[gnutls-help] HPKP style (pin-sha256) peer verification in gnutls_certificate_verify_function callback

Ondřej Surý ondrej at sury.org
Sun Jul 17 22:49:19 CEST 2016


During the IETF hackathon I implemented DNS over TLS (RFC 7858) for the kdig
utility in Knot DNS[1] and now I am implementing the different TLS
Privacy Profiles (Section 4).

Using the excellent examples and documentation[*] I was able to implement:

- Opportunistic Privacy Profile (just return 0)
- hostname verification with system ca-file
- custom ca-file

and now I would like to implement verification of pin-sha256
user-provided values. Could you please guide me to a place where I
should start looking? Is there already some other program that has
implemented HSTS/HPKP using GnuTLS? And if not, then a pointer to
documentation for SPKI retrieval would be nice (I am not quite sure
https://www.gnutls.org/manual/html_node/X509-certificate-API.html is the
right place, or what function I am looking for).

* - please bear in mind this is my first code longer than a few lines in
years... and my first encounter with GnuTLS programming, so be nice to

1. https://gitlab.labs.nic.cz/labs/knot/commits/dns-over-tls

Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Supplies for baking bread
of all kinds
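The pin-sha256 value the post wants to check is defined by RFC 7469 (the HPKP RFC) as the base64 encoding of SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate, and RFC 7858's strict profile accepts the connection if any certificate in the presented chain matches one of the configured pins. The example below is an added illustration, not code from the post, from kdig or from Knot DNS, and it is in Python rather than C so that it runs stand-alone: it walks a DER X.509 certificate to pull out the SPKI, computes the pin, and applies the "return 0 on success, non-zero to reject" convention of a verify callback. The certificate it parses is a constructed, unsigned toy structure built in the block itself, not a real certificate, and the `tlv`, `read_tlv`, `extract_spki`, `pin_sha256`, `normalize_pin` and `verify_pins` names are all the example's own.

```python
import base64
import hashlib

# --- Minimal DER helpers (enough to walk an X.509 Certificate) ---------------

def read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos].

    Returns (tag, value, end): value is the content octets, end is the
    offset just past this element.  Handles short and long length forms.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def iter_children(value):
    """Yield (tag, raw_tlv) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, _, end = read_tlv(value, pos)
        yield tag, value[pos:end]
        pos = end


def tlv(tag, payload):
    """Encode a DER TLV; used here only to build the constructed sample."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    len_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_octets)]) + len_octets + payload


# --- SPKI extraction and pin computation ------------------------------------

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(iter_children(tbs))
    if fields and fields[0][0] == 0xA0:      # explicit [0] version is optional
        fields = fields[1:]
    spki_tag, spki = fields[5]               # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def pin_sha256(spki_der):
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def normalize_pin(value):
    """Accept a bare base64 pin or the RFC 7469 header form pin-sha256="..."."""
    value = value.strip()
    if value.startswith("pin-sha256="):
        value = value[len("pin-sha256="):]
    return value.strip('"')


def verify_pins(chain_der, user_pins):
    """Verify-callback logic: 0 if any certificate in the chain matches a
    user-provided pin, non-zero otherwise (an empty pin set fails closed)."""
    wanted = {normalize_pin(p) for p in user_pins}
    if not wanted:
        return 1
    for cert in chain_der:
        if pin_sha256(extract_spki(cert)) in wanted:
            return 0
    return 1


# --- Constructed toy certificate (NOT a real certificate; the signature is bogus)

_RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
_SHA256_RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption
SAMPLE_SPKI_DER = tlv(0x30,
    tlv(0x30, _RSA_OID + tlv(0x05, b""))                            # AlgorithmIdentifier
    + tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, b"\x00\xc1\x02")      # BIT STRING holding a
                             + tlv(0x02, b"\x01\x00\x01"))))        # tiny toy RSAPublicKey
SAMPLE_CERT_DER = tlv(0x30,
    tlv(0x30,                                                        # tbsCertificate
        tlv(0xA0, tlv(0x02, b"\x02"))                                # [0] version = v3
        + tlv(0x02, b"\x01")                                         # serialNumber
        + tlv(0x30, _SHA256_RSA_OID + tlv(0x05, b""))                # signature
        + tlv(0x30, b"")                                             # issuer (empty, toy)
        + tlv(0x30, tlv(0x17, b"160717000000Z") + tlv(0x17, b"170717000000Z"))  # validity
        + tlv(0x30, b"")                                             # subject (empty, toy)
        + SAMPLE_SPKI_DER)                                           # subjectPublicKeyInfo
    + tlv(0x30, _SHA256_RSA_OID + tlv(0x05, b""))                    # signatureAlgorithm
    + tlv(0x03, b"\x00\xde\xad\xbe\xef"))                            # signatureValue (bogus)

if __name__ == "__main__":
    pin = pin_sha256(extract_spki(SAMPLE_CERT_DER))
    print("pin-sha256 of sample SPKI:", pin)
    print("match:", verify_pins([SAMPLE_CERT_DER], [pin]) == 0)
```

The part the post is actually asking about, obtaining the SPKI DER from the peer certificate inside a GnuTLS verify callback, is what `extract_spki` does by hand here; in GnuTLS terms this corresponds to importing the peer's X.509 certificate into a `gnutls_pubkey_t` and exporting it in `GNUTLS_X509_FMT_DER` (this mapping to the GnuTLS API is an assumption of this note, not something the post confirms). Comparing against the whole chain rather than only the leaf is deliberate: operators commonly pin an intermediate or root key so that leaf rotation does not break clients.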
