[gnutls-help] HPKP style (pin-sha256) peer verification in gnutls_certificate_verify_function callback
Ondřej Surý
ondrej at sury.org
Sun Jul 17 22:49:19 CEST 2016
Hey,
during the IETF hackathon I implemented DNS over TLS (RFC 7858) for kdig
utility in Knot DNS[1] and now I am implementing the different TLS
Privacy Profiles (Section 4).
Using the excellent examples and documentation[*] I was able to
implement:
- Opportunistic Privacy Profile (just return 0)
- hostname verification with system ca-file
- custom ca-file
and now I would like to implement verification of pin-sha256
user-provided values. Could you please guide me to a place where I
should start looking? Is there already some other program that
implemented HSTS/HPKP using GnuTLS? And if not, then a pointer to
documentation for SPKI retrieval would be nice (not quite sure
https://www.gnutls.org/manual/html_node/X509-certificate-API.html is the
right place, and what function am I looking for).
* - please bear in mind this is my first code longer than a few lines in
years... and my first encounter with GnuTLS programming, so be nice to
me
1. https://gitlab.labs.nic.cz/labs/knot/commits/dns-over-tls
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Supplies for baking bread
of all kinds
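Added example, not part of the original post and not code from Knot DNS or GnuTLS: a byte-level illustration of what an HPKP-style pin-sha256 check in a verify callback has to do. RFC 7469 defines the pin as base64(SHA-256(DER SubjectPublicKeyInfo)), so the callback must isolate the SPKI from the peer's DER certificate rather than hash the whole certificate. The certificate and key bits below are constructed in code (not a real key, not signed) purely so the example runs offline; names such as `extract_spki_der`, `verify_pins` and `build_sample_cert` are this example's own.

```python
"""
Added example (not from the original post or from GnuTLS/Knot DNS): how an
HPKP-style pin-sha256 check works at the byte level. RFC 7469 defines the pin
as base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), so the first step in any
verify callback is to isolate the SPKI from the peer's DER certificate.
"""
import base64
import hashlib
import hmac

# --- minimal DER helpers -----------------------------------------------------

def der_read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag, value):
    """Encode one DER TLV (used to build constructed sample data)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def extract_spki_der(cert_der):
    """Return the raw DER SubjectPublicKeyInfo TLV from an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = der_read_tlv(cert_body, 0)
    assert tag == 0x30, "TBSCertificate must be a SEQUENCE"
    pos = 0
    tag, _, nxt = der_read_tlv(tbs, pos)
    if tag == 0xA0:                          # explicit [0] version is present
        pos = nxt
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(tbs, pos)
    start = pos
    tag, _, end = der_read_tlv(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return tbs[start:end]                    # whole TLV, including tag and length

# --- pin computation and verification ----------------------------------------

def pin_sha256(spki_der):
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def verify_pins(cert_chain_der, pins):
    """Return True if any certificate in the chain matches a configured pin.

    Mirrors what a gnutls_certificate_verify_function would do: a pin may
    belong to the leaf or to an intermediate/root, so every chain element
    is checked, and the comparison is constant-time.
    """
    for cert_der in cert_chain_der:
        computed = pin_sha256(extract_spki_der(cert_der))
        for pin in pins:
            if hmac.compare_digest(computed, pin):
                return True
    return False

# --- constructed sample certificate (not a real key, not signed) -------------

def build_sample_cert(spki_der, with_version=True):
    """Build a structurally valid DER certificate around the given SPKI."""
    oid_sha256_rsa = der_encode(0x06, bytes.fromhex("2A864886F70D01010B"))
    alg_id = der_encode(0x30, oid_sha256_rsa + der_encode(0x05, b""))
    name = der_encode(0x30, b"")                        # empty Name
    validity = der_encode(0x30, der_encode(0x17, b"160101000000Z") * 2)
    fields = b""
    if with_version:
        fields += der_encode(0xA0, der_encode(0x02, b"\x02"))   # v3
    fields += der_encode(0x02, b"\x01")                 # serialNumber
    fields += alg_id + name + validity + name + spki_der
    tbs = der_encode(0x30, fields)
    sig = der_encode(0x03, b"\x00" * 33)                # placeholder signature
    return der_encode(0x30, tbs + alg_id + sig)

SAMPLE_SPKI = der_encode(0x30,
    der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D010101"))
               + der_encode(0x05, b""))                 # rsaEncryption, NULL
    + der_encode(0x03, b"\x00" + bytes(range(1, 40))))  # constructed key bits

SAMPLE_CERT = build_sample_cert(SAMPLE_SPKI)
SAMPLE_PIN = pin_sha256(SAMPLE_SPKI)

if __name__ == "__main__":
    print("pin-sha256 of sample SPKI:", SAMPLE_PIN)
    print("chain verifies:", verify_pins([SAMPLE_CERT], [SAMPLE_PIN]))
```

In a real GnuTLS callback the DER chain would come from gnutls_certificate_get_peers(); to my knowledge the DER SPKI of one element can then be obtained by importing it with gnutls_x509_crt_import(), loading the key with gnutls_pubkey_import_x509() and exporting it with gnutls_pubkey_export2() in GNUTLS_X509_FMT_DER, which is the input to the hash above (the exact export call is my assumption to verify against the manual). The points the example makes hold regardless of library: hash the SPKI TLV, not the certificate; check every chain element, since operators commonly pin an intermediate; and compare pins in constant time.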