how to use gnutls_privkey_import_ext

Carolin Latze latze at
Sun Jun 10 19:36:58 CEST 2012

I am sorry, but this still causes me some troubles.

As far as I understand it, the hash in PKCS#1 is:

bytes 00 - 14: algorithm identifier + some more bytes
bytes 15 - 20: the hash

So I thought it might be sufficient do define a new gnutls_datum_t vdata 
with = &raw_data->data[15]
vdata.size = raw_data->size-15

Did not work :) The TPM was happy, but the TLS handshake ended with 
"Public key signature verification has failed."

Next try:

   if (r!=ASN1_SUCCESS) printf("ERROR: asn1_der_decoding: %s\n",asn2err(r));

   if (r!=ASN1_SUCCESS) printf("ERROR: asn1_read_value: %s\n",asn2err(r));

However, this  (=both functions) ends with 
GNUTLS_E_ASN1_ELEMENT_NOT_FOUND. When I check decode_ber_digest_info in 
the GnuTLS code I see that you initialize it first, probably with the 
GnuTLS ASN.1 type. So this is probably the reason for this error, 
however I see no easy way to initialize it in my code. Is there any 
function that does that already?

On 06/10/2012 05:25 PM, Nikos Mavrogiannopoulos wrote:
> On 06/10/2012 05:08 PM, Carolin Latze wrote:
>> shy question: what type of hashes will be delivered with RSA-SHA1? I get
>> a hash of 35 bytes length, which is a bit too long for a standard SHA1.
>> And it is too short for the old SHA1+MD5 hash that used to used in TLS.
> It should be the PKCS #1 encoding applied after hashing. It includes an
> algorithm identifier.

More information about the Gnutls-help mailing list