summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-11 22:03:11 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-11 22:06:06 +0200
commitaf6861a057a299493e0ce56ffc084945c3926ce1 (patch)
tree7d1358677efb6bfa7e2127dcc4d8dd3eb471730b
parent30145da642095d0e2043886db97a9ef2cc268091 (diff)
downloadgnutls-af6861a057a299493e0ce56ffc084945c3926ce1.tar.gz
Several OpenPGP updates.
Removed compatibility code with RFC5081. The gnutls_openpgp_*_get_subkey_*() functions return the master key parameters if provided with GNUTLS_OPENPGP_MASTER_KEYID_IDX.
Diffstat
-rw-r--r--NEWS3
-rw-r--r--lib/auth/cert.c115
-rw-r--r--lib/auth/cert.h1
-rw-r--r--lib/gnutls_pcert.c3
-rw-r--r--lib/gnutls_pubkey.c9
-rw-r--r--lib/includes/gnutls/openpgp.h3
-rw-r--r--lib/openpgp/pgp.c70
-rw-r--r--lib/openpgp/privkey.c86
8 files changed, 168 insertions, 122 deletions
diff --git a/NEWS b/NEWS
index e92b0d371a..efdd95c72f 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,9 @@ Reported by danblack at http://savannah.gnu.org/support/?108146
** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
response corresponds to the given certificate.
+** libgnutls: Compatibility code with RFC5081 was removed. The OpenPGP
+code now is RFC6091 compliant only.
+
** API and ABI modifications:
gnutls_ocsp_resp_check_crt: Added
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 0e9e0d9825..9286fbb7d8 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -73,7 +73,7 @@ typedef enum CertificateSigType
* exported certificate struct (cert_auth_info_t)
*/
static int
-_gnutls_copy_certificate_auth_info (cert_auth_info_t info, gnutls_pcert_st * certs, size_t ncerts, int subkey_used, /* openpgp only */
+_gnutls_copy_certificate_auth_info (cert_auth_info_t info, gnutls_pcert_st * certs, size_t ncerts, /* openpgp only */
void *keyid)
{
/* Copy peer's information to auth_info_t
@@ -123,7 +123,6 @@ _gnutls_copy_certificate_auth_info (cert_auth_info_t info, gnutls_pcert_st * cer
#ifdef ENABLE_OPENPGP
if (certs[0].type == GNUTLS_CRT_OPENPGP)
{
- info->use_subkey = subkey_used;
if (keyid)
memcpy (info->subkey_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE);
}
@@ -846,7 +845,7 @@ _gnutls_gen_x509_crt (gnutls_session_t session, gnutls_buffer_st * data)
}
enum PGPKeyDescriptorType
-{ PGP_KEY_FINGERPRINT, PGP_KEY, PGP_KEY_SUBKEY, PGP_KEY_FINGERPRINT_SUBKEY };
+{ PGP_EMPTY_KEY=1, PGP_KEY_SUBKEY, PGP_KEY_FINGERPRINT_SUBKEY };
#ifdef ENABLE_OPENPGP
static int
@@ -860,7 +859,6 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
uint8_t type;
uint8_t fpr[20];
size_t fpr_size;
- unsigned int use_subkey = 0;
/* find the appropriate certificate */
if ((ret =
@@ -880,12 +878,11 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
fpr_size = sizeof (fpr);
ret =
gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr,
- &fpr_size, &use_subkey);
+ &fpr_size, NULL);
if (ret < 0)
return gnutls_assert_val (ret);
- if (use_subkey != 0)
- ret += 1 + fpr_size; /* for the keyid */
+ ret += 1 + fpr_size; /* for the keyid */
ret += apr_cert_list[0].cert.size;
}
@@ -897,25 +894,15 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
if (apr_cert_list_length > 0)
{
- if (use_subkey != 0)
- {
- type = PGP_KEY_SUBKEY;
+ type = PGP_KEY_SUBKEY;
- ret = _gnutls_buffer_append_data (data, &type, 1);
- if (ret < 0)
- return gnutls_assert_val (ret);
+ ret = _gnutls_buffer_append_data (data, &type, 1);
+ if (ret < 0)
+ return gnutls_assert_val (ret);
- ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
- if (ret < 0)
- return gnutls_assert_val (ret);
- }
- else
- {
- type = PGP_KEY;
- ret = _gnutls_buffer_append_data (data, &type, 1);
- if (ret < 0)
- return gnutls_assert_val (ret);
- }
+ ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
+ if (ret < 0)
+ return gnutls_assert_val (ret);
ret =
_gnutls_buffer_append_data_prefix (data, 24,
@@ -926,7 +913,7 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session,
}
else /* empty - no certificate */
{
- type = PGP_KEY;
+ type = PGP_EMPTY_KEY;
ret = _gnutls_buffer_append_data (data, &type, 1);
if (ret < 0)
@@ -950,7 +937,6 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session,
gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
- unsigned int use_subkey = 0;
/* find the appropriate certificate */
if ((ret =
@@ -964,14 +950,12 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session,
fpr_size = sizeof (fpr);
ret =
gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr,
- &fpr_size, &use_subkey);
+ &fpr_size, NULL);
if (ret < 0)
return gnutls_assert_val (ret);
packet_size = 3 + 1;
-
- if (use_subkey)
- packet_size += 1 + fpr_size; /* for the keyid */
+ packet_size += 1 + fpr_size; /* for the keyid */
/* Only v4 fingerprints are sent
*/
@@ -984,33 +968,10 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val (ret);
- if (use_subkey)
- {
- type = PGP_KEY_FINGERPRINT_SUBKEY;
- ret = _gnutls_buffer_append_data (data, &type, 1);
- if (ret < 0)
- return gnutls_assert_val (ret);
-
- ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
- if (ret < 0)
- return gnutls_assert_val (ret);
- }
- else
- {
- type = PGP_KEY_FINGERPRINT; /* key fingerprint */
- ret = _gnutls_buffer_append_data (data, &type, 1);
- if (ret < 0)
- return gnutls_assert_val (ret);
- }
-
- fpr_size = sizeof (fpr);
- if ((ret =
- _gnutls_openpgp_fingerprint (&apr_cert_list[0].cert, fpr,
- &fpr_size)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ type = PGP_KEY_FINGERPRINT_SUBKEY;
+ ret = _gnutls_buffer_append_data (data, &type, 1);
+ if (ret < 0)
+ return gnutls_assert_val (ret);
ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
if (ret < 0)
@@ -1182,7 +1143,7 @@ _gnutls_proc_x509_server_crt (gnutls_session_t session,
if ((ret =
_gnutls_copy_certificate_auth_info (info,
peer_certificate_list,
- peer_certificate_list_size, 0,
+ peer_certificate_list_size,
NULL)) < 0)
{
gnutls_assert ();
@@ -1220,7 +1181,6 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session,
gnutls_pcert_st *peer_certificate_list = NULL;
gnutls_datum_t tmp, akey = { NULL, 0 };
uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE];
- unsigned int subkey_id_set = 0;
cred = (gnutls_certificate_credentials_t)
_gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
@@ -1278,16 +1238,10 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session,
DECR_LEN (dsize, GNUTLS_OPENPGP_KEYID_SIZE);
memcpy (subkey_id, p, GNUTLS_OPENPGP_KEYID_SIZE);
p += GNUTLS_OPENPGP_KEYID_SIZE;
-
- subkey_id_set = 1;
-
}
- /* read the actual key or fingerprint */
- if (key_type == PGP_KEY_FINGERPRINT ||
- key_type == PGP_KEY_FINGERPRINT_SUBKEY)
- { /* the fingerprint */
-
+ if (key_type == PGP_KEY_FINGERPRINT_SUBKEY)
+ {
DECR_LEN (dsize, 1);
len = (uint8_t) * p;
p++;
@@ -1311,7 +1265,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session,
}
tmp = akey;
}
- else if (key_type == PGP_KEY || key_type == PGP_KEY_SUBKEY)
+ else if (key_type == PGP_KEY_SUBKEY)
{ /* the whole key */
/* Read the actual certificate */
@@ -1323,7 +1277,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session,
{
gnutls_assert ();
/* no certificate was sent */
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
DECR_LEN (dsize, len);
@@ -1332,6 +1286,19 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session,
tmp.data = p;
}
+ else if (key_type == PGP_EMPTY_KEY)
+ { /* the whole key */
+
+ /* Read the actual certificate */
+ DECR_LEN (dsize, 3);
+ len = _gnutls_read_uint24 (p);
+ p += 3;
+
+ if (len != 0) /* PGP_EMPTY_KEY */
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+ else
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
+ }
else
{
gnutls_assert ();
@@ -1341,8 +1308,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session,
/* ok we now have the peer's key in tmp datum
*/
peer_certificate_list =
- gnutls_calloc (1,
- sizeof (gnutls_pcert_st));
+ gnutls_calloc (1, sizeof (gnutls_pcert_st));
if (peer_certificate_list == NULL)
{
gnutls_assert ();
@@ -1354,7 +1320,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session,
gnutls_pcert_import_openpgp_raw (&peer_certificate_list[0],
&tmp,
GNUTLS_OPENPGP_FMT_RAW,
- (subkey_id_set != 0) ? subkey_id : NULL,
+ subkey_id,
0);
if (ret < 0)
{
@@ -1365,10 +1331,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session,
ret =
_gnutls_copy_certificate_auth_info (info,
peer_certificate_list,
- 1,
- subkey_id_set,
- (subkey_id_set !=
- 0) ? subkey_id : NULL);
+ 1, subkey_id);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/auth/cert.h b/lib/auth/cert.h
index fd4e5a42be..310831ed65 100644
--- a/lib/auth/cert.h
+++ b/lib/auth/cert.h
@@ -112,7 +112,6 @@ typedef struct cert_auth_info_st
gnutls_certificate_type_t cert_type;
#ifdef ENABLE_OPENPGP
- int use_subkey;
uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE];
#endif
} *cert_auth_info_t;
diff --git a/lib/gnutls_pcert.c b/lib/gnutls_pcert.c
index 1211e2d6fb..3a6b6fee5c 100644
--- a/lib/gnutls_pcert.c
+++ b/lib/gnutls_pcert.c
@@ -396,8 +396,7 @@ _gnutls_get_auth_info_pcert (gnutls_pcert_st* pcert,
return gnutls_pcert_import_openpgp_raw(pcert,
&info->raw_certificate_list[0],
GNUTLS_OPENPGP_FMT_RAW,
- info->use_subkey ? info->
- subkey_id : NULL, GNUTLS_PCERT_NO_CERT);
+ info->subkey_id, GNUTLS_PCERT_NO_CERT);
#endif
default:
gnutls_assert ();
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 9b029fa2be..5786b85611 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -408,14 +408,13 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
* replaced by the actual size of parameters)
* @subkey: Will be non zero if the key ID corresponds to a subkey
*
- * This function will return a unique ID the depends on the public
- * key parameters. This ID can be used in checking whether a
- * certificate corresponds to the given public key.
+ * This function returned the OpenPGP key ID of the corresponding key.
+ * The key is a unique ID the depends on the public
+ * key parameters.
*
* If the buffer provided is not long enough to hold the output, then
* *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned. The output will normally be a SHA-1 hash output,
- * which is 20 bytes.
+ * be returned. The output is %GNUTLS_OPENPGP_KEYID_SIZE bytes long.
*
* Returns: In case of failure a negative error code will be
* returned, and 0 on success.
diff --git a/lib/includes/gnutls/openpgp.h b/lib/includes/gnutls/openpgp.h
index 1d4e0cd591..b53b165484 100644
--- a/lib/includes/gnutls/openpgp.h
+++ b/lib/includes/gnutls/openpgp.h
@@ -28,6 +28,7 @@
#define GNUTLS_OPENPGP_H
#include <gnutls/gnutls.h>
+#include <limits.h>
#ifdef __cplusplus
extern "C"
@@ -76,6 +77,8 @@ extern "C"
/* The key_usage flags are defined in gnutls.h. They are
* the GNUTLS_KEY_* definitions.
*/
+#define GNUTLS_OPENPGP_MASTER_KEYID_IDX INT_MAX
+
int gnutls_openpgp_crt_get_key_usage (gnutls_openpgp_crt_t key,
unsigned int *key_usage);
int gnutls_openpgp_crt_get_fingerprint (gnutls_openpgp_crt_t key, void *fpr,
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index 7ace55da5f..87587e377b 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -125,7 +125,7 @@ int
_gnutls_openpgp_export (cdk_kbnode_t node,
gnutls_openpgp_crt_fmt_t format,
void *output_data,
- size_t * output_data_size, int private)
+ size_t * output_data_size, int priv)
{
size_t input_data_size = *output_data_size;
size_t calc_size;
@@ -141,7 +141,7 @@ _gnutls_openpgp_export (cdk_kbnode_t node,
/* If the caller uses output_data == NULL then return what he expects.
*/
- if (!output_data)
+ if (!output_data && format != GNUTLS_OPENPGP_FMT_BASE64)
{
gnutls_assert ();
return GNUTLS_E_SHORT_MEMORY_BUFFER;
@@ -156,7 +156,7 @@ _gnutls_openpgp_export (cdk_kbnode_t node,
buffer is large enough. */
rc = cdk_armor_encode_buffer (in, *output_data_size,
NULL, 0, &calc_size,
- private ? CDK_ARMOR_SECKEY :
+ priv ? CDK_ARMOR_SECKEY :
CDK_ARMOR_PUBKEY);
if (rc || calc_size > input_data_size)
{
@@ -168,7 +168,7 @@ _gnutls_openpgp_export (cdk_kbnode_t node,
rc = cdk_armor_encode_buffer (in, *output_data_size,
output_data, input_data_size, &calc_size,
- private ? CDK_ARMOR_SECKEY :
+ priv ? CDK_ARMOR_SECKEY :
CDK_ARMOR_PUBKEY);
gnutls_free (in);
*output_data_size = calc_size;
@@ -189,7 +189,7 @@ _gnutls_openpgp_export (cdk_kbnode_t node,
* gnutls_openpgp_crt_export:
* @key: Holds the key.
* @format: One of gnutls_openpgp_crt_fmt_t elements.
- * @output_data: will contain the key base64 encoded or raw
+ * @output_data: will contain the raw or base64 encoded key
* @output_data_size: holds the size of output_data (and will
* be replaced by the actual size of parameters)
*
@@ -367,7 +367,8 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key,
unsigned int *bits)
{
cdk_packet_t pkt;
- int algo;
+ int algo = 0, ret;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (!key)
{
@@ -375,7 +376,20 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key,
return GNUTLS_PK_UNKNOWN;
}
- algo = 0;
+ ret = gnutls_openpgp_crt_get_preferred_key_id (key, keyid);
+ if (ret == 0)
+ {
+ int idx;
+
+ idx = gnutls_openpgp_crt_get_subkey_idx (key, keyid);
+ if (idx != GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ {
+ algo =
+ gnutls_openpgp_crt_get_subkey_pk_algorithm (key, idx, bits);
+ return algo;
+ }
+ }
+
pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_PUBLIC_KEY);
if (pkt)
{
@@ -799,6 +813,9 @@ gnutls_openpgp_crt_get_subkey_revoked_status (gnutls_openpgp_crt_t key,
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_revoked_status(key);
+
pkt = _get_public_subkey (key, idx);
if (!pkt)
return GNUTLS_E_OPENPGP_GETKEY_FAILED;
@@ -840,6 +857,9 @@ gnutls_openpgp_crt_get_subkey_pk_algorithm (gnutls_openpgp_crt_t key,
return GNUTLS_PK_UNKNOWN;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_pk_algorithm(key, bits);
+
pkt = _get_public_subkey (key, idx);
algo = 0;
@@ -874,6 +894,9 @@ gnutls_openpgp_crt_get_subkey_creation_time (gnutls_openpgp_crt_t key,
if (!key)
return (time_t) - 1;
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_creation_time(key);
+
pkt = _get_public_subkey (key, idx);
if (pkt)
timestamp = pkt->pkt.public_key->timestamp;
@@ -906,6 +929,9 @@ gnutls_openpgp_crt_get_subkey_expiration_time (gnutls_openpgp_crt_t key,
if (!key)
return (time_t) - 1;
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_expiration_time(key);
+
pkt = _get_public_subkey (key, idx);
if (pkt)
expiredate = pkt->pkt.public_key->expiredate;
@@ -938,6 +964,9 @@ gnutls_openpgp_crt_get_subkey_id (gnutls_openpgp_crt_t key,
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
+
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_key_id(key, keyid);
pkt = _get_public_subkey (key, idx);
if (!pkt)
@@ -977,6 +1006,9 @@ gnutls_openpgp_crt_get_subkey_fingerprint (gnutls_openpgp_crt_t key,
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
+
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_fingerprint(key, fpr, fprlen);
*fprlen = 0;
@@ -1012,6 +1044,7 @@ gnutls_openpgp_crt_get_subkey_idx (gnutls_openpgp_crt_t key,
{
int ret;
uint32_t kid[2];
+ uint8_t master_id[GNUTLS_OPENPGP_KEYID_SIZE];
if (!key)
{
@@ -1019,6 +1052,12 @@ gnutls_openpgp_crt_get_subkey_idx (gnutls_openpgp_crt_t key,
return GNUTLS_E_INVALID_REQUEST;
}
+ ret = gnutls_openpgp_crt_get_key_id (key, master_id);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ if (memcmp(master_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE)==0)
+ return GNUTLS_OPENPGP_MASTER_KEYID_IDX;
+
KEYID_IMPORT (kid, keyid);
ret = _gnutls_openpgp_find_subkey_idx (key->knode, kid, 0);
@@ -1059,6 +1098,9 @@ gnutls_openpgp_crt_get_subkey_usage (gnutls_openpgp_crt_t key,
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_key_usage(key, key_usage);
+
pkt = _get_public_subkey (key, idx);
if (!pkt)
return GNUTLS_E_OPENPGP_SUBKEY_ERROR;
@@ -1456,6 +1498,9 @@ gnutls_openpgp_crt_get_subkey_pk_rsa_raw (gnutls_openpgp_crt_t crt,
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_pk_rsa_raw(crt, m, e);
+
ret = gnutls_openpgp_crt_get_subkey_id (crt, idx, keyid);
if (ret < 0)
{
@@ -1494,6 +1539,9 @@ gnutls_openpgp_crt_get_subkey_pk_dsa_raw (gnutls_openpgp_crt_t crt,
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_pk_dsa_raw(crt, p,q, g, y);
+
ret = gnutls_openpgp_crt_get_subkey_id (crt, idx, keyid);
if (ret < 0)
{
@@ -1574,14 +1622,10 @@ gnutls_openpgp_crt_set_preferred_key_id (gnutls_openpgp_crt_t key,
* gnutls_openpgp_crt_get_auth_subkey:
* @crt: the structure that contains the OpenPGP public key.
* @keyid: the struct to save the keyid.
- * @flag: Non (0) indicates that a valid subkey is always returned.
+ * @flag: Non-zero indicates that a valid subkey is always returned.
*
* Returns the 64-bit keyID of the first valid OpenPGP subkey marked
- * for authentication. If flag is non (0) and no authentication
- * subkey exists, then a valid subkey will be returned even if it is
- * not marked for authentication.
- * Returns the 64-bit keyID of the first valid OpenPGP subkey marked
- * for authentication. If flag is non (0) and no authentication
+ * for authentication. If flag is non-zero and no authentication
* subkey exists, then a valid subkey will be returned even if it is
* not marked for authentication.
*
diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
index 9be87b0206..6eb4df9c81 100644
--- a/lib/openpgp/privkey.c
+++ b/lib/openpgp/privkey.c
@@ -230,7 +230,6 @@ gnutls_openpgp_privkey_export (gnutls_openpgp_privkey_t key,
output_data_size, 1);
}
-
/**
* gnutls_openpgp_privkey_get_pk_algorithm:
* @key: is an OpenPGP key
@@ -253,7 +252,8 @@ gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key,
unsigned int *bits)
{
cdk_packet_t pkt;
- int algo;
+ int algo = 0, ret;
+ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (!key)
{
@@ -261,7 +261,20 @@ gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key,
return GNUTLS_PK_UNKNOWN;
}
- algo = 0;
+ ret = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
+ if (ret == 0)
+ {
+ int idx;
+
+ idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
+ if (idx != GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ {
+ algo =
+ gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, bits);
+ return algo;
+ }
+ }
+
pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
if (pkt)
{
@@ -403,7 +416,6 @@ gnutls_openpgp_privkey_get_key_id (gnutls_openpgp_privkey_t key,
return 0;
}
-
/**
* gnutls_openpgp_privkey_get_subkey_count:
* @key: is an OpenPGP key
@@ -484,6 +496,9 @@ gnutls_openpgp_privkey_get_subkey_revoked_status (gnutls_openpgp_privkey_t
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_privkey_get_revoked_status(key);
+
pkt = _get_secret_subkey (key, idx);
if (!pkt)
return GNUTLS_E_OPENPGP_GETKEY_FAILED;
@@ -525,6 +540,9 @@ gnutls_openpgp_privkey_get_subkey_pk_algorithm (gnutls_openpgp_privkey_t key,
return GNUTLS_PK_UNKNOWN;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_privkey_get_pk_algorithm(key, bits);
+
pkt = _get_secret_subkey (key, idx);
algo = 0;
@@ -561,6 +579,7 @@ gnutls_openpgp_privkey_get_subkey_idx (gnutls_openpgp_privkey_t key,
{
int ret;
uint32_t kid[2];
+ uint8_t master_id[GNUTLS_OPENPGP_KEYID_SIZE];
if (!key)
{
@@ -568,6 +587,12 @@ gnutls_openpgp_privkey_get_subkey_idx (gnutls_openpgp_privkey_t key,
return GNUTLS_E_INVALID_REQUEST;
}
+ ret = gnutls_openpgp_privkey_get_key_id (key, master_id);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ if (memcmp(master_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE)==0)
+ return GNUTLS_OPENPGP_MASTER_KEYID_IDX;
+
KEYID_IMPORT (kid, keyid);
ret = _gnutls_openpgp_find_subkey_idx (key->knode, kid, 1);
@@ -600,7 +625,11 @@ gnutls_openpgp_privkey_get_subkey_creation_time (gnutls_openpgp_privkey_t key,
if (!key)
return (time_t) - 1;
- pkt = _get_secret_subkey (key, idx);
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
+ else
+ pkt = _get_secret_subkey (key, idx);
+
if (pkt)
timestamp = pkt->pkt.secret_key->pk->timestamp;
else
@@ -626,18 +655,22 @@ gnutls_openpgp_privkey_get_subkey_expiration_time (gnutls_openpgp_privkey_t
key, unsigned int idx)
{
cdk_packet_t pkt;
- time_t expiredate;
+ time_t timestamp;
if (!key)
return (time_t) - 1;
- pkt = _get_secret_subkey (key, idx);
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
+ else
+ pkt = _get_secret_subkey (key, idx);
+
if (pkt)
- expiredate = pkt->pkt.secret_key->expiredate;
+ timestamp = pkt->pkt.secret_key->pk->expiredate;
else
- expiredate = 0;
+ timestamp = 0;
- return expiredate;
+ return timestamp;
}
/**
@@ -666,6 +699,9 @@ gnutls_openpgp_privkey_get_subkey_id (gnutls_openpgp_privkey_t key,
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_privkey_get_key_id(key, keyid);
+
pkt = _get_secret_subkey (key, idx);
if (!pkt)
return GNUTLS_E_OPENPGP_GETKEY_FAILED;
@@ -705,6 +741,9 @@ gnutls_openpgp_privkey_get_subkey_fingerprint (gnutls_openpgp_privkey_t key,
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_privkey_get_fingerprint(key, fpr, fprlen);
+
*fprlen = 0;
pkt = _get_secret_subkey (key, idx);
@@ -1106,7 +1145,10 @@ gnutls_openpgp_privkey_export_subkey_rsa_raw (gnutls_openpgp_privkey_t pkey,
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
- ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
+ else
+ ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
if (ret < 0)
{
gnutls_assert ();
@@ -1146,7 +1188,11 @@ gnutls_openpgp_privkey_export_subkey_dsa_raw (gnutls_openpgp_privkey_t pkey,
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
- ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
+ else
+ ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
+
if (ret < 0)
{
gnutls_assert ();
@@ -1281,7 +1327,7 @@ gnutls_openpgp_privkey_sign_hash (gnutls_openpgp_privkey_t key,
result =
- _gnutls_soft_sign (pk_algorithm, &params, hash, signature);
+ _gnutls_pk_sign (pk_algorithm, signature, hash, &params);
gnutls_pk_params_release(&params);
@@ -1351,22 +1397,12 @@ _gnutls_openpgp_privkey_decrypt_data (gnutls_openpgp_privkey_t key,
return result;
}
- if (pk_algorithm != GNUTLS_PK_RSA)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- result =
- _gnutls_pkcs1_rsa_decrypt (plaintext, ciphertext, &params, 2);
+ result = _gnutls_pk_decrypt (pk_algorithm, plaintext, ciphertext, &params);
gnutls_pk_params_release(&params);
if (result < 0)
- {
- gnutls_assert ();
- return result;
- }
+ return gnutls_assert_val(result);
return 0;
}
View Lorry Controller Status