authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-10-03 11:14:57 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-10-03 11:14:57 +0000
commited1d22b9fd875d4af17bfe7efe096526a8ae030a (patch)
tree7e0578c02b03eece0341c334115201328e5c740a
parent8b99a69401e62d6e8721875fc9900bc887e4099f (diff)
downloadgnutls-ed1d22b9fd875d4af17bfe7efe096526a8ae030a.tar.gz
Converted the pgp verification functions to the new API.
-rw-r--r--configure.in6
-rw-r--r--includes/gnutls/openpgp.h10
-rw-r--r--libextra/Makefile.am1
-rw-r--r--libextra/openpgp/Makefile.am4
-rw-r--r--libextra/openpgp/gnutls_openpgp.c181
-rw-r--r--libextra/openpgp/gnutls_openpgp.h (renamed from libextra/gnutls_openpgp.h)59
-rw-r--r--libextra/openpgp/openpgp.c4
-rw-r--r--libextra/openpgp/openpgp.h11
8 files changed, 46 insertions, 230 deletions
diff --git a/configure.in b/configure.in
index d6380848cc..e822d8f649 100644
--- a/configure.in
+++ b/configure.in
@@ -277,10 +277,10 @@ AC_ARG_ENABLE( openpgp-authentication, [ --disable-openpgp-authentication disab
)
if test x$ac_enable_openpgp != xno; then
AC_MSG_RESULT(no)
- AM_PATH_LIBOPENCDK( 0.4.0, AC_DEFINE(HAVE_LIBOPENCDK, 1, [have libopencdk]),
+ AM_PATH_LIBOPENCDK( 0.5.2, AC_DEFINE(HAVE_LIBOPENCDK, 1, [have libopencdk]),
AC_MSG_WARN([[
***
-*** libopencdk 0.4.0 was not found. You will not be able to use OpenPGP keys with gnutls.
+*** libopencdk 0.5.2 was not found. You will not be able to use OpenPGP keys with gnutls.
]]))
else
AC_MSG_RESULT(yes)
@@ -459,7 +459,7 @@ AC_CONFIG_COMMANDS([includes/gnutls/gnutls.h],[[
]],[[]])
AC_CONFIG_FILES([Makefile src/Makefile libextra/Makefile lib/Makefile \
-lib/libgnutls-config libextra/libgnutls-extra-config \
+libextra/openpgp/Makefile lib/libgnutls-config libextra/libgnutls-extra-config \
doc/Makefile src/x509/Makefile src/srp/Makefile src/openpgp/Makefile \
doc/tex/Makefile doc/tex/cover.tex doc/scripts/Makefile \
doc/examples/Makefile lib/minitasn1/Makefile lib/x509/Makefile \
diff --git a/includes/gnutls/openpgp.h b/includes/gnutls/openpgp.h
index 6767796a75..6fce2e5b05 100644
--- a/includes/gnutls/openpgp.h
+++ b/includes/gnutls/openpgp.h
@@ -79,11 +79,11 @@ int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring ring,
*/
struct gnutls_openpgp_trustdb;
-int gnutls_openpgp_trustdb_init( gnutls_openpgp_trustdb* ring);
-void gnutls_openpgp_trustdb_deinit(gnutls_openpgp_trustdb ring);
+int gnutls_openpgp_trustdb_init( gnutls_openpgp_trustdb* db);
+void gnutls_openpgp_trustdb_deinit(gnutls_openpgp_trustdb db);
-int gnutls_openpgp_trustdb_import(gnutls_openpgp_trustdb ring,
- const gnutls_datum* data, gnutls_openpgp_key_fmt format);
+int gnutls_openpgp_trustdb_import(gnutls_openpgp_trustdb db,
+ const char* file);
int gnutls_openpgp_key_verify_ring(
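Review bot: `gnutls_openpgp_trustdb_import` now takes a path (`const char* file`) instead of an in-memory datum, but the prototype says nothing about whether the file is read once or kept open for the lifetime of `db`, nor what the return value means on failure; since `gnutls_openpgp_trustdb_int` in libextra/openpgp/openpgp.h wraps a `cdk_stream_t`, it looks as if the file must stay accessible until `gnutls_openpgp_trustdb_deinit`, which callers will want to know. Suggest a comment on the prototype such as `/* Opens the trust database at 'file' for gnutls_openpgp_key_verify_trustdb(); the file presumably stays open until gnutls_openpgp_trustdb_deinit(). Returns 0 on success, otherwise a gnutls error code. */`, adjusted once the implementation (not in this commit) confirms the lifetime. The `gnutls_openpgp_key_verify_ring` declaration on the last line of the hunk continues outside it.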
@@ -92,7 +92,7 @@ int gnutls_openpgp_key_verify_ring(
unsigned int flags /* if not used reserved for future use,
unsigned int * verify /* the output of the verification */);
-int gnutls_openpgp_key_verify_db(
+int gnutls_openpgp_key_verify_trustdb(
gnutls_openpgp_key key,
gnutls_openpgp_trustdb db,
unsigned int flags /* if not used reserved for future use,
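Review bot: The renamed `gnutls_openpgp_key_verify_trustdb` prototype inherits the unterminated comment on its `flags` parameter: `/* if not used reserved for future use,` has no closing `*/` on that line, and C comments do not nest, so — exactly as is visible in the `gnutls_openpgp_key_verify_ring` declaration above, where that comment runs on to the `*/` after `the output of the verification` — the `unsigned int * verify` parameter is swallowed into the comment and the prototype declares only three parameters. A definition taking four parameters then conflicts with its own header, and a caller passing `&verify` gets a too-many-arguments error. Close the comment and add the comma that becomes necessary: `unsigned int flags, /* if not used, reserved for future use */` followed by `unsigned int *verify /* the output of the verification */);`. Both declarations continue past the end of the hunk, so the exact shape of the verify_trustdb line that follows is inferred from the verify_ring one.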
diff --git a/libextra/Makefile.am b/libextra/Makefile.am
index c0999fd79a..2f9651df4b 100644
--- a/libextra/Makefile.am
+++ b/libextra/Makefile.am
@@ -1,6 +1,5 @@
INCLUDES = -I../lib -I../includes -I../lib/minitasn1/
bin_SCRIPTS = libgnutls-extra-config
-DIST_SUBDIRS = openpgp
SUBDIRS = openpgp
m4datadir = $(datadir)/aclocal
diff --git a/libextra/openpgp/Makefile.am b/libextra/openpgp/Makefile.am
index db5f86ec4f..787a84ae54 100644
--- a/libextra/openpgp/Makefile.am
+++ b/libextra/openpgp/Makefile.am
@@ -1,9 +1,9 @@
INCLUDES = -I../ -I../../includes/ -I../../lib
-EXTRA_DIST = openpgp.h
+EXTRA_DIST = openpgp.h gnutls_openpgp.h
noinst_LTLIBRARIES = libpgp.la
-COBJECTS = openpgp.c xml.c gnutls_openpgp.c
+COBJECTS = openpgp.c xml.c gnutls_openpgp.c verify.c extras.c
libpgp_la_SOURCES = $(COBJECTS)
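Review bot: `COBJECTS` now lists `verify.c` and `extras.c`, but neither file appears in this commit's file list (8 files changed, the only new path being the renamed header), so unless they were added in a separate commit the libextra/openpgp build fails with a missing-source error at this revision. Since the same commit deletes `gnutls_openpgp_verify_key` and `_gnutls_openpgp_get_key_trust` from gnutls_openpgp.c, the replacement verification code presumably lives in those two files; committing them together with this Makefile change would keep every revision buildable. If they are intentionally still to come, drop them from `COBJECTS` until they exist.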
diff --git a/libextra/openpgp/gnutls_openpgp.c b/libextra/openpgp/gnutls_openpgp.c
index b10364dfb4..9930f9c51e 100644
--- a/libextra/openpgp/gnutls_openpgp.c
+++ b/libextra/openpgp/gnutls_openpgp.c
@@ -45,17 +45,6 @@
#define datum_append(x, y, z) _gnutls_datum_append_m( x, y, z, gnutls_realloc )
-typedef struct {
- int type;
- int armored;
- size_t size;
- uint8 *data;
-} keybox_blob;
-
-typedef enum {
- KBX_BLOB_FILE = 0x00,
- KBX_BLOB_DATA = 0x01
-} keyring_blob_types;
static void
@@ -122,7 +111,7 @@ kbx_blob_new( keybox_blob **r_ctx )
}
-static void
+void
kbx_blob_release( keybox_blob *ctx )
{
if( ctx ) {
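Review bot: Dropping `static` from `kbx_blob_release` (and from `kbx_to_keydb` and `kbx_read_blob` in the two hunks that follow) exports unprefixed `kbx_*` symbols from the library, whereas the file's other cross-unit helpers carry the `_gnutls_` prefix (`_gnutls_openpgp_cert2gnutls_cert`, `_gnutls_openpgp_request_key` in gnutls_openpgp.h). Bare names in a shared library's global namespace can collide with an application's own symbols or with libopencdk's; if the only new callers are the other sources in libextra/openpgp, renaming them `_gnutls_kbx_blob_release` etc. keeps them out of the public ABI and follows the existing convention. The function body continues outside the hunk.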
@@ -132,7 +121,7 @@ kbx_blob_release( keybox_blob *ctx )
}
-static cdk_keydb_hd_t
+cdk_keydb_hd_t
kbx_to_keydb( keybox_blob *blob )
{
cdk_keydb_hd_t hd;
@@ -164,7 +153,7 @@ kbx_to_keydb( keybox_blob *blob )
/* Extract a keybox blob from the given position. */
-static keybox_blob*
+keybox_blob*
kbx_read_blob( const gnutls_datum* keyring, size_t pos )
{
keybox_blob *blob = NULL;
@@ -749,170 +738,6 @@ gnutls_openpgp_count_key_names( const gnutls_datum *cert )
-int
-_gnutls_openpgp_get_key_trust( const char *trustdb,
- const gnutls_datum *key,
- int *r_trustval )
-{
- cdk_kbnode_t knode = NULL;
- cdk_stream_t inp;
- CDK_PACKET *pkt;
- cdk_pkt_pubkey_t pk = NULL;
- int flags = 0, ot = 0;
- int rc = 0;
-
- if( !trustdb || !key || !r_trustval ) {
- gnutls_assert( );
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- *r_trustval = 0;
-
- rc = cdk_kbnode_read_from_mem( &knode, key->data, key->size );
- if( (rc = _gnutls_map_cdk_rc( rc )) )
- return rc;
-
- pkt = cdk_kbnode_find_packet( knode, CDK_PKT_PUBLIC_KEY );
- if( !pkt ) {
- rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
- goto leave;
- }
- pk = pkt->pkt.public_key;
-
- rc = cdk_stream_open( trustdb, &inp );
- if( rc ) {
- rc = _gnutls_map_cdk_rc( rc );
- goto leave;
- }
-
- rc = cdk_trustdb_get_ownertrust( inp, pk, &ot, &flags );
- cdk_stream_close( inp );
- if ( rc ) { /* no ownertrust record was found */
- rc = 0;
- *r_trustval = 0;
- goto leave;
- }
-
- if( flags & CDK_TFLAG_DISABLED ) {
- *r_trustval |= GNUTLS_CERT_NOT_TRUSTED;
- *r_trustval |= GNUTLS_CERT_INVALID;
- goto leave;
- }
-
- if( flags & CDK_TFLAG_REVOKED ) {
- *r_trustval |= GNUTLS_CERT_NOT_TRUSTED;
- *r_trustval |= GNUTLS_CERT_REVOKED;
- }
-
- switch( ot ) {
- case CDK_TRUST_NEVER:
- *r_trustval |= GNUTLS_CERT_NOT_TRUSTED;
- break;
- case CDK_TRUST_UNKNOWN:
- case CDK_TRUST_UNDEFINED:
- case CDK_TRUST_MARGINAL:
- case CDK_TRUST_FULLY:
- case CDK_TRUST_ULTIMATE:
- *r_trustval |= 1; /* means okay */
- rc = 0;
- break;
- }
-
-leave:
- if( rc )
- *r_trustval |= GNUTLS_CERT_NOT_TRUSTED;
- cdk_kbnode_release( knode );
- return rc;
-}
-
-
-/**
- * gnutls_openpgp_verify_key - Verify all signatures on the key
- * @cert_list: the structure that holds the certificates.
- * @cert_list_lenght: the items in the cert_list.
- *
- * Verify all signatures in the certificate list. When the key
- * is not available, the signature is skipped.
- *
- * When the trustdb parameter is used, the function checks the
- * ownertrust of the key before the signatures are checked. It
- * is possible that the key was disabled or the owner is not trusted
- * at all. Then we don't check the signatures because it makes no sense.
- *
- * The return value is one of the CertificateStatus entries.
- *
- * NOTE: this function does not verify using any "web of trust". You
- * may use GnuPG for that purpose, or any other external PGP application.
- **/
-int
-gnutls_openpgp_verify_key( const char *trustdb,
- const gnutls_datum* keyring,
- const gnutls_datum* cert_list,
- int cert_list_length )
-{
- cdk_kbnode_t knode = NULL;
- cdk_keydb_hd_t hd = NULL;
- keybox_blob *blob = NULL;
- int rc = 0;
- int status = 0;
-
- if( !cert_list || cert_list_length != 1 || !keyring ) {
- gnutls_assert();
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
- }
-
- if( !keyring->size && !trustdb ) {
- gnutls_assert( );
- return GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED;
- }
-
- blob = kbx_read_blob( keyring, 0 );
- if( !blob ) {
- gnutls_assert();
- return GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED;
- }
- hd = kbx_to_keydb( blob );
- if( !hd ) {
- rc = GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED;
- goto leave;
- }
-
- if( trustdb ) {
- int ktrust;
- rc = _gnutls_openpgp_get_key_trust( trustdb, cert_list, &ktrust );
- if( rc || !ktrust )
- goto leave;
- }
-
- rc = cdk_kbnode_read_from_mem( &knode, cert_list->data, cert_list->size );
- if( (rc = _gnutls_map_cdk_rc( rc )) ) {
- goto leave;
- return GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED;
- }
-
- rc = cdk_pk_check_sigs( knode, hd, &status );
- if( rc == CDK_Error_No_Key )
- rc = 0; /* fixme */
-
- switch( status ) {
- case CDK_KEY_INVALID:
- rc = GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED;
- break;
-
- case CDK_KEY_REVOKED:
- rc = GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED;
- break;
- }
-
-leave:
- kbx_blob_release( blob );
- cdk_free( hd );
- cdk_kbnode_release( knode );
- if( rc ) {
- gnutls_assert();
- }
- return rc;
-}
/*-
diff --git a/libextra/gnutls_openpgp.h b/libextra/openpgp/gnutls_openpgp.h
index 7f3b08f2df..e89708d10e 100644
--- a/libextra/gnutls_openpgp.h
+++ b/libextra/openpgp/gnutls_openpgp.h
@@ -3,6 +3,19 @@
#include <gnutls/compat8.h>
#include <auth_cert.h>
+#include <opencdk.h>
+
+typedef struct {
+ int type;
+ int armored;
+ size_t size;
+ uint8 *data;
+} keybox_blob;
+
+typedef enum {
+ KBX_BLOB_FILE = 0x00,
+ KBX_BLOB_DATA = 0x01
+} keyring_blob_types;
/* OpenCDK compatible */
typedef enum {
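Review bot: `#include <opencdk.h>` is now unconditional in this header, while openpgp.c in the same commit guards its whole body with `#ifdef HAVE_LIBOPENCDK`; any translation unit that includes gnutls_openpgp.h in a build without libopencdk (a configuration configure.in explicitly permits, warning only that OpenPGP keys will be unavailable) then fails on the missing header instead of compiling to an empty stub. Wrapping the include, the `keybox_blob` types and the `cdk_keydb_hd_t` prototypes in `#ifdef HAVE_LIBOPENCDK` … `#endif` keeps the header usable in both configurations. The moved `keybox_blob` struct also lands in a shared header without field documentation; a comment stating what `size` counts (presumably the number of bytes at `data`) and what `type` ranges over (the `keyring_blob_types` values below it) would help the new callers, since `kbx_read_blob`, which fills it, is not in this hunk.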
@@ -20,39 +33,6 @@ int gnutls_certificate_set_openpgp_key_file(
int gnutls_openpgp_count_key_names(
const gnutls_datum *cert );
-int gnutls_openpgp_extract_key_name(
- const gnutls_datum *cert,
- int idx,
- gnutls_openpgp_name *dn );
-
-int gnutls_openpgp_extract_key_pk_algorithm(
- const gnutls_datum *cert,
- int *r_bits );
-
-int gnutls_openpgp_extract_key_version(
- const gnutls_datum *cert );
-
-time_t gnutls_openpgp_extract_key_creation_time(
- const gnutls_datum *cert );
-
-time_t gnutls_openpgp_extract_key_expiration_time(
- const gnutls_datum *cert );
-
-int gnutls_openpgp_verify_key(
- const char *trustdb,
- const gnutls_datum *keyring,
- const gnutls_datum* cert_list,
- int cert_list_length );
-
-int gnutls_openpgp_fingerprint(
- const gnutls_datum *cert,
- unsigned char *fpr,
- size_t *fprlen );
-
-int gnutls_openpgp_extract_key_id(
- const gnutls_datum *cert,
- unsigned char keyid[8] );
-
int gnutls_openpgp_add_keyring_mem(
gnutls_datum *keyring,
const opaque *data,
@@ -77,20 +57,12 @@ int gnutls_openpgp_get_key(
key_attr_t by,
opaque *pattern );
-int gnutls_openpgp_get_key_trust(
- const char *trustdb,
- gnutls_datum *key );
-
int gnutls_openpgp_recv_key(
const char *host,
short port,
uint32 keyid,
gnutls_datum *key );
-int gnutls_openpgp_key_to_xml(
- const gnutls_datum *cert,
- gnutls_datum *xmlkey, int ext );
-
/* internal */
int _gnutls_openpgp_cert2gnutls_cert(
gnutls_cert *cert,
@@ -104,4 +76,9 @@ _gnutls_openpgp_request_key(
opaque* key_fpr,
int key_fpr_size );
+keybox_blob* kbx_read_blob( const gnutls_datum* keyring, size_t pos );
+cdk_keydb_hd_t kbx_to_keydb( keybox_blob *blob );
+void kbx_blob_release( keybox_blob *ctx );
+
+
#endif /*GNUTLS_OPENPGP_H*/
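Review bot: The three `kbx_*` prototypes are now shared across the library but carry no ownership contract: the removed `gnutls_openpgp_verify_key` shows that `kbx_read_blob` returns NULL on failure and its result is released with `kbx_blob_release`, and that the handle from `kbx_to_keydb` (also NULL on failure) was disposed of with `cdk_free( hd )`, with the blob released only after the handle — which suggests, though the body is not visible here, that the handle may reference the blob's memory. New callers in verify.c need all of that stated. Suggest a short comment block above `keybox_blob* kbx_read_blob` covering: return value and failure sentinel of each function, that the caller owns the blob and frees it with `kbx_blob_release`, that the key-db handle is freed with `cdk_free`, and whether `blob` must outlive the handle (marked as to-be-confirmed). The `_gnutls_openpgp_request_key` declaration preceding these lines starts outside the hunk.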
diff --git a/libextra/openpgp/openpgp.c b/libextra/openpgp/openpgp.c
index f41962ef3a..c24c8a14f9 100644
--- a/libextra/openpgp/openpgp.c
+++ b/libextra/openpgp/openpgp.c
@@ -24,6 +24,9 @@
*/
#include <gnutls_int.h>
+
+#ifdef HAVE_LIBOPENCDK
+
#include <gnutls_datum.h>
#include <gnutls_global.h>
#include <gnutls_errors.h>
@@ -412,3 +415,4 @@ int gnutls_openpgp_key_check_hostname(gnutls_openpgp_key key,
return 0;
}
+#endif
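Review bot: The `#endif` added at the end of the file closes the `#ifdef HAVE_LIBOPENCDK` opened just after `#include <gnutls_int.h>` near the top, roughly 390 lines earlier, with nothing indicating which conditional it terminates; label it `#endif /* HAVE_LIBOPENCDK */` so a reader at the bottom of the file can tell without scrolling. A one-line note on the `#ifdef` side, such as `/* whole file is empty without libopencdk */`, makes the intent explicit there too. `gnutls_openpgp_key_check_hostname`, whose closing brace precedes the `#endif`, begins outside the hunk.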
diff --git a/libextra/openpgp/openpgp.h b/libextra/openpgp/openpgp.h
index 424a0a5b1d..b559522da7 100644
--- a/libextra/openpgp/openpgp.h
+++ b/libextra/openpgp/openpgp.h
@@ -7,10 +7,20 @@ typedef struct gnutls_openpgp_key_int {
cdk_kbnode_t knode;
} gnutls_openpgp_key_int;
+typedef struct gnutls_openpgp_keyring_int {
+ cdk_keydb_hd_t hd;
+} gnutls_openpgp_keyring_int;
+
+typedef struct gnutls_openpgp_trustdb_int {
+ cdk_stream_t st;
+} gnutls_openpgp_trustdb_int;
+
typedef enum gnutls_openpgp_key_fmt { GNUTLS_X509_FMT_RAW,
GNUTLS_X509_FMT_BASE64 } gnutls_openpgp_key_fmt;
typedef struct gnutls_openpgp_key_int *gnutls_openpgp_key;
+typedef struct gnutls_openpgp_keyring_int *gnutls_openpgp_keyring;
+typedef struct gnutls_openpgp_trustdb_int *gnutls_openpgp_trustdb;
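Review bot: The new `gnutls_openpgp_keyring_int` and `gnutls_openpgp_trustdb_int` structs wrap a `cdk_keydb_hd_t` and a `cdk_stream_t` without saying who owns them or when they are released, and because both types are exposed only through pointer typedefs (matching the existing `gnutls_openpgp_key` style), the field comment is the one place that knowledge can live. Suggest `cdk_keydb_hd_t hd; /* key-db handle owned by this object; presumably released by the keyring deinit */` and `cdk_stream_t st; /* trustdb stream opened by gnutls_openpgp_trustdb_import; presumably closed by gnutls_openpgp_trustdb_deinit */`, adjusted to whatever the implementation does — neither deinit body is in this commit, so the lifetime is inferred from the public prototypes in includes/gnutls/openpgp.h. The `gnutls_openpgp_key_int` struct above these lines starts outside the hunk.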
int
_gnutls_map_cdk_rc( int rc);
@@ -19,4 +29,5 @@ gnutls_openpgp_key_get_name( gnutls_openpgp_key key,
int idx,
char *buf, size_t *sizeof_buf);
+
#endif