Re: Negotiating the SCRAM channel binding type

On Wed, Jul 11, 2018 at 04:00:47PM +0300, Heikki Linnakangas wrote:
> In a nutshell, to get the token for tls-server-end-point, you need to get
> the peer's certificate from the TLS library, in raw DER format, and
> calculate a hash over it. The hash algorithm depends on the
> signatureAlgorithm in the certificate, so you need to parse the certificate
> to extract that. We don't want to re-implement X509 parsing, so
> realistically we need the TLS library to have support functions for that.
>
> Looking at the GnuTLS docs, I believe it has everything we need.
> gnutls_certificate_get_peers() and gnutls_certificate_get_ours() can be used
> to get the certificate, and gnutls_x509_crt_get_signature_algorithm() gets
> the signatureAlgorithm.
>
> The macOS Secure Transport documentation is a bit harder to understand, but
> I think it has everything we need as well.
> SSLCopyPeerTrust()+SecTrustGetCertificateAtIndex()+SecCertificateCopyData()
> functions get you the certificate in DER format. You can get the signature
> algorithm with SecCertificateCopyValues(), with the right constants.
>
> Am I missing something? I think we can support tls-server-end-point with all
> TLS implementations we might care about.

That seems right to me.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +