1
1
/* sig-check.c - Check a signature
2
* Copyright (C) 1998, 1999, 2000, 2001, 2002,
3
* 2003 Free Software Foundation, Inc.
2
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3
* 2004, 2006 Free Software Foundation, Inc.
5
5
* This file is part of GnuPG.
17
17
* You should have received a copy of the GNU General Public License
18
18
* along with this program; if not, write to the Free Software
19
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22
23
#include <config.h>
53
56
* is able to append some data, before finalizing the digest.
56
signature_check( PKT_signature *sig, MD_HANDLE digest )
59
signature_check (PKT_signature *sig, gcry_md_hd_t digest)
58
61
return signature_check2( sig, digest, NULL, NULL, NULL, NULL );
62
signature_check2( PKT_signature *sig, MD_HANDLE digest, u32 *r_expiredate,
65
signature_check2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
63
66
int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
65
PKT_public_key *pk = xcalloc (1, sizeof *pk );
68
PKT_public_key *pk = xmalloc_clear( sizeof *pk );
68
/* Sanity check that the md has a context for the hash that the
69
sig is expecting. This can happen if a onepass sig header does
70
not match the actual sig, and also if the clearsign "Hash:"
71
header is missing or does not match the actual sig. */
71
if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
72
; /* We don't have this digest. */
73
else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
74
; /* We don't have this pubkey algo. */
75
else if (!gcry_md_is_enabled (digest,sig->digest_algo))
77
/* Sanity check that the md has a context for the hash that the
78
sig is expecting. This can happen if a onepass sig header does
79
not match the actual sig, and also if the clearsign "Hash:"
80
header is missing or does not match the actual sig. */
73
if(!gcry_md_is_enabled (digest,sig->digest_algo)) {
74
82
log_info(_("WARNING: signature digest conflict in message\n"));
77
85
else if( get_pubkey( pk, sig->keyid ) )
78
rc = GPG_ERR_NO_PUBKEY;
86
rc = G10ERR_NO_PUBKEY;
79
87
else if(!pk->is_valid && !pk->is_primary)
80
rc=GPG_ERR_BAD_PUBKEY; /* you cannot have a good sig from an
88
rc=G10ERR_BAD_PUBKEY; /* you cannot have a good sig from an
84
*r_expiredate = pk->expiredate;
93
*r_expiredate = pk->expiredate;
85
95
rc = do_check( pk, sig, digest, r_expired, r_revoked, ret_pk );
97
/* Check the backsig. This is a 0x19 signature from the
98
subkey on the primary key. The idea here is that it should
99
not be possible for someone to "steal" subkeys and claim
100
them as their own. The attacker couldn't actually use the
101
subkey, but they could try and claim ownership of any
102
signaures issued by it. */
103
if(rc==0 && !pk->is_primary && pk->backsig<2)
107
log_info(_("WARNING: signing subkey %s is not"
108
" cross-certified\n"),keystr_from_pk(pk));
109
log_info(_("please see %s for more information\n"),
110
"http://www.gnupg.org/faq/subkey-cross-certify.html");
111
/* --require-cross-certification makes this warning an
112
error. TODO: change the default to require this
113
after more keys have backsigs. */
114
if(opt.flags.require_cross_cert)
117
else if(pk->backsig==1)
119
log_info(_("WARNING: signing subkey %s has an invalid"
120
" cross-certification\n"),keystr_from_pk(pk));
88
126
free_public_key( pk );
96
134
* one second. Some remote batch processing applications might
97
135
* like this feature here */
99
138
u32 a = sig->timestamp;
100
139
int i, nsig = pubkey_get_nsig( sig->pubkey_algo );
101
140
byte *p, *buffer;
103
gcry_md_open (&md, GCRY_MD_RMD160, 0);
142
if (gcry_md_open (&md, GCRY_MD_RMD160, 0))
145
/* FIXME: Why the hell are we updating DIGEST here??? */
104
146
gcry_md_putc( digest, sig->pubkey_algo );
105
147
gcry_md_putc( digest, sig->digest_algo );
106
148
gcry_md_putc( digest, (a >> 24) & 0xff );
107
149
gcry_md_putc( digest, (a >> 16) & 0xff );
108
gcry_md_putc( digest, (a >> 8) & 0xff );
109
gcry_md_putc( digest, a & 0xff );
150
gcry_md_putc( digest, (a >> 8) & 0xff );
151
gcry_md_putc( digest, a & 0xff );
110
152
for(i=0; i < nsig; i++ ) {
112
154
unsigned char *tmp;
114
156
if (gcry_mpi_aprint (GCRYMPI_FMT_USG, &tmp, &n, sig->data[i]))
117
158
gcry_md_write (md, tmp, n);
121
p = make_radix64_string( gcry_md_read( md, 0 ), 20 );
122
buffer = xmalloc ( strlen(p) + 60 );
162
p = make_radix64_string ( gcry_md_read( md, 0 ), 20 );
163
buffer = xmalloc( strlen(p) + 60 );
123
164
sprintf( buffer, "%s %s %lu",
124
165
p, strtimestamp( sig->timestamp ), (ulong)sig->timestamp );
125
166
write_status_text( STATUS_SIG_ID, buffer );
128
169
gcry_md_close(md);
136
177
do_check_messages( PKT_public_key *pk, PKT_signature *sig,
137
int *r_expired, int *r_revoked )
178
int *r_expired, int *r_revoked )
145
if( pk->version == 4 && pk->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E ) {
146
log_info(_("key %08lX: this is a PGP generated "
147
"ElGamal key which is NOT secure for signatures!\n"),
148
(ulong)keyid_from_pk(pk,NULL));
149
return GPG_ERR_PUBKEY_ALGO;
152
if( pk->timestamp > sig->timestamp ) {
187
if( pk->timestamp > sig->timestamp )
153
189
ulong d = pk->timestamp - sig->timestamp;
155
? _("public key %08lX is %lu second newer than the signature\n")
156
: _("public key %08lX is %lu seconds newer than the signature\n"),
157
(ulong)keyid_from_pk(pk,NULL),d );
191
?_("public key %s is %lu second newer than the signature\n")
192
:_("public key %s is %lu seconds newer than the signature\n"),
193
keystr_from_pk(pk),d );
158
194
if( !opt.ignore_time_conflict )
159
return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature */
195
return G10ERR_TIME_CONFLICT; /* pubkey newer than signature */
162
198
cur_time = make_timestamp();
163
if( pk->timestamp > cur_time ) {
199
if( pk->timestamp > cur_time )
164
201
ulong d = pk->timestamp - cur_time;
165
log_info( d==1 ? _("key %08lX has been created %lu second "
166
"in future (time warp or clock problem)\n")
167
: _("key %08lX has been created %lu seconds "
168
"in future (time warp or clock problem)\n"),
169
(ulong)keyid_from_pk(pk,NULL),d );
203
? _("key %s was created %lu second"
204
" in the future (time warp or clock problem)\n")
205
: _("key %s was created %lu seconds"
206
" in the future (time warp or clock problem)\n"),
207
keystr_from_pk(pk),d );
170
208
if( !opt.ignore_time_conflict )
171
return GPG_ERR_TIME_CONFLICT;
209
return G10ERR_TIME_CONFLICT;
174
212
if( pk->expiredate && pk->expiredate < cur_time ) {
179
keyid_from_pk( pk, tmp_kid );
180
log_info(_("NOTE: signature key %08lX expired %s\n"),
181
(ulong)tmp_kid[1], asctimestamp( pk->expiredate ) );
215
log_info(_("NOTE: signature key %s expired %s\n"),
216
keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
183
217
/* SIGEXPIRED is deprecated. Use KEYEXPIRED. */
184
218
sprintf(buf,"%lu",(ulong)pk->expiredate);
185
219
write_status_text(STATUS_KEYEXPIRED,buf);
186
220
write_status(STATUS_SIGEXPIRED);
191
225
if(pk->is_revoked && r_revoked)
199
do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest,
233
do_check( PKT_public_key *pk, PKT_signature *sig, gcry_md_hd_t digest,
200
234
int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
202
236
gcry_mpi_t result = NULL;
204
238
struct cmp_help_context_s ctx;
206
240
if( (rc=do_check_messages(pk,sig,r_expired,r_revoked)) )
208
if( (rc=gcry_md_test_algo(sig->digest_algo)) )
210
if( (rc=gcry_pk_test_algo(sig->pubkey_algo)) )
213
/* make sure the digest algo is enabled (in case of a detached
215
gcry_md_enable( digest, sig->digest_algo );
217
/* complete the digest */
243
/* Make sure the digest algo is enabled (in case of a detached
245
gcry_md_enable (digest, sig->digest_algo);
247
/* Complete the digest. */
218
248
if( sig->version >= 4 )
219
249
gcry_md_putc( digest, sig->version );
220
250
gcry_md_putc( digest, sig->sig_class );
254
284
gcry_md_write( digest, buf, 6 );
256
gcry_md_final (digest);
286
gcry_md_final( digest );
258
result = encode_md_value( pk->pubkey_algo, digest, sig->digest_algo,
259
mpi_get_nbits(pk->pkey[0]), 0 );
288
result = encode_md_value( pk, NULL, digest, sig->digest_algo );
261
return GPG_ERR_GENERAL;
290
return G10ERR_GENERAL;
264
rc = pk_verify ( pk->pubkey_algo, result, sig->data, pk->pkey);
265
gcry_mpi_release ( result );
266
if( (opt.emulate_bugs & EMUBUG_MDENCODE)
267
&& gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE
268
&& is_ELGAMAL(pk->pubkey_algo) ) {
269
/* In this case we try again because old GnuPG versions didn't encode
270
* the hash right. There is no problem with DSA however */
271
result = encode_md_value( pk->pubkey_algo, digest, sig->digest_algo,
272
mpi_get_nbits(pk->pkey[0]), (sig->version < 5) );
274
rc = GPG_ERR_GENERAL;
278
rc = pk_verify (pk->pubkey_algo, result, sig->data, pk->pkey);
293
rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
294
gcry_mpi_release (result);
282
if( !rc && sig->flags.unknown_critical ) {
283
log_info(_("assuming bad signature from key %08lX "
284
"due to an unknown critical bit\n"),
285
(ulong)keyid_from_pk(pk,NULL));
286
rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
296
if( !rc && sig->flags.unknown_critical )
298
log_info(_("assuming bad signature from key %s"
299
" due to an unknown critical bit\n"),keystr_from_pk(pk));
300
rc = G10ERR_BAD_SIGN;
289
303
if(!rc && ret_pk)
290
304
copy_public_key(ret_pk,pk);
346
360
/* Check the revocation keys to see if any of them have revoked our
347
361
pk. sig is the revocation sig. pk is the key it is on. This code
348
362
will need to be modified if gpg ever becomes multi-threaded. Note
349
363
that this guarantees that a designated revocation sig will never be
350
364
considered valid unless it is actually valid, as well as being
351
issued by a revocation key in a valid direct signature. Note that
352
this is written so that a revoked revoker can still issue
365
issued by a revocation key in a valid direct signature. Note also
366
that this is written so that a revoked revoker can still issue
353
367
revocations: i.e. If A revokes B, but A is revoked, B is still
354
368
revoked. I'm not completely convinced this is the proper behavior,
355
369
but it matches how PGP does it. -dms */
357
371
/* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
372
revoked. It is important that G10ERR_NO_PUBKEY is only returned
373
when a revocation signature is from a valid revocation key
374
designated in a revkey subpacket, but the revocation key itself
360
377
check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)
362
379
static int busy=0;
363
int i,rc=GPG_ERR_GENERAL;
380
int i,rc=G10ERR_GENERAL;
365
382
assert(IS_KEY_REV(sig));
366
383
assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
370
/* return -1 (i.e. not revoked), but mark the pk as uncacheable
371
as we don't really know its revocation status until it is
387
/* return an error (i.e. not revoked), but mark the pk as
388
uncacheable as we don't really know its revocation status
389
until it is checked directly. */
374
391
pk->dont_cache=1;
428
/* Backsigs (0x19) have the same format as binding sigs (0x18), but
429
this function is simpler than check_key_signature in a few ways.
430
For example, there is no support for expiring backsigs since it is
431
questionable what such a thing actually means. Note also that the
432
sig cache check here, unlike other sig caches in GnuPG, is not
435
check_backsig(PKT_public_key *main_pk,PKT_public_key *sub_pk,
436
PKT_signature *backsig)
441
if(!opt.no_sig_cache && backsig->flags.checked)
443
if((rc=openpgp_md_test_algo (backsig->digest_algo)))
446
return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
449
if (gcry_md_open (&md, backsig->digest_algo,0))
451
hash_public_key(md,main_pk);
452
hash_public_key(md,sub_pk);
453
rc=do_check(sub_pk,backsig,md,NULL,NULL,NULL);
454
cache_sig_result(backsig,rc);
410
461
/****************
411
462
* check the signature pointed to by NODE. This is a key signature.
412
463
* If the function detects a self-signature, it uses the PK from
416
467
check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
418
return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL);
469
return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL );
421
472
/* If check_pk is set, then use it to check the signature in node
478
534
rc=check_revocation_keys(pk,sig);
481
gcry_md_open (&md, algo, 0 );
537
if (gcry_md_open (&md, algo, 0 ))
482
539
hash_public_key( md, pk );
483
540
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
484
541
cache_sig_result ( sig, rc );
489
546
KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
492
gcry_md_open (&md, algo, 0 );
549
if (gcry_md_open (&md, algo, 0))
493
551
hash_public_key( md, pk );
494
552
hash_public_key( md, snode->pkt->pkt.public_key );
495
553
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
496
554
cache_sig_result ( sig, rc );
497
555
gcry_md_close(md);
501
log_info (_("key %08lX: no subkey for subkey "
502
"revocation signature\n"),
503
(ulong)keyid_from_pk (pk, NULL));
504
rc = GPG_ERR_SIG_CLASS;
560
log_info (_("key %s: no subkey for subkey"
561
" revocation signature\n"),keystr_from_pk(pk));
562
rc = G10ERR_SIG_CLASS;
507
565
else if( sig->sig_class == 0x18 ) { /* key binding */
508
566
KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
515
573
if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
518
gcry_md_open (&md, algo, 0 );
576
if (gcry_md_open (&md, algo, 0))
519
578
hash_public_key( md, pk );
520
579
hash_public_key( md, snode->pkt->pkt.public_key );
521
580
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
522
581
cache_sig_result ( sig, rc );
523
582
gcry_md_close(md);
527
log_info(_("key %08lX: no subkey for subkey "
528
"binding signature\n"),
529
(ulong)keyid_from_pk (pk, NULL));
530
rc = GPG_ERR_SIG_CLASS;
587
log_info(_("key %s: no subkey for subkey"
588
" binding signature\n"),keystr_from_pk(pk));
589
rc = G10ERR_SIG_CLASS;
533
592
else if( sig->sig_class == 0x1f ) { /* direct key signature */
534
gcry_md_open (&md, algo, 0 );
593
if (gcry_md_open (&md, algo, 0 ))
535
595
hash_public_key( md, pk );
536
596
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
537
597
cache_sig_result ( sig, rc );
554
615
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
556
617
else if (check_pk)
557
rc=do_check(check_pk,sig,md,r_expired, NULL, ret_pk);
618
rc=do_check(check_pk,sig,md,r_expired,NULL,ret_pk);
559
rc = signature_check2( sig, md, r_expiredate, r_expired,
620
rc=signature_check2(sig,md,r_expiredate,r_expired,NULL,ret_pk);
562
622
cache_sig_result ( sig, rc );
563
623
gcry_md_close(md);
567
log_info ("key %08lX: no user ID for key signature packet "
569
(ulong)keyid_from_pk (pk, NULL), sig->sig_class );
570
rc = GPG_ERR_SIG_CLASS;
628
log_info ("key %s: no user ID for key signature packet"
629
" of class %02x\n",keystr_from_pk(pk),sig->sig_class);
630
rc = G10ERR_SIG_CLASS;