author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-06-12 09:38:22 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-06-12 09:38:22 +0000 |
commit | d656a27a2163cc1f0681cb13bde94dae83cdc87c (patch) | |
tree | eefad7e5fd273227bde8aee9eb571c11ee6a8b72 | |
parent | 929c2be43d85501a74d8eb8c91b8e60c0a245b31 (diff) | |
download | gnutls-d656a27a2163cc1f0681cb13bde94dae83cdc87c.tar.gz |
Added gnutls_openpgp_keyring_check_id()
-rw-r--r-- | libextra/openpgp/Makefile.am | 2 | ||||
-rw-r--r-- | libextra/openpgp/verify.c | 260 |
2 files changed, 156 insertions, 106 deletions
diff --git a/libextra/openpgp/Makefile.am b/libextra/openpgp/Makefile.am
index 55013f1155..742c868d8e 100644
--- a/libextra/openpgp/Makefile.am
+++ b/libextra/openpgp/Makefile.am
@@ -1,4 +1,4 @@
-INCLUDES = -I. -I../ -I../../includes/ -I../../lib -I../../lib/minitasn1 $(LIBOPENCDK_CFLAGS) $(LIBGCRYPT_CFLAGS) $(LIBTASN1_CFLAGS) -I../opencdk/
+INCLUDES = -I. -I../ -I../../includes/ -I../../lib -I../../lib/minitasn1 -I../opencdk/ $(LIBOPENCDK_CFLAGS) $(LIBGCRYPT_CFLAGS) $(LIBTASN1_CFLAGS)
 EXTRA_DIST = openpgp.h gnutls_openpgp.h
 noinst_LTLIBRARIES = libpgp.la
diff --git a/libextra/openpgp/verify.c b/libextra/openpgp/verify.c
index 9c54e77c95..81646f4e9b 100644
--- a/libextra/openpgp/verify.c
+++ b/libextra/openpgp/verify.c
@@ -27,54 +27,83 @@ #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_openpgp.h> +#include <gnutls_num.h> #include <openpgp.h> static int -openpgp_get_key_trust( gnutls_openpgp_trustdb trustdb, - gnutls_openpgp_key key, unsigned int *r_trustval ) +openpgp_get_key_trust(gnutls_openpgp_trustdb trustdb, + gnutls_openpgp_key key, unsigned int *r_trustval) { cdk_packet_t pkt; cdk_pkt_pubkey_t pk = NULL; int flags = 0, ot = 0; int rc = 0; - if( !trustdb || !key || !r_trustval ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!trustdb || !key || !r_trustval) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } *r_trustval = 0; - pkt = cdk_kbnode_find_packet( key->knode, CDK_PKT_PUBLIC_KEY ); - if( !pkt ) { - rc = GNUTLS_E_NO_CERTIFICATE_FOUND; - goto leave; + pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY); + if (!pkt) { + rc = GNUTLS_E_NO_CERTIFICATE_FOUND; + goto leave; } pk = pkt->pkt.public_key; - rc = cdk_trustdb_get_ownertrust( trustdb->st, pk, &ot, &flags ); + rc = cdk_trustdb_get_ownertrust(trustdb->st, pk, &ot, &flags); - if ( rc ) { /* no ownertrust record was found */ - rc = 0; - goto leave; + if (rc) { /* no ownertrust record was found */ + rc = 0; + goto leave; } - if( flags & CDK_TFLAG_DISABLED ) { - *r_trustval |= GNUTLS_CERT_INVALID; - goto leave; + if (flags & CDK_TFLAG_DISABLED) { + *r_trustval |= GNUTLS_CERT_INVALID; + goto leave; } - - if( flags & CDK_TFLAG_REVOKED ) { - *r_trustval |= GNUTLS_CERT_REVOKED; + + if (flags & CDK_TFLAG_REVOKED) { + *r_trustval |= GNUTLS_CERT_REVOKED; } - + rc = 0; -leave: + leave: return rc; } /** + * gnutls_openpgp_keyring_check_id - Check if a key id exists in the keyring + * @ring: holds the keyring to check against + * @keyid: will hold the keyid to check for. + * @flags: unused (should be 0) + * + * Check if a given key ID exists in the keyring. + * + * Returns 0 on success (if keyid exists) and a negative error code + * on failure. 
+ */ +int gnutls_openpgp_keyring_check_id( gnutls_openpgp_keyring ring, + const unsigned char keyid[8], unsigned int flags) +{ +int rc; +cdk_pkt_pubkey_t sig_pk; +uint32 id[2]; + + id[0] = _gnutls_read_uint32( keyid); + id[1] = _gnutls_read_uint32( &keyid[4]); + + rc = cdk_keydb_get_pk( ring->hd, id, &sig_pk); + if (!rc) + return 0; + else + return GNUTLS_E_NO_CERTIFICATE_FOUND; +} + +/** * gnutls_openpgp_key_verify_ring - Verify all signatures in the key * @key: the structure that holds the key. * @keyring: holds the keyring to check against @@ -82,7 +111,6 @@ leave: * @verify: will hold the certificate verification output. * * Verify all signatures in the key, using the given set of keys (keyring). - * If a signer key is not available, the signature is skipped. * * The key verification output will be put in @verify and will be * one or more of the gnutls_certificate_status enumerated elements bitwise or'd. 
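Review bot: In `gnutls_openpgp_keyring_check_id()` the public key that `cdk_keydb_get_pk()` stores in `sig_pk` is never released on the success path, so each successful lookup appears to leak one key object (assuming the lookup allocates it, which this hunk does not show). Release it before `return 0;` with the library's public-key release routine (`cdk_pk_release()` in later opencdk; confirm the name for the bundled version). The function also dereferences `ring->hd` and reads `keyid` without the NULL guard that the other entry points in this file use; `if (!ring || !keyid) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; }` at the top would match them. The `@keyid` doc line says it "will hold" the ID although it is an input; `@keyid: the 8-byte key ID to look for` is accurate.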
@@ -96,45 +124,66 @@ leave: * * Returns 0 on success. **/ -int gnutls_openpgp_key_verify_ring( gnutls_openpgp_key key, - gnutls_openpgp_keyring keyring, - unsigned int flags, unsigned int *verify) +int gnutls_openpgp_key_verify_ring(gnutls_openpgp_key key, + gnutls_openpgp_keyring keyring, + unsigned int flags, unsigned int *verify) { int rc = 0; int status = 0; - - if( !key || !keyring ) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + opaque id[8]; + + if (!key || !keyring) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - + *verify = 0; - rc = cdk_pk_check_sigs( key->knode, keyring->hd, &status ); - if( rc == CDK_Error_No_Key ) { - rc = GNUTLS_E_NO_CERTIFICATE_FOUND; - gnutls_assert(); - return rc; + rc = cdk_pk_check_sigs(key->knode, keyring->hd, &status); + if (rc == CDK_Error_No_Key) { + rc = GNUTLS_E_NO_CERTIFICATE_FOUND; + gnutls_assert(); + return rc; } - if( rc) { - rc = _gnutls_map_cdk_rc(rc); - gnutls_assert(); - return rc; + if (rc) { + rc = _gnutls_map_cdk_rc(rc); + gnutls_assert(); + return rc; } - if (status & CDK_KEY_INVALID) *verify |= GNUTLS_CERT_INVALID; - if (status & CDK_KEY_REVOKED) *verify |= GNUTLS_CERT_REVOKED; - if (status & CDK_KEY_NOSIGNER) *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND; + if (status & CDK_KEY_INVALID) + *verify |= GNUTLS_CERT_INVALID; + if (status & CDK_KEY_REVOKED) + *verify |= GNUTLS_CERT_REVOKED; + if (status & CDK_KEY_NOSIGNER) + *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND; + + /* Check if the key is included in the ring. + */ + rc = gnutls_openpgp_key_get_id( key, id); + if (rc < 0) { + gnutls_assert(); + return rc; + } + rc = gnutls_openpgp_keyring_check_id( keyring, + id, 0); + + /* if it exists in the keyring don't treat it + * as unknown. 
+ */ + if (rc == 0 && *verify & GNUTLS_CERT_SIGNER_NOT_FOUND) + *verify ^= GNUTLS_CERT_SIGNER_NOT_FOUND; + return 0; } -int _cdk_sig_check( cdk_pkt_pubkey_t pk, cdk_pkt_signature_t sig, - cdk_md_hd_t digest, int * r_expired ); -cdk_md_hd_t cdk_md_open( int algo, unsigned int flags ); -void cdk_md_close( cdk_md_hd_t hd ); +int _cdk_sig_check(cdk_pkt_pubkey_t pk, cdk_pkt_signature_t sig, + cdk_md_hd_t digest, int *r_expired); +cdk_md_hd_t cdk_md_open(int algo, unsigned int flags); +void cdk_md_close(cdk_md_hd_t hd); /** * gnutls_openpgp_key_verify_self - Verify the self signature on the key @@ -150,8 +199,9 @@ void cdk_md_close( cdk_md_hd_t hd ); * * Returns 0 on success. **/ -int gnutls_openpgp_key_verify_self( gnutls_openpgp_key key, - unsigned int flags, unsigned int *verify) +int gnutls_openpgp_key_verify_self(gnutls_openpgp_key key, + unsigned int flags, + unsigned int *verify) { opaque key_id[8]; cdk_kbnode_t k; 
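Review bot: The block added at the end of `gnutls_openpgp_key_verify_ring()` clears `GNUTLS_CERT_SIGNER_NOT_FOUND` on a key-ID match alone, and an 8-byte key ID identifies a key far less strongly than its fingerprint or key material. If the ring lookup compares nothing beyond the ID (not visible in this hunk), a different ring entry carrying the same ID would be enough to drop the flag for a key whose signer is in fact unknown, so the match should be confirmed against the fingerprint before the status is changed. The function comment should state the new rule, e.g. `* A key that is itself present in @keyring is not reported as GNUTLS_CERT_SIGNER_NOT_FOUND.` Clearing the bit reads more directly as `*verify &= ~GNUTLS_CERT_SIGNER_NOT_FOUND;`, which needs no guard on the current value.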
@@ -161,63 +211,63 @@ int gnutls_openpgp_key_verify_self( gnutls_openpgp_key key, cdk_packet_t pk = NULL; *verify = 0; - - pk = cdk_kbnode_get_packet( key->knode); + + pk = cdk_kbnode_get_packet(key->knode); if (!pk) { gnutls_assert(); return GNUTLS_E_INTERNAL_ERROR; } - rc = gnutls_openpgp_key_get_id( key, key_id); + rc = gnutls_openpgp_key_get_id(key, key_id); if (rc < 0) { - gnutls_assert(); - goto leave; + gnutls_assert(); + goto leave; } k = key->knode; - while( (k = cdk_kbnode_find_next( k, CDK_PKT_SIGNATURE)) != NULL) { + while ((k = cdk_kbnode_find_next(k, CDK_PKT_SIGNATURE)) != NULL) { - packet = cdk_kbnode_get_packet( k); - if (!packet) { + packet = cdk_kbnode_get_packet(k); + if (!packet) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (memcmp(key_id, packet->pkt.signature->keyid, 8) == 0) { + /* found the self signature. + */ + md = cdk_md_open(packet->pkt.signature->digest_algo, 0); + if (!md) { gnutls_assert(); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (memcmp( key_id, packet->pkt.signature->keyid, 8)==0) { - /* found the self signature. - */ - md = cdk_md_open( packet->pkt.signature->digest_algo, 0); - if (!md) { - gnutls_assert(); - rc = GNUTLS_E_INTERNAL_ERROR; - goto leave; - } - - cdk_kbnode_hash( key->knode, md, 0, 0, 0 ); - - rc = _cdk_sig_check( pk->pkt.public_key, packet->pkt.signature, - md, &expired); - - if (rc != 0) { - *verify |= GNUTLS_CERT_INVALID; - } - - break; + rc = GNUTLS_E_INTERNAL_ERROR; + goto leave; + } + + cdk_kbnode_hash(key->knode, md, 0, 0, 0); + + rc = _cdk_sig_check(pk->pkt.public_key, packet->pkt.signature, + md, &expired); + + if (rc != 0) { + *verify |= GNUTLS_CERT_INVALID; } - - cdk_pkt_free( packet); - packet = NULL; + + break; + } + + cdk_pkt_free(packet); + packet = NULL; } rc = 0; - leave: - - cdk_pkt_free( packet); - cdk_pkt_free( pk); - cdk_md_close( md ); + leave: + + cdk_pkt_free(packet); + cdk_pkt_free(pk); + cdk_md_close(md); return rc; } 
@@ -241,32 +291,32 @@ int gnutls_openpgp_key_verify_self( gnutls_openpgp_key key, * * Returns 0 on success. **/ -int gnutls_openpgp_key_verify_trustdb( gnutls_openpgp_key key, - gnutls_openpgp_trustdb trustdb, - unsigned int flags, unsigned int *verify) +int gnutls_openpgp_key_verify_trustdb(gnutls_openpgp_key key, + gnutls_openpgp_trustdb trustdb, + unsigned int flags, + unsigned int *verify) { int rc = 0; - - if( !key) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; + + if (!key) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; } - if( !trustdb) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; + if (!trustdb) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; } - rc = openpgp_get_key_trust( trustdb, key, verify); - if( rc) - goto leave; + rc = openpgp_get_key_trust(trustdb, key, verify); + if (rc) + goto leave; rc = 0; - -leave: - if( rc ) { - gnutls_assert(); + + leave: + if (rc) { + gnutls_assert(); } return rc; } - |