* certcheck.c (gpgsm_check_cert_sig): Add cert hash debugging.

* certchain.c (find_up): Print info when the cert was not found by the autorithyKeyIdentifier.
2002-09-19 12:59:57 +00:00 · 2002-09-19 12:59:57 +00:00 · 8bd507e5a2
parent fb332938d2
commit 8bd507e5a2
3 changed files with 35 additions and 3 deletions
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@ -1,3 +1,10 @@
+2002-09-19  Werner Koch  <wk@gnupg.org>
+
+	* certcheck.c (gpgsm_check_cert_sig): Add cert hash debugging.
+
+	* certchain.c (find_up): Print info when the cert was not found 
+	by the autorithyKeyIdentifier.
+
 2002-09-03  Werner Koch  <wk@gnupg.org>

 	* gpgsm.c (main): Disable the internal libgcrypt locking.
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -237,6 +237,19 @@ find_up (KEYDB_HANDLE kh, KsbaCert cert, const char *issuer)
              keydb_set_ephemeral (kh, old);
            }
        }
+      /* print a note so that the user does not feel too helpless when
+         an issuer certificate was found and gpgsm prints BAD
+         signature becuase it is not the correct one. */
+      if (rc == -1)
+        {
+          log_info ("issuer certificate (#");
+          gpgsm_dump_serial (authidno);
+          log_printf ("/");
+          gpgsm_dump_string (s);
+          log_printf (") not found\n");
+        }
+      else if (rc)
+        log_error ("failed to find authorityKeyIdentifier: rc=%d\n", rc);
      ksba_name_release (authid);
      xfree (authidno);
      /* Fixme: don't know how to do dirmngr lookup with serial+issuer. */
@ -267,7 +280,7 @@ find_up (KEYDB_HANDLE kh, KsbaCert cert, const char *issuer)
        log_info (_("looking up issuer at external location\n"));
      /* dirmngr is confused about unknown attributes so has a quick
         and ugly hack we locate the CN and use this and the
-         following.  Fixme: we should have far ebtter parsing in the
+         following.  Fixme: we should have far better parsing in the
         dirmngr. */
      s = strstr (issuer, "CN=");
      if (!s || s == issuer || s[-1] != ',')
@ -588,7 +601,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime)
        {
          if (rc == -1)
            {
-              log_info ("issuer certificate (");
+              log_info ("issuer certificate (#/");
              gpgsm_dump_string (issuer);
              log_printf (") not found\n");
            }
@ -735,7 +748,7 @@ gpgsm_basic_cert_check (KsbaCert cert)
        {
          if (rc == -1)
            {
-              log_info ("issuer certificate (");
+              log_info ("issuer certificate (#/");
              gpgsm_dump_string (issuer);
              log_printf (") not found\n");
            }
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@ -123,6 +123,8 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
      log_error ("md_open failed: %s\n", gcry_strerror (-1));
      return GNUPG_General_Error;
    }
+  if (DBG_HASHING)
+    gcry_md_start_debug (md, "hash.cert");

  rc = ksba_cert_hash (cert, 1, HASH_FNC, md);
  if (rc)
@ -142,6 +144,15 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
      ksba_free (p);
      return GNUPG_Bug;
    }
+  if (DBG_X509)
+    {
+      int j;
+      log_debug ("signature value:");
+      for (j=0; j < n; j++)
+        log_printf (" %02X", p[j]);
+      log_printf ("\n");
+    }
+
  rc = gcry_sexp_sscan ( &s_sig, NULL, p, n);
  ksba_free (p);
  if (rc)
@ -184,6 +195,7 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
  if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) )
    BUG ();
  gcry_mpi_release (frame);
+
  
  rc = gcry_pk_verify (s_sig, s_hash, s_pkey);
  if (DBG_CRYPTO)