GnuTLS Petr Ročkai GnuTLS 1/11 December 6, 2017 GnuTLS User Tools • certtool – X.509 certi icate manipulation − -p to generate an RSA keypairs − -s to generate a self-signed certi icate • tpmtool – talking to TPM chips • p11tool – talking to PKCS#11 smart cards GnuTLS 2/11 December 6, 2017 Exercise 1 • log in to aisa using ssh (holds for all exercises today) • use certtool to generate a self-signed cert • generate an RSA keypair irst (-p --outfile foo.key) • generate the cert itself -s --load-privkey foo.key − make a certi icate for an HTTPS server − let the certi icate expire in 30 days − set the DNS name to example.com GnuTLS 3/11 December 6, 2017 GnuTLS API • #include • build with gcc src.c -lgnutls • there are additional headers you may need − #include − #include − and so on, depending on application GnuTLS 4/11 December 6, 2017 GnutLS API Modules • crypto.h – symmetric cryptography − gnutls_cipher_* functions − GNUTLS_CIPHER_* macros − AES, ChaCha20, Salsa20, Camellia, … − CBC, GCM, CCM • abstract.h – abstract key operations − gnutls_privkey_* and gnutls_pubkey_* − asymmetric crypto – private and public keys − RSA, DSA, ECDSA GnuTLS 5/11 December 6, 2017 GnutLS API Modules (cont’d) • x509.h – X.509 certi icates − gnutls_x509_* − includes another set of privkey/pubkey functions • pkcs11.h – smart cards − gnutls_pkcs11_* • and a number of other modules − tpm.h – trusted platform module − pkcs7.h − pkcs12.h − dtls.h − openpgp.h GnuTLS 6/11 December 6, 2017 GnuTLS Documentation • available from https://gnutls.org • also doc/examples in the source tarball GnuTLS 7/11 December 6, 2017 Exercise 2 • download and con igure libnettle 3.4 − wget .../nettle-3.4.tar.gz − tar xzf nettle-3.4.tar.gz − cd nettle-3.4 − ./configure --prefix=$HOME/nettle • build and install − make && make install − NETTLE=$HOME/nettle − export PKG_CONFIG_PATH=$NETTLE/lib64/pkgconfig − export LD_LIBRARY_PATH=$NETTLE/lib64 GnuTLS 8/11 December 6, 2017 Exercise 2 (cont’d) • download gnutls 3.5.16 & con igure it − tar xaf gnutls-3.5.16.tar.xz − run ./configure (see below for args) − pass --with-included-libtasn1 − and --with-included-unistring − and --without-p11-kit − and --prefix=$HOME/gnutls • run make && make install − add $HOME/gnutls/lib to your LD_LIBRARY_PATH GnuTLS 9/11 December 6, 2017 Exercise 3 • write a small app that uses gnutls • you will need to pass some lags to gcc − -I$HOME/gnutls/include − -L$HOME/gnutls/lib − don’t forget -lgnutls • compute HMAC of a ile using a ixed key − you will need gnutls_hmac_* from crypto.h − use SHA-256 as the algorithm GnuTLS 10/11 December 6, 2017 Assignment • same as lab 6 but with gnutls • part 1: 128b AES-CBC [5pt] − use the same key / IV as for lab 6 − cross-check with your openssl implementation − use gnutls_cipher_* • part 2: RSA keypair generation [5pt] − no restriction on the public exponent − use gnutls_privkey_generate − print all key data to the screen GnuTLS 11/11 December 6, 2017 Assignment Hints • look at src/certtool-common.c − in the gnutls source code − you can copy print_rsa_pkey Deadline • only one week this time • December 13th 2017, midnight • the exercise should be easy enough