diff --git a/NEWS b/NEWS index 689c8ede7..d36033402 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,11 @@ Noteworthy changes in version 2.0.7 ------------------------------------------------ + * Fixed encryption problem if duplicate certificates are in the + keybox. + + * Made it work on Windows Vista. + Noteworthy changes in version 2.0.6 (2007-08-16) ------------------------------------------------ diff --git a/doc/ChangeLog b/doc/ChangeLog index 07c497cc7..d4ade07d9 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,8 @@ +2007-08-24 Werner Koch + + * debugging.texi (Common Problems): Add "A root certifciate does + not validate." + 2007-08-14 Werner Koch * glossary.texi (Glossary): Add a more items. diff --git a/doc/debugging.texi b/doc/debugging.texi index e1a62d7eb..fb27b2710 100644 --- a/doc/debugging.texi +++ b/doc/debugging.texi @@ -77,6 +77,13 @@ are flagges as ephemeral, meaning that they are only temporary stored provided by @command{gpgsm} or @command{gpg}. 81 certifcates are stored in a standard way and directly available from @command{gpgsm}. +@noindent +To find duplicated certificates and keyblocks in a keybox file (this +should not occur but sometimes things go wrong), run it using + +@samp{kbxutil --find-dups ~/.gnupg/pubring.kbx} + + @@ -165,6 +172,18 @@ stored private keys because some private keys are used for Secure Shell or other purposes and don't have a corresponding certificate. +@item A root certificate does not verify + +A common problem is that the root certificate misses the required +basicConstrains attribute and thus @command{gpgsm} rejects this +certificate. An error message indicating ``no value'' is a sign for +such a certificate. You may use the @code{relax} flag in +@file{trustlist.txt} to accept the certificate anyway. Note that the +fingerprint and this flag may only be added manually to +@file{trustlist.txt}. + + + @end itemize diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 829530bd8..156fe533e 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -502,7 +502,9 @@ caller: @table @code @item relax -Relax checking of some root certificate requirements. +Relax checking of some root certificate requirements. This is for +example required if the certificate is missing the basicConstraints +attribute (despite that it is a MUST for CA certificates). @item cm If validation of a certificate finally issued by a CA with this flag set diff --git a/g10/ChangeLog b/g10/ChangeLog index be41ada5a..90501d090 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,7 @@ +2007-08-24 Werner Koch + + * keyring.c (keyring_register_filename): Use same_file_p(). + 2007-08-21 Werner Koch * misc.c (openpgp_md_test_algo): Remove rfc2440bis hash algorithms. diff --git a/g10/keyring.c b/g10/keyring.c index 67ac018c6..937502ab2 100644 --- a/g10/keyring.c +++ b/g10/keyring.c @@ -206,10 +206,10 @@ keyring_register_filename (const char *fname, int secret, void **ptr) for (kr=kr_names; kr; kr = kr->next) { - if ( !compare_filenames (kr->fname, fname) ) + if (same_file_p (kr->fname, fname)) { *ptr=kr; - return 0; /* already registered */ + return 0; /* Already registered. */ } } diff --git a/jnlib/ChangeLog b/jnlib/ChangeLog index c7722876b..1d0adec0e 100644 --- a/jnlib/ChangeLog +++ b/jnlib/ChangeLog @@ -1,3 +1,9 @@ +2007-08-24 Werner Koch + + * mischelp.c (same_file_p): New. + (libjnlib_dummy_mischelp_func): Remove as we now always have one + function. + 2007-08-09 Werner Koch * argparse.c (show_help): Expand the @EMAIL@ macro in the package diff --git a/jnlib/mischelp.c b/jnlib/mischelp.c index b2248288e..f7df5c154 100644 --- a/jnlib/mischelp.c +++ b/jnlib/mischelp.c @@ -1,5 +1,5 @@ /* mischelp.c - Miscellaneous helper functions - * Copyright (C) 1998, 2000, 2001, 2006 Free Software Foundation, Inc. + * Copyright (C) 1998, 2000, 2001, 2006, 2007 Free Software Foundation, Inc. * * This file is part of JNLIB. * @@ -21,16 +21,63 @@ #include #include #include +#ifdef HAVE_W32_SYSTEM +# define WIN32_LEAN_AND_MEAN +# include +#else /*!HAVE_W32_SYSTEM*/ +# include +# include +# include +#endif /*!HAVE_W32_SYSTEM*/ #include "libjnlib-config.h" +#include "stringhelp.h" #include "mischelp.h" -/* A dummy function to prevent an empty compilation unit. Some - compilers bail out in this case. */ -time_t -libjnlib_dummy_mischelp_func (void) + +/* Check whether the files NAME1 and NAME2 are identical. This is for + example achieved by comparing the inode numbers of the files. */ +int +same_file_p (const char *name1, const char *name2) { - return time (NULL); + int yes; + + /* First try a shortcut. */ + if (!compare_filenames (name1, name2)) + yes = 1; + else + { +#ifdef HAVE_W32_SYSTEM + HANDLE file1, file2; + BY_HANDLE_FILE_INFORMATION info1, info2; + + file1 = CreateFile (name1, 0, 0, NULL, OPEN_EXISTING, 0, NULL); + if (file1 == INVALID_HANDLE_VALUE) + yes = 0; /* If we can't open the file, it is not the same. */ + else + { + file2 = CreateFile (name2, 0, 0, NULL, OPEN_EXISTING, 0, NULL); + if (file1 == INVALID_HANDLE_VALUE) + yes = 0; /* If we can't open the file, it is not the same. */ + else + { + yes = (GetFileInformationByHandle (file1, &info1) + && GetFileInformationByHandle (file2, &info2) + && info1.dwVolumeSerialNumber==info2.dwVolumeSerialNumber + && info1.nFileIndexHigh == info2.nFileIndexHigh + && info1.nFileIndexLow == info2.nFileIndexLow); + CloseHandle (file2); + } + CloseHandle (file1); + } +#else /*!HAVE_W32_SYSTEM*/ + struct stat info1, info2; + + yes = (!stat (name1, &info1) && !stat (name2, &info2) + && info1.st_dev == info2.st_dev && info1.st_ino == info2.st_ino); +#endif /*!HAVE_W32_SYSTEM*/ + } + return yes; } diff --git a/jnlib/mischelp.h b/jnlib/mischelp.h index a00764106..2f003e1ce 100644 --- a/jnlib/mischelp.h +++ b/jnlib/mischelp.h @@ -1,6 +1,6 @@ /* mischelp.h - Miscellaneous helper macros and functions * Copyright (C) 1999, 2000, 2001, 2002, 2003, - * 2006 Free Software Foundation, Inc. + * 2006, 2007 Free Software Foundation, Inc. * * This file is part of JNLIB. * @@ -22,6 +22,11 @@ #define LIBJNLIB_MISCHHELP_H +/* Check whether the files NAME1 and NAME2 are identical. This is for + example achieved by comparing the inode numbers of the files. */ +int same_file_p (const char *name1, const char *name2); + + #ifndef HAVE_TIMEGM #include time_t timegm (struct tm *tm); diff --git a/jnlib/stringhelp.c b/jnlib/stringhelp.c index b1f6f73db..e7fd0ce45 100644 --- a/jnlib/stringhelp.c +++ b/jnlib/stringhelp.c @@ -338,11 +338,14 @@ make_filename( const char *first_part, ... ) } +/* Compare whether the filenames are identical. This is a + specialversion of strcmp() taking the semantics of filenames in + account. Note that this function works only on the supplied names + without considereing any context like the current directory. See + also same_file_p(). */ int compare_filenames (const char *a, const char *b) { - /* ? check whether this is an absolute filename and resolve - symlinks? */ #ifdef HAVE_DRIVE_LETTERS for ( ; *a && *b; a++, b++ ) { diff --git a/kbx/ChangeLog b/kbx/ChangeLog index edcf917fd..f7c79ee1a 100644 --- a/kbx/ChangeLog +++ b/kbx/ChangeLog @@ -1,3 +1,7 @@ +2007-08-24 Werner Koch + + * keybox-init.c (keybox_register_file): Use same_file_p. + 2007-08-23 Werner Koch * kbxutil.c: New commands --find-dups and --cut. New options diff --git a/kbx/keybox-init.c b/kbx/keybox-init.c index ea95c5f67..fcf3c7cee 100644 --- a/kbx/keybox-init.c +++ b/kbx/keybox-init.c @@ -24,10 +24,9 @@ #include #include +#include "../jnlib/mischelp.h" #include "keybox-defs.h" -#define compare_filenames strcmp - static KB_NAME kb_names; @@ -42,8 +41,8 @@ keybox_register_file (const char *fname, int secret) for (kr=kb_names; kr; kr = kr->next) { - if ( !compare_filenames (kr->fname, fname) ) - return NULL; /* already registered */ + if (same_file_p (kr->fname, fname) ) + return NULL; /* Already registered. */ } kr = xtrymalloc (sizeof *kr + strlen (fname)); diff --git a/tests/samplekeys/README b/tests/samplekeys/README index 0e8877907..57ece0dcd 100644 --- a/tests/samplekeys/README +++ b/tests/samplekeys/README @@ -13,5 +13,8 @@ webderoot.der trust.web.de Root CA certificate [2004-02-17] webdeca.der trust.web.de CA certificate [2004-02-17] +gte.pem GTE CyberTrust Global Root + + diff --git a/tests/samplekeys/gte.pem b/tests/samplekeys/gte.pem new file mode 100644 index 000000000..fd6ae9f5f --- /dev/null +++ b/tests/samplekeys/gte.pem @@ -0,0 +1,19 @@ +Issuer ...: /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions, Inc./O=GTE Corporation/C=US +Serial ...: 01A5 +Subject ..: /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions, Inc./O=GTE Corporation/C=US + +-----BEGIN CERTIFICATE----- +MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD +VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv +bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv +b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV +UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU +cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds +b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH +iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS +r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4 +04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r +GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9 +3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P +lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/ +-----END CERTIFICATE-----