On 12/23/2013 11:53 PM, Rogers, David wrote:
> Hello!
>
> I'm trying to write server code to verify a client's OpenPGP key
> inside gnutls. The key exchange works fine, but the server's call
> to gnutls_openpgp_crt_verify_ring always returns CDK_KEY_NOSIGNER. (on
> GNUTLS_DEBUG_LEVEL=9)
[...]
> gnutls_certificate_verification_status_print -->
> The certificate is NOT trusted. The certificate is not trusted. Could
> not find a signer of the certificate.
[...]
> I think the trouble is that it has some impossible requirements on the
> signers (line 509):
> verification must be ok AND the signature must not be a self-sig.

Hello David,

In short the idea is to only accept a signature if it is made by someone
else than the owner of the key.

> But the self-sigs have to be good, or else the algo. fails. So, the
> self-sigs it adds to the "uid_list" make the final "uid_list_all_signed"
> check (on line 522) fail, resulting in CDK_KEY_NOSIGNER. For the algo
> to be correct, the self-sigs should not be added to the final list
> check. I'm not even sure what the uid_list check is for...

I have not checked the details, but could you describe the scenario you
want it to succeed and it doesn't?

> FWIW, I would rather see a "int
> gnutls_openpgp_crt_verify_signer(gnutls_openpgp_crt_t key,
> gnutls_openpgp_crt_t signer, unsigned int *verify)" test that would take
> a gnutls_openpgp_crt_t 'cert' from the client and
> a gnutls_openpgp_crt_t 'signer' holding the signer's public key and
> check that
> 1) the client cert's self-signs are valid
> 2) the client cert has at least one valid signature from the provided
> 'signer' pubkey

That's what the existing gnutls_openpgp_crt_verify_ring() is supposed to do.
There is indeed quite some functionality missing for pgp support but I
don't plan on working on it any time soon. However, if you submit patches
to improve or fix the openpgp functionality I'll include them.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
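The acceptance rule the thread converges on (self-signatures must verify but never count as a signer; each user ID needs at least one verifying signature from a key in the trusted ring other than the key's owner) can be modelled independently of the library. The block below is an added example written for this page; it is not gnutls or opencdk code and does not reproduce their internals. The data types, the per-user-ID interpretation of "all signed", the `BAD_SELF_SIGNATURE` status and all key IDs are constructed assumptions; only the `CDK_KEY_NOSIGNER` name comes from the thread.

```python
"""Model of the OpenPGP key-acceptance policy discussed in the thread.

Constructed illustration, not gnutls/opencdk code.  A key is accepted only if
  (1) every self-signature on it verifies, and
  (2) every user ID carries at least one verifying signature made by a key
      in the trusted ring that is NOT the key's own (a self-sig is required
      to be good, but it never counts as a third-party signer).
"""
from dataclasses import dataclass

# Status strings.  CDK_KEY_NOSIGNER is the name from the thread; the other
# two are our own labels for this model.
OK = "OK"
KEY_NOSIGNER = "CDK_KEY_NOSIGNER"        # no acceptable third-party signer found
KEY_BAD_SELFSIG = "BAD_SELF_SIGNATURE"   # hypothetical: a self-sig failed to verify


@dataclass(frozen=True)
class Signature:
    signer_keyid: str   # key ID of the signing key
    verifies: bool      # outcome of the cryptographic check (constructed here)


@dataclass(frozen=True)
class UserID:
    name: str
    signatures: tuple   # tuple of Signature


@dataclass(frozen=True)
class Key:
    keyid: str
    uids: tuple         # tuple of UserID


def verify_against_ring(key, ring_keyids):
    """Return OK, KEY_NOSIGNER or KEY_BAD_SELFSIG for `key`.

    ring_keyids: key IDs whose signatures we are prepared to trust.
    The check is per user ID: a single unsigned UID rejects the whole key
    (our reading of the "all signed" requirement mentioned in the thread).
    """
    ring = set(ring_keyids)
    for uid in key.uids:
        signed_by_third_party = False
        for sig in uid.signatures:
            if sig.signer_keyid == key.keyid:
                # Self-signature: must be good, but is never a signer.
                if not sig.verifies:
                    return KEY_BAD_SELFSIG
                continue
            # Third-party signature: counts only if it verifies AND the
            # signer is in the trusted ring.  Anything else is ignored.
            if sig.verifies and sig.signer_keyid in ring:
                signed_by_third_party = True
        if not signed_by_third_party:
            return KEY_NOSIGNER
    return OK


# Constructed sample key IDs and keys (not real OpenPGP identifiers).
CLIENT = "0xCLIENT00"
SIGNER = "0xSIGNER00"
STRANGER = "0xUNKNOWN0"

SELF_SIGNED_ONLY = Key(CLIENT, (
    UserID("alice", (Signature(CLIENT, True),)),))
PROPERLY_SIGNED = Key(CLIENT, (
    UserID("alice", (Signature(CLIENT, True), Signature(SIGNER, True))),))
BAD_SELF_SIG = Key(CLIENT, (
    UserID("alice", (Signature(CLIENT, False), Signature(SIGNER, True))),))
SIGNED_BY_STRANGER = Key(CLIENT, (
    UserID("alice", (Signature(CLIENT, True), Signature(STRANGER, True))),))
PARTIALLY_SIGNED = Key(CLIENT, (
    UserID("alice", (Signature(CLIENT, True), Signature(SIGNER, True))),
    UserID("alice@work", (Signature(CLIENT, True),)),))

if __name__ == "__main__":
    for label, k in [("self-signed only", SELF_SIGNED_ONLY),
                     ("properly signed", PROPERLY_SIGNED),
                     ("bad self-sig", BAD_SELF_SIG),
                     ("signed by stranger", SIGNED_BY_STRANGER),
                     ("one uid unsigned", PARTIALLY_SIGNED)]:
        print(f"{label:20s} -> {verify_against_ring(k, [SIGNER])}")
```

The self-signed-only key is the case David's server hits: every signature on it verifies, yet none is from a third party, so the result is `CDK_KEY_NOSIGNER` rather than a verification failure. The "one uid unsigned" key shows why a per-UID rule can still fail a key that does carry a good third-party signature on one UID.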
