* verify.c (strtimestamp_r, gpgsm_verify):

* sign.c (gpgsm_sign):

* keylist.c (print_time, list_cert_std, list_cert_colon):

* certdump.c (gpgsm_print_time, gpgsm_dump_time, gpgsm_dump_cert):

* certchain.c (gpgsm_validate_chain): Changed to use ksba_isotime_t.
Werner Koch 2003-10-31 12:12:47 +00:00
parent c8fb3836fb
commit dd808fa15b
8 changed files with 79 additions and 84 deletions


@ -1,3 +1,16 @@
2003-10-31 Werner Koch <wk@gnupg.org>
* verify.c (strtimestamp_r, gpgsm_verify):
* sign.c (gpgsm_sign):
* keylist.c (print_time, list_cert_std, list_cert_colon):
* certdump.c (gpgsm_print_time, gpgsm_dump_time, gpgsm_dump_cert):
* certchain.c (gpgsm_validate_chain): Changed to use ksba_isotime_t.
2003-10-25 Werner Koch <wk@gnupg.org>
* certreqgen.c (read_parameters): Fixed faulty of !spacep().


@ -408,23 +408,26 @@ gpgsm_is_root_cert (KsbaCert cert)
/* Validate a chain and optionally return the nearest expiration time
in R_EXPTIME */
int
gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime)
gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
{
int rc = 0, depth = 0, maxdepth;
char *issuer = NULL;
char *subject = NULL;
KEYDB_HANDLE kh = keydb_new (0);
KsbaCert subject_cert = NULL, issuer_cert = NULL;
time_t current_time = gnupg_get_time ();
time_t exptime = 0;
ksba_isotime_t current_time;
ksba_isotime_t exptime;
int any_expired = 0;
int any_revoked = 0;
int any_no_crl = 0;
int any_crl_too_old = 0;
int any_no_policy_match = 0;
gnupg_get_isotime (current_time);
if (r_exptime)
*r_exptime = 0;
*exptime = 0;
if (opt.no_chain_validation)
{
@ -460,26 +463,28 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime)
}
{
time_t not_before, not_after;
ksba_isotime_t not_before, not_after;
not_before = ksba_cert_get_validity (subject_cert, 0);
not_after = ksba_cert_get_validity (subject_cert, 1);
if (not_before == (time_t)(-1) || not_after == (time_t)(-1))
rc = ksba_cert_get_validity (subject_cert, 0, not_before);
if (!rc)
rc = ksba_cert_get_validity (subject_cert, 1, not_after);
if (rc)
{
log_error ("certificate with invalid validity\n");
log_error (_("certificate with invalid validity: %s\n"),
ksba_strerror (rc));
rc = gpg_error (GPG_ERR_BAD_CERT);
goto leave;
}
if (not_after)
if (*not_after)
{
if (!exptime)
exptime = not_after;
else if (not_after < exptime)
exptime = not_after;
if (!*exptime)
gnupg_copy_time (exptime, not_after);
else if (strcmp (not_after, exptime) < 0 )
gnupg_copy_time (exptime, not_after);
}
if (not_before && current_time < not_before)
if (*not_before && strcmp (current_time, not_before) < 0 )
{
log_error ("certificate too young; valid from ");
gpgsm_dump_time (not_before);
@ -487,7 +492,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime)
rc = gpg_error (GPG_ERR_CERT_TOO_YOUNG);
goto leave;
}
if (not_after && current_time > not_after)
if (not_after && strcmp (current_time, not_after) > 0 )
{
log_error ("certificate has expired at ");
gpgsm_dump_time (not_after);
@ -692,7 +697,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime)
leave:
if (r_exptime)
*r_exptime = exptime;
gnupg_copy_time (r_exptime, exptime);
xfree (issuer);
keydb_release (kh);
ksba_cert_release (issuer_cert);
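Review bot: The expiry check in the `@ -487,7 +492,7` hunk tests `not_after` instead of `*not_after`; now that `not_after` is a `ksba_isotime_t` array, that operand is always true, so a certificate whose notAfter string is empty gets compared as `strcmp (current_time, "") > 0` and is rejected as expired. The neighbouring checks (`if (*not_after)` when tracking exptime and `if (*not_before && ...)` for the too-young case) use the dereferenced form, so this line should read `if (*not_after && strcmp (current_time, not_after) > 0 )`. Whether libksba can actually hand back an empty notAfter for a certificate that passed the validity call is not visible here, but most compilers will warn about the array address in boolean context regardless. gpgsm_validate_chain starts and ends outside these hunks.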


@ -93,42 +93,22 @@ gpgsm_dump_serial (KsbaConstSexp p)
}
void
gpgsm_print_time (FILE *fp, time_t t)
gpgsm_print_time (FILE *fp, ksba_isotime_t t)
{
if (!t)
if (!t || !*t)
fputs (_("none"), fp);
else if ( t == (time_t)(-1) )
fputs ("[Error - Invalid time]", fp);
else
{
struct tm *tp;
tp = gmtime (&t);
fprintf (fp, "%04d-%02d-%02d %02d:%02d:%02d Z",
1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
tp->tm_hour, tp->tm_min, tp->tm_sec);
assert (!tp->tm_isdst);
}
fprintf (fp, "%.4s-%.2s-%.2s %.2s:%.2s:%s", t, t+4, t+6, t+9, t+11, t+13);
}
void
gpgsm_dump_time (time_t t)
gpgsm_dump_time (ksba_isotime_t t)
{
if (!t)
if (!t || !*t)
log_printf (_("[none]"));
else if ( t == (time_t)(-1) )
log_printf (_("[error]"));
else
{
struct tm *tp;
tp = gmtime (&t);
log_printf ("%04d-%02d-%02d %02d:%02d:%02d",
1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
tp->tm_hour, tp->tm_min, tp->tm_sec);
assert (!tp->tm_isdst);
}
log_printf ("%.4s-%.2s-%.2s %.2s:%.2s:%s",
t, t+4, t+6, t+9, t+11, t+13);
}
@ -167,7 +147,7 @@ gpgsm_dump_cert (const char *text, KsbaCert cert)
KsbaSexp sexp;
unsigned char *p;
char *dn;
time_t t;
ksba_isotime_t t;
log_debug ("BEGIN Certificate `%s':\n", text? text:"");
if (cert)
@ -178,11 +158,11 @@ gpgsm_dump_cert (const char *text, KsbaCert cert)
ksba_free (sexp);
log_printf ("\n");
t = ksba_cert_get_validity (cert, 0);
ksba_cert_get_validity (cert, 0, t);
log_debug (" notBefore: ");
gpgsm_dump_time (t);
log_printf ("\n");
t = ksba_cert_get_validity (cert, 1);
ksba_cert_get_validity (cert, 1, t);
log_debug (" notAfter: ");
gpgsm_dump_time (t);
log_printf ("\n");
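Review bot: In gpgsm_dump_cert the two `ksba_cert_get_validity (cert, ..., t)` calls discard their return value while `t` is declared uninitialized at the top of the function, so on failure gpgsm_dump_time would format whatever bytes happen to be in `t` unless libksba is guaranteed to clear the buffer on every error path (not visible on this page). The old code at least printed `[error]` for the (time_t)(-1) sentinel; the string form has no error encoding, so the cheapest equivalent is to blank the buffer on failure, `if (ksba_cert_get_validity (cert, 0, t)) *t = 0;` and likewise for index 1, which makes gpgsm_dump_time print `[none]`. Separately, gpgsm_print_time no longer emits the trailing ` Z` UTC marker the gmtime-based version printed; if that output change is intended it deserves a line in the ChangeLog. gpgsm_dump_cert continues outside the hunk.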


@ -1035,8 +1035,11 @@ main ( int argc, char **argv)
if (gnupg_faked_time_p ())
{
gnupg_isotime_t tbuf;
log_info (_("WARNING: running with faked system time: "));
gpgsm_dump_time (gnupg_get_time ());
gnupg_get_isotime (tbuf);
gpgsm_dump_time (tbuf);
log_printf ("\n");
}
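Review bot: `tbuf` is declared as `gnupg_isotime_t` but passed to gpgsm_dump_time, whose parameter is `ksba_isotime_t`; that only compiles cleanly if the two typedefs name the same char-array type, which this page does not show, and it leaves two spellings of the same buffer type in one call chain (keylist.c's print_time does the same in the other direction). Declaring it `ksba_isotime_t tbuf;` to match the callee, or adding a comment in gpgsm.h stating that the two types are interchangeable, would make the intent explicit. main starts and ends outside the hunk.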


@ -177,12 +177,12 @@ void gpgsm_destroy_writer (Base64Context ctx);
/*-- certdump.c --*/
void gpgsm_print_serial (FILE *fp, KsbaConstSexp p);
void gpgsm_print_time (FILE *fp, time_t t);
void gpgsm_print_time (FILE *fp, ksba_isotime_t t);
void gpgsm_print_name (FILE *fp, const char *string);
void gpgsm_dump_cert (const char *text, KsbaCert cert);
void gpgsm_dump_serial (KsbaConstSexp p);
void gpgsm_dump_time (time_t t);
void gpgsm_dump_time (ksba_isotime_t t);
void gpgsm_dump_string (const char *string);
@ -199,7 +199,7 @@ int gpgsm_create_cms_signature (KsbaCert cert, gcry_md_hd_t md, int mdalgo,
/*-- certchain.c --*/
int gpgsm_walk_cert_chain (KsbaCert start, KsbaCert *r_next);
int gpgsm_is_root_cert (KsbaCert cert);
int gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime);
int gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime);
int gpgsm_basic_cert_check (KsbaCert cert);
/*-- certlist.c --*/


@ -101,14 +101,12 @@ print_capabilities (KsbaCert cert, FILE *fp)
static void
print_time (time_t t, FILE *fp)
print_time (gnupg_isotime_t t, FILE *fp)
{
if (!t)
if (!t || !*t)
;
else if ( t == (time_t)(-1) )
putc ('?', fp);
else
fprintf (fp, "%lu", (unsigned long)t);
else
fputs (t, fp);
}
@ -153,6 +151,7 @@ list_cert_colon (KsbaCert cert, FILE *fp, int have_secret)
char *p;
KsbaSexp sexp;
char *fpr;
ksba_isotime_t t;
fputs (have_secret? "crs:":"crt:", fp);
trustletter = 0;
@ -177,9 +176,11 @@ list_cert_colon (KsbaCert cert, FILE *fp, int have_secret)
fpr+24);
/* we assume --fixed-list-mode for gpgsm */
print_time ( ksba_cert_get_validity (cert, 0), fp);
ksba_cert_get_validity (cert, 0, t);
print_time (t, fp);
putc (':', fp);
print_time ( ksba_cert_get_validity (cert, 1), fp);
ksba_cert_get_validity (cert, 1, t);
print_time ( t, fp);
putc (':', fp);
/* field 8, serial number: */
if ((sexp = ksba_cert_get_serial (cert)))
@ -280,7 +281,7 @@ list_cert_std (KsbaCert cert, FILE *fp, int have_secret)
KsbaError kerr;
KsbaSexp sexp;
char *dn;
time_t t;
ksba_isotime_t t;
int idx;
int is_ca, chainlen;
unsigned int kusage;
@ -318,11 +319,11 @@ list_cert_std (KsbaCert cert, FILE *fp, int have_secret)
putc ('\n', fp);
}
t = ksba_cert_get_validity (cert, 0);
ksba_cert_get_validity (cert, 0, t);
fputs (" validity: ", fp);
gpgsm_print_time (fp, t);
fputs (" through ", fp);
t = ksba_cert_get_validity (cert, 1);
ksba_cert_get_validity (cert, 1, t);
gpgsm_print_time (fp, t);
putc ('\n', fp);
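Review bot: In list_cert_colon the return value of both `ksba_cert_get_validity (cert, N, t)` calls is ignored and `t` is uninitialized, so on a failed lookup print_time will `fputs` indeterminate bytes straight into the colon-separated record; the old code printed `?` for the (time_t)(-1) error sentinel, and that marker is lost here. The same pattern appears in list_cert_std, where gpgsm_print_time would format the uninitialized buffer. Checking the return and emitting `?` keeps the record well-formed and preserves the old error marker (shown for list_cert_colon below). Note too that the validity fields of the `--with-colons` output switch from `%lu` epoch seconds to the ISO string, which any consumer parsing that output must be told about; the ChangeLog entry does not mention it. list_cert_colon starts and ends outside the hunk.
```c
      /* we assume --fixed-list-mode for gpgsm */
      if (ksba_cert_get_validity (cert, 0, t))
        putc ('?', fp);              /* keep the old error marker */
      else
        print_time (t, fp);
      putc (':', fp);
      if (ksba_cert_get_validity (cert, 1, t))
        putc ('?', fp);
      else
        print_time (t, fp);
      putc (':', fp);
      /* … unchanged: serial number and remaining fields … */
```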


@ -306,7 +306,7 @@ gpgsm_sign (CTRL ctrl, CERTLIST signerlist,
int signer;
const char *algoid;
int algo;
time_t signed_at;
ksba_isotime_t signed_at;
CERTLIST cl;
int release_signerlist = 0;
@ -462,7 +462,7 @@ gpgsm_sign (CTRL ctrl, CERTLIST signerlist,
}
}
signed_at = gnupg_get_time ();
gnupg_get_isotime (signed_at);
for (cl=signerlist,signer=0; cl; cl = cl->next, signer++)
{
err = ksba_cms_set_signing_time (cms, signer, signed_at);
@ -577,11 +577,11 @@ gpgsm_sign (CTRL ctrl, CERTLIST signerlist,
gcry_md_close (md);
goto leave;
}
rc = asprintf (&buf, "%c %d %d 00 %lu %s",
rc = asprintf (&buf, "%c %d %d 00 %s %s",
detached? 'D':'S',
GCRY_PK_RSA, /* FIXME: get pk algo from cert */
algo,
(ulong)signed_at,
signed_at,
fpr);
xfree (fpr);
if (rc < 0)
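Review bot: The SIG_CREATED status line built by the asprintf now carries `signed_at` as an ISO string where it previously carried `%lu` epoch seconds; that line is part of the machine-readable status interface, so any consumer parsing the timestamp field (gpgme, wrapper scripts — not visible here) will see a different token format, and nothing in this commit documents the change. A comment at the asprintf would help the next reader, e.g. `/* timestamp field is an ISO 8601 string (YYYYMMDDThhmmss), no longer epoch seconds */`, and the status-line documentation should state that both forms may appear. gpgsm_sign starts and ends outside these hunks.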


@ -35,22 +35,14 @@
#include "i18n.h"
static char *
strtimestamp_r (time_t atime)
strtimestamp_r (ksba_isotime_t atime)
{
char *buffer = xmalloc (15);
if (atime < 0)
strcpy (buffer, "????" "-??" "-??");
else if (!atime)
if (!atime || !*atime)
strcpy (buffer, "none");
else
{
struct tm *tp;
tp = gmtime( &atime );
sprintf (buffer, "%04d-%02d-%02d",
1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday);
}
sprintf (buffer, "%.4s-%.2s-%.2s", atime, atime+4, atime+6);
return buffer;
}
@ -251,7 +243,7 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
{
char *issuer = NULL;
KsbaSexp sigval = NULL;
time_t sigtime, keyexptime;
ksba_isotime_t sigtime, keyexptime;
KsbaSexp serial;
char *msgdigest = NULL;
size_t msgdigestlen;
@ -279,13 +271,14 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
log_printf ("\n");
}
err = ksba_cms_get_signing_time (cms, signer, &sigtime);
err = ksba_cms_get_signing_time (cms, signer, sigtime);
if (err == KSBA_No_Data)
sigtime = 0;
*sigtime = 0;
else if (err)
{
log_error ("error getting signing time: %s\n", ksba_strerror (err));
sigtime = (time_t)-1;
*sigtime = 0; /* FIXME: we can't encode an error in the time
string. */
}
err = ksba_cms_get_message_digest (cms, signer,
@ -383,7 +376,7 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
}
log_info (_("Signature made "));
if (sigtime)
if (*sigtime)
gpgsm_dump_time (sigtime);
else
log_printf (_("[date not given]"));
@ -459,7 +452,7 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
if (DBG_X509)
log_debug ("signature okay - checking certs\n");
rc = gpgsm_validate_chain (ctrl, cert, &keyexptime);
rc = gpgsm_validate_chain (ctrl, cert, keyexptime);
if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
{
gpgsm_status (ctrl, STATUS_EXPKEYSIG, NULL);
@ -474,8 +467,8 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
tstr = strtimestamp_r (sigtime);
buf = xmalloc ( strlen(fpr) + strlen (tstr) + 120);
sprintf (buf, "%s %s %lu %lu", fpr, tstr,
(unsigned long)sigtime, (unsigned long)keyexptime );
sprintf (buf, "%s %s %s %s", fpr, tstr,
sigtime, keyexptime );
xfree (tstr);
xfree (fpr);
gpgsm_status (ctrl, STATUS_VALIDSIG, buf);
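Review bot: The VALIDSIG status line at the end of the hunk interpolates `sigtime` and `keyexptime` with `%s`, but both can be the empty string (`*sigtime = 0` in the no-data and error paths above, and gpgsm_validate_chain zeroes r_exptime before doing anything); an empty `%s` yields two adjacent spaces, so a whitespace-splitting parser sees a missing field and reads keyexptime where it expects the signature time. The old `%lu` form printed `0` there, so keep a placeholder token: `sprintf (buf, "%s %s %s %s", fpr, tstr, *sigtime? sigtime : "0", *keyexptime? keyexptime : "0");`. The `FIXME` about not being able to encode an error in the time string is another reason to settle on a fixed placeholder now. gpgsm_verify starts and ends outside these hunks.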