[gnutls-help] Certificate callback questions

[Nikos Mavrogiannopoulos]

On Wed, Apr 22, 2015 at 2:31 AM, Lavrentiev, Anton (NIH/NLM/NCBI) [C]
<lavr at ncbi.nlm.nih.gov> wrote:
> Hi,
> I've been using basic GnuTLS features until a recent fallout with certificate-based connection authentication prompted
> me to look into more advanced techniques such as callbacks.  I would appreciate if somebody could answer these questions:

> 1. It's unclear to me why "gnutls_certificate_set_verify_function()" is a function of credentials rather than a session:
>    I assumed that the same credentials added to a session via "gnutls_credentials_set()" can be reused.  Which means that
>    certificate verification will be done on any such session rather than selected on a per-session basis.  I think my
>    understanding is incomplete (yet API documentation does not provide any insight here).

It was designed with the server mainly in mind which will typically
have the same verify function for all possible clients. You can still
however differentiate between sessions using
gnutls_session_set/get_ptr(). Do you see an issue with this approach?

> 2. There's something odd with the description of the "gnutls_certificate_set_retrieve_function*()" API:
>    callbacks are documented as:
>    int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn,...)
>    but parameter descriptions that follow (for either call) refer to nonexistent name "req_ca_cert".  I assume "req_ca_dn"
>    was meant to be there, but I'm not sure.  Please confirm.

Confirmed. I've fixed it.

>    Also, is there the word "key" missing after "public" in the following description:
>    "pcert should contain a single certificate and public or a list of them."

Thanks. Fixed too.

> 3. Can you please explain this phrase to me: "Contains a list with the CA names that the server considers trusted.
>    Normally we should send a certificate that is signed by one of these CAs."  Is this a requirement?  In other
>    words, if my server tells me it wants a GoDaddy's issued cert, and I send a Digicert's one instead, then I should
>    expect the server to drop the connection on me?

It's up to the server to decide. You can send whatever you desire in
the certificate field, but the server will have to accept it. The
values you get in this callback are hints; you may use them or ignore
them.

Said that, for most applications the server will require a certificate
that is signed by a CA it controls or trusts to authenticate its
users. So sending him any random certificate wouldn't be useful to it.

> 4. Is there a way to pass some context to a callback that is set with "gnutls_certificate_set_retrieve_function*()"?
>    I.e. similar to "gnutls_session_set_ptr()" but for credentials.

Since you get a pointer to the session you can use the
gnutls_session_set/get_ptr() for that. There is also
gnutls_credentials_get() since gnutls 3.3.3, if I correctly understand
what you mean.

> 5. If there is a certificate set in credentials (e.g. such as with "gnutls_certificate_set_x509_simple_pkcs12_file()")
>    along with a certificate retrieval callback, what wins?

Interesting question. The callback always take precedence.

> I apologize if my questions are naïve but I would appreciate any help I can get on this list.

They are not. They certainly helped improve the documentation :)

regards,
Nikos