Re: "known in advance" public key authentication?
From: Ivan Shmakov
Subject: Re: "known in advance" public key authentication?
Date: Sun, 11 Nov 2012 21:59:34 +0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
>>>>> Nikos Mavrogiannopoulos <address@hidden> writes:
>>>>> On 11/07/2012 05:32 PM, Ivan Shmakov wrote:
[…]
>> To put it short, the application in question uses “self-certified
>> identifiers”; i. e., the public key /is/ the identifier of the peer.
>> Thus, there doesn't seem to be any reason whatsoever to sign the
>> public keys used, and both X.509 and OpenPGP hence become of little
>> use.
> Currently you cannot avoid using a container for the public keys,
> either X.509 or Openpgp.
Do I understand it correctly that it's a requirement of the TLS
protocol itself?
As for the implementation, gnutls_certificate_set_x509_key ()
assumes that at least one certificate is available, and, AIUI,
GnuTLS will try to find the “best” matching certificate
associated with the credentials sometime later (during
handshake?)
> You may completely ignore it after that and only compare the raw
> keys, or their identifiers, e. g. by using one of the
> _get_key_id () functions.
ACK, thanks!
What'd be the simplest code to craft a self-signed certificate
out of a gnutls_x509_privkey_t instance?
I guess, it'd be something along the lines of:
#include <assert.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

/* priv: a gnutls_x509_privkey_t that has already been loaded */
gnutls_x509_crt_t crt;
{
  /* craft a dummy certificate */
  int ra
    = gnutls_x509_crt_init (&crt);
  assert (ra == 0);
  /* bind the public half of priv to the certificate */
  int rb
    = gnutls_x509_crt_set_key (crt, priv);
  assert (rb == 0);
  /* NB: doesn't accept empty strings */
  int rc
    = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_X520_COMMON_NAME,
                                     0, "Foo!", 4);
  assert (rc == 0);
  /* FIXME: what else to call? */
}
--
FSF associate member #7257