Re: how to use gnutls_privkey_import_ext

[Carolin Latze]

I am sorry, but this still causes me some troubles.

As far as I understand it, the hash in PKCS#1 is:

bytes 00 - 14: algorithm identifier + some more bytes
bytes 15 - 20: the hash

So I thought it might be sufficient do define a new gnutls_datum_t vdata 
with

vdata.data = &raw_data->data[15]
vdata.size = raw_data->size-15

Did not work :) The TPM was happy, but the TLS handshake ended with 
"Public key signature verification has failed."

Next try:

  r=asn1_der_decoding(&dinfo,raw_data->data,raw_data->size,NULL);
  if (r!=ASN1_SUCCESS) printf("ERROR: asn1_der_decoding: %s\n",asn2err(r));

  r=asn1_read_value(dinfo,"digest",&vdata.data,&vdata.size);
  if (r!=ASN1_SUCCESS) printf("ERROR: asn1_read_value: %s\n",asn2err(r));

However, this  (=both functions) ends with 
GNUTLS_E_ASN1_ELEMENT_NOT_FOUND. When I check decode_ber_digest_info in 
the GnuTLS code I see that you initialize it first, probably with the 
GnuTLS ASN.1 type. So this is probably the reason for this error, 
however I see no easy way to initialize it in my code. Is there any 
function that does that already?

On 06/10/2012 05:25 PM, Nikos Mavrogiannopoulos wrote:
> On 06/10/2012 05:08 PM, Carolin Latze wrote:
>
>    
> > shy question: what type of hashes will be delivered with RSA-SHA1? I get
> > a hash of 35 bytes length, which is a bit too long for a standard SHA1.
> > And it is too short for the old SHA1+MD5 hash that used to used in TLS.
> >      
>
> It should be the PKCS #1 encoding applied after hashing. It includes an
> algorithm identifier.
>
>
>