summaryrefslogtreecommitdiff
path: root/doc/TODO
blob: 22172ca693a4d29960c89e74a09cf459986d7e96 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

If you want to contribute (implement something from the current list, or
anything), contact the developer's mailing list (gnutls-dev@lists.gnupg.org),
in order to avoid having people working on the same thing. 

Current list:
* Add API to allow multiplexing multiple streams under DTLS. The streams
  should be identified by the application using the raw packet, via a
  callback.
* Check https://github.com/yymax/x509test and evaluate whether it makes
  sense to include it in our self tests.
* gnutls-cli: Allow separation of the connecting IP and the hostname to
  advertize or check. That is, allow specifying an IP to connect to and
  a hostname to check.
* Allow the manipulation of certificates, i.e., allow to remove fields.
* Handle the following X.509 extensions:
   2.5.29.36: Policy Constraints
   2.5.29.33: Policy Mappings
   2.5.29.54: Inhibit Any-policy
   2.5.29.46: Freshest CRL
* Add support for RSA-PSS. This signature algorithm is seen in some
  passport CAs. Should be added in nettle and then in gnutls.
- Handle openconnect's TSS files in gnutls_certificate_set_x509_key_file().
- Allow setting a fixed key on the anonymous key exchange methods (to allow
  it being used with the tofu API).
- Add certificate image support (see RFC3709, RFC6170)
- RFC 3280 compliant certificate path validation.
  - Reject extensions in v1 certificates.
- Perform signature calculation in PKCS #11 using not plain
  RSA but rather the combination of RSA-SHA256, RSA-SHA1 etc.
  That will allow the usage of tokens that do not allow plain RSA.
- Support PKCS#8 DES-MD5 (tests/enc3pkcs8.pem) encrypted keys.
  (openssl seems to use DES-MD5 to encrypt keys by default)
- Document the format for the supported DN attributes.
- Audit the code
- Add function to extract the signers of an openpgp key. Should
  be similar to gnutls_x509_crt_get_dn_oid().
- Add function to verify an openpgp key against a plain key.
- Clean up name space of helper functions in library (memmem,
   firstElement, bit_mask, ...) for platforms that libtool's
   -export-symbols-regex doesn't work.
- Add Kerberos ciphersuites
- Update the current test suite, using the newest NIST's PKI Test vectors,
  see http://csrc.nist.gov/pki/testing/x509paths.html
- Make gnutls-cli-debug exit with better error messages if the
  handshake fails, rather than saying that the server doesn't support
  TLS.

(+) Means high priority 
(*) Means medium priority
(-) Means low priority (ie. nobody is interested to develop that)
View Lorry Controller Status