Switch to using rpmKeyringVerifySig() internally

- Change rpmVerifySignature() to take just the signature parameters
  instead of the whole dig (this is an internal API so we're free
  to mess with it) from which it only needed the signature params.
- The internal low-level verifySignature() is thus reduced to
  to a call to rpmKeyringVerifySig() and spitting some silly
  strings to msg.
- With this, keyring can now use and reuse the its internally stored
  pgp key parameters instead of having to parse the same PGP packets
  over and over. As a result, signature checking is faster now. Not
  dramatically so but measurably nevertheless.

diff --git a/lib/package.c b/lib/package.c
index e29c23c..b5e238e 100644 (file)
--- a/lib/package.c
+++ b/lib/package.c
@@ -275,7 +275,7 @@ static rpmRC headerSigVerify(rpmKeyring keyring, rpmVSFlags vsflags,
        rpmDigestUpdate(ctx, pe, (ril * sizeof(*pe)));
        rpmDigestUpdate(ctx, dataStart, rdl);
 
-       rc = rpmVerifySignature(keyring, &sigtd, dig, ctx, buf);
+       rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, buf);
 
        rpmDigestFinal(ctx, NULL, NULL, 0);
     }
@@ -649,7 +649,7 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags,
     }
 
     /** @todo Implement disable/enable/warn/error/anal policy. */
-    rc = rpmVerifySignature(keyring, &sigtd, dig, ctx, &msg);
+    rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, &msg);
        
     switch (rc) {
     case RPMRC_OK:             /* Signature is OK. */

diff --git a/lib/rpmchecksig.c b/lib/rpmchecksig.c
index 597ceaf..3624f41 100644 (file)
--- a/lib/rpmchecksig.c
+++ b/lib/rpmchecksig.c
@@ -364,7 +364,7 @@ static int rpmpkgVerifySigs(rpmKeyring keyring, rpmQueryFlags flags,
            break;
        }
 
-       rc = rpmVerifySignature(keyring, &sigtd, dig, ctx, &result);
+       rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, &result);
        rpmDigestFinal(ctx, NULL, NULL, 0);
 
        formatResult(sigtd.tag, rc, result, havekey, 

diff --git a/lib/signature.c b/lib/signature.c
index c5a06de..a1293cb 100644 (file)
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -462,37 +462,29 @@ exit:
 /**
  * Verify DSA/RSA signature.
  * @param keyring      pubkey keyring
- * @param dig          OpenPGP container
+ * @param sig          OpenPGP signature parameters
  * @param hashctx      digest context
  * @param isHdr                header-only signature?
  * @retval msg         verbose success/failure text
  * @return             RPMRC_OK on success
  */
 static rpmRC
-verifySignature(rpmKeyring keyring, pgpDig dig, DIGEST_CTX hashctx, int isHdr, 
-               char **msg)
+verifySignature(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX hashctx,
+               int isHdr, char **msg)
 {
-    rpmRC res = RPMRC_FAIL; /* assume failure */
-    char *sigid = NULL;
-    *msg = NULL;
-    pgpDigParams sig = pgpDigGetParams(dig, PGPTAG_SIGNATURE);
-
-    /* Call verify even if we dont have a key for a basic sanity check */
-    if (sig) {
-       (void) rpmKeyringLookup(keyring, dig);
-       res = pgpVerifySignature(pgpDigGetParams(dig, PGPTAG_PUBLIC_KEY),
-                                sig, hashctx);
-
-       sigid = pgpIdentItem(sig);
-       rasprintf(msg, "%s%s: %s\n", isHdr ? _("Header ") : "", sigid, 
-                   rpmSigString(res));
-       free(sigid);
-    }
+
+    rpmRC res = rpmKeyringVerifySig(keyring, sig, hashctx);
+
+    char *sigid = pgpIdentItem(sig);
+    rasprintf(msg, "%s%s: %s\n", isHdr ? _("Header ") : "", sigid, 
+               rpmSigString(res));
+    free(sigid);
     return res;
 }
 
 rpmRC
-rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, DIGEST_CTX ctx, char ** result)
+rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDigParams sig,
+                  DIGEST_CTX ctx, char ** result)
 {
     rpmRC res = RPMRC_NOTFOUND;
     char *msg = NULL;
@@ -515,8 +507,8 @@ rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, DIGEST_CTX ctx,
     case RPMSIGTAG_PGP5:       /* XXX legacy */
     case RPMSIGTAG_PGP:
     case RPMSIGTAG_GPG:
-       if (dig != NULL)
-           res = verifySignature(keyring, dig, ctx, hdrsig, &msg);
+       if (sig != NULL)
+           res = verifySignature(keyring, sig, ctx, hdrsig, &msg);
        break;
     default:
        break;
@@ -526,7 +518,7 @@ exit:
     if (res == RPMRC_NOTFOUND) {
        rasprintf(&msg,
                  _("Verify signature: BAD PARAMETERS (%d %p %d %p %p)\n"),
-                 sigtd->tag, sigtd->data, sigtd->count, ctx, dig);
+                 sigtd->tag, sigtd->data, sigtd->count, ctx, sig);
        res = RPMRC_FAIL;
     }
 

diff --git a/lib/signature.h b/lib/signature.h
index 781ffd6..136b70d 100644 (file)
--- a/lib/signature.h
+++ b/lib/signature.h
@@ -58,12 +58,13 @@ int rpmGenDigest(Header sigh, const char * file, rpmTagVal sigTag);
  *
  * @param keyring      keyring handle
  * @param sigtd                signature tag data container
- * @param dig          signature/pubkey parameters
+ * @param sig          signature/pubkey parameters
  * @retval result      detailed text result of signature verification
  *                     (malloc'd)
  * @return             result of signature verification
  */
-rpmRC rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, DIGEST_CTX ctx, char ** result);
+rpmRC rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDigParams sig,
+                        DIGEST_CTX ctx, char ** result);
 
 /** \ingroup signature
  * Destroy signature header from package.