diff --git a/sm/certlist.c b/sm/certlist.c index c9e275e9d..c3e4e821b 100644 --- a/sm/certlist.c +++ b/sm/certlist.c @@ -48,7 +48,7 @@ static const char oid_kp_ocspSigning[] = "1.3.6.1.5.5.7.3.9"; debugging). MODE 4 is for certificate signing, MODE for COSP response signing. */ static int -cert_usage_p (ksba_cert_t cert, int mode) +cert_usage_p (ksba_cert_t cert, int mode, int silent) { gpg_error_t err; unsigned int use; @@ -118,7 +118,7 @@ cert_usage_p (ksba_cert_t cert, int mode) if (gpg_err_code (err) == GPG_ERR_NO_DATA) { err = 0; - if (opt.verbose && mode < 2) + if (opt.verbose && mode < 2 && !silent) log_info (_("no key usage specified - assuming all usages\n")); use = ~0; } @@ -139,8 +139,9 @@ cert_usage_p (ksba_cert_t cert, int mode) { if ((use & (KSBA_KEYUSAGE_KEY_CERT_SIGN))) return 0; - log_info (_("certificate should not have " - "been used for certification\n")); + if (!silent) + log_info (_("certificate should not have " + "been used for certification\n")); return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } @@ -151,8 +152,9 @@ cert_usage_p (ksba_cert_t cert, int mode) || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN |KSBA_KEYUSAGE_CRL_SIGN)))) return 0; - log_info (_("certificate should not have " - "been used for OCSP response signing\n")); + if (!silent) + log_info (_("certificate should not have " + "been used for OCSP response signing\n")); return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } @@ -162,19 +164,22 @@ cert_usage_p (ksba_cert_t cert, int mode) ) return 0; - log_info (mode==3? _("certificate should not have been used for encryption\n"): - mode==2? _("certificate should not have been used for signing\n"): - mode==1? _("certificate is not usable for encryption\n"): - _("certificate is not usable for signing\n")); + if (!silent) + log_info + (mode==3? _("certificate should not have been used for encryption\n"): + mode==2? _("certificate should not have been used for signing\n"): + mode==1? _("certificate is not usable for encryption\n"): + /**/ _("certificate is not usable for signing\n")); + return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } /* Return 0 if the cert is usable for signing */ int -gpgsm_cert_use_sign_p (ksba_cert_t cert) +gpgsm_cert_use_sign_p (ksba_cert_t cert, int silent) { - return cert_usage_p (cert, 0); + return cert_usage_p (cert, 0, silent); } @@ -182,31 +187,31 @@ gpgsm_cert_use_sign_p (ksba_cert_t cert) int gpgsm_cert_use_encrypt_p (ksba_cert_t cert) { - return cert_usage_p (cert, 1); + return cert_usage_p (cert, 1, 0); } int gpgsm_cert_use_verify_p (ksba_cert_t cert) { - return cert_usage_p (cert, 2); + return cert_usage_p (cert, 2, 0); } int gpgsm_cert_use_decrypt_p (ksba_cert_t cert) { - return cert_usage_p (cert, 3); + return cert_usage_p (cert, 3, 0); } int gpgsm_cert_use_cert_p (ksba_cert_t cert) { - return cert_usage_p (cert, 4); + return cert_usage_p (cert, 4, 0); } int gpgsm_cert_use_ocsp_p (ksba_cert_t cert) { - return cert_usage_p (cert, 5); + return cert_usage_p (cert, 5, 0); } @@ -341,7 +346,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, first_subject = ksba_cert_get_subject (cert, 0); first_issuer = ksba_cert_get_issuer (cert, 0); } - rc = secret? gpgsm_cert_use_sign_p (cert) + rc = secret? gpgsm_cert_use_sign_p (cert, 0) : gpgsm_cert_use_encrypt_p (cert); if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE) { @@ -403,8 +408,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, first_issuer, cert2) && ((gpg_err_code ( - secret? gpgsm_cert_use_sign_p (cert2) - : gpgsm_cert_use_encrypt_p (cert2) + secret? gpgsm_cert_use_sign_p (cert2,0) + : gpgsm_cert_use_encrypt_p (cert2) ) ) == GPG_ERR_WRONG_KEY_USAGE)); if (tmp) diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 325948aff..0ce96ff55 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -315,7 +315,7 @@ int gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert); /*-- certlist.c --*/ -int gpgsm_cert_use_sign_p (ksba_cert_t cert); +int gpgsm_cert_use_sign_p (ksba_cert_t cert, int silent); int gpgsm_cert_use_encrypt_p (ksba_cert_t cert); int gpgsm_cert_use_verify_p (ksba_cert_t cert); int gpgsm_cert_use_decrypt_p (ksba_cert_t cert); diff --git a/sm/sign.c b/sm/sign.c index 24ecad3d7..fd6ebe00c 100644 --- a/sm/sign.c +++ b/sm/sign.c @@ -161,7 +161,7 @@ gpgsm_get_default_cert (ctrl_t ctrl, ksba_cert_t *r_cert) return rc; } - if (!gpgsm_cert_use_sign_p (cert)) + if (!gpgsm_cert_use_sign_p (cert, 1)) { p = gpgsm_get_keygrip_hexstring (cert); if (p) @@ -404,7 +404,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, /* Although we don't check for ambiguous specification we will check that the signer's certificate is usable and valid. */ - rc = gpgsm_cert_use_sign_p (cert); + rc = gpgsm_cert_use_sign_p (cert, 0); if (!rc) rc = gpgsm_validate_chain (ctrl, cert, "", NULL, 0, NULL, 0, NULL); if (rc) @@ -513,7 +513,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, /* Gather certificates of signers and store them in the CMS object. */ for (cl=signerlist; cl; cl = cl->next) { - rc = gpgsm_cert_use_sign_p (cl->cert); + rc = gpgsm_cert_use_sign_p (cl->cert, 0); if (rc) goto leave;