lib/openpgp/pgpverify.c

   1 /*
   2  * Copyright (C) 2002, 2003, 2004, 2005, 2007, 2008, 2010 Free Software
   3  * Foundation, Inc.
   4  *
   5  * Author: Timo Schulz, Nikos Mavrogiannopoulos
   6  *
   7  * This file is part of GNUTLS.
   8  *
   9  * The GNUTLS library is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU Lesser General Public License
  11  * as published by the Free Software Foundation; either version 2.1 of
  12  * the License, or (at your option) any later version.
  13  *
  14  * This library is distributed in the hope that it will be useful, but
  15  * WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  17  * Lesser General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Lesser General Public
  20  * License along with this library; if not, write to the Free Software
  21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  22  * 02110-1301, USA
  23  *
  24  */
  25
  26 /* Functions on OpenPGP key parsing
  27  */
  28
  29 #include <gnutls_int.h>
  30 #include <openpgp_int.h>
  31 #include <gnutls_errors.h>
  32 #include <gnutls_openpgp.h>
  33 #include <gnutls_num.h>
  34
  35 /**
  36  * gnutls_openpgp_crt_verify_ring - Verify all signatures in the key
  37  * @key: the structure that holds the key.
  38  * @keyring: holds the keyring to check against
  39  * @flags: unused (should be 0)
  40  * @verify: will hold the certificate verification output.
  41  *
  42  * Verify all signatures in the key, using the given set of keys
  43  * (keyring).
  44  *
  45  * The key verification output will be put in @verify and will be one
  46  * or more of the #gnutls_certificate_status_t enumerated elements
  47  * bitwise or'd.
  48  *
  49  * %GNUTLS_CERT_INVALID: A signature on the key is invalid.
  50  *
  51  * %GNUTLS_CERT_REVOKED: The key has been revoked.
  52  *
  53  * Note that this function does not verify using any "web of trust".
  54  * You may use GnuPG for that purpose, or any other external PGP
  55  * application.
  56  *
  57  * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
  58  **/
  59 int
  60 gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
  61                                 gnutls_openpgp_keyring_t keyring,
  62                                 unsigned int flags, unsigned int *verify)
  63 {
  64   gnutls_openpgp_keyid_t id;
  65   cdk_error_t rc;
  66   int status;
  67
  68   if (!key || !keyring)
  69     {
  70       gnutls_assert ();
  71       return GNUTLS_E_NO_CERTIFICATE_FOUND;
  72     }
  73
  74   *verify = 0;
  75
  76   rc = cdk_pk_check_sigs (key->knode, keyring->db, &status);
  77   if (rc == CDK_Error_No_Key)
  78     {
  79       rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
  80       gnutls_assert ();
  81       return rc;
  82     }
  83   else if (rc != CDK_Success)
  84     {
  85       _gnutls_x509_log ("cdk_pk_check_sigs: error %d\n", rc);
  86       rc = _gnutls_map_cdk_rc (rc);
  87       gnutls_assert ();
  88       return rc;
  89     }
  90   _gnutls_x509_log ("status: %x\n", status);
  91
  92   if (status & CDK_KEY_INVALID)
  93     *verify |= GNUTLS_CERT_INVALID;
  94   if (status & CDK_KEY_REVOKED)
  95     *verify |= GNUTLS_CERT_REVOKED;
  96   if (status & CDK_KEY_NOSIGNER)
  97     *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND;
  98
  99   /* Check if the key is included in the ring. */
 100   if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME))
 101     {
 102       rc = gnutls_openpgp_crt_get_key_id (key, id);
 103       if (rc < 0)
 104         {
 105           gnutls_assert ();
 106           return rc;
 107         }
 108
 109       rc = gnutls_openpgp_keyring_check_id (keyring, id, 0);
 110       /* If it exists in the keyring don't treat it as unknown. */
 111       if (rc == 0 && *verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
 112         *verify ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
 113     }
 114
 115   return 0;
 116 }
 117
 118
 119 /**
 120  * gnutls_openpgp_crt_verify_self - Verify the self signature on the key
 121  * @key: the structure that holds the key.
 122  * @flags: unused (should be 0)
 123  * @verify: will hold the key verification output.
 124  *
 125  * Verifies the self signature in the key.  The key verification
 126  * output will be put in @verify and will be one or more of the
 127  * gnutls_certificate_status_t enumerated elements bitwise or'd.
 128  *
 129  * %GNUTLS_CERT_INVALID: The self signature on the key is invalid.
 130  *
 131  * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 132  **/
 133 int
 134 gnutls_openpgp_crt_verify_self (gnutls_openpgp_crt_t key,
 135                                 unsigned int flags, unsigned int *verify)
 136 {
 137   int status;
 138   cdk_error_t rc;
 139
 140   rc = cdk_pk_check_self_sig (key->knode, &status);
 141   if (rc || status != CDK_KEY_VALID)
 142     *verify |= GNUTLS_CERT_INVALID;
 143   else
 144     *verify = 0;
 145
 146   return 0;
 147 }