Exported gnutls_certificate_get_peers_subkey_id().
Removed compatibility code with RFC5081.
The gnutls_openpgp_*_get_subkey_*() functions return the master key parameters if provided with GNUTLS_OPENPGP_MASTER_KEYID_IDX.
OCSP certificate status request extensions by default. The flag
GNUTLS_NO_EXTENSIONS can be used to prevent that.
+** libgnutls: Compatibility code with RFC5081 was removed. The OpenPGP
+code now is RFC6091 compliant only.
+
** libgnutls-dane: Added. It is a library to provide DANE with DNSSEC
certificate verification.
** certtool: The --dane-tlsa-rr option generates DANE TLSA Resource Records (RR).
** API and ABI modifications:
+gnutls_certificate_get_peers_subkey_id: Added
gnutls_certificate_set_ocsp_status_request_function: Added
gnutls_certificate_set_ocsp_status_request_file: Added
gnutls_ocsp_status_request_enable_client: Added
* exported certificate struct (cert_auth_info_t)
*/
static int
-_gnutls_copy_certificate_auth_info (cert_auth_info_t info, gnutls_pcert_st * certs, size_t ncerts, int subkey_used, /* openpgp only */
+_gnutls_copy_certificate_auth_info (cert_auth_info_t info, gnutls_pcert_st * certs, size_t ncerts, /* openpgp only */
void *keyid)
{
/* Copy peer's information to auth_info_t
#ifdef ENABLE_OPENPGP
if (certs[0].type == GNUTLS_CRT_OPENPGP)
{
- info->use_subkey = subkey_used;
if (keyid)
memcpy (info->subkey_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE);
}
}
enum PGPKeyDescriptorType
-{ PGP_KEY_FINGERPRINT, PGP_KEY, PGP_KEY_SUBKEY, PGP_KEY_FINGERPRINT_SUBKEY };
+{ PGP_EMPTY_KEY=1, PGP_KEY_SUBKEY, PGP_KEY_FINGERPRINT_SUBKEY };
#ifdef ENABLE_OPENPGP
static int
uint8_t type;
uint8_t fpr[20];
size_t fpr_size;
- unsigned int use_subkey = 0;
/* find the appropriate certificate */
if ((ret =
fpr_size = sizeof (fpr);
ret =
gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr,
- &fpr_size, &use_subkey);
+ &fpr_size, NULL);
if (ret < 0)
return gnutls_assert_val (ret);
- if (use_subkey != 0)
- ret += 1 + fpr_size; /* for the keyid */
+ ret += 1 + fpr_size; /* for the keyid */
ret += apr_cert_list[0].cert.size;
}
if (apr_cert_list_length > 0)
{
- if (use_subkey != 0)
- {
- type = PGP_KEY_SUBKEY;
+ type = PGP_KEY_SUBKEY;
- ret = _gnutls_buffer_append_data (data, &type, 1);
- if (ret < 0)
- return gnutls_assert_val (ret);
+ ret = _gnutls_buffer_append_data (data, &type, 1);
+ if (ret < 0)
+ return gnutls_assert_val (ret);
- ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
- if (ret < 0)
- return gnutls_assert_val (ret);
- }
- else
- {
- type = PGP_KEY;
- ret = _gnutls_buffer_append_data (data, &type, 1);
- if (ret < 0)
- return gnutls_assert_val (ret);
- }
+ ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
+ if (ret < 0)
+ return gnutls_assert_val (ret);
ret =
_gnutls_buffer_append_data_prefix (data, 24,
}
else /* empty - no certificate */
{
- type = PGP_KEY;
+ type = PGP_EMPTY_KEY;
ret = _gnutls_buffer_append_data (data, &type, 1);
if (ret < 0)
gnutls_pcert_st *apr_cert_list;
gnutls_privkey_t apr_pkey;
int apr_cert_list_length;
- unsigned int use_subkey = 0;
/* find the appropriate certificate */
if ((ret =
fpr_size = sizeof (fpr);
ret =
gnutls_pubkey_get_openpgp_key_id (apr_cert_list[0].pubkey, 0, fpr,
- &fpr_size, &use_subkey);
+ &fpr_size, NULL);
if (ret < 0)
return gnutls_assert_val (ret);
packet_size = 3 + 1;
-
- if (use_subkey)
- packet_size += 1 + fpr_size; /* for the keyid */
+ packet_size += 1 + fpr_size; /* for the keyid */
/* Only v4 fingerprints are sent
*/
if (ret < 0)
return gnutls_assert_val (ret);
- if (use_subkey)
- {
- type = PGP_KEY_FINGERPRINT_SUBKEY;
- ret = _gnutls_buffer_append_data (data, &type, 1);
- if (ret < 0)
- return gnutls_assert_val (ret);
-
- ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
- if (ret < 0)
- return gnutls_assert_val (ret);
- }
- else
- {
- type = PGP_KEY_FINGERPRINT; /* key fingerprint */
- ret = _gnutls_buffer_append_data (data, &type, 1);
- if (ret < 0)
- return gnutls_assert_val (ret);
- }
-
- fpr_size = sizeof (fpr);
- if ((ret =
- _gnutls_openpgp_fingerprint (&apr_cert_list[0].cert, fpr,
- &fpr_size)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ type = PGP_KEY_FINGERPRINT_SUBKEY;
+ ret = _gnutls_buffer_append_data (data, &type, 1);
+ if (ret < 0)
+ return gnutls_assert_val (ret);
ret = _gnutls_buffer_append_data_prefix (data, 8, fpr, fpr_size);
if (ret < 0)
if ((ret =
_gnutls_copy_certificate_auth_info (info,
peer_certificate_list,
- peer_certificate_list_size, 0,
+ peer_certificate_list_size,
NULL)) < 0)
{
gnutls_assert ();
gnutls_pcert_st *peer_certificate_list = NULL;
gnutls_datum_t tmp, akey = { NULL, 0 };
uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE];
- unsigned int subkey_id_set = 0;
cred = (gnutls_certificate_credentials_t)
_gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
DECR_LEN (dsize, GNUTLS_OPENPGP_KEYID_SIZE);
memcpy (subkey_id, p, GNUTLS_OPENPGP_KEYID_SIZE);
p += GNUTLS_OPENPGP_KEYID_SIZE;
-
- subkey_id_set = 1;
-
}
- /* read the actual key or fingerprint */
- if (key_type == PGP_KEY_FINGERPRINT ||
- key_type == PGP_KEY_FINGERPRINT_SUBKEY)
- { /* the fingerprint */
-
+ if (key_type == PGP_KEY_FINGERPRINT_SUBKEY)
+ {
DECR_LEN (dsize, 1);
len = (uint8_t) * p;
p++;
}
tmp = akey;
}
- else if (key_type == PGP_KEY || key_type == PGP_KEY_SUBKEY)
+ else if (key_type == PGP_KEY_SUBKEY)
{ /* the whole key */
/* Read the actual certificate */
{
gnutls_assert ();
/* no certificate was sent */
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
DECR_LEN (dsize, len);
tmp.data = p;
}
+ else if (key_type == PGP_EMPTY_KEY)
+ { /* the whole key */
+
+ /* Read the actual certificate */
+ DECR_LEN (dsize, 3);
+ len = _gnutls_read_uint24 (p);
+ p += 3;
+
+ if (len != 0) /* PGP_EMPTY_KEY */
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+ else
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
+ }
else
{
gnutls_assert ();
/* ok we now have the peer's key in tmp datum
*/
peer_certificate_list =
- gnutls_calloc (1,
- sizeof (gnutls_pcert_st));
+ gnutls_calloc (1, sizeof (gnutls_pcert_st));
if (peer_certificate_list == NULL)
{
gnutls_assert ();
gnutls_pcert_import_openpgp_raw (&peer_certificate_list[0],
&tmp,
GNUTLS_OPENPGP_FMT_RAW,
- (subkey_id_set != 0) ? subkey_id : NULL,
+ subkey_id,
0);
if (ret < 0)
{
ret =
_gnutls_copy_certificate_auth_info (info,
peer_certificate_list,
- 1,
- subkey_id_set,
- (subkey_id_set !=
- 0) ? subkey_id : NULL);
+ 1, subkey_id);
if (ret < 0)
{
gnutls_assert ();
gnutls_certificate_type_t cert_type;
#ifdef ENABLE_OPENPGP
- int use_subkey;
uint8_t subkey_id[GNUTLS_OPENPGP_KEYID_SIZE];
#endif
} *cert_auth_info_t;
return gnutls_pcert_import_openpgp_raw(pcert,
&info->raw_certificate_list[0],
GNUTLS_OPENPGP_FMT_RAW,
- info->use_subkey ? info->
- subkey_id : NULL, GNUTLS_PCERT_NO_CERT);
+ info->subkey_id, GNUTLS_PCERT_NO_CERT);
#endif
default:
gnutls_assert ();
* replaced by the actual size of parameters)
* @subkey: Will be non zero if the key ID corresponds to a subkey
*
- * This function will return a unique ID the depends on the public
- * key parameters. This ID can be used in checking whether a
- * certificate corresponds to the given public key.
+ * This function returned the OpenPGP key ID of the corresponding key.
+ * The key is a unique ID the depends on the public
+ * key parameters.
*
* If the buffer provided is not long enough to hold the output, then
* *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
- * be returned. The output will normally be a SHA-1 hash output,
- * which is 20 bytes.
+ * be returned. The output is %GNUTLS_OPENPGP_KEYID_SIZE bytes long.
*
* Returns: In case of failure a negative error code will be
* returned, and 0 on success.
return info->raw_certificate_list;
}
+/**
+ * gnutls_certificate_get_peers_subkey_id:
+ * @session: is a gnutls session
+ * @id: will contain the ID
+ *
+ * Get the peer's subkey ID when OpenPGP certificates are
+ * used. The returned @id should be treated as constant.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
+ * an error code is returned.
+ **/
+int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
+ gnutls_datum_t *id)
+{
+ cert_auth_info_t info;
+
+ CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
+
+ info = _gnutls_get_auth_info (session);
+ if (info == NULL)
+ return GNUTLS_E_INVALID_REQUEST;
+
+ id->data = info->subkey_id;
+ id->size = GNUTLS_OPENPGP_KEYID_SIZE;
+
+ return 0;
+}
/**
* gnutls_certificate_client_get_request_status:
const gnutls_datum_t *gnutls_certificate_get_ours (gnutls_session_t
session);
+ int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
+ gnutls_datum_t *id);
+
time_t gnutls_certificate_activation_time_peers (gnutls_session_t session);
time_t gnutls_certificate_expiration_time_peers (gnutls_session_t session);
#define GNUTLS_OPENPGP_H
#include <gnutls/gnutls.h>
+#include <limits.h>
#ifdef __cplusplus
extern "C"
/* The key_usage flags are defined in gnutls.h. They are
* the GNUTLS_KEY_* definitions.
*/
+#define GNUTLS_OPENPGP_MASTER_KEYID_IDX INT_MAX
+
int gnutls_openpgp_crt_get_key_usage (gnutls_openpgp_crt_t key,
unsigned int *key_usage);
int gnutls_openpgp_crt_get_fingerprint (gnutls_openpgp_crt_t key, void *fpr,
gnutls_pkcs12_export2;
gnutls_pubkey_import_openpgp_raw;
gnutls_pubkey_import_x509_raw;
+ gnutls_certificate_get_peers_subkey_id;
} GNUTLS_3_0_0;
GNUTLS_PRIVATE {
int idx;
idx = gnutls_openpgp_crt_get_subkey_idx (key, keyid);
- algo =
- gnutls_openpgp_crt_get_subkey_pk_algorithm (key, idx, NULL);
- }
- else
- {
- pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_PUBLIC_KEY);
- if (pkt)
+ if (idx != GNUTLS_OPENPGP_MASTER_KEYID_IDX)
{
- if (bits)
- *bits = cdk_pk_get_nbits (pkt->pkt.public_key);
- algo = _gnutls_openpgp_get_algo (pkt->pkt.public_key->pubkey_algo);
+ algo =
+ gnutls_openpgp_crt_get_subkey_pk_algorithm (key, idx, bits);
+ return algo;
}
}
+ pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_PUBLIC_KEY);
+ if (pkt)
+ {
+ if (bits)
+ *bits = cdk_pk_get_nbits (pkt->pkt.public_key);
+ algo = _gnutls_openpgp_get_algo (pkt->pkt.public_key->pubkey_algo);
+ }
+
return algo;
}
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_revoked_status(key);
+
pkt = _get_public_subkey (key, idx);
if (!pkt)
return GNUTLS_E_OPENPGP_GETKEY_FAILED;
return GNUTLS_PK_UNKNOWN;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_pk_algorithm(key, bits);
+
pkt = _get_public_subkey (key, idx);
algo = 0;
if (!key)
return (time_t) - 1;
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_creation_time(key);
+
pkt = _get_public_subkey (key, idx);
if (pkt)
timestamp = pkt->pkt.public_key->timestamp;
if (!key)
return (time_t) - 1;
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_expiration_time(key);
+
pkt = _get_public_subkey (key, idx);
if (pkt)
expiredate = pkt->pkt.public_key->expiredate;
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
+
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_key_id(key, keyid);
pkt = _get_public_subkey (key, idx);
if (!pkt)
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
+
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_fingerprint(key, fpr, fprlen);
*fprlen = 0;
{
int ret;
uint32_t kid[2];
+ uint8_t master_id[GNUTLS_OPENPGP_KEYID_SIZE];
if (!key)
{
return GNUTLS_E_INVALID_REQUEST;
}
+ ret = gnutls_openpgp_crt_get_key_id (key, master_id);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ if (memcmp(master_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE)==0)
+ return GNUTLS_OPENPGP_MASTER_KEYID_IDX;
+
KEYID_IMPORT (kid, keyid);
ret = _gnutls_openpgp_find_subkey_idx (key->knode, kid, 0);
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_key_usage(key, key_usage);
+
pkt = _get_public_subkey (key, idx);
if (!pkt)
return GNUTLS_E_OPENPGP_SUBKEY_ERROR;
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_pk_rsa_raw(crt, m, e);
+
ret = gnutls_openpgp_crt_get_subkey_id (crt, idx, keyid);
if (ret < 0)
{
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_crt_get_pk_dsa_raw(crt, p,q, g, y);
+
ret = gnutls_openpgp_crt_get_subkey_id (crt, idx, keyid);
if (ret < 0)
{
int idx;
idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
- algo =
- gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, NULL);
- }
- else
- {
- pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
- if (pkt)
+ if (idx != GNUTLS_OPENPGP_MASTER_KEYID_IDX)
{
- if (bits)
- *bits = cdk_pk_get_nbits (pkt->pkt.secret_key->pk);
- algo = _gnutls_openpgp_get_algo (pkt->pkt.secret_key->pk->pubkey_algo);
+ algo =
+ gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, bits);
+ return algo;
}
}
+ pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
+ if (pkt)
+ {
+ if (bits)
+ *bits = cdk_pk_get_nbits (pkt->pkt.secret_key->pk);
+ algo = _gnutls_openpgp_get_algo (pkt->pkt.secret_key->pk->pubkey_algo);
+ }
+
return algo;
}
return 0;
}
-
/**
* gnutls_openpgp_privkey_get_subkey_count:
* @key: is an OpenPGP key
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_privkey_get_revoked_status(key);
+
pkt = _get_secret_subkey (key, idx);
if (!pkt)
return GNUTLS_E_OPENPGP_GETKEY_FAILED;
return GNUTLS_PK_UNKNOWN;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_privkey_get_pk_algorithm(key, bits);
+
pkt = _get_secret_subkey (key, idx);
algo = 0;
{
int ret;
uint32_t kid[2];
+ uint8_t master_id[GNUTLS_OPENPGP_KEYID_SIZE];
if (!key)
{
return GNUTLS_E_INVALID_REQUEST;
}
+ ret = gnutls_openpgp_privkey_get_key_id (key, master_id);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ if (memcmp(master_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE)==0)
+ return GNUTLS_OPENPGP_MASTER_KEYID_IDX;
+
KEYID_IMPORT (kid, keyid);
ret = _gnutls_openpgp_find_subkey_idx (key->knode, kid, 1);
if (!key)
return (time_t) - 1;
- pkt = _get_secret_subkey (key, idx);
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
+ else
+ pkt = _get_secret_subkey (key, idx);
+
if (pkt)
timestamp = pkt->pkt.secret_key->pk->timestamp;
else
key, unsigned int idx)
{
cdk_packet_t pkt;
- time_t expiredate;
+ time_t timestamp;
if (!key)
return (time_t) - 1;
- pkt = _get_secret_subkey (key, idx);
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
+ else
+ pkt = _get_secret_subkey (key, idx);
+
if (pkt)
- expiredate = pkt->pkt.secret_key->expiredate;
+ timestamp = pkt->pkt.secret_key->pk->expiredate;
else
- expiredate = 0;
+ timestamp = 0;
- return expiredate;
+ return timestamp;
}
/**
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_privkey_get_key_id(key, keyid);
+
pkt = _get_secret_subkey (key, idx);
if (!pkt)
return GNUTLS_E_OPENPGP_GETKEY_FAILED;
return GNUTLS_E_INVALID_REQUEST;
}
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ return gnutls_openpgp_privkey_get_fingerprint(key, fpr, fprlen);
+
*fprlen = 0;
pkt = _get_secret_subkey (key, idx);
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
- ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
+ else
+ ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
if (ret < 0)
{
gnutls_assert ();
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
int ret;
- ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
+ if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
+ ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
+ else
+ ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
+
if (ret < 0)
{
gnutls_assert ();