Re: "known in advance" public key authentication?

[Ivan Shmakov]

>>>>> Nikos Mavrogiannopoulos <address@hidden> writes:
>>>>> On 11/13/2012 09:01 PM, Ivan Shmakov wrote:

[…]

 >> Then, however, gnutls_handshake () fails with
 >> GNUTLS_E_PK_SIG_VERIFY_FAILED.  Do I understand it correctly that
 >> such an error points to some bug in the certificate signing part?

 > It means that the TLS signature in the session cannot be verified
 > using the provided certificate.

        ACK, thanks.

 > Could it be a mismatch between your certificate and the private key?
 > Did you try with certtool generated certificates?

        I did it the other way around: added a gnutls_x509_crt_export ()
        call to my code, and investigated the result with certtool(1).

 > I'd suggest to increase verbosity in order to find out what is the
 > actual reason of failure.

        The problem was that I've embedded the key pairs into the code
        roughly as follows:

   char x[]
     = ("\x1337\xcafe" ...);

        Somewhat surprisingly, the compiler interpreted that as:

   char x[]
     = { 0x1337, 0xcafe, ... };     /* IOW, { 0x37, 0xfe, ... } */

        instead of the intended:

   char x[]
     = { 0x13, '3', '7', 0xca, 'f', 'e', ... };

        After I've made the code less ambiguous, the issue was no more:

$ ./cbx34kx8szoy1wgdshn99dhz4d 
We're the Client; xfd =  3
We're the Server; xfd =  4
S: gnutls_handshake () => 0 (Success.) ; 2 (No such file or directory)
C: gnutls_handshake () => 0 (Success.) ; 2 (No such file or directory)
Read     4 bytes, starting with 13 37 ffffffca fffffffe
$ 

        (The code above uses socketpair (AF_UNIX, ...) to establish a
        connection to run GnuTLS over.)

-- 
FSF associate member #7257