2005-04-18 12:44:46 +02:00
|
|
|
|
/* keylist.c - Print certificates in various formats.
|
2011-12-07 16:15:15 +01:00
|
|
|
|
* Copyright (C) 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2008, 2009,
|
|
|
|
|
* 2010, 2011 Free Software Foundation, Inc.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*
|
|
|
|
|
* This file is part of GnuPG.
|
|
|
|
|
*
|
|
|
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
2007-07-04 21:49:40 +02:00
|
|
|
|
* the Free Software Foundation; either version 3 of the License, or
|
2003-08-05 19:11:04 +02:00
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2016-11-05 12:02:19 +01:00
|
|
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <errno.h>
|
2011-02-04 12:57:53 +01:00
|
|
|
|
#include <unistd.h>
|
2003-08-05 19:11:04 +02:00
|
|
|
|
#include <time.h>
|
|
|
|
|
|
|
|
|
|
#include "gpgsm.h"
|
|
|
|
|
|
|
|
|
|
#include <gcrypt.h>
|
|
|
|
|
#include <ksba.h>
|
|
|
|
|
|
|
|
|
|
#include "keydb.h"
|
2004-02-02 18:09:35 +01:00
|
|
|
|
#include "../kbx/keybox.h" /* for KEYBOX_FLAG_* */
|
2017-03-07 12:21:23 +01:00
|
|
|
|
#include "../common/i18n.h"
|
|
|
|
|
#include "../common/tlv.h"
|
2017-05-31 14:33:45 +02:00
|
|
|
|
#include "../common/compliance.h"
|
2017-10-17 21:10:19 +02:00
|
|
|
|
#include "../common/pkscreening.h"
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
struct list_external_parm_s
|
2007-03-19 15:35:04 +01:00
|
|
|
|
{
|
2004-02-17 16:05:04 +01:00
|
|
|
|
ctrl_t ctrl;
|
2007-03-19 15:35:04 +01:00
|
|
|
|
estream_t fp;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int print_header;
|
|
|
|
|
int with_colons;
|
|
|
|
|
int with_chain;
|
2004-04-22 15:03:44 +02:00
|
|
|
|
int raw_mode;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
2008-06-26 21:09:07 +02:00
|
|
|
|
/* Do not print this extension in the list of extensions. This is set
|
2017-04-28 03:06:33 +02:00
|
|
|
|
for oids which are already available via ksba functions. */
|
2008-06-26 21:09:07 +02:00
|
|
|
|
#define OID_FLAG_SKIP 1
|
|
|
|
|
/* The extension is a simple UTF8String and should be printed. */
|
2011-02-04 12:57:53 +01:00
|
|
|
|
#define OID_FLAG_UTF8 2
|
2023-10-18 15:43:22 +02:00
|
|
|
|
/* The extension can be printed as a hex string. */
|
2019-03-01 15:23:49 +01:00
|
|
|
|
#define OID_FLAG_HEX 4
|
2024-05-13 00:09:23 +02:00
|
|
|
|
/* Define if this specifies a key purpose. */
|
2021-02-01 10:28:52 +01:00
|
|
|
|
#define OID_FLAG_KP 8
|
2008-06-26 21:09:07 +02:00
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
/* A table mapping OIDs to a descriptive string. */
|
2011-02-04 12:57:53 +01:00
|
|
|
|
static struct
|
2007-03-19 15:35:04 +01:00
|
|
|
|
{
|
2004-04-23 12:34:25 +02:00
|
|
|
|
char *oid;
|
|
|
|
|
char *name;
|
2008-06-26 21:09:07 +02:00
|
|
|
|
unsigned int flag; /* A flag as described above. */
|
2004-04-23 12:34:25 +02:00
|
|
|
|
} oidtranstbl[] = {
|
|
|
|
|
|
|
|
|
|
/* Algorithms. */
|
|
|
|
|
{ "1.2.840.10040.4.1", "dsa" },
|
|
|
|
|
{ "1.2.840.10040.4.3", "dsaWithSha1" },
|
|
|
|
|
|
|
|
|
|
{ "1.2.840.113549.1.1.1", "rsaEncryption" },
|
|
|
|
|
{ "1.2.840.113549.1.1.2", "md2WithRSAEncryption" },
|
|
|
|
|
{ "1.2.840.113549.1.1.3", "md4WithRSAEncryption" },
|
|
|
|
|
{ "1.2.840.113549.1.1.4", "md5WithRSAEncryption" },
|
|
|
|
|
{ "1.2.840.113549.1.1.5", "sha1WithRSAEncryption" },
|
|
|
|
|
{ "1.2.840.113549.1.1.7", "rsaOAEP" },
|
|
|
|
|
{ "1.2.840.113549.1.1.8", "rsaOAEP-MGF" },
|
|
|
|
|
{ "1.2.840.113549.1.1.9", "rsaOAEP-pSpecified" },
|
|
|
|
|
{ "1.2.840.113549.1.1.10", "rsaPSS" },
|
|
|
|
|
{ "1.2.840.113549.1.1.11", "sha256WithRSAEncryption" },
|
|
|
|
|
{ "1.2.840.113549.1.1.12", "sha384WithRSAEncryption" },
|
|
|
|
|
{ "1.2.840.113549.1.1.13", "sha512WithRSAEncryption" },
|
|
|
|
|
|
|
|
|
|
{ "1.3.14.3.2.26", "sha1" },
|
|
|
|
|
{ "1.3.14.3.2.29", "sha-1WithRSAEncryption" },
|
|
|
|
|
{ "1.3.36.3.3.1.2", "rsaSignatureWithripemd160" },
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Telesec extensions. */
|
|
|
|
|
{ "0.2.262.1.10.12.0", "certExtensionLiabilityLimitationExt" },
|
|
|
|
|
{ "0.2.262.1.10.12.1", "telesecCertIdExt" },
|
|
|
|
|
{ "0.2.262.1.10.12.2", "telesecPolicyIdentifier" },
|
|
|
|
|
{ "0.2.262.1.10.12.3", "telesecPolicyQualifierID" },
|
|
|
|
|
{ "0.2.262.1.10.12.4", "telesecCRLFilteredExt" },
|
|
|
|
|
{ "0.2.262.1.10.12.5", "telesecCRLFilterExt"},
|
|
|
|
|
{ "0.2.262.1.10.12.6", "telesecNamingAuthorityExt" },
|
2008-06-26 21:09:07 +02:00
|
|
|
|
#define OIDSTR_restriction \
|
|
|
|
|
"1.3.36.8.3.8"
|
|
|
|
|
{ OIDSTR_restriction, "restriction", OID_FLAG_UTF8 },
|
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
|
|
|
|
/* PKIX private extensions. */
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.1", "authorityInfoAccess" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.2", "biometricInfo" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.3", "qcStatements" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.4", "acAuditIdentity" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.5", "acTargeting" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.6", "acAaControls" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.7", "sbgp-ipAddrBlock" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.8", "sbgp-autonomousSysNum" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.9", "sbgp-routerIdentifier" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.10", "acProxying" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.1.11", "subjectInfoAccess" },
|
|
|
|
|
|
2021-02-01 10:28:52 +01:00
|
|
|
|
{ "1.3.6.1.5.5.7.3.1", "serverAuth", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.2", "clientAuth", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.3", "codeSigning", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.4", "emailProtection", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.5", "ipsecEndSystem", OID_FLAG_KP }, /* historic */
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.6", "ipsecTunnel", OID_FLAG_KP }, /* historic */
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.7", "ipsecUser", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.8", "timeStamping", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.9", "ocspSigning", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.10", "dvcs", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.11", "sbgpCertAAServerAuth", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.13", "eapOverPPP", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.14", "wlanSSID", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.5.5.7.3.17", "ipsecIKE", OID_FLAG_KP }, /* rfc-4945 */
|
|
|
|
|
|
2006-09-06 13:53:24 +02:00
|
|
|
|
{ "1.3.6.1.5.5.7.48.1", "ocsp" },
|
2021-02-01 10:28:52 +01:00
|
|
|
|
{ "1.3.6.1.5.5.7.48.1.5", "ocspNoCheck", OID_FLAG_KP },
|
2006-09-06 13:53:24 +02:00
|
|
|
|
{ "1.3.6.1.5.5.7.48.2", "caIssuers" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.48.3", "timeStamping" },
|
|
|
|
|
{ "1.3.6.1.5.5.7.48.5", "caRepository" },
|
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
/* X.509 id-ce */
|
2008-06-26 21:09:07 +02:00
|
|
|
|
{ "2.5.29.14", "subjectKeyIdentifier", OID_FLAG_SKIP},
|
|
|
|
|
{ "2.5.29.15", "keyUsage", OID_FLAG_SKIP},
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{ "2.5.29.16", "privateKeyUsagePeriod" },
|
2008-06-26 21:09:07 +02:00
|
|
|
|
{ "2.5.29.17", "subjectAltName", OID_FLAG_SKIP},
|
|
|
|
|
{ "2.5.29.18", "issuerAltName", OID_FLAG_SKIP},
|
|
|
|
|
{ "2.5.29.19", "basicConstraints", OID_FLAG_SKIP},
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{ "2.5.29.20", "cRLNumber" },
|
|
|
|
|
{ "2.5.29.21", "cRLReason" },
|
|
|
|
|
{ "2.5.29.22", "expirationDate" },
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{ "2.5.29.23", "instructionCode" },
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{ "2.5.29.24", "invalidityDate" },
|
|
|
|
|
{ "2.5.29.27", "deltaCRLIndicator" },
|
|
|
|
|
{ "2.5.29.28", "issuingDistributionPoint" },
|
|
|
|
|
{ "2.5.29.29", "certificateIssuer" },
|
|
|
|
|
{ "2.5.29.30", "nameConstraints" },
|
2008-06-26 21:09:07 +02:00
|
|
|
|
{ "2.5.29.31", "cRLDistributionPoints", OID_FLAG_SKIP},
|
|
|
|
|
{ "2.5.29.32", "certificatePolicies", OID_FLAG_SKIP},
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{ "2.5.29.32.0", "anyPolicy" },
|
|
|
|
|
{ "2.5.29.33", "policyMappings" },
|
2008-06-26 21:09:07 +02:00
|
|
|
|
{ "2.5.29.35", "authorityKeyIdentifier", OID_FLAG_SKIP},
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{ "2.5.29.36", "policyConstraints" },
|
2008-06-26 21:09:07 +02:00
|
|
|
|
{ "2.5.29.37", "extKeyUsage", OID_FLAG_SKIP},
|
2021-02-22 15:54:05 +01:00
|
|
|
|
{ "2.5.29.37.0", "anyExtendedKeyUsage", OID_FLAG_KP},
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{ "2.5.29.46", "freshestCRL" },
|
|
|
|
|
{ "2.5.29.54", "inhibitAnyPolicy" },
|
|
|
|
|
|
|
|
|
|
/* Netscape certificate extensions. */
|
|
|
|
|
{ "2.16.840.1.113730.1.1", "netscape-cert-type" },
|
|
|
|
|
{ "2.16.840.1.113730.1.2", "netscape-base-url" },
|
|
|
|
|
{ "2.16.840.1.113730.1.3", "netscape-revocation-url" },
|
|
|
|
|
{ "2.16.840.1.113730.1.4", "netscape-ca-revocation-url" },
|
|
|
|
|
{ "2.16.840.1.113730.1.7", "netscape-cert-renewal-url" },
|
|
|
|
|
{ "2.16.840.1.113730.1.8", "netscape-ca-policy-url" },
|
|
|
|
|
{ "2.16.840.1.113730.1.9", "netscape-homePage-url" },
|
|
|
|
|
{ "2.16.840.1.113730.1.10", "netscape-entitylogo" },
|
|
|
|
|
{ "2.16.840.1.113730.1.11", "netscape-userPicture" },
|
|
|
|
|
{ "2.16.840.1.113730.1.12", "netscape-ssl-server-name" },
|
|
|
|
|
{ "2.16.840.1.113730.1.13", "netscape-comment" },
|
2021-02-01 10:28:52 +01:00
|
|
|
|
{ "2.16.840.1.113730.4.1", "serverGatedCrypto.ns", OID_FLAG_KP },
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
2005-11-13 20:07:06 +01:00
|
|
|
|
/* GnuPG extensions */
|
|
|
|
|
{ "1.3.6.1.4.1.11591.2.1.1", "pkaAddress" },
|
2011-03-01 14:42:56 +01:00
|
|
|
|
{ "1.3.6.1.4.1.11591.2.2.1", "standaloneCertificate" },
|
2011-12-06 19:57:27 +01:00
|
|
|
|
{ "1.3.6.1.4.1.11591.2.2.2", "wellKnownPrivateKey" },
|
2021-03-24 11:07:47 +01:00
|
|
|
|
{ "1.3.6.1.4.1.11591.2.6.1", "gpgUsageCert", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.11591.2.6.2", "gpgUsageSign", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.11591.2.6.3", "gpgUsageEncr", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.11591.2.6.4", "gpgUsageAuth", OID_FLAG_KP },
|
2005-11-13 20:07:06 +01:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
/* Extensions used by the Bundesnetzagentur. */
|
|
|
|
|
{ "1.3.6.1.4.1.8301.3.5", "validityModel" },
|
|
|
|
|
|
2019-03-01 15:23:49 +01:00
|
|
|
|
/* Yubikey extensions for attestation certificates. */
|
|
|
|
|
{ "1.3.6.1.4.1.41482.3.3", "yubikey-firmware-version", OID_FLAG_HEX },
|
|
|
|
|
{ "1.3.6.1.4.1.41482.3.7", "yubikey-serial-number", OID_FLAG_HEX },
|
|
|
|
|
{ "1.3.6.1.4.1.41482.3.8", "yubikey-pin-touch-policy", OID_FLAG_HEX },
|
|
|
|
|
{ "1.3.6.1.4.1.41482.3.9", "yubikey-formfactor", OID_FLAG_HEX },
|
|
|
|
|
|
2021-02-01 10:28:52 +01:00
|
|
|
|
/* Microsoft extensions. */
|
2021-02-22 15:54:05 +01:00
|
|
|
|
{ "1.3.6.1.4.1.311.3.10.3.12","ms-old-documentSigning", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.10.3.3", "ms-serverGatedCrypto", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.10.3.11","ms-keyRecovery", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.10.3.12","ms-documentSigning", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.10.3.4", "ms-encryptedFileSystem", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.10.3.4.1","ms-efsRecovery", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.20.2.1", "ms-enrollmentAgent", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.20.2.2", "ms-smartcardLogon", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.21.5", "ms-caExchange", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.21.6", "ms-keyRecovery", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.311.21.19", "ms-dsEmailReplication", OID_FLAG_KP },
|
|
|
|
|
|
2023-10-18 15:43:22 +02:00
|
|
|
|
/* BSI policies. */
|
|
|
|
|
|
2021-02-22 15:54:05 +01:00
|
|
|
|
/* Other vendor extensions. */
|
2021-02-01 10:28:52 +01:00
|
|
|
|
{ "1.3.6.1.4.1.30205.13.1.1", "trusted-disk", OID_FLAG_KP },
|
2021-02-22 15:54:05 +01:00
|
|
|
|
{ "1.2.840.113583.1.1.5", "pdfAuthenticDocumentsTrust", OID_FLAG_KP },
|
|
|
|
|
{ "1.3.6.1.4.1.6449.1.3.5.2", "comodoCertifiedDeliveryService", OID_FLAG_KP },
|
2021-02-01 10:28:52 +01:00
|
|
|
|
|
2021-09-09 13:09:59 +02:00
|
|
|
|
/* ARRL */
|
|
|
|
|
{ "1.3.6.1.4.1.12348.1.1", "lotw-callsign" },
|
|
|
|
|
{ "1.3.6.1.4.1.12348.1.2", "lotw-qso-first-date" },
|
|
|
|
|
{ "1.3.6.1.4.1.12348.1.3", "lotw-qso-end-date" },
|
|
|
|
|
{ "1.3.6.1.4.1.12348.1.4", "lotw-dxcc-entity" },
|
|
|
|
|
/* { "1.3.6.1.4.1.12348.1.5", "lotw-fixme" }, */
|
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{ NULL }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
2021-02-01 10:28:52 +01:00
|
|
|
|
/* Return the description for OID; if no description is available NULL
|
|
|
|
|
* is returned. If MATCHFLAG is set the flag of the OID must match
|
|
|
|
|
* MATCHFLAG; otherwise NULL is returned. */
|
2004-04-23 12:34:25 +02:00
|
|
|
|
static const char *
|
2021-02-01 10:28:52 +01:00
|
|
|
|
get_oid_desc (const char *oid, unsigned int matchflag, unsigned int *flag)
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (oid)
|
|
|
|
|
for (i=0; oidtranstbl[i].oid; i++)
|
2021-02-01 10:28:52 +01:00
|
|
|
|
if (!strcmp (oidtranstbl[i].oid, oid)
|
|
|
|
|
&& (!matchflag || (oidtranstbl[i].flag & matchflag)))
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{
|
|
|
|
|
if (flag)
|
|
|
|
|
*flag = oidtranstbl[i].flag;
|
|
|
|
|
return oidtranstbl[i].name;
|
|
|
|
|
}
|
|
|
|
|
if (flag)
|
|
|
|
|
*flag = 0;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static void
|
2007-03-19 15:35:04 +01:00
|
|
|
|
print_key_data (ksba_cert_t cert, estream_t fp)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
#if 0
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int n = pk ? pubkey_get_npkey( pk->pubkey_algo ) : 0;
|
|
|
|
|
int i;
|
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
for(i=0; i < n; i++ )
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "pkd:%d:%u:", i, mpi_get_nbits( pk->pkey[i] ) );
|
2003-08-05 19:11:04 +02:00
|
|
|
|
mpi_print(stdout, pk->pkey[i], 1 );
|
|
|
|
|
putchar(':');
|
|
|
|
|
putchar('\n');
|
|
|
|
|
}
|
2008-10-20 15:53:23 +02:00
|
|
|
|
#else
|
|
|
|
|
(void)cert;
|
|
|
|
|
(void)fp;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-17 21:10:19 +02:00
|
|
|
|
|
|
|
|
|
/* Various public key screenings. (Right now just ROCA). With
|
|
|
|
|
* COLON_MODE set the output is formatted for use in the compliance
|
|
|
|
|
* field of a colon listing. */
|
|
|
|
|
static void
|
|
|
|
|
print_pk_screening (ksba_cert_t cert, int colon_mode, estream_t fp)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
gcry_mpi_t modulus;
|
|
|
|
|
|
|
|
|
|
modulus = gpgsm_get_rsa_modulus (cert);
|
|
|
|
|
if (modulus)
|
|
|
|
|
{
|
|
|
|
|
err = screen_key_for_roca (modulus);
|
|
|
|
|
if (!err)
|
|
|
|
|
;
|
|
|
|
|
else if (gpg_err_code (err) == GPG_ERR_TRUE)
|
|
|
|
|
{
|
|
|
|
|
if (colon_mode)
|
|
|
|
|
es_fprintf (fp, colon_mode > 1? " %d":"%d", 6001);
|
|
|
|
|
else
|
|
|
|
|
es_fprintf (fp, " screening: ROCA vulnerability detected\n");
|
|
|
|
|
}
|
|
|
|
|
else if (!colon_mode)
|
|
|
|
|
es_fprintf (fp, " screening: [ROCA check failed: %s]\n",
|
|
|
|
|
gpg_strerror (err));
|
|
|
|
|
gcry_mpi_release (modulus);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static void
|
2022-11-15 16:31:46 +01:00
|
|
|
|
print_capabilities (ksba_cert_t cert, int algo, estream_t fp)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2003-12-17 13:28:24 +01:00
|
|
|
|
gpg_error_t err;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
unsigned int use;
|
2022-06-13 17:46:40 +02:00
|
|
|
|
unsigned int is_encr, is_sign, is_cert;
|
2005-11-13 20:07:06 +01:00
|
|
|
|
size_t buflen;
|
|
|
|
|
char buffer[1];
|
|
|
|
|
|
2022-06-13 17:46:40 +02:00
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
err = ksba_cert_get_user_data (cert, "is_qualified",
|
2005-11-13 20:07:06 +01:00
|
|
|
|
&buffer, sizeof (buffer), &buflen);
|
|
|
|
|
if (!err && buflen)
|
|
|
|
|
{
|
|
|
|
|
if (*buffer)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('q', fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
2005-11-13 20:07:06 +01:00
|
|
|
|
else if (gpg_err_code (err) == GPG_ERR_NOT_FOUND)
|
|
|
|
|
; /* Don't know - will not get marked as 'q' */
|
|
|
|
|
else
|
|
|
|
|
log_debug ("get_user_data(is_qualified) failed: %s\n",
|
2011-02-04 12:57:53 +01:00
|
|
|
|
gpg_strerror (err));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
err = ksba_cert_get_key_usage (cert, &use);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('e', fp);
|
|
|
|
|
es_putc ('s', fp);
|
|
|
|
|
es_putc ('c', fp);
|
|
|
|
|
es_putc ('E', fp);
|
|
|
|
|
es_putc ('S', fp);
|
|
|
|
|
es_putc ('C', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
if (err)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{
|
2003-08-05 19:11:04 +02:00
|
|
|
|
log_error (_("error getting key usage information: %s\n"),
|
2003-11-12 16:17:44 +01:00
|
|
|
|
gpg_strerror (err));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2022-06-13 17:46:40 +02:00
|
|
|
|
is_encr = is_sign = is_cert = 0;
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
|
2022-06-13 17:46:40 +02:00
|
|
|
|
is_encr = 1;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
|
2022-06-13 17:46:40 +02:00
|
|
|
|
is_sign = 1;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
|
2022-06-13 17:46:40 +02:00
|
|
|
|
is_cert = 1;
|
|
|
|
|
|
|
|
|
|
/* We need to returned the faked key usage to frontends so that they
|
|
|
|
|
* can select the right key. Note that we don't do this for the
|
|
|
|
|
* human readable keyUsage. */
|
2022-11-15 16:31:46 +01:00
|
|
|
|
if ((algo == GCRY_PK_ECC || (opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR))
|
2022-06-13 17:46:40 +02:00
|
|
|
|
&& (use & KSBA_KEYUSAGE_KEY_AGREEMENT))
|
|
|
|
|
is_encr = 1;
|
|
|
|
|
|
|
|
|
|
if (is_encr)
|
|
|
|
|
es_putc ('e', fp);
|
|
|
|
|
if (is_sign)
|
|
|
|
|
es_putc ('s', fp);
|
|
|
|
|
if (is_cert)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('c', fp);
|
2022-06-13 17:46:40 +02:00
|
|
|
|
if (is_encr)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('E', fp);
|
2022-06-13 17:46:40 +02:00
|
|
|
|
if (is_sign)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('S', fp);
|
2022-06-13 17:46:40 +02:00
|
|
|
|
if (is_cert)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('C', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2007-03-19 15:35:04 +01:00
|
|
|
|
print_time (gnupg_isotime_t t, estream_t fp)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2003-10-31 13:12:47 +01:00
|
|
|
|
if (!t || !*t)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (t, fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2005-07-20 17:05:05 +02:00
|
|
|
|
/* Return an allocated string with the email address extracted from a
|
2008-03-13 09:46:08 +01:00
|
|
|
|
DN. Note hat we use this code also in ../kbx/keybox-blob.c. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static char *
|
|
|
|
|
email_kludge (const char *name)
|
|
|
|
|
{
|
2005-07-20 17:05:05 +02:00
|
|
|
|
const char *p, *string;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
unsigned char *buf;
|
|
|
|
|
int n;
|
|
|
|
|
|
2005-07-20 17:05:05 +02:00
|
|
|
|
string = name;
|
|
|
|
|
for (;;)
|
|
|
|
|
{
|
|
|
|
|
p = strstr (string, "1.2.840.113549.1.9.1=#");
|
|
|
|
|
if (!p)
|
|
|
|
|
return NULL;
|
|
|
|
|
if (p == name || (p > string+1 && p[-1] == ',' && p[-2] != '\\'))
|
|
|
|
|
{
|
|
|
|
|
name = p + 22;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
string = p + 22;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* This looks pretty much like an email address in the subject's DN
|
|
|
|
|
we use this to add an additional user ID entry. This way,
|
2008-03-13 09:46:08 +01:00
|
|
|
|
OpenSSL generated keys get a nicer and usable listing. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
for (n=0, p=name; hexdigitp (p) && hexdigitp (p+1); p +=2, n++)
|
|
|
|
|
;
|
2005-07-20 17:05:05 +02:00
|
|
|
|
if (!n)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return NULL;
|
|
|
|
|
buf = xtrymalloc (n+3);
|
|
|
|
|
if (!buf)
|
|
|
|
|
return NULL; /* oops, out of core */
|
|
|
|
|
*buf = '<';
|
2005-07-20 17:05:05 +02:00
|
|
|
|
for (n=1, p=name; hexdigitp (p); p +=2, n++)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
buf[n] = xtoi_2 (p);
|
|
|
|
|
buf[n++] = '>';
|
|
|
|
|
buf[n] = 0;
|
2005-06-16 10:12:03 +02:00
|
|
|
|
return (char*)buf;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2017-03-20 10:09:40 +01:00
|
|
|
|
/* Print the compliance flags to field 18. ALGO is the gcrypt algo
|
|
|
|
|
* number. NBITS is the length of the key in bits. */
|
|
|
|
|
static void
|
2017-10-17 21:10:19 +02:00
|
|
|
|
print_compliance_flags (ksba_cert_t cert, int algo, unsigned int nbits,
|
2023-10-24 14:22:05 +02:00
|
|
|
|
const char *curvename, estream_t fp)
|
2017-03-20 10:09:40 +01:00
|
|
|
|
{
|
2019-02-28 14:43:42 +01:00
|
|
|
|
int indent = 0;
|
|
|
|
|
int hashalgo;
|
2017-10-17 21:10:19 +02:00
|
|
|
|
|
2020-07-03 15:47:55 +02:00
|
|
|
|
/* Note that we do not need to test for PK_ALGO_FLAG_RSAPSS because
|
|
|
|
|
* that is not a property of the key but one of the created
|
|
|
|
|
* signature. */
|
2023-10-24 14:22:05 +02:00
|
|
|
|
if (gnupg_pk_is_compliant (CO_DE_VS, algo, 0, NULL, nbits, curvename))
|
2017-10-17 21:10:19 +02:00
|
|
|
|
{
|
2019-02-28 14:43:42 +01:00
|
|
|
|
hashalgo = gcry_md_map_name (ksba_cert_get_digest_algo (cert));
|
|
|
|
|
if (gnupg_digest_is_compliant (CO_DE_VS, hashalgo))
|
|
|
|
|
{
|
|
|
|
|
es_fputs (gnupg_status_compliance_flag (CO_DE_VS), fp);
|
|
|
|
|
indent = 1;
|
|
|
|
|
}
|
2017-10-17 21:10:19 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (opt.with_key_screening)
|
2019-02-28 14:43:42 +01:00
|
|
|
|
print_pk_screening (cert, 1+indent, fp);
|
2017-03-20 10:09:40 +01:00
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* List one certificate in colon mode */
|
|
|
|
|
static void
|
2004-02-17 16:05:04 +01:00
|
|
|
|
list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
|
2007-03-19 15:35:04 +01:00
|
|
|
|
estream_t fp, int have_secret)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-05-11 21:11:53 +02:00
|
|
|
|
int rc;
|
2004-02-17 16:05:04 +01:00
|
|
|
|
int idx;
|
|
|
|
|
char truststring[2];
|
2003-08-05 19:11:04 +02:00
|
|
|
|
char *p;
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_sexp_t sexp;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
char *fpr;
|
2003-10-31 13:12:47 +01:00
|
|
|
|
ksba_isotime_t t;
|
2004-02-17 16:05:04 +01:00
|
|
|
|
gpg_error_t valerr;
|
2004-05-11 17:36:48 +02:00
|
|
|
|
int algo;
|
|
|
|
|
unsigned int nbits;
|
2020-05-07 09:45:49 +02:00
|
|
|
|
char *curve = NULL;
|
2004-05-11 21:11:53 +02:00
|
|
|
|
const char *chain_id;
|
|
|
|
|
char *chain_id_buffer = NULL;
|
|
|
|
|
int is_root = 0;
|
2007-08-10 18:52:05 +02:00
|
|
|
|
char *kludge_uid;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (ctrl->with_validation)
|
2022-02-18 03:11:12 +01:00
|
|
|
|
valerr = gpgsm_validate_chain (ctrl, cert,
|
|
|
|
|
GNUPG_ISOTIME_NONE, NULL, 1, NULL, 0, NULL);
|
2004-02-02 18:09:35 +01:00
|
|
|
|
else
|
2004-02-17 16:05:04 +01:00
|
|
|
|
valerr = 0;
|
|
|
|
|
|
2004-05-11 21:11:53 +02:00
|
|
|
|
|
|
|
|
|
/* We need to get the fingerprint and the chaining ID in advance. */
|
|
|
|
|
fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
|
|
|
|
|
{
|
|
|
|
|
ksba_cert_t next;
|
|
|
|
|
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = gpgsm_walk_cert_chain (ctrl, cert, &next);
|
2004-05-11 21:11:53 +02:00
|
|
|
|
if (!rc) /* We known the issuer's certificate. */
|
|
|
|
|
{
|
|
|
|
|
p = gpgsm_get_fingerprint_hexstring (next, GCRY_MD_SHA1);
|
|
|
|
|
chain_id_buffer = p;
|
|
|
|
|
chain_id = chain_id_buffer;
|
|
|
|
|
ksba_cert_release (next);
|
|
|
|
|
}
|
2020-09-10 13:05:17 +02:00
|
|
|
|
else if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
|
2004-05-11 21:11:53 +02:00
|
|
|
|
{
|
2020-09-10 13:05:17 +02:00
|
|
|
|
/* We have reached the root certificate. */
|
2004-05-11 21:11:53 +02:00
|
|
|
|
chain_id = fpr;
|
|
|
|
|
is_root = 1;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
chain_id = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (have_secret? "crs:":"crt:", fp);
|
2004-09-30 15:24:33 +02:00
|
|
|
|
|
|
|
|
|
/* Note: We can't use multiple flags, like "ei", because the
|
|
|
|
|
validation check does only return one error. */
|
2004-02-17 16:05:04 +01:00
|
|
|
|
truststring[0] = 0;
|
|
|
|
|
truststring[1] = 0;
|
|
|
|
|
if ((validity & VALIDITY_REVOKED)
|
|
|
|
|
|| gpg_err_code (valerr) == GPG_ERR_CERT_REVOKED)
|
|
|
|
|
*truststring = 'r';
|
|
|
|
|
else if (gpg_err_code (valerr) == GPG_ERR_CERT_EXPIRED)
|
|
|
|
|
*truststring = 'e';
|
2011-02-04 12:57:53 +01:00
|
|
|
|
else
|
2004-03-15 09:39:48 +01:00
|
|
|
|
{
|
|
|
|
|
/* Lets also check whether the certificate under question
|
|
|
|
|
expired. This is merely a hack until we found a proper way
|
|
|
|
|
to store the expiration flag in the keybox. */
|
|
|
|
|
ksba_isotime_t current_time, not_after;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-03-15 09:39:48 +01:00
|
|
|
|
gnupg_get_isotime (current_time);
|
|
|
|
|
if (!opt.ignore_expiration
|
|
|
|
|
&& !ksba_cert_get_validity (cert, 1, not_after)
|
|
|
|
|
&& *not_after && strcmp (current_time, not_after) > 0 )
|
|
|
|
|
*truststring = 'e';
|
2004-09-30 15:24:33 +02:00
|
|
|
|
else if (valerr)
|
2011-12-07 16:15:15 +01:00
|
|
|
|
{
|
|
|
|
|
if (gpgsm_cert_has_well_known_private_key (cert))
|
|
|
|
|
*truststring = 'w'; /* Well, this is dummy CA. */
|
2023-11-27 12:34:38 +01:00
|
|
|
|
else if (gpg_err_code (valerr) == GPG_ERR_NOT_TRUSTED)
|
|
|
|
|
*truststring = 'n'; /* Likely the root cert is not trusted. */
|
2011-12-07 16:15:15 +01:00
|
|
|
|
else
|
|
|
|
|
*truststring = 'i';
|
|
|
|
|
}
|
2008-08-13 17:41:48 +02:00
|
|
|
|
else if (ctrl->with_validation && !is_root)
|
|
|
|
|
*truststring = 'f';
|
2004-03-15 09:39:48 +01:00
|
|
|
|
}
|
2004-05-11 21:11:53 +02:00
|
|
|
|
|
2006-09-25 20:29:20 +02:00
|
|
|
|
/* If we have no truststring yet (i.e. the certificate might be
|
2004-05-11 21:11:53 +02:00
|
|
|
|
good) and this is a root certificate, we ask the agent whether
|
|
|
|
|
this is a trusted root certificate. */
|
|
|
|
|
if (!*truststring && is_root)
|
|
|
|
|
{
|
2006-09-25 20:29:20 +02:00
|
|
|
|
struct rootca_flags_s dummy_flags;
|
|
|
|
|
|
2011-12-07 16:15:15 +01:00
|
|
|
|
if (gpgsm_cert_has_well_known_private_key (cert))
|
|
|
|
|
*truststring = 'w'; /* Well, this is dummy CA. */
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
rc = gpgsm_agent_istrusted (ctrl, cert, NULL, &dummy_flags);
|
|
|
|
|
if (!rc)
|
|
|
|
|
*truststring = 'u'; /* Yes, we trust this one (ultimately). */
|
|
|
|
|
else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED)
|
|
|
|
|
*truststring = 'n'; /* No, we do not trust this one. */
|
|
|
|
|
/* (in case of an error we can't tell anything.) */
|
|
|
|
|
}
|
2004-05-11 21:11:53 +02:00
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (*truststring)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (truststring, fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2023-10-24 14:51:16 +02:00
|
|
|
|
algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2003-10-31 13:12:47 +01:00
|
|
|
|
ksba_cert_get_validity (cert, 0, t);
|
|
|
|
|
print_time (t, fp);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc (':', fp);
|
2003-10-31 13:12:47 +01:00
|
|
|
|
ksba_cert_get_validity (cert, 1, t);
|
|
|
|
|
print_time ( t, fp);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc (':', fp);
|
2004-03-15 09:39:48 +01:00
|
|
|
|
/* Field 8, serial number: */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ((sexp = ksba_cert_get_serial (cert)))
|
|
|
|
|
{
|
|
|
|
|
int len;
|
|
|
|
|
const unsigned char *s = sexp;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (*s == '(')
|
|
|
|
|
{
|
|
|
|
|
s++;
|
|
|
|
|
for (len=0; *s && *s != ':' && digitp (s); s++)
|
|
|
|
|
len = len*10 + atoi_1 (s);
|
|
|
|
|
if (*s == ':')
|
|
|
|
|
for (s++; len; len--, s++)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp,"%02X", *s);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
xfree (sexp);
|
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc (':', fp);
|
2004-03-15 09:39:48 +01:00
|
|
|
|
/* Field 9, ownertrust - not used here */
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc (':', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* field 10, old user ID - we use it here for the issuer DN */
|
|
|
|
|
if ((p = ksba_cert_get_issuer (cert,0)))
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_write_sanitized (fp, p, strlen (p), ":", NULL);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (p);
|
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc (':', fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
/* Field 11, signature class - not used */
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc (':', fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
/* Field 12, capabilities: */
|
2022-11-15 16:31:46 +01:00
|
|
|
|
print_capabilities (cert, algo, fp);
|
2017-10-17 20:56:55 +02:00
|
|
|
|
es_putc (':', fp);
|
2009-03-06 18:31:27 +01:00
|
|
|
|
/* Field 13, not used: */
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc (':', fp);
|
2017-03-20 10:09:40 +01:00
|
|
|
|
/* Field 14, not used: */
|
|
|
|
|
es_putc (':', fp);
|
2014-06-03 21:35:59 +02:00
|
|
|
|
if (have_secret || ctrl->with_secret)
|
2009-03-06 18:31:27 +01:00
|
|
|
|
{
|
|
|
|
|
char *cardsn;
|
|
|
|
|
|
|
|
|
|
p = gpgsm_get_keygrip_hexstring (cert);
|
2014-06-03 21:35:59 +02:00
|
|
|
|
if (!gpgsm_agent_keyinfo (ctrl, p, &cardsn)
|
|
|
|
|
&& (cardsn || ctrl->with_secret))
|
2009-03-06 18:31:27 +01:00
|
|
|
|
{
|
2014-06-03 21:35:59 +02:00
|
|
|
|
/* Field 15: Token serial number or secret key indicator. */
|
|
|
|
|
if (cardsn)
|
|
|
|
|
es_fputs (cardsn, fp);
|
|
|
|
|
else if (ctrl->with_secret)
|
|
|
|
|
es_putc ('+', fp);
|
2009-03-06 18:31:27 +01:00
|
|
|
|
}
|
|
|
|
|
xfree (cardsn);
|
|
|
|
|
xfree (p);
|
|
|
|
|
}
|
2017-03-20 10:09:40 +01:00
|
|
|
|
es_putc (':', fp); /* End of field 15. */
|
|
|
|
|
es_putc (':', fp); /* End of field 16. */
|
2020-05-07 09:45:49 +02:00
|
|
|
|
if (curve)
|
|
|
|
|
es_fputs (curve, fp);
|
2017-03-20 10:09:40 +01:00
|
|
|
|
es_putc (':', fp); /* End of field 17. */
|
2023-10-24 14:22:05 +02:00
|
|
|
|
print_compliance_flags (cert, algo, nbits, curve, fp);
|
2017-03-20 10:09:40 +01:00
|
|
|
|
es_putc (':', fp); /* End of field 18. */
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
/* FPR record */
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "fpr:::::::::%s:::", fpr);
|
2004-03-15 09:39:48 +01:00
|
|
|
|
/* Print chaining ID (field 13)*/
|
2004-05-11 21:11:53 +02:00
|
|
|
|
if (chain_id)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (chain_id, fp);
|
|
|
|
|
es_putc (':', fp);
|
|
|
|
|
es_putc ('\n', fp);
|
2004-05-11 21:11:53 +02:00
|
|
|
|
xfree (fpr); fpr = NULL; chain_id = NULL;
|
|
|
|
|
xfree (chain_id_buffer); chain_id_buffer = NULL;
|
2020-08-04 11:03:49 +02:00
|
|
|
|
/* SHA256 FPR record */
|
|
|
|
|
fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA256);
|
|
|
|
|
es_fprintf (fp, "fp2:::::::::%s::::\n", fpr);
|
|
|
|
|
xfree (fpr); fpr = NULL;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2017-08-08 13:04:12 +02:00
|
|
|
|
/* Always print the keygrip. */
|
|
|
|
|
if ( (p = gpgsm_get_keygrip_hexstring (cert)))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2017-08-08 13:04:12 +02:00
|
|
|
|
es_fprintf (fp, "grp:::::::::%s:\n", p);
|
|
|
|
|
xfree (p);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2017-08-08 13:04:12 +02:00
|
|
|
|
if (opt.with_key_data)
|
|
|
|
|
print_key_data (cert, fp);
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
kludge_uid = NULL;
|
2024-06-21 10:19:00 +02:00
|
|
|
|
p = ksba_cert_get_subject (cert, 0);
|
|
|
|
|
es_fprintf (fp, "uid:%s::::::::", truststring);
|
|
|
|
|
if (p)
|
|
|
|
|
es_write_sanitized (fp, p, strlen (p), ":", NULL);
|
|
|
|
|
es_putc (':', fp);
|
|
|
|
|
es_putc (':', fp);
|
|
|
|
|
es_putc (':', fp);
|
|
|
|
|
es_putc ('\n', fp);
|
|
|
|
|
if (p)
|
|
|
|
|
{
|
|
|
|
|
/* It would be better to get the faked email address from the
|
|
|
|
|
* keydb. But as long as we don't have a way to pass the meta
|
|
|
|
|
* data back, we just check it the same way as the code used to
|
|
|
|
|
* create the keybox meta data does */
|
|
|
|
|
kludge_uid = email_kludge (p);
|
|
|
|
|
if (kludge_uid)
|
|
|
|
|
{
|
|
|
|
|
es_fprintf (fp, "uid:%s::::::::", truststring);
|
|
|
|
|
es_write_sanitized (fp, kludge_uid, strlen (kludge_uid),
|
|
|
|
|
":", NULL);
|
|
|
|
|
es_putc (':', fp);
|
|
|
|
|
es_putc (':', fp);
|
|
|
|
|
es_putc ('\n', fp);
|
|
|
|
|
}
|
|
|
|
|
xfree (p);
|
|
|
|
|
}
|
|
|
|
|
for (idx=1; (p = ksba_cert_get_subject (cert,idx)); idx++)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2008-01-26 23:12:23 +01:00
|
|
|
|
/* In the case that the same email address is in the subject DN
|
|
|
|
|
as well as in an alternate subject name we avoid printing it
|
2007-08-10 18:52:05 +02:00
|
|
|
|
a second time. */
|
|
|
|
|
if (kludge_uid && !strcmp (kludge_uid, p))
|
2024-06-21 10:19:00 +02:00
|
|
|
|
{
|
|
|
|
|
xfree (p);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "uid:%s::::::::", truststring);
|
|
|
|
|
es_write_sanitized (fp, p, strlen (p), ":", NULL);
|
|
|
|
|
es_putc (':', fp);
|
|
|
|
|
es_putc (':', fp);
|
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (p);
|
|
|
|
|
}
|
2007-08-10 18:52:05 +02:00
|
|
|
|
xfree (kludge_uid);
|
2020-05-07 09:45:49 +02:00
|
|
|
|
xfree (curve);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
static void
|
2007-03-19 15:35:04 +01:00
|
|
|
|
print_name_raw (estream_t fp, const char *string)
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{
|
|
|
|
|
if (!string)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("[error]", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_write_sanitized (fp, string, strlen (string), NULL, NULL);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
2007-03-19 15:35:04 +01:00
|
|
|
|
print_names_raw (estream_t fp, int indent, ksba_name_t name)
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{
|
|
|
|
|
int idx;
|
|
|
|
|
const char *s;
|
|
|
|
|
int indent_all;
|
|
|
|
|
|
|
|
|
|
if ((indent_all = (indent < 0)))
|
|
|
|
|
indent = - indent;
|
|
|
|
|
|
|
|
|
|
if (!name)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("none\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
return;
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
for (idx=0; (s = ksba_name_enum (name, idx)); idx++)
|
|
|
|
|
{
|
|
|
|
|
char *p = ksba_name_get_uri (name, idx);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "%*s", idx||indent_all?indent:0, "");
|
|
|
|
|
es_write_sanitized (fp, p?p:s, strlen (p?p:s), NULL, NULL);
|
|
|
|
|
es_putc ('\n', fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
xfree (p);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2008-06-26 21:09:07 +02:00
|
|
|
|
static void
|
2011-02-04 12:57:53 +01:00
|
|
|
|
print_utf8_extn_raw (estream_t fp, int indent,
|
2008-06-26 21:09:07 +02:00
|
|
|
|
const unsigned char *der, size_t derlen)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
int class, tag, constructed, ndef;
|
|
|
|
|
size_t objlen, hdrlen;
|
|
|
|
|
|
|
|
|
|
if (indent < 0)
|
|
|
|
|
indent = - indent;
|
|
|
|
|
|
|
|
|
|
err = parse_ber_header (&der, &derlen, &class, &tag, &constructed,
|
|
|
|
|
&ndef, &objlen, &hdrlen);
|
|
|
|
|
if (!err && (objlen > derlen || tag != TAG_UTF8_STRING))
|
|
|
|
|
err = gpg_error (GPG_ERR_INV_OBJ);
|
|
|
|
|
if (err)
|
|
|
|
|
{
|
|
|
|
|
es_fprintf (fp, "%*s[%s]\n", indent, "", gpg_strerror (err));
|
|
|
|
|
return;
|
|
|
|
|
}
|
2009-01-12 11:08:55 +01:00
|
|
|
|
es_fprintf (fp, "%*s(%.*s)\n", indent, "", (int)objlen, der);
|
2008-06-26 21:09:07 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2011-02-04 12:57:53 +01:00
|
|
|
|
print_utf8_extn (estream_t fp, int indent,
|
2008-06-26 21:09:07 +02:00
|
|
|
|
const unsigned char *der, size_t derlen)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
int class, tag, constructed, ndef;
|
|
|
|
|
size_t objlen, hdrlen;
|
|
|
|
|
int indent_all;
|
|
|
|
|
|
|
|
|
|
if ((indent_all = (indent < 0)))
|
|
|
|
|
indent = - indent;
|
|
|
|
|
|
|
|
|
|
err = parse_ber_header (&der, &derlen, &class, &tag, &constructed,
|
|
|
|
|
&ndef, &objlen, &hdrlen);
|
|
|
|
|
if (!err && (objlen > derlen || tag != TAG_UTF8_STRING))
|
|
|
|
|
err = gpg_error (GPG_ERR_INV_OBJ);
|
|
|
|
|
if (err)
|
|
|
|
|
{
|
2008-06-26 21:21:45 +02:00
|
|
|
|
es_fprintf (fp, "%*s[%s%s]\n",
|
|
|
|
|
indent_all? indent:0, "", _("Error - "), gpg_strerror (err));
|
2008-06-26 21:09:07 +02:00
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
es_fprintf (fp, "%*s\"", indent_all? indent:0, "");
|
|
|
|
|
/* Fixme: we should implement word wrapping */
|
|
|
|
|
es_write_sanitized (fp, der, objlen, "\"", NULL);
|
|
|
|
|
es_fputs ("\"\n", fp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2019-03-01 15:23:49 +01:00
|
|
|
|
/* Print the extension described by (DER,DERLEN) in hex. */
|
|
|
|
|
static void
|
|
|
|
|
print_hex_extn (estream_t fp, int indent,
|
|
|
|
|
const unsigned char *der, size_t derlen)
|
|
|
|
|
{
|
|
|
|
|
if (indent < 0)
|
|
|
|
|
indent = - indent;
|
|
|
|
|
|
|
|
|
|
es_fprintf (fp, "%*s(", indent, "");
|
|
|
|
|
for (; derlen; der++, derlen--)
|
|
|
|
|
es_fprintf (fp, "%02X%s", *der, derlen > 1? " ":"");
|
|
|
|
|
es_fprintf (fp, ")\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2004-04-22 15:03:44 +02:00
|
|
|
|
/* List one certificate in raw mode useful to have a closer look at
|
2004-07-22 11:37:36 +02:00
|
|
|
|
the certificate. This one does no beautification and only minimal
|
2004-04-22 15:03:44 +02:00
|
|
|
|
output sanitation. It is mainly useful for debugging. */
|
|
|
|
|
static void
|
2004-08-06 18:14:10 +02:00
|
|
|
|
list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd,
|
2007-03-19 15:35:04 +01:00
|
|
|
|
ksba_cert_t cert, estream_t fp, int have_secret,
|
2004-04-22 15:03:44 +02:00
|
|
|
|
int with_validation)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
2004-04-23 12:34:25 +02:00
|
|
|
|
size_t off, len;
|
2005-04-18 12:44:46 +02:00
|
|
|
|
ksba_sexp_t sexp, keyid;
|
2004-04-22 15:03:44 +02:00
|
|
|
|
char *dn;
|
|
|
|
|
ksba_isotime_t t;
|
|
|
|
|
int idx, i;
|
|
|
|
|
int is_ca, chainlen;
|
|
|
|
|
unsigned int kusage;
|
|
|
|
|
char *string, *p, *pend;
|
2004-04-23 12:34:25 +02:00
|
|
|
|
const char *oid, *s;
|
|
|
|
|
ksba_name_t name, name2;
|
|
|
|
|
unsigned int reason;
|
2008-06-26 21:09:07 +02:00
|
|
|
|
const unsigned char *cert_der = NULL;
|
2021-05-20 19:09:38 +02:00
|
|
|
|
char *algostr;
|
|
|
|
|
int algoid;
|
2004-04-22 15:03:44 +02:00
|
|
|
|
|
2008-10-20 15:53:23 +02:00
|
|
|
|
(void)have_secret;
|
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
es_fprintf (fp, " ID: 0x%08lX\n",
|
2009-03-25 17:05:16 +01:00
|
|
|
|
gpgsm_get_short_fingerprint (cert, NULL));
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|
2004-04-22 15:03:44 +02:00
|
|
|
|
sexp = ksba_cert_get_serial (cert);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
es_fputs (" S/N: ", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
gpgsm_print_serial (fp, sexp);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2020-06-26 12:59:02 +02:00
|
|
|
|
es_fputs (" (dec): ", fp);
|
|
|
|
|
gpgsm_print_serial_decimal (fp, sexp);
|
|
|
|
|
es_putc ('\n', fp);
|
|
|
|
|
ksba_free (sexp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
|
|
|
|
|
dn = ksba_cert_get_issuer (cert, 0);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" Issuer: ", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_name_raw (fp, dn);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
ksba_free (dn);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
for (idx=1; (dn = ksba_cert_get_issuer (cert, idx)); idx++)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" aka: ", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_name_raw (fp, dn);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
ksba_free (dn);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dn = ksba_cert_get_subject (cert, 0);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" Subject: ", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_name_raw (fp, dn);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
ksba_free (dn);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
for (idx=1; (dn = ksba_cert_get_subject (cert, idx)); idx++)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" aka: ", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_name_raw (fp, dn);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
ksba_free (dn);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
|
|
|
|
|
2020-08-04 11:03:49 +02:00
|
|
|
|
dn = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA256);
|
|
|
|
|
es_fprintf (fp, " sha2_fpr: %s\n", dn?dn:"error");
|
|
|
|
|
xfree (dn);
|
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
dn = gpgsm_get_fingerprint_string (cert, 0);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " sha1_fpr: %s\n", dn?dn:"error");
|
2004-04-23 12:34:25 +02:00
|
|
|
|
xfree (dn);
|
|
|
|
|
|
|
|
|
|
dn = gpgsm_get_fingerprint_string (cert, GCRY_MD_MD5);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " md5_fpr: %s\n", dn?dn:"error");
|
2004-04-23 12:34:25 +02:00
|
|
|
|
xfree (dn);
|
|
|
|
|
|
2021-05-20 19:09:38 +02:00
|
|
|
|
algoid = 0;
|
|
|
|
|
algostr = gpgsm_pubkey_algo_string (cert, &algoid);
|
|
|
|
|
|
|
|
|
|
/* For RSA we support printing an OpenPGP v4 fingerprint under the
|
|
|
|
|
* assumption that the not-before date would be used as the OpenPGP
|
|
|
|
|
* key creation date. */
|
|
|
|
|
if (algoid == GCRY_PK_RSA)
|
|
|
|
|
{
|
|
|
|
|
ksba_sexp_t pk;
|
|
|
|
|
size_t pklen;
|
|
|
|
|
const unsigned char *m, *e;
|
|
|
|
|
size_t mlen, elen;
|
|
|
|
|
unsigned char fpr20[20];
|
|
|
|
|
time_t tmpt;
|
|
|
|
|
unsigned long keytime;
|
|
|
|
|
|
|
|
|
|
pk = ksba_cert_get_public_key (cert);
|
|
|
|
|
if (pk)
|
|
|
|
|
{
|
|
|
|
|
ksba_cert_get_validity (cert, 0, t);
|
|
|
|
|
tmpt = isotime2epoch (t);
|
|
|
|
|
keytime = (tmpt == (time_t)(-1))? 0 : (u32)tmpt;
|
|
|
|
|
|
|
|
|
|
pklen = gcry_sexp_canon_len (pk, 0, NULL, NULL);
|
|
|
|
|
if (!pklen)
|
|
|
|
|
log_error ("libksba did not return a proper S-Exp\n");
|
|
|
|
|
else if (!get_rsa_pk_from_canon_sexp (pk, pklen,
|
|
|
|
|
&m, &mlen, &e, &elen)
|
|
|
|
|
&& !compute_openpgp_fpr_rsa (4,
|
|
|
|
|
keytime,
|
|
|
|
|
m, mlen, e, elen,
|
|
|
|
|
fpr20, NULL))
|
|
|
|
|
{
|
|
|
|
|
char *fpr = bin2hex (fpr20, 20, NULL);
|
|
|
|
|
es_fprintf (fp, " pgp_fpr: %s\n", fpr);
|
|
|
|
|
xfree (fpr);
|
|
|
|
|
}
|
|
|
|
|
ksba_free (pk);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-06-20 19:21:37 +02:00
|
|
|
|
dn = gpgsm_get_certid (cert);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " certid: %s\n", dn?dn:"error");
|
2006-06-20 19:21:37 +02:00
|
|
|
|
xfree (dn);
|
|
|
|
|
|
2004-07-22 11:37:36 +02:00
|
|
|
|
dn = gpgsm_get_keygrip_hexstring (cert);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " keygrip: %s\n", dn?dn:"error");
|
2004-07-22 11:37:36 +02:00
|
|
|
|
xfree (dn);
|
|
|
|
|
|
2004-04-22 15:03:44 +02:00
|
|
|
|
ksba_cert_get_validity (cert, 0, t);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" notBefore: ", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
gpgsm_print_time (fp, t);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
|
|
|
|
es_fputs (" notAfter: ", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
ksba_cert_get_validity (cert, 1, t);
|
|
|
|
|
gpgsm_print_time (fp, t);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
oid = ksba_cert_get_digest_algo (cert);
|
2021-02-01 10:28:52 +01:00
|
|
|
|
s = get_oid_desc (oid, 0, NULL);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " hashAlgo: %s%s%s%s\n", oid, s?" (":"",s?s:"",s?")":"");
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
2021-05-20 19:09:38 +02:00
|
|
|
|
es_fprintf (fp, " keyType: %s\n", algostr? algostr : "[error]");
|
2004-05-11 17:36:48 +02:00
|
|
|
|
|
2005-04-18 12:44:46 +02:00
|
|
|
|
/* subjectKeyIdentifier */
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" subjKeyId: ", fp);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
err = ksba_cert_get_subj_key_id (cert, NULL, &keyid);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA)
|
2005-04-18 12:44:46 +02:00
|
|
|
|
{
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("[none]\n", fp);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
gpgsm_print_serial (fp, keyid);
|
|
|
|
|
ksba_free (keyid);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("[?]\n", fp);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
|
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
/* authorityKeyIdentifier */
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" authKeyId: ", fp);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
err = ksba_cert_get_auth_key_id (cert, &keyid, &name, &sexp);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA)
|
2004-04-23 12:34:25 +02:00
|
|
|
|
{
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_NO_DATA || !name)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("[none]\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
gpgsm_print_serial (fp, sexp);
|
|
|
|
|
ksba_free (sexp);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_names_raw (fp, -15, name);
|
|
|
|
|
ksba_name_release (name);
|
|
|
|
|
}
|
2005-04-18 12:44:46 +02:00
|
|
|
|
if (keyid)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" authKeyId.ki: ", fp);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
gpgsm_print_serial (fp, keyid);
|
|
|
|
|
ksba_free (keyid);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2005-04-18 12:44:46 +02:00
|
|
|
|
}
|
2004-04-23 12:34:25 +02:00
|
|
|
|
}
|
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("[?]\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" keyUsage:", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
err = ksba_cert_get_key_usage (cert, &kusage);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
|
2004-04-22 15:03:44 +02:00
|
|
|
|
{
|
|
|
|
|
if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " [error: %s]", gpg_strerror (err));
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_DIGITAL_SIGNATURE))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" digitalSignature", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_NON_REPUDIATION))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" nonRepudiation", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_KEY_ENCIPHERMENT))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" keyEncipherment", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_DATA_ENCIPHERMENT))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" dataEncipherment", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_KEY_AGREEMENT))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" keyAgreement", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_KEY_CERT_SIGN))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" certSign", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_CRL_SIGN))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" crlSign", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_ENCIPHER_ONLY))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" encipherOnly", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_DECIPHER_ONLY))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" decipherOnly", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" [none]\n", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" extKeyUsage: ", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
err = ksba_cert_get_ext_key_usages (cert, &string);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "[error: %s]", gpg_strerror (err));
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
p = string;
|
|
|
|
|
while (p && (pend=strchr (p, ':')))
|
|
|
|
|
{
|
|
|
|
|
*pend++ = 0;
|
2021-02-01 10:28:52 +01:00
|
|
|
|
s = get_oid_desc (p, OID_FLAG_KP, NULL);
|
|
|
|
|
es_fputs (s ? s : p, fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
p = pend;
|
|
|
|
|
if (*p != 'C')
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" (suggested)", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if ((p = strchr (p, '\n')))
|
|
|
|
|
{
|
|
|
|
|
p++;
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("\n ", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
xfree (string);
|
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("[none]\n", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" policies: ", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
err = ksba_cert_get_cert_policies (cert, &string);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
|
2004-04-22 15:03:44 +02:00
|
|
|
|
{
|
|
|
|
|
if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "[error: %s]", gpg_strerror (err));
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
2004-04-23 12:34:25 +02:00
|
|
|
|
p = string;
|
|
|
|
|
while (p && (pend=strchr (p, ':')))
|
2004-04-22 15:03:44 +02:00
|
|
|
|
{
|
2004-04-23 12:34:25 +02:00
|
|
|
|
*pend++ = 0;
|
2021-02-01 10:28:52 +01:00
|
|
|
|
s = get_oid_desc (p, OID_FLAG_KP, NULL);
|
|
|
|
|
es_fputs (s?s:p, fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
p = pend;
|
|
|
|
|
if (*p == 'C')
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" (critical)", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
if ((p = strchr (p, '\n')))
|
|
|
|
|
{
|
|
|
|
|
p++;
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("\n ", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
}
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
|
|
|
|
xfree (string);
|
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("[none]\n", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" chainLength: ", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
err = ksba_cert_is_ca (cert, &is_ca, &chainlen);
|
|
|
|
|
if (err || is_ca)
|
|
|
|
|
{
|
2006-10-18 19:19:08 +02:00
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_NO_VALUE )
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "[none]");
|
2006-10-18 19:19:08 +02:00
|
|
|
|
else if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "[error: %s]", gpg_strerror (err));
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else if (chainlen == -1)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("unlimited", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "%d", chainlen);
|
|
|
|
|
es_putc ('\n', fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("not a CA\n", fp);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
|
|
|
|
|
|
2004-04-23 12:34:25 +02:00
|
|
|
|
/* CRL distribution point */
|
|
|
|
|
for (idx=0; !(err=ksba_cert_get_crl_dist_point (cert, idx, &name, &name2,
|
|
|
|
|
&reason)) ;idx++)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" crlDP: ", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_names_raw (fp, 15, name);
|
|
|
|
|
if (reason)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" reason: ", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
if ( (reason & KSBA_CRLREASON_UNSPECIFIED))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" unused", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
if ( (reason & KSBA_CRLREASON_KEY_COMPROMISE))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" keyCompromise", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
if ( (reason & KSBA_CRLREASON_CA_COMPROMISE))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" caCompromise", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
if ( (reason & KSBA_CRLREASON_AFFILIATION_CHANGED))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" affiliationChanged", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
if ( (reason & KSBA_CRLREASON_SUPERSEDED))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" superseded", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
if ( (reason & KSBA_CRLREASON_CESSATION_OF_OPERATION))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" cessationOfOperation", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
if ( (reason & KSBA_CRLREASON_CERTIFICATE_HOLD))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" certificateHold", fp);
|
|
|
|
|
es_putc ('\n', fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" issuer: ", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_names_raw (fp, 23, name2);
|
|
|
|
|
ksba_name_release (name);
|
|
|
|
|
ksba_name_release (name2);
|
|
|
|
|
}
|
2006-10-18 19:19:08 +02:00
|
|
|
|
if (err && gpg_err_code (err) != GPG_ERR_EOF
|
|
|
|
|
&& gpg_err_code (err) != GPG_ERR_NO_VALUE)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" crlDP: [error]\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else if (!idx)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" crlDP: [none]\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* authorityInfoAccess. */
|
|
|
|
|
for (idx=0; !(err=ksba_cert_get_authority_info_access (cert, idx, &string,
|
|
|
|
|
&name)); idx++)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" authInfo: ", fp);
|
2021-02-01 10:28:52 +01:00
|
|
|
|
s = get_oid_desc (string, 0, NULL);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "%s%s%s%s\n", string, s?" (":"", s?s:"", s?")":"");
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_names_raw (fp, -15, name);
|
|
|
|
|
ksba_name_release (name);
|
|
|
|
|
ksba_free (string);
|
|
|
|
|
}
|
2006-10-18 19:19:08 +02:00
|
|
|
|
if (err && gpg_err_code (err) != GPG_ERR_EOF
|
|
|
|
|
&& gpg_err_code (err) != GPG_ERR_NO_VALUE)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" authInfo: [error]\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else if (!idx)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" authInfo: [none]\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
|
|
|
|
/* subjectInfoAccess. */
|
|
|
|
|
for (idx=0; !(err=ksba_cert_get_subject_info_access (cert, idx, &string,
|
|
|
|
|
&name)); idx++)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" subjectInfo: ", fp);
|
2021-02-01 10:28:52 +01:00
|
|
|
|
s = get_oid_desc (string, 0, NULL);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "%s%s%s%s\n", string, s?" (":"", s?s:"", s?")":"");
|
2004-04-23 12:34:25 +02:00
|
|
|
|
print_names_raw (fp, -15, name);
|
|
|
|
|
ksba_name_release (name);
|
|
|
|
|
ksba_free (string);
|
|
|
|
|
}
|
2006-10-18 19:19:08 +02:00
|
|
|
|
if (err && gpg_err_code (err) != GPG_ERR_EOF
|
|
|
|
|
&& gpg_err_code (err) != GPG_ERR_NO_VALUE)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" subjInfo: [error]\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
else if (!idx)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" subjInfo: [none]\n", fp);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
|
|
|
|
|
&oid, &i, &off, &len));idx++)
|
|
|
|
|
{
|
|
|
|
|
unsigned int flag;
|
|
|
|
|
|
2021-02-01 10:28:52 +01:00
|
|
|
|
s = get_oid_desc (oid, 0, &flag);
|
2008-06-26 21:09:07 +02:00
|
|
|
|
if ((flag & OID_FLAG_SKIP))
|
|
|
|
|
continue;
|
2004-04-23 12:34:25 +02:00
|
|
|
|
|
2019-03-01 15:23:49 +01:00
|
|
|
|
es_fprintf (fp, " %s: %s%s%s%s",
|
2008-06-26 21:09:07 +02:00
|
|
|
|
i? "critExtn":" extn",
|
2019-03-01 15:23:49 +01:00
|
|
|
|
oid, s?" (":"", s?s:"", s?")":"");
|
2008-06-26 21:09:07 +02:00
|
|
|
|
if ((flag & OID_FLAG_UTF8))
|
|
|
|
|
{
|
|
|
|
|
if (!cert_der)
|
|
|
|
|
cert_der = ksba_cert_get_image (cert, NULL);
|
2019-03-01 15:23:49 +01:00
|
|
|
|
log_assert (cert_der);
|
|
|
|
|
es_fprintf (fp, "\n");
|
2008-06-26 21:09:07 +02:00
|
|
|
|
print_utf8_extn_raw (fp, -15, cert_der+off, len);
|
|
|
|
|
}
|
2019-03-01 15:23:49 +01:00
|
|
|
|
else if ((flag & OID_FLAG_HEX))
|
|
|
|
|
{
|
|
|
|
|
if (!cert_der)
|
|
|
|
|
cert_der = ksba_cert_get_image (cert, NULL);
|
|
|
|
|
log_assert (cert_der);
|
|
|
|
|
es_fprintf (fp, "\n");
|
|
|
|
|
print_hex_extn (fp, -15, cert_der+off, len);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
es_fprintf (fp, " [%d octets]\n", (int)len);
|
2004-04-23 12:34:25 +02:00
|
|
|
|
}
|
|
|
|
|
|
2004-04-22 15:03:44 +02:00
|
|
|
|
|
|
|
|
|
if (with_validation)
|
|
|
|
|
{
|
2022-02-18 03:11:12 +01:00
|
|
|
|
err = gpgsm_validate_chain (ctrl, cert,
|
|
|
|
|
GNUPG_ISOTIME_NONE, NULL, 1, fp, 0, NULL);
|
2022-12-05 16:42:08 +01:00
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED
|
|
|
|
|
&& !check_isotime (ctrl->revoked_at))
|
|
|
|
|
{
|
|
|
|
|
es_fputs (" revoked: ", fp);
|
|
|
|
|
gpgsm_print_time (fp, ctrl->revoked_at);
|
|
|
|
|
if (ctrl->revocation_reason)
|
|
|
|
|
es_fprintf (fp, " (%s)", ctrl->revocation_reason);
|
|
|
|
|
es_putc ('\n', fp);
|
|
|
|
|
}
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if (!err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " [certificate is good]\n");
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " [certificate is bad: %s]\n", gpg_strerror (err));
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
2004-08-06 18:14:10 +02:00
|
|
|
|
|
2009-03-06 18:31:27 +01:00
|
|
|
|
if (hd)
|
2004-08-06 18:14:10 +02:00
|
|
|
|
{
|
|
|
|
|
unsigned int blobflags;
|
|
|
|
|
|
|
|
|
|
err = keydb_get_flags (hd, KEYBOX_FLAG_BLOB, 0, &blobflags);
|
|
|
|
|
if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " [error getting keyflags: %s]\n",gpg_strerror (err));
|
2007-03-20 17:57:40 +01:00
|
|
|
|
else if ((blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " [stored as ephemeral]\n");
|
2004-08-06 18:14:10 +02:00
|
|
|
|
}
|
|
|
|
|
|
2021-05-20 19:09:38 +02:00
|
|
|
|
xfree (algostr);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* List one certificate in standard mode */
|
|
|
|
|
static void
|
2007-03-19 15:35:04 +01:00
|
|
|
|
list_cert_std (ctrl_t ctrl, ksba_cert_t cert, estream_t fp, int have_secret,
|
2004-02-17 16:05:04 +01:00
|
|
|
|
int with_validation)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-02-17 16:05:04 +01:00
|
|
|
|
gpg_error_t err;
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_sexp_t sexp;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
char *dn;
|
2003-10-31 13:12:47 +01:00
|
|
|
|
ksba_isotime_t t;
|
2021-02-01 10:28:52 +01:00
|
|
|
|
int idx;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int is_ca, chainlen;
|
|
|
|
|
unsigned int kusage;
|
2004-02-20 14:46:21 +01:00
|
|
|
|
char *string, *p, *pend;
|
2008-06-26 21:09:07 +02:00
|
|
|
|
size_t off, len;
|
2021-02-01 10:28:52 +01:00
|
|
|
|
const char *oid, *s;
|
2008-06-26 21:09:07 +02:00
|
|
|
|
const unsigned char *cert_der = NULL;
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2007-08-10 18:52:05 +02:00
|
|
|
|
es_fprintf (fp, " ID: 0x%08lX\n",
|
2009-03-25 17:05:16 +01:00
|
|
|
|
gpgsm_get_short_fingerprint (cert, NULL));
|
2007-08-10 18:52:05 +02:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
sexp = ksba_cert_get_serial (cert);
|
2007-08-10 18:52:05 +02:00
|
|
|
|
es_fputs (" S/N: ", fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
gpgsm_print_serial (fp, sexp);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2020-06-26 12:59:02 +02:00
|
|
|
|
es_fputs (" (dec): ", fp);
|
|
|
|
|
gpgsm_print_serial_decimal (fp, sexp);
|
|
|
|
|
es_putc ('\n', fp);
|
|
|
|
|
ksba_free (sexp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
dn = ksba_cert_get_issuer (cert, 0);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" Issuer: ", fp);
|
|
|
|
|
gpgsm_es_print_name (fp, dn);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_free (dn);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
for (idx=1; (dn = ksba_cert_get_issuer (cert, idx)); idx++)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" aka: ", fp);
|
|
|
|
|
gpgsm_es_print_name (fp, dn);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_free (dn);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dn = ksba_cert_get_subject (cert, 0);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" Subject: ", fp);
|
|
|
|
|
gpgsm_es_print_name (fp, dn);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_free (dn);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
for (idx=1; (dn = ksba_cert_get_subject (cert, idx)); idx++)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" aka: ", fp);
|
|
|
|
|
gpgsm_es_print_name (fp, dn);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_free (dn);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2003-10-31 13:12:47 +01:00
|
|
|
|
ksba_cert_get_validity (cert, 0, t);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" validity: ", fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
gpgsm_print_time (fp, t);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" through ", fp);
|
2003-10-31 13:12:47 +01:00
|
|
|
|
ksba_cert_get_validity (cert, 1, t);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
gpgsm_print_time (fp, t);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2004-05-11 17:36:48 +02:00
|
|
|
|
|
|
|
|
|
{
|
2020-05-07 09:45:49 +02:00
|
|
|
|
char *algostr;
|
2004-05-11 17:36:48 +02:00
|
|
|
|
|
2020-05-07 09:45:49 +02:00
|
|
|
|
algostr = gpgsm_pubkey_algo_string (cert, NULL);
|
|
|
|
|
es_fprintf (fp, " key type: %s\n", algostr? algostr : "[error]");
|
|
|
|
|
xfree (algostr);
|
2004-05-11 17:36:48 +02:00
|
|
|
|
}
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
err = ksba_cert_get_key_usage (cert, &kusage);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" key usage:", fp);
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " [error: %s]", gpg_strerror (err));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_DIGITAL_SIGNATURE))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" digitalSignature", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_NON_REPUDIATION))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" nonRepudiation", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_KEY_ENCIPHERMENT))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" keyEncipherment", fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_DATA_ENCIPHERMENT))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" dataEncipherment", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_KEY_AGREEMENT))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" keyAgreement", fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_KEY_CERT_SIGN))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" certSign", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_CRL_SIGN))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" crlSign", fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_ENCIPHER_ONLY))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" encipherOnly", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if ( (kusage & KSBA_KEYUSAGE_DECIPHER_ONLY))
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" decipherOnly", fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2004-02-20 14:46:21 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_get_ext_key_usages (cert, &string);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("ext key usage: ", fp);
|
2004-02-20 14:46:21 +01:00
|
|
|
|
if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "[error: %s]", gpg_strerror (err));
|
2004-02-20 14:46:21 +01:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
p = string;
|
|
|
|
|
while (p && (pend=strchr (p, ':')))
|
|
|
|
|
{
|
|
|
|
|
*pend++ = 0;
|
2021-02-01 10:28:52 +01:00
|
|
|
|
s = get_oid_desc (p, OID_FLAG_KP, NULL);
|
|
|
|
|
es_fputs (s? s : p, fp);
|
2004-02-20 14:46:21 +01:00
|
|
|
|
p = pend;
|
|
|
|
|
if (*p != 'C')
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" (suggested)", fp);
|
2004-02-20 14:46:21 +01:00
|
|
|
|
if ((p = strchr (p, '\n')))
|
|
|
|
|
{
|
|
|
|
|
p++;
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (", ", fp);
|
2004-02-20 14:46:21 +01:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
xfree (string);
|
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2008-06-26 21:09:07 +02:00
|
|
|
|
/* Print restrictions. */
|
|
|
|
|
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
|
|
|
|
|
&oid, NULL, &off, &len));idx++)
|
|
|
|
|
{
|
|
|
|
|
if (!strcmp (oid, OIDSTR_restriction) )
|
|
|
|
|
{
|
|
|
|
|
if (!cert_der)
|
|
|
|
|
cert_der = ksba_cert_get_image (cert, NULL);
|
2020-07-08 14:40:34 +02:00
|
|
|
|
log_assert (cert_der);
|
2008-06-26 21:09:07 +02:00
|
|
|
|
es_fputs (" restriction: ", fp);
|
|
|
|
|
print_utf8_extn (fp, 15, cert_der+off, len);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Print policies. */
|
2004-02-17 16:05:04 +01:00
|
|
|
|
err = ksba_cert_get_cert_policies (cert, &string);
|
2007-07-04 21:49:40 +02:00
|
|
|
|
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" policies: ", fp);
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "[error: %s]", gpg_strerror (err));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
for (p=string; *p; p++)
|
|
|
|
|
{
|
|
|
|
|
if (*p == '\n')
|
|
|
|
|
*p = ',';
|
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_write_sanitized (fp, string, strlen (string), NULL, NULL);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (string);
|
|
|
|
|
}
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
err = ksba_cert_is_ca (cert, &is_ca, &chainlen);
|
|
|
|
|
if (err || is_ca)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" chain length: ", fp);
|
2006-10-18 19:19:08 +02:00
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_NO_VALUE )
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "none");
|
2006-10-18 19:19:08 +02:00
|
|
|
|
else if (err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "[error: %s]", gpg_strerror (err));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else if (chainlen == -1)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("unlimited", fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "%d", chainlen);
|
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (opt.with_md5_fingerprint)
|
|
|
|
|
{
|
|
|
|
|
dn = gpgsm_get_fingerprint_string (cert, GCRY_MD_MD5);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " md5 fpr: %s\n", dn?dn:"error");
|
2004-02-17 16:05:04 +01:00
|
|
|
|
xfree (dn);
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
dn = gpgsm_get_fingerprint_string (cert, 0);
|
2020-08-04 11:03:49 +02:00
|
|
|
|
es_fprintf (fp, " sha1 fpr: %s\n", dn?dn:"error");
|
|
|
|
|
xfree (dn);
|
|
|
|
|
|
|
|
|
|
dn = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA256);
|
|
|
|
|
es_fprintf (fp, " sha2 fpr: %s\n", dn?dn:"error");
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (dn);
|
2004-02-17 16:05:04 +01:00
|
|
|
|
|
2010-10-08 13:11:08 +02:00
|
|
|
|
if (opt.with_keygrip)
|
|
|
|
|
{
|
|
|
|
|
dn = gpgsm_get_keygrip_hexstring (cert);
|
|
|
|
|
if (dn)
|
|
|
|
|
{
|
|
|
|
|
es_fprintf (fp, " keygrip: %s\n", dn);
|
|
|
|
|
xfree (dn);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
2010-10-08 13:11:08 +02:00
|
|
|
|
|
2017-10-17 21:10:19 +02:00
|
|
|
|
if (opt.with_key_screening)
|
|
|
|
|
print_pk_screening (cert, 0, fp);
|
|
|
|
|
|
2009-04-02 09:20:35 +02:00
|
|
|
|
if (have_secret)
|
|
|
|
|
{
|
|
|
|
|
char *cardsn;
|
2005-11-13 20:07:06 +01:00
|
|
|
|
|
2009-04-02 09:20:35 +02:00
|
|
|
|
p = gpgsm_get_keygrip_hexstring (cert);
|
|
|
|
|
if (!gpgsm_agent_keyinfo (ctrl, p, &cardsn) && cardsn)
|
|
|
|
|
es_fprintf (fp, " card s/n: %s\n", cardsn);
|
|
|
|
|
xfree (cardsn);
|
|
|
|
|
xfree (p);
|
|
|
|
|
}
|
2005-11-13 20:07:06 +01:00
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (with_validation)
|
|
|
|
|
{
|
2005-11-13 20:07:06 +01:00
|
|
|
|
gpg_error_t tmperr;
|
|
|
|
|
size_t buflen;
|
|
|
|
|
char buffer[1];
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2022-02-18 03:11:12 +01:00
|
|
|
|
err = gpgsm_validate_chain (ctrl, cert,
|
|
|
|
|
GNUPG_ISOTIME_NONE, NULL, 1, fp, 0, NULL);
|
2022-12-05 16:42:08 +01:00
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED
|
|
|
|
|
&& !check_isotime (ctrl->revoked_at))
|
|
|
|
|
{
|
|
|
|
|
es_fputs (" revoked: ", fp);
|
|
|
|
|
gpgsm_print_time (fp, ctrl->revoked_at);
|
|
|
|
|
if (ctrl->revocation_reason)
|
|
|
|
|
es_fprintf (fp, " (%s)", ctrl->revocation_reason);
|
|
|
|
|
es_putc ('\n', fp);
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
tmperr = ksba_cert_get_user_data (cert, "is_qualified",
|
2005-11-13 20:07:06 +01:00
|
|
|
|
&buffer, sizeof (buffer), &buflen);
|
|
|
|
|
if (!tmperr && buflen)
|
|
|
|
|
{
|
|
|
|
|
if (*buffer)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs (" [qualified]\n", fp);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
}
|
2005-11-13 20:07:06 +01:00
|
|
|
|
else if (gpg_err_code (tmperr) == GPG_ERR_NOT_FOUND)
|
|
|
|
|
; /* Don't know - will not get marked as 'q' */
|
|
|
|
|
else
|
|
|
|
|
log_debug ("get_user_data(is_qualified) failed: %s\n",
|
2011-02-04 12:57:53 +01:00
|
|
|
|
gpg_strerror (tmperr));
|
2005-11-13 20:07:06 +01:00
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (!err)
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " [certificate is good]\n");
|
2004-02-17 16:05:04 +01:00
|
|
|
|
else
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, " [certificate is bad: %s]\n", gpg_strerror (err));
|
2004-02-17 16:05:04 +01:00
|
|
|
|
}
|
2019-05-14 20:03:44 +02:00
|
|
|
|
if (opt.debug)
|
|
|
|
|
es_fflush (fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
|
2017-02-20 22:19:50 +01:00
|
|
|
|
/* Same as standard mode list all certifying certs too. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
static void
|
2004-08-06 18:14:10 +02:00
|
|
|
|
list_cert_chain (ctrl_t ctrl, KEYDB_HANDLE hd,
|
|
|
|
|
ksba_cert_t cert, int raw_mode,
|
2007-03-19 15:35:04 +01:00
|
|
|
|
estream_t fp, int with_validation)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_cert_t next = NULL;
|
sm: Detect circular chains in --list-chain.
* sm/keylist.c (list_cert_chain): Break loop for a too long chain.
--
This avoids endless loops in case of circular chain definitions. We
use such a limit at other palces as well. Example for such a chain is
# ------------------------ >8 ------------------------
ID: 0xBE231B05
S/N: 51260A931CE27F9CC3A55F79E072AE82
(dec): 107864989418777835411218143713715990146
Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
sha2_fpr: 92:5E:4B:37:2B:A3:2E:5E:87:30:22:84:B2:D7:C9:DF:BF:82:00:FF:CB:A0:D1:66:03:A1:A0:6F:F7:6C:D3:53
sha1_fpr: 31:93:78:6A:48:BD:F2:D4:D2:0B:8F:C6:50:1F:4D:E8:BE:23:1B:05
md5_fpr: AC:F3:10:0D:1A:96:A9:2E:B8:8B:9B:F8:7E:09:FA:E6
pgp_fpr: E8D2CA1449A80D784FB1532C06B1611DB06A1678
certid: 610C27E9D37835A8962EA5B8368D3FBED1A8A15D.51260A931CE27F9CC3A55F79E072AE82
keygrip: CFCA58448222ECAAF77EEF8CC45F0D6DB4E412C9
notBefore: 2005-06-07 08:09:10
notAfter: 2019-06-24 19:06:30
hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
keyType: rsa2048
subjKeyId: ADBD987A34B426F7FAC42654EF03BDE024CB541A
authKeyId: [none]
authKeyId.ki: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
[...]
Certified by
ID: 0xCE2E4C63
S/N: 46EAF096054CC5E3FA65EA6E9F42C664
(dec): 94265836834010752231943569188608722532
Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
sha2_fpr: 21:3F:AD:03:B1:C5:23:47:E9:A8:0F:29:9A:F0:89:9B:CA:FF:3F:62:B3:4E:B0:60:66:F4:D7:EE:A5:EE:1A:73
sha1_fpr: 9E:99:81:7D:12:28:0C:96:77:67:44:30:49:2E:DA:1D:CE:2E:4C:63
md5_fpr: 55:07:0F:1F:9A:E5:EA:21:61:F3:72:2B:8B:41:7F:27
pgp_fpr: 922A6D0A1C0027E75038F8A1503DA72CF2C53840
certid: 14673DA5792E145E9FA1425F9EF3BFC1C4B4957C.46EAF096054CC5E3FA65EA6E9F42C664
keygrip: 10678FB5A458D99B7692851E49849F507688B847
notBefore: 2005-06-07 08:09:10
notAfter: 2020-05-30 10:48:38
hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
keyType: rsa2048
subjKeyId: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
authKeyId: [none]
authKeyId.ki: ADBD987A34B426F7FAC42654EF03BDE024CB541A
keyUsage: certSign crlSign
[...]
Which has a circular dependency on subKeyId/authkeyId.ki.
2021-11-15 17:51:01 +01:00
|
|
|
|
int depth = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if (raw_mode)
|
2004-08-06 18:14:10 +02:00
|
|
|
|
list_cert_raw (ctrl, hd, cert, fp, 0, with_validation);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else
|
|
|
|
|
list_cert_std (ctrl, cert, fp, 0, with_validation);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_cert_ref (cert);
|
2008-02-13 17:47:14 +01:00
|
|
|
|
while (!gpgsm_walk_cert_chain (ctrl, cert, &next))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fputs ("Certified by\n", fp);
|
sm: Detect circular chains in --list-chain.
* sm/keylist.c (list_cert_chain): Break loop for a too long chain.
--
This avoids endless loops in case of circular chain definitions. We
use such a limit at other palces as well. Example for such a chain is
# ------------------------ >8 ------------------------
ID: 0xBE231B05
S/N: 51260A931CE27F9CC3A55F79E072AE82
(dec): 107864989418777835411218143713715990146
Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
sha2_fpr: 92:5E:4B:37:2B:A3:2E:5E:87:30:22:84:B2:D7:C9:DF:BF:82:00:FF:CB:A0:D1:66:03:A1:A0:6F:F7:6C:D3:53
sha1_fpr: 31:93:78:6A:48:BD:F2:D4:D2:0B:8F:C6:50:1F:4D:E8:BE:23:1B:05
md5_fpr: AC:F3:10:0D:1A:96:A9:2E:B8:8B:9B:F8:7E:09:FA:E6
pgp_fpr: E8D2CA1449A80D784FB1532C06B1611DB06A1678
certid: 610C27E9D37835A8962EA5B8368D3FBED1A8A15D.51260A931CE27F9CC3A55F79E072AE82
keygrip: CFCA58448222ECAAF77EEF8CC45F0D6DB4E412C9
notBefore: 2005-06-07 08:09:10
notAfter: 2019-06-24 19:06:30
hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
keyType: rsa2048
subjKeyId: ADBD987A34B426F7FAC42654EF03BDE024CB541A
authKeyId: [none]
authKeyId.ki: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
[...]
Certified by
ID: 0xCE2E4C63
S/N: 46EAF096054CC5E3FA65EA6E9F42C664
(dec): 94265836834010752231943569188608722532
Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
sha2_fpr: 21:3F:AD:03:B1:C5:23:47:E9:A8:0F:29:9A:F0:89:9B:CA:FF:3F:62:B3:4E:B0:60:66:F4:D7:EE:A5:EE:1A:73
sha1_fpr: 9E:99:81:7D:12:28:0C:96:77:67:44:30:49:2E:DA:1D:CE:2E:4C:63
md5_fpr: 55:07:0F:1F:9A:E5:EA:21:61:F3:72:2B:8B:41:7F:27
pgp_fpr: 922A6D0A1C0027E75038F8A1503DA72CF2C53840
certid: 14673DA5792E145E9FA1425F9EF3BFC1C4B4957C.46EAF096054CC5E3FA65EA6E9F42C664
keygrip: 10678FB5A458D99B7692851E49849F507688B847
notBefore: 2005-06-07 08:09:10
notAfter: 2020-05-30 10:48:38
hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
keyType: rsa2048
subjKeyId: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
authKeyId: [none]
authKeyId.ki: ADBD987A34B426F7FAC42654EF03BDE024CB541A
keyUsage: certSign crlSign
[...]
Which has a circular dependency on subKeyId/authkeyId.ki.
2021-11-15 17:51:01 +01:00
|
|
|
|
if (++depth > 50)
|
|
|
|
|
{
|
|
|
|
|
es_fputs (_("certificate chain too long\n"), fp);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
ksba_cert_release (cert);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if (raw_mode)
|
2004-08-06 18:14:10 +02:00
|
|
|
|
list_cert_raw (ctrl, hd, next, fp, 0, with_validation);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else
|
|
|
|
|
list_cert_std (ctrl, next, fp, 0, with_validation);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
cert = next;
|
|
|
|
|
}
|
|
|
|
|
ksba_cert_release (cert);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2004-04-22 15:03:44 +02:00
|
|
|
|
/* List all internal keys or just the keys given as NAMES. MODE is a
|
|
|
|
|
bit vector to specify what keys are to be included; see
|
|
|
|
|
gpgsm_list_keys (below) for details. If RAW_MODE is true, the raw
|
2006-09-13 17:57:30 +02:00
|
|
|
|
output mode will be used instead of the standard beautified one.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*/
|
2004-02-21 14:05:52 +01:00
|
|
|
|
static gpg_error_t
|
2007-03-19 15:35:04 +01:00
|
|
|
|
list_internal_keys (ctrl_t ctrl, strlist_t names, estream_t fp,
|
2004-04-22 15:03:44 +02:00
|
|
|
|
unsigned int mode, int raw_mode)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
KEYDB_HANDLE hd;
|
|
|
|
|
KEYDB_SEARCH_DESC *desc = NULL;
|
2006-10-02 13:54:35 +02:00
|
|
|
|
strlist_t sl;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int ndesc;
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_cert_t cert = NULL;
|
2008-01-30 18:21:28 +01:00
|
|
|
|
ksba_cert_t lastcert = NULL;
|
2004-02-21 14:05:52 +01:00
|
|
|
|
gpg_error_t rc = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
const char *lastresname, *resname;
|
|
|
|
|
int have_secret;
|
2009-03-18 12:18:56 +01:00
|
|
|
|
int want_ephemeral = ctrl->with_ephemeral_keys;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2020-09-02 17:27:30 +02:00
|
|
|
|
hd = keydb_new (ctrl);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!hd)
|
|
|
|
|
{
|
|
|
|
|
log_error ("keydb_new failed\n");
|
2004-02-21 14:05:52 +01:00
|
|
|
|
rc = gpg_error (GPG_ERR_GENERAL);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!names)
|
|
|
|
|
ndesc = 1;
|
|
|
|
|
else
|
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
for (sl=names, ndesc=0; sl; sl = sl->next, ndesc++)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
desc = xtrycalloc (ndesc, sizeof *desc);
|
|
|
|
|
if (!ndesc)
|
|
|
|
|
{
|
2006-09-14 18:50:33 +02:00
|
|
|
|
rc = gpg_error_from_syserror ();
|
2003-08-05 19:11:04 +02:00
|
|
|
|
log_error ("out of core\n");
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!names)
|
|
|
|
|
desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
else
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
for (ndesc=0, sl=names; sl; sl = sl->next)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2011-04-25 23:56:47 +02:00
|
|
|
|
rc = classify_user_id (sl->d, desc+ndesc, 0);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
{
|
2012-06-05 19:29:22 +02:00
|
|
|
|
log_error ("key '%s' not found: %s\n",
|
2003-08-05 19:11:04 +02:00
|
|
|
|
sl->d, gpg_strerror (rc));
|
|
|
|
|
rc = 0;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
ndesc++;
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
2009-03-06 18:31:27 +01:00
|
|
|
|
/* If all specifications are done by fingerprint or keygrip, we
|
|
|
|
|
switch to ephemeral mode so that _all_ currently available and
|
|
|
|
|
matching certificates are listed. */
|
|
|
|
|
if (!want_ephemeral && names && ndesc)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i=0; (i < ndesc
|
|
|
|
|
&& (desc[i].mode == KEYDB_SEARCH_MODE_FPR
|
|
|
|
|
|| desc[i].mode == KEYDB_SEARCH_MODE_KEYGRIP)); i++)
|
|
|
|
|
;
|
|
|
|
|
if (i == ndesc)
|
|
|
|
|
want_ephemeral = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (want_ephemeral)
|
2004-08-06 18:14:10 +02:00
|
|
|
|
keydb_set_ephemeral (hd, 1);
|
|
|
|
|
|
2004-02-17 16:05:04 +01:00
|
|
|
|
/* It would be nice to see which of the given users did actually
|
2003-08-05 19:11:04 +02:00
|
|
|
|
match one in the keyring. To implement this we need to have a
|
|
|
|
|
found flag for each entry in desc and to set this we must check
|
|
|
|
|
all those entries after a match to mark all matched one -
|
|
|
|
|
currently we stop at the first match. To do this we need an
|
|
|
|
|
extra flag to enable this feature so */
|
|
|
|
|
|
2008-01-30 18:21:28 +01:00
|
|
|
|
/* Suppress duplicates at least when they follow each other. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
lastresname = NULL;
|
2016-11-10 17:01:19 +01:00
|
|
|
|
while (!(rc = keydb_search (ctrl, hd, desc, ndesc)))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-02-02 18:09:35 +01:00
|
|
|
|
unsigned int validity;
|
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (!names)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
|
|
|
|
|
|
2004-02-02 18:09:35 +01:00
|
|
|
|
rc = keydb_get_flags (hd, KEYBOX_FLAG_VALIDITY, 0, &validity);
|
|
|
|
|
if (rc)
|
|
|
|
|
{
|
|
|
|
|
log_error ("keydb_get_flags failed: %s\n", gpg_strerror (rc));
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
2003-08-05 19:11:04 +02:00
|
|
|
|
rc = keydb_get_cert (hd, &cert);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (rc)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
log_error ("keydb_get_cert failed: %s\n", gpg_strerror (rc));
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
2008-01-30 18:21:28 +01:00
|
|
|
|
/* Skip duplicated certificates, at least if they follow each
|
|
|
|
|
others. This works best if a single key is searched for and
|
|
|
|
|
expected. FIXME: Non-sequential duplicates remain. */
|
|
|
|
|
if (gpgsm_certs_identical_p (cert, lastcert))
|
|
|
|
|
{
|
|
|
|
|
ksba_cert_release (cert);
|
2009-03-20 20:04:47 +01:00
|
|
|
|
cert = NULL;
|
2008-01-30 18:21:28 +01:00
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
resname = keydb_get_resource_name (hd);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
|
|
|
|
if (lastresname != resname )
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
int i;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (ctrl->no_server)
|
|
|
|
|
{
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (fp, "%s\n", resname );
|
2003-08-05 19:11:04 +02:00
|
|
|
|
for (i=strlen(resname); i; i-- )
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('-', fp);
|
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
lastresname = resname;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
have_secret = 0;
|
|
|
|
|
if (mode)
|
|
|
|
|
{
|
|
|
|
|
char *p = gpgsm_get_keygrip_hexstring (cert);
|
|
|
|
|
if (p)
|
|
|
|
|
{
|
2011-02-04 12:57:53 +01:00
|
|
|
|
rc = gpgsm_agent_havekey (ctrl, p);
|
2010-02-02 15:06:19 +01:00
|
|
|
|
if (!rc)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
have_secret = 1;
|
2004-02-21 14:05:52 +01:00
|
|
|
|
else if ( gpg_err_code (rc) != GPG_ERR_NO_SECKEY)
|
|
|
|
|
goto leave;
|
|
|
|
|
rc = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (p);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-10 17:01:19 +01:00
|
|
|
|
if (!mode || ((mode & 1) && !have_secret)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|| ((mode & 2) && have_secret) )
|
|
|
|
|
{
|
|
|
|
|
if (ctrl->with_colons)
|
2004-02-17 16:05:04 +01:00
|
|
|
|
list_cert_colon (ctrl, cert, validity, fp, have_secret);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else if (ctrl->with_chain)
|
2004-08-06 18:14:10 +02:00
|
|
|
|
list_cert_chain (ctrl, hd, cert,
|
|
|
|
|
raw_mode, fp, ctrl->with_validation);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if (raw_mode)
|
2004-08-06 18:14:10 +02:00
|
|
|
|
list_cert_raw (ctrl, hd, cert, fp, have_secret,
|
2004-04-22 15:03:44 +02:00
|
|
|
|
ctrl->with_validation);
|
|
|
|
|
else
|
|
|
|
|
list_cert_std (ctrl, cert, fp, have_secret,
|
|
|
|
|
ctrl->with_validation);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
}
|
2008-01-30 18:21:28 +01:00
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
ksba_cert_release (lastcert);
|
2008-01-30 18:21:28 +01:00
|
|
|
|
lastcert = cert;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
cert = NULL;
|
|
|
|
|
}
|
2020-09-10 13:05:17 +02:00
|
|
|
|
if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
|
2004-02-21 14:05:52 +01:00
|
|
|
|
rc = 0;
|
|
|
|
|
if (rc)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
log_error ("keydb_search failed: %s\n", gpg_strerror (rc));
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
leave:
|
|
|
|
|
ksba_cert_release (cert);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
ksba_cert_release (lastcert);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (desc);
|
|
|
|
|
keydb_release (hd);
|
2004-02-21 14:05:52 +01:00
|
|
|
|
return rc;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2003-12-17 13:28:24 +01:00
|
|
|
|
list_external_cb (void *cb_value, ksba_cert_t cert)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
struct list_external_parm_s *parm = cb_value;
|
|
|
|
|
|
2016-11-10 17:01:19 +01:00
|
|
|
|
if (keydb_store_cert (parm->ctrl, cert, 1, NULL))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
log_error ("error storing certificate as ephemeral\n");
|
|
|
|
|
|
|
|
|
|
if (parm->print_header)
|
|
|
|
|
{
|
|
|
|
|
const char *resname = "[external keys]";
|
|
|
|
|
int i;
|
|
|
|
|
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_fprintf (parm->fp, "%s\n", resname );
|
2003-08-05 19:11:04 +02:00
|
|
|
|
for (i=strlen(resname); i; i-- )
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc('-', parm->fp);
|
|
|
|
|
es_putc ('\n', parm->fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
parm->print_header = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (parm->with_colons)
|
2004-02-17 16:05:04 +01:00
|
|
|
|
list_cert_colon (parm->ctrl, cert, 0, parm->fp, 0);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else if (parm->with_chain)
|
2004-08-06 18:14:10 +02:00
|
|
|
|
list_cert_chain (parm->ctrl, NULL, cert, parm->raw_mode, parm->fp, 0);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
else
|
|
|
|
|
{
|
2004-04-22 15:03:44 +02:00
|
|
|
|
if (parm->raw_mode)
|
2004-08-06 18:14:10 +02:00
|
|
|
|
list_cert_raw (parm->ctrl, NULL, cert, parm->fp, 0, 0);
|
2004-04-22 15:03:44 +02:00
|
|
|
|
else
|
|
|
|
|
list_cert_std (parm->ctrl, cert, parm->fp, 0, 0);
|
2007-03-19 15:35:04 +01:00
|
|
|
|
es_putc ('\n', parm->fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* List external keys similar to internal one. Note: mode does not
|
|
|
|
|
make sense here because it would be unwise to list external secret
|
|
|
|
|
keys */
|
2004-02-21 14:05:52 +01:00
|
|
|
|
static gpg_error_t
|
2007-03-19 15:35:04 +01:00
|
|
|
|
list_external_keys (ctrl_t ctrl, strlist_t names, estream_t fp, int raw_mode)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
int rc;
|
|
|
|
|
struct list_external_parm_s parm;
|
|
|
|
|
|
|
|
|
|
parm.fp = fp;
|
2004-02-17 16:05:04 +01:00
|
|
|
|
parm.ctrl = ctrl,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
parm.print_header = ctrl->no_server;
|
|
|
|
|
parm.with_colons = ctrl->with_colons;
|
|
|
|
|
parm.with_chain = ctrl->with_chain;
|
2004-04-22 15:03:44 +02:00
|
|
|
|
parm.raw_mode = raw_mode;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2020-04-16 18:01:37 +02:00
|
|
|
|
rc = gpgsm_dirmngr_lookup (ctrl, names, NULL, 0, list_external_cb, &parm);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (gpg_err_code (rc) == GPG_ERR_EOF || rc == -1
|
2008-05-06 16:03:36 +02:00
|
|
|
|
|| gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
|
|
|
|
|
rc = 0; /* "Not found" is not an error here. */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
log_error ("listing external keys failed: %s\n", gpg_strerror (rc));
|
2004-02-21 14:05:52 +01:00
|
|
|
|
return rc;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* List all keys or just the key given as NAMES.
|
2011-02-04 12:57:53 +01:00
|
|
|
|
MODE controls the operation mode:
|
2003-08-05 19:11:04 +02:00
|
|
|
|
Bit 0-2:
|
|
|
|
|
0 = list all public keys but don't flag secret ones
|
|
|
|
|
1 = list only public keys
|
|
|
|
|
2 = list only secret keys
|
|
|
|
|
3 = list secret and public keys
|
|
|
|
|
Bit 6: list internal keys
|
|
|
|
|
Bit 7: list external keys
|
2004-04-22 15:03:44 +02:00
|
|
|
|
Bit 8: Do a raw format dump.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*/
|
2004-02-21 14:05:52 +01:00
|
|
|
|
gpg_error_t
|
2007-03-19 15:35:04 +01:00
|
|
|
|
gpgsm_list_keys (ctrl_t ctrl, strlist_t names, estream_t fp,
|
|
|
|
|
unsigned int mode)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-02-21 14:05:52 +01:00
|
|
|
|
gpg_error_t err = 0;
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ((mode & (1<<6)))
|
2004-04-22 15:03:44 +02:00
|
|
|
|
err = list_internal_keys (ctrl, names, fp, (mode & 3), (mode&256));
|
2004-02-21 14:05:52 +01:00
|
|
|
|
if (!err && (mode & (1<<7)))
|
2011-02-04 12:57:53 +01:00
|
|
|
|
err = list_external_keys (ctrl, names, fp, (mode&256));
|
2004-02-21 14:05:52 +01:00
|
|
|
|
return err;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2021-04-20 09:37:56 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static gpg_error_t
|
|
|
|
|
do_show_certs (ctrl_t ctrl, const char *fname, estream_t outfp)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
gnupg_ksba_io_t b64reader = NULL;
|
|
|
|
|
ksba_reader_t reader;
|
|
|
|
|
ksba_cert_t cert = NULL;
|
|
|
|
|
estream_t fp;
|
|
|
|
|
int any = 0;
|
|
|
|
|
|
|
|
|
|
if (!fname || (fname[0] == '-' && !fname[1]))
|
|
|
|
|
{
|
|
|
|
|
fp = es_stdin;
|
|
|
|
|
fname = "[stdin]";
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
fp = es_fopen (fname, "rb");
|
|
|
|
|
if (!fp)
|
|
|
|
|
{
|
|
|
|
|
err = gpg_error_from_syserror ();
|
|
|
|
|
log_error (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = gnupg_ksba_create_reader
|
|
|
|
|
(&b64reader, ((ctrl->is_pem? GNUPG_KSBA_IO_PEM : 0)
|
|
|
|
|
| (ctrl->is_base64? GNUPG_KSBA_IO_BASE64 : 0)
|
|
|
|
|
| (ctrl->autodetect_encoding? GNUPG_KSBA_IO_AUTODETECT : 0)
|
|
|
|
|
| GNUPG_KSBA_IO_MULTIPEM),
|
|
|
|
|
fp, &reader);
|
|
|
|
|
if (err)
|
|
|
|
|
{
|
|
|
|
|
log_error ("can't create reader: %s\n", gpg_strerror (err));
|
|
|
|
|
goto leave;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* We need to loop here to handle multiple PEM objects per file. */
|
|
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
ksba_cert_release (cert); cert = NULL;
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_new (&cert);
|
|
|
|
|
if (err)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_read_der (cert, reader);
|
|
|
|
|
if (err)
|
|
|
|
|
goto leave;
|
|
|
|
|
|
|
|
|
|
es_fprintf (outfp, "File ........: %s\n", fname);
|
|
|
|
|
list_cert_raw (ctrl, NULL, cert, outfp, 0, 0);
|
|
|
|
|
es_putc ('\n', outfp);
|
|
|
|
|
any = 1;
|
|
|
|
|
|
|
|
|
|
ksba_reader_clear (reader, NULL, NULL);
|
|
|
|
|
}
|
|
|
|
|
while (!gnupg_ksba_reader_eof_seen (b64reader));
|
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
if (any && gpg_err_code (err) == GPG_ERR_EOF)
|
|
|
|
|
err = 0;
|
|
|
|
|
ksba_cert_release (cert);
|
|
|
|
|
gnupg_ksba_destroy_reader (b64reader);
|
|
|
|
|
if (fp != es_stdin)
|
|
|
|
|
es_fclose (fp);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Show a raw dump of the certificates found in the files given in
|
|
|
|
|
* the arrag FILES. Write output to FP. */
|
|
|
|
|
gpg_error_t
|
|
|
|
|
gpgsm_show_certs (ctrl_t ctrl, int nfiles, char **files, estream_t fp)
|
|
|
|
|
{
|
|
|
|
|
gpg_error_t saveerr = 0;
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
|
|
|
|
|
if (!nfiles)
|
|
|
|
|
saveerr = do_show_certs (ctrl, NULL, fp);
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
for (; nfiles; nfiles--, files++)
|
|
|
|
|
{
|
|
|
|
|
err = do_show_certs (ctrl, *files, fp);
|
|
|
|
|
if (err && !saveerr)
|
|
|
|
|
saveerr = err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return saveerr;
|
|
|
|
|
}
|