1
1
/* sig-check.c - Check a signature
2
* Copyright (C) 1998, 1999, 2000, 2001, 2002,
3
* 2003 Free Software Foundation, Inc.
2
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
3
* 2004, 2006 Free Software Foundation, Inc.
5
5
* This file is part of GnuPG.
7
7
* GnuPG is free software; you can redistribute it and/or modify
8
8
* it under the terms of the GNU General Public License as published by
9
* the Free Software Foundation; either version 2 of the License, or
9
* the Free Software Foundation; either version 3 of the License, or
10
10
* (at your option) any later version.
12
12
* GnuPG is distributed in the hope that it will be useful,
53
54
* is able to append some data, before finalizing the digest.
56
signature_check( PKT_signature *sig, MD_HANDLE digest )
57
signature_check (PKT_signature *sig, gcry_md_hd_t digest)
58
59
return signature_check2( sig, digest, NULL, NULL, NULL, NULL );
62
signature_check2( PKT_signature *sig, MD_HANDLE digest, u32 *r_expiredate,
63
signature_check2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
63
64
int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
65
PKT_public_key *pk = xcalloc (1, sizeof *pk );
66
PKT_public_key *pk = xmalloc_clear( sizeof *pk );
68
/* Sanity check that the md has a context for the hash that the
69
sig is expecting. This can happen if a onepass sig header does
70
not match the actual sig, and also if the clearsign "Hash:"
71
header is missing or does not match the actual sig. */
69
if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
70
; /* We don't have this digest. */
71
else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
72
; /* We don't have this pubkey algo. */
73
else if (!gcry_md_is_enabled (digest,sig->digest_algo))
75
/* Sanity check that the md has a context for the hash that the
76
sig is expecting. This can happen if a onepass sig header does
77
not match the actual sig, and also if the clearsign "Hash:"
78
header is missing or does not match the actual sig. */
73
if(!gcry_md_is_enabled (digest,sig->digest_algo)) {
74
80
log_info(_("WARNING: signature digest conflict in message\n"));
77
83
else if( get_pubkey( pk, sig->keyid ) )
78
rc = GPG_ERR_NO_PUBKEY;
84
rc = G10ERR_NO_PUBKEY;
79
85
else if(!pk->is_valid && !pk->is_primary)
80
rc=GPG_ERR_BAD_PUBKEY; /* you cannot have a good sig from an
86
rc=G10ERR_BAD_PUBKEY; /* you cannot have a good sig from an
84
*r_expiredate = pk->expiredate;
91
*r_expiredate = pk->expiredate;
85
93
rc = do_check( pk, sig, digest, r_expired, r_revoked, ret_pk );
95
/* Check the backsig. This is a 0x19 signature from the
96
subkey on the primary key. The idea here is that it should
97
not be possible for someone to "steal" subkeys and claim
98
them as their own. The attacker couldn't actually use the
99
subkey, but they could try and claim ownership of any
100
signaures issued by it. */
101
if(rc==0 && !pk->is_primary && pk->backsig<2)
105
log_info(_("WARNING: signing subkey %s is not"
106
" cross-certified\n"),keystr_from_pk(pk));
107
log_info(_("please see %s for more information\n"),
108
"http://www.gnupg.org/faq/subkey-cross-certify.html");
109
/* --require-cross-certification makes this warning an
110
error. TODO: change the default to require this
111
after more keys have backsigs. */
112
if(opt.flags.require_cross_cert)
115
else if(pk->backsig==1)
117
log_info(_("WARNING: signing subkey %s has an invalid"
118
" cross-certification\n"),keystr_from_pk(pk));
88
124
free_public_key( pk );
96
132
* one second. Some remote batch processing applications might
97
133
* like this feature here */
99
136
u32 a = sig->timestamp;
100
137
int i, nsig = pubkey_get_nsig( sig->pubkey_algo );
101
138
byte *p, *buffer;
103
gcry_md_open (&md, GCRY_MD_RMD160, 0);
140
if (gcry_md_open (&md, GCRY_MD_RMD160, 0))
143
/* FIXME: Why the hell are we updating DIGEST here??? */
104
144
gcry_md_putc( digest, sig->pubkey_algo );
105
145
gcry_md_putc( digest, sig->digest_algo );
106
146
gcry_md_putc( digest, (a >> 24) & 0xff );
107
147
gcry_md_putc( digest, (a >> 16) & 0xff );
108
gcry_md_putc( digest, (a >> 8) & 0xff );
109
gcry_md_putc( digest, a & 0xff );
148
gcry_md_putc( digest, (a >> 8) & 0xff );
149
gcry_md_putc( digest, a & 0xff );
110
150
for(i=0; i < nsig; i++ ) {
112
152
unsigned char *tmp;
114
154
if (gcry_mpi_aprint (GCRYMPI_FMT_USG, &tmp, &n, sig->data[i]))
117
156
gcry_md_write (md, tmp, n);
121
p = make_radix64_string( gcry_md_read( md, 0 ), 20 );
122
buffer = xmalloc ( strlen(p) + 60 );
160
p = make_radix64_string ( gcry_md_read( md, 0 ), 20 );
161
buffer = xmalloc( strlen(p) + 60 );
123
162
sprintf( buffer, "%s %s %lu",
124
163
p, strtimestamp( sig->timestamp ), (ulong)sig->timestamp );
125
164
write_status_text( STATUS_SIG_ID, buffer );
128
167
gcry_md_close(md);
136
175
do_check_messages( PKT_public_key *pk, PKT_signature *sig,
137
int *r_expired, int *r_revoked )
176
int *r_expired, int *r_revoked )
145
if( pk->version == 4 && pk->pubkey_algo == PUBKEY_ALGO_ELGAMAL_E ) {
146
log_info(_("key %08lX: this is a PGP generated "
147
"ElGamal key which is NOT secure for signatures!\n"),
148
(ulong)keyid_from_pk(pk,NULL));
149
return GPG_ERR_PUBKEY_ALGO;
152
if( pk->timestamp > sig->timestamp ) {
185
if( pk->timestamp > sig->timestamp )
153
187
ulong d = pk->timestamp - sig->timestamp;
155
? _("public key %08lX is %lu second newer than the signature\n")
156
: _("public key %08lX is %lu seconds newer than the signature\n"),
157
(ulong)keyid_from_pk(pk,NULL),d );
189
?_("public key %s is %lu second newer than the signature\n")
190
:_("public key %s is %lu seconds newer than the signature\n"),
191
keystr_from_pk(pk),d );
158
192
if( !opt.ignore_time_conflict )
159
return GPG_ERR_TIME_CONFLICT; /* pubkey newer than signature */
193
return G10ERR_TIME_CONFLICT; /* pubkey newer than signature */
162
196
cur_time = make_timestamp();
163
if( pk->timestamp > cur_time ) {
197
if( pk->timestamp > cur_time )
164
199
ulong d = pk->timestamp - cur_time;
165
log_info( d==1 ? _("key %08lX has been created %lu second "
166
"in future (time warp or clock problem)\n")
167
: _("key %08lX has been created %lu seconds "
168
"in future (time warp or clock problem)\n"),
169
(ulong)keyid_from_pk(pk,NULL),d );
201
? _("key %s was created %lu second"
202
" in the future (time warp or clock problem)\n")
203
: _("key %s was created %lu seconds"
204
" in the future (time warp or clock problem)\n"),
205
keystr_from_pk(pk),d );
170
206
if( !opt.ignore_time_conflict )
171
return GPG_ERR_TIME_CONFLICT;
207
return G10ERR_TIME_CONFLICT;
174
210
if( pk->expiredate && pk->expiredate < cur_time ) {
179
keyid_from_pk( pk, tmp_kid );
180
log_info(_("NOTE: signature key %08lX expired %s\n"),
181
(ulong)tmp_kid[1], asctimestamp( pk->expiredate ) );
213
log_info(_("NOTE: signature key %s expired %s\n"),
214
keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
183
215
/* SIGEXPIRED is deprecated. Use KEYEXPIRED. */
184
216
sprintf(buf,"%lu",(ulong)pk->expiredate);
185
217
write_status_text(STATUS_KEYEXPIRED,buf);
186
218
write_status(STATUS_SIGEXPIRED);
191
223
if(pk->is_revoked && r_revoked)
199
do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest,
231
do_check( PKT_public_key *pk, PKT_signature *sig, gcry_md_hd_t digest,
200
232
int *r_expired, int *r_revoked, PKT_public_key *ret_pk )
202
234
gcry_mpi_t result = NULL;
204
236
struct cmp_help_context_s ctx;
206
238
if( (rc=do_check_messages(pk,sig,r_expired,r_revoked)) )
208
if( (rc=gcry_md_test_algo(sig->digest_algo)) )
210
if( (rc=gcry_pk_test_algo(sig->pubkey_algo)) )
213
/* make sure the digest algo is enabled (in case of a detached
215
gcry_md_enable( digest, sig->digest_algo );
217
/* complete the digest */
241
/* Make sure the digest algo is enabled (in case of a detached
243
gcry_md_enable (digest, sig->digest_algo);
245
/* Complete the digest. */
218
246
if( sig->version >= 4 )
219
247
gcry_md_putc( digest, sig->version );
220
248
gcry_md_putc( digest, sig->sig_class );
254
282
gcry_md_write( digest, buf, 6 );
256
gcry_md_final (digest);
284
gcry_md_final( digest );
258
result = encode_md_value( pk->pubkey_algo, digest, sig->digest_algo,
259
mpi_get_nbits(pk->pkey[0]), 0 );
286
result = encode_md_value( pk, NULL, digest, sig->digest_algo );
261
return GPG_ERR_GENERAL;
288
return G10ERR_GENERAL;
264
rc = pk_verify ( pk->pubkey_algo, result, sig->data, pk->pkey);
265
gcry_mpi_release ( result );
266
if( (opt.emulate_bugs & EMUBUG_MDENCODE)
267
&& gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE
268
&& is_ELGAMAL(pk->pubkey_algo) ) {
269
/* In this case we try again because old GnuPG versions didn't encode
270
* the hash right. There is no problem with DSA however */
271
result = encode_md_value( pk->pubkey_algo, digest, sig->digest_algo,
272
mpi_get_nbits(pk->pkey[0]), (sig->version < 5) );
274
rc = GPG_ERR_GENERAL;
278
rc = pk_verify (pk->pubkey_algo, result, sig->data, pk->pkey);
291
rc = pk_verify( pk->pubkey_algo, result, sig->data, pk->pkey );
292
gcry_mpi_release (result);
282
if( !rc && sig->flags.unknown_critical ) {
283
log_info(_("assuming bad signature from key %08lX "
284
"due to an unknown critical bit\n"),
285
(ulong)keyid_from_pk(pk,NULL));
286
rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
294
if( !rc && sig->flags.unknown_critical )
296
log_info(_("assuming bad signature from key %s"
297
" due to an unknown critical bit\n"),keystr_from_pk(pk));
298
rc = G10ERR_BAD_SIGN;
289
301
if(!rc && ret_pk)
290
302
copy_public_key(ret_pk,pk);
346
358
/* Check the revocation keys to see if any of them have revoked our
347
359
pk. sig is the revocation sig. pk is the key it is on. This code
348
360
will need to be modified if gpg ever becomes multi-threaded. Note
349
361
that this guarantees that a designated revocation sig will never be
350
362
considered valid unless it is actually valid, as well as being
351
issued by a revocation key in a valid direct signature. Note that
352
this is written so that a revoked revoker can still issue
363
issued by a revocation key in a valid direct signature. Note also
364
that this is written so that a revoked revoker can still issue
353
365
revocations: i.e. If A revokes B, but A is revoked, B is still
354
366
revoked. I'm not completely convinced this is the proper behavior,
355
367
but it matches how PGP does it. -dms */
357
369
/* Returns 0 if sig is valid (i.e. pk is revoked), non-0 if not
370
revoked. It is important that G10ERR_NO_PUBKEY is only returned
371
when a revocation signature is from a valid revocation key
372
designated in a revkey subpacket, but the revocation key itself
360
375
check_revocation_keys(PKT_public_key *pk,PKT_signature *sig)
362
377
static int busy=0;
363
int i,rc=GPG_ERR_GENERAL;
378
int i,rc=G10ERR_GENERAL;
365
380
assert(IS_KEY_REV(sig));
366
381
assert((sig->keyid[0]!=pk->keyid[0]) || (sig->keyid[0]!=pk->keyid[1]));
370
/* return -1 (i.e. not revoked), but mark the pk as uncacheable
371
as we don't really know its revocation status until it is
385
/* return an error (i.e. not revoked), but mark the pk as
386
uncacheable as we don't really know its revocation status
387
until it is checked directly. */
374
389
pk->dont_cache=1;
426
/* Backsigs (0x19) have the same format as binding sigs (0x18), but
427
this function is simpler than check_key_signature in a few ways.
428
For example, there is no support for expiring backsigs since it is
429
questionable what such a thing actually means. Note also that the
430
sig cache check here, unlike other sig caches in GnuPG, is not
433
check_backsig(PKT_public_key *main_pk,PKT_public_key *sub_pk,
434
PKT_signature *backsig)
439
/* Always check whether the algorithm is available. Although
440
gcry_md_open woyuld throw an error, some libgcrypt versions will
441
print a debug message in that case too. */
442
if ((rc=openpgp_md_test_algo (backsig->digest_algo)))
445
if(!opt.no_sig_cache && backsig->flags.checked)
446
return backsig->flags.valid? 0 : gpg_error (GPG_ERR_BAD_SIGNATURE);
448
rc = gcry_md_open (&md, backsig->digest_algo,0);
451
hash_public_key(md,main_pk);
452
hash_public_key(md,sub_pk);
453
rc=do_check(sub_pk,backsig,md,NULL,NULL,NULL);
454
cache_sig_result(backsig,rc);
410
462
/****************
411
463
* check the signature pointed to by NODE. This is a key signature.
412
464
* If the function detects a self-signature, it uses the PK from
416
468
check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
418
return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL);
470
return check_key_signature2(root, node, NULL, NULL, is_selfsig, NULL, NULL );
421
473
/* If check_pk is set, then use it to check the signature in node
478
535
rc=check_revocation_keys(pk,sig);
481
gcry_md_open (&md, algo, 0 );
538
if (gcry_md_open (&md, algo, 0 ))
482
540
hash_public_key( md, pk );
483
541
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
484
542
cache_sig_result ( sig, rc );
489
547
KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
492
gcry_md_open (&md, algo, 0 );
550
if (gcry_md_open (&md, algo, 0))
493
552
hash_public_key( md, pk );
494
553
hash_public_key( md, snode->pkt->pkt.public_key );
495
554
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
496
555
cache_sig_result ( sig, rc );
497
556
gcry_md_close(md);
501
log_info (_("key %08lX: no subkey for subkey "
502
"revocation signature\n"),
503
(ulong)keyid_from_pk (pk, NULL));
504
rc = GPG_ERR_SIG_CLASS;
561
log_info (_("key %s: no subkey for subkey"
562
" revocation signature\n"),keystr_from_pk(pk));
563
rc = G10ERR_SIG_CLASS;
507
566
else if( sig->sig_class == 0x18 ) { /* key binding */
508
567
KBNODE snode = find_prev_kbnode( root, node, PKT_PUBLIC_SUBKEY );
515
574
if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] )
518
gcry_md_open (&md, algo, 0 );
577
if (gcry_md_open (&md, algo, 0))
519
579
hash_public_key( md, pk );
520
580
hash_public_key( md, snode->pkt->pkt.public_key );
521
581
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
522
582
cache_sig_result ( sig, rc );
523
583
gcry_md_close(md);
527
log_info(_("key %08lX: no subkey for subkey "
528
"binding signature\n"),
529
(ulong)keyid_from_pk (pk, NULL));
530
rc = GPG_ERR_SIG_CLASS;
588
log_info(_("key %s: no subkey for subkey"
589
" binding signature\n"),keystr_from_pk(pk));
590
rc = G10ERR_SIG_CLASS;
533
593
else if( sig->sig_class == 0x1f ) { /* direct key signature */
534
gcry_md_open (&md, algo, 0 );
594
if (gcry_md_open (&md, algo, 0 ))
535
596
hash_public_key( md, pk );
536
597
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
537
598
cache_sig_result ( sig, rc );
554
616
rc = do_check( pk, sig, md, r_expired, NULL, ret_pk );
556
618
else if (check_pk)
557
rc=do_check(check_pk,sig,md,r_expired, NULL, ret_pk);
619
rc=do_check(check_pk,sig,md,r_expired,NULL,ret_pk);
559
rc = signature_check2( sig, md, r_expiredate, r_expired,
621
rc=signature_check2(sig,md,r_expiredate,r_expired,NULL,ret_pk);
562
623
cache_sig_result ( sig, rc );
563
624
gcry_md_close(md);
567
log_info ("key %08lX: no user ID for key signature packet "
569
(ulong)keyid_from_pk (pk, NULL), sig->sig_class );
570
rc = GPG_ERR_SIG_CLASS;
629
log_info ("key %s: no user ID for key signature packet"
630
" of class %02x\n",keystr_from_pk(pk),sig->sig_class);
631
rc = G10ERR_SIG_CLASS;