"known in advance" public key authentication?

Ivan Shmakov oneingray at gmail.com
Mon Nov 19 08:09:21 CET 2012

>>>>> Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
>>>>> On 11/13/2012 09:01 PM, Ivan Shmakov wrote:


 >> Then, however, gnutls_handshake () fails with
 >> GNUTLS_E_PK_SIG_VERIFY_FAILED.  Do I understand it correctly that
 >> such an error points to some bug in the certificate signing part?

 > It means that the TLS signature in the session cannot be verified
 > using the provided certificate.

	ACK, thanks.

 > Could it be a mismatch between your certificate and the private key?
 > Did you try with certtool generated certificates?

	I did it the other way around: added a gnutls_x509_crt_export ()
	call to my code, and investigated the result with certtool(1).

 > I'd suggest to increase verbosity in order to find out what is the
 > actual reason of failure.

	The problem was that I've embedded the key pairs into the code
	roughly as follows:

   char x[]
     = ("\x1337\xcafe" ...);

	Somewhat surprisingly, the compiler interpreted that as:

   char x[]
     = { 0x1337, 0xcafe, ... };     /* IOW, { 0x37, 0xfe, ... } */

	instead of the intended:

   char x[]
     = { 0x13, '3', '7', 0xca, 'f', 'e', ... };

	After I've made the code less ambiguous, the issue was no more:

$ ./cbx34kx8szoy1wgdshn99dhz4d 
We're the Client; xfd =  3
We're the Server; xfd =  4
S: gnutls_handshake () => 0 (Success.) ; 2 (No such file or directory)
C: gnutls_handshake () => 0 (Success.) ; 2 (No such file or directory)
Read     4 bytes, starting with 13 37 ffffffca fffffffe

	(The code above uses socketpair (AF_UNIX, ...) to establish a
	connection to run GnuTLS over.)

FSF associate member #7257

More information about the Gnutls-help mailing list