[gnutls-help] HPKH style (pin-sha256) peer verification in gnutls_certificate_verify_function callback

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jul 18 21:26:26 CEST 2016

On Sun, 2016-07-17 at 22:49 +0200, Ondřej Surý wrote:
> Hey,
> during the IETF hackathon I implemented DNS over TLS (RFC 7858) for
> kdig
> utility in Knot DNS[1] and now I am implementing the different TLS
> Privacy Profiles (Section 4).
> Using the excellent examples and documentation[*] I was able to
> implement:
> - Opportunistic Privacy Profile (just return 0)
> - hostname verification with system ca-file
> - custom ca-file
> and now I would like to implement verification of pin-sha256
> user-provided values. Could you please guide me to a place where I
> should start looking? Is there already some other program that
> implemented HSTS/HPKP using GnuTLS?
>  And if not than a pointer to
> documentation for SPKI retrieval would be nice (not quite sure
> https://www.gnutls.org/manual/html_node/X509-certificate-API.html is
> the
> right place and what function am I looking for).

If what you want to is to obtain the DER SPKI format you can import the
certificate to gnutls_pubkey_t structure and export that one to get
the DER SPKI. The gnutls_pubkey_import_x509_raw() is the function you
most likely neeed.

Not sure if it is related to your use case, but there is the trust on
first use API which can be used to pin certificates and keys
(i.e., gnutls_store_pubkey and  gnutls_verify_stored_pubkey).


More information about the Gnutls-help mailing list