author | Panu Matilainen <pmatilai@redhat.com> | 2011-11-06 20:58:56 +0200 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2011-11-07 08:05:34 +0200 |
commit | dc3f313b667844e397028bbf2c7dc75cf2917a7a (patch) | |
tree | ac76c56dc0681160da92bf8f6d39c7453792acff | |
parent | 44f1c853fd776f50f58f300e6045d45d73ff5566 (diff) | |
Add another pgpVerify variant which takes key and sig as separate args
- pgpVerifySig() is now just a dumb wrapper around pgpVerifySignature()
which does the real work.
- Update the sole caller to use the new interface instead, deprecate
the old dig interface.
- First steps towards getting rid of pgpDig which always was a
strange creature and now is nothing but a nuisance and obfuscation.
Yes keys and signatures walk hand in hand much of the time, but
they come from different sources and want to be handled as
separate data really.
-rw-r--r-- | lib/signature.c | 2 | ||||
-rw-r--r-- | rpmio/rpmpgp.c | 33 | ||||
-rw-r--r-- | rpmio/rpmpgp.h | 11 |
3 files changed, 32 insertions, 14 deletions
diff --git a/lib/signature.c b/lib/signature.c
index dcb6a7c3a..ff7a0653d 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -479,7 +479,7 @@ verifySignature(rpmKeyring keyring, pgpDig dig, DIGEST_CTX hashctx, int isHdr,
 /* Call verify even if we dont have a key for a basic sanity check */
 (void) rpmKeyringLookup(keyring, dig);
- res = pgpVerifySig(dig, hashctx);
+ res = pgpVerifySignature(&dig->pubkey, &dig->signature, hashctx);
 sigid = pgpIdentItem(&dig->signature);
 rasprintf(msg, "%s%s: %s\n", isHdr ? _("Header ") : "", sigid,
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index e64ea0147..c846967e5 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -929,26 +929,25 @@ char *pgpIdentItem(pgpDigParams digp)
 return id;
 }
-rpmRC pgpVerifySig(pgpDig dig, DIGEST_CTX hashctx)
+rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx)
 {
 DIGEST_CTX ctx = rpmDigestDup(hashctx);
 uint8_t *hash = NULL;
 size_t hashlen = 0;
 rpmRC res = RPMRC_FAIL; /* assume failure */
- pgpDigParams sigp = dig ? &dig->signature : NULL;
- if (sigp == NULL || ctx == NULL)
+ if (sig == NULL || ctx == NULL)
 goto exit;
- if (sigp->hash != NULL)
- rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen);
+ if (sig->hash != NULL)
+ rpmDigestUpdate(ctx, sig->hash, sig->hashlen);
- if (sigp->version == 4) {
+ if (sig->version == 4) {
 /* V4 trailer is six octets long (rfc4880) */
 uint8_t trailer[6];
- uint32_t nb = sigp->hashlen;
+ uint32_t nb = sig->hashlen;
 nb = htonl(nb);
- trailer[0] = sigp->version;
+ trailer[0] = sig->version;
 trailer[1] = 0xff;
 memcpy(trailer+2, &nb, 4);
 rpmDigestUpdate(ctx, trailer, sizeof(trailer));
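Review bot: `key` is never checked for NULL in pgpVerifySignature(): the guard in this hunk tests only `sig` and `ctx`, while the next hunk dereferences `key->alg` as soon as the 16-bit digest comparison passes. The old entry point bailed out on a NULL dig before reaching that line, so the new public function is less tolerant of bad arguments than the one it replaces. Because the surrounding comment already treats a missing key as "looks okay but dunno", the branch in the next hunk could read `if (key == NULL || key->alg == NULL) {`, which gives a caller without a key RPMRC_NOKEY rather than a NULL dereference. The function body spans this hunk and the following one.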
@@ -957,20 +956,20 @@ rpmRC pgpVerifySig(pgpDig dig, DIGEST_CTX hashctx)
 rpmDigestFinal(ctx, (void **)&hash, &hashlen, 0);
 /* Compare leading 16 bits of digest for quick check. */
- if (hash == NULL || memcmp(hash, sigp->signhash16, 2) != 0)
+ if (hash == NULL || memcmp(hash, sig->signhash16, 2) != 0)
 goto exit;
 /*
 * If we have a key, verify the signature for real. Otherwise we've
 * done all we can, return NOKEY to indicate "looks okay but dunno."
 */
- if (dig->pubkey.alg == NULL) {
+ if (key->alg == NULL) {
 res = RPMRC_NOKEY;
 } else {
- pgpDigAlg sa = dig->signature.alg;
- pgpDigAlg ka = dig->pubkey.alg;
+ pgpDigAlg sa = sig->alg;
+ pgpDigAlg ka = key->alg;
 if (sa && sa->verify) {
- if (sa->verify(ka, sa, hash, hashlen, sigp->hash_algo) == 0) {
+ if (sa->verify(ka, sa, hash, hashlen, sig->hash_algo) == 0) {
 res = RPMRC_OK;
 }
 }
@@ -982,6 +981,14 @@ exit:
 }
+rpmRC pgpVerifySig(pgpDig dig, DIGEST_CTX hashctx)
+{
+ if (dig == NULL || hashctx == NULL)
+ return RPMRC_FAIL;
+
+ return pgpVerifySignature(&dig->pubkey, &dig->signature, hashctx);
+}
+
 static pgpArmor decodePkts(uint8_t *b, uint8_t **pkt, size_t *pktlen)
 {
 const char * enc = NULL;
diff --git a/rpmio/rpmpgp.h b/rpmio/rpmpgp.h
index 00f960639..920afbc74 100644
--- a/rpmio/rpmpgp.h
+++ b/rpmio/rpmpgp.h
@@ -1046,6 +1046,17 @@ pgpDig pgpFreeDig(pgpDig dig);
 /** \ingroup rpmpgp
 * Verify a PGP signature.
+ * @param key public key
+ * @param sig signature
+ * @param hashctx digest context
+ * @return RPMRC_OK on success
+ */
+rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx);
+
+/** \ingroup rpmpgp
+ * Verify a PGP signature.
+ * @deprecated use pgpVerifySignature() instead
+ *
 * @param dig container
 * @param hashctx digest context
 * @return RPMRC_OK on success |
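Review bot: The new doc comment for pgpVerifySignature() in rpmio/rpmpgp.h documents only `RPMRC_OK`, but the implementation in rpmio/rpmpgp.c also returns RPMRC_NOKEY when the key has no algorithm data and RPMRC_FAIL in every other case. RPMRC_NOKEY is reached after only the leading 16 bits of the digest have been compared, so the header should say that it is not a verification result, for example `@return RPMRC_OK on success, RPMRC_NOKEY if no key material was available (signature NOT verified), RPMRC_FAIL otherwise`. Now that key and signature arrive as separate arguments, the comment should also state whose job it is to pair them: nothing in the visible hunks checks that `key` is the signer of `sig`, so presumably the caller must ensure that. A short `@param hashctx` remark that the context is duplicated and left unfinalized for the caller would match the `rpmDigestDup(hashctx)` call in the implementation.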