[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, gnutls_2_8_x, updated. gnutls_2_8_5-13-gf3ec62e
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, gnutls_2_8_x, updated. gnutls_2_8_5-13-gf3ec62e |
Date: |
Tue, 12 Jan 2010 19:20:46 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=f3ec62e4e89a379294704b655c466deff5443443
The branch, gnutls_2_8_x has been updated
via f3ec62e4e89a379294704b655c466deff5443443 (commit)
via c8fda46e9fe83e8898b03b8930e382e40622f70f (commit)
via e3741ba25778fe588992d5e4fcccce7604705260 (commit)
from fd29562630a701fadbfbf316ce323a248a3ccd43 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit f3ec62e4e89a379294704b655c466deff5443443
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Jan 12 20:20:30 2010 +0100
When checking self signature also check the signatures of all subkeys.
Ilari Liusvaara noticed and reported the issue and provided test vectors as
well.
certtool --pgp-certificate-info will check self signatures.
Added self tests for self-sigs.
commit c8fda46e9fe83e8898b03b8930e382e40622f70f
Merge: e3741ba25778fe588992d5e4fcccce7604705260
fd29562630a701fadbfbf316ce323a248a3ccd43
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Jan 12 19:52:39 2010 +0100
Merge branch 'gnutls_2_8_x' of ssh://git.sv.gnu.org/srv/git/gnutls into
gnutls_2_8_x
commit e3741ba25778fe588992d5e4fcccce7604705260
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Nov 28 00:41:46 2009 +0200
Corrected two issues that affected certificate request generation.
1. Null padding is added on integers (found thanks to Wilankar Trupti
<address@hidden>)
2. In optional SignatureAlgorithm parameters field for DSA keys the DSA
parameters were added. Those
were rejected by verisign. Gnutls no longer adds those parameters there
since other implementations
don't do either and having them does not seem to offer anything (anyway you
need the signer's certificate
to verify thus public key will be available).
-----------------------------------------------------------------------
Summary of changes:
NEWS | 3 +
lib/opencdk/sig-check.c | 80 +++++++++++--------
lib/x509/mpi.c | 49 ++++---------
src/certtool.c | 18 ++++-
tests/openpgp-certs/Makefile.am | 10 ++-
.../selfsigs/alice-mallory-badsig18.pub | Bin 0 -> 1118 bytes
.../selfsigs/alice-mallory-irrelevantsig.pub | Bin 0 -> 1071 bytes
.../selfsigs/alice-mallory-nosig18.pub | Bin 0 -> 971 bytes
tests/openpgp-certs/selfsigs/alice.pub | Bin 0 -> 1118 bytes
tests/openpgp-certs/testselfsigs | 24 ++++++
10 files changed, 110 insertions(+), 74 deletions(-)
create mode 100644 tests/openpgp-certs/selfsigs/alice-mallory-badsig18.pub
create mode 100644 tests/openpgp-certs/selfsigs/alice-mallory-irrelevantsig.pub
create mode 100644 tests/openpgp-certs/selfsigs/alice-mallory-nosig18.pub
create mode 100644 tests/openpgp-certs/selfsigs/alice.pub
create mode 100755 tests/openpgp-certs/testselfsigs
diff --git a/NEWS b/NEWS
index b36d363..60ad12b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
* Version 2.8.6 (unreleased)
+** libgnutls: When checking openpgp self signature also check the signatures
of all subkeys.
+Ilari Liusvaara noticed and reported the issue and provided test vectors as
well.
+
** libgnutls: Cleanups and several bug fixes.
Found by Steve Grubb and Tomas Mraz.
diff --git a/lib/opencdk/sig-check.c b/lib/opencdk/sig-check.c
index 3800729..9cebf16 100644
--- a/lib/opencdk/sig-check.c
+++ b/lib/opencdk/sig-check.c
@@ -288,7 +288,8 @@ _cdk_pk_check_sig (cdk_keydb_hd_t keydb,
if (is_selfsig)
*is_selfsig = 0;
- if (knode->pkt->pkttype != CDK_PKT_PUBLIC_KEY ||
+ if ((knode->pkt->pkttype != CDK_PKT_PUBLIC_KEY &&
+ knode->pkt->pkttype != CDK_PKT_PUBLIC_SUBKEY) ||
snode->pkt->pkttype != CDK_PKT_SIGNATURE)
{
gnutls_assert ();
@@ -591,45 +592,56 @@ cdk_pk_check_self_sig (cdk_kbnode_t key, int *r_status)
cdk_error_t rc;
u32 keyid[2], sigid[2];
int is_selfsig, sig_ok;
+ cdk_kbnode_t p, ctx = NULL;
+ cdk_packet_t pkt;
if (!key || !r_status)
return CDK_Inv_Value;
- node = cdk_kbnode_find (key, CDK_PKT_PUBLIC_KEY);
- if (!node)
- return CDK_Error_No_Key;
- /* FIXME: we should set expire/revoke here also but callers
- expect CDK_KEY_VALID=0 if the key is okay. */
cdk_pk_get_keyid (key->pkt->pkt.public_key, keyid);
- sig_ok = 0;
- for (node = key; node; node = node->next)
- {
- if (node->pkt->pkttype != CDK_PKT_SIGNATURE)
- continue;
- sig = node->pkt->pkt.signature;
- if (!IS_UID_SIG (sig))
- continue;
- cdk_sig_get_keyid (sig, sigid);
- if (sigid[0] != keyid[0] || sigid[1] != keyid[1])
- continue;
- /* FIXME: Now we check all self signatures. */
- rc = _cdk_pk_check_sig (NULL, key, node, &is_selfsig, NULL);
- if (rc)
- {
- *r_status = CDK_KEY_INVALID;
- return rc;
- }
- else /* For each valid self sig we increase this
counter. */
- sig_ok++;
- }
- /* A key without a self signature is not valid. */
- if (!sig_ok)
+ while ((p = cdk_kbnode_walk (key, &ctx, 0)))
{
- *r_status = CDK_KEY_INVALID;
- return CDK_General_Error;
+ pkt = cdk_kbnode_get_packet (p);
+ if (pkt->pkttype != CDK_PKT_PUBLIC_SUBKEY && pkt->pkttype !=
CDK_PKT_PUBLIC_KEY)
+ continue;
+
+ /* FIXME: we should set expire/revoke here also but callers
+ expect CDK_KEY_VALID=0 if the key is okay. */
+ sig_ok = 0;
+ for (node = p; node; node = node->next)
+ {
+ if (node->pkt->pkttype != CDK_PKT_SIGNATURE)
+ continue;
+ sig = node->pkt->pkt.signature;
+
+ cdk_sig_get_keyid (sig, sigid);
+ if (sigid[0] != keyid[0] || sigid[1] != keyid[1])
+ continue;
+ /* FIXME: Now we check all self signatures. */
+ rc = _cdk_pk_check_sig (NULL, p, node, &is_selfsig, NULL);
+ if (rc)
+ {
+ *r_status = CDK_KEY_INVALID;
+ return rc;
+ }
+ else /* For each valid self sig we increase this
counter. */
+ sig_ok++;
+ }
+
+ /* A key without a self signature is not valid. At least one
+ * signature for the given key has to be found.
+ */
+ if (!sig_ok)
+ {
+ *r_status = CDK_KEY_INVALID;
+ return CDK_General_Error;
+ }
+
}
- /* No flags indicate a valid key. */
- *r_status = CDK_KEY_VALID;
- return 0;
+
+ /* No flags indicate a valid key. */
+ *r_status = CDK_KEY_VALID;
+
+ return 0;
}
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index c4d8650..49f3a47 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -380,14 +380,14 @@ _gnutls_x509_write_rsa_params (bigint_t * params, int
params_size,
return _gnutls_asn2err (result);
}
- result = _gnutls_x509_write_int (spk, "modulus", params[0], 0);
+ result = _gnutls_x509_write_int (spk, "modulus", params[0], 1);
if (result < 0)
{
gnutls_assert ();
goto cleanup;
}
- result = _gnutls_x509_write_int (spk, "publicExponent", params[1], 0);
+ result = _gnutls_x509_write_int (spk, "publicExponent", params[1], 1);
if (result < 0)
{
gnutls_assert ();
@@ -448,36 +448,15 @@ _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char
*dst_name,
_gnutls_str_cpy (name, sizeof (name), dst_name);
_gnutls_str_cat (name, sizeof (name), ".parameters");
- if (pk_algorithm == GNUTLS_PK_DSA)
- {
- result = _gnutls_x509_write_dsa_params (params, params_size, &der);
- if (result < 0)
- {
- gnutls_assert ();
- return result;
- }
+ result = asn1_write_value (dst, name, NULL, 0);
- result = asn1_write_value (dst, name, der.data, der.size);
- _gnutls_free_datum (&der);
-
- if (result != ASN1_SUCCESS)
- {
- gnutls_assert ();
- return _gnutls_asn2err (result);
- }
- }
- else
- { /* RSA */
- result = asn1_write_value (dst, name, NULL, 0);
-
- if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND)
- {
- /* Here we ignore the element not found error, since this
- * may have been disabled before.
- */
- gnutls_assert ();
- return _gnutls_asn2err (result);
- }
+ if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND)
+ {
+ /* Here we ignore the element not found error, since this
+ * may have been disabled before.
+ */
+ gnutls_assert ();
+ return _gnutls_asn2err (result);
}
return 0;
@@ -514,21 +493,21 @@ _gnutls_x509_write_dsa_params (bigint_t * params, int
params_size,
return _gnutls_asn2err (result);
}
- result = _gnutls_x509_write_int (spk, "p", params[0], 0);
+ result = _gnutls_x509_write_int (spk, "p", params[0], 1);
if (result < 0)
{
gnutls_assert ();
goto cleanup;
}
- result = _gnutls_x509_write_int (spk, "q", params[1], 0);
+ result = _gnutls_x509_write_int (spk, "q", params[1], 1);
if (result < 0)
{
gnutls_assert ();
goto cleanup;
}
- result = _gnutls_x509_write_int (spk, "g", params[2], 0);
+ result = _gnutls_x509_write_int (spk, "g", params[2], 1);
if (result < 0)
{
gnutls_assert ();
@@ -580,7 +559,7 @@ _gnutls_x509_write_dsa_public_key (bigint_t * params, int
params_size,
return _gnutls_asn2err (result);
}
- result = _gnutls_x509_write_int (spk, "", params[3], 0);
+ result = _gnutls_x509_write_int (spk, "", params[3], 1);
if (result < 0)
{
gnutls_assert ();
diff --git a/src/certtool.c b/src/certtool.c
index c4e92fa..5693cf2 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1088,6 +1088,7 @@ pgp_certificate_info (void)
size_t size;
int ret;
gnutls_datum_t pem, out_data;
+ unsigned int verify_status;
pem.data = fread_file (infile, &size);
pem.size = size;
@@ -1114,6 +1115,22 @@ pgp_certificate_info (void)
}
}
+
+ ret = gnutls_openpgp_crt_verify_self(crt, 0, &verify_status);
+ if (ret < 0)
+ {
+ error (EXIT_FAILURE, 0, "verify signature error: %s", gnutls_strerror
(ret));
+ }
+
+ if (verify_status & GNUTLS_CERT_INVALID)
+ {
+ fprintf (outfile, "Self Signature verification: failed\n\n");
+ }
+ else
+ {
+ fprintf (outfile, "Self Signature verification: ok (%x)\n\n",
verify_status);
+ }
+
size = sizeof (buffer);
ret = gnutls_openpgp_crt_export (crt, info.outcert_format, buffer, &size);
if (ret < 0)
@@ -1123,7 +1140,6 @@ pgp_certificate_info (void)
}
fprintf (outfile, "%s\n", buffer);
-
gnutls_openpgp_crt_deinit (crt);
}
diff --git a/tests/openpgp-certs/Makefile.am b/tests/openpgp-certs/Makefile.am
index d437dc5..76fbf3a 100644
--- a/tests/openpgp-certs/Makefile.am
+++ b/tests/openpgp-certs/Makefile.am
@@ -21,13 +21,15 @@ if ENABLE_OPENPGP
EXTRA_DIST = ca-public.gpg srv-public-all-signed.gpg srv-secret.gpg \
ca-secret.gpg srv-public.gpg srv-public-127.0.0.1-signed.gpg \
- srv-public-localhost-signed.gpg
+ srv-public-localhost-signed.gpg selfsigs/alice-mallory-badsig18.pub \
+ selfsigs/alice-mallory-irrelevantsig.pub
selfsigs/alice-mallory-nosig18.pub \
+ selfsigs/alice.pub
# The selftest is disabled until we can make it work under Wine and
# under Debian buildds (problem with 127.0.0.2?). Just extra-dist it
# for now.
-EXTRA_DIST += testcerts
-#dist_check_SCRIPTS = testcerts
-#TESTS = testcerts
+EXTRA_DIST += testcerts testselfsigs
+dist_check_SCRIPTS = testselfsigs #testcerts
+TESTS = testselfsigs #testcerts
endif
diff --git a/tests/openpgp-certs/selfsigs/alice-mallory-badsig18.pub
b/tests/openpgp-certs/selfsigs/alice-mallory-badsig18.pub
new file mode 100644
index 0000000..dd4dab1
Binary files /dev/null and
b/tests/openpgp-certs/selfsigs/alice-mallory-badsig18.pub differ
diff --git a/tests/openpgp-certs/selfsigs/alice-mallory-irrelevantsig.pub
b/tests/openpgp-certs/selfsigs/alice-mallory-irrelevantsig.pub
new file mode 100644
index 0000000..03caa9d
Binary files /dev/null and
b/tests/openpgp-certs/selfsigs/alice-mallory-irrelevantsig.pub differ
diff --git a/tests/openpgp-certs/selfsigs/alice-mallory-nosig18.pub
b/tests/openpgp-certs/selfsigs/alice-mallory-nosig18.pub
new file mode 100644
index 0000000..59f077a
Binary files /dev/null and
b/tests/openpgp-certs/selfsigs/alice-mallory-nosig18.pub differ
diff --git a/tests/openpgp-certs/selfsigs/alice.pub
b/tests/openpgp-certs/selfsigs/alice.pub
new file mode 100644
index 0000000..399a0ba
Binary files /dev/null and b/tests/openpgp-certs/selfsigs/alice.pub differ
diff --git a/tests/openpgp-certs/testselfsigs b/tests/openpgp-certs/testselfsigs
new file mode 100755
index 0000000..51acd86
--- /dev/null
+++ b/tests/openpgp-certs/testselfsigs
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${certtool:-../../src/certtool} -q"
+unset RETCODE
+
+fail() {
+ echo "Failure: $1" >&2
+ RETCODE=${RETCODE:-${2:-1}}
+}
+
+echo "Checking OpenPGP certificate self verification"
+
+( $CERTTOOL --pgp-certificate-info <$srcdir/selfsigs/alice.pub | grep -e
"^Self Signature verification: ok" ) >/dev/null ||
+ fail "Self sig Verification should have succeeded!"
+
+( $CERTTOOL --pgp-certificate-info
<$srcdir/selfsigs/alice-mallory-badsig18.pub | grep -e "^Self Signature
verification: failed" ) >/dev/null ||
+ fail "Self sig Verification should have failed!"
+( $CERTTOOL --pgp-certificate-info
<$srcdir/selfsigs/alice-mallory-irrelevantsig.pub | grep -e "^Self Signature
verification: failed" ) >/dev/null ||
+ fail "Self sig Verification should have failed!"
+( $CERTTOOL --pgp-certificate-info <$srcdir/selfsigs/alice-mallory-nosig18.pub
| grep -e "^Self Signature verification: failed" ) >/dev/null ||
+ fail "Self sig Verification should have failed!"
+
+exit ${RETCODE:-0}
hooks/post-receive
--
GNU gnutls
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, gnutls_2_8_x, updated. gnutls_2_8_5-13-gf3ec62e,
Nikos Mavrogiannopoulos <=