better reporting of bad DNs

2006-07-03 13:26:19 +00:00 · 2006-07-03 13:26:19 +00:00 · 4954c5f1c3
parent 640d5a8c53
commit 4954c5f1c3
5 changed files with 37 additions and 11 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+2006-07-03  Werner Koch  <wk@g10code.com>
+
+	* configure.ac: Test for ksba_dn_teststr. 
+
 2006-06-30  Werner Koch  <wk@g10code.com>

 	* keyserver/: New.  Taken from 1.4.4
--- a/4
+++ b/4
@ -13,10 +13,6 @@ We should always use valid S-Exp and not just parts.
 might want to have an agent context for each service request
 (i.e. Assuan context).

-* sm/certreqgen.c
-** Improve error reporting
-** Do some basic checks on the supplied DNs
-
 * sm/certchain.c
 ** When a certificate chain was sucessfully verified, make ephemeral certs used  in this chain permanent.
 ** Try to keep certificate references somewhere
--- a/configure.ac
+++ b/configure.ac
@ -512,6 +512,11 @@ AM_PATH_LIBASSUAN("$NEED_LIBASSUAN_VERSION",
 # libksba is our X.509 support library
 #
 AM_PATH_KSBA("$NEED_KSBA_VERSION",have_ksba=yes,have_ksba=no)
+# fixme: Remove the following test and require newer libksba instead.
+_ksba_save_libs=$LIBS
+LIBS=$KSBA_LIBS
+AC_CHECK_FUNCS(ksba_dn_teststr)
+LIBS=$_ksba_save_libs

 #
 # libusb allows us to use the integrated CCID smartcard reader driver.
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@ -1,3 +1,8 @@
+2006-07-03  Werner Koch  <wk@g10code.com>
+
+	* certreqgen.c (proc_parameters): Print the component label of a
+	faulty DN.
+
 2006-06-26  Werner Koch  <wk@g10code.com>

 	* certdump.c (gpgsm_cert_log_name): New.
--- a/sm/certreqgen.c
+++ b/sm/certreqgen.c
@ -441,6 +441,7 @@ static int
 proc_parameters (ctrl_t ctrl,
                 struct para_data_s *para, struct reqgen_ctrl_s *outctrl)
 {
+  gpg_error_t err;
  struct para_data_s *r;
  const char *s;
  int i;
@ -450,8 +451,9 @@ proc_parameters (ctrl_t ctrl,
  int rc;
  ksba_sexp_t public;
  int seq;
-  
-  /* check that we have all required parameters */
+  size_t erroff, errlen;
+
+  /* Check that we have all required parameters; */
  assert (get_parameter (para, pKEYTYPE, 0));

  /* We can only use RSA for now.  There is a with pkcs-10 on how to
@ -483,17 +485,31 @@ proc_parameters (ctrl_t ctrl,
  if (parse_parameter_usage (para, pKEYUSAGE))
    return gpg_error (GPG_ERR_INV_PARAMETER);

-  /* check that there is a subject name and that this DN fits our
-     requirements */
+  /* Check that there is a subject name and that this DN fits our
+     requirements. */
  if (!(s=get_parameter_value (para, pNAMEDN, 0)))
    {
-      r = get_parameter (para, pKEYTYPE, 0);
+      r = get_parameter (para, pNAMEDN, 0);
      log_error (_("line %d: no subject name given\n"), r->lnr);
      return gpg_error (GPG_ERR_INV_PARAMETER);
    }
-  /* fixme check s */
+#if HAVE_KSBA_DN_TESTSTR
+  err = ksba_dn_teststr (s, 0, &erroff, &errlen);
+  if (err)
+    {
+      r = get_parameter (para, pNAMEDN, 0);
+      if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
+        log_error (_("line %d: invalid subject name label `%.*s'\n"),
+                   r->lnr, (int)errlen, s+erroff);
+      else
+        log_error (_("line %d: invalid subject name `%s' at pos %d\n"),
+                   r->lnr, s, erroff);

-  /* check that the optional email address is okay */
+      return gpg_error (GPG_ERR_INV_PARAMETER);
+    }
+#endif /*HAVE_KSBA_DN_TESTSTR*/
+
+  /* Check that the optional email address is okay. */
  for (seq=0; (s=get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
    { 
      if (has_invalid_email_chars (s)