diff --git a/sm/ChangeLog b/sm/ChangeLog index 4bddd2487..846388f81 100644 --- a/sm/ChangeLog +++ b/sm/ChangeLog @@ -1,3 +1,15 @@ +2002-03-05 Werner Koch + + * gpgsm.c, gpgsm.h: Add local_user. + * sign.c (gpgsm_get_default_cert): New. + (get_default_signer): Use the new function if local_user is not + set otherwise used that value. + * encrypt.c (get_default_recipient): Removed. + (gpgsm_encrypt): Use gpgsm_get_default_cert. + + * verify.c (gpgsm_verify): Better error text for a bad signature + found by comparing the hashs. + 2002-02-27 Werner Koch * call-dirmngr.c, call-agent.c: Add 2 more arguments to all uses diff --git a/sm/certcheck.c b/sm/certcheck.c index 28689fcae..07f2d3509 100644 --- a/sm/certcheck.c +++ b/sm/certcheck.c @@ -204,14 +204,15 @@ gpgsm_check_cms_signature (KsbaCert cert, KsbaConstSexp sigval, } p = ksba_cert_get_public_key (cert); - if (DBG_X509) - log_debug ("public key: %s\n", p); n = gcry_sexp_canon_len (p, 0, NULL, NULL); if (!n) { log_error ("libksba did not return a proper S-Exp\n"); return GNUPG_Bug; } + if (DBG_X509) + log_printhex ("public key: ", p, n); + rc = gcry_sexp_sscan ( &s_pkey, NULL, p, n); if (rc) { @@ -256,7 +257,7 @@ gpgsm_create_cms_signature (KsbaCert cert, GCRY_MD_HD md, int mdalgo, r_sigval, &siglen); xfree (grip); /* FIXME: we should check that the returned S-Exp is valid fits int - siglen. It ould probaly be a good idea to scan and print it + siglen. It ould probably be a good idea to scan and print it again to make this sure and be sure that we have canoncical encoding */ return rc; diff --git a/sm/encrypt.c b/sm/encrypt.c index 43087fc87..526720e47 100644 --- a/sm/encrypt.c +++ b/sm/encrypt.c @@ -58,45 +58,6 @@ struct encrypt_cb_parm_s { }; -static KsbaCert -get_default_recipient (void) -{ - const char key[] = - "/CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE"; - - KEYDB_SEARCH_DESC desc; - KsbaCert cert = NULL; - KEYDB_HANDLE kh = NULL; - int rc; - - rc = keydb_classify_name (key, &desc); - if (rc) - { - log_error ("failed to find recipient: %s\n", gnupg_strerror (rc)); - return NULL; - } - - kh = keydb_new (0); - if (!kh) - return NULL; - - rc = keydb_search (kh, &desc, 1); - if (rc) - { - log_debug ("failed to find default certificate: rc=%d\n", rc); - } - else - { - rc = keydb_get_cert (kh, &cert); - if (rc) - { - log_debug ("failed to get cert: rc=%d\n", rc); - } - } - - keydb_release (kh); - return cert; -} @@ -417,8 +378,8 @@ gpgsm_encrypt (CTRL ctrl, CERTLIST recplist, int data_fd, FILE *out_fp) STATUS_NO_RECP */ if (!recplist) { - help_recplist.cert = get_default_recipient (); - if (!help_recplist.cert) + rc = gpgsm_get_default_cert (&help_recplist.cert); + if (rc) { log_error ("no default recipient found\n"); rc = seterr (General_Error); diff --git a/sm/gpgsm.c b/sm/gpgsm.c index 14c889d66..3aa35b78c 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -875,6 +875,7 @@ main ( int argc, char **argv) case oTextmode: /*fixme:opt.textmode=1;*/ break; case oUser: /* store the local users */ + opt.local_user = pargs.r.ret_str; add_to_strlist ( &locusr, pargs.r.ret_str); break; diff --git a/sm/gpgsm.h b/sm/gpgsm.h index dac0a00e2..bb75c56d1 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -58,6 +58,8 @@ struct { char *def_recipient; /* userID of the default recipient */ int def_recipient_self; /* The default recipient is the default key */ + char *local_user; /* NULL or argument to -u */ + int always_trust; /* Trust the given keys even if there is no valid certification path */ int skip_verify; /* do not check signatures on data */ @@ -189,6 +191,7 @@ int gpgsm_import (CTRL ctrl, int in_fd); int gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp); /*-- sign.c --*/ +int gpgsm_get_default_cert (KsbaCert *r_cert); int gpgsm_sign (CTRL ctrl, int data_fd, int detached, FILE *out_fp); /*-- encrypt.c --*/ diff --git a/sm/keydb.c b/sm/keydb.c index 34e7adc9d..4f7bbb594 100644 --- a/sm/keydb.c +++ b/sm/keydb.c @@ -1197,4 +1197,3 @@ keydb_store_cert (KsbaCert cert) } - diff --git a/sm/keylist.c b/sm/keylist.c index d3dd839d6..0c8416810 100644 --- a/sm/keylist.c +++ b/sm/keylist.c @@ -233,7 +233,7 @@ gpgsm_list_keys (CTRL ctrl, STRLIST names, FILE *fp, unsigned int mode) int have_secret; #warning there is no key selection yet - /* We must take care of qouting here */ + /* We must take care of quoting here */ hd = keydb_new (0); if (!hd) rc = GNUPG_General_Error; diff --git a/sm/sign.c b/sm/sign.c index 48b751b2b..b16e840bc 100644 --- a/sm/sign.c +++ b/sm/sign.c @@ -61,19 +61,84 @@ hash_data (int fd, GCRY_MD_HD md) } +/* Get the default certificate which is defined as the first one our + keyDB retruns and has a secret key available */ +int +gpgsm_get_default_cert (KsbaCert *r_cert) +{ + KEYDB_HANDLE hd; + KsbaCert cert = NULL; + int rc; + char *p; + + hd = keydb_new (0); + if (!hd) + return GNUPG_General_Error; + rc = keydb_search_first (hd); + if (rc) + { + keydb_release (hd); + return rc; + } + + do + { + rc = keydb_get_cert (hd, &cert); + if (rc) + { + log_error ("keydb_get_cert failed: %s\n", gnupg_strerror (rc)); + keydb_release (hd); + return rc; + } + + p = gpgsm_get_keygrip_hexstring (cert); + if (p) + { + if (!gpgsm_agent_havekey (p)) + { + xfree (p); + keydb_release (hd); + *r_cert = cert; + return 0; /* got it */ + } + xfree (p); + } + + ksba_cert_release (cert); + cert = NULL; + } + while (!(rc = keydb_search_next (hd))); + if (rc && rc != -1) + log_error ("keydb_search_next failed: %s\n", gnupg_strerror (rc)); + + ksba_cert_release (cert); + keydb_release (hd); + return rc; +} + + static KsbaCert get_default_signer (void) { - // const char key[] = "1.2.840.113549.1.9.1=#7472757374407765622E6465#,CN=WEB.DE TrustCenter,OU=TrustCenter,O=WEB.DE AG,L=D-76227 Karlsruhe,C=DE"; - const char key[] = - "/CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE"; - KEYDB_SEARCH_DESC desc; KsbaCert cert = NULL; KEYDB_HANDLE kh = NULL; int rc; - rc = keydb_classify_name (key, &desc); + if (!opt.local_user) + { + rc = gpgsm_get_default_cert (&cert); + if (rc) + { + if (rc != -1) + log_debug ("failed to find default certificate: %s\n", + gnupg_strerror (rc)); + return NULL; + } + return cert; + } + + rc = keydb_classify_name (opt.local_user, &desc); if (rc) { log_error ("failed to find default signer: %s\n", gnupg_strerror (rc)); @@ -103,6 +168,7 @@ get_default_signer (void) } + /* Depending on the options in CTRL add the certificate CERT as well as other certificate up in the chain to the Root-CA to the CMS object. */ diff --git a/sm/verify.c b/sm/verify.c index d4de57866..6ff1cafaa 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -328,8 +328,8 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp) || gcry_md_get_algo_dlen (algo) != msgdigestlen || !s || memcmp (s, msgdigest, msgdigestlen) ) { - log_error ("message digest attribute does not " - "match calculated one\n"); + log_error ("invalid signature: message digest attribute " + "does not match calculated one\n"); gpgsm_status (ctrl, STATUS_BADSIG, NULL); goto next_signer; } @@ -424,5 +424,3 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp) fclose (fp); return rc; } - -