search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Simplified certificate verification by adding gnutls_certificate_verify_peers3().
[gnutls.git] / lib / openpgp / compat.c
blobebcb3afb82c69be95cb3e2b77b9cd7ef9ddc05b0
1 /*
2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
3 *
4 * Author: Timo Schulz, Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Compatibility functions on OpenPGP key parsing.
24 */
25
26 #include <gnutls_int.h>
27 #include <gnutls_errors.h>
28 #include <gnutls_openpgp.h>
29 #include <openpgp_int.h>
30
31 /*-
32 * gnutls_openpgp_verify_key:
33 * @hostname: the name of the certificate holder
34 * @cert_list: the structure that holds the certificates.
35 * @cert_list_lenght: the items in the cert_list.
36 * @status: the output of the verification function
37 *
38 * Verify all signatures in the certificate list. When the key
39 * is not available, the signature is skipped.
40 *
41 * The return value is one of the CertificateStatus entries.
42 *
43 * NOTE: this function does not verify using any "web of trust". You
44 * may use GnuPG for that purpose, or any other external PGP application.
45 -*/
46 int
47 _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
48 const char* hostname,
49 const gnutls_datum_t * cert_list,
50 int cert_list_length, unsigned int *status)
51 {
52 int ret = 0;
53 gnutls_openpgp_crt_t key = NULL;
54 unsigned int verify = 0, verify_self = 0;
55
56 if (!cert_list || cert_list_length != 1)
57 {
58 gnutls_assert ();
59 return GNUTLS_E_NO_CERTIFICATE_FOUND;
60 }
61
62 ret = gnutls_openpgp_crt_init (&key);
63 if (ret < 0)
64 {
65 gnutls_assert ();
66 return ret;
67 }
68
69 ret =
70 gnutls_openpgp_crt_import (key, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
71 if (ret < 0)
72 {
73 gnutls_assert ();
74 goto leave;
75 }
76
77 if (cred->keyring != NULL)
78 {
79 ret = gnutls_openpgp_crt_verify_ring (key, cred->keyring, 0, &verify);
80 if (ret < 0)
81 {
82 gnutls_assert ();
83 goto leave;
84 }
85 }
86
87 /* Now try the self signature. */
88 ret = gnutls_openpgp_crt_verify_self (key, 0, &verify_self);
89 if (ret < 0)
90 {
91 gnutls_assert ();
92 goto leave;
93 }
94
95 *status = verify_self | verify;
96
97 /* If we only checked the self signature. */
98 if (!cred->keyring)
99 *status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
100
101 if (hostname)
102 {
103 ret = gnutls_openpgp_crt_check_hostname(key, hostname);
104 if (ret == 0)
105 *status |= GNUTLS_CERT_UNEXPECTED_OWNER;
106 }
107
108 ret = 0;
109
110 leave:
111 gnutls_openpgp_crt_deinit (key);
112
113 return ret;
114 }
115
116 /*-
117 * gnutls_openpgp_fingerprint:
118 * @cert: the raw data that contains the OpenPGP public key.
119 * @fpr: the buffer to save the fingerprint.
120 * @fprlen: the integer to save the length of the fingerprint.
121 *
122 * Returns the fingerprint of the OpenPGP key. Depence on the algorithm,
123 * the fingerprint can be 16 or 20 bytes.
124 -*/
125 int
126 _gnutls_openpgp_fingerprint (const gnutls_datum_t * cert,
127 unsigned char *fpr, size_t * fprlen)
128 {
129 gnutls_openpgp_crt_t key;
130 int ret;
131
132 ret = gnutls_openpgp_crt_init (&key);
133 if (ret < 0)
134 {
135 gnutls_assert ();
136 return ret;
137 }
138
139 ret = gnutls_openpgp_crt_import (key, cert, GNUTLS_OPENPGP_FMT_RAW);
140 if (ret < 0)
141 {
142 gnutls_assert ();
143 return ret;
144 }
145
146 ret = gnutls_openpgp_crt_get_fingerprint (key, fpr, fprlen);
147 gnutls_openpgp_crt_deinit (key);
148 if (ret < 0)
149 {
150 gnutls_assert ();
151 return ret;
152 }
153
154 return 0;
155 }
156
157 /*-
158 * gnutls_openpgp_get_raw_key_creation_time:
159 * @cert: the raw data that contains the OpenPGP public key.
160 *
161 * Returns the timestamp when the OpenPGP key was created.
162 -*/
163 time_t
164 _gnutls_openpgp_get_raw_key_creation_time (const gnutls_datum_t * cert)
165 {
166 gnutls_openpgp_crt_t key;
167 int ret;
168 time_t tim;
169
170 ret = gnutls_openpgp_crt_init (&key);
171 if (ret < 0)
172 {
173 gnutls_assert ();
174 return ret;
175 }
176
177 ret = gnutls_openpgp_crt_import (key, cert, GNUTLS_OPENPGP_FMT_RAW);
178 if (ret < 0)
179 {
180 gnutls_assert ();
181 return ret;
182 }
183
184 tim = gnutls_openpgp_crt_get_creation_time (key);
185
186 gnutls_openpgp_crt_deinit (key);
187
188 return tim;
189 }
190
191
192 /*-
193 * gnutls_openpgp_get_raw_key_expiration_time:
194 * @cert: the raw data that contains the OpenPGP public key.
195 *
196 * Returns the time when the OpenPGP key expires. A value of '0' means
197 * that the key doesn't expire at all.
198 -*/
199 time_t
200 _gnutls_openpgp_get_raw_key_expiration_time (const gnutls_datum_t * cert)
201 {
202 gnutls_openpgp_crt_t key;
203 int ret;
204 time_t tim;
205
206 ret = gnutls_openpgp_crt_init (&key);
207 if (ret < 0)
208 {
209 gnutls_assert ();
210 return ret;
211 }
212
213 ret = gnutls_openpgp_crt_import (key, cert, GNUTLS_OPENPGP_FMT_RAW);
214 if (ret < 0)
215 {
216 gnutls_assert ();
217 return ret;
218 }
219
220 tim = gnutls_openpgp_crt_get_expiration_time (key);
221
222 gnutls_openpgp_crt_deinit (key);
223
224 return tim;
225 }
Implementation of the SSL/TLS protocol