Hello! I'm trying to write server code to verify a client's OpenPGP key inside gnutls. The key exchange works fine, but the server's call to gnutls_openpgp_crt_verify_ring always returns CDK_KEY_NOSIGNER. (on GNUTLS_DEBUG_LEVEL=9)
gnutls[9]: signature good: signer 03357392 keyid 03357392 gnutls[2]: ASSERT: keydb.c:866 gnutls[2]: ASSERT: keydb.c:1237 gnutls[9]: signature good: signer 262B259C keyid 03357392 gnutls[2]: status: 8 gnutls[2]: ASSERT: keydb.c:866 gnutls[2]: ASSERT: keydb.c:1237 gnutls[2]: PGP: key not found 03357392 gnutls_certificate_verification_status_print --> The certificate is NOT trusted. The certificate is not trusted. Could not find a signer of the certificate. gnutls_openpgp_crt_verify_ring(crt, keyring, flag, &status) attempts to verify all the signatures in the crt against the public keys listed in "keyring" It calls: lib/openpgp/pgpverify.c:68 : rc = cdk_pk_check_sigs(key->knode, keyring->db, &status); (lib/opencdk/sig-check.c:454) which steps through all CDK_PKT_SIGNATURE-s in the key packet, running rc = _cdk_pk_check_sig(keydb, key, node, &is_selfsig, &uid_name); on each. Those calls are the sources of the individual "GOOD" verification signatures above. I think the trouble is that it has some impossible requirements on the signers (line 509): verification must be ok AND the signature must not be a self-sig. But the self-sigs have to be good, or else the algo. fails. So, the self-sigs it adds to the "uid_list" make the final "uid_list_all_signed" check (on line 522) fail, resulting in CDK_KEY_NOSIGNER. For the algo to be correct, the self-sigs should not be added to the final list check. I'm not even sure what the uid_list check is for... FWIW, I would rather see a "int gnutls_openpgp_crt_verify_signer(gnutls_openpgp_crt_t key, gnutls_openpgp_crt_t signer, unsigned int *verify)" test that would take an gnutls_openpgp_crt_t 'cert' from the client and an gnutls_openpgp_crt_t 'signer' holding the signer's public key and check that 1) the client cert's self-signs are valid 2) the client cert has at least one valid signature from the provided 'signer' pubkey ~ David. (both client and server) #define KEYFILE "/Users/rogers/.gnupg/kubotan-key.asc" #define CERTFILE "/Users/rogers/.gnupg/kubotan.asc" #define RINGFILE "/Users/rogers/.gnupg/pubring.gpg" pub 2048R/262B259C 2013-12-20 uid David M. Rogers <predictivestatmech-gmail.com<http://predictivestatmech-gmail.com>> sig 3 262B259C 2013-12-20 David M. Rogers <predictivestatmech-gmail.com<http://predictivestatmech-gmail.com>> sub 2048R/E494F149 2013-12-20 sig 262B259C 2013-12-20 David M. Rogers <predictivestatmech-gmail.com<http://predictivestatmech-gmail.com>> pub 2048R/03357392 2013-12-20 [expires: 2016-12-19] uid kubotan (MBPR Laptop) <davidrogers-usf.edu<http://davidrogers-usf.edu>> sig 3 03357392 2013-12-20 kubotan (MBPR Laptop) <davidrogers-usf.edu<http://davidrogers-usf.edu>> sig 262B259C 2013-12-20 David M. Rogers <predictivestatmech-gmail.com<http://predictivestatmech-gmail.com>>
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
