security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-05-19 09:02:22 +02:00
Code Activity

Add KEYEXPIRED, EXPSIG, and EXPKEYSIG. Add

Browse Source 
"deprecated-use-keyexpired-instead" to SIGEXPIRED.

Start transition from SIGEXPIRED to KEYEXPIRED, since the actual event is
signature verification by an expired key and not an expired signature.
Rename do_signature_check as signature_check2, make public, and change all
callers.

Use status EXPSIG for an expired, but good, signature.  Add the expiration
time (or 0) to the VALIDSIG status line.  Use status KEYEXPSIG for a good
signature from an expired key.

Remove checks for no arguments now that argparse does it.
This commit is contained in:
David Shaw 2002-04-10 04:21:26 +00:00
parent 2ad36cb4f2
commit d367d40e47
7 changed files with 80 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
g10/ChangeLog
View File

@ -1,3 +1,23 @@
2002-04-08 David Shaw <dshaw@jabberwocky.com>
* status.h, status.c (get_status_string): Add KEYEXPIRED, EXPSIG,
and EXPKEYSIG. Add "deprecated-use-keyexpired-instead" to
SIGEXPIRED.
* sig-check.c (do_check): Start transition from SIGEXPIRED to
KEYEXPIRED, since the actual event is signature verification by an
expired key and not an expired signature. (do_signature_check,
packet.h): Rename as signature_check2, make public, and change all
callers.
* mainproc.c (check_sig_and_print, do_check_sig): Use status
EXPSIG for an expired, but good, signature. Add the expiration
time (or 0) to the VALIDSIG status line. Use status KEYEXPSIG for
a good signature from an expired key.
* g10.c (main): remove checks for no arguments now that argparse
does it.
2002-04-06 Werner Koch <wk@gnupg.org> 2002-04-06 Werner Koch <wk@gnupg.org>
* keyring.c (keyring_get_keyblock): Disable the keylist mode here. * keyring.c (keyring_get_keyblock): Disable the keylist mode here.
@ -1645,6 +1665,7 @@
* sign.c (make_keysig_packet): Added new sigversion argument to * sign.c (make_keysig_packet): Added new sigversion argument to
allow the caller to force generation of required signature allow the caller to force generation of required signature
version. Changed all callers. Suggested by Thomas Roessler. version. Changed all callers. Suggested by Thomas Roessler.
* keyedit.c (sign_uids): Force v4 signature generation for local * keyedit.c (sign_uids): Force v4 signature generation for local
sigs. Removed the check for local signature and pre-v4 keys. sigs. Removed the check for local signature and pre-v4 keys.

4
g10/g10.c
View File

@ -1191,16 +1191,14 @@ main( int argc, char **argv )
#endif /* __riscos__ */ #endif /* __riscos__ */
break; break;
case oKeyServer: case oKeyServer:
if(pargs.r.ret_str==NULL || parse_keyserver_uri(pargs.r.ret_str)) if(parse_keyserver_uri(pargs.r.ret_str))
log_error(_("could not parse keyserver URI\n")); log_error(_("could not parse keyserver URI\n"));
break; break;
case oKeyServerOptions: case oKeyServerOptions:
if(pargs.r.ret_str)
parse_keyserver_options(pargs.r.ret_str); parse_keyserver_options(pargs.r.ret_str);
break; break;
case oTempDir: opt.temp_dir=pargs.r.ret_str; break; case oTempDir: opt.temp_dir=pargs.r.ret_str; break;
case oExecPath: case oExecPath:
if(pargs.r.ret_str)
{ {
/* Notice that path is never freed. That is /* Notice that path is never freed. That is
intentional due to the way putenv() works. */ intentional due to the way putenv() works. */

43
g10/mainproc.c
View File

@ -619,11 +619,14 @@ proc_compressed( CTX c, PACKET *pkt )
* Returns: 0 = valid signature or an error code * Returns: 0 = valid signature or an error code
*/ */
static int static int
do_check_sig( CTX c, KBNODE node, int *is_selfsig ) do_check_sig( CTX c, KBNODE node, int *is_selfsig, int *is_expkey )
{ {
PKT_signature *sig; PKT_signature *sig;
MD_HANDLE md = NULL, md2 = NULL; MD_HANDLE md = NULL, md2 = NULL;
int algo, rc; int algo, rc, dummy, dum2;
if(!is_expkey)
is_expkey=&dum2;
assert( node->pkt->pkttype == PKT_SIGNATURE ); assert( node->pkt->pkttype == PKT_SIGNATURE );
if( is_selfsig ) if( is_selfsig )
@ -677,9 +680,9 @@ do_check_sig( CTX c, KBNODE node, int *is_selfsig )
} }
else else
return G10ERR_SIG_CLASS; return G10ERR_SIG_CLASS;
rc = signature_check( sig, md ); rc = signature_check2( sig, md, &dummy, is_expkey );
if( rc == G10ERR_BAD_SIGN && md2 ) if( rc == G10ERR_BAD_SIGN && md2 )
rc = signature_check( sig, md2 ); rc = signature_check2( sig, md2, &dummy, is_expkey );
md_close(md); md_close(md);
md_close(md2); md_close(md2);
@ -939,7 +942,7 @@ list_node( CTX c, KBNODE node )
fputs("sig", stdout); fputs("sig", stdout);
if( opt.check_sigs ) { if( opt.check_sigs ) {
fflush(stdout); fflush(stdout);
switch( (rc2=do_check_sig( c, node, &is_selfsig )) ) { switch( (rc2=do_check_sig( c, node, &is_selfsig, NULL )) ) {
case 0: sigrc = '!'; break; case 0: sigrc = '!'; break;
case G10ERR_BAD_SIGN: sigrc = '-'; break; case G10ERR_BAD_SIGN: sigrc = '-'; break;
case G10ERR_NO_PUBKEY: case G10ERR_NO_PUBKEY:
@ -1188,7 +1191,7 @@ check_sig_and_print( CTX c, KBNODE node )
{ {
PKT_signature *sig = node->pkt->pkt.signature; PKT_signature *sig = node->pkt->pkt.signature;
const char *astr, *tstr; const char *astr, *tstr;
int rc; int rc, is_expkey=0;
if( opt.skip_verify ) { if( opt.skip_verify ) {
log_info(_("signature verification suppressed\n")); log_info(_("signature verification suppressed\n"));
@ -1257,16 +1260,25 @@ check_sig_and_print( CTX c, KBNODE node )
log_info(_("Signature made %.*s using %s key ID %08lX\n"), log_info(_("Signature made %.*s using %s key ID %08lX\n"),
(int)strlen(tstr), tstr, astr? astr: "?", (ulong)sig->keyid[1] ); (int)strlen(tstr), tstr, astr? astr: "?", (ulong)sig->keyid[1] );
rc = do_check_sig(c, node, NULL ); rc = do_check_sig(c, node, NULL, &is_expkey );
if( rc == G10ERR_NO_PUBKEY && opt.keyserver_scheme && opt.keyserver_options.auto_key_retrieve) { if( rc == G10ERR_NO_PUBKEY && opt.keyserver_scheme && opt.keyserver_options.auto_key_retrieve) {
if( keyserver_import_keyid ( sig->keyid )==0 ) if( keyserver_import_keyid ( sig->keyid )==0 )
rc = do_check_sig(c, node, NULL ); rc = do_check_sig(c, node, NULL, &is_expkey );
} }
if( !rc || rc == G10ERR_BAD_SIGN ) { if( !rc || rc == G10ERR_BAD_SIGN ) {
KBNODE un, keyblock; KBNODE un, keyblock;
int count=0; int count=0, statno;
char keyid_str[50]; char keyid_str[50];
if(rc)
statno=STATUS_BADSIG;
else if(sig->flags.expired)
statno=STATUS_EXPSIG;
else if(is_expkey)
statno=STATUS_EXPKEYSIG;
else
statno=STATUS_GOODSIG;
keyblock = get_pubkeyblock( sig->keyid ); keyblock = get_pubkeyblock( sig->keyid );
sprintf (keyid_str, "%08lX%08lX [uncertain] ", sprintf (keyid_str, "%08lX%08lX [uncertain] ",
@ -1284,8 +1296,7 @@ check_sig_and_print( CTX c, KBNODE node )
continue; continue;
keyid_str[17] = 0; /* cut off the "[uncertain]" part */ keyid_str[17] = 0; /* cut off the "[uncertain]" part */
write_status_text_and_buffer (rc? STATUS_BADSIG:STATUS_GOODSIG, write_status_text_and_buffer (statno, keyid_str,
keyid_str,
un->pkt->pkt.user_id->name, un->pkt->pkt.user_id->name,
un->pkt->pkt.user_id->len, un->pkt->pkt.user_id->len,
-1 ); -1 );
@ -1307,8 +1318,7 @@ check_sig_and_print( CTX c, KBNODE node )
if (opt.always_trust || !un) if (opt.always_trust || !un)
keyid_str[17] = 0; /* cut off the "[uncertain]" part */ keyid_str[17] = 0; /* cut off the "[uncertain]" part */
write_status_text_and_buffer (rc? STATUS_BADSIG:STATUS_GOODSIG, write_status_text_and_buffer (statno, keyid_str,
keyid_str,
un? un->pkt->pkt.user_id->name:"[?]", un? un->pkt->pkt.user_id->name:"[?]",
un? un->pkt->pkt.user_id->len:3, un? un->pkt->pkt.user_id->len:3,
-1 ); -1 );
@ -1354,16 +1364,17 @@ check_sig_and_print( CTX c, KBNODE node )
if( !get_pubkey( pk, sig->keyid ) ) { if( !get_pubkey( pk, sig->keyid ) ) {
byte array[MAX_FINGERPRINT_LEN], *p; byte array[MAX_FINGERPRINT_LEN], *p;
char buf[MAX_FINGERPRINT_LEN*2+61]; char buf[MAX_FINGERPRINT_LEN*2+72];
size_t i, n; size_t i, n;
fingerprint_from_pk( pk, array, &n ); fingerprint_from_pk( pk, array, &n );
p = array; p = array;
for(i=0; i < n ; i++, p++ ) for(i=0; i < n ; i++, p++ )
sprintf(buf+2*i, "%02X", *p ); sprintf(buf+2*i, "%02X", *p );
sprintf(buf+strlen(buf), " %s %lu", sprintf(buf+strlen(buf), " %s %lu %lu",
strtimestamp( sig->timestamp ), strtimestamp( sig->timestamp ),
(ulong)sig->timestamp ); (ulong)sig->timestamp,
(ulong)sig->expiredate );
write_status_text( STATUS_VALIDSIG, buf ); write_status_text( STATUS_VALIDSIG, buf );
} }
free_public_key( pk ); free_public_key( pk );

2
g10/packet.h
View File

@ -439,6 +439,8 @@ int cmp_user_ids( PKT_user_id *a, PKT_user_id *b );
/*-- sig-check.c --*/ /*-- sig-check.c --*/
int signature_check( PKT_signature *sig, MD_HANDLE digest ); int signature_check( PKT_signature *sig, MD_HANDLE digest );
int signature_check2( PKT_signature *sig, MD_HANDLE digest,
u32 *r_expiredate, int *r_expired );
/*-- seckey-cert.c --*/ /*-- seckey-cert.c --*/
int is_secret_key_protected( PKT_secret_key *sk ); int is_secret_key_protected( PKT_secret_key *sk );

18
g10/sig-check.c
View File

@ -39,13 +39,9 @@ struct cmp_help_context_s {
MD_HANDLE md; MD_HANDLE md;
}; };
static int do_signature_check( PKT_signature *sig, MD_HANDLE digest,
u32 *r_expiredate, int *r_expired );
static int do_check( PKT_public_key *pk, PKT_signature *sig, static int do_check( PKT_public_key *pk, PKT_signature *sig,
MD_HANDLE digest, int *r_expired ); MD_HANDLE digest, int *r_expired );
/**************** /****************
* Check the signature which is contained in SIG. * Check the signature which is contained in SIG.
* The MD_HANDLE should be currently open, so that this function * The MD_HANDLE should be currently open, so that this function
@ -56,11 +52,11 @@ signature_check( PKT_signature *sig, MD_HANDLE digest )
{ {
u32 dummy; u32 dummy;
int dum2; int dum2;
return do_signature_check( sig, digest, &dummy, &dum2 ); return signature_check2( sig, digest, &dummy, &dum2 );
} }
static int int
do_signature_check( PKT_signature *sig, MD_HANDLE digest, signature_check2( PKT_signature *sig, MD_HANDLE digest,
u32 *r_expiredate, int *r_expired ) u32 *r_expiredate, int *r_expired )
{ {
PKT_public_key *pk = m_alloc_clear( sizeof *pk ); PKT_public_key *pk = m_alloc_clear( sizeof *pk );
@ -82,7 +78,7 @@ do_signature_check( PKT_signature *sig, MD_HANDLE digest,
* this sig-id we could have also used the hash of the document * this sig-id we could have also used the hash of the document
* and the timestamp, but the drawback of this is, that it is * and the timestamp, but the drawback of this is, that it is
* not possible to sign more than one identical document within * not possible to sign more than one identical document within
* one second. Some remote bacth processing applications might * one second. Some remote batch processing applications might
* like this feature here */ * like this feature here */
MD_HANDLE md; MD_HANDLE md;
u32 a = sig->timestamp; u32 a = sig->timestamp;
@ -233,6 +229,7 @@ do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest,
} }
if( pk->expiredate && pk->expiredate < cur_time ) { if( pk->expiredate && pk->expiredate < cur_time ) {
char buf[11];
if (opt.verbose) { if (opt.verbose) {
u32 tmp_kid[2]; u32 tmp_kid[2];
@ -240,6 +237,9 @@ do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest,
log_info(_("NOTE: signature key %08lX expired %s\n"), log_info(_("NOTE: signature key %08lX expired %s\n"),
(ulong)tmp_kid[1], asctimestamp( pk->expiredate ) ); (ulong)tmp_kid[1], asctimestamp( pk->expiredate ) );
} }
/* SIGEXPIRED is deprecated. Use KEYEXPIRED. */
sprintf(buf,"%lu",(ulong)pk->expiredate);
write_status_text(STATUS_KEYEXPIRED,buf);
write_status(STATUS_SIGEXPIRED); write_status(STATUS_SIGEXPIRED);
*r_expired = 1; *r_expired = 1;
} }
@ -490,7 +490,7 @@ check_key_signature2( KBNODE root, KBNODE node, int *is_selfsig,
rc = do_check( pk, sig, md, r_expired ); rc = do_check( pk, sig, md, r_expired );
} }
else { else {
rc = do_signature_check( sig, md, r_expiredate, r_expired ); rc = signature_check2( sig, md, r_expiredate, r_expired );
} }
cache_sig_result ( sig, rc ); cache_sig_result ( sig, rc );
md_close(md); md_close(md);

5
g10/status.c
View File

@ -84,7 +84,7 @@ get_status_string ( int no )
case STATUS_LEAVE : s = "LEAVE"; break; case STATUS_LEAVE : s = "LEAVE"; break;
case STATUS_ABORT : s = "ABORT"; break; case STATUS_ABORT : s = "ABORT"; break;
case STATUS_GOODSIG: s = "GOODSIG"; break; case STATUS_GOODSIG: s = "GOODSIG"; break;
case STATUS_SIGEXPIRED: s = "SIGEXPIRED"; break; case STATUS_KEYEXPIRED: s = "KEYEXPIRED"; break;
case STATUS_KEYREVOKED: s = "KEYREVOKED"; break; case STATUS_KEYREVOKED: s = "KEYREVOKED"; break;
case STATUS_BADSIG : s = "BADSIG"; break; case STATUS_BADSIG : s = "BADSIG"; break;
case STATUS_ERRSIG : s = "ERRSIG"; break; case STATUS_ERRSIG : s = "ERRSIG"; break;
@ -143,6 +143,9 @@ get_status_string ( int no )
case STATUS_INV_RECP : s = "INV_RECP"; break; case STATUS_INV_RECP : s = "INV_RECP"; break;
case STATUS_NO_RECP : s = "NO_RECP"; break; case STATUS_NO_RECP : s = "NO_RECP"; break;
case STATUS_ALREADY_SIGNED : s = "ALREADY_SIGNED"; break; case STATUS_ALREADY_SIGNED : s = "ALREADY_SIGNED"; break;
case STATUS_SIGEXPIRED : s = "SIGEXPIRED deprecated-use-keyexpired-instead"; break;
case STATUS_EXPSIG : s = "EXPSIG"; break;
case STATUS_EXPKEYSIG : s = "EXPKEYSIG"; break;
default: s = "?"; break; default: s = "?"; break;
} }
return s; return s;

6
g10/status.h
View File

@ -33,7 +33,7 @@
#define STATUS_BADARMOR 7 #define STATUS_BADARMOR 7
#define STATUS_RSA_OR_IDEA 8 #define STATUS_RSA_OR_IDEA 8
#define STATUS_SIGEXPIRED 9 #define STATUS_KEYEXPIRED 9
#define STATUS_KEYREVOKED 10 #define STATUS_KEYREVOKED 10
#define STATUS_TRUST_UNDEFINED 11 #define STATUS_TRUST_UNDEFINED 11
@ -93,7 +93,9 @@
#define STATUS_INV_RECP 61 #define STATUS_INV_RECP 61
#define STATUS_NO_RECP 62 #define STATUS_NO_RECP 62
#define STATUS_ALREADY_SIGNED 63 #define STATUS_ALREADY_SIGNED 63
#define STATUS_SIGEXPIRED 64
#define STATUS_EXPSIG 65
#define STATUS_EXPKEYSIG 66
/*-- status.c --*/ /*-- status.c --*/
void set_status_fd ( int fd ); void set_status_fd ( int fd );