Re: [gnutls-dev] External signing API

From: Simon Josefsson
Subject: Re: [gnutls-dev] External signing API
Date: Mon, 13 Aug 2007 13:04:33 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

"Alon Bar-Lev" <address@hidden> writes:

> On 8/12/07, Simon Josefsson <address@hidden> wrote:
>> > 3. What do you expect the cert_type to be used for? Can't it be queried
>> > out of the cert?
>> No, the cert may be a PGP key, and this needs to be indicated somehow.
>> I haven't tested that PGP signing works through this interface yet, but
>> I think it makes sense to have cert_type there in case we support
>> external signing for PGP keys in the future.
> I don't understand why the type is not part of the certificate object...
> type = gnutls_get_cert_type (cert);
> This should be much cleaner than passing two variables to each method.

The cert in the sign callback is 'gnutls_datum_t', i.e., a raw binary
blob with the X.509 certificate or OpenPGP key.  Binary data doesn't
know its own type, so it needs an out-of-band signal to denote the kind
of data it is.

There is no function gnutls_get_cert_type(binary_blob) that guesses
whether some binary blob is X.509 or OpenPGP, is adding such a function
what you are proposing?  It seems rather fragile to me.

Btw, I reviewed the call-path for PGP authentication, and it seems this
callback function should work right now, if someone can write an
OpenPGP callback signer.  I added gnutls_openpgp_privkey_sign_hash, which
should be useful in the callback function.  I'm not sure how useful this
will be though.

