sm: Avoid confusing diagnostic for the default key.

* sm/certlist.c (cert_usage_p): Add arg 'silent' and change all callers. (gpgsm_cert_use_sign_p): Add arg 'silent' and pass to cert_usage_p. Change all callers. * sm/sign.c (gpgsm_get_default_cert): Set SILENT when calling gpgsm_cert_use_sign_p -- GnuPG-bug-id: 4535 Signed-off-by: Werner Koch <wk@gnupg.org>
2019-05-27 15:44:16 +02:00 · 2019-05-27 15:44:16 +02:00 · 32210e855c
parent 190eeb7cce
commit 32210e855c
3 changed files with 29 additions and 24 deletions
--- a/sm/certlist.c
+++ b/sm/certlist.c
@ -48,7 +48,7 @@ static const char oid_kp_ocspSigning[]    = "1.3.6.1.5.5.7.3.9";
   debugging).  MODE 4 is for certificate signing, MODE for COSP
   response signing. */
 static int
-cert_usage_p (ksba_cert_t cert, int mode)
+cert_usage_p (ksba_cert_t cert, int mode, int silent)
 {
  gpg_error_t err;
  unsigned int use;
@ -118,7 +118,7 @@ cert_usage_p (ksba_cert_t cert, int mode)
      if (gpg_err_code (err) == GPG_ERR_NO_DATA)
        {
          err = 0;
-          if (opt.verbose && mode < 2)
+          if (opt.verbose && mode < 2 && !silent)
            log_info (_("no key usage specified - assuming all usages\n"));
          use = ~0;
        }
@ -139,8 +139,9 @@ cert_usage_p (ksba_cert_t cert, int mode)
    {
      if ((use & (KSBA_KEYUSAGE_KEY_CERT_SIGN)))
        return 0;
-      log_info (_("certificate should not have "
+      if (!silent)
-                  "been used for certification\n"));
+        log_info (_("certificate should not have "
                    "been used for certification\n"));
      return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
    }
@ -151,8 +152,9 @@ cert_usage_p (ksba_cert_t cert, int mode)
              || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
                         |KSBA_KEYUSAGE_CRL_SIGN))))
        return 0;
-      log_info (_("certificate should not have "
+      if (!silent)
-                  "been used for OCSP response signing\n"));
+        log_info (_("certificate should not have "
                    "been used for OCSP response signing\n"));
      return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
    }
@ -162,19 +164,22 @@ cert_usage_p (ksba_cert_t cert, int mode)
      )
    return 0;
-  log_info (mode==3? _("certificate should not have been used for encryption\n"):
+  if (!silent)
-            mode==2? _("certificate should not have been used for signing\n"):
+    log_info
-            mode==1? _("certificate is not usable for encryption\n"):
+      (mode==3? _("certificate should not have been used for encryption\n"):
-                     _("certificate is not usable for signing\n"));
+       mode==2? _("certificate should not have been used for signing\n"):
       mode==1? _("certificate is not usable for encryption\n"):
       /**/     _("certificate is not usable for signing\n"));
  return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
 }
 /* Return 0 if the cert is usable for signing */
 int
-gpgsm_cert_use_sign_p (ksba_cert_t cert)
+gpgsm_cert_use_sign_p (ksba_cert_t cert, int silent)
 {
-  return cert_usage_p (cert, 0);
+  return cert_usage_p (cert, 0, silent);
 }
@ -182,31 +187,31 @@ gpgsm_cert_use_sign_p (ksba_cert_t cert)
 int
 gpgsm_cert_use_encrypt_p (ksba_cert_t cert)
 {
-  return cert_usage_p (cert, 1);
+  return cert_usage_p (cert, 1, 0);
 }
 int
 gpgsm_cert_use_verify_p (ksba_cert_t cert)
 {
-  return cert_usage_p (cert, 2);
+  return cert_usage_p (cert, 2, 0);
 }
 int
 gpgsm_cert_use_decrypt_p (ksba_cert_t cert)
 {
-  return cert_usage_p (cert, 3);
+  return cert_usage_p (cert, 3, 0);
 }
 int
 gpgsm_cert_use_cert_p (ksba_cert_t cert)
 {
-  return cert_usage_p (cert, 4);
+  return cert_usage_p (cert, 4, 0);
 }
 int
 gpgsm_cert_use_ocsp_p (ksba_cert_t cert)
 {
-  return cert_usage_p (cert, 5);
+  return cert_usage_p (cert, 5, 0);
 }
@ -341,7 +346,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
                  first_subject = ksba_cert_get_subject (cert, 0);
                  first_issuer = ksba_cert_get_issuer (cert, 0);
                }
-              rc = secret? gpgsm_cert_use_sign_p (cert)
+              rc = secret? gpgsm_cert_use_sign_p (cert, 0)
                         : gpgsm_cert_use_encrypt_p (cert);
              if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
                {
@ -403,8 +408,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
                                                      first_issuer,
                                                      cert2)
                                 && ((gpg_err_code (
-                                      secret? gpgsm_cert_use_sign_p (cert2)
+                                      secret? gpgsm_cert_use_sign_p (cert2,0)
-                                      : gpgsm_cert_use_encrypt_p (cert2)
+                                            : gpgsm_cert_use_encrypt_p (cert2)
                                      )
                                     )  == GPG_ERR_WRONG_KEY_USAGE));
                      if (tmp)
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -315,7 +315,7 @@ int gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert,
 int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);
 /*-- certlist.c --*/
-int gpgsm_cert_use_sign_p (ksba_cert_t cert);
+int gpgsm_cert_use_sign_p (ksba_cert_t cert, int silent);
 int gpgsm_cert_use_encrypt_p (ksba_cert_t cert);
 int gpgsm_cert_use_verify_p (ksba_cert_t cert);
 int gpgsm_cert_use_decrypt_p (ksba_cert_t cert);
--- a/sm/sign.c
+++ b/sm/sign.c
@ -161,7 +161,7 @@ gpgsm_get_default_cert (ctrl_t ctrl, ksba_cert_t *r_cert)
          return rc;
        }
-      if (!gpgsm_cert_use_sign_p (cert))
+      if (!gpgsm_cert_use_sign_p (cert, 1))
        {
          p = gpgsm_get_keygrip_hexstring (cert);
          if (p)
@ -404,7 +404,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
      /* Although we don't check for ambiguous specification we will
         check that the signer's certificate is usable and valid.  */
-      rc = gpgsm_cert_use_sign_p (cert);
+      rc = gpgsm_cert_use_sign_p (cert, 0);
      if (!rc)
        rc = gpgsm_validate_chain (ctrl, cert, "", NULL, 0, NULL, 0, NULL);
      if (rc)
@ -513,7 +513,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
  /* Gather certificates of signers and store them in the CMS object. */
  for (cl=signerlist; cl; cl = cl->next)
    {
-      rc = gpgsm_cert_use_sign_p (cl->cert);
+      rc = gpgsm_cert_use_sign_p (cl->cert, 0);
      if (rc)
        goto leave;