[gnutls-help] Problem Using gnutls_openpgp_crt_verify_ring .. cdk_pk_check_sigs

Rogers, David davidrogers at usf.edu
Mon Dec 23 23:53:05 CET 2013


Hello!

  I'm trying to write server code to verify a client's OpenPGP key inside gnutls.  The key exchange works fine, but the server's call
to gnutls_openpgp_crt_verify_ring always returns CDK_KEY_NOSIGNER. (on GNUTLS_DEBUG_LEVEL=9)

gnutls[9]: signature good: signer 03357392 keyid 03357392
gnutls[2]: ASSERT: keydb.c:866
gnutls[2]: ASSERT: keydb.c:1237
gnutls[9]: signature good: signer 262B259C keyid 03357392
gnutls[2]: status: 8
gnutls[2]: ASSERT: keydb.c:866
gnutls[2]: ASSERT: keydb.c:1237
gnutls[2]: PGP: key not found 03357392

gnutls_certificate_verification_status_print -->
The certificate is NOT trusted. The certificate is not trusted. Could not find a signer of the certificate.

gnutls_openpgp_crt_verify_ring(crt, keyring, flag, &status)
attempts to verify all the signatures in the crt against the public keys listed in "keyring"

It calls:
lib/openpgp/pgpverify.c:68 : rc = cdk_pk_check_sigs(key->knode, keyring->db, &status);
(lib/opencdk/sig-check.c:454)
which steps through all CDK_PKT_SIGNATURE-s in the key packet,
running rc = _cdk_pk_check_sig(keydb, key, node, &is_selfsig, &uid_name);
on each.  Those calls are the sources of the individual "GOOD" verification signatures above.

I think the trouble is that it has some impossible requirements on the signers (line 509):
verification must be ok AND the signature must not be a self-sig.

But the self-sigs have to be good, or else the algo. fails.  So, the self-sigs it adds to the "uid_list" make the final "uid_list_all_signed"
check (on line 522) fail, resulting in CDK_KEY_NOSIGNER.  For the algo to be correct, the self-sigs should not be added to the final list check.  I'm not even sure what the uid_list check is for...

  FWIW, I would rather see a "int gnutls_openpgp_crt_verify_signer(gnutls_openpgp_crt_t key, gnutls_openpgp_crt_t signer, unsigned int *verify)" test that would take an gnutls_openpgp_crt_t 'cert' from the client and an gnutls_openpgp_crt_t  'signer' holding the signer's public key and check that
1) the client cert's self-signs are valid
2) the client cert has at least one valid signature from the provided 'signer' pubkey

~ David.

(both client and server)
#define KEYFILE "/Users/rogers/.gnupg/kubotan-key.asc"
#define CERTFILE "/Users/rogers/.gnupg/kubotan.asc"
#define RINGFILE "/Users/rogers/.gnupg/pubring.gpg"

pub   2048R/262B259C 2013-12-20
uid                  David M. Rogers <predictivestatmech-gmail.com<http://predictivestatmech-gmail.com>>
sig 3        262B259C 2013-12-20  David M. Rogers <predictivestatmech-gmail.com<http://predictivestatmech-gmail.com>>
sub   2048R/E494F149 2013-12-20
sig          262B259C 2013-12-20  David M. Rogers <predictivestatmech-gmail.com<http://predictivestatmech-gmail.com>>

pub   2048R/03357392 2013-12-20 [expires: 2016-12-19]
uid                  kubotan (MBPR Laptop) <davidrogers-usf.edu<http://davidrogers-usf.edu>>
sig 3        03357392 2013-12-20  kubotan (MBPR Laptop) <davidrogers-usf.edu<http://davidrogers-usf.edu>>
sig          262B259C 2013-12-20  David M. Rogers <predictivestatmech-gmail.com<http://predictivestatmech-gmail.com>>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20131223/40d55255/attachment-0001.html>


More information about the Gnutls-help mailing list