author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-16 09:03:05 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-16 15:31:51 +0200 |
commit | 72aaf102929121513a91b69a9808f6e3c669655d (patch) | |
tree | 466def07918a5c6bbe36d46108b60d0241699f74 | |
parent | 4ad76785ef2feec7af64f3821edd8eb67de88762 (diff) | |
download | gnutls-72aaf102929121513a91b69a9808f6e3c669655d.tar.gz |
tools: removed options for openpgp support
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | src/certtool-args.def | 21 | ||||
-rw-r--r-- | src/certtool.c | 320 | ||||
-rw-r--r-- | src/cli-args.def | 39 | ||||
-rw-r--r-- | src/cli.c | 157 | ||||
-rw-r--r-- | src/common.c | 115 | ||||
-rw-r--r-- | src/serv-args.def | 67 | ||||
-rw-r--r-- | src/serv.c | 45 |
7 files changed, 11 insertions, 753 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def index 437ecbef74..e2d29090af 100644 --- a/src/certtool-args.def +++ b/src/certtool-args.def @@ -276,20 +276,6 @@ flag = { }; flag = { - name = pgp-certificate-info; - descrip = "Print information on the given OpenPGP certificate"; - doc = ""; - deprecated; -}; - -flag = { - name = pgp-ring-info; - descrip = "Print information on the given OpenPGP keyring structure"; - doc = ""; - deprecated; -}; - -flag = { name = crl-info; value = l; descrip = "Print information on the given CRL structure"; @@ -397,13 +383,6 @@ flag = { }; flag = { - name = pgp-key-info; - descrip = "Print information on an OpenPGP private key"; - doc = ""; - deprecated; -}; - -flag = { name = pubkey-info; descrip = "Print information on a public key"; doc = "The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question."; diff --git a/src/certtool.c b/src/certtool.c index 1eb4f9b808..abaac83d62 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -1136,8 +1136,7 @@ static void cmd_parser(int argc, char **argv) stdlog = stderr; } - if (HAVE_OPT(GENERATE_PRIVKEY) || HAVE_OPT(GENERATE_REQUEST) || - HAVE_OPT(KEY_INFO) || HAVE_OPT(PGP_KEY_INFO)) + if (HAVE_OPT(GENERATE_PRIVKEY) || HAVE_OPT(GENERATE_REQUEST)) privkey_op = 1; if (HAVE_OPT(HEX_NUMBERS)) @@ -1414,14 +1413,6 @@ static void cmd_parser(int argc, char **argv) smime_to_pkcs7(); else if (HAVE_OPT(TO_P8)) generate_pkcs8(&cinfo); -#ifdef ENABLE_OPENPGP - else if (HAVE_OPT(PGP_CERTIFICATE_INFO)) - pgp_certificate_info(); - else if (HAVE_OPT(PGP_KEY_INFO)) - pgp_privkey_info(); - else if (HAVE_OPT(PGP_RING_INFO)) - pgp_ring_info(); -#endif else if (HAVE_OPT(CRQ_INFO)) crq_info(); else 
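Review bot: The rewritten condition in certtool.c cmd_parser (hunk @@ -1136) drops HAVE_OPT(KEY_INFO) together with HAVE_OPT(PGP_KEY_INFO), so `--key-info` no longer sets privkey_op = 1, although only the PGP half of that line is what this commit is removing. privkey_op is not used inside the hunk, but it presumably still gates the private-key handling elsewhere in cmd_parser (for instance how --outfile is opened for key material), so this is a silent behaviour change for an X.509 operation — confirm against the rest of the function. The line should read `if (HAVE_OPT(GENERATE_PRIVKEY) || HAVE_OPT(GENERATE_REQUEST) || HAVE_OPT(KEY_INFO))`. cmd_parser begins and ends outside this hunk.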
@@ -1500,315 +1491,6 @@ void certificate_info(int pubkey, common_info_st * cinfo) gnutls_free(crts); } -#ifdef ENABLE_OPENPGP - -void pgp_certificate_info(void) -{ - gnutls_openpgp_crt_t crt; - size_t size; - int ret; - gnutls_datum_t pem, out_data; - unsigned int verify_status; - - pem.data = (void *) fread_file(infile, &size); - pem.size = size; - - if (!pem.data) { - fprintf(stderr, "%s", infile ? "file" : "standard input"); - app_exit(1); - } - - ret = gnutls_openpgp_crt_init(&crt); - if (ret < 0) { - fprintf(stderr, "openpgp_crt_init: %s\n", - gnutls_strerror(ret)); - app_exit(1); - } - - ret = gnutls_openpgp_crt_import(crt, &pem, incert_format); - - if (ret < 0) { - fprintf(stderr, "import error: %s\n", gnutls_strerror(ret)); - app_exit(1); - } - - free(pem.data); - - if (outcert_format == GNUTLS_OPENPGP_FMT_BASE64) { - ret = gnutls_openpgp_crt_print(crt, 0, &out_data); - - if (ret == 0) { - fprintf(outfile, "%s\n", out_data.data); - gnutls_free(out_data.data); - } - } - - - ret = gnutls_openpgp_crt_verify_self(crt, 0, &verify_status); - if (ret < 0) { - { - fprintf(stderr, "verify signature error: %s\n", - gnutls_strerror(ret)); - app_exit(1); - } - } - - if (verify_status & GNUTLS_CERT_INVALID) { - fprintf(outcert_format == GNUTLS_OPENPGP_FMT_RAW ? stderr : outfile, - "Self Signature verification: failed\n\n"); - } else { - fprintf(outcert_format == GNUTLS_OPENPGP_FMT_RAW ? 
stderr : outfile, - "Self Signature verification: ok (%x)\n\n", - verify_status); - } - - size = lbuffer_size; - ret = - gnutls_openpgp_crt_export(crt, outcert_format, lbuffer, &size); - if (ret < 0) { - fprintf(stderr, "export error: %s\n", gnutls_strerror(ret)); - app_exit(1); - } - - fprintf(outfile, "%s\n", lbuffer); - gnutls_openpgp_crt_deinit(crt); -} - -void pgp_privkey_info(void) -{ - gnutls_openpgp_privkey_t key; - unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE]; - size_t size; - int ret, i, subkeys, bits = 0; - gnutls_datum_t pem; - const char *cprint; - - size = fread(lbuffer, 1, lbuffer_size - 1, infile); - lbuffer[size] = 0; - - gnutls_openpgp_privkey_init(&key); - - pem.data = lbuffer; - pem.size = size; - - ret = gnutls_openpgp_privkey_import(key, &pem, incert_format, - NULL, 0); - - if (ret < 0) { - fprintf(stderr, "import error: %s\n", gnutls_strerror(ret)); - app_exit(1); - } - - /* Public key algorithm - */ - subkeys = gnutls_openpgp_privkey_get_subkey_count(key); - if (subkeys < 0) { - fprintf(stderr, "privkey_get_subkey_count: %s\n", - gnutls_strerror(subkeys)); - app_exit(1); - } - - for (i = -1; i < subkeys; i++) { - - if (i != -1) - fprintf(outfile, "Subkey[%d]:\n", i); - - fprintf(outfile, "Public Key Info:\n"); - - if (i == -1) - ret = - gnutls_openpgp_privkey_get_pk_algorithm(key, - NULL); - else - ret = - gnutls_openpgp_privkey_get_subkey_pk_algorithm - (key, i, NULL); - - fprintf(outfile, "\tPublic Key Algorithm: "); - cprint = gnutls_pk_algorithm_get_name(ret); - fprintf(outfile, "%s\n", cprint ? 
cprint : "Unknown"); - fprintf(outfile, "\tKey Security Level: %s\n", - gnutls_sec_param_get_name - (gnutls_openpgp_privkey_sec_param(key))); - - /* Print the raw public and private keys - */ - - if (ret == GNUTLS_PK_RSA) { - gnutls_datum_t m, e, d, p, q, u; - - if (i == -1) - ret = - gnutls_openpgp_privkey_export_rsa_raw - (key, &m, &e, &d, &p, &q, &u); - else - ret = - gnutls_openpgp_privkey_export_subkey_rsa_raw - (key, i, &m, &e, &d, &p, &q, &u); - if (ret < 0) - fprintf(stderr, - "Error in key RSA data export: %s\n", - gnutls_strerror(ret)); - else - print_rsa_pkey(outfile, &m, &e, &d, &p, &q, - &u, NULL, NULL, - HAVE_OPT(CPRINT)); - - bits = m.size * 8; - } else if (ret == GNUTLS_PK_DSA) { - gnutls_datum_t p, q, g, y, x; - - if (i == -1) - ret = - gnutls_openpgp_privkey_export_dsa_raw - (key, &p, &q, &g, &y, &x); - else - ret = - gnutls_openpgp_privkey_export_subkey_dsa_raw - (key, i, &p, &q, &g, &y, &x); - if (ret < 0) - fprintf(stderr, - "Error in key DSA data export: %s\n", - gnutls_strerror(ret)); - else - print_dsa_pkey(outfile, &x, &y, &p, &q, &g, - HAVE_OPT(CPRINT)); - - bits = y.size * 8; - } - - fprintf(outfile, "\n"); - - size = lbuffer_size; - if (i == -1) - ret = - gnutls_openpgp_privkey_get_key_id(key, keyid); - else - ret = - gnutls_openpgp_privkey_get_subkey_id(key, i, - keyid); - - if (ret < 0) { - fprintf(stderr, - "Error in key id calculation: %s\n", - gnutls_strerror(ret)); - } else { - fprintf(outfile, "Public key ID: %s\n", - raw_to_string(keyid, 8)); - } - - size = lbuffer_size; - if (i == -1) - ret = - gnutls_openpgp_privkey_get_fingerprint(key, - lbuffer, - &size); - else - ret = - gnutls_openpgp_privkey_get_subkey_fingerprint - (key, i, lbuffer, &size); - - if (ret < 0) { - fprintf(stderr, - "Error in fingerprint calculation: %s\n", - gnutls_strerror(ret)); - } else { - gnutls_datum_t art; - - fprintf(outfile, "Fingerprint: %s\n", - raw_to_string(lbuffer, size)); - } - } - - size = lbuffer_size; - ret = 
gnutls_openpgp_privkey_export(key, GNUTLS_OPENPGP_FMT_BASE64, - NULL, 0, lbuffer, &size); - if (ret < 0) { - fprintf(stderr, "export error: %s\n", gnutls_strerror(ret)); - app_exit(1); - } - - fprintf(outfile, "\n%s\n", lbuffer); - - gnutls_openpgp_privkey_deinit(key); -} - -void pgp_ring_info(void) -{ - gnutls_openpgp_keyring_t ring; - gnutls_openpgp_crt_t crt; - size_t size; - int ret, i, count; - gnutls_datum_t pem; - - pem.data = (void *) fread_file(infile, &size); - pem.size = size; - - if (!pem.data) { - fprintf(stderr, "%s", infile ? "file" : "standard input"); - app_exit(1); - } - - ret = gnutls_openpgp_keyring_init(&ring); - if (ret < 0) { - fprintf(stderr, "openpgp_keyring_init: %s\n", - gnutls_strerror(ret)); - app_exit(1); - } - - ret = gnutls_openpgp_keyring_import(ring, &pem, incert_format); - - if (ret < 0) { - fprintf(stderr, "import error: %s\n", gnutls_strerror(ret)); - app_exit(1); - } - - free(pem.data); - - count = gnutls_openpgp_keyring_get_crt_count(ring); - if (count >= 0) - fprintf(outfile, - "Keyring contains %d OpenPGP certificates\n\n", - count); - else { - fprintf(stderr, "keyring error: %s\n", - gnutls_strerror(count)); - app_exit(1); - } - - for (i = 0; i < count; i++) { - ret = gnutls_openpgp_keyring_get_crt(ring, i, &crt); - if (ret < 0) { - fprintf(stderr, "export error: %s\n", - gnutls_strerror(ret)); - app_exit(1); - } - - size = lbuffer_size; - ret = gnutls_openpgp_crt_export(crt, outcert_format, - lbuffer, &size); - if (ret < 0) { - fprintf(stderr, "export error: %s\n", - gnutls_strerror(ret)); - app_exit(1); - } - - fwrite(lbuffer, 1, size, outfile); - fprintf(outfile, "\n\n"); - - gnutls_openpgp_crt_deinit(crt); - - - } - - gnutls_openpgp_keyring_deinit(ring); -} - - -#endif - - - static void print_certificate_info(gnutls_x509_crt_t crt, FILE * out, unsigned int all) { diff --git a/src/cli-args.def b/src/cli-args.def index 69917596f2..f2e1ce1cc5 100644 --- a/src/cli-args.def +++ b/src/cli-args.def 
@@ -141,13 +141,6 @@ flag = { }; flag = { - name = fingerprint; - value = f; - descrip = "Send the openpgp fingerprint, instead of the key"; - doc = ""; -}; - -flag = { name = print-cert; descrip = "Print peer's certificate in PEM format"; doc = ""; @@ -202,31 +195,6 @@ flag = { }; flag = { - name = pgpkeyfile; - arg-type = file; - file-exists = yes; - descrip = "PGP Key file to use"; - doc = ""; -}; - -flag = { - name = pgpkeyring; - arg-type = file; - file-exists = yes; - descrip = "PGP Key ring file to use"; - doc = ""; -}; - -flag = { - name = pgpcertfile; - arg-type = file; - file-exists = yes; - descrip = "PGP Public Key (certificate) file to use"; - doc = ""; - flags-must = pgpkeyfile; -}; - -flag = { name = x509keyfile; arg-type = string; descrip = "X.509 key file or PKCS #11 URL to use"; @@ -242,13 +210,6 @@ flag = { }; flag = { - name = pgpsubkey; - arg-type = string; - descrip = "PGP subkey to use (hex or auto)"; - doc = ""; -}; - -flag = { name = srpusername; arg-type = string; descrip = "SRP username to use"; @@ -50,7 +50,6 @@ #include <gnutls/abstract.h> #include <gnutls/dtls.h> #include <gnutls/x509.h> -#include <gnutls/openpgp.h> #include <gnutls/pkcs11.h> #include <gnutls/crypto.h> #include <gnutls/socket.h> @@ -82,7 +81,6 @@ int resume, starttls, insecure, ranges, rehandshake, udp, mtu, char *hostname = NULL; char service[32]=""; int record_max_size; -int fingerprint; int crlf; int fastopen; unsigned int verbose = 0; @@ -90,9 +88,6 @@ int print_cert; const char *srp_passwd = NULL; const char *srp_username = NULL; -const char *pgp_keyfile = NULL; -const char *pgp_certfile = NULL; -const char *pgp_keyring = NULL; const char *x509_keyfile = NULL; const char *x509_certfile = NULL; const char *x509_cafile = NULL; 
@@ -129,29 +124,6 @@ static unsigned int x509_crt_size; static gnutls_pcert_st x509_crt[MAX_CRT]; static gnutls_privkey_t x509_key = NULL; -static gnutls_pcert_st pgp_crt; -static gnutls_privkey_t pgp_key = NULL; - -#ifdef ENABLE_OPENPGP -static void get_keyid(gnutls_openpgp_keyid_t keyid, const char *str) -{ - size_t keyid_size = GNUTLS_OPENPGP_KEYID_SIZE; - - if (strlen(str) != 16) { - fprintf(stderr, - "The OpenPGP subkey ID has to be 16 hexadecimal characters.\n"); - exit(1); - } - - if (gnutls_hex2bin(str, strlen(str), keyid, &keyid_size) < 0) { - fprintf(stderr, "Error converting hex string: %s.\n", str); - exit(1); - } - - return; -} -#endif - /* Load the certificate and the private key. */ static void load_keys(void) @@ -161,9 +133,6 @@ static void load_keys(void) unsigned int i; gnutls_datum_t data = { NULL, 0 }; gnutls_x509_crt_t crt_list[MAX_CRT]; -#ifdef ENABLE_OPENPGP - unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE]; -#endif if (x509_certfile != NULL && x509_keyfile != NULL) { #ifdef ENABLE_PKCS11 
@@ -288,91 +257,6 @@ static void load_keys(void) "Processed %d client X.509 certificates...\n", x509_crt_size); } - -#ifdef ENABLE_OPENPGP - if (HAVE_OPT(PGPSUBKEY)) { - get_keyid(keyid, OPT_ARG(PGPSUBKEY)); - } - - if (pgp_certfile != NULL && pgp_keyfile != NULL) { - gnutls_openpgp_crt_t tmp_pgp_crt; - - ret = gnutls_load_file(pgp_certfile, &data); - if (ret < 0) { - fprintf(stderr, - "*** Error loading PGP cert file.\n"); - exit(1); - } - - gnutls_openpgp_crt_init(&tmp_pgp_crt); - - ret = - gnutls_pcert_import_openpgp_raw(&pgp_crt, &data, - GNUTLS_OPENPGP_FMT_BASE64, - HAVE_OPT(PGPSUBKEY) ? - keyid : NULL, 0); - if (ret < 0) { - fprintf(stderr, - "*** Error loading PGP cert file: %s\n", - gnutls_strerror(ret)); - exit(1); - } - - gnutls_free(data.data); - - ret = gnutls_privkey_init(&pgp_key); - if (ret < 0) { - fprintf(stderr, "*** Error initializing key: %s\n", - gnutls_strerror(ret)); - exit(1); - } - - gnutls_privkey_set_pin_function(pgp_key, pin_callback, - NULL); - - if (gnutls_url_is_supported(pgp_keyfile)) { - ret = - gnutls_privkey_import_url(pgp_key, pgp_keyfile, - 0); - if (ret < 0) { - fprintf(stderr, - "*** Error loading url: %s\n", - gnutls_strerror(ret)); - exit(1); - } - } else { - ret = gnutls_load_file(pgp_keyfile, &data); - if (ret < 0) { - fprintf(stderr, - "*** Error loading key file.\n"); - exit(1); - } - - if (HAVE_OPT(PGPSUBKEY)) - ret = - gnutls_privkey_import_openpgp_raw - (pgp_key, &data, x509ctype, keyid, - NULL); - else - ret = - gnutls_privkey_import_openpgp_raw - (pgp_key, &data, x509ctype, NULL, - NULL); - if (ret < 0) { - fprintf(stderr, - "*** Error loading url: %s\n", - gnutls_strerror(ret)); - exit(1); - } - - gnutls_free(data.data); - } - - - fprintf(stdout, "Processed 1 client PGP certificate...\n"); - } -#endif - } #define IS_NEWLINE(x) ((x[0] == '\n') || (x[0] == '\r')) 
@@ -649,14 +533,6 @@ cert_callback(gnutls_session_t session, *pcert_length = x509_crt_size; *pcert = x509_crt; } - - } else if (cert_type == GNUTLS_CRT_OPENPGP) { - if (pgp_key != NULL) { - *pkey = pgp_key; - - *pcert_length = 1; - *pcert = &pgp_crt; - } } printf("- Successfully sent %u certificate(s) to server.\n", @@ -737,13 +613,6 @@ gnutls_session_t init_tls_session(const char *host) gnutls_certificate_set_verify_function(xcred, cert_verify_callback); - /* send the fingerprint */ -#ifdef ENABLE_OPENPGP - if (fingerprint != 0) - gnutls_openpgp_send_cert(session, - GNUTLS_OPENPGP_CERT_FINGERPRINT); -#endif - /* use the max record size extension */ if (record_max_size > 0 && disable_extensions == 0) { if (gnutls_record_set_max_size(session, record_max_size) < @@ -1590,8 +1459,6 @@ static void cmd_parser(int argc, char **argv) record_max_size = OPT_VALUE_RECORDSIZE; - fingerprint = HAVE_OPT(FINGERPRINT); - if (HAVE_OPT(X509FMTDER)) x509ctype = GNUTLS_X509_FMT_DER; else @@ -1615,12 +1482,6 @@ static void cmd_parser(int argc, char **argv) if (HAVE_OPT(X509CERTFILE)) x509_certfile = OPT_ARG(X509CERTFILE); - if (HAVE_OPT(PGPKEYFILE)) - pgp_keyfile = OPT_ARG(PGPKEYFILE); - - if (HAVE_OPT(PGPCERTFILE)) - pgp_certfile = OPT_ARG(PGPCERTFILE); - if (HAVE_OPT(PSKUSERNAME)) psk_username = OPT_ARG(PSKUSERNAME); @@ -1630,9 +1491,6 @@ static void cmd_parser(int argc, char **argv) } else psk_key.size = 0; - if (HAVE_OPT(PGPKEYRING)) - pgp_keyring = OPT_ARG(PGPKEYRING); - crlf = HAVE_OPT(CRLF); #ifdef TCP_FASTOPEN @@ -1700,7 +1558,7 @@ int do_handshake(socket_st * socket) if (ret == 0) { /* print some information */ - print_info(socket->session, verbose, (HAVE_OPT(X509CERTFILE)||HAVE_OPT(PGPCERTFILE))?P_WAIT_FOR_CERT:0); + print_info(socket->session, verbose, HAVE_OPT(X509CERTFILE)?P_WAIT_FOR_CERT:0); socket->secure = 1; } else { gnutls_alert_send_appropriate(socket->session, ret); 
@@ -1871,19 +1729,6 @@ static void init_global_tls_stuff(void) load_keys(); -#ifdef ENABLE_OPENPGP - if (pgp_keyring != NULL) { - ret = - gnutls_certificate_set_openpgp_keyring_file(xcred, - pgp_keyring, - GNUTLS_OPENPGP_FMT_BASE64); - if (ret < 0) { - fprintf(stderr, - "Error setting the OpenPGP keyring file\n"); - } - } -#endif - #ifdef ENABLE_SRP if (srp_username && srp_passwd) { /* SRP stuff */ diff --git a/src/common.c b/src/common.c index 4bf7ba4f53..28d60514f6 100644 --- a/src/common.c +++ b/src/common.c @@ -33,7 +33,6 @@ #include <string.h> #include <gnutls/gnutls.h> #include <gnutls/x509.h> -#include <gnutls/openpgp.h> #include <gnutls/crypto.h> #include <time.h> #include <common.h> 
@@ -236,110 +235,6 @@ print_x509_info(gnutls_session_t session, FILE *out, int flag, int print_cert) } } -#ifdef ENABLE_OPENPGP -static void print_openpgp_info_compact(gnutls_session_t session) -{ - - gnutls_openpgp_crt_t crt; - const gnutls_datum_t *cert_list; - unsigned int cert_list_size = 0; - int ret; - - cert_list = gnutls_certificate_get_peers(session, &cert_list_size); - - if (cert_list_size > 0) { - gnutls_datum_t cinfo; - - gnutls_openpgp_crt_init(&crt); - ret = gnutls_openpgp_crt_import(crt, &cert_list[0], - GNUTLS_OPENPGP_FMT_RAW); - if (ret < 0) { - fprintf(stderr, "Decoding error: %s\n", - gnutls_strerror(ret)); - return; - } - - ret = - gnutls_openpgp_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, - &cinfo); - if (ret == 0) { - printf("- OpenPGP cert: %s\n", cinfo.data); - gnutls_free(cinfo.data); - } - - gnutls_openpgp_crt_deinit(crt); - } -} - -static void -print_openpgp_info(gnutls_session_t session, FILE *out, int flag, int print_cert) -{ - - gnutls_openpgp_crt_t crt; - const gnutls_datum_t *cert_list; - unsigned int cert_list_size = 0; - int ret; - - fprintf(out, "- Certificate type: OpenPGP\n"); - - cert_list = gnutls_certificate_get_peers(session, &cert_list_size); - - if (cert_list_size > 0) { - gnutls_datum_t cinfo; - - gnutls_openpgp_crt_init(&crt); - ret = gnutls_openpgp_crt_import(crt, &cert_list[0], - GNUTLS_OPENPGP_FMT_RAW); - if (ret < 0) { - fprintf(stderr, "Decoding error: %s\n", - gnutls_strerror(ret)); - return; - } - - ret = gnutls_openpgp_crt_print(crt, flag, &cinfo); - if (ret == 0) { - fprintf(out, "- %s\n", cinfo.data); - gnutls_free(cinfo.data); - } - - if (print_cert) { - size_t size = 0; - char *p = NULL; - - ret = - gnutls_openpgp_crt_export(crt, - GNUTLS_OPENPGP_FMT_BASE64, - p, &size); - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { - p = malloc(size); - if (!p) { - fprintf(stderr, "gnutls_malloc\n"); - exit(1); - } - - ret = - gnutls_openpgp_crt_export(crt, - GNUTLS_OPENPGP_FMT_BASE64, - p, &size); - } - if (ret < 0) { - 
fprintf(stderr, "Encoding error: %s\n", - gnutls_strerror(ret)); - return; - } - - fputs(p, out); - fputs("\n", out); - - gnutls_free(p); - } - - gnutls_openpgp_crt_deinit(crt); - } -} - -#endif - /* returns false (0) if not verified, or true (1) otherwise */ int cert_verify(gnutls_session_t session, const char *hostname, const char *purpose) @@ -694,11 +589,6 @@ void print_cert_info2(gnutls_session_t session, int verbose, FILE *out, int prin case GNUTLS_CRT_X509: print_x509_info(session, out, flag, print_cert); break; -#ifdef ENABLE_OPENPGP - case GNUTLS_CRT_OPENPGP: - print_openpgp_info(session, out, flag, print_cert); - break; -#endif default: printf("Unknown type\n"); break; @@ -715,11 +605,6 @@ void print_cert_info_compact(gnutls_session_t session) case GNUTLS_CRT_X509: print_x509_info_compact(session); break; -#ifdef ENABLE_OPENPGP - case GNUTLS_CRT_OPENPGP: - print_openpgp_info_compact(session); - break; -#endif default: printf("Unknown type\n"); break; diff --git a/src/serv-args.def b/src/serv-args.def index 8900047140..0e13cbf140 100644 --- a/src/serv-args.def +++ b/src/serv-args.def @@ -156,22 +156,7 @@ flag = { file-exists = yes; descrip = "PGP Key file to use"; doc = ""; -}; - -flag = { - name = pgpkeyring; - arg-type = file; - file-exists = yes; - descrip = "PGP Key ring file to use"; - doc = ""; -}; - -flag = { - name = pgpcertfile; - arg-type = file; - file-exists = yes; - descrip = "PGP Public Key (certificate) file to use"; - doc = ""; + deprecated; }; flag = { @@ -227,13 +212,6 @@ flag = { }; flag = { - name = pgpsubkey; - arg-type = string; - descrip = "PGP subkey to use (hex or auto)"; - doc = ""; -}; - -flag = { name = srppasswd; arg-type = file; file-exists = yes; 
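Review bot: The pgpkeyfile stub kept in serv-args.def (hunk @@ -156) is marked `deprecated;` but still carries `file-exists = yes;` and the descrip "PGP Key file to use", while serv.c cmd_parser (hunk @@ -1672) no longer reads the option at all. The result is an ignored option whose help text still promises it is used and which still asks the option parser to verify that the named file exists, so a stale invocation fails on a missing file rather than on the missing feature. I would drop `file-exists = yes;` and change the text to `descrip = "PGP Key file to use (ignored)";`. The treatment is also inconsistent across the tools: cli-args.def removes pgpkeyfile, pgpkeyring, pgpcertfile and pgpsubkey outright so gnutls-cli rejects them, whereas gnutls-serv keeps only pgpkeyfile as a deprecated stub and removes the other three; either keep all four as deprecated stubs in both .def files or remove them in both.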
@@ -395,42 +373,17 @@ $ gnutls-serv --http \ Try connecting to the server using your web browser. Note that the server listens to port 5556 by default. -While you are at it, to allow connections using DSA, you can also -create a DSA key and certificate for the server. These credentials +While you are at it, to allow connections using ECDSA, you can also +create a ECDSA key and certificate for the server. These credentials will be used in the final example below. @example -$ certtool --generate-privkey --dsa > x509-server-key-dsa.pem -$ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \ +$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem +$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ - --template server.tmpl --outfile x509-server-dsa.pem -@end example - -The next step is to create OpenPGP credentials for the server. - -@example -gpg --gen-key -Enter whatever details you want, use 'test.gnutls.org' as name... + --template server.tmpl --outfile x509-server-ecc.pem @end example -Make a note of the OpenPGP key identifier of the newly generated key, -here it was @code{5D1D14D8}. You will need to export the key for -GnuTLS to be able to use it. - -@example -gpg -a --export 5D1D14D8 > openpgp-server.txt -gpg --export 5D1D14D8 > openpgp-server.bin -gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin -gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt -@end example - -Let's start the server with support for OpenPGP credentials: - -@example -gnutls-serv --http --priority NORMAL:+CTYPE-OPENPGP \ - --pgpkeyfile openpgp-server-key.txt \ - --pgpcertfile openpgp-server.txt -@end example The next step is to add support for SRP authentication. This requires an SRP password file created with @code{srptool}. 
@@ -454,14 +407,12 @@ Finally, we start the server with all the earlier parameters and you get this command: @example -gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-OPENPGP \ +gnutls-serv --http --priority NORMAL:+PSK:+SRP \ --x509cafile x509-ca.pem \ --x509keyfile x509-server-key.pem \ --x509certfile x509-server.pem \ - --x509dsakeyfile x509-server-key-dsa.pem \ - --x509dsacertfile x509-server-dsa.pem \ - --pgpkeyfile openpgp-server-key.txt \ - --pgpcertfile openpgp-server.txt \ + --x509keyfile x509-server-key-ecc.pem \ + --x509certfile x509-server-ecc.pem \ --srppasswdconf srp-tpasswd.conf \ --srppasswd srp-passwd.txt \ --pskpasswd psk-passwd.txt diff --git a/src/serv.c b/src/serv.c index 2ed184c270..63138a509e 100644 --- a/src/serv.c +++ b/src/serv.c @@ -34,7 +34,6 @@ #include <string.h> #include <gnutls/gnutls.h> #include <gnutls/dtls.h> -#include <gnutls/openpgp.h> #include <sys/time.h> #include <sys/select.h> #include <fcntl.h> @@ -67,9 +66,6 @@ int disable_client_cert; const char *psk_passwd = NULL; const char *srp_passwd = NULL; const char *srp_passwd_conf = NULL; -const char *pgp_keyring = NULL; -const char *pgp_keyfile = NULL; -const char *pgp_certfile = NULL; const char **x509_keyfile = NULL; const char **x509_certfile = NULL; unsigned x509_certfile_size = 0; 
@@ -1073,39 +1069,6 @@ int main(int argc, char **argv) printf("Processed %d CRL(s).\n", ret); } } -#ifdef ENABLE_OPENPGP - if (pgp_keyring != NULL) { - ret = - gnutls_certificate_set_openpgp_keyring_file(cert_cred, - pgp_keyring, - GNUTLS_OPENPGP_FMT_BASE64); - if (ret < 0) { - fprintf(stderr, - "Error setting the OpenPGP keyring file\n"); - GERR(ret); - } - } - - if (pgp_certfile != NULL && pgp_keyfile != NULL) { - if (HAVE_OPT(PGPSUBKEY)) - ret = gnutls_certificate_set_openpgp_key_file2 - (cert_cred, pgp_certfile, pgp_keyfile, - OPT_ARG(PGPSUBKEY), - GNUTLS_OPENPGP_FMT_BASE64); - else - ret = gnutls_certificate_set_openpgp_key_file - (cert_cred, pgp_certfile, pgp_keyfile, - GNUTLS_OPENPGP_FMT_BASE64); - - if (ret < 0) { - fprintf(stderr, - "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n", - ret, pgp_certfile, pgp_keyfile); - GERR(ret); - } else - cert_set = 1; - } -#endif if (x509_certfile_size > 0 && x509_keyfile_size > 0) { unsigned i; @@ -1672,14 +1635,6 @@ static void cmd_parser(int argc, char **argv) if (HAVE_OPT(X509CRLFILE)) x509_crlfile = OPT_ARG(X509CRLFILE); - if (HAVE_OPT(PGPKEYFILE)) - pgp_keyfile = OPT_ARG(PGPKEYFILE); - if (HAVE_OPT(PGPCERTFILE)) - pgp_certfile = OPT_ARG(PGPCERTFILE); - - if (HAVE_OPT(PGPKEYRING)) - pgp_keyring = OPT_ARG(PGPKEYRING); - if (HAVE_OPT(SRPPASSWD)) srp_passwd = OPT_ARG(SRPPASSWD); if (HAVE_OPT(SRPPASSWDCONF)) |