[gnutls-help] Problem Using gnutls_openpgp_crt_verify_ring .. cdk_pk_check_sigs
nmav at gnutls.org
Fri Jan 3 21:45:15 CET 2014
On 12/23/2013 11:53 PM, Rogers, David wrote:
> I'm trying to write server code to verify a client's OpenPGP key
> inside gnutls. The key exchange works fine, but the server's call
> to gnutls_openpgp_crt_verify_ring always returns CDK_KEY_NOSIGNER. (on
> gnutls_certificate_verification_status_print -->
> The certificate is NOT trusted. The certificate is not trusted. Could
> not find a signer of the certificate.
> I think the trouble is that it has some impossible requirements on the
> signers (line 509):
> verification must be ok AND the signature must not be a self-sig.
In short the idea is to only accept a signature if it is made by
someone else than the owner of the key.
> But the self-sigs have to be good, or else the algo. fails. So, the
> self-sigs it adds to the "uid_list" make the final "uid_list_all_signed"
> check (on line 522) fail, resulting in CDK_KEY_NOSIGNER. For the algo
> to be correct, the self-sigs should not be added to the final list
> check. I'm not even sure what the uid_list check is for...
I have not checked the details, but could you describe the scenario you
want it to succeed and it doesn't?
> FWIW, I would rather see a "int
> gnutls_openpgp_crt_verify_signer(gnutls_openpgp_crt_t key,
> gnutls_openpgp_crt_t signer, unsigned int *verify)" test that would take
> an gnutls_openpgp_crt_t 'cert' from the client and
> an gnutls_openpgp_crt_t 'signer' holding the signer's public key and
> check that
> 1) the client cert's self-signs are valid
> 2) the client cert has at least one valid signature from the provided
> 'signer' pubkey
That's what the existing gnutls_openpgp_crt_verify_ring() is supposed to
do. There is indeed quite some functionality missing for pgp support but
I don't plan in working on it any time soon. However, if you submit
patches to improve or fix the openpgp functionality I'll includ them.
More information about the Gnutls-help