initial GNU TLS import - this should reduce in size considerable

12 files changed, 3574 insertions, 0 deletions

diff --git a/src/daemon/https/openpgp/Makefile.am b/src/daemon/https/openpgp/Makefile.am
new file mode 100644
index 00000000..94c27ac1
--- /dev/null
+++ b/src/daemon/https/openpgp/Makefile.am
@@ -0,0 +1,27 @@
+SUBDIRS = .
+
+AM_CPPFLAGS = -I./includes \
+-I$(top_srcdir)/src/daemon/https/includes \
+-I$(top_srcdir)/src/daemon/https/lgl \
+-I$(top_srcdir)/src/daemon/https/x509 \
+-I$(top_srcdir)/src/daemon/https/tls \
+-I$(top_srcdir)/src/daemon/https/openpgp \
+-I$(top_srcdir)/src/daemon/https/opencdk \
+-I$(top_srcdir)/src/daemon/https/minitasn1
+
+noinst_LTLIBRARIES = libopenpgp.la
+
+# libopenpgp_la_LDFLAGS = -l$(top_srcdir)/src/daemon/https/libextra/.lib/libextra.la
+
+libopenpgp_la_SOURCES = \
+pgp_privkey.c \
+compat.c \
+pgp_verify.c \
+extras.c \
+pgp.c
+
+# x libextra source list
+libopenpgp_la_SOURCES += \
+gnutls_openpgp.c \
+gnutls_ia.c \
+gnutls_extra.c
diff --git a/src/daemon/https/openpgp/compat.c b/src/daemon/https/openpgp/compat.c
new file mode 100644
index 00000000..1ba7177a
--- /dev/null
+++ b/src/daemon/https/openpgp/compat.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation
+ *
+ * Author: Timo Schulz, Nikos Mavrogiannopoulos
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *               
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *                               
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* Compatibility functions on OpenPGP key parsing.
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_errors.h>
+#include <gnutls_openpgp.h>
+#include "openpgp.h"
+
+/*-
+ * gnutls_openpgp_verify_key - Verify all signatures on the key
+ * @cert_list: the structure that holds the certificates.
+ * @cert_list_lenght: the items in the cert_list.
+ * @status: the output of the verification function
+ *
+ * Verify all signatures in the certificate list. When the key
+ * is not available, the signature is skipped.
+ *
+ * The return value is one of the CertificateStatus entries.
+ *
+ * NOTE: this function does not verify using any "web of trust". You
+ * may use GnuPG for that purpose, or any other external PGP application.
+ -*/
+int
+_gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t cred,
+                            const gnutls_datum_t * cert_list,
+                            int cert_list_length, unsigned int *status)
+{
+  int ret = 0;
+  gnutls_openpgp_crt_t key = NULL;
+  unsigned int verify = 0, verify_self = 0;
+
+  if (!cert_list || cert_list_length != 1)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_NO_CERTIFICATE_FOUND;
+    }
+
+  ret = gnutls_openpgp_crt_init (&key);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret =
+    gnutls_openpgp_crt_import (key, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto leave;
+    }
+
+#ifndef KEYRING_HACK
+  if (cred->keyring != NULL)
+    {
+      ret = gnutls_openpgp_crt_verify_ring (key, cred->keyring, 0, &verify);
+      if (ret < 0)
+        {
+          gnutls_assert ();
+          goto leave;
+        }
+    }
+#else
+  {
+    gnutls_openpgp_keyring_t kring;
+
+    ret = gnutls_openpgp_keyring_init (&kring);
+    if (ret < 0)
+      {
+        gnutls_assert ();
+        return ret;
+      }
+
+    ret =
+      gnutls_openpgp_keyring_import (kring, &cred->keyring,
+                                     cred->keyring_format);
+    if (ret < 0)
+      {
+        gnutls_assert ();
+        gnutls_openpgp_keyring_deinit (kring);
+        return ret;
+      }
+
+    ret = gnutls_openpgp_crt_verify_ring (key, kring, 0, &verify);
+    if (ret < 0)
+      {
+        gnutls_assert ();
+        gnutls_openpgp_keyring_deinit (kring);
+        return ret;
+      }
+    gnutls_openpgp_keyring_deinit (kring);
+  }
+#endif
+
+  /* Now try the self signature. */
+  ret = gnutls_openpgp_crt_verify_self (key, 0, &verify_self);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto leave;
+    }
+
+  *status = verify_self | verify;
+
+#ifndef KEYRING_HACK
+  /* If we only checked the self signature. */
+  if (!cred->keyring)
+#else
+  if (!cred->keyring.data || !cred->keyring.size)
+#endif
+    *status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
+
+
+  ret = 0;
+
+leave:
+  gnutls_openpgp_crt_deinit (key);
+
+  return ret;
+}
+
+/*-
+ * gnutls_openpgp_fingerprint - Gets the fingerprint
+ * @cert: the raw data that contains the OpenPGP public key.
+ * @fpr: the buffer to save the fingerprint.
+ * @fprlen: the integer to save the length of the fingerprint.
+ *
+ * Returns the fingerprint of the OpenPGP key. Depence on the algorithm,
+ * the fingerprint can be 16 or 20 bytes.
+ -*/
+int
+_gnutls_openpgp_fingerprint (const gnutls_datum_t * cert,
+                             unsigned char *fpr, size_t * fprlen)
+{
+  gnutls_openpgp_crt_t key;
+  int ret;
+
+  ret = gnutls_openpgp_crt_init (&key);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = gnutls_openpgp_crt_import (key, cert, GNUTLS_OPENPGP_FMT_RAW);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = gnutls_openpgp_crt_get_fingerprint (key, fpr, fprlen);
+  gnutls_openpgp_crt_deinit (key);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  return 0;
+}
+
+/*-
+ * gnutls_openpgp_get_raw_key_creation_time - Extract the timestamp
+ * @cert: the raw data that contains the OpenPGP public key.
+ *
+ * Returns the timestamp when the OpenPGP key was created.
+ -*/
+time_t
+_gnutls_openpgp_get_raw_key_creation_time (const gnutls_datum_t * cert)
+{
+  gnutls_openpgp_crt_t key;
+  int ret;
+  time_t tim;
+
+  ret = gnutls_openpgp_crt_init (&key);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = gnutls_openpgp_crt_import (key, cert, GNUTLS_OPENPGP_FMT_RAW);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  tim = gnutls_openpgp_crt_get_creation_time (key);
+
+  gnutls_openpgp_crt_deinit (key);
+
+  return tim;
+}
+
+
+/*-
+ * gnutls_openpgp_get_raw_key_expiration_time - Extract the expire date
+ * @cert: the raw data that contains the OpenPGP public key.
+ *
+ * Returns the time when the OpenPGP key expires. A value of '0' means
+ * that the key doesn't expire at all.
+ -*/
+time_t
+_gnutls_openpgp_get_raw_key_expiration_time (const gnutls_datum_t * cert)
+{
+  gnutls_openpgp_crt_t key;
+  int ret;
+  time_t tim;
+
+  ret = gnutls_openpgp_crt_init (&key);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = gnutls_openpgp_crt_import (key, cert, GNUTLS_OPENPGP_FMT_RAW);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  tim = gnutls_openpgp_crt_get_expiration_time (key);
+
+  gnutls_openpgp_crt_deinit (key);
+
+  return tim;
+}
diff --git a/src/daemon/https/openpgp/extras.c b/src/daemon/https/openpgp/extras.c
new file mode 100644
index 00000000..d3c755d4
--- /dev/null
+++ b/src/daemon/https/openpgp/extras.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
+ *
+ * Author: Nikos Mavrogiannopoulos, Timo Schulz
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *               
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *                               
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* Functions on OpenPGP keyring parsing
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_datum.h>
+#include <gnutls_global.h>
+#include <gnutls_errors.h>
+#include <gnutls_openpgp.h>
+#include <gnutls_num.h>
+#include "openpgp.h"
+
+/* Keyring stuff. */
+
+/**
+ * gnutls_openpgp_keyring_init - This function initializes a gnutls_openpgp_keyring_t structure
+ * @keyring: The structure to be initialized
+ *-
+ * This function will initialize an OpenPGP keyring structure. 
+ *
+ * Returns 0 on success.
+ *
+ **/
+int gnutls_openpgp_keyring_init(gnutls_openpgp_keyring_t * keyring)
+{
+  *keyring = gnutls_calloc(1, sizeof(gnutls_openpgp_keyring_int));
+
+  if (*keyring)
+    return 0; /* success */
+  return GNUTLS_E_MEMORY_ERROR;
+}
+
+/**
+ * gnutls_openpgp_keyring_deinit - This function deinitializes memory used by a gnutls_openpgp_keyring_t structure
+ * @keyring: The structure to be initialized
+ *
+ * This function will deinitialize a keyring structure. 
+ *
+ **/
+void gnutls_openpgp_keyring_deinit(gnutls_openpgp_keyring_t keyring)
+{
+  if (!keyring)
+    return;
+
+  if (keyring->db)
+    {
+      cdk_keydb_free(keyring->db);
+      keyring->db = NULL;
+    }
+
+  /* In some cases the stream is also stored outside the keydb context
+   and we need to close it here then. */
+  if (keyring->db_stream)
+    {
+      cdk_stream_close(keyring->db_stream);
+      keyring->db_stream = NULL;
+    }
+
+  gnutls_free(keyring);
+}
+
+/**
+ * gnutls_openpgp_keyring_check_id - Check if a key id exists in the keyring
+ * @ring: holds the keyring to check against
+ * @keyid: will hold the keyid to check for.
+ * @flags: unused (should be 0)
+ *
+ * Check if a given key ID exists in the keyring.
+ *
+ * Returns 0 on success (if keyid exists) and a negative error code
+ * on failure.
+ **/
+int gnutls_openpgp_keyring_check_id(gnutls_openpgp_keyring_t ring,
+                                    const unsigned char keyid[8],
+                                    unsigned int flags)
+{
+  cdk_pkt_pubkey_t pk;
+  uint32_t id[2];
+
+  id[0] = _gnutls_read_uint32(keyid);
+  id[1] = _gnutls_read_uint32(&keyid[4]);
+
+  if (!cdk_keydb_get_pk(ring->db, id, &pk))
+    {
+      cdk_pk_release(pk);
+      return 0;
+    }
+
+  _gnutls_debug_log ("PGP: key not found %08lX\n", (unsigned long) id[1]);
+  return GNUTLS_E_NO_CERTIFICATE_FOUND;
+}
+
+/**
+ * gnutls_openpgp_keyring_import - Import a raw- or Base64-encoded OpenPGP keyring
+ * @keyring: The structure to store the parsed key.
+ * @data: The RAW or BASE64 encoded keyring.
+ * @format: One of #gnutls_openpgp_keyring_fmt elements.
+ *
+ * This function will convert the given RAW or Base64 encoded keyring to the
+ * native #gnutls_openpgp_keyring_t format.  The output will be stored in
+ * 'keyring'.
+ *
+ * Returns 0 on success.
+ *
+ **/
+int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring_t keyring,
+                                  const gnutls_datum_t * data,
+                                  gnutls_openpgp_crt_fmt_t format)
+{
+  cdk_error_t err;
+  cdk_stream_t input;
+
+  _gnutls_debug_log ("PGP: keyring import format '%s'\n",
+      format == GNUTLS_OPENPGP_FMT_RAW ? "raw" : "base64");
+
+  if (format == GNUTLS_OPENPGP_FMT_RAW)
+    {
+      err
+          = cdk_keydb_new(&keyring->db, CDK_DBTYPE_DATA, data->data, data->size);
+      if (err)
+        gnutls_assert ();
+      return _gnutls_map_cdk_rc (err);
+    }
+
+  /* Create a new stream from the given data, which means to
+   allocate a new stream and to write the data in the stream.
+   Then push the armor filter to decode the data and to store
+   it in the raw format. */
+  err = cdk_stream_tmp_from_mem(data->data, data->size, &input);
+  if (!err)
+    err = cdk_stream_set_armor_flag(input, 0);
+  if (!err)
+    err = cdk_keydb_new_from_stream(&keyring->db, 0, input);
+  if (err)
+    {
+      cdk_stream_close(input);
+      gnutls_assert ();
+    }
+  else
+    /* The keydb function will not close the stream itself, so we need to
+     store it separately to close it later. */
+    keyring->db_stream = input;
+
+  return _gnutls_map_cdk_rc (err);
+}
diff --git a/src/daemon/https/openpgp/gnutls_extra.c b/src/daemon/https/openpgp/gnutls_extra.c
new file mode 100644
index 00000000..7c47e3f1
--- /dev/null
+++ b/src/daemon/https/openpgp/gnutls_extra.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2001, 2004, 2005, 2007 Free Software Foundation
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *               
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *                               
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_errors.h>
+#include <gnutls_extensions.h>
+#include <gnutls_openpgp.h>
+#include <gnutls_extra.h>
+#include <gnutls_extra_hooks.h>
+#include <gnutls_algorithms.h>
+
+/* the number of the compression algorithms available in the compression
+ * structure.
+ */
+extern int _gnutls_comp_algorithms_size;
+
+/* Functions in gnutls that have not been initialized.
+ */
+
+static int _gnutls_init_extra = 0;
+
+/**
+ * gnutls_global_init_extra - This function initializes the global state of gnutls-extra 
+ *
+ * This function initializes the global state of gnutls-extra library
+ * to defaults.  Returns zero on success.
+ *
+ * Note that gnutls_global_init() has to be called before this
+ * function.  If this function is not called then the gnutls-extra
+ * library will not be usable.
+ *
+ **/
+int
+gnutls_global_init_extra (void)
+{
+  int ret;
+
+  /* If the version of libgnutls != version of
+   * libextra, then do not initialize the library.
+   * This is because it may break things.
+   */
+  if (strcmp (gnutls_check_version (NULL), VERSION) != 0)
+    {
+      return GNUTLS_E_LIBRARY_VERSION_MISMATCH;
+    }
+
+  _gnutls_init_extra++;
+
+  if (_gnutls_init_extra != 1)
+    {
+      return 0;
+    }
+
+  /* Register the openpgp functions. This is because some
+   * of them are defined to be NULL in the main library.
+   */
+  _gnutls_add_openpgp_functions (_gnutls_openpgp_verify_key,
+                                 _gnutls_openpgp_get_raw_key_creation_time,
+                                 _gnutls_openpgp_get_raw_key_expiration_time,
+                                 _gnutls_openpgp_fingerprint,
+                                 _gnutls_openpgp_request_key,
+                                 _gnutls_openpgp_raw_key_to_gcert,
+                                 _gnutls_openpgp_raw_privkey_to_gkey,
+                                 _gnutls_openpgp_crt_to_gcert,
+                                 _gnutls_openpgp_privkey_to_gkey,
+                                 gnutls_openpgp_crt_deinit,
+                                 gnutls_openpgp_keyring_deinit,
+                                 gnutls_openpgp_privkey_deinit);
+
+  return 0;
+}
+
+#include <strverscmp.h>
+
+/**
+ * gnutls_extra_check_version - This function checks the library's version
+ * @req_version: the version to check
+ *
+ * Check that the version of the gnutls-extra library is at minimum
+ * the requested one and return the version string; return NULL if the
+ * condition is not satisfied.  If a NULL is passed to this function,
+ * no check is done, but the version string is simply returned.
+ *
+ **/
+const char *
+gnutls_extra_check_version (const char *req_version)
+{
+  if (!req_version || strverscmp (req_version, VERSION) <= 0)
+    return VERSION;
+
+  return NULL;
+}
diff --git a/src/daemon/https/openpgp/gnutls_extra.h b/src/daemon/https/openpgp/gnutls_extra.h
new file mode 100644
index 00000000..de7fc889
--- /dev/null
+++ b/src/daemon/https/openpgp/gnutls_extra.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2002, 2003, 2004, 2005, 2007 Free Software Foundation
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GNUTLS-EXTRA; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ */
+
+#include <auth_cert.h>
+
+typedef int (*OPENPGP_VERIFY_KEY_FUNC) (const
+                                        gnutls_certificate_credentials_t,
+                                        const gnutls_datum_t *, int,
+                                        unsigned int *);
+
+typedef time_t (*OPENPGP_KEY_CREATION_TIME_FUNC) (const gnutls_datum_t *);
+typedef time_t (*OPENPGP_KEY_EXPIRATION_TIME_FUNC) (const gnutls_datum_t *);
+typedef int (*OPENPGP_KEY_REQUEST) (gnutls_session_t, gnutls_datum_t *,
+                                    const gnutls_certificate_credentials_t,
+                                    opaque *, int);
+
+typedef int (*OPENPGP_FINGERPRINT) (const gnutls_datum_t *,
+                                    unsigned char *, size_t *);
+
+typedef int (*OPENPGP_RAW_KEY_TO_GCERT) (gnutls_cert *,
+                                         const gnutls_datum_t *);
+typedef int (*OPENPGP_RAW_PRIVKEY_TO_GKEY) (gnutls_privkey *,
+                                            const gnutls_datum_t *);
+
+typedef int (*OPENPGP_KEY_TO_GCERT) (gnutls_cert *, gnutls_openpgp_crt_t);
+typedef int (*OPENPGP_PRIVKEY_TO_GKEY) (gnutls_privkey *,
+                                        gnutls_openpgp_privkey_t);
+typedef void (*OPENPGP_KEY_DEINIT) (gnutls_openpgp_crt_t);
+typedef void (*OPENPGP_PRIVKEY_DEINIT) (gnutls_openpgp_privkey_t);
diff --git a/src/daemon/https/openpgp/gnutls_ia.c b/src/daemon/https/openpgp/gnutls_ia.c
new file mode 100644
index 00000000..55b22e9c
--- /dev/null
+++ b/src/daemon/https/openpgp/gnutls_ia.c
@@ -0,0 +1,905 @@
+/*
+ * Copyright (C) 2005, 2006 Free Software Foundation
+ *
+ * Author: Simon Josefsson
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *               
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *                               
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "gnutls_int.h"
+#include "gnutls_record.h"
+#include "gnutls_errors.h"
+#include "gnutls_num.h"
+#include "gnutls_state.h"
+
+#define CHECKSUM_SIZE 12
+
+struct gnutls_ia_client_credentials_st
+{
+  gnutls_ia_avp_func avp_func;
+  void *avp_ptr;
+};
+
+struct gnutls_ia_server_credentials_st
+{
+  gnutls_ia_avp_func avp_func;
+  void *avp_ptr;
+};
+
+static const char server_finished_label[] = "server phase finished";
+static const char client_finished_label[] = "client phase finished";
+static const char inner_permutation_label[] = "inner secret permutation";
+static const char challenge_label[] = "inner application challenge";
+
+/*
+ * The TLS/IA packet is the InnerApplication token, described as
+ * follows in draft-funk-tls-inner-application-extension-01.txt:
+ *
+ * enum {
+ *   application_payload(0), intermediate_phase_finished(1),
+ *   final_phase_finished(2), (255)
+ * } InnerApplicationType;
+ *
+ * struct {
+ *   InnerApplicationType msg_type;
+ *   uint24 length;
+ *   select (InnerApplicationType) {
+ *     case application_payload:           ApplicationPayload;
+ *     case intermediate_phase_finished:   IntermediatePhaseFinished;
+ *     case final_phase_finished:          FinalPhaseFinished;
+ *   } body;
+ * } InnerApplication;
+ *
+ */
+
+/* Send TLS/IA data.  If data==NULL && sizeofdata==NULL, then the last
+   send was interrupted for some reason, and then we try to send it
+   again.  Returns the number of bytes sent, or an error code.  If
+   this return E_AGAIN and E_INTERRUPTED, call this function again
+   with data==NULL&&sizeofdata=0NULL until it returns successfully. */
+static ssize_t
+_gnutls_send_inner_application (gnutls_session_t session,
+                                gnutls_ia_apptype_t msg_type,
+                                const char *data, size_t sizeofdata)
+{
+  opaque *p = NULL;
+  size_t plen = 0;
+  ssize_t len;
+
+  if (data != NULL)
+    {
+      plen = sizeofdata + 4;
+      p = gnutls_malloc (plen);
+      if (!p)
+        {
+          gnutls_assert ();
+          return GNUTLS_E_MEMORY_ERROR;
+        }
+
+      *(unsigned char *) p = (unsigned char) (msg_type & 0xFF);
+      _gnutls_write_uint24 (sizeofdata, p + 1);
+      memcpy (p + 4, data, sizeofdata);
+    }
+
+  len = _gnutls_send_int (session, GNUTLS_INNER_APPLICATION, -1, p, plen);
+
+  if (p)
+    gnutls_free (p);
+
+  return len;
+}
+
+/* Receive TLS/IA data.  Store received TLS/IA message type in
+   *MSG_TYPE, and the data in DATA of max SIZEOFDATA size.  Return the
+   number of bytes read, or an error code. */
+static ssize_t
+_gnutls_recv_inner_application (gnutls_session_t session,
+                                gnutls_ia_apptype_t * msg_type,
+                                opaque * data, size_t sizeofdata)
+{
+  ssize_t len;
+  opaque pkt[4];
+
+  len = _gnutls_recv_int (session, GNUTLS_INNER_APPLICATION, -1, pkt, 4);
+  if (len != 4)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+    }
+
+  *msg_type = pkt[0];
+  len = _gnutls_read_uint24 (&pkt[1]);
+
+  if (*msg_type != GNUTLS_IA_APPLICATION_PAYLOAD && len != CHECKSUM_SIZE)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+    }
+
+  if (sizeofdata < len)
+    {
+      /* XXX push back pkt to IA buffer? */
+      gnutls_assert ();
+      return GNUTLS_E_SHORT_MEMORY_BUFFER;
+    }
+
+  if (len > 0)
+    {
+      int tmplen = len;
+
+      len = _gnutls_recv_int (session, GNUTLS_INNER_APPLICATION, -1,
+                              data, tmplen);
+      if (len != tmplen)
+        {
+          gnutls_assert ();
+          /* XXX Correct? */
+          return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+        }
+    }
+
+  return len;
+}
+
+/* Apply the TLS PRF using the TLS/IA inner secret as keying material,
+   where the seed is the client random concatenated with the server
+   random concatenated EXTRA of EXTRA_SIZE length (which can be NULL/0
+   respectively).  LABEL and LABEL_SIZE is used as the label.  The
+   result is placed in pre-allocated OUT of OUTSIZE length. */
+static int
+_gnutls_ia_prf (gnutls_session_t session,
+                size_t label_size,
+                const char *label,
+                size_t extra_size,
+                const char *extra, size_t outsize, opaque * out)
+{
+  int ret;
+  opaque *seed;
+  size_t seedsize = 2 * TLS_RANDOM_SIZE + extra_size;
+
+  seed = gnutls_malloc (seedsize);
+  if (!seed)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  memcpy (seed, session->security_parameters.server_random, TLS_RANDOM_SIZE);
+  memcpy (seed + TLS_RANDOM_SIZE, session->security_parameters.client_random,
+          TLS_RANDOM_SIZE);
+  memcpy (seed + 2 * TLS_RANDOM_SIZE, extra, extra_size);
+
+  ret = _gnutls_PRF (session, session->security_parameters.inner_secret,
+                     TLS_MASTER_SIZE,
+                     label, label_size, seed, seedsize, outsize, out);
+
+  gnutls_free (seed);
+
+  return ret;
+}
+
+/**
+ * gnutls_ia_permute_inner_secret:
+ * @session: is a #gnutls_session_t structure.
+ * @session_keys_size: Size of generated session keys (0 if none).
+ * @session_keys: Generated session keys, used to permute inner secret
+ *                (NULL if none).
+ *
+ * Permute the inner secret using the generated session keys.
+ *
+ * This can be called in the TLS/IA AVP callback to mix any generated
+ * session keys with the TLS/IA inner secret.
+ *
+ * Return value: Return zero on success, or a negative error code.
+ **/
+int
+gnutls_ia_permute_inner_secret (gnutls_session_t session,
+                                size_t session_keys_size,
+                                const char *session_keys)
+{
+  return _gnutls_ia_prf (session,
+                         sizeof (inner_permutation_label) - 1,
+                         inner_permutation_label,
+                         session_keys_size,
+                         session_keys,
+                         TLS_RANDOM_SIZE,
+                         session->security_parameters.inner_secret);
+}
+
+/**
+ * gnutls_ia_generate_challenge:
+ * @session: is a #gnutls_session_t structure.
+ * @buffer_size: size of output buffer.
+ * @buffer: pre-allocated buffer to contain @buffer_size bytes of output.
+ *
+ * Generate an application challenge that the client cannot control or
+ * predict, based on the TLS/IA inner secret.
+ *
+ * Return value: Returns 0 on success, or an negative error code.
+ **/
+int
+gnutls_ia_generate_challenge (gnutls_session_t session,
+                              size_t buffer_size, char *buffer)
+{
+  return _gnutls_ia_prf (session,
+                         sizeof (challenge_label) - 1,
+                         challenge_label, 0, NULL, buffer_size, buffer);
+}
+
+/**
+ * gnutls_ia_extract_inner_secret:
+ * @session: is a #gnutls_session_t structure.
+ * @buffer: pre-allocated buffer to hold 48 bytes of inner secret.
+ *
+ * Copy the 48 bytes large inner secret into the specified buffer
+ *
+ * This function is typically used after the TLS/IA handshake has
+ * concluded.  The TLS/IA inner secret can be used as input to a PRF
+ * to derive session keys.  Do not use the inner secret directly as a
+ * session key, because for a resumed session that does not include an
+ * application phase, the inner secret will be identical to the inner
+ * secret in the original session.  It is important to include, for
+ * example, the client and server randomness when deriving a sesssion
+ * key from the inner secret.
+ **/
+void
+gnutls_ia_extract_inner_secret (gnutls_session_t session, char *buffer)
+{
+  memcpy (buffer, session->security_parameters.inner_secret, TLS_MASTER_SIZE);
+}
+
+/**
+ * gnutls_ia_endphase_send:
+ * @session: is a #gnutls_session_t structure.
+ * @final_p: Set iff this should signal the final phase.
+ *
+ * Send a TLS/IA end phase message.
+ *
+ * In the client, this should only be used to acknowledge an end phase
+ * message sent by the server.
+ *
+ * In the server, this can be called instead of gnutls_ia_send() if
+ * the server wishes to end an application phase.
+ *
+ * Return value: Return 0 on success, or an error code.
+ **/
+int
+gnutls_ia_endphase_send (gnutls_session_t session, int final_p)
+{
+  opaque local_checksum[CHECKSUM_SIZE];
+  int client = session->security_parameters.entity == GNUTLS_CLIENT;
+  const char *label = client ? client_finished_label : server_finished_label;
+  int size_of_label = client ? sizeof (client_finished_label) :
+    sizeof (server_finished_label);
+  ssize_t len;
+  int ret;
+
+  ret = _gnutls_PRF (session, session->security_parameters.inner_secret,
+                     TLS_MASTER_SIZE, label, size_of_label - 1,
+                     /* XXX specification unclear on seed. */
+                     "", 0, CHECKSUM_SIZE, local_checksum);
+  if (ret < 0)
+    return ret;
+
+  len = _gnutls_send_inner_application
+    (session,
+     final_p ? GNUTLS_IA_FINAL_PHASE_FINISHED :
+     GNUTLS_IA_INTERMEDIATE_PHASE_FINISHED, local_checksum, CHECKSUM_SIZE);
+
+  /* XXX  Instead of calling this function over and over...?
+   * while (len == GNUTLS_E_AGAIN || len == GNUTLS_E_INTERRUPTED)
+   *  len = _gnutls_io_write_flush(session);
+   */
+
+  if (len < 0)
+    {
+      gnutls_assert ();
+      return len;
+    }
+
+  return 0;
+}
+
+/**
+ * gnutls_ia_verify_endphase:
+ * @session: is a #gnutls_session_t structure.
+ * @checksum: 12-byte checksum data, received from gnutls_ia_recv().
+ *
+ * Verify TLS/IA end phase checksum data.  If verification fails, the
+ * %GNUTLS_A_INNER_APPLICATION_VERIFICATION alert is sent to the other
+ * sie.
+ *
+ * This function is called when gnutls_ia_recv() return
+ * %GNUTLS_E_WARNING_IA_IPHF_RECEIVED or
+ * %GNUTLS_E_WARNING_IA_FPHF_RECEIVED.
+ *
+ * Return value: Return 0 on successful verification, or an error
+ * code.  If the checksum verification of the end phase message fails,
+ * %GNUTLS_E_IA_VERIFY_FAILED is returned.
+ **/
+int
+gnutls_ia_verify_endphase (gnutls_session_t session, const char *checksum)
+{
+  char local_checksum[CHECKSUM_SIZE];
+  int client = session->security_parameters.entity == GNUTLS_CLIENT;
+  const char *label = client ? server_finished_label : client_finished_label;
+  int size_of_label = client ? sizeof (server_finished_label) :
+    sizeof (client_finished_label);
+  int ret;
+
+  ret = _gnutls_PRF (session, session->security_parameters.inner_secret,
+                     TLS_MASTER_SIZE,
+                     label, size_of_label - 1,
+                     "", 0, CHECKSUM_SIZE, local_checksum);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  if (memcmp (local_checksum, checksum, CHECKSUM_SIZE) != 0)
+    {
+      ret = gnutls_alert_send (session, GNUTLS_AL_FATAL,
+                               GNUTLS_A_INNER_APPLICATION_VERIFICATION);
+      if (ret < 0)
+        {
+          gnutls_assert ();
+          return ret;
+        }
+
+      return GNUTLS_E_IA_VERIFY_FAILED;
+    }
+
+  return 0;
+}
+
+/**
+ * gnutls_ia_send: Send peer the specified TLS/IA data.
+ * @session: is a #gnutls_session_t structure.
+ * @data: contains the data to send
+ * @sizeofdata: is the length of the data
+ *
+ * Send TLS/IA application payload data.  This function has the
+ * similar semantics with send(). The only difference is that is
+ * accepts a GNUTLS session, and uses different error codes.
+ *
+ * The TLS/IA protocol is synchronous, so you cannot send more than
+ * one packet at a time.  The client always send the first packet.
+ *
+ * To finish an application phase in the server, use
+ * gnutls_ia_endphase_send().  The client cannot end an application
+ * phase unilaterally; rather, a client is required to respond with an
+ * endphase of its own if gnutls_ia_recv indicates that the server has
+ * sent one.
+ *
+ * If the EINTR is returned by the internal push function (the default
+ * is send()} then %GNUTLS_E_INTERRUPTED will be returned.  If
+ * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must call
+ * this function again, with the same parameters; alternatively you
+ * could provide a %NULL pointer for data, and 0 for size.
+ *
+ * Returns the number of bytes sent, or a negative error code.
+ **/
+ssize_t
+gnutls_ia_send (gnutls_session_t session, const char *data, size_t sizeofdata)
+{
+  ssize_t len;
+
+  len = _gnutls_send_inner_application (session,
+                                        GNUTLS_IA_APPLICATION_PAYLOAD,
+                                        data, sizeofdata);
+
+  return len;
+}
+
+/**
+ * gnutls_ia_recv - read data from the TLS/IA protocol
+ * @session: is a #gnutls_session_t structure.
+ * @data: the buffer that the data will be read into, must hold >= 12 bytes.
+ * @sizeofdata: the number of requested bytes, must be >= 12.
+ *
+ * Receive TLS/IA data.  This function has the similar semantics with
+ * recv(). The only difference is that is accepts a GNUTLS session,
+ * and uses different error codes.
+ *
+ * If the server attempt to finish an application phase, this function
+ * will return %GNUTLS_E_WARNING_IA_IPHF_RECEIVED or
+ * %GNUTLS_E_WARNING_IA_FPHF_RECEIVED.  The caller should then invoke
+ * gnutls_ia_verify_endphase(), and if it runs the client side, also
+ * send an endphase message of its own using gnutls_ia_endphase_send.
+ *
+ * If EINTR is returned by the internal push function (the default is
+ * @code{recv()}) then GNUTLS_E_INTERRUPTED will be returned.  If
+ * GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN is returned, you must call
+ * this function again, with the same parameters; alternatively you
+ * could provide a NULL pointer for data, and 0 for size.
+ *
+ * Returns the number of bytes received.  A negative error code is
+ * returned in case of an error.  The
+ * %GNUTLS_E_WARNING_IA_IPHF_RECEIVED and
+ * %GNUTLS_E_WARNING_IA_FPHF_RECEIVED errors are returned when an
+ * application phase finished message has been sent by the server.
+ **/
+ssize_t
+gnutls_ia_recv (gnutls_session_t session, char *data, size_t sizeofdata)
+{
+  gnutls_ia_apptype_t msg_type;
+  ssize_t len;
+
+  len = _gnutls_recv_inner_application (session, &msg_type, data, sizeofdata);
+
+  if (msg_type == GNUTLS_IA_INTERMEDIATE_PHASE_FINISHED)
+    return GNUTLS_E_WARNING_IA_IPHF_RECEIVED;
+  else if (msg_type == GNUTLS_IA_FINAL_PHASE_FINISHED)
+    return GNUTLS_E_WARNING_IA_FPHF_RECEIVED;
+
+  return len;
+}
+
+/* XXX rewrite the following two functions as state machines, to
+   handle EAGAIN/EINTERRUPTED?  just add more problems to callers,
+   though.  */
+
+int
+_gnutls_ia_client_handshake (gnutls_session_t session)
+{
+  char *buf = NULL;
+  size_t buflen = 0;
+  char tmp[1024];               /* XXX */
+  ssize_t len;
+  int ret;
+  const struct gnutls_ia_client_credentials_st *cred =
+    _gnutls_get_cred (session->key, GNUTLS_CRD_IA, NULL);
+
+  if (cred == NULL)
+    return GNUTLS_E_INTERNAL_ERROR;
+
+  while (1)
+    {
+      char *avp;
+      size_t avplen;
+
+      ret = cred->avp_func (session, cred->avp_ptr,
+                            buf, buflen, &avp, &avplen);
+      if (ret)
+        {
+          int tmpret;
+          tmpret = gnutls_alert_send (session, GNUTLS_AL_FATAL,
+                                      GNUTLS_A_INNER_APPLICATION_FAILURE);
+          if (tmpret < 0)
+            gnutls_assert ();
+          return ret;
+        }
+
+      len = gnutls_ia_send (session, avp, avplen);
+      gnutls_free (avp);
+      if (len < 0)
+        return len;
+
+      len = gnutls_ia_recv (session, tmp, sizeof (tmp));
+      if (len == GNUTLS_E_WARNING_IA_IPHF_RECEIVED ||
+          len == GNUTLS_E_WARNING_IA_FPHF_RECEIVED)
+        {
+          ret = gnutls_ia_verify_endphase (session, tmp);
+          if (ret < 0)
+            return ret;
+
+          ret = gnutls_ia_endphase_send
+            (session, len == GNUTLS_E_WARNING_IA_FPHF_RECEIVED);
+          if (ret < 0)
+            return ret;
+        }
+
+      if (len == GNUTLS_E_WARNING_IA_IPHF_RECEIVED)
+        {
+          buf = NULL;
+          buflen = 0;
+          continue;
+        }
+      else if (len == GNUTLS_E_WARNING_IA_FPHF_RECEIVED)
+        break;
+
+      if (len < 0)
+        return len;
+
+      buflen = len;
+      buf = tmp;
+    }
+
+  return 0;
+}
+
+int
+_gnutls_ia_server_handshake (gnutls_session_t session)
+{
+  gnutls_ia_apptype_t msg_type;
+  ssize_t len;
+  char buf[1024];
+  int ret;
+  const struct gnutls_ia_server_credentials_st *cred =
+    _gnutls_get_cred (session->key, GNUTLS_CRD_IA, NULL);
+
+  if (cred == NULL)
+    return GNUTLS_E_INTERNAL_ERROR;
+
+  do
+    {
+      char *avp;
+      size_t avplen;
+
+      len = gnutls_ia_recv (session, buf, sizeof (buf));
+      if (len == GNUTLS_E_WARNING_IA_IPHF_RECEIVED ||
+          len == GNUTLS_E_WARNING_IA_FPHF_RECEIVED)
+        {
+          ret = gnutls_ia_verify_endphase (session, buf);
+          if (ret < 0)
+            return ret;
+        }
+
+      if (len == GNUTLS_E_WARNING_IA_IPHF_RECEIVED)
+        continue;
+      else if (len == GNUTLS_E_WARNING_IA_FPHF_RECEIVED)
+        break;
+
+      if (len < 0)
+        return len;
+
+      avp = NULL;
+      avplen = 0;
+
+      ret = cred->avp_func (session, cred->avp_ptr, buf, len, &avp, &avplen);
+      if (ret < 0)
+        {
+          int tmpret;
+          tmpret = gnutls_alert_send (session, GNUTLS_AL_FATAL,
+                                      GNUTLS_A_INNER_APPLICATION_FAILURE);
+          if (tmpret < 0)
+            gnutls_assert ();
+          return ret;
+        }
+
+      msg_type = ret;
+
+      if (msg_type != GNUTLS_IA_APPLICATION_PAYLOAD)
+        {
+          ret = gnutls_ia_endphase_send (session, msg_type ==
+                                         GNUTLS_IA_FINAL_PHASE_FINISHED);
+          if (ret < 0)
+            return ret;
+        }
+      else
+        {
+          len = gnutls_ia_send (session, avp, avplen);
+          gnutls_free (avp);
+          if (len < 0)
+            return len;
+        }
+    }
+  while (1);
+
+  return 0;
+}
+
+/**
+ * gnutls_ia_handshake_p:
+ * @session: is a #gnutls_session_t structure.
+ *
+ * Predicate to be used after gnutls_handshake() to decide whether to
+ * invoke gnutls_ia_handshake().  Usable by both clients and servers.
+ *
+ * Return value: non-zero if TLS/IA handshake is expected, zero
+ *   otherwise.
+ **/
+int
+gnutls_ia_handshake_p (gnutls_session_t session)
+{
+  tls_ext_st *ext = &session->security_parameters.extensions;
+
+  /* Either local side or peer doesn't do TLS/IA: don't do IA */
+
+  if (!ext->gnutls_ia_enable || !ext->gnutls_ia_peer_enable)
+    return 0;
+
+  /* Not resuming or we don't allow skipping on resumption locally: do IA */
+
+  if (!ext->gnutls_ia_allowskip || !gnutls_session_is_resumed (session))
+    return 1;
+
+  /* If we're resuming and we and the peer both allow skipping on resumption: 
+   * don't do IA */
+
+  return !ext->gnutls_ia_peer_allowskip;
+}
+
+
+/**
+ * gnutls_ia_handshake:
+ * @session: is a #gnutls_session_t structure.
+ *
+ * Perform a TLS/IA handshake.  This should be called after
+ * gnutls_handshake() iff gnutls_ia_handshake_p().
+ *
+ * Return 0 on success, or an error code.
+ **/
+int
+gnutls_ia_handshake (gnutls_session_t session)
+{
+  int ret;
+
+  if (session->security_parameters.entity == GNUTLS_CLIENT)
+    ret = _gnutls_ia_client_handshake (session);
+  else
+    ret = _gnutls_ia_server_handshake (session);
+
+  return ret;
+}
+
+/**
+ * gnutls_ia_allocate_client_credentials - Used to allocate an gnutls_ia_server_credentials_t structure
+ * @sc: is a pointer to an #gnutls_ia_server_credentials_t structure.
+ *
+ * This structure is complex enough to manipulate directly thus this
+ * helper function is provided in order to allocate it.
+ *
+ * Adding this credential to a session will enable TLS/IA, and will
+ * require an Application Phase after the TLS handshake (if the server
+ * support TLS/IA).  Use gnutls_ia_require_inner_phase() to toggle the
+ * TLS/IA mode.
+ *
+ * Returns 0 on success.
+ **/
+int
+gnutls_ia_allocate_client_credentials (gnutls_ia_client_credentials_t * sc)
+{
+  *sc = gnutls_calloc (1, sizeof (**sc));
+
+  if (*sc == NULL)
+    return GNUTLS_E_MEMORY_ERROR;
+
+  return 0;
+}
+
+/**
+ * gnutls_ia_free_client_credentials - Used to free an allocated #gnutls_ia_client_credentials_t structure
+ * @sc: is an #gnutls_ia_client_credentials_t structure.
+ *
+ * This structure is complex enough to manipulate directly thus this
+ * helper function is provided in order to free (deallocate) it.
+ *
+ **/
+void
+gnutls_ia_free_client_credentials (gnutls_ia_client_credentials_t sc)
+{
+  gnutls_free (sc);
+}
+
+/**
+ * gnutls_ia_set_client_avp_function - Used to set a AVP callback
+ * @cred: is a #gnutls_ia_client_credentials_t structure.
+ * @avp_func: is the callback function
+ *
+ * Set the TLS/IA AVP callback handler used for the session.
+ *
+ * The AVP callback is called to process AVPs received from the
+ * server, and to get a new AVP to send to the server.
+ *
+ * The callback's function form is:
+ * int (*avp_func) (gnutls_session_t session, void *ptr,
+ *                  const char *last, size_t lastlen,
+ *                  char **next, size_t *nextlen);
+ *
+ * The @session parameter is the #gnutls_session_t structure
+ * corresponding to the current session.  The @ptr parameter is the
+ * application hook pointer, set through
+ * gnutls_ia_set_client_avp_ptr().  The AVP received from the server
+ * is present in @last of @lastlen size, which will be %NULL on the
+ * first invocation.  The newly allocated output AVP to send to the
+ * server should be placed in *@next of *@nextlen size.
+ *
+ * The callback may invoke gnutls_ia_permute_inner_secret() to mix any
+ * generated session keys with the TLS/IA inner secret.
+ *
+ * Return 0 (%GNUTLS_IA_APPLICATION_PAYLOAD) on success, or a negative
+ * error code to abort the TLS/IA handshake.
+ *
+ * Note that the callback must use allocate the @next parameter using
+ * gnutls_malloc(), because it is released via gnutls_free() by the
+ * TLS/IA handshake function.
+ *
+ **/
+void
+gnutls_ia_set_client_avp_function (gnutls_ia_client_credentials_t cred,
+                                   gnutls_ia_avp_func avp_func)
+{
+  cred->avp_func = avp_func;
+}
+
+/**
+ * gnutls_ia_set_client_avp_ptr - Sets a pointer to be sent to TLS/IA callback
+ * @cred: is a #gnutls_ia_client_credentials_t structure.
+ * @ptr: is the pointer
+ *
+ * Sets the pointer that will be provided to the TLS/IA callback
+ * function as the first argument.
+ *
+ **/
+void
+gnutls_ia_set_client_avp_ptr (gnutls_ia_client_credentials_t cred, void *ptr)
+{
+  cred->avp_ptr = ptr;
+}
+
+/**
+ * gnutls_ia_get_client_avp_ptr - Returns the pointer which is sent to TLS/IA callback
+ * @cred: is a #gnutls_ia_client_credentials_t structure.
+ *
+ * Returns the pointer that will be provided to the TLS/IA callback
+ * function as the first argument.
+ *
+ **/
+void *
+gnutls_ia_get_client_avp_ptr (gnutls_ia_client_credentials_t cred)
+{
+  return cred->avp_ptr;
+}
+
+/**
+ * gnutls_ia_allocate_server_credentials - Used to allocate an gnutls_ia_server_credentials_t structure
+ * @sc: is a pointer to an #gnutls_ia_server_credentials_t structure.
+ *
+ * This structure is complex enough to manipulate directly thus this
+ * helper function is provided in order to allocate it.
+ *
+ * Adding this credential to a session will enable TLS/IA, and will
+ * require an Application Phase after the TLS handshake (if the client
+ * support TLS/IA).  Use gnutls_ia_require_inner_phase() to toggle the
+ * TLS/IA mode.
+ *
+ * Returns 0 on success.
+ **/
+int
+gnutls_ia_allocate_server_credentials (gnutls_ia_server_credentials_t * sc)
+{
+  *sc = gnutls_calloc (1, sizeof (**sc));
+
+  if (*sc == NULL)
+    return GNUTLS_E_MEMORY_ERROR;
+
+  return 0;
+}
+
+/**
+ * gnutls_ia_free_server_credentials - Used to free an allocated #gnutls_ia_server_credentials_t structure
+ * @sc: is an #gnutls_ia_server_credentials_t structure.
+ *
+ * This structure is complex enough to manipulate directly thus this
+ * helper function is provided in order to free (deallocate) it.
+ *
+ **/
+void
+gnutls_ia_free_server_credentials (gnutls_ia_server_credentials_t sc)
+{
+  gnutls_free (sc);
+}
+
+/**
+ * gnutls_ia_set_server_credentials_function - Used to set a AVP callback
+ * @cred: is a #gnutls_ia_server_credentials_t structure.
+ * @func: is the callback function
+ *
+ * Set the TLS/IA AVP callback handler used for the session.
+ *
+ * The callback's function form is:
+ * int (*avp_func) (gnutls_session_t session, void *ptr,
+ *                  const char *last, size_t lastlen,
+ *                  char **next, size_t *nextlen);
+ *
+ * The @session parameter is the #gnutls_session_t structure
+ * corresponding to the current session.  The @ptr parameter is the
+ * application hook pointer, set through
+ * gnutls_ia_set_server_avp_ptr().  The AVP received from the client
+ * is present in @last of @lastlen size.  The newly allocated output
+ * AVP to send to the client should be placed in *@next of *@nextlen
+ * size.
+ *
+ * The AVP callback is called to process incoming AVPs from the
+ * client, and to get a new AVP to send to the client.  It can also be
+ * used to instruct the TLS/IA handshake to do go into the
+ * Intermediate or Final phases.  It return a negative error code, or
+ * an #gnutls_ia_apptype_t message type.
+ *
+ * The callback may invoke gnutls_ia_permute_inner_secret() to mix any
+ * generated session keys with the TLS/IA inner secret.
+ *
+ * Specifically, return %GNUTLS_IA_APPLICATION_PAYLOAD (0) to send
+ * another AVP to the client, return
+ * %GNUTLS_IA_INTERMEDIATE_PHASE_FINISHED (1) to indicate that an
+ * IntermediatePhaseFinished message should be sent, and return
+ * %GNUTLS_IA_FINAL_PHASE_FINISHED (2) to indicate that an
+ * FinalPhaseFinished message should be sent.  In the last two cases,
+ * the contents of the @next and @nextlen parameter is not used.
+ *
+ * Note that the callback must use allocate the @next parameter using
+ * gnutls_malloc(), because it is released via gnutls_free() by the
+ * TLS/IA handshake function.
+ **/
+void
+gnutls_ia_set_server_avp_function (gnutls_ia_server_credentials_t cred,
+                                   gnutls_ia_avp_func avp_func)
+{
+  cred->avp_func = avp_func;
+}
+
+/**
+ * gnutls_ia_set_server_avp_ptr - Sets a pointer to be sent to TLS/IA callback
+ * @cred: is a #gnutls_ia_client_credentials_t structure.
+ * @ptr: is the pointer
+ *
+ * Sets the pointer that will be provided to the TLS/IA callback
+ * function as the first argument.
+ *
+ **/
+void
+gnutls_ia_set_server_avp_ptr (gnutls_ia_server_credentials_t cred, void *ptr)
+{
+  cred->avp_ptr = ptr;
+}
+
+/**
+ * gnutls_ia_get_server_avp_ptr - Returns the pointer which is sent to TLS/IA callback
+ * @cred: is a #gnutls_ia_client_credentials_t structure.
+ *
+ * Returns the pointer that will be provided to the TLS/IA callback
+ * function as the first argument.
+ *
+ **/
+void *
+gnutls_ia_get_server_avp_ptr (gnutls_ia_server_credentials_t cred)
+{
+  return cred->avp_ptr;
+}
+
+/**
+ * gnutls_ia_enable - Indicate willingness for TLS/IA application phases
+ * @session: is a #gnutls_session_t structure.
+ * @allow_skip_on_resume: non-zero if local party allows to skip the
+ *                        TLS/IA application phases for a resumed session.
+ *
+ * Specify whether we must advertise support for the TLS/IA extension
+ * during the handshake.
+ *
+ * At the client side, we always advertise TLS/IA if gnutls_ia_enable
+ * was called before the handshake; at the server side, we also
+ * require that the client has advertised that it wants to run TLS/IA
+ * before including the advertisement, as required by the protocol.
+ *
+ * Similarly, at the client side we always advertise that we allow
+ * TLS/IA to be skipped for resumed sessions if @allow_skip_on_resume
+ * is non-zero; at the server side, we also require that the session
+ * is indeed resumable and that the client has also advertised that it
+ * allows TLS/IA to be skipped for resumed sessions.
+ *
+ * After the TLS handshake, call gnutls_ia_handshake_p() to find out
+ * whether both parties agreed to do a TLS/IA handshake, before
+ * calling gnutls_ia_handshake() or one of the lower level gnutls_ia_*
+ * functions.
+ **/
+void
+gnutls_ia_enable (gnutls_session_t session, int allow_skip_on_resume)
+{
+  session->security_parameters.extensions.gnutls_ia_enable = 1;
+  session->security_parameters.extensions.gnutls_ia_allowskip =
+    allow_skip_on_resume;
+}
diff --git a/src/daemon/https/openpgp/gnutls_openpgp.c b/src/daemon/https/openpgp/gnutls_openpgp.c
new file mode 100644
index 00000000..02469463
--- /dev/null
+++ b/src/daemon/https/openpgp/gnutls_openpgp.c
@@ -0,0 +1,973 @@
+/*
+ * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
+ *
+ * Author: Timo Schulz
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *               
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *                               
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "gnutls_int.h"
+#include "gnutls_errors.h"
+#include "gnutls_mpi.h"
+#include "gnutls_cert.h"
+#include "gnutls_datum.h"
+#include "gnutls_global.h"
+#include "gnutls_openpgp.h"
+#include "read-file.h"
+#include <gnutls_str.h>
+#include <gnutls_sig.h>
+#include <stdio.h>
+#include <gcrypt.h>
+#include <time.h>
+#include <sys/stat.h>
+
+#define OPENPGP_NAME_SIZE 256
+
+#define datum_append(x, y, z) _gnutls_datum_append_m (x, y, z, gnutls_realloc)
+
+
+
+static void
+release_mpi_array (mpi_t * arr, size_t n)
+{
+  mpi_t x;
+
+  while (arr && n--)
+    {
+      x = *arr;
+      _gnutls_mpi_release (&x);
+      *arr = NULL;
+      arr++;
+    }
+}
+
+
+/* Map an OpenCDK error type to a GnuTLS error type. */
+int
+_gnutls_map_cdk_rc (int rc)
+{
+  switch (rc)
+    {
+    case CDK_Success:
+      return 0;
+    case CDK_Too_Short:
+      return GNUTLS_E_SHORT_MEMORY_BUFFER;
+    case CDK_General_Error:
+      return GNUTLS_E_INTERNAL_ERROR;
+    case CDK_File_Error:
+      return GNUTLS_E_FILE_ERROR;
+    case CDK_MPI_Error:
+      return GNUTLS_E_MPI_SCAN_FAILED;
+    case CDK_Error_No_Key:
+      return GNUTLS_E_OPENPGP_GETKEY_FAILED;
+    case CDK_Armor_Error:
+      return GNUTLS_E_BASE64_DECODING_ERROR;
+    case CDK_Inv_Value:
+      return GNUTLS_E_INVALID_REQUEST;
+    default:
+      return GNUTLS_E_INTERNAL_ERROR;
+    }
+}
+
+static unsigned long
+buftou32 (const uint8_t * buf)
+{
+  unsigned a;
+  a = buf[0] << 24;
+  a |= buf[1] << 16;
+  a |= buf[2] << 8;
+  a |= buf[3];
+  return a;
+}
+
+static int
+openpgp_pk_to_gnutls_cert (gnutls_cert * cert, cdk_pkt_pubkey_t pk)
+{
+  uint8_t buf[512 + 2];
+  size_t nbytes;
+  int algo, i;
+  int rc = 0;
+
+  if (!cert || !pk)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  /* GnuTLS OpenPGP does not support ELG keys */
+  if (is_ELG (pk->pubkey_algo))
+    {
+      gnutls_assert ();
+      return GNUTLS_E_UNWANTED_ALGORITHM;
+    }
+
+  algo = GNUTLS_PK_RSA;
+  cert->subject_pk_algorithm = algo;
+  cert->version = pk->version;
+  cert->cert_type = GNUTLS_CRT_OPENPGP;
+
+  cert->key_usage = 0;
+  if (pk->pubkey_usage & CDK_KEY_USG_SIGN)
+    cert->key_usage = KEY_DIGITAL_SIGNATURE;
+  if (pk->pubkey_usage & CDK_KEY_USG_ENCR)
+    cert->key_usage = KEY_KEY_ENCIPHERMENT;
+  if (!cert->key_usage)         /* Fallback code. */
+    {
+      if (pk->pubkey_algo == GCRY_PK_DSA || pk->pubkey_algo == GCRY_PK_RSA_S)
+        cert->key_usage = KEY_DIGITAL_SIGNATURE;
+      else if (pk->pubkey_algo == GCRY_PK_RSA_E)
+        cert->key_usage = KEY_KEY_ENCIPHERMENT;
+      else if (pk->pubkey_algo == GCRY_PK_RSA)
+        cert->key_usage = KEY_DIGITAL_SIGNATURE | KEY_KEY_ENCIPHERMENT;
+    }
+
+  cert->params_size = cdk_pk_get_npkey (pk->pubkey_algo);
+  for (i = 0; i < cert->params_size; i++)
+    {
+      nbytes = sizeof (buf) / sizeof (buf[0]);
+      cdk_pk_get_mpi (pk, i, buf, nbytes, &nbytes, NULL);
+      rc = _gnutls_mpi_scan_pgp (&cert->params[i], buf, &nbytes);
+      if (rc)
+        {
+          rc = GNUTLS_E_MPI_SCAN_FAILED;
+          break;
+        }
+    }
+
+  if (rc)
+    release_mpi_array (cert->params, i - 1);
+  return rc;
+}
+
+/*-
+ * _gnutls_openpgp_raw_privkey_to_gkey - Converts an OpenPGP secret key to GnuTLS
+ * @pkey: the GnuTLS private key context to store the key.
+ * @raw_key: the raw data which contains the whole key packets.
+ * @format: the format of the key packets.
+ *
+ * The RFC2440 (OpenPGP Message Format) data is converted into the
+ * GnuTLS specific data which is need to perform secret key operations.
+ *
+ * This function can read both BASE64 and RAW keys.
+ -*/
+int
+_gnutls_openpgp_raw_privkey_to_gkey (gnutls_privkey * pkey,
+                                     const gnutls_datum_t * raw_key,
+                                     gnutls_openpgp_crt_fmt_t format)
+{
+  cdk_kbnode_t snode = NULL;
+  cdk_packet_t pkt;
+  cdk_stream_t out;
+  cdk_pkt_seckey_t sk = NULL;
+  int pke_algo, i, j;
+  size_t nbytes = 0;
+  uint8_t buf[512];
+  int rc = 0;
+
+  if (!pkey || raw_key->size <= 0)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_CERTIFICATE_ERROR;
+    }
+
+  rc = cdk_stream_tmp_new (&out);
+  if (rc)
+    return GNUTLS_E_CERTIFICATE_ERROR;
+
+  if (format == GNUTLS_OPENPGP_FMT_BASE64)
+    {
+      rc = cdk_stream_set_armor_flag (out, 0);
+      if (rc)
+        {
+          cdk_stream_close (out);
+          rc = _gnutls_map_cdk_rc (rc);
+          gnutls_assert ();
+          goto leave;
+        }
+    }
+
+  cdk_stream_write (out, raw_key->data, raw_key->size);
+  cdk_stream_seek (out, 0);
+
+  rc = cdk_keydb_get_keyblock (out, &snode);
+  cdk_stream_close (out);
+  if (rc)
+    {
+      rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
+      goto leave;
+    }
+
+  pkt = cdk_kbnode_find_packet (snode, CDK_PKT_SECRET_KEY);
+  if (!pkt)
+    {
+      rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
+      goto leave;
+    }
+  sk = pkt->pkt.secret_key;
+  pke_algo = sk->pk->pubkey_algo;
+  pkey->params_size = cdk_pk_get_npkey (pke_algo);
+  for (i = 0; i < pkey->params_size; i++)
+    {
+      nbytes = sizeof (buf) / sizeof (buf[0]);
+      cdk_pk_get_mpi (sk->pk, i, buf, nbytes, &nbytes, NULL);
+      rc = _gnutls_mpi_scan_pgp (&pkey->params[i], buf, &nbytes);
+      if (rc)
+        {
+          rc = GNUTLS_E_MPI_SCAN_FAILED;
+          release_mpi_array (pkey->params, i - 1);
+          goto leave;
+        }
+    }
+
+  pkey->params_size += cdk_pk_get_nskey (pke_algo);
+  for (j = 0; j < cdk_pk_get_nskey (pke_algo); j++, i++)
+    {
+      nbytes = sizeof (buf) / sizeof (buf[0]);
+      cdk_sk_get_mpi (sk, j, buf, nbytes, &nbytes, NULL);
+      rc = _gnutls_mpi_scan_pgp (&pkey->params[i], buf, &nbytes);
+      if (rc)
+        {
+          rc = GNUTLS_E_MPI_SCAN_FAILED;
+          release_mpi_array (pkey->params, i - 1);
+          goto leave;
+        }
+    }
+
+  if (is_ELG (pke_algo))
+    return GNUTLS_E_UNWANTED_ALGORITHM;
+  else if (is_RSA (pke_algo))
+    pkey->pk_algorithm = GNUTLS_PK_RSA;
+
+leave:
+  cdk_kbnode_release (snode);
+  return rc;
+}
+
+
+/*-
+ * _gnutls_openpgp_raw_key_to_gcert - Converts raw OpenPGP data to GnuTLS certs
+ * @cert: the certificate to store the data.
+ * @raw: the buffer which contains the whole OpenPGP key packets.
+ *
+ * The RFC2440 (OpenPGP Message Format) data is converted to a GnuTLS
+ * specific certificate.
+ -*/
+int
+_gnutls_openpgp_raw_key_to_gcert (gnutls_cert * cert,
+                                  const gnutls_datum_t * raw)
+{
+  cdk_kbnode_t knode = NULL;
+  cdk_packet_t pkt = NULL;
+  int rc;
+
+  if (!cert)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  memset (cert, 0, sizeof *cert);
+
+  rc = cdk_kbnode_read_from_mem (&knode, raw->data, raw->size);
+  if (!(rc = _gnutls_map_cdk_rc (rc)))
+    {
+      pkt = cdk_kbnode_find_packet (knode, CDK_PKT_PUBLIC_KEY);
+    }
+  if (!pkt)
+    {
+      gnutls_assert ();
+      rc = _gnutls_map_cdk_rc (rc);
+    }
+  if (!rc)
+    rc = _gnutls_set_datum (&cert->raw, raw->data, raw->size);
+  if (!rc)
+    rc = openpgp_pk_to_gnutls_cert (cert, pkt->pkt.public_key);
+
+  cdk_kbnode_release (knode);
+  return rc;
+}
+
+/**
+  * gnutls_certificate_set_openpgp_key - Used to set keys in a gnutls_certificate_credentials_t structure
+  * @res: is an #gnutls_certificate_credentials_t structure.
+  * @key: contains an openpgp public key
+  * @pkey: is an openpgp private key
+  *
+  * This function sets a certificate/private key pair in the 
+  * gnutls_certificate_credentials_t structure. This function may be called
+  * more than once (in case multiple keys/certificates exist for the
+  * server).
+  *
+  **/
+int
+gnutls_certificate_set_openpgp_key (gnutls_certificate_credentials_t
+                                    res, gnutls_openpgp_crt_t crt,
+                                    gnutls_openpgp_privkey_t pkey)
+{
+  int ret;
+
+  /* this should be first */
+
+  res->pkey = gnutls_realloc_fast (res->pkey,
+                                   (res->ncerts + 1) *
+                                   sizeof (gnutls_privkey));
+  if (res->pkey == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  ret = _gnutls_openpgp_privkey_to_gkey (&res->pkey[res->ncerts], pkey);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  res->cert_list = gnutls_realloc_fast (res->cert_list,
+                                        (1 +
+                                         res->ncerts) *
+                                        sizeof (gnutls_cert *));
+  if (res->cert_list == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
+                                               (1 +
+                                                res->ncerts) * sizeof (int));
+  if (res->cert_list_length == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  res->cert_list[res->ncerts] = gnutls_calloc (1, sizeof (gnutls_cert));
+  if (res->cert_list[res->ncerts] == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  res->cert_list_length[res->ncerts] = 1;
+
+  ret = _gnutls_openpgp_crt_to_gcert (res->cert_list[res->ncerts], crt);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  res->ncerts++;
+
+  /* FIXME: Check if the keys match. */
+
+  return 0;
+}
+
+
+/*-
+ * gnutls_openpgp_get_key - Retrieve a key from the keyring.
+ * @key: the destination context to save the key.
+ * @keyring: the datum struct that contains all keyring information.
+ * @attr: The attribute (keyid, fingerprint, ...).
+ * @by: What attribute is used.
+ *
+ * This function can be used to retrieve keys by different pattern
+ * from a binary or a file keyring.
+ -*/
+int
+gnutls_openpgp_get_key (gnutls_datum_t * key,
+                        gnutls_openpgp_keyring_t keyring, key_attr_t by,
+                        opaque * pattern)
+{
+  cdk_kbnode_t knode = NULL;
+  unsigned long keyid[2];
+  unsigned char *buf;
+  void *desc;
+  size_t len;
+  int rc = 0;
+
+  if (!key || !keyring || by == KEY_ATTR_NONE)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  memset (key, 0, sizeof *key);
+
+  if (by == KEY_ATTR_SHORT_KEYID)
+    {
+      keyid[0] = buftou32 (pattern);
+      desc = keyid;
+    }
+  else if (by == KEY_ATTR_KEYID)
+    {
+      keyid[0] = buftou32 (pattern);
+      keyid[1] = buftou32 (pattern + 4);
+      desc = keyid;
+    }
+  else
+    desc = pattern;
+  rc = cdk_keydb_search_start (keyring->db, by, desc);
+  if (!rc)
+    rc = cdk_keydb_search (keyring->db, &knode);
+  if (rc)
+    {
+      rc = _gnutls_map_cdk_rc (rc);
+      goto leave;
+    }
+
+  if (!cdk_kbnode_find (knode, CDK_PKT_PUBLIC_KEY))
+    {
+      rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
+      goto leave;
+    }
+
+  /* We let the function allocate the buffer to avoid
+     to call the function twice. */
+  rc = cdk_kbnode_write_to_mem_alloc (knode, &buf, &len);
+  if (!rc)
+    datum_append (key, buf, len);
+  cdk_free (buf);
+
+leave:
+  cdk_kbnode_release (knode);
+  return rc;
+}
+
+
+/* Convert the stream to a datum. In this case we use the mmap
+   function to map the entire stream to a buffer. */
+static int
+stream_to_datum (cdk_stream_t inp, gnutls_datum_t * raw)
+{
+  uint8_t *buf;
+  size_t buflen;
+
+  if (!inp || !raw)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  cdk_stream_mmap (inp, &buf, &buflen);
+  datum_append (raw, buf, buflen);
+  cdk_free (buf);
+
+  if (!buflen)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INTERNAL_ERROR;
+    }
+
+  return 0;
+}
+
+
+
+/**
+ * gnutls_certificate_set_openpgp_key_mem - Used to set OpenPGP keys
+ * @res: the destination context to save the data.
+ * @cert: the datum that contains the public key.
+ * @key: the datum that contains the secret key.
+ *
+ * This funtion is used to load OpenPGP keys into the GnuTLS credential 
+ * structure.
+ * It doesn't matter whether the keys are armored or not, but the files
+ * should only contain one key which should not be encrypted.
+ **/
+int
+gnutls_certificate_set_openpgp_key_mem (gnutls_certificate_credentials_t
+                                        res, const gnutls_datum_t * icert,
+                                        const gnutls_datum_t * ikey,
+                                        gnutls_openpgp_crt_fmt_t format)
+{
+  gnutls_openpgp_privkey_t key;
+  gnutls_openpgp_crt_t cert;
+  int ret;
+
+  ret = gnutls_openpgp_privkey_init (&key);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  ret = gnutls_openpgp_privkey_import (key, ikey, format, NULL, 0);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      gnutls_openpgp_privkey_deinit (key);
+      return ret;
+    }
+
+  ret = gnutls_openpgp_crt_init (&cert);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      gnutls_openpgp_privkey_deinit (key);
+      return ret;
+    }
+
+  ret = gnutls_openpgp_crt_import (cert, icert, format);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      gnutls_openpgp_privkey_deinit (key);
+      gnutls_openpgp_crt_deinit (cert);
+      return ret;
+    }
+
+
+  ret = gnutls_certificate_set_openpgp_key (res, cert, key);
+
+  gnutls_openpgp_privkey_deinit (key);
+  gnutls_openpgp_crt_deinit (cert);
+
+  return ret;
+}
+
+
+/**
+ * gnutls_certificate_set_openpgp_key_file - Used to set OpenPGP keys
+ * @res: the destination context to save the data.
+ * @certfile: the file that contains the public key.
+ * @keyfile: the file that contains the secret key.
+ *
+ * This funtion is used to load OpenPGP keys into the GnuTLS credentials structure.
+ * It doesn't matter whether the keys are armored or not, but the files
+ * should only contain one key which should not be encrypted.
+ **/
+int
+gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t
+                                         res, const char *certfile,
+                                         const char *keyfile,
+                                         gnutls_openpgp_crt_fmt_t format)
+{
+  struct stat statbuf;
+  gnutls_datum_t key, cert;
+  int rc;
+  size_t size;
+
+  if (!res || !keyfile || !certfile)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  if (stat (certfile, &statbuf) || stat (keyfile, &statbuf))
+    {
+      gnutls_assert ();
+      return GNUTLS_E_FILE_ERROR;
+    }
+
+  cert.data = read_binary_file (certfile, &size);
+  cert.size = (unsigned int) size;
+  if (cert.data == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_FILE_ERROR;
+    }
+
+  key.data = read_binary_file (keyfile, &size);
+  key.size = (unsigned int) size;
+  if (key.data == NULL)
+    {
+      gnutls_assert ();
+      free (cert.data);
+      return GNUTLS_E_FILE_ERROR;
+    }
+
+  rc = gnutls_certificate_set_openpgp_key_mem (res, &cert, &key, format);
+
+  free (cert.data);
+  free (key.data);
+
+  if (rc < 0)
+    {
+      gnutls_assert ();
+      return rc;
+    }
+
+  return 0;
+}
+
+
+int
+gnutls_openpgp_count_key_names (const gnutls_datum_t * cert)
+{
+  cdk_kbnode_t knode, p, ctx;
+  cdk_packet_t pkt;
+  int nuids;
+
+  if (cert == NULL)
+    {
+      gnutls_assert ();
+      return 0;
+    }
+
+  if (cdk_kbnode_read_from_mem (&knode, cert->data, cert->size))
+    {
+      gnutls_assert ();
+      return 0;
+    }
+
+  ctx = NULL;
+  for (nuids = 0;;)
+    {
+      p = cdk_kbnode_walk (knode, &ctx, 0);
+      if (!p)
+        break;
+      pkt = cdk_kbnode_get_packet (p);
+      if (pkt->pkttype == CDK_PKT_USER_ID)
+        nuids++;
+    }
+
+  cdk_kbnode_release (knode);
+  return nuids;
+}
+
+
+/**
+ * gnutls_certificate_set_openpgp_keyring_file - Sets a keyring file for OpenPGP
+ * @c: A certificate credentials structure
+ * @file: filename of the keyring.
+ *
+ * The function is used to set keyrings that will be used internally
+ * by various OpenPGP functions. For example to find a key when it
+ * is needed for an operations. The keyring will also be used at the
+ * verification functions.
+ *
+ **/
+int
+gnutls_certificate_set_openpgp_keyring_file (gnutls_certificate_credentials_t
+                                             c, const char *file,
+                                             gnutls_openpgp_crt_fmt_t format)
+{
+  gnutls_datum_t ring;
+  size_t size;
+  int rc;
+
+  if (!c || !file)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  ring.data = read_binary_file (file, &size);
+  ring.size = (unsigned int) size;
+  if (ring.data == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_FILE_ERROR;
+    }
+
+  rc =
+    gnutls_certificate_set_openpgp_keyring_mem (c, ring.data, ring.size,
+                                                format);
+
+  free (ring.data);
+
+  return rc;
+}
+
+/**
+ * gnutls_certificate_set_openpgp_keyring_mem - Add keyring data for OpenPGP
+ * @c: A certificate credentials structure
+ * @data: buffer with keyring data.
+ * @dlen: length of data buffer.
+ *
+ * The function is used to set keyrings that will be used internally
+ * by various OpenPGP functions. For example to find a key when it
+ * is needed for an operations. The keyring will also be used at the
+ * verification functions.
+ *
+ **/
+int
+gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t
+                                            c, const opaque * data,
+                                            size_t dlen,
+                                            gnutls_openpgp_crt_fmt_t format)
+{
+#ifndef KEYRING_HACK
+  cdk_stream_t inp;
+  size_t count;
+  uint8_t *buf;
+  gnutls_datum ddata;
+  int rc;
+
+  ddata.data = (void *) data;
+  ddata.size = dlen;
+
+  if (!c || !data || !dlen)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  rc = gnutls_openpgp_keyring_init (&c->keyring);
+  if (rc < 0)
+    {
+      gnutls_assert ();
+      return rc;
+    }
+
+  rc = gnutls_openpgp_keyring_import (c->keyring, &ddata, format);
+  if (rc < 0)
+    {
+      gnutls_assert ();
+      gnutls_openpgp_keyring_deinit (c->keyring);
+      return rc;
+    }
+
+  return 0;
+#else
+
+  c->keyring_format = format;
+
+  c->keyring.data = gnutls_malloc (dlen + 1);
+  if (c->keyring.data == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+  memcpy (c->keyring.data, data, dlen);
+  c->keyring.data[dlen] = 0;
+  c->keyring.size = dlen;
+
+#endif
+}
+
+/*-
+ * _gnutls_openpgp_request_key - Receives a key from a database, key server etc
+ * @ret - a pointer to gnutls_datum_t structure.
+ * @cred - a gnutls_certificate_credentials_t structure.
+ * @key_fingerprint - The keyFingerprint
+ * @key_fingerprint_size - the size of the fingerprint
+ *
+ * Retrieves a key from a local database, keyring, or a key server. The
+ * return value is locally allocated.
+ *
+ -*/
+int
+_gnutls_openpgp_request_key (gnutls_session_t session, gnutls_datum_t * ret,
+                             const gnutls_certificate_credentials_t cred,
+                             opaque * key_fpr, int key_fpr_size)
+{
+  int rc = 0;
+#ifdef KEYRING_HACK
+  gnutls_openpgp_keyring_t kring;
+#endif
+
+  if (!ret || !cred || !key_fpr)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  if (key_fpr_size != 16 && key_fpr_size != 20)
+    return GNUTLS_E_HASH_FAILED;        /* only MD5 and SHA1 are supported */
+
+#ifndef KEYRING_HACK
+  rc = gnutls_openpgp_get_key (ret, cred->keyring, KEY_ATTR_FPR, key_fpr);
+#else
+  rc = gnutls_openpgp_keyring_init (&kring);
+  if (rc < 0)
+    {
+      gnutls_assert ();
+      return rc;
+    }
+
+  rc =
+    gnutls_openpgp_keyring_import (kring, &cred->keyring,
+                                   cred->keyring_format);
+  if (rc < 0)
+    {
+      gnutls_assert ();
+      gnutls_openpgp_keyring_deinit (kring);
+      return rc;
+    }
+#endif
+  if (rc >= 0)                  /* key was found */
+    {
+      rc = 0;
+      goto error;
+    }
+  else
+    rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
+
+  /* If the callback function was set, then try this one. */
+  if (session->internals.openpgp_recv_key_func != NULL)
+    {
+      rc = session->internals.openpgp_recv_key_func (session,
+                                                     key_fpr,
+                                                     key_fpr_size, ret);
+      if (rc < 0)
+        {
+          gnutls_assert ();
+          rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
+          goto error;
+        }
+    }
+
+error:
+#ifdef KEYRING_HACK
+  gnutls_openpgp_keyring_deinit (kring);
+#endif
+  return rc;
+}
+
+/**
+ * gnutls_openpgp_set_recv_key_function - Used to set a key retrieval callback for PGP keys
+ * @session: a TLS session
+ * @func: the callback
+ *
+ * This funtion will set a key retrieval function for OpenPGP keys. This
+ * callback is only useful in server side, and will be used if the peer
+ * sent a key fingerprint instead of a full key.
+ *
+ **/
+void
+gnutls_openpgp_set_recv_key_function (gnutls_session_t session,
+                                      gnutls_openpgp_recv_key_func func)
+{
+  session->internals.openpgp_recv_key_func = func;
+}
+
+
+/* Copies a gnutls_openpgp_privkey_t to a gnutls_privkey structure. */
+int
+_gnutls_openpgp_privkey_to_gkey (gnutls_privkey * dest,
+                                 gnutls_openpgp_privkey_t src)
+{
+  int i, ret;
+
+  memset (dest, 0, sizeof (gnutls_privkey));
+
+  for (i = 0; i < src->pkey.params_size; i++)
+    {
+      dest->params[i] = _gnutls_mpi_copy (src->pkey.params[i]);
+      if (dest->params[i] == NULL)
+        {
+          gnutls_assert ();
+          ret = GNUTLS_E_MEMORY_ERROR;
+          goto cleanup;
+        }
+    }
+
+  dest->pk_algorithm = src->pkey.pk_algorithm;
+  dest->params_size = src->pkey.params_size;
+
+  return 0;
+
+cleanup:
+  for (i = 0; i < src->pkey.params_size; i++)
+    _gnutls_mpi_release (&dest->params[i]);
+  return ret;
+}
+
+/* Converts a parsed gnutls_openpgp_crt_t to a gnutls_cert structure.
+ */
+int
+_gnutls_openpgp_crt_to_gcert (gnutls_cert * gcert, gnutls_openpgp_crt_t cert)
+{
+  opaque *der;
+  size_t der_size = 0;
+  gnutls_datum_t raw;
+  int ret;
+
+  memset (gcert, 0, sizeof (gnutls_cert));
+  gcert->cert_type = GNUTLS_CRT_OPENPGP;
+
+
+  ret = gnutls_openpgp_crt_export (cert, GNUTLS_OPENPGP_FMT_RAW,
+                                   NULL, &der_size);
+  if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+      gnutls_assert ();
+      return ret;
+    }
+
+  der = gnutls_malloc (der_size);
+  if (der == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  ret = gnutls_openpgp_crt_export (cert, GNUTLS_OPENPGP_FMT_RAW,
+                                   der, &der_size);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      gnutls_free (der);
+      return ret;
+    }
+
+  raw.data = der;
+  raw.size = der_size;
+
+  ret = _gnutls_openpgp_raw_key_to_gcert (gcert, &raw);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      gnutls_free (der);
+      return ret;
+    }
+
+  gnutls_free (der);
+
+  return 0;
+
+}
+
+
+/**
+ * gnutls_openpgp_privkey_sign_hash - This function will sign the given data using the private key params
+ * @key: Holds the key
+ * @hash: holds the data to be signed
+ * @signature: will contain newly allocated signature
+ *
+ * This function will sign the given hash using the private key.
+ *
+ * Return value: In case of failure a negative value will be returned,
+ * and 0 on success.
+ **/
+int
+gnutls_openpgp_privkey_sign_hash (gnutls_openpgp_privkey_t key,
+                                  const gnutls_datum_t * hash,
+                                  gnutls_datum_t * signature)
+{
+  int result;
+
+  if (key == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  result = _gnutls_sign (key->pkey.pk_algorithm, key->pkey.params,
+                         key->pkey.params_size, hash, signature);
+  if (result < 0)
+    {
+      gnutls_assert ();
+      return result;
+    }
+
+  return 0;
+}
diff --git a/src/daemon/https/openpgp/gnutls_openpgp.h b/src/daemon/https/openpgp/gnutls_openpgp.h
new file mode 100644
index 00000000..82e22eee
--- /dev/null
+++ b/src/daemon/https/openpgp/gnutls_openpgp.h
@@ -0,0 +1,98 @@
+#include <config.h>
+
+#ifdef ENABLE_OPENPGP
+
+#ifndef GNUTLS_OPENPGP_H
+#define GNUTLS_OPENPGP_H
+
+#include <auth_cert.h>
+#include <opencdk.h>
+
+typedef struct
+  {
+    int type;
+    size_t size;
+    uint8_t *data;
+  }keybox_blob;
+
+typedef enum
+  {
+    KBX_BLOB_FILE = 0x00,
+    KBX_BLOB_DATA = 0x01
+  }keyring_blob_types;
+
+/* OpenCDK compatible */
+typedef enum
+  {
+    KEY_ATTR_NONE = 0,
+    KEY_ATTR_SHORT_KEYID = 3,
+    KEY_ATTR_KEYID = 4,
+    KEY_ATTR_FPR = 5
+  }key_attr_t;
+
+int
+gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t
+    res, const char *CERTFILE,
+    const char *KEYFILE, gnutls_openpgp_crt_fmt_t);
+
+int gnutls_openpgp_count_key_names (const gnutls_datum_t * cert);
+
+int gnutls_certificate_set_openpgp_keyring_file
+(gnutls_certificate_credentials_t c, const char *file, gnutls_openpgp_crt_fmt_t);
+
+int
+gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t
+    c, const opaque * data,
+    size_t dlen, gnutls_openpgp_crt_fmt_t);
+
+int gnutls_openpgp_get_key (gnutls_datum_t * key,
+    gnutls_openpgp_keyring_t keyring,
+    key_attr_t by, opaque * pattern);
+
+int gnutls_openpgp_recv_key (const char *host,
+    short port, uint32_t keyid,
+    gnutls_datum_t * key);
+
+/* internal */
+int _gnutls_openpgp_raw_key_to_gcert (gnutls_cert * cert,
+    const gnutls_datum_t * raw);
+
+extern int
+_gnutls_openpgp_raw_privkey_to_gkey (gnutls_privkey * pkey,
+    const gnutls_datum_t * raw_key,
+    gnutls_openpgp_crt_fmt_t format);
+
+int
+_gnutls_openpgp_request_key (gnutls_session_t,
+    gnutls_datum_t * ret,
+    const gnutls_certificate_credentials_t cred,
+    opaque * key_fpr, int key_fpr_size);
+
+int _gnutls_openpgp_verify_key (const gnutls_certificate_credentials_t,
+    const gnutls_datum_t * cert_list,
+    int cert_list_length, unsigned int *status);
+int _gnutls_openpgp_fingerprint (const gnutls_datum_t * cert,
+    unsigned char *fpr, size_t * fprlen);
+time_t _gnutls_openpgp_get_raw_key_creation_time (const gnutls_datum_t *
+    cert);
+time_t _gnutls_openpgp_get_raw_key_expiration_time (const gnutls_datum_t *
+    cert);
+
+int
+gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t * key);
+
+int
+gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t * key);
+
+void
+gnutls_openpgp_privkey_deinit (gnutls_openpgp_privkey_t key);
+
+int
+gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key,
+    const gnutls_datum_t * data,
+    gnutls_openpgp_crt_fmt_t format,
+    const char *pass, unsigned int flags);
+
+#endif /*GNUTLS_OPENPGP_H */
+
+#endif /*ENABLE_OPENPGP */
diff --git a/src/daemon/https/openpgp/openpgp.h b/src/daemon/https/openpgp/openpgp.h
new file mode 100644
index 00000000..e4ea952b
--- /dev/null
+++ b/src/daemon/https/openpgp/openpgp.h
@@ -0,0 +1,182 @@
+#ifndef OPENPGP_H
+#define OPENPGP_H
+
+#include "config.h"
+
+#ifdef ENABLE_OPENPGP
+
+#ifdef __cplusplus
+extern "C"
+  {
+#endif
+
+#include <gnutls.h>
+#include <gnutls_cert.h>
+#include "opencdk.h"
+
+/* Internal context to store the OpenPGP key. */
+typedef struct gnutls_openpgp_crt_int
+  {
+    cdk_kbnode_t knode;
+  } gnutls_openpgp_crt_int;
+
+/* Internal context to store the private OpenPGP key. */
+typedef struct gnutls_openpgp_privkey_int
+  {
+    gnutls_privkey pkey;
+  } gnutls_openpgp_privkey_int;
+
+typedef struct gnutls_openpgp_keyring_int
+  {
+    cdk_keydb_hd_t db;
+    cdk_stream_t db_stream;
+  } gnutls_openpgp_keyring_int;
+
+typedef struct gnutls_openpgp_keyring_int * gnutls_openpgp_keyring_t;
+/* gnutls_openpgp_cert_t should be defined in gnutls.h */
+
+/* initializes the memory for gnutls_openpgp_crt_t struct */
+int gnutls_openpgp_crt_init(gnutls_openpgp_crt_t * key);
+/* frees all memory */
+void gnutls_openpgp_crt_deinit(gnutls_openpgp_crt_t key);
+
+int gnutls_openpgp_crt_import(gnutls_openpgp_crt_t key,
+                              const gnutls_datum_t * data,
+                              gnutls_openpgp_crt_fmt_t format);
+int gnutls_openpgp_crt_export(gnutls_openpgp_crt_t key,
+                              gnutls_openpgp_crt_fmt_t format,
+                              void *output_data,
+                              size_t * output_data_size);
+
+/* The key_usage flags are defined in gnutls.h. They are
+ * the GNUTLS_KEY_* definitions.
+ */
+int gnutls_openpgp_crt_get_key_usage(gnutls_openpgp_crt_t cert,
+                                     unsigned int *key_usage);
+int gnutls_openpgp_crt_get_fingerprint(gnutls_openpgp_crt_t key,
+                                       void *fpr,
+                                       size_t * fprlen);
+
+int gnutls_openpgp_crt_get_name(gnutls_openpgp_crt_t key,
+                                int idx,
+                                char *buf,
+                                size_t * sizeof_buf);
+
+gnutls_pk_algorithm_t
+    gnutls_openpgp_crt_get_pk_algorithm(gnutls_openpgp_crt_t key,
+                                        unsigned int *bits);
+
+int gnutls_openpgp_crt_get_version(gnutls_openpgp_crt_t key);
+
+time_t gnutls_openpgp_crt_get_creation_time(gnutls_openpgp_crt_t key);
+time_t gnutls_openpgp_crt_get_expiration_time(gnutls_openpgp_crt_t key);
+
+int gnutls_openpgp_crt_get_id(gnutls_openpgp_crt_t key,
+                              unsigned char keyid[8]);
+
+int gnutls_openpgp_crt_check_hostname(gnutls_openpgp_crt_t key,
+                                      const char *hostname);
+
+/* privkey stuff.  */
+int gnutls_openpgp_privkey_init(gnutls_openpgp_privkey_t * key);
+void gnutls_openpgp_privkey_deinit(gnutls_openpgp_privkey_t key);
+gnutls_pk_algorithm_t
+    gnutls_openpgp_privkey_get_pk_algorithm(gnutls_openpgp_privkey_t key,
+                                            unsigned int *bits);
+int gnutls_openpgp_privkey_import(gnutls_openpgp_privkey_t key,
+                                  const gnutls_datum_t * data,
+                                  gnutls_openpgp_crt_fmt_t format,
+                                  const char *pass,
+                                  unsigned int flags);
+int gnutls_openpgp_privkey_sign_hash(gnutls_openpgp_privkey_t key,
+                                     const gnutls_datum_t * hash,
+                                     gnutls_datum_t * signature);
+
+/* Keyring stuff. */
+
+int gnutls_openpgp_keyring_init(gnutls_openpgp_keyring_t * keyring);
+void gnutls_openpgp_keyring_deinit(gnutls_openpgp_keyring_t keyring);
+
+int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring_t keyring,
+                                  const gnutls_datum_t * data,
+                                  gnutls_openpgp_crt_fmt_t format);
+
+int gnutls_openpgp_keyring_check_id(gnutls_openpgp_keyring_t ring,
+                                    const unsigned char keyid[8],
+                                    unsigned int flags);
+
+int gnutls_openpgp_crt_verify_ring(gnutls_openpgp_crt_t key,
+                                   gnutls_openpgp_keyring_t keyring,
+                                   unsigned int flags,
+                                   unsigned int *verify
+/* the output of the verification */);
+
+int gnutls_openpgp_crt_verify_self(gnutls_openpgp_crt_t key,
+                                   unsigned int flags,
+                                   unsigned int *verify);
+
+/* certificate authentication stuff.
+ */
+int gnutls_certificate_set_openpgp_key(gnutls_certificate_credentials_t
+                                       res,
+                                       gnutls_openpgp_crt_t key,
+                                       gnutls_openpgp_privkey_t pkey);
+
+#ifdef __cplusplus
+}
+#endif    
+
+int _gnutls_map_cdk_rc(int rc);
+int gnutls_openpgp_crt_get_name(gnutls_openpgp_crt_t key,
+                                int idx,
+                                char *buf,
+                                size_t * sizeof_buf);
+int gnutls_openpgp_crt_get_fingerprint(gnutls_openpgp_crt_t key,
+                                       void *fpr,
+                                       size_t * fprlen);
+gnutls_pk_algorithm_t
+    gnutls_openpgp_crt_get_pk_algorithm(gnutls_openpgp_crt_t key,
+                                        unsigned int *bits);
+int gnutls_openpgp_crt_get_version(gnutls_openpgp_crt_t key);
+time_t gnutls_openpgp_crt_get_creation_time(gnutls_openpgp_crt_t key);
+time_t gnutls_openpgp_crt_get_expiration_time(gnutls_openpgp_crt_t key);
+int gnutls_openpgp_crt_get_id(gnutls_openpgp_crt_t key,
+                              unsigned char keyid[8]);
+
+int gnutls_openpgp_crt_init(gnutls_openpgp_crt_t * key);
+void gnutls_openpgp_crt_deinit(gnutls_openpgp_crt_t key);
+int gnutls_openpgp_crt_import(gnutls_openpgp_crt_t key,
+                              const gnutls_datum_t * data,
+                              gnutls_openpgp_crt_fmt_t format);
+int gnutls_openpgp_crt_export(gnutls_openpgp_crt_t key,
+                              gnutls_openpgp_crt_fmt_t format,
+                              void *output_data,
+                              size_t * output_data_size);
+
+void gnutls_openpgp_keyring_deinit(gnutls_openpgp_keyring_t keyring);
+int gnutls_openpgp_keyring_init(gnutls_openpgp_keyring_t * keyring);
+int gnutls_openpgp_keyring_import(gnutls_openpgp_keyring_t keyring,
+                                  const gnutls_datum_t * data,
+                                  gnutls_openpgp_crt_fmt_t format);
+int gnutls_openpgp_keyring_check_id(gnutls_openpgp_keyring_t ring,
+                                    const unsigned char keyid[8],
+                                    unsigned int flags);
+
+int gnutls_openpgp_crt_verify_ring(gnutls_openpgp_crt_t key,
+                                   gnutls_openpgp_keyring_t keyring,
+                                   unsigned int flags,
+                                   unsigned int *verify);
+
+int gnutls_openpgp_crt_verify_self(gnutls_openpgp_crt_t key,
+                                   unsigned int flags,
+                                   unsigned int *verify);
+
+int _gnutls_openpgp_crt_to_gcert(gnutls_cert * gcert,
+                                 gnutls_openpgp_crt_t cert);
+int _gnutls_openpgp_privkey_to_gkey(gnutls_privkey * dest,
+                                    gnutls_openpgp_privkey_t src);
+
+void gnutls_openpgp_privkey_deinit(gnutls_openpgp_privkey_t key);
+
+#endif /* ENABLE_OPENPGP */
+#endif /* OPENPGP_H */
diff --git a/src/daemon/https/openpgp/pgp.c b/src/daemon/https/openpgp/pgp.c
new file mode 100644
index 00000000..fca307f5
--- /dev/null
+++ b/src/daemon/https/openpgp/pgp.c
@@ -0,0 +1,534 @@
+/*
+ * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
+ *
+ * Author: Timo Schulz, Nikos Mavrogiannopoulos
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *               
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *                               
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* Functions on OpenPGP key parsing
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_datum.h>
+#include <gnutls_global.h>
+#include <gnutls_errors.h>
+#include "openpgp.h"
+/* x509 */
+#include <rfc2818.h>
+
+/**
+ * gnutls_openpgp_crt_init - This function initializes a gnutls_openpgp_crt_t structure
+ * @key: The structure to be initialized
+ *
+ * This function will initialize an OpenPGP key structure. 
+ *
+ * Returns 0 on success.
+ *
+ **/
+int gnutls_openpgp_crt_init(gnutls_openpgp_crt_t * key)
+{
+  *key = gnutls_calloc(1, sizeof(gnutls_openpgp_crt_int));
+
+  if (*key)
+    return 0; /* success */
+  return GNUTLS_E_MEMORY_ERROR;
+}
+
+/**
+ * gnutls_openpgp_crt_deinit - This function deinitializes memory used by a gnutls_openpgp_crt_t structure
+ * @key: The structure to be initialized
+ *
+ * This function will deinitialize a key structure. 
+ **/
+void gnutls_openpgp_crt_deinit(gnutls_openpgp_crt_t key)
+{
+  if (!key)
+    return;
+
+  if (key->knode)
+    {
+      cdk_kbnode_release(key->knode);
+      key->knode = NULL;
+    }
+
+  gnutls_free(key);
+}
+
+/**
+ * gnutls_openpgp_crt_import - This function will import a RAW or BASE64 encoded key
+ * @key: The structure to store the parsed key.
+ * @data: The RAW or BASE64 encoded key.
+ * @format: One of gnutls_openpgp_crt_fmt_t elements.
+ *
+ * This function will convert the given RAW or Base64 encoded key
+ * to the native gnutls_openpgp_crt_t format. The output will be stored in 'key'.
+ *
+ * Returns 0 on success.
+ **/
+int gnutls_openpgp_crt_import(gnutls_openpgp_crt_t key,
+                              const gnutls_datum_t * data,
+                              gnutls_openpgp_crt_fmt_t format)
+{
+  cdk_stream_t inp;
+  int rc;
+
+  if (format == GNUTLS_OPENPGP_FMT_RAW)
+    rc = cdk_kbnode_read_from_mem(&key->knode, data->data, data->size);
+  else
+    {
+      rc = cdk_stream_tmp_from_mem(data->data, data->size, &inp);
+      if (rc)
+        {
+          rc = _gnutls_map_cdk_rc(rc);
+          gnutls_assert ();
+          return rc;
+        }
+      if (cdk_armor_filter_use(inp))
+        rc = cdk_stream_set_armor_flag(inp, 0);
+      if (!rc)
+        rc = cdk_keydb_get_keyblock(inp, &key->knode);
+      cdk_stream_close(inp);
+      if (rc)
+        {
+          rc = _gnutls_map_cdk_rc(rc);
+          gnutls_assert ();
+          return rc;
+        }
+    }
+
+  return 0;
+}
+
+/**
+ * gnutls_openpgp_crt_export - This function will export a RAW or BASE64 encoded key
+ * @key: Holds the key.
+ * @format: One of gnutls_openpgp_crt_fmt_t elements.
+ * @output_data: will contain the key base64 encoded or raw
+ * @output_data_size: holds the size of output_data (and will be replaced by the actual size of parameters)
+ *
+ * This function will convert the given key to RAW or Base64 format.
+ * If the buffer provided is not long enough to hold the output, then
+ * GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
+ *
+ * Returns 0 on success.
+ *
+ **/
+int gnutls_openpgp_crt_export(gnutls_openpgp_crt_t key,
+                              gnutls_openpgp_crt_fmt_t format,
+                              void *output_data,
+                              size_t * output_data_size)
+{
+  size_t input_data_size = *output_data_size;
+  size_t calc_size;
+  int rc;
+
+  rc = cdk_kbnode_write_to_mem(key->knode, output_data, output_data_size);
+  if (rc)
+    {
+      rc = _gnutls_map_cdk_rc(rc);
+      gnutls_assert ();
+      return rc;
+    }
+
+  /* FIXME: The first call of this function is with output_data == NULL
+   to figure out the size and the caller expects this error here. */
+  if (!output_data)
+    return GNUTLS_E_SHORT_MEMORY_BUFFER;
+
+  if (format == GNUTLS_OPENPGP_FMT_BASE64)
+    {
+      unsigned char *in = cdk_calloc(1, *output_data_size);
+      memcpy(in, output_data, *output_data_size);
+
+      /* Calculate the size of the encoded data and check if the provided
+       buffer is large enough. */
+      rc = cdk_armor_encode_buffer(in, input_data_size, 
+      NULL, 0, &calc_size, CDK_ARMOR_PUBKEY);
+      if (rc || calc_size > input_data_size)
+        {
+          cdk_free(in);
+          *output_data_size = calc_size;
+          rc = _gnutls_map_cdk_rc(CDK_Too_Short);
+          gnutls_assert ();
+          return rc;
+        }
+
+      rc = cdk_armor_encode_buffer(in, input_data_size, output_data,
+                                   input_data_size, &calc_size,
+                                   CDK_ARMOR_PUBKEY);
+      cdk_free(in);
+      *output_data_size = calc_size;
+    }
+
+  return 0;
+}
+
+/**
+ * gnutls_openpgp_crt_get_fingerprint - Gets the fingerprint
+ * @key: the raw data that contains the OpenPGP public key.
+ * @fpr: the buffer to save the fingerprint, must hold at least 20 bytes.
+ * @fprlen: the integer to save the length of the fingerprint.
+ *
+ * Returns the fingerprint of the OpenPGP key. Depends on the algorithm,
+ * the fingerprint can be 16 or 20 bytes.
+ **/
+int gnutls_openpgp_crt_get_fingerprint(gnutls_openpgp_crt_t key,
+                                       void *fpr,
+                                       size_t * fprlen)
+{
+  cdk_packet_t pkt;
+  cdk_pkt_pubkey_t pk= NULL;
+
+  if (!fpr || !fprlen)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  *fprlen = 0;
+
+  pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY);
+  if (!pkt)
+    return GNUTLS_E_OPENPGP_GETKEY_FAILED;
+
+  pk = pkt->pkt.public_key;
+  *fprlen = 20;
+
+  /* FIXME: Check if the draft allows old PGP keys. */
+  if (is_RSA (pk->pubkey_algo) && pk->version < 4)
+    *fprlen = 16;
+  cdk_pk_get_fingerprint(pk, fpr);
+
+  return 0;
+}
+
+int _gnutls_openpgp_count_key_names(gnutls_openpgp_crt_t key)
+{
+  cdk_kbnode_t p, ctx;
+  cdk_packet_t pkt;
+  int nuids;
+
+  if (key == NULL)
+    {
+      gnutls_assert ();
+      return 0;
+    }
+
+  ctx = NULL;
+  nuids = 0;
+  while ((p = cdk_kbnode_walk(key->knode, &ctx, 0)))
+    {
+      pkt = cdk_kbnode_get_packet(p);
+      if (pkt->pkttype == CDK_PKT_USER_ID)
+        nuids++;
+    }
+
+  return nuids;
+}
+
+/**
+ * gnutls_openpgp_crt_get_name - Extracts the userID
+ * @key: the structure that contains the OpenPGP public key.
+ * @idx: the index of the ID to extract
+ * @buf: a pointer to a structure to hold the name
+ * @sizeof_buf: holds the maximum size of @buf, on return hold the
+ *   actual/required size of @buf.
+ *
+ * Extracts the userID from the parsed OpenPGP key.
+ *
+ * Returns 0 on success, and GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * if the index of the ID does not exist.
+ *
+ **/
+int gnutls_openpgp_crt_get_name(gnutls_openpgp_crt_t key,
+                                int idx,
+                                char *buf,
+                                size_t * sizeof_buf)
+{
+  cdk_kbnode_t ctx= NULL, p;
+  cdk_packet_t pkt= NULL;
+  cdk_pkt_userid_t uid= NULL;
+  int pos = 0;
+
+  if (!key || !buf)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  if (idx < 0 || idx > _gnutls_openpgp_count_key_names(key))
+    return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+
+  if (!idx)
+    pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_USER_ID);
+  else
+    {
+      pos = 0;
+      while ((p = cdk_kbnode_walk(key->knode, &ctx, 0)))
+        {
+          pkt = cdk_kbnode_get_packet(p);
+          if (pkt->pkttype == CDK_PKT_USER_ID && ++pos == idx)
+            break;
+        }
+    }
+
+  if (!pkt)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INTERNAL_ERROR;
+    }
+
+  uid = pkt->pkt.user_id;
+  if (uid->len >= *sizeof_buf)
+    {
+      gnutls_assert ();
+      *sizeof_buf = uid->len + 1;
+      return GNUTLS_E_SHORT_MEMORY_BUFFER;
+    }
+
+  memcpy(buf, uid->name, uid->len);
+  buf[uid->len] = '\0'; /* make sure it's a string */
+  *sizeof_buf = uid->len + 1;
+
+  if (uid->is_revoked)
+    return GNUTLS_E_OPENPGP_UID_REVOKED;
+
+  return 0;
+}
+
+/**
+ * gnutls_openpgp_crt_get_pk_algorithm - This function returns the key's PublicKey algorithm
+ * @key: is an OpenPGP key
+ * @bits: if bits is non null it will hold the size of the parameters' in bits
+ *
+ * This function will return the public key algorithm of an OpenPGP
+ * certificate.
+ *
+ * If bits is non null, it should have enough size to hold the parameters
+ * size in bits. For RSA the bits returned is the modulus. 
+ * For DSA the bits returned are of the public exponent.
+ *
+ * Returns a member of the GNUTLS_PKAlgorithm enumeration on success,
+ * or a negative value on error.
+ *
+ **/
+gnutls_pk_algorithm_t gnutls_openpgp_crt_get_pk_algorithm(gnutls_openpgp_crt_t key,
+                                                          unsigned int *bits)
+{
+  cdk_packet_t pkt;
+  int algo;
+
+  if (!key)
+    return GNUTLS_PK_UNKNOWN;
+
+  algo = 0;
+  pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY);
+  if (pkt && pkt->pkttype == CDK_PKT_PUBLIC_KEY)
+    {
+      if (bits)
+        *bits = cdk_pk_get_nbits(pkt->pkt.public_key);
+      algo = pkt->pkt.public_key->pubkey_algo;
+      if (is_RSA (algo))
+        algo = GNUTLS_PK_RSA;
+      else
+        algo = GNUTLS_E_UNKNOWN_PK_ALGORITHM;
+    }
+
+  return algo;
+}
+
+/**
+ * gnutls_openpgp_crt_get_version - Extracts the version of the key.
+ * @key: the structure that contains the OpenPGP public key.
+ *
+ * Extract the version of the OpenPGP key.
+ **/
+int gnutls_openpgp_crt_get_version(gnutls_openpgp_crt_t key)
+{
+  cdk_packet_t pkt;
+  int version;
+
+  if (!key)
+    return -1;
+
+  pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY);
+  if (pkt)
+    version = pkt->pkt.public_key->version;
+  else
+    version = 0;
+
+  return version;
+}
+
+/**
+ * gnutls_openpgp_crt_get_creation_time - Extract the timestamp
+ * @key: the structure that contains the OpenPGP public key.
+ *
+ * Returns the timestamp when the OpenPGP key was created.
+ **/
+time_t gnutls_openpgp_crt_get_creation_time(gnutls_openpgp_crt_t key)
+{
+  cdk_packet_t pkt;
+  time_t timestamp;
+
+  if (!key)
+    return (time_t) - 1;
+
+  pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY);
+  if (pkt)
+    timestamp = pkt->pkt.public_key->timestamp;
+  else
+    timestamp = 0;
+
+  return timestamp;
+}
+
+/**
+ * gnutls_openpgp_crt_get_expiration_time - Extract the expire date
+ * @key: the structure that contains the OpenPGP public key.
+ *
+ * Returns the time when the OpenPGP key expires. A value of '0' means
+ * that the key doesn't expire at all.
+ **/
+time_t gnutls_openpgp_crt_get_expiration_time(gnutls_openpgp_crt_t key)
+{
+  cdk_packet_t pkt;
+  time_t expiredate;
+
+  if (!key)
+    return (time_t) - 1;
+
+  pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY);
+  if (pkt)
+    expiredate = pkt->pkt.public_key->expiredate;
+  else
+    expiredate = 0;
+
+  return expiredate;
+}
+
+/**
+ * gnutls_openpgp_crt_get_id - Gets the keyID
+ * @key: the structure that contains the OpenPGP public key.
+ * @keyid: the buffer to save the keyid.
+ *
+ * Returns the 64-bit keyID of the OpenPGP key.
+ **/
+int gnutls_openpgp_crt_get_id(gnutls_openpgp_crt_t key,
+                              unsigned char keyid[8])
+{
+  cdk_packet_t pkt;
+  uint32_t kid[2];
+
+  if (!key || !keyid)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY);
+  if (!pkt)
+    return GNUTLS_E_OPENPGP_GETKEY_FAILED;
+
+  cdk_pk_get_keyid(pkt->pkt.public_key, kid);
+  keyid[0] = kid[0] >> 24;
+  keyid[1] = kid[0] >> 16;
+  keyid[2] = kid[0] >> 8;
+  keyid[3] = kid[0];
+  keyid[4] = kid[1] >> 24;
+  keyid[5] = kid[1] >> 16;
+  keyid[6] = kid[1] >> 8;
+  keyid[7] = kid[1];
+
+  return 0;
+}
+
+/**
+ * gnutls_openpgp_crt_check_hostname - This function compares the given hostname with the hostname in the key
+ * @key: should contain an gnutls_openpgp_crt_t structure
+ * @hostname: A null terminated string that contains a DNS name
+ *
+ * This function will check if the given key's owner matches
+ * the given hostname. This is a basic implementation of the matching 
+ * described in RFC2818 (HTTPS), which takes into account wildcards.
+ *
+ * Returns non zero on success, and zero on failure.
+ *
+ **/
+int gnutls_openpgp_crt_check_hostname(gnutls_openpgp_crt_t key,
+                                      const char *hostname)
+{
+  char dnsname[MAX_CN];
+  size_t dnsnamesize;
+  int ret;
+  int i;
+
+  /* Check through all included names. */
+  for (i = 0; !(ret < 0); i++)
+    {
+      dnsnamesize = sizeof (dnsname);
+      ret = gnutls_openpgp_crt_get_name(key, i, dnsname, &dnsnamesize);
+      /* FIXME: ret is not used */
+      if (_gnutls_hostname_compare(dnsname, hostname))
+        return 1;
+    }
+
+  /* not found a matching name */
+  return 0;
+}
+
+/**
+ * gnutls_openpgp_crt_get_key_usage - This function returns the key's usage
+ * @key: should contain a gnutls_openpgp_crt_t structure
+ * @key_usage: where the key usage bits will be stored
+ *
+ * This function will return certificate's key usage, by checking the
+ * key algorithm. The key usage value will ORed values of the:
+ * GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_KEY_ENCIPHERMENT.
+ *
+ * A negative value may be returned in case of parsing error.
+ *
+ */
+int gnutls_openpgp_crt_get_key_usage(gnutls_openpgp_crt_t key,
+                                     unsigned int *key_usage)
+{
+  cdk_packet_t pkt;
+  int algo = 0;
+
+  if (!key)
+    return GNUTLS_E_INVALID_REQUEST;
+
+  *key_usage = 0;
+
+  pkt = cdk_kbnode_find_packet(key->knode, CDK_PKT_PUBLIC_KEY);
+  if (pkt && pkt->pkttype == CDK_PKT_PUBLIC_KEY)
+    {
+      algo = pkt->pkt.public_key->pubkey_algo;
+
+      /* FIXME: We need to take a look at the key flags because
+       RSA-E and RSA-S are obsolete. Only RSA is used
+       and the flags are used to set the capabilities. */
+      if (is_DSA (algo) || algo == GCRY_PK_RSA_S)
+        *key_usage |= KEY_DIGITAL_SIGNATURE;
+      else if (algo == GCRY_PK_RSA_E)
+        *key_usage |= KEY_KEY_ENCIPHERMENT;
+      else if (algo == GCRY_PK_RSA)
+        *key_usage |= KEY_DIGITAL_SIGNATURE | KEY_KEY_ENCIPHERMENT;
+    }
+
+  return 0;
+}
diff --git a/src/daemon/https/openpgp/pgp_privkey.c b/src/daemon/https/openpgp/pgp_privkey.c
new file mode 100644
index 00000000..e09697eb
--- /dev/null
+++ b/src/daemon/https/openpgp/pgp_privkey.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007 Free Software Foundation
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *               
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *                               
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* Functions on OpenPGP privkey parsing
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_datum.h>
+#include <gnutls_global.h>
+#include <gnutls_errors.h>
+#include "openpgp.h"
+#include <gnutls_openpgp.h>
+#include <gnutls_cert.h>
+/* x509 */
+#include <rfc2818.h>
+
+/**
+ * gnutls_openpgp_privkey_init - This function initializes a gnutls_openpgp_privkey_t structure
+ * @key: The structure to be initialized
+ *
+ * This function will initialize an OpenPGP key structure. 
+ *
+ * Returns 0 on success.
+ *
+ **/
+int
+gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t * key)
+{
+  *key = gnutls_calloc (1, sizeof (gnutls_openpgp_privkey_int));
+
+  if (*key)
+    return 0;                   /* success */
+  return GNUTLS_E_MEMORY_ERROR;
+}
+
+/**
+ * gnutls_openpgp_privkey_deinit - This function deinitializes memory used by a gnutls_openpgp_privkey_t structure
+ * @key: The structure to be initialized
+ *
+ * This function will deinitialize a key structure. 
+ *
+ **/
+void
+gnutls_openpgp_privkey_deinit (gnutls_openpgp_privkey_t key)
+{
+  if (!key)
+    return;
+
+  _gnutls_gkey_deinit (&key->pkey);
+  gnutls_free (key);
+}
+
+/**
+ * gnutls_openpgp_privkey_import - This function will import a RAW or BASE64 encoded key
+ * @key: The structure to store the parsed key.
+ * @data: The RAW or BASE64 encoded key.
+ * @format: One of gnutls_openpgp_crt_fmt_t elements.
+ * @pass: Unused for now
+ * @flags: should be zero
+ *
+ * This function will convert the given RAW or Base64 encoded key
+ * to the native gnutls_openpgp_privkey_t format. The output will be stored in 'key'.
+ *
+ * Returns 0 on success.
+ *
+ **/
+int
+gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key,
+                               const gnutls_datum_t * data,
+                               gnutls_openpgp_crt_fmt_t format,
+                               const char *pass, unsigned int flags)
+{
+  int rc;
+
+  rc = _gnutls_openpgp_raw_privkey_to_gkey (&key->pkey, data, format);
+  if (rc)
+    {
+      gnutls_assert ();
+      return rc;
+    }
+
+  return 0;
+}
+
+
+/**
+ * gnutls_openpgp_privkey_get_pk_algorithm - This function returns the key's PublicKey algorithm
+ * @key: is an OpenPGP key
+ * @bits: if bits is non null it will hold the size of the parameters' in bits
+ *
+ * This function will return the public key algorithm of an OpenPGP
+ * certificate.
+ *
+ * If bits is non null, it should have enough size to hold the parameters
+ * size in bits. For RSA the bits returned is the modulus. 
+ * For DSA the bits returned are of the public exponent.
+ *
+ * Returns a member of the GNUTLS_PKAlgorithm enumeration on success,
+ * or a negative value on error.
+ *
+ **/
+gnutls_pk_algorithm_t
+gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key,
+                                         unsigned int *bits)
+{
+  int pk = key->pkey.pk_algorithm;
+
+  if (bits)
+    {
+      *bits = 0;
+      if (pk == GNUTLS_PK_RSA)
+        *bits = _gnutls_mpi_get_nbits (key->pkey.params[0]);
+    }
+
+  return pk;
+}
diff --git a/src/daemon/https/openpgp/pgp_verify.c b/src/daemon/https/openpgp/pgp_verify.c
new file mode 100644
index 00000000..cfa29b69
--- /dev/null
+++ b/src/daemon/https/openpgp/pgp_verify.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2002, 2003, 2004, 2005, 2007 Free Software Foundation
+ *
+ * Author: Timo Schulz, Nikos Mavrogiannopoulos
+ *
+ * This file is part of GNUTLS-EXTRA.
+ *
+ * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *               
+ * GNUTLS-EXTRA is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *                               
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* Functions on OpenPGP key parsing
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_errors.h>
+#include <gnutls_openpgp.h>
+#include <gnutls_num.h>
+#include "openpgp.h"
+/* x509 */
+#include <verify.h>             /* lib/x509/verify.h */
+
+
+/**
+ * gnutls_openpgp_crt_verify_ring - Verify all signatures in the key
+ * @key: the structure that holds the key.
+ * @keyring: holds the keyring to check against
+ * @flags: unused (should be 0)
+ * @verify: will hold the certificate verification output.
+ *
+ * Verify all signatures in the key, using the given set of keys (keyring). 
+ *
+ * The key verification output will be put in @verify and will be
+ * one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.
+ *
+ * GNUTLS_CERT_INVALID: A signature on the key is invalid.
+ *
+ * GNUTLS_CERT_REVOKED: The key has been revoked.
+ *
+ * Note that this function does not verify using any "web of
+ * trust". You may use GnuPG for that purpose, or any other external
+ * PGP application.
+ *
+ * Returns 0 on success.
+ **/
+int
+gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
+                                gnutls_openpgp_keyring_t keyring,
+                                unsigned int flags, unsigned int *verify)
+{
+  opaque id[8];
+  cdk_error_t rc;
+  int status;
+
+  if (!key || !keyring)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_NO_CERTIFICATE_FOUND;
+    }
+
+  *verify = 0;
+
+  rc = cdk_pk_check_sigs (key->knode, keyring->db, &status);
+  if (rc == CDK_Error_No_Key)
+    {
+      rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
+      gnutls_assert ();
+      return rc;
+    }
+  else if (rc != CDK_Success)
+    {
+      _gnutls_x509_log ("cdk_pk_check_sigs: error %d\n", rc);
+      rc = _gnutls_map_cdk_rc (rc);
+      gnutls_assert ();
+      return rc;
+    }
+  _gnutls_x509_log ("status: %x\n", status);
+
+  if (status & CDK_KEY_INVALID)
+    *verify |= GNUTLS_CERT_INVALID;
+  if (status & CDK_KEY_REVOKED)
+    *verify |= GNUTLS_CERT_REVOKED;
+  if (status & CDK_KEY_NOSIGNER)
+    *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND;
+
+  /* Check if the key is included in the ring. */
+  if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME))
+    {
+      rc = gnutls_openpgp_crt_get_id (key, id);
+      if (rc < 0)
+        {
+          gnutls_assert ();
+          return rc;
+        }
+
+      rc = gnutls_openpgp_keyring_check_id (keyring, id, 0);
+      /* If it exists in the keyring don't treat it as unknown. */
+      if (rc == 0 && *verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
+        *verify ^= GNUTLS_CERT_SIGNER_NOT_FOUND;
+    }
+
+  return 0;
+}
+
+
+/**
+ * gnutls_openpgp_crt_verify_self - Verify the self signature on the key
+ * @key: the structure that holds the key.
+ * @flags: unused (should be 0)
+ * @verify: will hold the key verification output.
+ *
+ * Verifies the self signature in the key.
+ * The key verification output will be put in @verify and will be
+ * one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.
+ *
+ * GNUTLS_CERT_INVALID: The self signature on the key is invalid.
+ *
+ * Returns 0 on success.
+ **/
+int
+gnutls_openpgp_crt_verify_self (gnutls_openpgp_crt_t key,
+                                unsigned int flags, unsigned int *verify)
+{
+  int status;
+  cdk_error_t rc;
+
+  rc = cdk_pk_check_self_sig (key->knode, &status);
+  if (rc || status != CDK_KEY_VALID)
+    *verify |= GNUTLS_CERT_INVALID;
+  else
+    *verify = 0;
+
+  return 0;
+}