[Help-gnutls] Re: Certificate verification when using OpenPGP certificates
From: Simon Josefsson
Subject: [Help-gnutls] Re: Certificate verification when using OpenPGP certificates
Date: Thu, 15 Mar 2007 12:40:49 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.94 (gnu/linux)
Matthias Wimmer <address@hidden> writes:
> Hi!
>
> Is there any example or documentation on how to do certificate
> verification, if the peer used an OpenPGP key to authenticate? The
> OpenPGP example distributed with GnuTLS (ex-serv-pgp.c) does not do
> any verification.
>
> I guess that I have to use gnutls_certificate_verify_peers2() first
> and if that succeeds, all that is left to do is to check if the
> OpenPGP key contains one ID that matches what I expect the peer to be.
> Do I have to check anything else? E.g. expiration of the key (as I
> would have to do with X.509 certificates, but there does not seem to
> be a function for that) or the self signature of the key (I'd expect
> that this might already have been done by
> gnutls_certificate_verify_peers2())?
I don't really know. The draft-ietf-tls-openpgp-keys-11.txt document says:

    Considerations about the use of the web of trust or identity and
    certificate verification procedure are outside the scope of this
    document. These are considered issues to be handled by the
    application layer protocols.

So it doesn't give much guidance. gnutls_certificate_verify_peers2,
via _gnutls_openpgp_verify_key, does check signatures against the
keyring/trustdb, and the self signature, but nothing else as far as I
can tell.
The code for gnutls-serv, see print_openpgp_info in src/common.c,
suggests several checks. Identity check:

    /* gnutls_openpgp_key_check_hostname() returns non-zero on a match */
    if (gnutls_openpgp_key_check_hostname (crt, hostname) == 0)
      {
        printf (" # The hostname in the key does NOT match '%s'.\n",
                hostname);
      }
    else
      {
        printf (" # The hostname in the key matches '%s'.\n", hostname);
      }

Expiration check:

    activet = gnutls_openpgp_key_get_creation_time (crt);
    expiret = gnutls_openpgp_key_get_expiration_time (crt);
    printf (" # Key was created at: %s", my_ctime (&activet));
    printf (" # Key expires: ");
    if (expiret != 0)
      printf ("%s", my_ctime (&expiret));
    else
      printf ("Never\n");   /* an expiration time of 0 means the key never expires */
Possibly we could add an API to GnuTLS to check these things too. It
seems error prone that every application needs to do the same kind of
checks. Maybe even gnutls_certificate_verify_peers2 should do this.
/Simon
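As an added example (not code from this thread or from GnuTLS), the checks Simon lists folded into a single accept/reject decision rather than the print-only output of gnutls-serv. The struct, the enum and the simplified user-ID match are assumptions: the application would fill the struct from gnutls_certificate_verify_peers2() and the gnutls_openpgp_key_get_*_time() functions shown above, and the real identity check is gnutls_openpgp_key_check_hostname().

```c
#include <string.h>
#include <strings.h>
#include <time.h>

/* Reasons to refuse the peer; any non-zero result should abort the handshake. */
enum {
    PGP_OK            = 0,
    PGP_NOT_TRUSTED   = 1 << 0, /* verify_peers2 status was non-zero */
    PGP_NOT_YET_VALID = 1 << 1, /* creation time lies in the future */
    PGP_EXPIRED       = 1 << 2, /* expiration time set and already passed */
    PGP_WRONG_ID      = 1 << 3  /* no user ID names the expected host */
};

/* Hypothetical caller-filled view of the peer key, holding the values the
   post reads from GnuTLS; no GnuTLS call is made here. */
struct pgp_peer {
    unsigned int verify_status; /* gnutls_certificate_verify_peers2() status */
    time_t created;             /* gnutls_openpgp_key_get_creation_time() */
    time_t expires;             /* gnutls_openpgp_key_get_expiration_time(); 0 = never */
    const char *uids[4];        /* key user IDs, NULL-terminated (constructed sample) */
};

/* Simplified identity check: some user ID must equal the expected hostname
   (case-insensitive). Assumed stand-in, not gnutls_openpgp_key_check_hostname(). */
static int uid_matches_hostname(const char *const *uids, const char *hostname)
{
    for (; *uids != NULL; uids++)
        if (strcasecmp(*uids, hostname) == 0)
            return 1;
    return 0;
}

/* Fold trust status, validity window and identity into one bitmask verdict,
   so that an expired or mis-named key is rejected instead of merely printed. */
int pgp_peer_check(const struct pgp_peer *p, const char *hostname, time_t now)
{
    int reasons = PGP_OK;
    if (p->verify_status != 0)
        reasons |= PGP_NOT_TRUSTED;
    if (p->created > now)
        reasons |= PGP_NOT_YET_VALID;
    if (p->expires != 0 && p->expires <= now)
        reasons |= PGP_EXPIRED;
    if (!uid_matches_hostname(p->uids, hostname))
        reasons |= PGP_WRONG_ID;
    return reasons;
}
```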