UUID as a HostID.
The iPhone will then verify the certificates against the root certificate
(presumably, or maybe more specifically the public key in the root
certificate), and if everything is in order (i.e. the root certificate
really was used to sign the others), it will send a "pair successful"
message back.

I'm fully aware that I can currently generate the Root and Host certificates
without a problem in GnuTLS. The problem I'm having, though, is that I
*need* to be able to generate a certificate around the public key sent by
the iPhone and then sign that certificate with the root private key. I'm
wondering if that's possible in GnuTLS... I was considering doing a
gnutls_x509_privkey_import_rsa_raw and *only* setting the modulus and public
exponent (however I would get them), but I'm not sure if that would work or
if GnuTLS would throw an error out about it. And if it did it properly,
whether setting the new "private key" struct on a new certificate would do
what I'm describing here.

Thanks in advance! :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20080729/24c9cbde/attachment.htm>