diff options
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | lib/auth/cert.c | 115 | ||||
-rw-r--r-- | lib/auth/cert.h | 1 | ||||
-rw-r--r-- | lib/gnutls_pcert.c | 3 | ||||
-rw-r--r-- | lib/gnutls_pubkey.c | 9 | ||||
-rw-r--r-- | lib/includes/gnutls/openpgp.h | 3 | ||||
-rw-r--r-- | lib/openpgp/pgp.c | 70 | ||||
-rw-r--r-- | lib/openpgp/privkey.c | 86 |
8 files changed, 168 insertions, 122 deletions
@@ -10,6 +10,9 @@ Reported by danblack at http://savannah.gnu.org/support/?108146 ** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP response corresponds to the given certificate. +** libgnutls: Compatibility code with RFC5081 was removed. The OpenPGP +code now is RFC6091 compliant only. + ** API and ABI modifications: gnutls_ocsp_resp_check_crt: Added diff --git a/lib/auth/cert.c b/lib/auth/cert.c index 0e9e0d9825..9286fbb7d8 100644 --- a/lib/auth/cert.c +++ b/lib/auth/cert.c @@ -73,7 +73,7 @@ typedef enum CertificateSigType * exported certificate struct (cert_auth_info_t) */ static int -_gnutls_copy_certificate_auth_info (cert_auth_info_t info, gnutls_pcert_st * certs, size_t ncerts, int subkey_used, /* openpgp only */ +_gnutls_copy_certificate_auth_info (cert_auth_info_t info, gnutls_pcert_st * certs, size_t ncerts, /* openpgp only */ void *keyid) { /* Copy peer's information to auth_info_t @@ -123,7 +123,6 @@ _gnutls_copy_certificate_auth_info (cert_auth_info_t info, gnutls_pcert_st * cer #ifdef ENABLE_OPENPGP if (certs[0].type == GNUTLS_CRT_OPENPGP) { - info->use_subkey = subkey_used; if (keyid) memcpy (info->subkey_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE); } @@ -846,7 +845,7 @@ _gnutls_gen_x509_crt (gnutls_session_t session, gnutls_buffer_st * data) } enum PGPKeyDescriptorType -{ PGP_KEY_FINGERPRINT, PGP_KEY, PGP_KEY_SUBKEY, PGP_KEY_FINGERPRINT_SUBKEY }; +{ PGP_EMPTY_KEY=1, PGP_KEY_SUBKEY, PGP_KEY_FINGERPRINT_SUBKEY }; #ifdef ENABLE_OPENPGP static int @@ -860,7 +859,6 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session, uint8_t type; uint8_t fpr[20]; size_t fpr_size; - unsigned int use_subkey = 0; /* find the appropriate certificate */ if ((ret = @@ -880,12 +878,11 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session, fpr_size = sizeof (fpr); ret = gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr, - &fpr_size, &use_subkey); + &fpr_size, NULL); if (ret < 0) return gnutls_assert_val (ret); - if (use_subkey != 0) - ret += 1 + fpr_size; /* for the keyid */ + ret += 1 + fpr_size; /* for the keyid */ ret += apr_cert_list[0].cert.size; } @@ -897,25 +894,15 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session, if (apr_cert_list_length > 0) { - if (use_subkey != 0) - { - type = PGP_KEY_SUBKEY; + type = PGP_KEY_SUBKEY; - ret = _gnutls_buffer_append_data (data, &type, 1); - if (ret < 0) - return gnutls_assert_val (ret); + ret = _gnutls_buffer_append_data (data, &type, 1); + if (ret < 0) + return gnutls_assert_val (ret); - ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size); - if (ret < 0) - return gnutls_assert_val (ret); - } - else - { - type = PGP_KEY; - ret = _gnutls_buffer_append_data (data, &type, 1); - if (ret < 0) - return gnutls_assert_val (ret); - } + ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size); + if (ret < 0) + return gnutls_assert_val (ret); ret = _gnutls_buffer_append_data_prefix (data, 24, @@ -926,7 +913,7 @@ _gnutls_gen_openpgp_certificate (gnutls_session_t session, } else /* empty - no certificate */ { - type = PGP_KEY; + type = PGP_EMPTY_KEY; ret = _gnutls_buffer_append_data (data, &type, 1); if (ret < 0) @@ -950,7 +937,6 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, gnutls_pcert_st *apr_cert_list; gnutls_privkey_t apr_pkey; int apr_cert_list_length; - unsigned int use_subkey = 0; /* find the appropriate certificate */ if ((ret = @@ -964,14 +950,12 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, fpr_size = sizeof (fpr); ret = gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr, - &fpr_size, &use_subkey); + &fpr_size, NULL); if (ret < 0) return gnutls_assert_val (ret); packet_size = 3 + 1; - - if (use_subkey) - packet_size += 1 + fpr_size; /* for the keyid */ + packet_size += 1 + fpr_size; /* for the keyid */ /* Only v4 fingerprints are sent */ @@ -984,33 +968,10 @@ _gnutls_gen_openpgp_certificate_fpr (gnutls_session_t session, if (ret < 0) return gnutls_assert_val (ret); - if (use_subkey) - { - type = PGP_KEY_FINGERPRINT_SUBKEY; - ret = _gnutls_buffer_append_data (data, &type, 1); - if (ret < 0) - return gnutls_assert_val (ret); - - ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size); - if (ret < 0) - return gnutls_assert_val (ret); - } - else - { - type = PGP_KEY_FINGERPRINT; /* key fingerprint */ - ret = _gnutls_buffer_append_data (data, &type, 1); - if (ret < 0) - return gnutls_assert_val (ret); - } - - fpr_size = sizeof (fpr); - if ((ret = - _gnutls_openpgp_fingerprint (&apr_cert_list[0].cert, fpr, - &fpr_size)) < 0) - { - gnutls_assert (); - return ret; - } + type = PGP_KEY_FINGERPRINT_SUBKEY; + ret = _gnutls_buffer_append_data (data, &type, 1); + if (ret < 0) + return gnutls_assert_val (ret); ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size); if (ret < 0) @@ -1182,7 +1143,7 @@ _gnutls_proc_x509_server_crt (gnutls_session_t session, if ((ret = _gnutls_copy_certificate_auth_info (info, peer_certificate_list, - peer_certificate_list_size, 0, + peer_certificate_list_size, NULL)) < 0) { gnutls_assert (); @@ -1220,7 +1181,6 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session, gnutls_pcert_st *peer_certificate_list = NULL; gnutls_datum_t tmp, akey = { NULL, 0 }; uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE]; - unsigned int subkey_id_set = 0; cred = (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL); @@ -1278,16 +1238,10 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session, DECR_LEN (dsize, GNUTLS_OPENPGP_KEYID_SIZE); memcpy (subkey_id, p, GNUTLS_OPENPGP_KEYID_SIZE); p += GNUTLS_OPENPGP_KEYID_SIZE; - - subkey_id_set = 1; - } - /* read the actual key or fingerprint */ - if (key_type == PGP_KEY_FINGERPRINT || - key_type == PGP_KEY_FINGERPRINT_SUBKEY) - { /* the fingerprint */ - + if (key_type == PGP_KEY_FINGERPRINT_SUBKEY) + { DECR_LEN (dsize, 1); len = (uint8_t) * p; p++; @@ -1311,7 +1265,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session, } tmp = akey; } - else if (key_type == PGP_KEY || key_type == PGP_KEY_SUBKEY) + else if (key_type == PGP_KEY_SUBKEY) { /* the whole key */ /* Read the actual certificate */ @@ -1323,7 +1277,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session, { gnutls_assert (); /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); } DECR_LEN (dsize, len); @@ -1332,6 +1286,19 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session, tmp.data = p; } + else if (key_type == PGP_EMPTY_KEY) + { /* the whole key */ + + /* Read the actual certificate */ + DECR_LEN (dsize, 3); + len = _gnutls_read_uint24 (p); + p += 3; + + if (len != 0) /* PGP_EMPTY_KEY */ + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + else + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } else { gnutls_assert (); @@ -1341,8 +1308,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session, /* ok we now have the peer's key in tmp datum */ peer_certificate_list = - gnutls_calloc (1, - sizeof (gnutls_pcert_st)); + gnutls_calloc (1, sizeof (gnutls_pcert_st)); if (peer_certificate_list == NULL) { gnutls_assert (); @@ -1354,7 +1320,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session, gnutls_pcert_import_openpgp_raw (&peer_certificate_list[0], &tmp, GNUTLS_OPENPGP_FMT_RAW, - (subkey_id_set != 0) ? subkey_id : NULL, + subkey_id, 0); if (ret < 0) { @@ -1365,10 +1331,7 @@ _gnutls_proc_openpgp_server_crt (gnutls_session_t session, ret = _gnutls_copy_certificate_auth_info (info, peer_certificate_list, - 1, - subkey_id_set, - (subkey_id_set != - 0) ? subkey_id : NULL); + 1, subkey_id); if (ret < 0) { gnutls_assert (); diff --git a/lib/auth/cert.h b/lib/auth/cert.h index fd4e5a42be..310831ed65 100644 --- a/lib/auth/cert.h +++ b/lib/auth/cert.h @@ -112,7 +112,6 @@ typedef struct cert_auth_info_st gnutls_certificate_type_t cert_type; #ifdef ENABLE_OPENPGP - int use_subkey; uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE]; #endif } *cert_auth_info_t; diff --git a/lib/gnutls_pcert.c b/lib/gnutls_pcert.c index 1211e2d6fb..3a6b6fee5c 100644 --- a/lib/gnutls_pcert.c +++ b/lib/gnutls_pcert.c @@ -396,8 +396,7 @@ _gnutls_get_auth_info_pcert (gnutls_pcert_st* pcert, return gnutls_pcert_import_openpgp_raw(pcert, &info->raw_certificate_list[0], GNUTLS_OPENPGP_FMT_RAW, - info->use_subkey ? info-> - subkey_id : NULL, GNUTLS_PCERT_NO_CERT); + info->subkey_id, GNUTLS_PCERT_NO_CERT); #endif default: gnutls_assert (); diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c index 9b029fa2be..5786b85611 100644 --- a/lib/gnutls_pubkey.c +++ b/lib/gnutls_pubkey.c @@ -408,14 +408,13 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key, * replaced by the actual size of parameters) * @subkey: Will be non zero if the key ID corresponds to a subkey * - * This function will return a unique ID the depends on the public - * key parameters. This ID can be used in checking whether a - * certificate corresponds to the given public key. + * This function returned the OpenPGP key ID of the corresponding key. + * The key is a unique ID the depends on the public + * key parameters. * * If the buffer provided is not long enough to hold the output, then * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will - * be returned. The output will normally be a SHA-1 hash output, - * which is 20 bytes. + * be returned. The output is %GNUTLS_OPENPGP_KEYID_SIZE bytes long. * * Returns: In case of failure a negative error code will be * returned, and 0 on success. diff --git a/lib/includes/gnutls/openpgp.h b/lib/includes/gnutls/openpgp.h index 1d4e0cd591..b53b165484 100644 --- a/lib/includes/gnutls/openpgp.h +++ b/lib/includes/gnutls/openpgp.h @@ -28,6 +28,7 @@ #define GNUTLS_OPENPGP_H #include <gnutls/gnutls.h> +#include <limits.h> #ifdef __cplusplus extern "C" @@ -76,6 +77,8 @@ extern "C" /* The key_usage flags are defined in gnutls.h. They are * the GNUTLS_KEY_* definitions. */ +#define GNUTLS_OPENPGP_MASTER_KEYID_IDX INT_MAX + int gnutls_openpgp_crt_get_key_usage (gnutls_openpgp_crt_t key, unsigned int *key_usage); int gnutls_openpgp_crt_get_fingerprint (gnutls_openpgp_crt_t key, void *fpr, diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c index 7ace55da5f..87587e377b 100644 --- a/lib/openpgp/pgp.c +++ b/lib/openpgp/pgp.c @@ -125,7 +125,7 @@ int _gnutls_openpgp_export (cdk_kbnode_t node, gnutls_openpgp_crt_fmt_t format, void *output_data, - size_t * output_data_size, int private) + size_t * output_data_size, int priv) { size_t input_data_size = *output_data_size; size_t calc_size; @@ -141,7 +141,7 @@ _gnutls_openpgp_export (cdk_kbnode_t node, /* If the caller uses output_data == NULL then return what he expects. */ - if (!output_data) + if (!output_data && format != GNUTLS_OPENPGP_FMT_BASE64) { gnutls_assert (); return GNUTLS_E_SHORT_MEMORY_BUFFER; @@ -156,7 +156,7 @@ _gnutls_openpgp_export (cdk_kbnode_t node, buffer is large enough. */ rc = cdk_armor_encode_buffer (in, *output_data_size, NULL, 0, &calc_size, - private ? CDK_ARMOR_SECKEY : + priv ? CDK_ARMOR_SECKEY : CDK_ARMOR_PUBKEY); if (rc || calc_size > input_data_size) { @@ -168,7 +168,7 @@ _gnutls_openpgp_export (cdk_kbnode_t node, rc = cdk_armor_encode_buffer (in, *output_data_size, output_data, input_data_size, &calc_size, - private ? CDK_ARMOR_SECKEY : + priv ? CDK_ARMOR_SECKEY : CDK_ARMOR_PUBKEY); gnutls_free (in); *output_data_size = calc_size; @@ -189,7 +189,7 @@ _gnutls_openpgp_export (cdk_kbnode_t node, * gnutls_openpgp_crt_export: * @key: Holds the key. * @format: One of gnutls_openpgp_crt_fmt_t elements. - * @output_data: will contain the key base64 encoded or raw + * @output_data: will contain the raw or base64 encoded key * @output_data_size: holds the size of output_data (and will * be replaced by the actual size of parameters) * @@ -367,7 +367,8 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key, unsigned int *bits) { cdk_packet_t pkt; - int algo; + int algo = 0, ret; + uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE]; if (!key) { @@ -375,7 +376,20 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t key, return GNUTLS_PK_UNKNOWN; } - algo = 0; + ret = gnutls_openpgp_crt_get_preferred_key_id (key, keyid); + if (ret == 0) + { + int idx; + + idx = gnutls_openpgp_crt_get_subkey_idx (key, keyid); + if (idx != GNUTLS_OPENPGP_MASTER_KEYID_IDX) + { + algo = + gnutls_openpgp_crt_get_subkey_pk_algorithm (key, idx, bits); + return algo; + } + } + pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_PUBLIC_KEY); if (pkt) { @@ -799,6 +813,9 @@ gnutls_openpgp_crt_get_subkey_revoked_status (gnutls_openpgp_crt_t key, return GNUTLS_E_INVALID_REQUEST; } + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_revoked_status(key); + pkt = _get_public_subkey (key, idx); if (!pkt) return GNUTLS_E_OPENPGP_GETKEY_FAILED; @@ -840,6 +857,9 @@ gnutls_openpgp_crt_get_subkey_pk_algorithm (gnutls_openpgp_crt_t key, return GNUTLS_PK_UNKNOWN; } + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_pk_algorithm(key, bits); + pkt = _get_public_subkey (key, idx); algo = 0; @@ -874,6 +894,9 @@ gnutls_openpgp_crt_get_subkey_creation_time (gnutls_openpgp_crt_t key, if (!key) return (time_t) - 1; + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_creation_time(key); + pkt = _get_public_subkey (key, idx); if (pkt) timestamp = pkt->pkt.public_key->timestamp; @@ -906,6 +929,9 @@ gnutls_openpgp_crt_get_subkey_expiration_time (gnutls_openpgp_crt_t key, if (!key) return (time_t) - 1; + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_expiration_time(key); + pkt = _get_public_subkey (key, idx); if (pkt) expiredate = pkt->pkt.public_key->expiredate; @@ -938,6 +964,9 @@ gnutls_openpgp_crt_get_subkey_id (gnutls_openpgp_crt_t key, gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } + + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_key_id(key, keyid); pkt = _get_public_subkey (key, idx); if (!pkt) @@ -977,6 +1006,9 @@ gnutls_openpgp_crt_get_subkey_fingerprint (gnutls_openpgp_crt_t key, gnutls_assert (); return GNUTLS_E_INVALID_REQUEST; } + + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_fingerprint(key, fpr, fprlen); *fprlen = 0; @@ -1012,6 +1044,7 @@ gnutls_openpgp_crt_get_subkey_idx (gnutls_openpgp_crt_t key, { int ret; uint32_t kid[2]; + uint8_t master_id[GNUTLS_OPENPGP_KEYID_SIZE]; if (!key) { @@ -1019,6 +1052,12 @@ gnutls_openpgp_crt_get_subkey_idx (gnutls_openpgp_crt_t key, return GNUTLS_E_INVALID_REQUEST; } + ret = gnutls_openpgp_crt_get_key_id (key, master_id); + if (ret < 0) + return gnutls_assert_val(ret); + if (memcmp(master_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE)==0) + return GNUTLS_OPENPGP_MASTER_KEYID_IDX; + KEYID_IMPORT (kid, keyid); ret = _gnutls_openpgp_find_subkey_idx (key->knode, kid, 0); @@ -1059,6 +1098,9 @@ gnutls_openpgp_crt_get_subkey_usage (gnutls_openpgp_crt_t key, return GNUTLS_E_INVALID_REQUEST; } + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_key_usage(key, key_usage); + pkt = _get_public_subkey (key, idx); if (!pkt) return GNUTLS_E_OPENPGP_SUBKEY_ERROR; @@ -1456,6 +1498,9 @@ gnutls_openpgp_crt_get_subkey_pk_rsa_raw (gnutls_openpgp_crt_t crt, uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE]; int ret; + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_pk_rsa_raw(crt, m, e); + ret = gnutls_openpgp_crt_get_subkey_id (crt, idx, keyid); if (ret < 0) { @@ -1494,6 +1539,9 @@ gnutls_openpgp_crt_get_subkey_pk_dsa_raw (gnutls_openpgp_crt_t crt, uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE]; int ret; + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_crt_get_pk_dsa_raw(crt, p,q, g, y); + ret = gnutls_openpgp_crt_get_subkey_id (crt, idx, keyid); if (ret < 0) { @@ -1574,14 +1622,10 @@ gnutls_openpgp_crt_set_preferred_key_id (gnutls_openpgp_crt_t key, * gnutls_openpgp_crt_get_auth_subkey: * @crt: the structure that contains the OpenPGP public key. * @keyid: the struct to save the keyid. - * @flag: Non (0) indicates that a valid subkey is always returned. + * @flag: Non-zero indicates that a valid subkey is always returned. * * Returns the 64-bit keyID of the first valid OpenPGP subkey marked - * for authentication. If flag is non (0) and no authentication - * subkey exists, then a valid subkey will be returned even if it is - * not marked for authentication. - * Returns the 64-bit keyID of the first valid OpenPGP subkey marked - * for authentication. If flag is non (0) and no authentication + * for authentication. If flag is non-zero and no authentication * subkey exists, then a valid subkey will be returned even if it is * not marked for authentication. * diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c index 9be87b0206..6eb4df9c81 100644 --- a/lib/openpgp/privkey.c +++ b/lib/openpgp/privkey.c @@ -230,7 +230,6 @@ gnutls_openpgp_privkey_export (gnutls_openpgp_privkey_t key, output_data_size, 1); } - /** * gnutls_openpgp_privkey_get_pk_algorithm: * @key: is an OpenPGP key @@ -253,7 +252,8 @@ gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key, unsigned int *bits) { cdk_packet_t pkt; - int algo; + int algo = 0, ret; + uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE]; if (!key) { @@ -261,7 +261,20 @@ gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key, return GNUTLS_PK_UNKNOWN; } - algo = 0; + ret = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid); + if (ret == 0) + { + int idx; + + idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid); + if (idx != GNUTLS_OPENPGP_MASTER_KEYID_IDX) + { + algo = + gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, bits); + return algo; + } + } + pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY); if (pkt) { @@ -403,7 +416,6 @@ gnutls_openpgp_privkey_get_key_id (gnutls_openpgp_privkey_t key, return 0; } - /** * gnutls_openpgp_privkey_get_subkey_count: * @key: is an OpenPGP key @@ -484,6 +496,9 @@ gnutls_openpgp_privkey_get_subkey_revoked_status (gnutls_openpgp_privkey_t return GNUTLS_E_INVALID_REQUEST; } + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_privkey_get_revoked_status(key); + pkt = _get_secret_subkey (key, idx); if (!pkt) return GNUTLS_E_OPENPGP_GETKEY_FAILED; @@ -525,6 +540,9 @@ gnutls_openpgp_privkey_get_subkey_pk_algorithm (gnutls_openpgp_privkey_t key, return GNUTLS_PK_UNKNOWN; } + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_privkey_get_pk_algorithm(key, bits); + pkt = _get_secret_subkey (key, idx); algo = 0; @@ -561,6 +579,7 @@ gnutls_openpgp_privkey_get_subkey_idx (gnutls_openpgp_privkey_t key, { int ret; uint32_t kid[2]; + uint8_t master_id[GNUTLS_OPENPGP_KEYID_SIZE]; if (!key) { @@ -568,6 +587,12 @@ gnutls_openpgp_privkey_get_subkey_idx (gnutls_openpgp_privkey_t key, return GNUTLS_E_INVALID_REQUEST; } + ret = gnutls_openpgp_privkey_get_key_id (key, master_id); + if (ret < 0) + return gnutls_assert_val(ret); + if (memcmp(master_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE)==0) + return GNUTLS_OPENPGP_MASTER_KEYID_IDX; + KEYID_IMPORT (kid, keyid); ret = _gnutls_openpgp_find_subkey_idx (key->knode, kid, 1); @@ -600,7 +625,11 @@ gnutls_openpgp_privkey_get_subkey_creation_time (gnutls_openpgp_privkey_t key, if (!key) return (time_t) - 1; - pkt = _get_secret_subkey (key, idx); + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY); + else + pkt = _get_secret_subkey (key, idx); + if (pkt) timestamp = pkt->pkt.secret_key->pk->timestamp; else @@ -626,18 +655,22 @@ gnutls_openpgp_privkey_get_subkey_expiration_time (gnutls_openpgp_privkey_t key, unsigned int idx) { cdk_packet_t pkt; - time_t expiredate; + time_t timestamp; if (!key) return (time_t) - 1; - pkt = _get_secret_subkey (key, idx); + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY); + else + pkt = _get_secret_subkey (key, idx); + if (pkt) - expiredate = pkt->pkt.secret_key->expiredate; + timestamp = pkt->pkt.secret_key->pk->expiredate; else - expiredate = 0; + timestamp = 0; - return expiredate; + return timestamp; } /** @@ -666,6 +699,9 @@ gnutls_openpgp_privkey_get_subkey_id (gnutls_openpgp_privkey_t key, return GNUTLS_E_INVALID_REQUEST; } + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_privkey_get_key_id(key, keyid); + pkt = _get_secret_subkey (key, idx); if (!pkt) return GNUTLS_E_OPENPGP_GETKEY_FAILED; @@ -705,6 +741,9 @@ gnutls_openpgp_privkey_get_subkey_fingerprint (gnutls_openpgp_privkey_t key, return GNUTLS_E_INVALID_REQUEST; } + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + return gnutls_openpgp_privkey_get_fingerprint(key, fpr, fprlen); + *fprlen = 0; pkt = _get_secret_subkey (key, idx); @@ -1106,7 +1145,10 @@ gnutls_openpgp_privkey_export_subkey_rsa_raw (gnutls_openpgp_privkey_t pkey, uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE]; int ret; - ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid); + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid); + else + ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid); if (ret < 0) { gnutls_assert (); @@ -1146,7 +1188,11 @@ gnutls_openpgp_privkey_export_subkey_dsa_raw (gnutls_openpgp_privkey_t pkey, uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE]; int ret; - ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid); + if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX) + ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid); + else + ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid); + if (ret < 0) { gnutls_assert (); @@ -1281,7 +1327,7 @@ gnutls_openpgp_privkey_sign_hash (gnutls_openpgp_privkey_t key, result = - _gnutls_soft_sign (pk_algorithm, ¶ms, hash, signature); + _gnutls_pk_sign (pk_algorithm, signature, hash, ¶ms); gnutls_pk_params_release(¶ms); @@ -1351,22 +1397,12 @@ _gnutls_openpgp_privkey_decrypt_data (gnutls_openpgp_privkey_t key, return result; } - if (pk_algorithm != GNUTLS_PK_RSA) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = - _gnutls_pkcs1_rsa_decrypt (plaintext, ciphertext, ¶ms, 2); + result = _gnutls_pk_decrypt (pk_algorithm, plaintext, ciphertext, ¶ms); gnutls_pk_params_release(¶ms); if (result < 0) - { - gnutls_assert (); - return result; - } + return gnutls_assert_val(result); return 0; } |