1 /*
2 * Copyright (C) 2002-2010, 2012 Free Software Foundation, Inc.
4 * Author: Timo Schulz, Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
/* Functions on OpenPGP key parsing. */
26 #include <gnutls_int.h>
27 #include <openpgp_int.h>
28 #include <gnutls_errors.h>
29 #include <gnutls_openpgp.h>
30 #include <gnutls_num.h>
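/**
 * gnutls_openpgp_crt_verify_ring:
 * @key: the structure that holds the key.
 * @keyring: holds the keyring to check against
 * @flags: zero, or %GNUTLS_VERIFY_DO_NOT_ALLOW_SAME to keep reporting
 *   %GNUTLS_CERT_SIGNER_NOT_FOUND even when @key itself is in @keyring.
 * @verify: will hold the certificate verification output.
 *
 * Verify all signatures in the key, using the given set of keys
 * (keyring).
 *
 * The key verification output will be put in @verify and will be one
 * or more of the #gnutls_certificate_status_t enumerated elements
 * bitwise or'd.  A zero return value only means the check ran; the
 * verification result is in @verify, and any failure reported there
 * also has %GNUTLS_CERT_INVALID set, so callers must test @verify
 * and not just the return value.
 *
 * Note that this function does not verify using any "web of trust".
 * You may use GnuPG for that purpose, or any other external PGP
 * application.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int
gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
                                gnutls_openpgp_keyring_t keyring,
                                unsigned int flags, unsigned int *verify)
{
  uint8_t id[GNUTLS_OPENPGP_KEYID_SIZE];
  cdk_error_t rc;
  int ret;
  int status = 0;

  if (!key || !keyring)
    {
      gnutls_assert ();
      return GNUTLS_E_NO_CERTIFICATE_FOUND;
    }

  /* The output pointer is mandatory; fail instead of dereferencing NULL. */
  if (!verify)
    {
      gnutls_assert ();
      return GNUTLS_E_INVALID_REQUEST;
    }

  *verify = 0;

  rc = cdk_pk_check_sigs (key->knode, keyring->db, &status);
  if (rc == CDK_Error_No_Key)
    {
      gnutls_assert ();
      return GNUTLS_E_NO_CERTIFICATE_FOUND;
    }
  else if (rc != CDK_Success)
    {
      _gnutls_debug_log ("cdk_pk_check_sigs: error %d\n", (int) rc);
      gnutls_assert ();
      /* Keep gnutls (negative int) codes out of the cdk_error_t variable. */
      return _gnutls_map_cdk_rc (rc);
    }

  _gnutls_debug_log ("status: %x\n", (unsigned) status);

  /* Translate the opencdk status bits into gnutls status bits. */
  if (status & CDK_KEY_INVALID)
    *verify |= GNUTLS_CERT_SIGNATURE_FAILURE;
  if (status & CDK_KEY_REVOKED)
    *verify |= GNUTLS_CERT_REVOKED;
  if (status & CDK_KEY_NOSIGNER)
    *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND;

  /* Check if the key is included in the ring.  A key that is itself
   * part of the keyring is not treated as having an unknown signer,
   * unless the caller asked for that with GNUTLS_VERIFY_DO_NOT_ALLOW_SAME. */
  if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME))
    {
      ret = gnutls_openpgp_crt_get_key_id (key, id);
      if (ret < 0)
        {
          gnutls_assert ();
          return ret;
        }

      ret = gnutls_openpgp_keyring_check_id (keyring, id, 0);
      /* If it exists in the keyring don't treat it as unknown. */
      if (ret == 0 && (*verify & GNUTLS_CERT_SIGNER_NOT_FOUND))
        *verify &= ~GNUTLS_CERT_SIGNER_NOT_FOUND;
    }

  /* Any remaining status bit means the key did not verify. */
  if (*verify != 0)
    *verify |= GNUTLS_CERT_INVALID;

  return 0;
}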
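/**
 * gnutls_openpgp_crt_verify_self:
 * @key: the structure that holds the key.
 * @flags: unused (should be 0)
 * @verify: will hold the key verification output.
 *
 * Verifies the self signature in the key.  The key verification
 * output will be put in @verify and will be one or more of the
 * gnutls_certificate_status_t enumerated elements bitwise or'd.
 *
 * A zero return value only means the check ran.  A self signature
 * that fails to verify is reported through @verify (with
 * %GNUTLS_CERT_INVALID and %GNUTLS_CERT_SIGNATURE_FAILURE set), so
 * callers must inspect @verify rather than the return value.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int
gnutls_openpgp_crt_verify_self (gnutls_openpgp_crt_t key,
                                unsigned int flags, unsigned int *verify)
{
  int status = 0;
  cdk_error_t rc;

  (void) flags;

  /* Same argument checks as gnutls_openpgp_crt_verify_ring(). */
  if (!key)
    {
      gnutls_assert ();
      return GNUTLS_E_NO_CERTIFICATE_FOUND;
    }

  if (!verify)
    {
      gnutls_assert ();
      return GNUTLS_E_INVALID_REQUEST;
    }

  *verify = 0;

  rc = cdk_pk_check_self_sig (key->knode, &status);
  /* A failed call and a status other than "valid" are both reported
   * as a bad self signature; @verify stays 0 only on a clean result. */
  if (rc || status != CDK_KEY_VALID)
    *verify |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE;

  return 0;
}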