On Jan 3, 2014, at 3:45 PM, Nikos Mavrogiannopoulos <[email protected]> wrote:

> On 12/23/2013 11:53 PM, Rogers, David wrote:
>> Hello!
>>
>> I'm trying to write server code to verify a client's OpenPGP key
>> inside gnutls. The key exchange works fine, but the server's call
>> to gnutls_openpgp_crt_verify_ring always returns CDK_KEY_NOSIGNER. (on
>> GNUTLS_DEBUG_LEVEL=9)
> [...]
>> gnutls_certificate_verification_status_print -->
>> The certificate is NOT trusted. The certificate is not trusted. Could
>> not find a signer of the certificate.
> [...]
>> I think the trouble is that it has some impossible requirements on the
>> signers (line 509):
>> verification must be ok AND the signature must not be a self-sig.
>
> Hello David,
> In short the idea is to only accept a signature if it is made by
> someone other than the owner of the key.
>
>> But the self-sigs have to be good, or else the algo. fails. So, the
>> self-sigs it adds to the "uid_list" make the final "uid_list_all_signed"
>> check (on line 522) fail, resulting in CDK_KEY_NOSIGNER. For the algo
>> to be correct, the self-sigs should not be added to the final list
>> check. I'm not even sure what the uid_list check is for...
>
> I have not checked the details, but could you describe the scenario you
> want it to succeed and it doesn't?
>
>> FWIW, I would rather see a "int
>> gnutls_openpgp_crt_verify_signer(gnutls_openpgp_crt_t key,
>> gnutls_openpgp_crt_t signer, unsigned int *verify)" test that would take
>> a gnutls_openpgp_crt_t 'cert' from the client and
>> a gnutls_openpgp_crt_t 'signer' holding the signer's public key and
>> check that
>> 1) the client cert's self-signs are valid
>> 2) the client cert has at least one valid signature from the provided
>> 'signer' pubkey
>
> That's what the existing gnutls_openpgp_crt_verify_ring() is supposed to
> do. There is indeed quite some functionality missing for pgp support but
> I don't plan on working on it any time soon. However, if you submit
> patches to improve or fix the openpgp functionality I'll include them.
>
> regards,
> Nikos
>
Actually, I realized my problem was caused by reading the PGP keyring
(gnutls_openpgp_keyring_import) using ASCII mode, when the file (.gpg
extension) was binary. No error occurred on read, but no signers could be
found because the public keys didn't actually load. So I would re-classify
this as an issue with gnutls_openpgp_keyring_import.

What I wanted to do was verify that the peer's certificate had a valid
signature from a particular signer. This is covered by the present code if I
create a keyring containing only the public key I want to check against.

Thanks!
~ David.

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
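The root cause David found, a binary keyring imported in ASCII mode with no error reported, is a silent-failure mode worth guarding against in the calling code rather than trusting the importer. The following is an added example written for this thread, not code from the thread or from GnuTLS: it sniffs whether a keyring blob is ASCII-armored or a raw OpenPGP packet stream (RFC 4880 packet headers) and refuses anything that is neither, so the caller can pick the right `gnutls_openpgp_crt_fmt_t` instead of guessing from the file extension. The function names, the `keyring_fmt` enum and the sample byte strings are constructed for this example; the sample binary blob is a syntactically valid Public-Key packet header with placeholder body bytes, not a real key.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical result type for this example. RAW and BASE64 mirror the two
   gnutls_openpgp_crt_fmt_t choices (GNUTLS_OPENPGP_FMT_RAW for binary .gpg
   files, GNUTLS_OPENPGP_FMT_BASE64 for ASCII-armored .asc files); UNKNOWN
   means the caller should refuse to import rather than try a format. */
enum keyring_fmt { KEYRING_FMT_RAW, KEYRING_FMT_BASE64, KEYRING_FMT_UNKNOWN };

/* Parse one OpenPGP packet header (RFC 4880 section 4.2) at buf[0].
   Returns the packet tag (>= 0) and stores header and body lengths, or -1
   if the header is malformed, uses an indeterminate/partial length, or
   the declared body would run past the end of the buffer. */
static int parse_packet_header(const unsigned char *buf, size_t len,
                               size_t *hdr_len, size_t *body_len)
{
    int tag;
    size_t hl, bl, i;

    if (len < 2 || (buf[0] & 0x80) == 0)      /* bit 7 must always be set */
        return -1;

    if (buf[0] & 0x40) {                      /* new-format packet header */
        tag = buf[0] & 0x3f;
        if (buf[1] < 192) {
            hl = 2; bl = buf[1];
        } else if (buf[1] < 224) {
            if (len < 3) return -1;
            hl = 3; bl = ((size_t)(buf[1] - 192) << 8) + buf[2] + 192;
        } else if (buf[1] == 255) {
            if (len < 6) return -1;
            hl = 6;
            bl = ((size_t)buf[2] << 24) | ((size_t)buf[3] << 16) |
                 ((size_t)buf[4] << 8) | buf[5];
        } else {
            return -1;                        /* partial body length: not a key */
        }
    } else {                                  /* old-format packet header */
        int ltype = buf[0] & 0x03;
        tag = (buf[0] >> 2) & 0x0f;
        if (ltype == 3) return -1;            /* indeterminate length */
        hl = 1 + ((size_t)1 << ltype);        /* 2, 3 or 5 header bytes */
        if (len < hl) return -1;
        bl = 0;
        for (i = 1; i < hl; i++) bl = (bl << 8) | buf[i];
    }
    if (bl > len - hl) return -1;             /* body truncated */
    *hdr_len = hl;
    *body_len = bl;
    return tag;
}

/* Decide how a keyring blob should be imported, from its content alone. */
enum keyring_fmt sniff_keyring_format(const unsigned char *buf, size_t len)
{
    static const char armor[] = "-----BEGIN PGP ";
    size_t i = 0, hl, bl;
    int tag;

    /* ASCII armor: tolerate leading whitespace before the header line. */
    while (i < len && (buf[i] == ' ' || buf[i] == '\t' ||
                       buf[i] == '\r' || buf[i] == '\n'))
        i++;
    if (len - i >= sizeof(armor) - 1 &&
        memcmp(buf + i, armor, sizeof(armor) - 1) == 0)
        return KEYRING_FMT_BASE64;

    /* Binary: a public keyring starts with a Public-Key packet (tag 6), a
       secret keyring with a Secret-Key packet (tag 5). Anything else is
       not something to hand to the importer. */
    tag = parse_packet_header(buf, len, &hl, &bl);
    if (tag == 6 || tag == 5)
        return KEYRING_FMT_RAW;
    return KEYRING_FMT_UNKNOWN;
}

/* Constructed samples (not real keys). */
const unsigned char SAMPLE_ARMORED[] =
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: example\n\n";
/* 0x99 = old format, tag 6, 2-byte length; body of 3 placeholder bytes. */
const unsigned char SAMPLE_BINARY[] = { 0x99, 0x00, 0x03, 0x04, 0x00, 0x00 };
/* 0xC6 = new format, tag 6, 1-byte length 2; body of 2 placeholder bytes. */
const unsigned char SAMPLE_NEWFMT[] = { 0xC6, 0x02, 0x04, 0x00 };
/* Header claims a 16-byte body but only 1 byte follows: must be rejected. */
const unsigned char SAMPLE_TRUNCATED[] = { 0x99, 0x00, 0x10, 0x04 };

int main(void)
{
    static const char *names[] = { "RAW", "BASE64", "UNKNOWN" };
    printf("armored:   %s\n", names[sniff_keyring_format(SAMPLE_ARMORED, sizeof(SAMPLE_ARMORED) - 1)]);
    printf("binary:    %s\n", names[sniff_keyring_format(SAMPLE_BINARY, sizeof(SAMPLE_BINARY))]);
    printf("new-fmt:   %s\n", names[sniff_keyring_format(SAMPLE_NEWFMT, sizeof(SAMPLE_NEWFMT))]);
    printf("truncated: %s\n", names[sniff_keyring_format(SAMPLE_TRUNCATED, sizeof(SAMPLE_TRUNCATED))]);
    return 0;
}
```

In a GnuTLS build that still ships OpenPGP support (it was removed in 3.6), the sniffed value selects the `format` argument of `gnutls_openpgp_keyring_import()`. Even then, the defensive check that would have caught David's case is to call `gnutls_openpgp_keyring_get_crt_count()` after a successful import and treat a count of zero as a configuration error before ever calling `gnutls_openpgp_crt_verify_ring()`: an empty ring can only ever answer "no signer found", which is indistinguishable from a genuinely unsigned client key.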
