1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

* gpgsm.c (main): New option --debug-ignore-expiration.

* certchain.c (gpgsm_validate_chain): Use it here.

* certlist.c (cert_usage_p): Apply extKeyUsage.
This commit is contained in:
Werner Koch 2004-02-20 13:46:21 +00:00
parent a1b487a17a
commit aa0e38982a
8 changed files with 159 additions and 36 deletions

24
TODO
View File

@ -21,14 +21,6 @@ might want to have an agent context for each service request
** When a certificate chain was sucessfully verified, make ephemeral certs used in this chain permanent.
** figure out how to auto retrieve a key by serialno+issuer.
Dirmngr is currently not able to parse more than the CN.
** Try all available root certs in case we have several of them in our keybox.
For example TC TrustCenter Class 1 CA certs are ambiguous becuase
user certs don't come with a authorityKeyIdentifier.
** Support extKeyUsage
The only value which makes sense for us is emailProtection (I have
not yet found a test cetificate with that). We might want to allow
other usages depending on special options (e.g. an option used for code
signing).
* sm/decrypt.c
** replace leading zero in integer hack by a cleaner solution
@ -49,10 +41,12 @@ might want to have an agent context for each service request
** Remove the inter-module dependencies between gpgsm and keybox
** Add an source_of_key field
** We need an error code GPG_ERR_NOT_LOCKED
It is already libgpg-error.
* agent/gpg-agent.c
** A SIGHUP should also restart the scdaemon
But do this only after all connections terminated.
As of now we only send a RESET.
* agent/command.c
** Make sure that secure memory is used where appropriate
@ -63,10 +57,6 @@ might want to have an agent context for each service request
* agent/divert-scd.c
Remove the agent_reset_scd kludge.
* agent/protect-tool.c
** Export certificates along with the secret key.
** BUG? --p12-export seems to work only with unprotected keys
* Move pkcs-1 encoding into libgcrypt.
* Use a MAC to protect some files.
@ -74,12 +64,6 @@ might want to have an agent context for each service request
* sm/export.c
** Return an error code or a status info per user ID.
* scd/apdu.c
** We need close_reader functionality
* ALL
** Return IMPORT_OK status.
* Where is http.c, regcomp.c, srv.c, w32reg.c ?
* scd/sc-investigate
@ -90,12 +74,12 @@ might want to have an agent context for each service request
authentication key. Old GnuPG versions seem to encode the wrong
keyID.
* Store the revocation status directly in the Keybox
* tests
** Makefile.am
We use printf(1) to setup the library path, this is not portable.
Furthermore LD_LIBRARY_PATH is not used on all systems. It doesn't
matter for now, because we use some GNU/*BSDish features anyway.
** Add a test to check the extkeyusage.

View File

@ -411,6 +411,12 @@ Same as @code{--debug=0xffffffff}
This is actually not a debugging option but only useful as such. It
lets gpgsm bypass all certificate chain validation checks.
@item --debug-ignore-expiration
@opindex debug-ignore-expiration
This is actually not a debugging option but only useful as such. It
lets gpgsm ignore all notAfter dates, this is used by the regresssion
tests.
@end table
All the long options may also be given in the configuration file after

View File

@ -1,3 +1,10 @@
2004-02-20 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): New option --debug-ignore-expiration.
* certchain.c (gpgsm_validate_chain): Use it here.
* certlist.c (cert_usage_p): Apply extKeyUsage.
2004-02-19 Werner Koch <wk@gnupg.org>
* export.c (export_p12, popen_protect_tool)

View File

@ -66,7 +66,6 @@ do_list (int is_error, int listmode, FILE *fp, const char *format, ...)
}
static int
unknown_criticals (ksba_cert_t cert, int listmode, FILE *fp)
{
@ -74,6 +73,7 @@ unknown_criticals (ksba_cert_t cert, int listmode, FILE *fp)
"2.5.29.15", /* keyUsage */
"2.5.29.19", /* basic Constraints */
"2.5.29.32", /* certificatePolicies */
"2.5.29.37", /* extendedKeyUsage - handled by certlist.c */
NULL
};
int rc = 0, i, idx, crit;
@ -548,15 +548,19 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
rc = gpg_error (GPG_ERR_CERT_TOO_YOUNG);
goto leave;
}
if (not_after && strcmp (current_time, not_after) > 0 )
if (*not_after && strcmp (current_time, not_after) > 0 )
{
do_list (1, lm, fp, _("certificate has expired"));
do_list (opt.ignore_expiration?0:1, lm, fp,
_("certificate has expired"));
if (!lm)
{
log_error ("(expired at ");
log_info ("(expired at ");
gpgsm_dump_time (not_after);
log_printf (")\n");
}
if (opt.ignore_expiration)
log_info ("WARNING: ignoring expiration\n");
else
any_expired = 1;
}
}

View File

@ -1,5 +1,5 @@
/* certlist.c - build list of certificates
* Copyright (C) 2001, 2003 Free Software Foundation, Inc.
* Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@ -34,6 +34,13 @@
#include "keydb.h"
#include "i18n.h"
static const char oid_kp_serverAuth[] = "1.3.6.1.5.5.7.3.1";
static const char oid_kp_clientAuth[] = "1.3.6.1.5.5.7.3.2";
static const char oid_kp_codeSigning[] = "1.3.6.1.5.5.7.3.3";
static const char oid_kp_emailProtection[]= "1.3.6.1.5.5.7.3.4";
static const char oid_kp_timeStamping[] = "1.3.6.1.5.5.7.3.8";
/* Return 0 if the cert is usable for encryption. A MODE of 0 checks
for signing a MODE of 1 checks for encryption, a MODE of 2 checks
for verification and a MODE of 3 for decryption (just for
@ -43,20 +50,78 @@ cert_usage_p (ksba_cert_t cert, int mode)
{
gpg_error_t err;
unsigned int use;
char *extkeyusages;
err = ksba_cert_get_ext_key_usages (cert, &extkeyusages);
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
err = 0; /* no policy given */
if (!err)
{
unsigned int extusemask = ~0; /* Allow all. */
if (extkeyusages)
{
char *p, *pend;
int any_critical = 0;
extusemask = 0;
p = extkeyusages;
while (p && (pend=strchr (p, ':')))
{
*pend++ = 0;
/* Only care about critical flagged usages. */
if ( *pend == 'C' )
{
any_critical = 1;
if ( !strcmp (p, oid_kp_serverAuth))
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE
| KSBA_KEYUSAGE_KEY_ENCIPHERMENT
| KSBA_KEYUSAGE_KEY_AGREEMENT);
else if ( !strcmp (p, oid_kp_clientAuth))
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE
| KSBA_KEYUSAGE_KEY_AGREEMENT);
else if ( !strcmp (p, oid_kp_codeSigning))
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE);
else if ( !strcmp (p, oid_kp_emailProtection))
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE
| KSBA_KEYUSAGE_NON_REPUDIATION
| KSBA_KEYUSAGE_KEY_ENCIPHERMENT
| KSBA_KEYUSAGE_KEY_AGREEMENT);
else if ( !strcmp (p, oid_kp_timeStamping))
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE
| KSBA_KEYUSAGE_NON_REPUDIATION);
}
if ((p = strchr (pend, '\n')))
p++;
}
xfree (extkeyusages);
extkeyusages = NULL;
if (!any_critical)
extusemask = ~0; /* Reset to the don't care mask. */
}
err = ksba_cert_get_key_usage (cert, &use);
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
{
err = 0;
if (opt.verbose && mode < 2)
log_info (mode?
_("no key usage specified - accepted for encryption\n"):
_("no key usage specified - accepted for signing\n"));
return 0;
log_info (_("no key usage specified - assuming all usages\n"));
use = ~0;
}
/* Apply extKeyUsage. */
use &= extusemask;
}
if (err)
{
log_error (_("error getting key usage information: %s\n"),
gpg_strerror (err));
xfree (extkeyusages);
return err;
}
@ -73,6 +138,7 @@ cert_usage_p (ksba_cert_t cert, int mode)
(KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
)
return 0;
log_info (mode==3? _("certificate should have not been used for encryption\n"):
mode==2? _("certificate should have not been used for signing\n"):
mode==1? _("certificate is not usable for encryption\n"):

View File

@ -89,6 +89,7 @@ enum cmd_and_opt_values {
oDebugAll,
oDebugWait,
oDebugNoChainValidation,
oDebugIgnoreExpiration,
oLogFile,
oEnableSpecialFilenames,
@ -324,6 +325,7 @@ static ARGPARSE_OPTS opts[] = {
{ oDebugAll, "debug-all" ,0, "@"},
{ oDebugWait, "debug-wait" ,1, "@"},
{ oDebugNoChainValidation, "debug-no-chain-validation", 0, "@"},
{ oDebugIgnoreExpiration, "debug-ignore-expiration", 0, "@"},
{ oStatusFD, "status-fd" ,1, N_("|FD|write status info to this FD") },
{ aDummy, "no-comment", 0, "@"},
{ aDummy, "completes-needed", 1, "@"},
@ -991,6 +993,7 @@ main ( int argc, char **argv)
case oDebugLevel: debug_level = pargs.r.ret_str; break;
case oDebugWait: debug_wait = pargs.r.ret_int; break;
case oDebugNoChainValidation: opt.no_chain_validation = 1; break;
case oDebugIgnoreExpiration: opt.ignore_expiration = 1; break;
case oStatusFD: ctrl.status_fd = pargs.r.ret_int; break;
case oLoggerFD: log_set_fd (pargs.r.ret_int ); break;

View File

@ -94,6 +94,7 @@ struct {
char *policy_file; /* full pathname of policy file */
int no_policy_check; /* ignore certificate policies */
int no_chain_validation; /* Bypass all cert chain validity tests */
int ignore_expiration; /* Ignore the notAfter validity checks. */
int auto_issuer_key_retrieve; /* try to retrieve a missing issuer key. */
} opt;

View File

@ -46,6 +46,28 @@ struct list_external_parm_s {
};
/* This table is to map Extended Key Usage OIDs to human readable
names. */
struct {
const char *oid;
const char *name;
} key_purpose_map[] = {
{ "1.3.6.1.5.5.7.3.1", "serverAuth" },
{ "1.3.6.1.5.5.7.3.2", "clientAuth" },
{ "1.3.6.1.5.5.7.3.3", "codeSigning" },
{ "1.3.6.1.5.5.7.3.4", "emailProtection" },
{ "1.3.6.1.5.5.7.3.5", "ipsecEndSystem" },
{ "1.3.6.1.5.5.7.3.6", "ipsecTunnel" },
{ "1.3.6.1.5.5.7.3.7", "ipsecUser" },
{ "1.3.6.1.5.5.7.3.8", "timeStamping" },
{ "1.3.6.1.5.5.7.3.9", "ocspSigning" },
{ "1.3.6.1.5.5.7.3.10", "dvcs" },
{ "1.3.6.1.5.5.7.3.11", "sbgpCertAAServerAuth" },
{ "1.3.6.1.5.5.7.3.13", "eapOverPPP" },
{ "1.3.6.1.5.5.7.3.14", "wlanSSID" },
{ NULL, NULL }
};
static void
print_key_data (ksba_cert_t cert, FILE *fp)
@ -292,10 +314,10 @@ list_cert_std (ctrl_t ctrl, ksba_cert_t cert, FILE *fp, int have_secret,
ksba_sexp_t sexp;
char *dn;
ksba_isotime_t t;
int idx;
int idx, i;
int is_ca, chainlen;
unsigned int kusage;
char *string, *p;
char *string, *p, *pend;
sexp = ksba_cert_get_serial (cert);
fputs ("Serial number: ", fp);
@ -367,6 +389,36 @@ list_cert_std (ctrl_t ctrl, ksba_cert_t cert, FILE *fp, int have_secret,
putc ('\n', fp);
}
err = ksba_cert_get_ext_key_usages (cert, &string);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{
fputs ("ext key usage: ", fp);
if (err)
fprintf (fp, "[error: %s]", gpg_strerror (err));
else
{
p = string;
while (p && (pend=strchr (p, ':')))
{
*pend++ = 0;
for (i=0; key_purpose_map[i].oid; i++)
if ( !strcmp (key_purpose_map[i].oid, p) )
break;
fputs (key_purpose_map[i].oid?key_purpose_map[i].name:p, fp);
p = pend;
if (*p != 'C')
fputs (" (suggested)", fp);
if ((p = strchr (p, '\n')))
{
p++;
fputs (", ", fp);
}
}
xfree (string);
}
putc ('\n', fp);
}
err = ksba_cert_get_cert_policies (cert, &string);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{