From: Simon Josefsson
Subject: [Help-gnutls] Re: Certificate verification when using OpenPGP certificates
Date: Thu, 15 Mar 2007 12:40:49 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.94 (gnu/linux)

Matthias Wimmer <address@hidden> writes:

> Hi!
>
> Is there any example or documentation how to do certificate
> verification, if the peer used an OpenPGP key to authenticate? The
> OpenPGP example distributed with GnuTLS (ex-serv-pgp.c) does not do
> any verification.
>
> I guess that I have to use gnutls_certificate_verify_peers2() first
> and if that succeeds, all that is left to do is to check if the
> OpenPGP key contains one ID that matches what I expect the peer to be.
> Do I have to check anything else? E.g. expiration of the key (as I
> would have to do with X.509 certificates, but there does not seem to
> be a function for that) or the self signature of the key (I'd expect
> that this might already been done by
> gnutls_certificate_verify_peers2())?

I don't really know.  The draft-ietf-tls-openpgp-keys-11.txt document says:

   Considerations about the use of the web of trust or identity and
   certificate verification procedure are outside the scope of this
   document.  These are considered issues to be handled by the
   application layer protocols.

So it doesn't give much guidance.  gnutls_certificate_verify_peers2,
via _gnutls_openpgp_verify_key, does check signatures against the
keyring/trustdb, and the self signature, but nothing else as far as I can
tell.

The code for gnutls-serv, see print_openpgp_info src/common.c,
suggests several checks.  Identity check:

          if (gnutls_openpgp_key_check_hostname (crt, hostname) == 0)
            {
              printf
                (" # The hostname in the key does NOT match '%s'.\n",
                 hostname);
            }
          else
            {
              printf (" # The hostname in the key matches '%s'.\n", hostname);
            }

Expiration check:

      activet = gnutls_openpgp_key_get_creation_time (crt);
      expiret = gnutls_openpgp_key_get_expiration_time (crt);

      printf (" # Key was created at: %s", my_ctime (&activet));
      printf (" # Key expires: ");
      if (expiret != 0)
        printf ("%s", my_ctime (&expiret));
      else
        printf ("Never\n");

Possibly we could add an API to GnuTLS to check these things too.  It
seems error prone that every application needs to do the same kind of
checks.  Maybe even gnutls_certificate_verify_peers2 should do this.

/Simon
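The sequence Simon outlines (trust and self-signature via gnutls_certificate_verify_peers2, then creation/expiration time, then a user ID against the expected hostname), as an added example that is not from this thread or from GnuTLS itself. The policy decision is a plain function that runs anywhere; the GnuTLS glue is guarded by an assumed HAVE_GNUTLS macro and uses the 1.x-era gnutls_openpgp_key_* API named in the mail.

```c
#include <time.h>
/* Outcome of the peer check, in the order the checks are applied. */
enum pgp_peer_result {
    PGP_PEER_OK = 0,
    PGP_PEER_BAD_SIGNATURE,  /* verify_peers2 status bitmask was non-zero */
    PGP_PEER_NOT_YET_VALID,  /* creation time lies in the future */
    PGP_PEER_EXPIRED,        /* expiration time reached (0 means "never") */
    PGP_PEER_WRONG_IDENTITY  /* no user ID matched the expected hostname */
};
/* Pure policy over the values GnuTLS returns: the status bitmask from
 * gnutls_certificate_verify_peers2 (0 = trusted, self-signature good), the
 * key's creation/expiration times, and the non-zero result of
 * gnutls_openpgp_key_check_hostname.  Trust is tested first so a matching
 * hostname on an untrusted key never counts for anything. */
enum pgp_peer_result check_openpgp_peer(unsigned int verify_status,
                                        time_t created, time_t expires,
                                        int hostname_matches, time_t now)
{
    if (verify_status != 0)
        return PGP_PEER_BAD_SIGNATURE;
    if (created > now)
        return PGP_PEER_NOT_YET_VALID;
    if (expires != 0 && now >= expires)
        return PGP_PEER_EXPIRED;
    if (!hostname_matches)
        return PGP_PEER_WRONG_IDENTITY;
    return PGP_PEER_OK;
}
#ifdef HAVE_GNUTLS /* assumption: build with -DHAVE_GNUTLS against GnuTLS 1.x */
#include <gnutls/gnutls.h>
#include <gnutls/openpgp.h>
/* Glue: pull the three inputs out of a handshaked session, apply the policy. */
enum pgp_peer_result check_openpgp_session(gnutls_session_t s, const char *host)
{
    unsigned int status, n;
    const gnutls_datum_t *peers;
    gnutls_openpgp_key_t crt;
    enum pgp_peer_result r = PGP_PEER_BAD_SIGNATURE;
    if (gnutls_certificate_type_get(s) != GNUTLS_CRT_OPENPGP) return r;
    if (gnutls_certificate_verify_peers2(s, &status) < 0) return r;
    peers = gnutls_certificate_get_peers(s, &n);
    if (peers == NULL || n == 0) return r;
    gnutls_openpgp_key_init(&crt);
    if (gnutls_openpgp_key_import(crt, &peers[0], GNUTLS_OPENPGP_FMT_RAW) == 0)
        r = check_openpgp_peer(status, gnutls_openpgp_key_get_creation_time(crt),
                               gnutls_openpgp_key_get_expiration_time(crt),
                               gnutls_openpgp_key_check_hostname(crt, host), time(NULL));
    gnutls_openpgp_key_deinit(crt);
    return r;
}
#endif
```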