author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2009-11-01 11:19:23 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2009-11-01 11:29:20 +0200 |
commit | 4d5f721b3735743a60e9e6af6a605d9ce4c9e6c3 (patch) | |
tree | ebfcf0cbf66feaf3005b2500136947757f34ea4e /doc | |
parent | 6773d2ddb01d86fa283ce154b419e989916ab3f7 (diff) | |
download | gnutls-4d5f721b3735743a60e9e6af6a605d9ce4c9e6c3.tar.gz |
Final touch on signature algorithms in TLS 1.2 support. Added function gnutls_session_sign_algorithm_get_requested()
so that callbacks can verify that they return a correct certificate, as well as documentation for its usage.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/examples/ex-cert-select.c | 38 | ||||
-rw-r--r-- | doc/gnutls.texi | 5 |
2 files changed, 43 insertions, 0 deletions
diff --git a/doc/examples/ex-cert-select.c b/doc/examples/ex-cert-select.c
index 5e422a0766..714bdfe963 100644
--- a/doc/examples/ex-cert-select.c
+++ b/doc/examples/ex-cert-select.c
@@ -259,6 +259,44 @@ cert_callback (gnutls_session_t session,
 type = gnutls_certificate_type_get (session);
 if (type == GNUTLS_CRT_X509)
 {
+ /* check if the certificate we are sending is signed
+ * with an algorithm that the server accepts */
+ gnutls_sign_algorithm_t cert_algo, req_algo;
+ int i, match = 0;
+
+ ret = gnutls_x509_crt_get_signature_algorithm(crt);
+ if (ret < 0)
+ {
+ /* error reading signature algorithm
+ */
+ return -1;
+ }
+ cert_algo = ret;
+
+ i=0;
+ do {
+ ret = gnutls_session_sign_algorithm_get_requested(session, i, &req_algo);
+ if (ret >= 0 && cert_algo == req_algo)
+ {
+ match = 1;
+ break;
+ }
+
+ /* server has not requested anything specific */
+ if (i==0 && ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ {
+ match = 1;
+ break;
+ }
+ i++;
+ } while(ret >= 0);
+
+ if (match == 0)
+ {
+ printf("- Could not find a suitable certificate to send to server\n");
+ return -1;
+ }
+
 st->type = type;
 st->ncerts = 1;
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index 5f168c56c8..422be26c57 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -1314,6 +1314,11 @@ callback can be set using the functions:
 @end itemize
+Clients and servers that will select certificates using callback
+functions should select a certificate according the peer's signature
+algorithm preferences. To get those preferences use
+@ref{gnutls_session_sign_algorithm_get_requested}.
+
 Certificate verification is possible by loading the trusted authorities
 into the credentials structure by using
 @ref{gnutls_certificate_set_x509_trust_file} or
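Review bot: The `do { ... } while(ret >= 0);` loop in the ex-cert-select.c hunk folds the "server sent no list" case into the iteration through `if (i==0 && ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)`, which hides the fact that the algorithm check is deliberately skipped for a peer that sends no supported_signature_algorithms list, and the hunk's comment does not say why that is acceptable. Pulling that case out of the loop and iterating with a plain `for` keeps the same outcome and reads more clearly, as sketched below, with the reason stated in the comment: `/* RFC 5246 7.4.4: a TLS 1.2 server lists the algorithms it accepts for the client's certificate chain; a pre-1.2 server sends no list, so any certificate is acceptable. */`. Note that only the single certificate in `crt` is compared, which matches `st->ncerts = 1` in this example but would have to cover every certificate in the chain if the example were extended to send one. cert_callback begins and ends outside the hunk.
```c
      /* … unchanged: certificate type and cert_algo lookup … */
      for (i = 0; (ret = gnutls_session_sign_algorithm_get_requested (session, i, &req_algo)) >= 0; i++)
        {
          if (cert_algo == req_algo)
            {
              match = 1;
              break;
            }
        }

      /* RFC 5246 7.4.4: a TLS 1.2 server lists the algorithms it accepts
       * for the client's certificate chain; a pre-1.2 server sends no
       * list at all, so any certificate is acceptable. */
      if (i == 0 && ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
        match = 1;

      /* … unchanged: match == 0 error path and st->type / st->ncerts … */
```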