"known in advance" public key authentication?

[Nikos Mavrogiannopoulos]

On Sun, Nov 11, 2012 at 3:59 PM, Ivan Shmakov <oneingray at gmail.com> wrote:

>  > Currently you cannot avoid using a container for the public keys,
>  > either X.509 or Openpgp.
>         Do I understand it correctly that it's a requirement of the TLS
>         protocol itself?

Yes.

>         As for the implementation, gnutls_certificate_set_x509_key ()
>         assumes that at least one certificate is available, and, AIUI,
>         GnuTLS will try to find the “best” matching certificate
>         associated with the credentials sometime later (during
>         handshake?)

Best matching means that it matches the algorithms requested by the
peer. Typically RSA certificates work with everyone.

>         I guess, it'd be something along the lines of:
>   gnutls_x509_crt_t crt;
>   {
>     /* craft a dummy certificate */
>     int ra
>       = gnutls_x509_crt_init (&crt);
>     assert (ra == 0);
>     int rb
>       = gnutls_x509_crt_set_key (crt, priv);
>     assert (rb == 0);
>     /* NB: doesn't accept empty strings */
>     int rc
>       = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_X520_COMMON_NAME,

You'll have to sign it using gnutls_x509_crt_privkey_sign(). It is
better the check the certtool source for other possible options.

regards,
Nikos