authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-08-17 22:48:50 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-08-17 22:49:20 +0200
commitb726f19b9e821db6fdc0a3b335e7cc5b191de6a8 (patch)
tree6238a74bc28f1292680b31703021616749813609
parent8361e8735c5c27fae542a87c14886a788735d65e (diff)
downloadgnutls-b726f19b9e821db6fdc0a3b335e7cc5b191de6a8.tar.gz
Use the preferred key ID when reading the pk_algorithm in openpgp keys.
gnutls_openpgp_*_get_pk_algorithm() returns the algorithm of the preferred key ID if set.
-rw-r--r--lib/auth/cert.h3
-rw-r--r--lib/gnutls_cert.c17
-rw-r--r--lib/gnutls_x509.c17
-rw-r--r--lib/openpgp/gnutls_openpgp.c7
-rw-r--r--lib/openpgp/pgp.c26
-rw-r--r--lib/openpgp/privkey.c26
6 files changed, 64 insertions, 32 deletions
diff --git a/lib/auth/cert.h b/lib/auth/cert.h
index a5a80c0903..a11caba327 100644
--- a/lib/auth/cert.h
+++ b/lib/auth/cert.h
@@ -162,4 +162,7 @@ int _gnutls_selected_cert_supported_kx (struct gnutls_session_int *session,
gnutls_kx_algorithm_t * alg,
int *alg_size);
+int
+_gnutls_check_key_cert_match (gnutls_certificate_credentials_t res);
+
#endif
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 9be2f03c3b..00bd72d17d 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -825,4 +825,21 @@ gnutls_sign_callback_get (gnutls_session_t session, void **userdata)
return session->internals.sign_func;
}
+/* returns error if the certificate has different algorithm than
+ * the given key parameters.
+ */
+int
+_gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
+{
+ int pk = gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts-1].cert_list[0].pubkey, NULL);
+ int pk2 = gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL);
+fprintf(stderr, "pk(pub): %d, pk(priv): pk2\n", pk);
+ if (pk2 != pk)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
+ }
+
+ return 0;
+}
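Review bot: The `fprintf(stderr, "pk(pub): %d, pk(priv): pk2\n", pk);` line in the new `_gnutls_check_key_cert_match` is leftover debug output and should be deleted before this lands: the format string spells `pk2` literally instead of printing it, and a library writing the algorithms of freshly loaded credentials to the host process's stderr is unwanted noise for every application linking it. Dropping it also removes the implicit dependency on `<stdio.h>` that this translation unit may not otherwise have. Separately, both lookups index `res->ncerts-1`, and now that the function is exported through cert.h it can be reached by callers other than the openpgp one shown in this commit, so a `if (res->ncerts == 0) return gnutls_assert_val(...)`-style guard, or a comment stating that the caller must have incremented `ncerts` first, would make the precondition explicit.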
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index a443cd1e00..b9719de807 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -193,23 +193,6 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
* Read certificates and private keys, from files, memory etc.
*/
-/* returns error if the certificate has different algorithm than
- * the given key parameters.
- */
-static int
-_gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
-{
- int pk = gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts-1].cert_list[0].pubkey, NULL);
-
- if (gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL) !=
- pk)
- {
- gnutls_assert ();
- return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
- }
-
- return 0;
-}
/* Returns the name of the certificate of a null name
*/
diff --git a/lib/openpgp/gnutls_openpgp.c b/lib/openpgp/gnutls_openpgp.c
index 7065bf2af4..ceb53c4a6c 100644
--- a/lib/openpgp/gnutls_openpgp.c
+++ b/lib/openpgp/gnutls_openpgp.c
@@ -157,7 +157,12 @@ gnutls_certificate_set_openpgp_key (gnutls_certificate_credentials_t res,
res->ncerts++;
- /* FIXME: Check if the keys match. */
+ ret = _gnutls_check_key_cert_match (res);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
return 0;
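Review bot: When `_gnutls_check_key_cert_match` fails, `gnutls_certificate_set_openpgp_key` returns with `res->ncerts` already incremented on the line above, so the mismatched certificate/key pair stays installed at index `ncerts-1` and a later handshake can still pick the pair the check just rejected. The error path should undo the registration before returning, at minimum `res->ncerts--;`, plus releasing whatever that entry owns (allocated outside this hunk, so I cannot name the exact calls). The `ret` variable used here is declared outside the hunk, presumably earlier in the function, whose beginning and end both lie outside the hunk.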
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index 7ace55da5f..fb77087722 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -367,7 +367,8 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key,
unsigned int *bits)
{
cdk_packet_t pkt;
- int algo;
+ int algo = 0, ret;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (!key)
{
@@ -375,13 +376,24 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key,
return GNUTLS_PK_UNKNOWN;
}
- algo = 0;
- pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_PUBLIC_KEY);
- if (pkt)
+ ret = gnutls_openpgp_crt_get_preferred_key_id (key, keyid);
+ if (ret == 0)
{
- if (bits)
- *bits = cdk_pk_get_nbits (pkt->pkt.public_key);
- algo = _gnutls_openpgp_get_algo (pkt->pkt.public_key->pubkey_algo);
+ int idx;
+
+ idx = gnutls_openpgp_crt_get_subkey_idx (key, keyid);
+ algo =
+ gnutls_openpgp_crt_get_subkey_pk_algorithm (key, idx, NULL);
+ }
+ else
+ {
+ pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_PUBLIC_KEY);
+ if (pkt)
+ {
+ if (bits)
+ *bits = cdk_pk_get_nbits (pkt->pkt.public_key);
+ algo = _gnutls_openpgp_get_algo (pkt->pkt.public_key->pubkey_algo);
+ }
}
return algo;
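Review bot: In the new preferred-key-ID branch the `bits` out-parameter is never written, because `NULL` is passed to `gnutls_openpgp_crt_get_subkey_pk_algorithm`, while the fallback branch still fills it from `cdk_pk_get_nbits`; a caller passing a non-NULL `bits` now reads an unset value whenever a preferred key ID exists. Pass it through instead: `gnutls_openpgp_crt_get_subkey_pk_algorithm (key, idx, bits);`. The value returned by `gnutls_openpgp_crt_get_subkey_idx` is also used unchecked; if it signals failure with a negative code, as this commit treats `ret < 0` elsewhere, that negative value is fed straight in as an index, so guard it with `if (idx < 0) { gnutls_assert (); return GNUTLS_PK_UNKNOWN; }` or fall through to the primary-key lookup. The same two issues apply to the mirrored hunk in lib/openpgp/privkey.c. The function's closing brace lies outside the hunk.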
diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
index 8870ef6707..bd04b21969 100644
--- a/lib/openpgp/privkey.c
+++ b/lib/openpgp/privkey.c
@@ -253,7 +253,8 @@ gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key,
unsigned int *bits)
{
cdk_packet_t pkt;
- int algo;
+ int algo = 0, ret;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (!key)
{
@@ -261,13 +262,24 @@ gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key,
return GNUTLS_PK_UNKNOWN;
}
- algo = 0;
- pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
- if (pkt)
+ ret = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
+ if (ret == 0)
{
- if (bits)
- *bits = cdk_pk_get_nbits (pkt->pkt.secret_key->pk);
- algo = _gnutls_openpgp_get_algo (pkt->pkt.secret_key->pk->pubkey_algo);
+ int idx;
+
+ idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
+ algo =
+ gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, NULL);
+ }
+ else
+ {
+ pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
+ if (pkt)
+ {
+ if (bits)
+ *bits = cdk_pk_get_nbits (pkt->pkt.secret_key->pk);
+ algo = _gnutls_openpgp_get_algo (pkt->pkt.secret_key->pk->pubkey_algo);
+ }
}
return algo;