[mod_gnutls-devel] Add support for GnuTLSClientVerifyMethod=msva for OpenPGP certs

Ramkumar Chinchani ramkumar.chinchani at gmail.com
Thu Mar 20 04:08:03 CET 2014


diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index d068ebb..85c9585 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1245,10 +1245,70 @@ static int mgs_cert_verify(request_rec * r,
mgs_handle_t * ctxt) {
             break;
 #ifdef ENABLE_MSVA
         case mgs_cvm_msva:
-            /* need to set status and rv */
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                          "GnuTLS:  OpenPGP verification via MSVA is not
yet implemented");
-            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
+        {
+            struct msv_response* resp = NULL;
+            struct msv_query q = { .context="https", .peertype="client",
.pkctype="openpgp4fpr" };
+            msv_ctxt_t ctx = msv_ctxt_init(NULL);
+            char fpr[32];
+            size_t fprlen = sizeof (fpr);
+
+            rv = 0;
+            if (!ctx) {
+                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                              "MSV: Could not initialize context");
+                status = GNUTLS_CERT_INVALID;
+                rv = GNUTLS_E_MEMORY_ERROR;
+                break;
+            }
+
+            if (gnutls_openpgp_crt_get_fingerprint(cert.pgp, fpr, &fprlen)
>= 0) {
+                gnutls_datum_t d = {.data = (unsigned char *)fpr, .size =
fprlen};
+                char buf[64];
+                size_t buflen = sizeof(buf);
+
+                if (gnutls_hex_encode(&d, buf, &buflen) >= 0) {
+                    char name[1024];
+                    size_t namelen = sizeof (name);
+
+                    if (gnutls_openpgp_crt_get_name(cert.pgp, 0, name,
&namelen) >= 0) {
+                        q.peername = name;
+                        q.pkcdata = buf;
+                        rv = msv_query_agent(ctx, q, &resp);
+                        if (rv == LIBMSV_ERROR_SUCCESS) {
+                            status = 0;
+                        } else if (rv == LIBMSV_ERROR_INVALID) {
+                            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                    "GnuTLS: Monkeysphere validation
failed: (message: %s)", resp->message);
+                            status = GNUTLS_CERT_INVALID;
+                            rv = GNUTLS_E_CERTIFICATE_ERROR;
+                        } else {
+                            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                    "GnuTLS: Error communicating with the
Monkeysphere Validation Agent: (%d) %s", rv, msv_strerror(ctx, rv));
+                            status = GNUTLS_CERT_INVALID;
+                            rv = -1;
+                        }
+                    } else {
+                        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                                "GnuTLS: Could not get name from the
client certificate or name too long");
+                        status = GNUTLS_CERT_INVALID;
+                        rv = -1;
+                    }
+                } else {
+                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                            "GnuTLS: Could not convert fingerprint");
+                    status = GNUTLS_CERT_INVALID;
+                    rv = -1;
+                    break;
+                }
+            } else {
+                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                              "GnuTLS: Could not get fingerprint from
client certificate");
+                status = GNUTLS_CERT_INVALID;
+                rv = -1;
+            }
+            msv_response_destroy(resp);
+            msv_ctxt_destroy(ctx);
+        }
             break;
 #endif
         default:
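Review bot: The `break;` in the "Could not convert fingerprint" branch exits the switch before the `msv_response_destroy(resp)` / `msv_ctxt_destroy(ctx)` cleanup at the end of the case, so the context created by `msv_ctxt_init(NULL)` is leaked on every client whose fingerprint fails hex encoding; the earlier `break` after the `!ctx` check is fine because nothing has been allocated yet. Since the branch already sets `status` and `rv` and the else-chain falls through to the cleanup on its own, the fix is simply to delete that `break;` line. Separately, the LIBMSV_ERROR_INVALID log line dereferences `resp->message`; if `msv_query_agent` can return that code without populating `resp`, this is a NULL dereference driven by client-supplied certificate data, so a defensive `resp ? resp->message : "(no response)"` would be safer unless the libmsv contract guarantees a response there. The enclosing `mgs_cert_verify` starts and ends outside the hunk, so how `rv = -1` is interpreted by the caller is not visible here.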