6.12.2.1 Trust on first use
The GnuTLS library includes functionality to use an SSH-like trust-on-first-use authentication. The available functions to store and verify public keys are listed below.
- Function: int gnutls_verify_stored_pubkey (const char * db_name, gnutls_tdb_t tdb, const char * host, const char * service, gnutls_certificate_type_t cert_type, const gnutls_datum_t * cert, unsigned int flags)
  - db_name: A file specifying the stored keys (use NULL for the default)
  - tdb: A storage structure or NULL to use the default
  - host: The peer's name
  - service: non-NULL if this key is specific to a service (e.g. http)
  - cert_type: The type of the certificate
  - cert: The raw (DER) data of the certificate
  - flags: should be 0.

  This function will try to verify the provided (raw or DER-encoded) certificate using a list of stored public keys. The service field, if non-NULL, should be a port number. The retrieve variable, if non-NULL, specifies a custom backend for the retrieval of entries; if it is NULL, the default file backend is used. In POSIX-like systems the file backend uses the $HOME/.gnutls/known_hosts file.

  Note that if a custom storage backend is provided, the retrieval function should return GNUTLS_E_CERTIFICATE_KEY_MISMATCH if the host/service pair is found but the key doesn't match, GNUTLS_E_NO_CERTIFICATE_FOUND if no such host/service with the given key is found, and 0 if it was found. The storage function should return 0 on success.

  Returns: If no associated public key is found then GNUTLS_E_NO_CERTIFICATE_FOUND will be returned. If a key is found but does not match, GNUTLS_E_CERTIFICATE_KEY_MISMATCH is returned. On success, GNUTLS_E_SUCCESS (0) is returned, or a negative error value on other errors.

  Since: 3.0.13
- Function: int gnutls_store_pubkey (const char * db_name, gnutls_tdb_t tdb, const char * host, const char * service, gnutls_certificate_type_t cert_type, const gnutls_datum_t * cert, time_t expiration, unsigned int flags)
  - db_name: A file specifying the stored keys (use NULL for the default)
  - tdb: A storage structure or NULL to use the default
  - host: The peer's name
  - service: non-NULL if this key is specific to a service (e.g. http)
  - cert_type: The type of the certificate
  - cert: The data of the certificate
  - expiration: The expiration time (use 0 to disable expiration)
  - flags: should be 0.

  This function will store the provided (raw or DER-encoded) certificate to the list of stored public keys. The key will be considered valid until the provided expiration time. The store variable, if non-NULL, specifies a custom backend for the storage of entries; if it is NULL, the default file backend is used.

  Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

  Since: 3.0.13
In addition to the above, gnutls_store_commitment can be used to implement a key-pinning architecture as in [KEYPIN]. This provides a way for a web server to commit to a public key that is not yet active.
- Function: int gnutls_store_commitment (const char * db_name, gnutls_tdb_t tdb, const char * host, const char * service, gnutls_digest_algorithm_t hash_algo, const gnutls_datum_t * hash, time_t expiration, unsigned int flags)
  - db_name: A file specifying the stored keys (use NULL for the default)
  - tdb: A storage structure or NULL to use the default
  - host: The peer's name
  - service: non-NULL if this key is specific to a service (e.g. http)
  - hash_algo: The hash algorithm type
  - hash: The raw hash
  - expiration: The expiration time (use 0 to disable expiration)
  - flags: should be 0.

  This function will store the provided hash commitment to the list of stored public keys. The key with the given hash will be considered valid until the provided expiration time. The store variable, if non-NULL, specifies a custom backend for the storage of entries; if it is NULL, the default file backend is used.

  Note that this function is not thread safe with the default backend.

  Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

  Since: 3.0
The storage and verification functions may be used with the default text-file-based back-end, or another back-end may be specified. Such a back-end must provide storage and retrieval functions, and is set up with the functions below.
- int gnutls_tdb_init (gnutls_tdb_t * tdb)
- void gnutls_tdb_deinit (gnutls_tdb_t tdb)
- void gnutls_tdb_set_verify_func (gnutls_tdb_t tdb, gnutls_tdb_verify_func verify)
- void gnutls_tdb_set_store_func (gnutls_tdb_t tdb, gnutls_tdb_store_func store)
- void gnutls_tdb_set_store_commitment_func (gnutls_tdb_t tdb, gnutls_tdb_store_commitment_func cstore)
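The following is an added example, not code from the GnuTLS manual or library: a minimal in-memory back-end that follows the retrieval/storage contract described above (0 on match, GNUTLS_E_CERTIFICATE_KEY_MISMATCH for a known host with a different key, GNUTLS_E_NO_CERTIFICATE_FOUND otherwise), plus the trust-on-first-use decision built on top of it. The function shapes for `mem_verify` and `mem_store` are assumed to mirror `gnutls_tdb_verify_func` and `gnutls_tdb_store_func`; in real code you would register them with `gnutls_tdb_set_verify_func` / `gnutls_tdb_set_store_func` and include `<gnutls/gnutls.h>` instead of the local definitions used here so the example builds stand-alone.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Same numeric values as in <gnutls/gnutls.h>; redefined so the example builds without GnuTLS. */
#define GNUTLS_E_SUCCESS                    0
#define GNUTLS_E_NO_CERTIFICATE_FOUND     (-49)
#define GNUTLS_E_CERTIFICATE_KEY_MISMATCH (-325)
typedef struct { unsigned char *data; unsigned int size; } gnutls_datum_t;
/* Constructed in-memory "known_hosts": one pinned public key per host/service pair. */
enum { MAX_ENTRIES = 16, MAX_KEY = 256 };
typedef struct { char host[64]; char service[16]; unsigned char key[MAX_KEY]; unsigned size; } entry_t;
static entry_t db[MAX_ENTRIES];
static int db_count;
static const char *svc(const char *s) { return s ? s : ""; }   /* NULL service = not service-specific */

/* Retrieval function in the gnutls_tdb_verify_func shape (signature assumed). Returns 0 on a match,
 * GNUTLS_E_CERTIFICATE_KEY_MISMATCH if host/service is known with another key, else NOT_FOUND. */
static int mem_verify(const char *db_name, const char *host, const char *service, const gnutls_datum_t *pubkey) {
    (void)db_name;
    for (int i = 0; i < db_count; i++) {
        if (strcmp(db[i].host, host) != 0 || strcmp(db[i].service, svc(service)) != 0) continue;
        if (db[i].size == pubkey->size && memcmp(db[i].key, pubkey->data, pubkey->size) == 0)
            return GNUTLS_E_SUCCESS;
        return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;   /* known host, different key */
    }
    return GNUTLS_E_NO_CERTIFICATE_FOUND;
}

/* Storage function in the gnutls_tdb_store_func shape (signature assumed); 0 on success. */
static int mem_store(const char *db_name, const char *host, const char *service,
                     time_t expiration, const gnutls_datum_t *pubkey) {
    (void)db_name; (void)expiration;   /* expiry bookkeeping omitted in this toy store */
    if (db_count >= MAX_ENTRIES || pubkey->size > MAX_KEY) return -1;
    entry_t *e = &db[db_count++];
    snprintf(e->host, sizeof e->host, "%s", host);
    snprintf(e->service, sizeof e->service, "%s", svc(service));
    memcpy(e->key, pubkey->data, pubkey->size);
    e->size = pubkey->size;
    return GNUTLS_E_SUCCESS;
}

/* TOFU policy on top of the backend: accept a known key, pin an unknown one, reject a changed one. */
typedef enum { TOFU_ACCEPT_KNOWN, TOFU_ACCEPT_NEW, TOFU_REJECT } tofu_result;
tofu_result tofu_check(const char *host, const char *service, const gnutls_datum_t *pubkey) {
    int rc = mem_verify(NULL, host, service, pubkey);
    if (rc == GNUTLS_E_SUCCESS) return TOFU_ACCEPT_KNOWN;
    if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)   /* first use: pin the key we were shown */
        return mem_store(NULL, host, service, 0, pubkey) == 0 ? TOFU_ACCEPT_NEW : TOFU_REJECT;
    return TOFU_REJECT;   /* GNUTLS_E_CERTIFICATE_KEY_MISMATCH: the pinned key changed */
}
```

A mismatch is the case a defender cares about: the host is already pinned, so a different key should surface to the user rather than silently replace the stored one.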
  This document was generated on May 31, 2014 using texi2html 5.0.