[Help-gnutls] X.509 certificates around JUST A PUBLIC key... can it be done?

[Zach C.]

So here's the dilemma.

I am writing a library/interface for the iPhone to work in Linux. I'm currently working on the pairing functionality; I'm trying to repeat the process as exactly as possible to iTunes's implementation.

Here's what happens:

iTunes asks device for its public key.
iPhone responds with its public key.
iTunes generates a root certificate (CA certificate) with (root) private key, host certificate (presumably for encrypted communications) with (host) private key, and device certificate, whose public key info is the public key sent by the iPhone. All three certificates are signed with the root private key. iTunes then generates a UUID and sends out a PairRecord containing all three certificates and that UUID as a HostID.
The iPhone will then verify the certificates against the root certificate (presumably, or maybe more specifically the public key in the root certificate), and if everything is in order (i.e. the root certificate really was used to sign the others), it will send a "pair successful" message back.

I'm fully aware that I can currently generate the Root and Host certificates without a problem in GnuTLS. The problem I'm having, though, is that I *need* to be able to generate a certificate around the public key sent by the iPhone and then sign that certificate with the root private key. I'm wondering if that's possible in GnuTLS... I was considering doing a gnutls_x509_privkey_import_rsa_raw and only setting the modulus and public exponent (however I would get them), but I'm not sure if that would work or if GnuTLS would throw an error out about it. And if it did it properly, whether setting the new "private key" struct on a new certificate would do what I'm describing here.

Thanks in advance! :)