gpgsm: Add new validation model "steed".

* sm/gpgsm.h (VALIDATE_FLAG_STEED): New. * sm/gpgsm.c (gpgsm_parse_validation_model): Add model "steed". * sm/server.c (option_handler): Allow validation model "steed". * sm/certlist.c (gpgsm_cert_has_well_known_private_key): New. * sm/certchain.c (do_validate_chain): Handle the well-known-private-key attribute. Support the "steed" model. (gpgsm_validate_chain): Ditto. * sm/verify.c (gpgsm_verify): Return "steed" in the trust status line. * sm/keylist.c (list_cert_colon): Print the new 'w' flag. -- This is the first part of changes to implement the STEED proposal as described at http://g10code.com/steed.html . The idea for X.509 is not to use plain self-signed certificates but certificates signed by a dummy CA (i.e. one for which the private key is known). Having a single CA as an indication for the use of STEED might help other X.509 implementations to implement STEED.
2025-07-02 22:46:30 +02:00 · 2011-12-07 16:15:15 +01:00 · 2011-12-07 16:15:15 +01:00 · 8a12a2000d
commit 8a12a2000d
parent 14e4fdc9f9
9 changed files with 104 additions and 29 deletions
--- a/sm/certlist.c
+++ b/sm/certlist.c
@ -1,6 +1,6 @@
 /* certlist.c - build list of certificates
 * Copyright (C) 2001, 2003, 2004, 2005, 2007,
- *               2008 Free Software Foundation, Inc.
+ *               2008, 2011 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
@ -210,6 +210,21 @@ gpgsm_cert_use_ocsp_p (ksba_cert_t cert)
 }


+/* Return true if CERT has the well known private key extension.  */
+int
+gpgsm_cert_has_well_known_private_key (ksba_cert_t cert)
+{
+  int idx;
+  const char *oid;
+
+  for (idx=0; !ksba_cert_get_extension (cert, idx,
+                                        &oid, NULL, NULL, NULL);idx++)
+    if (!strcmp (oid, "1.3.6.1.4.1.11591.2.2.2") )
+      return 1; /* Yes.  */
+  return 0; /* No.  */
+}
+
+
 static int
 same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert)
 {