1 /* sig-check.c - Check a signature
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3 * 2004, 2006 Free Software Foundation, Inc.
4 * Copyright (C) 2015, 2016 g10 Code GmbH
6 * This file is part of GnuPG.
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
37 static int check_signature_end (PKT_public_key *pk, PKT_signature *sig,
39 int *r_expired, int *r_revoked,
40 PKT_public_key *ret_pk);
42 static int check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
45 /* Check a signature. This is shorthand for check_signature2 with
46 the unnamed arguments passed as NULL. */
48 check_signature (PKT_signature *sig, gcry_md_hd_t digest)
50 return check_signature2 (sig, digest, NULL, NULL, NULL, NULL);
56 * Looks up the public key that created the signature (SIG->KEYID)
57 * from the key db. Makes sure that the signature is valid (it was
58 * not created prior to the key, the public key was created in the
59 * past, and the signature does not include any unsupported critical
60 * features), finishes computing the hash of the signature data, and
61 * checks that the signature verifies the digest. If the key that
62 * generated the signature is a subkey, this function also verifies
63 * that there is a valid backsig from the subkey to the primary key.
64 * Finally, if status fd is enabled and the signature class is 0x00 or
65 * 0x01, then a STATUS_SIG_ID is emitted on the status fd.
67 * SIG is the signature to check.
69 * DIGEST contains a valid hash context that already includes the
70 * signed data. This function adds the relevant meta-data from the
71 * signature packet to compute the final hash. (See Section 5.2 of
72 * RFC 4880: "The concatenation of the data being signed and the
73 * signature data from the version number through the hashed subpacket
74 * data (inclusive) is hashed.")
76 * If R_EXPIREDATE is not NULL, R_EXPIREDATE is set to the key's
79 * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired
80 * (0 otherwise). Note: PK being expired does not cause this function
83 * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been
84 * revoked (0 otherwise). Note: PK being revoked does not cause this
87 * If PK is not NULL, the public key is saved in *PK on success.
89 * Returns 0 on success. An error code otherwise. */
91 check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
92 int *r_expired, int *r_revoked, PKT_public_key *pk )
102 pk = xmalloc_clear( sizeof *pk );
105 if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
106 ; /* We don't have this digest. */
107 else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
108 ; /* We don't have this pubkey algo. */
109 else if (!gcry_md_is_enabled (digest,sig->digest_algo))
111 /* Sanity check that the md has a context for the hash that the
112 sig is expecting. This can happen if a onepass sig header does
113 not match the actual sig, and also if the clearsign "Hash:"
114 header is missing or does not match the actual sig. */
116 log_info(_("WARNING: signature digest conflict in message\n"));
117 rc = GPG_ERR_GENERAL;
119 else if( get_pubkey( pk, sig->keyid ) )
120 rc = GPG_ERR_NO_PUBKEY;
121 else if(!pk->flags.valid && !pk->flags.primary)
123 /* You cannot have a good sig from an invalid subkey. */
124 rc = GPG_ERR_BAD_PUBKEY;
129 *r_expiredate = pk->expiredate;
131 rc = check_signature_end (pk, sig, digest, r_expired, r_revoked, NULL);
133 /* Check the backsig. This is a 0x19 signature from the
134 subkey on the primary key. The idea here is that it should
135 not be possible for someone to "steal" subkeys and claim
136 them as their own. The attacker couldn't actually use the
137 subkey, but they could try and claim ownership of any
138 signatures issued by it. */
139 if(rc==0 && !pk->flags.primary && pk->flags.backsig < 2)
141 if (!pk->flags.backsig)
143 log_info(_("WARNING: signing subkey %s is not"
144 " cross-certified\n"),keystr_from_pk(pk));
145 log_info(_("please see %s for more information\n"),
146 "https://gnupg.org/faq/subkey-cross-certify.html");
147 /* --require-cross-certification makes this warning an
148 error. TODO: change the default to require this
149 after more keys have backsigs. */
150 if(opt.flags.require_cross_cert)
151 rc = GPG_ERR_GENERAL;
153 else if(pk->flags.backsig == 1)
155 log_info(_("WARNING: signing subkey %s has an invalid"
156 " cross-certification\n"),keystr_from_pk(pk));
157 rc = GPG_ERR_GENERAL;
162 if (pk_internal || rc)
164 release_public_key_parts (pk);
168 /* Be very sure that the caller doesn't try to use *PK. */
169 memset (pk, 0, sizeof (*pk));
172 if( !rc && sig->sig_class < 2 && is_status_enabled() ) {
173 /* This signature id works best with DLP algorithms because
174 * they use a random parameter for every signature. Instead of
175 * this sig-id we could have also used the hash of the document
176 * and the timestamp, but the drawback of this is, that it is
177 * not possible to sign more than one identical document within
178 * one second. Some remote batch processing applications might
179 * like this feature here.
181 * Note that before 2.0.10, we used RIPE-MD160 for the hash
182 * and accidentally didn't include the timestamp and algorithm
183 * information in the hash. Given that this feature is not
184 * commonly used and that a replay attacks detection should
185 * not solely be based on this feature (because it does not
186 * work with RSA), we take the freedom and switch to SHA-1
187 * with 2.0.10 to take advantage of hardware supported SHA-1
188 * implementations. We also include the missing information
189 * in the hash. Note also the SIG_ID as computed by gpg 1.x
190 * and gpg 2.x didn't matched either because 2.x used to print
191 * MPIs not in PGP format. */
192 u32 a = sig->timestamp;
193 int nsig = pubkey_get_nsig( sig->pubkey_algo );
194 unsigned char *p, *buffer;
200 for (i=0; i < nsig; i++ )
202 if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, &n, sig->data[i]))
207 /* Make buffer large enough to be later used as output buffer. */
210 nbytes += 10; /* Safety margin. */
212 /* Fill and hash buffer. */
213 buffer = p = xmalloc (nbytes);
214 *p++ = sig->pubkey_algo;
215 *p++ = sig->digest_algo;
216 *p++ = (a >> 24) & 0xff;
217 *p++ = (a >> 16) & 0xff;
218 *p++ = (a >> 8) & 0xff;
221 for (i=0; i < nsig; i++ )
223 if (gcry_mpi_print (GCRYMPI_FMT_PGP, p, nbytes, &n, sig->data[i]))
228 gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, buffer, p-buffer);
230 p = make_radix64_string (hashbuf, 20);
231 sprintf (buffer, "%s %s %lu",
232 p, strtimestamp (sig->timestamp), (ulong)sig->timestamp);
234 write_status_text (STATUS_SIG_ID, buffer);
242 /* The signature SIG was generated with the public key PK. Check
243 * whether the signature is valid in the following sense:
245 * - Make sure the public key was created before the signature was
248 * - Make sure the public key was created in the past
250 * - Check whether PK has expired (set *R_EXPIRED to 1 if so and 0
253 * - Check whether PK has been revoked (set *R_REVOKED to 1 if so
256 * If either of the first two tests fail, returns an error code.
257 * Otherwise returns 0. (Thus, this function doesn't fail if the
258 * public key is expired or revoked.) */
260 check_signature_metadata_validity (PKT_public_key *pk, PKT_signature *sig,
261 int *r_expired, int *r_revoked)
270 if( pk->timestamp > sig->timestamp )
272 ulong d = pk->timestamp - sig->timestamp;
277 ("public key %s is %lu second newer than the signature\n",
278 "public key %s is %lu seconds newer than the signature\n",
279 d), keystr_from_pk (pk), d);
286 ("public key %s is %lu day newer than the signature\n",
287 "public key %s is %lu days newer than the signature\n",
288 d), keystr_from_pk (pk), d);
290 if (!opt.ignore_time_conflict)
291 return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature. */
294 cur_time = make_timestamp();
295 if( pk->timestamp > cur_time )
297 ulong d = pk->timestamp - cur_time;
300 log_info (ngettext("key %s was created %lu second"
301 " in the future (time warp or clock problem)\n",
302 "key %s was created %lu seconds"
303 " in the future (time warp or clock problem)\n",
304 d), keystr_from_pk (pk), d);
309 log_info (ngettext("key %s was created %lu day"
310 " in the future (time warp or clock problem)\n",
311 "key %s was created %lu days"
312 " in the future (time warp or clock problem)\n",
313 d), keystr_from_pk (pk), d);
315 if (!opt.ignore_time_conflict)
316 return GPG_ERR_TIME_CONFLICT;
319 /* Check whether the key has expired. We check the has_expired
320 flag which is set after a full evaluation of the key (getkey.c)
321 as well as a simple compare to the current time in case the
322 merge has for whatever reasons not been done. */
323 if( pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) {
326 log_info(_("Note: signature key %s expired %s\n"),
327 keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
328 sprintf(buf,"%lu",(ulong)pk->expiredate);
329 write_status_text(STATUS_KEYEXPIRED,buf);
334 if (pk->flags.revoked)
337 log_info (_("Note: signature key %s has been revoked\n"),
347 /* Finish generating a signature and check it. Concretely: make sure
348 * that the signature is valid (it was not created prior to the key,
349 * the public key was created in the past, and the signature does not
350 * include any unsupported critical features), finish computing the
351 * digest by adding the relevant data from the signature packet, and
352 * check that the signature verifies the digest.
354 * DIGEST contains a hash context, which has already hashed the signed
355 * data. This function adds the relevant meta-data from the signature
356 * packet to compute the final hash. (See Section 5.2 of RFC 4880:
357 * "The concatenation of the data being signed and the signature data
358 * from the version number through the hashed subpacket data
359 * (inclusive) is hashed.")
361 * SIG is the signature to check.
363 * PK is the public key used to generate the signature.
365 * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has expired
366 * (0 otherwise). Note: PK being expired does not cause this function
369 * If R_REVOKED is not NULL, *R_REVOKED is set to 1 if PK has been
370 * revoked (0 otherwise). Note: PK being revoked does not cause this
373 * If RET_PK is not NULL, PK is copied into RET_PK on success.
375 * Returns 0 on success. An error code other. */
377 check_signature_end (PKT_public_key *pk, PKT_signature *sig,
379 int *r_expired, int *r_revoked, PKT_public_key *ret_pk)
383 if ((rc = check_signature_metadata_validity (pk, sig,
384 r_expired, r_revoked)))
387 if ((rc = check_signature_end_simple (pk, sig, digest)))
391 copy_public_key(ret_pk,pk);
396 /* This function is similar to check_signature_end, but it only checks
397 whether the signature was generated by PK. It does not check
398 expiration, revocation, etc. */
400 check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
403 gcry_mpi_t result = NULL;
405 const struct weakhash *weak;
407 if (!opt.flags.allow_weak_digest_algos)
408 for (weak = opt.weak_digests; weak; weak = weak->next)
409 if (sig->digest_algo == weak->algo)
411 print_digest_rejected_note(sig->digest_algo);
412 return GPG_ERR_DIGEST_ALGO;
415 /* Make sure the digest algo is enabled (in case of a detached
417 gcry_md_enable (digest, sig->digest_algo);
419 /* Complete the digest. */
420 if( sig->version >= 4 )
421 gcry_md_putc( digest, sig->version );
422 gcry_md_putc( digest, sig->sig_class );
423 if( sig->version < 4 ) {
424 u32 a = sig->timestamp;
425 gcry_md_putc( digest, (a >> 24) & 0xff );
426 gcry_md_putc( digest, (a >> 16) & 0xff );
427 gcry_md_putc( digest, (a >> 8) & 0xff );
428 gcry_md_putc( digest, a & 0xff );
433 gcry_md_putc( digest, sig->pubkey_algo );
434 gcry_md_putc( digest, sig->digest_algo );
436 n = sig->hashed->len;
437 gcry_md_putc (digest, (n >> 8) );
438 gcry_md_putc (digest, n );
439 gcry_md_write (digest, sig->hashed->data, n);
443 /* Two octets for the (empty) length of the hashed
445 gcry_md_putc (digest, 0);
446 gcry_md_putc (digest, 0);
449 /* add some magic per Section 5.2.4 of RFC 4880. */
450 buf[0] = sig->version;
456 gcry_md_write( digest, buf, 6 );
458 gcry_md_final( digest );
460 /* Convert the digest to an MPI. */
461 result = encode_md_value (pk, digest, sig->digest_algo );
463 return GPG_ERR_GENERAL;
465 /* Verify the signature. */
466 rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
467 gcry_mpi_release (result);
469 if( !rc && sig->flags.unknown_critical )
471 log_info(_("assuming bad signature from key %s"
472 " due to an unknown critical bit\n"),keystr_from_pk(pk));
473 rc = GPG_ERR_BAD_SIGNATURE;
480 /* Add a uid node to a hash context. See section 5.2.4, paragraph 4
483 hash_uid_packet (PKT_user_id *uid, gcry_md_hd_t md, PKT_signature *sig )
485 if( uid->attrib_data ) {
486 if( sig->version >=4 ) {
488 buf[0] = 0xd1; /* packet of type 17 */
489 buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */
490 buf[2] = uid->attrib_len >> 16;
491 buf[3] = uid->attrib_len >> 8;
492 buf[4] = uid->attrib_len;
493 gcry_md_write( md, buf, 5 );
495 gcry_md_write( md, uid->attrib_data, uid->attrib_len );
498 if( sig->version >=4 ) {
500 buf[0] = 0xb4; /* indicates a userid packet */
501 buf[1] = uid->len >> 24; /* always use 4 length bytes */
502 buf[2] = uid->len >> 16;
503 buf[3] = uid->len >> 8;
505 gcry_md_write( md, buf, 5 );
507 gcry_md_write( md, uid->name, uid->len );
512 cache_sig_result ( PKT_signature *sig, int result )
515 sig->flags.checked = 1;
516 sig->flags.valid = 1;
518 else if ( gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE ) {
519 sig->flags.checked = 1;
520 sig->flags.valid = 0;
523 sig->flags.checked = 0;
524 sig->flags.valid = 0;
529 /* SIG is a key revocation signature. Check if this signature was
530 * generated by any of the public key PK's designated revokers.
532 * PK is the public key that SIG allegedly revokes.
534 * SIG is the revocation signature to check.
536 * This function avoids infinite recursion, which can happen if two
537 * keys are designed revokers for each other and they revoke each
538 * other. This is done by observing that if a key A is revoked by key
539 * B we still consider the revocation to be valid even if B is
540 * revoked. Thus, we don't need to determine whether B is revoked to
541 * determine whether A has been revoked by B, we just need to check
544 * Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
545 * revoked. We are careful to make sure that GPG_ERR_NO_PUBKEY is
546 * only returned when a revocation signature is from a valid
547 * revocation key designated in a revkey subpacket, but the revocation
548 * key itself isn't present.
550 * XXX: This code will need to be modified if gpg ever becomes
551 * multi-threaded. Note that this guarantees that a designated
552 * revocation sig will never be considered valid unless it is actually
553 * valid, as well as being issued by a revocation key in a valid
554 * direct signature. Note also that this is written so that a revoked
555 * revoker can still issue revocations: i.e. If A revokes B, but A is
556 * revoked, B is still revoked. I'm not completely convinced this is
557 * the proper behavior, but it matches how PGP does it. -dms */
559 check_revocation_keys (PKT_public_key *pk, PKT_signature *sig)
563 int rc = GPG_ERR_GENERAL;
565 log_assert (IS_KEY_REV(sig));
566 log_assert ((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
568 /* Avoid infinite recursion. Consider the following:
570 * - We want to check if A is revoked.
572 * - C is a designated revoker for B and has revoked B.
574 * - B is a designated revoker for A and has revoked A.
576 * When checking if A is revoked (in merge_selfsigs_main), we
577 * observe that A has a designed revoker. As such, we call this
578 * function. This function sees that there is a valid revocation
579 * signature, which is signed by B. It then calls check_signature()
580 * to verify that the signature is good. To check the sig, we need
581 * to lookup B. Looking up B means calling merge_selfsigs_main,
582 * which checks whether B is revoked, which calls this function to
583 * see if B was revoked by some key.
585 * In this case, the added level of indirection doesn't hurt. It
586 * just means a bit more work. However, if C == A, then we'd end up
587 * in a loop. But, it doesn't make sense to look up C anyways: even
588 * if B is revoked, we conservatively consider a valid revocation
589 * signed by B to revoke A. Since this is the only place where this
590 * type of recursion can occur, we simply cause this function to
591 * fail if it is entered recursively. */
594 /* Return an error (i.e. not revoked), but mark the pk as
595 uncacheable as we don't really know its revocation status
596 until it is checked directly. */
597 pk->flags.dont_cache = 1;
603 /* es_printf("looking at %08lX with a sig from %08lX\n",(ulong)pk->keyid[1],
604 (ulong)sig->keyid[1]); */
606 /* is the issuer of the sig one of our revokers? */
607 if( !pk->revkey && pk->numrevkeys )
610 for(i=0;i<pk->numrevkeys;i++)
612 /* The revoker's keyid. */
615 keyid_from_fingerprint(pk->revkey[i].fpr,MAX_FINGERPRINT_LEN,keyid);
617 if(keyid[0]==sig->keyid[0] && keyid[1]==sig->keyid[1])
618 /* The signature was generated by a designated revoker.
619 Verify the signature. */
623 if (gcry_md_open (&md, sig->digest_algo, 0))
625 hash_public_key(md,pk);
626 /* Note: check_signature only checks that the signature
627 is good. It does not fail if the key is revoked. */
628 rc=check_signature(sig,md);
629 cache_sig_result(sig,rc);
640 /* Check that the backsig BACKSIG from the subkey SUB_PK to its
641 primary key MAIN_PK is valid.
643 Backsigs (0x19) have the same format as binding sigs (0x18), but
644 this function is simpler than check_key_signature in a few ways.
645 For example, there is no support for expiring backsigs since it is
646 questionable what such a thing actually means. Note also that the
647 sig cache check here, unlike other sig caches in GnuPG, is not
650 check_backsig (PKT_public_key *main_pk,PKT_public_key *sub_pk,
651 PKT_signature *backsig)
656 /* Always check whether the algorithm is available. Although
657 gcry_md_open would throw an error, some libgcrypt versions will
658 print a debug message in that case too. */
659 if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
662 if(!opt.no_sig_cache && backsig->flags.checked)
663 return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
665 rc = gcry_md_open (&md, backsig->digest_algo,0);
668 hash_public_key(md,main_pk);
669 hash_public_key(md,sub_pk);
670 rc = check_signature_end (sub_pk, backsig, md, NULL, NULL, NULL);
671 cache_sig_result(backsig,rc);
679 /* Check that a signature over a key is valid. This is a
680 * specialization of check_key_signature2 with the unnamed parameters
681 * passed as NULL. See the documentation for that function for more
684 check_key_signature (KBNODE root, KBNODE node, int *is_selfsig)
686 return check_key_signature2 (root, node, NULL, NULL, is_selfsig, NULL, NULL);
690 /* Returns whether SIGNER generated the signature SIG over the packet
691 PACKET, which is a key, subkey or uid, and comes from the key block
692 KB. (KB is PACKET's corresponding keyblock; we don't assume that
693 SIG has been added to the keyblock.)
695 If SIGNER is set, then checks whether SIGNER generated the
696 signature. Otherwise, uses SIG->KEYID to find the alleged signer.
697 This parameter can be used to effectively override the alleged
698 signer that is stored in SIG.
700 KB may be NULL if SIGNER is set.
702 Unlike check_key_signature, this function ignores any cached
703 results! That is, it does not consider SIG->FLAGS.CHECKED and
704 SIG->FLAGS.VALID nor does it set them.
706 This doesn't check the signature's semantic mean. Concretely, it
707 doesn't check whether a non-self signed revocation signature was
708 created by a designated revoker. In fact, it doesn't return an
709 error for a binding generated by a completely different key!
711 Returns 0 if the signature is valid. Returns GPG_ERR_SIG_CLASS if
712 this signature can't be over PACKET. Returns GPG_ERR_NOT_FOUND if
713 the key that generated the signature (according to SIG) could not
714 be found. Returns GPG_ERR_BAD_SIGNATURE if the signature is bad.
715 Other errors codes may be returned if something else goes wrong.
717 IF IS_SELFSIG is not NULL, sets *IS_SELFSIG to 1 if this is a
718 self-signature (by the key's primary key) or 0 if not.
720 If RET_PK is not NULL, returns a copy of the public key that
721 generated the signature (i.e., the signer) on success. This must
722 be released by the caller using release_public_key_parts (). */
724 check_signature_over_key_or_uid (PKT_public_key *signer,
725 PKT_signature *sig, KBNODE kb, PACKET *packet,
726 int *is_selfsig, PKT_public_key *ret_pk)
729 PKT_public_key *pripk = kb->pkt->pkt.public_key;
731 int signer_alloced = 0;
733 rc = openpgp_pk_test_algo (sig->pubkey_algo);
736 rc = openpgp_md_test_algo (sig->digest_algo);
740 /* A signature's class indicates the type of packet that it
742 if (/* Primary key binding (made by a subkey). */
743 sig->sig_class == 0x19
744 /* Direct key signature. */
745 || sig->sig_class == 0x1f
746 /* Primary key revocation. */
747 || sig->sig_class == 0x20)
749 if (packet->pkttype != PKT_PUBLIC_KEY)
750 /* Key revocations can only be over primary keys. */
751 return gpg_error (GPG_ERR_SIG_CLASS);
753 else if (/* Subkey binding. */
754 sig->sig_class == 0x18
755 /* Subkey revocation. */
756 || sig->sig_class == 0x28)
758 if (packet->pkttype != PKT_PUBLIC_SUBKEY)
759 return gpg_error (GPG_ERR_SIG_CLASS);
761 else if (/* Certification. */
762 sig->sig_class == 0x10
763 || sig->sig_class == 0x11
764 || sig->sig_class == 0x12
765 || sig->sig_class == 0x13
766 /* Certification revocation. */
767 || sig->sig_class == 0x30)
769 if (packet->pkttype != PKT_USER_ID)
770 return gpg_error (GPG_ERR_SIG_CLASS);
773 return gpg_error (GPG_ERR_SIG_CLASS);
775 /* PACKET is the right type for SIG. */
781 if (signer->keyid[0] == pripk->keyid[0]
782 && signer->keyid[1] == pripk->keyid[1])
790 /* Get the signer. If possible, avoid a look up. */
791 if (sig->keyid[0] == pripk->keyid[0]
792 && sig->keyid[1] == pripk->keyid[1])
793 /* Issued by the primary key. */
804 /* See if one of the subkeys was the signer (although this
805 is extremely unlikely). */
806 while ((n = walk_kbnode (kb, &ctx, 0)))
808 PKT_public_key *subk;
810 if (n->pkt->pkttype != PKT_PUBLIC_SUBKEY)
813 subk = n->pkt->pkt.public_key;
814 if (sig->keyid[0] == subk->keyid[0]
815 && sig->keyid[1] == subk->keyid[1])
816 /* Issued by a subkey. */
824 /* Signer by some other key. */
831 memset (signer, 0, sizeof (*signer));
836 signer = xmalloc_clear (sizeof (*signer));
840 rc = get_pubkey (signer, sig->keyid);
852 /* We checked above that we supported this algo, so an error here is
854 if (gcry_md_open (&md, sig->digest_algo, 0))
857 /* Hash the relevant data. */
859 if (/* Direct key signature. */
860 sig->sig_class == 0x1f
861 /* Primary key revocation. */
862 || sig->sig_class == 0x20)
864 log_assert (packet->pkttype == PKT_PUBLIC_KEY);
865 hash_public_key (md, packet->pkt.public_key);
866 rc = check_signature_end_simple (signer, sig, md);
868 else if (/* Primary key binding (made by a subkey). */
869 sig->sig_class == 0x19)
871 log_assert (packet->pkttype == PKT_PUBLIC_KEY);
872 hash_public_key (md, packet->pkt.public_key);
873 hash_public_key (md, signer);
874 rc = check_signature_end_simple (signer, sig, md);
876 else if (/* Subkey binding. */
877 sig->sig_class == 0x18
878 /* Subkey revocation. */
879 || sig->sig_class == 0x28)
881 log_assert (packet->pkttype == PKT_PUBLIC_SUBKEY);
882 hash_public_key (md, pripk);
883 hash_public_key (md, packet->pkt.public_key);
884 rc = check_signature_end_simple (signer, sig, md);
886 else if (/* Certification. */
887 sig->sig_class == 0x10
888 || sig->sig_class == 0x11
889 || sig->sig_class == 0x12
890 || sig->sig_class == 0x13
891 /* Certification revocation. */
892 || sig->sig_class == 0x30)
894 log_assert (packet->pkttype == PKT_USER_ID);
895 hash_public_key (md, pripk);
896 hash_uid_packet (packet->pkt.user_id, md, sig);
897 rc = check_signature_end_simple (signer, sig, md);
900 /* We should never get here. (The first if above should have
901 already caught this error.) */
907 if (! rc && ret_pk && (signer_alloced == -1 || ret_pk != signer))
908 copy_public_key (ret_pk, signer);
909 if (signer_alloced == 1)
910 /* We looked up SIGNER; it is not a pointer into KB. */
912 release_public_key_parts (signer);
913 if (signer_alloced == 2)
914 /* We also allocated the memory. */
921 /* Check that a signature over a key (e.g., a key revocation, key
922 * binding, user id certification, etc.) is valid. If the function
923 * detects a self-signature, it uses the public key from the specified
924 * key block and does not bother looking up the key specified in the
927 * ROOT is a keyblock.
929 * NODE references a signature packet that appears in the keyblock
930 * that should be verified.
932 * If CHECK_PK is set, the specified key is sometimes preferred for
933 * verifying signatures. See the implementation for details.
935 * If RET_PK is not NULL, the public key that successfully verified
936 * the signature is copied into *RET_PK.
938 * If IS_SELFSIG is not NULL, *IS_SELFSIG is set to 1 if NODE is a
941 * If R_EXPIREDATE is not NULL, *R_EXPIREDATE is set to the expiry
944 * If R_EXPIRED is not NULL, *R_EXPIRED is set to 1 if PK has been
945 * expired (0 otherwise). Note: PK being revoked does not cause this
949 * If OPT.NO_SIG_CACHE is not set, this function will first check if
950 * the result of a previous verification is already cached in the
951 * signature packet's data structure.
953 * TODO: add r_revoked here as well. It has the same problems as
954 * r_expiredate and r_expired and the cache. */
956 check_key_signature2 (kbnode_t root, kbnode_t node, PKT_public_key *check_pk,
957 PKT_public_key *ret_pk, int *is_selfsig,
958 u32 *r_expiredate, int *r_expired )
971 log_assert (node->pkt->pkttype == PKT_SIGNATURE);
972 log_assert (root->pkt->pkttype == PKT_PUBLIC_KEY);
974 pk = root->pkt->pkt.public_key;
975 sig = node->pkt->pkt.signature;
976 algo = sig->digest_algo;
978 /* Check whether we have cached the result of a previous signature
979 check. Note that we may no longer have the pubkey or hash
980 needed to verify a sig, but can still use the cached value. A
981 cache refresh detects and clears these cases. */
982 if ( !opt.no_sig_cache )
984 if (sig->flags.checked) /* Cached status available. */
990 keyid_from_pk (pk, keyid);
991 if (keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1])
994 /* BUG: This is wrong for non-self-sigs... needs to be the
996 rc = check_signature_metadata_validity (pk, sig, r_expired, NULL);
999 return sig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
1003 rc = openpgp_pk_test_algo(sig->pubkey_algo);
1006 rc = openpgp_md_test_algo(algo);
1010 if (sig->sig_class == 0x20) /* key revocation */
1013 keyid_from_pk( pk, keyid );
1015 /* Is it a designated revoker? */
1016 if (keyid[0] != sig->keyid[0] || keyid[1] != sig->keyid[1])
1017 rc = check_revocation_keys (pk, sig);
1020 rc = check_signature_metadata_validity (pk, sig,
1023 rc = check_signature_over_key_or_uid (pk, sig, root, root->pkt,
1024 is_selfsig, ret_pk);
1027 else if (sig->sig_class == 0x28 /* subkey revocation */
1028 || sig->sig_class == 0x18) /* key binding */
1030 kbnode_t snode = find_prev_kbnode (root, node, PKT_PUBLIC_SUBKEY);
1034 rc = check_signature_metadata_validity (pk, sig,
1037 /* 0x28 must be a self-sig, but 0x18 needn't be. */
1038 rc = check_signature_over_key_or_uid (sig->sig_class == 0x18
1040 sig, root, snode->pkt,
1041 is_selfsig, ret_pk);
1047 if (sig->sig_class == 0x28)
1048 log_info (_("key %s: no subkey for subkey"
1049 " revocation signature\n"), keystr_from_pk(pk));
1050 else if (sig->sig_class == 0x18)
1051 log_info(_("key %s: no subkey for subkey"
1052 " binding signature\n"), keystr_from_pk(pk));
1054 rc = GPG_ERR_SIG_CLASS;
1057 else if (sig->sig_class == 0x1f) /* direct key signature */
1059 rc = check_signature_metadata_validity (pk, sig,
1062 rc = check_signature_over_key_or_uid (pk, sig, root, root->pkt,
1063 is_selfsig, ret_pk);
1065 else if (/* Certification. */
1066 sig->sig_class == 0x10
1067 || sig->sig_class == 0x11
1068 || sig->sig_class == 0x12
1069 || sig->sig_class == 0x13
1070 /* Certification revocation. */
1071 || sig->sig_class == 0x30)
1073 kbnode_t unode = find_prev_kbnode (root, node, PKT_USER_ID);
1077 rc = check_signature_metadata_validity (pk, sig, r_expired, NULL);
1079 /* If this is a self-sig, ignore check_pk. */
1080 rc = check_signature_over_key_or_uid
1081 (keyid_cmp (pk_keyid (pk), sig->keyid) == 0 ? pk : check_pk,
1082 sig, root, unode->pkt, NULL, ret_pk);
1087 log_info ("key %s: no user ID for key signature packet"
1088 " of class %02x\n",keystr_from_pk(pk),sig->sig_class);
1089 rc = GPG_ERR_SIG_CLASS;
1094 log_info ("sig issued by %s with class %d (digest: %02x %02x)"
1095 " is not valid over a user id or a key id, ignoring.\n",
1096 keystr (sig->keyid), sig->sig_class,
1097 sig->digest_start[0], sig->digest_start[1]);
1098 rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
1101 cache_sig_result (sig, rc);
projects / gnupg.git / blob