mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
we are now able to check self-signed certificates
This commit is contained in:
parent
fcfec25620
commit
a014d87d1c
@ -19,6 +19,7 @@
|
||||
|
||||
## Process this file with automake to produce Makefile.in
|
||||
|
||||
EXTRA_DIST = mkerrors
|
||||
INCLUDES = -I.. -I$(top_srcdir)/include
|
||||
BUILT_SOURCES = assuan-errors.c
|
||||
|
||||
|
@ -21,7 +21,8 @@
|
||||
bin_PROGRAMS = gpgsm
|
||||
|
||||
INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/intl
|
||||
LDFLAGS = @LDFLAGS@ $(LIBGCRYPT_LIBS)
|
||||
LDFLAGS = @LDFLAGS@
|
||||
#$(LIBGCRYPT_LIBS)
|
||||
BUILT_SOURCES = errors.c
|
||||
|
||||
gpgsm_SOURCES = \
|
||||
@ -31,8 +32,11 @@ gpgsm_SOURCES = \
|
||||
import.c
|
||||
|
||||
gpgsm_LDADD = ../jnlib/libjnlib.a ../assuan/libassuan.a \
|
||||
../../libksba/src/.libs/libksba.a
|
||||
../../libksba/src/.libs/libksba.a \
|
||||
../../libgcrypt/src/.libs/libgcrypt.so.1
|
||||
|
||||
|
||||
errors.c : gpgsm.h mkerrors
|
||||
$(srcdir)/mkerrors < $(srcdir)/gpgsm.h > errors.c
|
||||
|
||||
|
||||
|
@ -969,6 +969,7 @@ main ( int argc, char **argv)
|
||||
|
||||
case aImport:
|
||||
/* import_keys (argc? argv:NULL, argc); */
|
||||
gpgsm_import (0);
|
||||
break;
|
||||
|
||||
case aExport:
|
||||
|
194
sm/import.c
194
sm/import.c
@ -27,6 +27,7 @@
|
||||
#include <time.h>
|
||||
#include <assert.h>
|
||||
|
||||
#include <gcrypt.h>
|
||||
#include <ksba.h>
|
||||
|
||||
#include "gpgsm.h"
|
||||
@ -37,7 +38,7 @@ struct reader_cb_parm_s {
|
||||
|
||||
|
||||
static int
|
||||
reader_cb (void *cb_value, unsigned char *buffer, size_t count, size_t *nread)
|
||||
reader_cb (void *cb_value, char *buffer, size_t count, size_t *nread)
|
||||
{
|
||||
struct reader_cb_parm_s *parm = cb_value;
|
||||
size_t n;
|
||||
@ -55,10 +56,10 @@ reader_cb (void *cb_value, unsigned char *buffer, size_t count, size_t *nread)
|
||||
if ( ferror (parm->fp) )
|
||||
return -1;
|
||||
if (n)
|
||||
break; /* return what we have beofre an EOF */
|
||||
break; /* return what we have before an EOF */
|
||||
return -1;
|
||||
}
|
||||
*buffer++ = c;
|
||||
*(byte *)buffer++ = c;
|
||||
}
|
||||
|
||||
*nread = n;
|
||||
@ -111,6 +112,153 @@ print_dn (char *p)
|
||||
printf ("`%s'", p);
|
||||
}
|
||||
|
||||
static void
|
||||
print_cert (KsbaCert cert)
|
||||
{
|
||||
unsigned char *p;
|
||||
char *dn;
|
||||
time_t t;
|
||||
|
||||
p = ksba_cert_get_serial (cert);
|
||||
fputs ("serial: ", stdout);
|
||||
print_integer (p);
|
||||
ksba_free (p);
|
||||
putchar ('\n');
|
||||
|
||||
t = ksba_cert_get_validity (cert, 0);
|
||||
fputs ("notBefore: ", stdout);
|
||||
print_time (t);
|
||||
putchar ('\n');
|
||||
t = ksba_cert_get_validity (cert, 1);
|
||||
fputs ("notAfter: ", stdout);
|
||||
print_time (t);
|
||||
putchar ('\n');
|
||||
|
||||
dn = ksba_cert_get_issuer (cert);
|
||||
fputs ("issuer: ", stdout);
|
||||
print_dn (dn);
|
||||
ksba_free (dn);
|
||||
putchar ('\n');
|
||||
|
||||
dn = ksba_cert_get_subject (cert);
|
||||
fputs ("subject: ", stdout);
|
||||
print_dn (dn);
|
||||
ksba_free (dn);
|
||||
putchar ('\n');
|
||||
|
||||
printf ("hash algo: %d\n", ksba_cert_get_digest_algo (cert));
|
||||
}
|
||||
|
||||
|
||||
|
||||
static MPI
|
||||
do_encode_md (GCRY_MD_HD md, int algo, size_t len, unsigned nbits,
|
||||
const byte *asn, size_t asnlen)
|
||||
{
|
||||
int nframe = (nbits+7) / 8;
|
||||
byte *frame;
|
||||
int i,n;
|
||||
MPI a;
|
||||
|
||||
if( len + asnlen + 4 > nframe )
|
||||
log_bug("can't encode a %d bit MD into a %d bits frame\n",
|
||||
(int)(len*8), (int)nbits);
|
||||
|
||||
/* We encode the MD in this way:
|
||||
*
|
||||
* 0 A PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes)
|
||||
*
|
||||
* PAD consists of FF bytes.
|
||||
*/
|
||||
frame = xmalloc (nframe);
|
||||
n = 0;
|
||||
frame[n++] = 0;
|
||||
frame[n++] = 1; /* block type */
|
||||
i = nframe - len - asnlen -3 ;
|
||||
assert( i > 1 );
|
||||
memset( frame+n, 0xff, i ); n += i;
|
||||
frame[n++] = 0;
|
||||
memcpy( frame+n, asn, asnlen ); n += asnlen;
|
||||
memcpy( frame+n, gcry_md_read(md, algo), len ); n += len;
|
||||
assert( n == nframe );
|
||||
gcry_mpi_scan ( &a, GCRYMPI_FMT_USG, frame, &nframe);
|
||||
xfree(frame);
|
||||
return a;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
static void
|
||||
check_selfsigned_cert (KsbaCert cert)
|
||||
{
|
||||
/* OID for MD5 as defined in PKCS#1 (rfc2313) */
|
||||
static byte asn[18] = /* Object ID is 1.2.840.113549.2.5 (md5) */
|
||||
{ 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48,
|
||||
0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10
|
||||
};
|
||||
|
||||
GCRY_MD_HD md;
|
||||
int rc, algo;
|
||||
GCRY_MPI frame;
|
||||
char *p;
|
||||
GCRY_SEXP s_sig, s_hash, s_pkey;
|
||||
|
||||
algo = ksba_cert_get_digest_algo (cert);
|
||||
md = gcry_md_open (algo, 0);
|
||||
if (!md)
|
||||
{
|
||||
log_error ("md_open failed: %s\n", gcry_strerror (-1));
|
||||
return;
|
||||
}
|
||||
|
||||
gcry_md_start_debug (md, "cert");
|
||||
rc = ksba_cert_hash (cert, gcry_md_write, md);
|
||||
if (rc)
|
||||
{
|
||||
log_error ("ksba_cert_hash failed: %s\n", ksba_strerror (rc));
|
||||
gcry_md_close (md);
|
||||
return;
|
||||
}
|
||||
gcry_md_final (md);
|
||||
|
||||
p = ksba_cert_get_sig_val (cert);
|
||||
printf ("signature: %s\n", p);
|
||||
|
||||
rc = gcry_sexp_sscan ( &s_sig, NULL, p, strlen(p));
|
||||
if (rc)
|
||||
{
|
||||
log_error ("gcry_sexp_scan failed: %s\n", gcry_strerror (rc));
|
||||
return;
|
||||
}
|
||||
/*gcry_sexp_dump (s_sig);*/
|
||||
|
||||
|
||||
/* FIXME: need to map the algo to the ASN OID - we assume a fixed
|
||||
one for now */
|
||||
frame = do_encode_md (md, algo, 16, 2048, asn, DIM(asn));
|
||||
|
||||
/* put hash into the S-Exp s_hash */
|
||||
if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) )
|
||||
BUG ();
|
||||
/*fputs ("hash:\n", stderr); gcry_sexp_dump (s_hash);*/
|
||||
_gcry_log_mpidump ("hash", frame);
|
||||
|
||||
p = ksba_cert_get_public_key (cert);
|
||||
printf ("public key: %s\n", p);
|
||||
|
||||
rc = gcry_sexp_sscan ( &s_pkey, NULL, p, strlen(p));
|
||||
if (rc)
|
||||
{
|
||||
log_error ("gcry_sexp_scan failed: %s\n", gcry_strerror (rc));
|
||||
return;
|
||||
}
|
||||
/*gcry_sexp_dump (s_pkey);*/
|
||||
|
||||
rc = gcry_pk_verify (s_sig, s_hash, s_pkey);
|
||||
log_error ("gcry_pk_verify: %s\n", gcry_strerror (rc));
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -163,42 +311,9 @@ gpgsm_import (int in_fd)
|
||||
goto leave;
|
||||
}
|
||||
|
||||
{
|
||||
unsigned char *p;
|
||||
char *dn;
|
||||
time_t t;
|
||||
|
||||
p = ksba_cert_get_serial (cert);
|
||||
fputs ("serial: ", stdout);
|
||||
print_integer (p);
|
||||
ksba_free (p);
|
||||
putchar ('\n');
|
||||
print_cert (cert);
|
||||
check_selfsigned_cert (cert);
|
||||
|
||||
t = ksba_cert_get_validity (cert, 0);
|
||||
fputs ("notBefore: ", stdout);
|
||||
print_time (t);
|
||||
putchar ('\n');
|
||||
t = ksba_cert_get_validity (cert, 1);
|
||||
fputs ("notAfter: ", stdout);
|
||||
print_time (t);
|
||||
putchar ('\n');
|
||||
|
||||
dn = ksba_cert_get_issuer (cert);
|
||||
fputs ("issuer: ", stdout);
|
||||
print_dn (dn);
|
||||
ksba_free (dn);
|
||||
putchar ('\n');
|
||||
|
||||
dn = ksba_cert_get_subject (cert);
|
||||
fputs ("subject: ", stdout);
|
||||
print_dn (dn);
|
||||
ksba_free (dn);
|
||||
putchar ('\n');
|
||||
|
||||
printf ("hash algo: %d\n", ksba_cert_get_digest_algo (cert));
|
||||
|
||||
ksba_cert_hash (cert, NULL, NULL);
|
||||
}
|
||||
|
||||
leave:
|
||||
ksba_cert_release (cert);
|
||||
@ -208,6 +323,3 @@ gpgsm_import (int in_fd)
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user