help-gnutls

Re: "known in advance" public key authentication?


From: Ivan Shmakov
Subject: Re: "known in advance" public key authentication?
Date: Wed, 14 Nov 2012 03:01:31 +0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)

>>>>> Nikos Mavrogiannopoulos <address@hidden> writes:

[…]

 > You'll have to sign it using gnutls_x509_crt_privkey_sign ().  It is
 > better to check the certtool source for other possible options.

        ACK, thanks.

        So, I've ended up with the code MIME'd.  Then, however,
        gnutls_handshake () fails with GNUTLS_E_PK_SIG_VERIFY_FAILED.
        Do I understand it correctly that such an error points to some
        bug in the certificate signing part?

-- 
FSF associate member #7257      np. emphutured.mod

/* Attached code, as posted.  Inputs prepared elsewhere by the caller:
 * priv is the gnutls_x509_privkey_t used to sign the certificate and
 * pubk is the gnutls_pubkey_t whose public key is placed in it.  */
#include <assert.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gnutls/abstract.h>

gnutls_x509_crt_t
make_self_signed (gnutls_x509_privkey_t priv, gnutls_pubkey_t pubk)
{
  gnutls_x509_crt_t crt;
  {
    /* craft a dummy certificate */
    int ra
      = gnutls_x509_crt_init (&crt);
    assert (ra == 0);
    /* copies the public parameters of priv into the SubjectPublicKeyInfo */
    int rb
      = gnutls_x509_crt_set_key (crt, priv);
    assert (rb == 0);
    /* NB: doesn't accept empty strings */
    int rc
      = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_X520_COMMON_NAME,
                                       0, "Foo!", 4);
    assert (rc == 0);
    /* three-byte serial number 0x000f00 */
    char ser[]
      = { 0, 0x0f, 0x00 };
    int rd
      = gnutls_x509_crt_set_serial (crt, ser, sizeof (ser));
    assert (rd == 0);
    /* also writes the SubjectPublicKeyInfo, this time from pubk; the
       later of the two calls is what ends up in the certificate */
    int re
      = gnutls_x509_crt_set_pubkey (crt, pubk);
    assert (re == 0);
    /* valid from the epoch (1970-01-01) ... */
    int rf
      = gnutls_x509_crt_set_activation_time (crt, 0);
    assert (rf == 0);
    /* ... until 2038-01-19 (0x7fffffff) */
    int rg
      = gnutls_x509_crt_set_expiration_time (crt, 0x7fffffff);
    assert (rg == 0);
  }

  {
    /* self-sign the certificate: issuer == crt, signed with priv */
    gnutls_privkey_t pkey;
    int ra
      = gnutls_privkey_init (&pkey);
    assert (ra == 0);
    /* flags 0: pkey does not take ownership of priv */
    int rb
      = gnutls_privkey_import_x509 (pkey, priv, 0);
    assert (rb == 0);
    int rc
      = gnutls_x509_crt_privkey_sign (crt, crt, pkey,
                                      GNUTLS_DIG_SHA256, 0);
    assert (rc == 0);
    gnutls_privkey_deinit (pkey);
  }

  return crt;
}
