Add KEYEXPIRED, EXPSIG, and EXPKEYSIG. Add

"deprecated-use-keyexpired-instead" to SIGEXPIRED.

Start transition from SIGEXPIRED to KEYEXPIRED, since the actual event is
signature verification by an expired key and not an expired signature.
Rename do_signature_check as signature_check2, make public, and change all
callers.

Use status EXPSIG for an expired, but good, signature.  Add the expiration
time (or 0) to the VALIDSIG status line.  Use status KEYEXPSIG for a good
signature from an expired key.

Remove checks for no arguments now that argparse does it.

g10/ChangeLog

@@ -1,3 +1,23 @@
+2002-04-08  David Shaw  <dshaw@jabberwocky.com>
+
+	* status.h, status.c (get_status_string): Add KEYEXPIRED, EXPSIG,
+	and EXPKEYSIG.  Add "deprecated-use-keyexpired-instead" to
+	SIGEXPIRED.
+
+	* sig-check.c (do_check): Start transition from SIGEXPIRED to
+	KEYEXPIRED, since the actual event is signature verification by an
+	expired key and not an expired signature. (do_signature_check,
+	packet.h): Rename as signature_check2, make public, and change all
+	callers.
+
+	* mainproc.c (check_sig_and_print, do_check_sig): Use status
+	EXPSIG for an expired, but good, signature.  Add the expiration
+	time (or 0) to the VALIDSIG status line.  Use status KEYEXPSIG for
+	a good signature from an expired key.
+
+	* g10.c (main): remove checks for no arguments now that argparse
+	does it.
+
 2002-04-06  Werner Koch  <wk@gnupg.org>
 
 	* keyring.c (keyring_get_keyblock): Disable the keylist mode here.
@@ -1644,7 +1664,8 @@
 
 	* sign.c (make_keysig_packet): Added new sigversion argument to
 	allow the caller to force generation of required signature
-	version. Changed all callers. Suggested by Thomas Roessler. 
+	version. Changed all callers. Suggested by Thomas Roessler.
+
 	* keyedit.c (sign_uids): Force v4 signature generation for local
 	sigs.  Removed the check for local signature and pre-v4 keys.
 

g10/g10.c

@@ -1191,25 +1191,23 @@ main( int argc, char **argv )
 #endif /* __riscos__ */
             break;
 	  case oKeyServer:
-	    if(pargs.r.ret_str==NULL || parse_keyserver_uri(pargs.r.ret_str))
+	    if(parse_keyserver_uri(pargs.r.ret_str))
 	      log_error(_("could not parse keyserver URI\n"));
 	    break;
 	  case oKeyServerOptions:
-	    if(pargs.r.ret_str)
-	      parse_keyserver_options(pargs.r.ret_str);
+	    parse_keyserver_options(pargs.r.ret_str);
 	    break;
 	  case oTempDir: opt.temp_dir=pargs.r.ret_str; break;
 	  case oExecPath:
-	    if(pargs.r.ret_str)
-	      {
-		/* Notice that path is never freed.  That is
-                   intentional due to the way putenv() works. */
-		char *path=m_alloc(5+strlen(pargs.r.ret_str)+1);
-		strcpy(path,"PATH=");
-		strcat(path,pargs.r.ret_str);
-		if(putenv(path)!=0)
-		  log_error(_("unable to set exec-path to %s\n"),path);
-	      }
+	    {
+	      /* Notice that path is never freed.  That is
+		 intentional due to the way putenv() works. */
+	      char *path=m_alloc(5+strlen(pargs.r.ret_str)+1);
+	      strcpy(path,"PATH=");
+	      strcat(path,pargs.r.ret_str);
+	      if(putenv(path)!=0)
+		log_error(_("unable to set exec-path to %s\n"),path);
+	    }
 	    break;
 	  case oNotation: add_notation_data( pargs.r.ret_str ); break;
 	  case oShowNotation: opt.show_notation=1; break;

g10/mainproc.c

@@ -619,11 +619,14 @@ proc_compressed( CTX c, PACKET *pkt )
  * Returns: 0 = valid signature or an error code
  */
 static int
-do_check_sig( CTX c, KBNODE node, int *is_selfsig )
+do_check_sig( CTX c, KBNODE node, int *is_selfsig, int *is_expkey )
 {
     PKT_signature *sig;
     MD_HANDLE md = NULL, md2 = NULL;
-    int algo, rc;
+    int algo, rc, dummy, dum2;
+
+    if(!is_expkey)
+      is_expkey=&dum2;
 
     assert( node->pkt->pkttype == PKT_SIGNATURE );
     if( is_selfsig )
@@ -677,9 +680,9 @@ do_check_sig( CTX c, KBNODE node, int *is_selfsig )
     }
     else
 	return G10ERR_SIG_CLASS;
-    rc = signature_check( sig, md );
+    rc = signature_check2( sig, md, &dummy, is_expkey );
     if( rc == G10ERR_BAD_SIGN && md2 )
-	rc = signature_check( sig, md2 );
+	rc = signature_check2( sig, md2, &dummy, is_expkey );
     md_close(md);
     md_close(md2);
 
@@ -939,7 +942,7 @@ list_node( CTX c, KBNODE node )
 	    fputs("sig", stdout);
 	if( opt.check_sigs ) {
 	    fflush(stdout);
-	    switch( (rc2=do_check_sig( c, node, &is_selfsig )) ) {
+	    switch( (rc2=do_check_sig( c, node, &is_selfsig, NULL )) ) {
 	      case 0:		       sigrc = '!'; break;
 	      case G10ERR_BAD_SIGN:    sigrc = '-'; break;
 	      case G10ERR_NO_PUBKEY: 
@@ -1188,7 +1191,7 @@ check_sig_and_print( CTX c, KBNODE node )
 {
     PKT_signature *sig = node->pkt->pkt.signature;
     const char *astr, *tstr;
-    int rc;
+    int rc, is_expkey=0;
 
     if( opt.skip_verify ) {
 	log_info(_("signature verification suppressed\n"));
@@ -1257,16 +1260,25 @@ check_sig_and_print( CTX c, KBNODE node )
     log_info(_("Signature made %.*s using %s key ID %08lX\n"),
 	    (int)strlen(tstr), tstr, astr? astr: "?", (ulong)sig->keyid[1] );
 
-    rc = do_check_sig(c, node, NULL );
+    rc = do_check_sig(c, node, NULL, &is_expkey );
     if( rc == G10ERR_NO_PUBKEY && opt.keyserver_scheme && opt.keyserver_options.auto_key_retrieve) {
 	if( keyserver_import_keyid ( sig->keyid )==0 )
-	    rc = do_check_sig(c, node, NULL );
+	    rc = do_check_sig(c, node, NULL, &is_expkey );
     }
     if( !rc || rc == G10ERR_BAD_SIGN ) {
 	KBNODE un, keyblock;
-	int count=0;
+	int count=0, statno;
         char keyid_str[50];
 
+	if(rc)
+	  statno=STATUS_BADSIG;
+	else if(sig->flags.expired)
+	  statno=STATUS_EXPSIG;
+	else if(is_expkey)
+	  statno=STATUS_EXPKEYSIG;
+	else
+	  statno=STATUS_GOODSIG;
+
 	keyblock = get_pubkeyblock( sig->keyid );
 
         sprintf (keyid_str, "%08lX%08lX [uncertain] ",
@@ -1284,8 +1296,7 @@ check_sig_and_print( CTX c, KBNODE node )
                 continue;
             
             keyid_str[17] = 0; /* cut off the "[uncertain]" part */
-            write_status_text_and_buffer (rc? STATUS_BADSIG:STATUS_GOODSIG,
-                                          keyid_str, 
+            write_status_text_and_buffer (statno, keyid_str,
                                           un->pkt->pkt.user_id->name,
                                           un->pkt->pkt.user_id->len, 
                                           -1 );
@@ -1307,8 +1318,7 @@ check_sig_and_print( CTX c, KBNODE node )
             if (opt.always_trust || !un)
                 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
 
-            write_status_text_and_buffer (rc? STATUS_BADSIG:STATUS_GOODSIG,
-                                          keyid_str, 
+            write_status_text_and_buffer (statno, keyid_str,
                                           un? un->pkt->pkt.user_id->name:"[?]",
                                           un? un->pkt->pkt.user_id->len:3, 
                                           -1 );
@@ -1354,16 +1364,17 @@ check_sig_and_print( CTX c, KBNODE node )
 
 	    if( !get_pubkey( pk, sig->keyid ) ) {
 		byte array[MAX_FINGERPRINT_LEN], *p;
-		char buf[MAX_FINGERPRINT_LEN*2+61];
+		char buf[MAX_FINGERPRINT_LEN*2+72];
 		size_t i, n;
 
 		fingerprint_from_pk( pk, array, &n );
 		p = array;
 		for(i=0; i < n ; i++, p++ )
 		    sprintf(buf+2*i, "%02X", *p );
-		sprintf(buf+strlen(buf), " %s %lu",
+		sprintf(buf+strlen(buf), " %s %lu %lu",
 					 strtimestamp( sig->timestamp ),
-					 (ulong)sig->timestamp );
+					 (ulong)sig->timestamp,
+			                 (ulong)sig->expiredate );
 		write_status_text( STATUS_VALIDSIG, buf );
 	    }
 	    free_public_key( pk );

g10/packet.h

@@ -439,6 +439,8 @@ int cmp_user_ids( PKT_user_id *a, PKT_user_id *b );
 
 /*-- sig-check.c --*/
 int signature_check( PKT_signature *sig, MD_HANDLE digest );
+int signature_check2( PKT_signature *sig, MD_HANDLE digest,
+		      u32 *r_expiredate, int *r_expired );
 
 /*-- seckey-cert.c --*/
 int is_secret_key_protected( PKT_secret_key *sk );

g10/sig-check.c

@@ -39,13 +39,9 @@ struct cmp_help_context_s {
     MD_HANDLE md;
 };
 
-
-static int do_signature_check( PKT_signature *sig, MD_HANDLE digest,
-					 u32 *r_expiredate, int *r_expired );
 static int do_check( PKT_public_key *pk, PKT_signature *sig,
 					 MD_HANDLE digest, int *r_expired );
 
-
 /****************
  * Check the signature which is contained in SIG.
  * The MD_HANDLE should be currently open, so that this function
@@ -56,12 +52,12 @@ signature_check( PKT_signature *sig, MD_HANDLE digest )
 {
     u32 dummy;
     int dum2;
-    return do_signature_check( sig, digest, &dummy, &dum2 );
+    return signature_check2( sig, digest, &dummy, &dum2 );
 }
 
-static int
-do_signature_check( PKT_signature *sig, MD_HANDLE digest,
-					u32 *r_expiredate, int *r_expired )
+int
+signature_check2( PKT_signature *sig, MD_HANDLE digest,
+		  u32 *r_expiredate, int *r_expired )
 {
     PKT_public_key *pk = m_alloc_clear( sizeof *pk );
     int rc=0;
@@ -82,7 +78,7 @@ do_signature_check( PKT_signature *sig, MD_HANDLE digest,
 	 * this sig-id we could have also used the hash of the document
 	 * and the timestamp, but the drawback of this is, that it is
 	 * not possible to sign more than one identical document within
-	 * one second.	Some remote bacth processing applications might
+	 * one second.	Some remote batch processing applications might
 	 * like this feature here */
 	MD_HANDLE md;
 	u32 a = sig->timestamp;
@@ -233,6 +229,7 @@ do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest,
     }
 
     if( pk->expiredate && pk->expiredate < cur_time ) {
+        char buf[11];
         if (opt.verbose) {
 	    u32 tmp_kid[2];
 
@@ -240,6 +237,9 @@ do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest,
             log_info(_("NOTE: signature key %08lX expired %s\n"),
                      (ulong)tmp_kid[1], asctimestamp( pk->expiredate ) );
         }
+	/* SIGEXPIRED is deprecated.  Use KEYEXPIRED. */
+	sprintf(buf,"%lu",(ulong)pk->expiredate);
+	write_status_text(STATUS_KEYEXPIRED,buf);
 	write_status(STATUS_SIGEXPIRED);
 	*r_expired = 1;
     }
@@ -490,7 +490,7 @@ check_key_signature2( KBNODE root, KBNODE node, int *is_selfsig,
 		rc = do_check( pk, sig, md, r_expired );
 	    }
 	    else {
-		rc = do_signature_check( sig, md, r_expiredate, r_expired );
+		rc = signature_check2( sig, md, r_expiredate, r_expired );
 	    }
             cache_sig_result ( sig, rc );
 	    md_close(md);

g10/status.c

@@ -84,7 +84,7 @@ get_status_string ( int no )
       case STATUS_LEAVE  : s = "LEAVE"; break;
       case STATUS_ABORT  : s = "ABORT"; break;
       case STATUS_GOODSIG: s = "GOODSIG"; break;
-      case STATUS_SIGEXPIRED: s = "SIGEXPIRED"; break;
+      case STATUS_KEYEXPIRED: s = "KEYEXPIRED"; break;
       case STATUS_KEYREVOKED: s = "KEYREVOKED"; break;
       case STATUS_BADSIG : s = "BADSIG"; break;
       case STATUS_ERRSIG : s = "ERRSIG"; break;
@@ -143,6 +143,9 @@ get_status_string ( int no )
       case STATUS_INV_RECP       : s = "INV_RECP"; break;
       case STATUS_NO_RECP        : s = "NO_RECP"; break;
       case STATUS_ALREADY_SIGNED : s = "ALREADY_SIGNED"; break;
+      case STATUS_SIGEXPIRED     : s = "SIGEXPIRED deprecated-use-keyexpired-instead"; break;
+      case STATUS_EXPSIG         : s = "EXPSIG"; break;
+      case STATUS_EXPKEYSIG      : s = "EXPKEYSIG"; break;
       default: s = "?"; break;
     }
     return s;

g10/status.h

@@ -33,7 +33,7 @@
 #define STATUS_BADARMOR  7
 
 #define STATUS_RSA_OR_IDEA 8
-#define STATUS_SIGEXPIRED  9
+#define STATUS_KEYEXPIRED  9
 #define STATUS_KEYREVOKED  10
 
 #define STATUS_TRUST_UNDEFINED 11
@@ -93,7 +93,9 @@
 #define STATUS_INV_RECP         61
 #define STATUS_NO_RECP          62
 #define STATUS_ALREADY_SIGNED   63
-
+#define STATUS_SIGEXPIRED       64
+#define STATUS_EXPSIG           65
+#define STATUS_EXPKEYSIG        66
 
 /*-- status.c --*/
 void set_status_fd ( int fd );