From ed1d22b9fd875d4af17bfe7efe096526a8ae030a Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 3 Oct 2003 11:14:57 +0000 Subject: Converted the pgp verification functions to the new API. --- configure.in | 6 +- includes/gnutls/openpgp.h | 10 +-- libextra/Makefile.am | 1 - libextra/gnutls_openpgp.h | 107 ---------------------- libextra/openpgp/Makefile.am | 4 +- libextra/openpgp/gnutls_openpgp.c | 181 +------------------------------------- libextra/openpgp/gnutls_openpgp.h | 84 ++++++++++++++++++ libextra/openpgp/openpgp.c | 4 + libextra/openpgp/openpgp.h | 11 +++ 9 files changed, 112 insertions(+), 296 deletions(-) delete mode 100644 libextra/gnutls_openpgp.h create mode 100644 libextra/openpgp/gnutls_openpgp.h diff --git a/configure.in b/configure.in index d6380848cc..e822d8f649 100644 --- a/configure.in +++ b/configure.in @@ -277,10 +277,10 @@ AC_ARG_ENABLE( openpgp-authentication, [ --disable-openpgp-authentication disab ) if test x$ac_enable_openpgp != xno; then AC_MSG_RESULT(no) - AM_PATH_LIBOPENCDK( 0.4.0, AC_DEFINE(HAVE_LIBOPENCDK, 1, [have libopencdk]), + AM_PATH_LIBOPENCDK( 0.5.2, AC_DEFINE(HAVE_LIBOPENCDK, 1, [have libopencdk]), AC_MSG_WARN([[ *** -*** libopencdk 0.4.0 was not found. You will not be able to use OpenPGP keys with gnutls. +*** libopencdk 0.5.2 was not found. You will not be able to use OpenPGP keys with gnutls. ]])) else AC_MSG_RESULT(yes) @@ -459,7 +459,7 @@ AC_CONFIG_COMMANDS([includes/gnutls/gnutls.h],[[ ]],[[]]) AC_CONFIG_FILES([Makefile src/Makefile libextra/Makefile lib/Makefile \ -lib/libgnutls-config libextra/libgnutls-extra-config \ +libextra/openpgp/Makefile lib/libgnutls-config libextra/libgnutls-extra-config \ doc/Makefile src/x509/Makefile src/srp/Makefile src/openpgp/Makefile \ doc/tex/Makefile doc/tex/cover.tex doc/scripts/Makefile \ doc/examples/Makefile lib/minitasn1/Makefile lib/x509/Makefile \ diff --git a/includes/gnutls/openpgp.h b/includes/gnutls/openpgp.h index 6767796a75..6fce2e5b05 100644 
--- a/includes/gnutls/openpgp.h +++ b/includes/gnutls/openpgp.h @@ -79,11 +79,11 @@ int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring ring, */ struct gnutls_openpgp_trustdb; -int gnutls_openpgp_trustdb_init( gnutls_openpgp_trustdb* ring); -void gnutls_openpgp_trustdb_deinit(gnutls_openpgp_trustdb ring); +int gnutls_openpgp_trustdb_init( gnutls_openpgp_trustdb* db); +void gnutls_openpgp_trustdb_deinit(gnutls_openpgp_trustdb db); -int gnutls_openpgp_trustdb_import(gnutls_openpgp_trustdb ring, - const gnutls_datum* data, gnutls_openpgp_key_fmt format); +int gnutls_openpgp_trustdb_import(gnutls_openpgp_trustdb db, + const char* file); int gnutls_openpgp_key_verify_ring( @@ -92,7 +92,7 @@ int gnutls_openpgp_key_verify_ring( unsigned int flags /* if not used reserved for future use, unsigned int * verify /* the output of the verification */); -int gnutls_openpgp_key_verify_db( +int gnutls_openpgp_key_verify_trustdb( gnutls_openpgp_key key, gnutls_openpgp_trustdb db, unsigned int flags /* if not used reserved for future use, diff --git a/libextra/Makefile.am b/libextra/Makefile.am index c0999fd79a..2f9651df4b 100644 --- a/libextra/Makefile.am +++ b/libextra/Makefile.am @@ -1,6 +1,5 @@ INCLUDES = -I../lib -I../includes -I../lib/minitasn1/ bin_SCRIPTS = libgnutls-extra-config -DIST_SUBDIRS = openpgp SUBDIRS = openpgp m4datadir = $(datadir)/aclocal diff --git a/libextra/gnutls_openpgp.h b/libextra/gnutls_openpgp.h deleted file mode 100644 index 7f3b08f2df..0000000000 --- a/libextra/gnutls_openpgp.h +++ /dev/null 
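Review bot: The new `gnutls_openpgp_trustdb_import(gnutls_openpgp_trustdb db, const char* file)` prototype in the first hunk carries no comment, and because it replaced a datum-plus-format pair with a bare path, the header no longer says what kind of file is expected or for how long the handle stays valid. A comment above the declaration such as `/* Load the OpenPGP trust database from FILE; the handle stays usable until gnutls_openpgp_trustdb_deinit(). */` would close that gap. The rename of `gnutls_openpgp_key_verify_db` to `gnutls_openpgp_key_verify_trustdb` in the second hunk is not mentioned in the description; if the old name already shipped in a release, a compatibility alias or at least a changelog entry is worth adding.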
@@ -1,107 +0,0 @@ -#ifndef GNUTLS_OPENPGP_H -#define GNUTLS_OPENPGP_H - -#include -#include - -/* OpenCDK compatible */ -typedef enum { - KEY_ATTR_NONE = 0, - KEY_ATTR_SHORT_KEYID = 3, - KEY_ATTR_KEYID = 4, - KEY_ATTR_FPR = 5 -} key_attr_t; - -int gnutls_certificate_set_openpgp_key_file( - gnutls_certificate_credentials res, - char* CERTFILE, - char* KEYFILE); - -int gnutls_openpgp_count_key_names( - const gnutls_datum *cert ); - -int gnutls_openpgp_extract_key_name( - const gnutls_datum *cert, - int idx, - gnutls_openpgp_name *dn ); - -int gnutls_openpgp_extract_key_pk_algorithm( - const gnutls_datum *cert, - int *r_bits ); - -int gnutls_openpgp_extract_key_version( - const gnutls_datum *cert ); - -time_t gnutls_openpgp_extract_key_creation_time( - const gnutls_datum *cert ); - -time_t gnutls_openpgp_extract_key_expiration_time( - const gnutls_datum *cert ); - -int gnutls_openpgp_verify_key( - const char *trustdb, - const gnutls_datum *keyring, - const gnutls_datum* cert_list, - int cert_list_length ); - -int gnutls_openpgp_fingerprint( - const gnutls_datum *cert, - unsigned char *fpr, - size_t *fprlen ); - -int gnutls_openpgp_extract_key_id( - const gnutls_datum *cert, - unsigned char keyid[8] ); - -int gnutls_openpgp_add_keyring_mem( - gnutls_datum *keyring, - const opaque *data, - size_t len ); - -int gnutls_openpgp_add_keyring_file( - gnutls_datum *keyring, - const char *name ); - -int gnutls_certificate_set_openpgp_keyring_file( - gnutls_certificate_credentials c, - const char *file ); - -int gnutls_certificate_set_openpgp_keyring_mem( - gnutls_certificate_credentials c, - const opaque *data, - size_t dlen ); - -int gnutls_openpgp_get_key( - gnutls_datum *key, - const gnutls_datum *keyring, - key_attr_t by, - opaque *pattern ); - -int gnutls_openpgp_get_key_trust( - const char *trustdb, - gnutls_datum *key ); - -int gnutls_openpgp_recv_key( - const char *host, - short port, - uint32 keyid, - gnutls_datum *key ); - -int gnutls_openpgp_key_to_xml( - const 
gnutls_datum *cert, - gnutls_datum *xmlkey, int ext ); - -/* internal */ -int _gnutls_openpgp_cert2gnutls_cert( - gnutls_cert *cert, - const gnutls_datum *raw ); - -int -_gnutls_openpgp_request_key( - gnutls_session, - gnutls_datum* ret, - const gnutls_certificate_credentials cred, - opaque* key_fpr, - int key_fpr_size ); - -#endif /*GNUTLS_OPENPGP_H*/ diff --git a/libextra/openpgp/Makefile.am b/libextra/openpgp/Makefile.am index db5f86ec4f..787a84ae54 100644 --- a/libextra/openpgp/Makefile.am +++ b/libextra/openpgp/Makefile.am @@ -1,9 +1,9 @@ INCLUDES = -I../ -I../../includes/ -I../../lib -EXTRA_DIST = openpgp.h +EXTRA_DIST = openpgp.h gnutls_openpgp.h noinst_LTLIBRARIES = libpgp.la -COBJECTS = openpgp.c xml.c gnutls_openpgp.c +COBJECTS = openpgp.c xml.c gnutls_openpgp.c verify.c extras.c libpgp_la_SOURCES = $(COBJECTS) diff --git a/libextra/openpgp/gnutls_openpgp.c b/libextra/openpgp/gnutls_openpgp.c index b10364dfb4..9930f9c51e 100644 --- a/libextra/openpgp/gnutls_openpgp.c +++ b/libextra/openpgp/gnutls_openpgp.c @@ -45,17 +45,6 @@ #define datum_append(x, y, z) _gnutls_datum_append_m( x, y, z, gnutls_realloc ) -typedef struct { - int type; - int armored; - size_t size; - uint8 *data; -} keybox_blob; - -typedef enum { - KBX_BLOB_FILE = 0x00, - KBX_BLOB_DATA = 0x01 -} keyring_blob_types; static void @@ -122,7 +111,7 @@ kbx_blob_new( keybox_blob **r_ctx ) } -static void +void kbx_blob_release( keybox_blob *ctx ) { if( ctx ) { @@ -132,7 +121,7 @@ kbx_blob_release( keybox_blob *ctx ) } -static cdk_keydb_hd_t +cdk_keydb_hd_t kbx_to_keydb( keybox_blob *blob ) { cdk_keydb_hd_t hd; @@ -164,7 +153,7 @@ kbx_to_keydb( keybox_blob *blob ) /* Extract a keybox blob from the given position. */ -static keybox_blob* +keybox_blob* kbx_read_blob( const gnutls_datum* keyring, size_t pos ) { keybox_blob *blob = NULL; 
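Review bot: `COBJECTS` now lists `verify.c` and `extras.c`, but neither file appears in this commit's diffstat (nine files changed, none under those names), so the tree as committed presumably cannot build unless those sources arrive in a separate commit. If that is the intent, the description should say so; otherwise the two files belong in this commit. The `gnutls_openpgp_verify_key` and `_gnutls_openpgp_get_key_trust` bodies deleted from libextra/openpgp/gnutls_openpgp.c in this same patch appear to have no replacement anywhere in the diff, which makes the missing verify.c the only plausible home for the verification logic.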
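Review bot: Dropping `static` from `kbx_blob_release`, `kbx_to_keydb` and `kbx_read_blob` (the hunks at @@ -122, @@ -132 and @@ -164) places unprefixed symbols in the library's global namespace, whereas the other internal entry points this patch declares use the `_gnutls_` prefix (`_gnutls_openpgp_cert2gnutls_cert`, `_gnutls_openpgp_request_key`). Renaming them along the lines of `_gnutls_kbx_read_blob( const gnutls_datum* keyring, size_t pos )` keeps the convention and avoids an exported `kbx_*` name colliding with an application's own symbols. Each of the three functions starts or ends outside its hunk, and the hunk at @@ -45 only moves the `keybox_blob` typedefs to the header, so it needs no change.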
@@ -749,170 +738,6 @@ gnutls_openpgp_count_key_names( const gnutls_datum *cert ) -int -_gnutls_openpgp_get_key_trust( const char *trustdb, - const gnutls_datum *key, - int *r_trustval ) -{ - cdk_kbnode_t knode = NULL; - cdk_stream_t inp; - CDK_PACKET *pkt; - cdk_pkt_pubkey_t pk = NULL; - int flags = 0, ot = 0; - int rc = 0; - - if( !trustdb || !key || !r_trustval ) { - gnutls_assert( ); - return GNUTLS_E_INVALID_REQUEST; - } - - *r_trustval = 0; - - rc = cdk_kbnode_read_from_mem( &knode, key->data, key->size ); - if( (rc = _gnutls_map_cdk_rc( rc )) ) - return rc; - - pkt = cdk_kbnode_find_packet( knode, CDK_PKT_PUBLIC_KEY ); - if( !pkt ) { - rc = GNUTLS_E_OPENPGP_GETKEY_FAILED; - goto leave; - } - pk = pkt->pkt.public_key; - - rc = cdk_stream_open( trustdb, &inp ); - if( rc ) { - rc = _gnutls_map_cdk_rc( rc ); - goto leave; - } - - rc = cdk_trustdb_get_ownertrust( inp, pk, &ot, &flags ); - cdk_stream_close( inp ); - if ( rc ) { /* no ownertrust record was found */ - rc = 0; - *r_trustval = 0; - goto leave; - } - - if( flags & CDK_TFLAG_DISABLED ) { - *r_trustval |= GNUTLS_CERT_NOT_TRUSTED; - *r_trustval |= GNUTLS_CERT_INVALID; - goto leave; - } - - if( flags & CDK_TFLAG_REVOKED ) { - *r_trustval |= GNUTLS_CERT_NOT_TRUSTED; - *r_trustval |= GNUTLS_CERT_REVOKED; - } - - switch( ot ) { - case CDK_TRUST_NEVER: - *r_trustval |= GNUTLS_CERT_NOT_TRUSTED; - break; - case CDK_TRUST_UNKNOWN: - case CDK_TRUST_UNDEFINED: - case CDK_TRUST_MARGINAL: - case CDK_TRUST_FULLY: - case CDK_TRUST_ULTIMATE: - *r_trustval |= 1; /* means okay */ - rc = 0; - break; - } - -leave: - if( rc ) - *r_trustval |= GNUTLS_CERT_NOT_TRUSTED; - cdk_kbnode_release( knode ); - return rc; -} - - -/** - * gnutls_openpgp_verify_key - Verify all signatures on the key - * @cert_list: the structure that holds the certificates. - * @cert_list_lenght: the items in the cert_list. - * - * Verify all signatures in the certificate list. When the key - * is not available, the signature is skipped. 
- * - * When the trustdb parameter is used, the function checks the - * ownertrust of the key before the signatures are checked. It - * is possible that the key was disabled or the owner is not trusted - * at all. Then we don't check the signatures because it makes no sense. - * - * The return value is one of the CertificateStatus entries. - * - * NOTE: this function does not verify using any "web of trust". You - * may use GnuPG for that purpose, or any other external PGP application. - **/ -int -gnutls_openpgp_verify_key( const char *trustdb, - const gnutls_datum* keyring, - const gnutls_datum* cert_list, - int cert_list_length ) -{ - cdk_kbnode_t knode = NULL; - cdk_keydb_hd_t hd = NULL; - keybox_blob *blob = NULL; - int rc = 0; - int status = 0; - - if( !cert_list || cert_list_length != 1 || !keyring ) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - if( !keyring->size && !trustdb ) { - gnutls_assert( ); - return GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED; - } - - blob = kbx_read_blob( keyring, 0 ); - if( !blob ) { - gnutls_assert(); - return GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED; - } - hd = kbx_to_keydb( blob ); - if( !hd ) { - rc = GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED; - goto leave; - } - - if( trustdb ) { - int ktrust; - rc = _gnutls_openpgp_get_key_trust( trustdb, cert_list, &ktrust ); - if( rc || !ktrust ) - goto leave; - } - - rc = cdk_kbnode_read_from_mem( &knode, cert_list->data, cert_list->size ); - if( (rc = _gnutls_map_cdk_rc( rc )) ) { - goto leave; - return GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED; - } - - rc = cdk_pk_check_sigs( knode, hd, &status ); - if( rc == CDK_Error_No_Key ) - rc = 0; /* fixme */ - - switch( status ) { - case CDK_KEY_INVALID: - rc = GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED; - break; - - case CDK_KEY_REVOKED: - rc = GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED; - break; - } - -leave: - kbx_blob_release( blob ); - cdk_free( hd ); - cdk_kbnode_release( knode ); - if( rc ) { - 
gnutls_assert(); - } - return rc; -} /*- diff --git a/libextra/openpgp/gnutls_openpgp.h b/libextra/openpgp/gnutls_openpgp.h new file mode 100644 index 0000000000..e89708d10e --- /dev/null +++ b/libextra/openpgp/gnutls_openpgp.h @@ -0,0 +1,84 @@ +#ifndef GNUTLS_OPENPGP_H +#define GNUTLS_OPENPGP_H + +#include +#include +#include + +typedef struct { + int type; + int armored; + size_t size; + uint8 *data; +} keybox_blob; + +typedef enum { + KBX_BLOB_FILE = 0x00, + KBX_BLOB_DATA = 0x01 +} keyring_blob_types; + +/* OpenCDK compatible */ +typedef enum { + KEY_ATTR_NONE = 0, + KEY_ATTR_SHORT_KEYID = 3, + KEY_ATTR_KEYID = 4, + KEY_ATTR_FPR = 5 +} key_attr_t; + +int gnutls_certificate_set_openpgp_key_file( + gnutls_certificate_credentials res, + char* CERTFILE, + char* KEYFILE); + +int gnutls_openpgp_count_key_names( + const gnutls_datum *cert ); + +int gnutls_openpgp_add_keyring_mem( + gnutls_datum *keyring, + const opaque *data, + size_t len ); + +int gnutls_openpgp_add_keyring_file( + gnutls_datum *keyring, + const char *name ); + +int gnutls_certificate_set_openpgp_keyring_file( + gnutls_certificate_credentials c, + const char *file ); + +int gnutls_certificate_set_openpgp_keyring_mem( + gnutls_certificate_credentials c, + const opaque *data, + size_t dlen ); + +int gnutls_openpgp_get_key( + gnutls_datum *key, + const gnutls_datum *keyring, + key_attr_t by, + opaque *pattern ); + +int gnutls_openpgp_recv_key( + const char *host, + short port, + uint32 keyid, + gnutls_datum *key ); + +/* internal */ +int _gnutls_openpgp_cert2gnutls_cert( + gnutls_cert *cert, + const gnutls_datum *raw ); + +int +_gnutls_openpgp_request_key( + gnutls_session, + gnutls_datum* ret, + const gnutls_certificate_credentials cred, + opaque* key_fpr, + int key_fpr_size ); + +keybox_blob* kbx_read_blob( const gnutls_datum* keyring, size_t pos ); +cdk_keydb_hd_t kbx_to_keydb( keybox_blob *blob ); +void kbx_blob_release( keybox_blob *ctx ); + + +#endif /*GNUTLS_OPENPGP_H*/ 
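Review bot: The `kbx_read_blob`, `kbx_to_keydb` and `kbx_blob_release` declarations at the end of the new header say nothing about ownership, even though the helpers now cross a file boundary: the verification code removed from gnutls_openpgp.c in this same commit released the blob with `kbx_blob_release()` and the keydb handle with `cdk_free()`, and a caller in another file cannot learn that from the header. Comments such as `/* Allocates the blob found at POS in KEYRING; release it with kbx_blob_release(). */` and `/* Returns a keydb handle the caller owns (the previous caller freed it with cdk_free) -- confirm against the new caller. */` would make the contract visible. The exported `keybox_blob.type` field also looks like it holds a `keyring_blob_types` value; if so, say that next to the struct.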
diff --git a/libextra/openpgp/openpgp.c b/libextra/openpgp/openpgp.c index f41962ef3a..c24c8a14f9 100644 --- a/libextra/openpgp/openpgp.c +++ b/libextra/openpgp/openpgp.c @@ -24,6 +24,9 @@ */ #include + +#ifdef HAVE_LIBOPENCDK + #include #include #include @@ -412,3 +415,4 @@ int gnutls_openpgp_key_check_hostname(gnutls_openpgp_key key, return 0; } +#endif diff --git a/libextra/openpgp/openpgp.h b/libextra/openpgp/openpgp.h index 424a0a5b1d..b559522da7 100644 --- a/libextra/openpgp/openpgp.h +++ b/libextra/openpgp/openpgp.h @@ -7,10 +7,20 @@ typedef struct gnutls_openpgp_key_int { cdk_kbnode_t knode; } gnutls_openpgp_key_int; +typedef struct gnutls_openpgp_keyring_int { + cdk_keydb_hd_t hd; +} gnutls_openpgp_keyring_int; + +typedef struct gnutls_openpgp_trustdb_int { + cdk_stream_t st; +} gnutls_openpgp_trustdb_int; + typedef enum gnutls_openpgp_key_fmt { GNUTLS_X509_FMT_RAW, GNUTLS_X509_FMT_BASE64 } gnutls_openpgp_key_fmt; typedef struct gnutls_openpgp_key_int *gnutls_openpgp_key; +typedef struct gnutls_openpgp_keyring_int *gnutls_openpgp_keyring; +typedef struct gnutls_openpgp_trustdb_int *gnutls_openpgp_trustdb; int _gnutls_map_cdk_rc( int rc); @@ -19,4 +29,5 @@ gnutls_openpgp_key_get_name( gnutls_openpgp_key key, int idx, char *buf, size_t *sizeof_buf); + #endif -- cgit v1.2.1
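Review bot: The new `#ifdef HAVE_LIBOPENCDK` guard wraps everything in openpgp.c after its first include, so when libopencdk is absent every function this file defines (for example `gnutls_openpgp_key_check_hostname`, whose tail is visible in the second hunk) vanishes while its declaration in includes/gnutls/openpgp.h remains, and callers will presumably fail at link time unless stubs exist elsewhere. Either document that the OpenPGP API is only linked when libopencdk is present or provide stubs returning an error code. At minimum, label the closing directive so the scope is obvious: `#endif /* HAVE_LIBOPENCDK */`. The function closed by the second hunk starts outside it.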
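Review bot: The two new handle structs, `gnutls_openpgp_keyring_int` holding `cdk_keydb_hd_t hd` and `gnutls_openpgp_trustdb_int` holding `cdk_stream_t st`, carry no comment on who owns and closes the libopencdk objects they wrap, and the matching `_deinit` implementations are not part of this diff. A one-line comment on each, such as `/* Wraps the libopencdk stream of an open trust database; st is presumably closed in gnutls_openpgp_trustdb_deinit() -- confirm. */`, would tell a reader where the resource goes. The public header also forward-declares `struct gnutls_openpgp_trustdb;` while the private definition is `struct gnutls_openpgp_trustdb_int`, so the two tags never meet; that mismatch predates this commit, but the typedefs added here are the natural place to reconcile it.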