On Sun, 2016-07-17 at 22:49 +0200, Ondřej Surý wrote:
> Hey,
>
> during the IETF hackathon I implemented DNS over TLS (RFC 7858) for kdig
> utility in Knot DNS[1] and now I am implementing the different TLS
> Privacy Profiles (Section 4).
>
> Using the excellent examples and documentation[*] I was able to
> implement:
>
> - Opportunistic Privacy Profile (just return 0)
> - hostname verification with system ca-file
> - custom ca-file
>
> and now I would like to implement verification of pin-sha256
> user-provided values. Could you please guide me to a place where I
> should start looking? Is there already some other program that
> implemented HSTS/HPKP using GnuTLS? And if not, then a pointer to
> documentation for SPKI retrieval would be nice (not quite sure
> https://www.gnutls.org/manual/html_node/X509-certificate-API.html is the
> right place and what function I am looking for).
If what you want is to obtain the DER SPKI format, you can import the certificate into a gnutls_pubkey_t structure and export that one to get the DER SPKI. gnutls_pubkey_import_x509_raw() is the function you most likely need.

Not sure if it is related to your use case, but there is the trust on first use API which can be used to pin certificates and keys (i.e., gnutls_store_pubkey and gnutls_verify_stored_pubkey).

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
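As an added example (not part of the thread, and not Knot DNS or GnuTLS code), the same derivation done with the openssl command line so the expected pin value is unambiguous: a pin-sha256 is base64(SHA-256(DER SubjectPublicKeyInfo)), which is exactly what hashing the DER export of the gnutls_pubkey_t yields. It assumes openssl is installed and generates a throwaway self-signed certificate at runtime instead of embedding one.

```shell
#!/bin/sh
# Added example: derive and check an RFC 7469-style pin-sha256 value with the
# openssl CLI (assumed installed). A throwaway self-signed certificate is
# generated at runtime so the script runs offline; no real pin is embedded.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a fresh RSA key and a self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
  -out "$WORK/cert.pem" -subj "/CN=example.test" -days 1 >/dev/null 2>&1

# pin-sha256 of a certificate: DER SubjectPublicKeyInfo -> SHA-256 -> base64.
# This is the value you get by hashing the DER export of the public key
# imported from the certificate (the gnutls_pubkey_t route described above).
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Same derivation from the private key, to cross-check the certificate path.
privkey_pin() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Check a certificate against one or more user-supplied pins.
# Returns 0 when any pin matches, 1 otherwise; a mismatch should be a hard
# failure for a strict profile, not a fallback to an unpinned connection.
verify_pins() {
  cert=$1; shift
  actual=$(spki_pin "$cert")
  for expected in "$@"; do
    [ "$actual" = "$expected" ] && return 0
  done
  return 1
}

CERT_PIN=$(spki_pin "$WORK/cert.pem")
KEY_PIN=$(privkey_pin "$WORK/key.pem")
echo "pin-sha256=\"$CERT_PIN\""
```

The base64 digest is 44 characters long; the pin covers only the public key, so a re-issued certificate for the same key keeps the same pin.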
