Allow verification of some broken S-TRUST generated signatures.

2025-07-02 22:46:30 +02:00 · 2007-12-13 15:45:40 +00:00 · 2007-12-13 15:45:40 +00:00 · 9d66580cff
commit 9d66580cff
parent aeb5a65f7c
19 changed files with 276 additions and 25 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,14 @@
+2007-12-13  Werner Koch  <wk@g10code.com>
+
+	* qualified.txt: Add 2 root certs from S-Trust for 2008-2012.
+	* examples/trustlist.txt: Ditto.
+
+	* gpgsm.texi (Esoteric Options): Document --extra-digest-algo.
+
+2007-12-12  Werner Koch  <wk@g10code.com>
+
+	* gpg.texi: Typo fixes.  From Christer Andersson.
+
 2007-12-04  Werner Koch  <wk@g10code.com>

 	* help.txt: New online help file.
--- a/doc/debugging.texi
+++ b/doc/debugging.texi
@ -182,7 +182,12 @@ such a certificate.  You may use the @code{relax} flag in
 fingerprint and this flag may only be added manually to
@file{trustlist.txt}.

+@item Error message: ``digest algorithm N has not been enabled''

+The signature is broken.  You may try the option
+@option{--extra-digest-algo SHA256} to workaround the problem.  The
+number N is the internal algorighm indentifier; for example 8 refers to
+SHA-256.

@end itemize

--- a/doc/examples/trustlist.txt
+++ b/doc/examples/trustlist.txt
@ -38,6 +38,17 @@ DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B  S
 #       Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
 A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D  S

+#          S/N: 00B3963E0E6C2D65125853E970665402E5
+#       Issuer: /CN=S-TRUST Qualified Root CA 2008-001:PN
+#               /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA  S
+
+#          S/N: 00C4216083F35C54F67B09A80C3C55FE7D
+#       Issuer: /CN=S-TRUST Qualified Root CA 2008-002:PN
+#               /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B  S
+
+
 #Serial number: 00
 #       Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.
 #               cacert.org/O=Root CA/EMail=support@cacert.org
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -113,7 +113,7 @@ Developer information:
@node GPG Commands
@section Commands

-Commands are not distinguished from options execpt for the fact that
+Commands are not distinguished from options except for the fact that
 only one command is allowed.

@command{@gpgname} may be run with no commands, in which case it will
@ -876,7 +876,7 @@ encountered, you can explicitly stop parsing by using the special option
@node GPG Configuration Options
@subsection How to change the configuration

-These options are used to change the configuraton and are usually found
+These options are used to change the configuration and are usually found
 in the option file.

@table @gnupgtabopt
@ -2456,13 +2456,13 @@ listed. @option{--list-config} is only usable with

@item --gpgconf-list
@opindex gpgconf-list
-This command is simliar to @option{--list-config} but in general only
+This command is similar to @option{--list-config} but in general only
 internally used by the @command{gpgconf} tool.

@item --gpgconf-test
@opindex gpgconf-test
 This is more or less dummy action.  However it parses the configuration
-file and returns with failure if the configuraion file would prevent
+file and returns with failure if the configuration file would prevent
@command{gpg} from startup.  Thus it may be used to run a syntax check
 on the configuration file.

@ -2560,7 +2560,7 @@ For existing users the a small
 helper script is provided to create these files (@pxref{addgnupghome}).
@end ifclear

-For internal purposes @command{@gpgname} creates and maintaines a few other
+For internal purposes @command{@gpgname} creates and maintains a few other
 files; They all live in in the current home directory (@pxref{option
 --homedir}).  Only the @command{@gpgname} may modify these files.

@ -2686,7 +2686,7 @@ user for the filename.
@include specify-user-id.texi
@end ifset

-@mansect return vaue
+@mansect return value
@chapheading RETURN VALUE

 The program returns 0 if everything was fine, 1 if at least
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@ -569,6 +569,19 @@ encryption.  For convenience the strings @code{3DES}, @code{AES} and

@table @gnupgtabopt

+@item --extra-digest-algo @var{name}
+@opindex extra-digest-algo
+Sometimes signatures are broken in that they announce a different digest
+algorithm than actually used.  @command{gpgsm} uses a one-pass data
+processing model and thus needs to rely on the announcde digest
+algorithms to properly hash the data.  As a workaround this option may
+be used to tell gpg to also hash the data using the algorithm
+@var{name}; this slows processing down a little bit but allows to verify
+such broken signatures.  If @command{gpgsm} prints an error like
+``digest algo 8 has not been enabled'' you may want to try this option,
+with @samp{SHA256} for @var{name}.
+
+
@item --faked-system-time @var{epoch}
@opindex faked-system-time
 This option is only useful for testing; it sets the system time back or
--- a/doc/qualified.txt
+++ b/doc/qualified.txt
@ -180,6 +180,35 @@ E0:BF:1B:91:91:6B:88:E4:F1:15:92:22:CE:37:23:96:B1:4A:2E:5C  de
 7A:3C:1B:60:2E:BD:A4:A1:E0:EB:AD:7A:BA:4F:D1:43:69:A9:39:FC  de


+#           ID: 0xA8FEA3CA
+#          S/N: 00B3963E0E6C2D65125853E970665402E5
+#       Issuer: /CN=S-TRUST Qualified Root CA 2008-001:PN
+#               /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+#      Subject: /CN=S-TRUST Qualified Root CA 2008-001:PN
+#               /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+#     validity: 2008-01-01 00:00:00 through 2012-12-30 23:59:59
+#     key type: 2048 bit RSA
+#    key usage: certSign crlSign
+# chain length: 1
+#[checked: 2007-12-13 via received ZIP file with qualified signature from 
+#         /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag
+#         /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg]
+C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA
+
+#           ID: 0x3A7D979B
+#          S/N: 00C4216083F35C54F67B09A80C3C55FE7D
+#       Issuer: /CN=S-TRUST Qualified Root CA 2008-002:PN
+#               /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+#      Subject: /CN=S-TRUST Qualified Root CA 2008-002:PN
+#               /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+#     validity: 2008-01-01 00:00:00 through 2012-12-30 23:59:59
+#     key type: 2048 bit RSA
+#    key usage: certSign crlSign
+# chain length: 1
+#[checked: 2007-12-13 via received ZIP file with qualified signature from 
+#         /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag
+#         /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg"]
+D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B


 #*******************************************
--- a/doc/specify-user-id.texi
+++ b/doc/specify-user-id.texi
@ -121,7 +121,7 @@ This should return the Root cert of the issuer.  See note above.


@item By exact match on serial number and issuer's DN.
-This is indicated by a hash mark, followed by the hexadecmal
+This is indicated by a hash mark, followed by the hexadecimal
 representation of the serial number, then followed by a slash and the
 RFC-2253 encoded DN of the issuer. See note above.