[gnutls-help] Problem Using gnutls_openpgp_crt_verify_ring .. cdk_pk_check_sigs

Rogers, David davidrogers at usf.edu
Fri Jan 3 21:56:20 CET 2014

On Jan 3, 2014, at 3:45 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On 12/23/2013 11:53 PM, Rogers, David wrote:
>> Hello!
>>  I'm trying to write server code to verify a client's OpenPGP key
>> inside gnutls.  The key exchange works fine, but the server's call
>> to gnutls_openpgp_crt_verify_ring always returns CDK_KEY_NOSIGNER. (on
> [...]
>> gnutls_certificate_verification_status_print -->
>> The certificate is NOT trusted. The certificate is not trusted. Could
>> not find a signer of the certificate. 
> [...]
>> I think the trouble is that it has some impossible requirements on the
>> signers (line 509):
>> verification must be ok AND the signature must not be a self-sig.
> Hello David,
> In short the idea is to only accept a signature if it is made by
> someone else than the owner of the key.
>> But the self-sigs have to be good, or else the algo. fails.  So, the
>> self-sigs it adds to the "uid_list" make the final "uid_list_all_signed"
>> check (on line 522) fail, resulting in CDK_KEY_NOSIGNER.  For the algo
>> to be correct, the self-sigs should not be added to the final list
>> check.  I'm not even sure what the uid_list check is for...
> I have not checked the details, but could you describe the scenario you
> want it to succeed and it doesn't?
>>  FWIW, I would rather see a "int
>> gnutls_openpgp_crt_verify_signer(gnutls_openpgp_crt_t key,
>> gnutls_openpgp_crt_t signer, unsigned int *verify)" test that would take
>> an gnutls_openpgp_crt_t 'cert' from the client and
>> an gnutls_openpgp_crt_t  'signer' holding the signer's public key and
>> check that
>> 1) the client cert's self-signs are valid
>> 2) the client cert has at least one valid signature from the provided
>> 'signer' pubkey
> That's what the existing gnutls_openpgp_crt_verify_ring() is supposed to
> do. There is indeed quite some functionality missing for pgp support but
> I don't plan in working on it any time soon. However, if you submit
> patches to improve or fix the openpgp functionality I'll includ them.
> regards,
> Nikos

  Actually, I realized my problem was caused by reading the PGP keyring (gnutls_openpgp_keyring_import) using ASCII mode, when the file (.gpg extension) was binary.  No error occurred on read, but no signers could be found because the public keys didn't actually load.  So I would re-classify this as an issue with gnutls_openpgp_keyring_import.

  What I wanted to do was verify that the peer's certificate had a valid signature from a particular signer.  This is covered by the present code if I create a keyring containing only the public key I want to check against.

~ David.

More information about the Gnutls-help mailing list