|
From: | Simon Josefsson |
Subject: | Re: [PATCH] Provide a gnutls_x509_crt_verify_hash |
Date: | Thu, 23 Apr 2009 16:50:34 +0200 |
User-agent: | Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.92 (gnu/linux) |
Cedric BAIL <address@hidden> writes: > Hi, > > I am currently using gnutls_x509_crt_verify_data to check the > signature of a file generated with a GNUTLS_DIG_SHA1. After that I > compare the SHA1 of the file in a database. So with the current API I > wasn't able to find a way to do SHA1 computation only one time. I'm going back and trying to understand your actual use-case here... why don't you use a detached OpenPGP or CMS signature? I'm not sure it is a good idea to add the API to GnuTLS. It may encourage people to do things which lead to poor security. File signatures using a X.509 certificate isn't as simple as doing a public key signature on it and storing the hash. OpenPGP/CMS was designed to solve those problems. /Simon
[Prev in Thread] | Current Thread | [Next in Thread] |