Exemplo n.º 1
0
void
doit (void)
{
  gnutls_openpgp_keyring_t keyring;
  gnutls_datum_t data;
  int ret;

  ret = gnutls_global_init ();
  if (ret < 0)
    fail ("init %d\n", ret);

  gnutls_global_set_log_function (tls_log_func);
  if (debug)
    gnutls_global_set_log_level (2);

  ret = gnutls_global_init_extra ();
  if (ret < 0)
    fail ("extra-init %d\n", ret);

  ret = gnutls_openpgp_keyring_init (&keyring);
  if (ret < 0)
    fail ("keyring-init %d\n", ret);

  data.data = raw_keyring;
  data.size = sizeof (raw_keyring) / sizeof (raw_keyring[0]);
  ret = gnutls_openpgp_keyring_import (keyring, &data,
				       GNUTLS_OPENPGP_FMT_RAW);
  if (ret < 0)
    fail ("keyring-import %d\n", ret);

  ret = gnutls_openpgp_keyring_check_id (keyring, id_not_in_keyring, 0);
  if (ret == 0)
    fail ("keyring-check-id (not-in-keyring) %d\n", ret);

  ret = gnutls_openpgp_keyring_check_id (keyring, id_in_keyring, 0);
  if (ret != 0)
    fail ("keyring-check-id first key %d\n", ret);

  ret = gnutls_openpgp_keyring_check_id (keyring, id2_in_keyring, 0);
  if (ret != 0)
    fail ("keyring-check-id second key %d\n", ret);

  if (debug)
    success ("done\n");

  gnutls_openpgp_keyring_deinit (keyring);
  gnutls_global_deinit ();
}
Exemplo n.º 2
0
/**
 * gnutls_openpgp_crt_verify_ring:
 * @key: the structure that holds the key.
 * @keyring: holds the keyring to check against
 * @flags: unused (should be 0)
 * @verify: will hold the certificate verification output.
 *
 * Verify all signatures in the key, using the given set of keys
 * (keyring).
 *
 * The key verification output will be put in @verify and will be one
 * or more of the #gnutls_certificate_status_t enumerated elements
 * bitwise or'd.
 *
 * %GNUTLS_CERT_INVALID: A signature on the key is invalid.
 *
 * %GNUTLS_CERT_REVOKED: The key has been revoked.
 *
 * Note that this function does not verify using any "web of trust".
 * You may use GnuPG for that purpose, or any other external PGP
 * application.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int
gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
                                gnutls_openpgp_keyring_t keyring,
                                unsigned int flags, unsigned int *verify)
{
  gnutls_openpgp_keyid_t id;
  cdk_error_t rc;
  int status;

  if (!key || !keyring)
    {
      gnutls_assert ();
      return GNUTLS_E_NO_CERTIFICATE_FOUND;
    }

  *verify = 0;

  rc = cdk_pk_check_sigs (key->knode, keyring->db, &status);
  if (rc == CDK_Error_No_Key)
    {
      rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
      gnutls_assert ();
      return rc;
    }
  else if (rc != CDK_Success)
    {
      _gnutls_x509_log ("cdk_pk_check_sigs: error %d\n", rc);
      rc = _gnutls_map_cdk_rc (rc);
      gnutls_assert ();
      return rc;
    }
  _gnutls_x509_log ("status: %x\n", status);

  if (status & CDK_KEY_INVALID)
    *verify |= GNUTLS_CERT_INVALID;
  if (status & CDK_KEY_REVOKED)
    *verify |= GNUTLS_CERT_REVOKED;
  if (status & CDK_KEY_NOSIGNER)
    *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND;

  /* Check if the key is included in the ring. */
  if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME))
    {
      rc = gnutls_openpgp_crt_get_key_id (key, id);
      if (rc < 0)
        {
          gnutls_assert ();
          return rc;
        }

      rc = gnutls_openpgp_keyring_check_id (keyring, id, 0);
      /* If it exists in the keyring don't treat it as unknown. */
      if (rc == 0 && *verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
        *verify ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
    }

  return 0;
}