[gnutls-help] Problem Using gnutls_openpgp_crt_verify_ring .. cdk_pk_check_sigs

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Jan 3 21:45:15 CET 2014

On 12/23/2013 11:53 PM, Rogers, David wrote:
> Hello!
>   I'm trying to write server code to verify a client's OpenPGP key
> inside gnutls.  The key exchange works fine, but the server's call
> to gnutls_openpgp_crt_verify_ring always returns CDK_KEY_NOSIGNER. (on
> gnutls_certificate_verification_status_print -->
> The certificate is NOT trusted. The certificate is not trusted. Could
> not find a signer of the certificate. 
> I think the trouble is that it has some impossible requirements on the
> signers (line 509):
> verification must be ok AND the signature must not be a self-sig.

Hello David,
 In short the idea is to only accept a signature if it is made by
someone else than the owner of the key.

> But the self-sigs have to be good, or else the algo. fails.  So, the
> self-sigs it adds to the "uid_list" make the final "uid_list_all_signed"
> check (on line 522) fail, resulting in CDK_KEY_NOSIGNER.  For the algo
> to be correct, the self-sigs should not be added to the final list
> check.  I'm not even sure what the uid_list check is for...

I have not checked the details, but could you describe the scenario you
want it to succeed and it doesn't?

>   FWIW, I would rather see a "int
> gnutls_openpgp_crt_verify_signer(gnutls_openpgp_crt_t key,
> gnutls_openpgp_crt_t signer, unsigned int *verify)" test that would take
> an gnutls_openpgp_crt_t 'cert' from the client and
> an gnutls_openpgp_crt_t  'signer' holding the signer's public key and
> check that
> 1) the client cert's self-signs are valid
> 2) the client cert has at least one valid signature from the provided
> 'signer' pubkey

That's what the existing gnutls_openpgp_crt_verify_ring() is supposed to
do. There is indeed quite some functionality missing for pgp support but
I don't plan in working on it any time soon. However, if you submit
patches to improve or fix the openpgp functionality I'll includ them.


More information about the Gnutls-help mailing list