From dd808fa15bd93656bae7a70a463da0bdddace254 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 31 Oct 2003 12:12:47 +0000 Subject: [PATCH] * verify.c (strtimestamp_r, gpgsm_verify): * sign.c (gpgsm_sign): * keylist.c (print_time, list_cert_std, list_cert_colon): * certdump.c (gpgsm_print_time, gpgsm_dump_time, gpgsm_dump_cert): * certchain.c (gpgsm_validate_chain): Changed to use ksba_isotime_t. --- sm/ChangeLog | 13 +++++++++++++ sm/certchain.c | 37 +++++++++++++++++++++---------------- sm/certdump.c | 40 ++++++++++------------------------------ sm/gpgsm.c | 5 ++++- sm/gpgsm.h | 6 +++--- sm/keylist.c | 23 ++++++++++++----------- sm/sign.c | 8 ++++---- sm/verify.c | 31 ++++++++++++------------------- 8 files changed, 79 insertions(+), 84 deletions(-) diff --git a/sm/ChangeLog b/sm/ChangeLog index 4a2825efe..a8dfc0896 100644 --- a/sm/ChangeLog +++ b/sm/ChangeLog @@ -1,3 +1,16 @@ +2003-10-31 Werner Koch + + + * verify.c (strtimestamp_r, gpgsm_verify): + + * sign.c (gpgsm_sign): + + * keylist.c (print_time, list_cert_std, list_cert_colon): + + * certdump.c (gpgsm_print_time, gpgsm_dump_time, gpgsm_dump_cert): + + * certchain.c (gpgsm_validate_chain): Changed to use ksba_isotime_t. + 2003-10-25 Werner Koch * certreqgen.c (read_parameters): Fixed faulty of !spacep(). diff --git a/sm/certchain.c b/sm/certchain.c index 6323c725e..216b72e0e 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -408,23 +408,26 @@ gpgsm_is_root_cert (KsbaCert cert) /* Validate a chain and optionally return the nearest expiration time in R_EXPTIME */ int -gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime) +gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime) { int rc = 0, depth = 0, maxdepth; char *issuer = NULL; char *subject = NULL; KEYDB_HANDLE kh = keydb_new (0); KsbaCert subject_cert = NULL, issuer_cert = NULL; - time_t current_time = gnupg_get_time (); - time_t exptime = 0; + ksba_isotime_t current_time; + ksba_isotime_t exptime; int any_expired = 0; int any_revoked = 0; int any_no_crl = 0; int any_crl_too_old = 0; int any_no_policy_match = 0; + + gnupg_get_isotime (current_time); if (r_exptime) *r_exptime = 0; + *exptime = 0; if (opt.no_chain_validation) { @@ -460,26 +463,28 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime) } { - time_t not_before, not_after; + ksba_isotime_t not_before, not_after; - not_before = ksba_cert_get_validity (subject_cert, 0); - not_after = ksba_cert_get_validity (subject_cert, 1); - if (not_before == (time_t)(-1) || not_after == (time_t)(-1)) + rc = ksba_cert_get_validity (subject_cert, 0, not_before); + if (!rc) + rc = ksba_cert_get_validity (subject_cert, 1, not_after); + if (rc) { - log_error ("certificate with invalid validity\n"); + log_error (_("certificate with invalid validity: %s\n"), + ksba_strerror (rc)); rc = gpg_error (GPG_ERR_BAD_CERT); goto leave; } - if (not_after) + if (*not_after) { - if (!exptime) - exptime = not_after; - else if (not_after < exptime) - exptime = not_after; + if (!*exptime) + gnupg_copy_time (exptime, not_after); + else if (strcmp (not_after, exptime) < 0 ) + gnupg_copy_time (exptime, not_after); } - if (not_before && current_time < not_before) + if (*not_before && strcmp (current_time, not_before) < 0 ) { log_error ("certificate too young; valid from "); gpgsm_dump_time (not_before); @@ -487,7 +492,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime) rc = gpg_error (GPG_ERR_CERT_TOO_YOUNG); goto leave; } - if (not_after && current_time > not_after) + if (not_after && strcmp (current_time, not_after) > 0 ) { log_error ("certificate has expired at "); gpgsm_dump_time (not_after); @@ -692,7 +697,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime) leave: if (r_exptime) - *r_exptime = exptime; + gnupg_copy_time (r_exptime, exptime); xfree (issuer); keydb_release (kh); ksba_cert_release (issuer_cert); diff --git a/sm/certdump.c b/sm/certdump.c index 703e07186..f06cc5832 100644 --- a/sm/certdump.c +++ b/sm/certdump.c @@ -93,42 +93,22 @@ gpgsm_dump_serial (KsbaConstSexp p) } void -gpgsm_print_time (FILE *fp, time_t t) +gpgsm_print_time (FILE *fp, ksba_isotime_t t) { - if (!t) + if (!t || !*t) fputs (_("none"), fp); - else if ( t == (time_t)(-1) ) - fputs ("[Error - Invalid time]", fp); else - { - struct tm *tp; - - tp = gmtime (&t); - fprintf (fp, "%04d-%02d-%02d %02d:%02d:%02d Z", - 1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday, - tp->tm_hour, tp->tm_min, tp->tm_sec); - assert (!tp->tm_isdst); - } + fprintf (fp, "%.4s-%.2s-%.2s %.2s:%.2s:%s", t, t+4, t+6, t+9, t+11, t+13); } void -gpgsm_dump_time (time_t t) +gpgsm_dump_time (ksba_isotime_t t) { - - if (!t) + if (!t || !*t) log_printf (_("[none]")); - else if ( t == (time_t)(-1) ) - log_printf (_("[error]")); else - { - struct tm *tp; - - tp = gmtime (&t); - log_printf ("%04d-%02d-%02d %02d:%02d:%02d", - 1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday, - tp->tm_hour, tp->tm_min, tp->tm_sec); - assert (!tp->tm_isdst); - } + log_printf ("%.4s-%.2s-%.2s %.2s:%.2s:%s", + t, t+4, t+6, t+9, t+11, t+13); } @@ -167,7 +147,7 @@ gpgsm_dump_cert (const char *text, KsbaCert cert) KsbaSexp sexp; unsigned char *p; char *dn; - time_t t; + ksba_isotime_t t; log_debug ("BEGIN Certificate `%s':\n", text? text:""); if (cert) @@ -178,11 +158,11 @@ gpgsm_dump_cert (const char *text, KsbaCert cert) ksba_free (sexp); log_printf ("\n"); - t = ksba_cert_get_validity (cert, 0); + ksba_cert_get_validity (cert, 0, t); log_debug (" notBefore: "); gpgsm_dump_time (t); log_printf ("\n"); - t = ksba_cert_get_validity (cert, 1); + ksba_cert_get_validity (cert, 1, t); log_debug (" notAfter: "); gpgsm_dump_time (t); log_printf ("\n"); diff --git a/sm/gpgsm.c b/sm/gpgsm.c index c392886ba..3fab49731 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -1035,8 +1035,11 @@ main ( int argc, char **argv) if (gnupg_faked_time_p ()) { + gnupg_isotime_t tbuf; + log_info (_("WARNING: running with faked system time: ")); - gpgsm_dump_time (gnupg_get_time ()); + gnupg_get_isotime (tbuf); + gpgsm_dump_time (tbuf); log_printf ("\n"); } diff --git a/sm/gpgsm.h b/sm/gpgsm.h index f996d578c..f0b10c8dc 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -177,12 +177,12 @@ void gpgsm_destroy_writer (Base64Context ctx); /*-- certdump.c --*/ void gpgsm_print_serial (FILE *fp, KsbaConstSexp p); -void gpgsm_print_time (FILE *fp, time_t t); +void gpgsm_print_time (FILE *fp, ksba_isotime_t t); void gpgsm_print_name (FILE *fp, const char *string); void gpgsm_dump_cert (const char *text, KsbaCert cert); void gpgsm_dump_serial (KsbaConstSexp p); -void gpgsm_dump_time (time_t t); +void gpgsm_dump_time (ksba_isotime_t t); void gpgsm_dump_string (const char *string); @@ -199,7 +199,7 @@ int gpgsm_create_cms_signature (KsbaCert cert, gcry_md_hd_t md, int mdalgo, /*-- certchain.c --*/ int gpgsm_walk_cert_chain (KsbaCert start, KsbaCert *r_next); int gpgsm_is_root_cert (KsbaCert cert); -int gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime); +int gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime); int gpgsm_basic_cert_check (KsbaCert cert); /*-- certlist.c --*/ diff --git a/sm/keylist.c b/sm/keylist.c index 634bda292..548f2a452 100644 --- a/sm/keylist.c +++ b/sm/keylist.c @@ -101,14 +101,12 @@ print_capabilities (KsbaCert cert, FILE *fp) static void -print_time (time_t t, FILE *fp) +print_time (gnupg_isotime_t t, FILE *fp) { - if (!t) + if (!t || !*t) ; - else if ( t == (time_t)(-1) ) - putc ('?', fp); - else - fprintf (fp, "%lu", (unsigned long)t); + else + fputs (t, fp); } @@ -153,6 +151,7 @@ list_cert_colon (KsbaCert cert, FILE *fp, int have_secret) char *p; KsbaSexp sexp; char *fpr; + ksba_isotime_t t; fputs (have_secret? "crs:":"crt:", fp); trustletter = 0; @@ -177,9 +176,11 @@ list_cert_colon (KsbaCert cert, FILE *fp, int have_secret) fpr+24); /* we assume --fixed-list-mode for gpgsm */ - print_time ( ksba_cert_get_validity (cert, 0), fp); + ksba_cert_get_validity (cert, 0, t); + print_time (t, fp); putc (':', fp); - print_time ( ksba_cert_get_validity (cert, 1), fp); + ksba_cert_get_validity (cert, 1, t); + print_time ( t, fp); putc (':', fp); /* field 8, serial number: */ if ((sexp = ksba_cert_get_serial (cert))) @@ -280,7 +281,7 @@ list_cert_std (KsbaCert cert, FILE *fp, int have_secret) KsbaError kerr; KsbaSexp sexp; char *dn; - time_t t; + ksba_isotime_t t; int idx; int is_ca, chainlen; unsigned int kusage; @@ -318,11 +319,11 @@ list_cert_std (KsbaCert cert, FILE *fp, int have_secret) putc ('\n', fp); } - t = ksba_cert_get_validity (cert, 0); + ksba_cert_get_validity (cert, 0, t); fputs (" validity: ", fp); gpgsm_print_time (fp, t); fputs (" through ", fp); - t = ksba_cert_get_validity (cert, 1); + ksba_cert_get_validity (cert, 1, t); gpgsm_print_time (fp, t); putc ('\n', fp); diff --git a/sm/sign.c b/sm/sign.c index 0afb52b62..8e7431312 100644 --- a/sm/sign.c +++ b/sm/sign.c @@ -306,7 +306,7 @@ gpgsm_sign (CTRL ctrl, CERTLIST signerlist, int signer; const char *algoid; int algo; - time_t signed_at; + ksba_isotime_t signed_at; CERTLIST cl; int release_signerlist = 0; @@ -462,7 +462,7 @@ gpgsm_sign (CTRL ctrl, CERTLIST signerlist, } } - signed_at = gnupg_get_time (); + gnupg_get_isotime (signed_at); for (cl=signerlist,signer=0; cl; cl = cl->next, signer++) { err = ksba_cms_set_signing_time (cms, signer, signed_at); @@ -577,11 +577,11 @@ gpgsm_sign (CTRL ctrl, CERTLIST signerlist, gcry_md_close (md); goto leave; } - rc = asprintf (&buf, "%c %d %d 00 %lu %s", + rc = asprintf (&buf, "%c %d %d 00 %s %s", detached? 'D':'S', GCRY_PK_RSA, /* FIXME: get pk algo from cert */ algo, - (ulong)signed_at, + signed_at, fpr); xfree (fpr); if (rc < 0) diff --git a/sm/verify.c b/sm/verify.c index 6dd4f4e5b..3c333129b 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -35,22 +35,14 @@ #include "i18n.h" static char * -strtimestamp_r (time_t atime) +strtimestamp_r (ksba_isotime_t atime) { char *buffer = xmalloc (15); - if (atime < 0) - strcpy (buffer, "????" "-??" "-??"); - else if (!atime) + if (!atime || !*atime) strcpy (buffer, "none"); else - { - struct tm *tp; - - tp = gmtime( &atime ); - sprintf (buffer, "%04d-%02d-%02d", - 1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday); - } + sprintf (buffer, "%.4s-%.2s-%.2s", atime, atime+4, atime+6); return buffer; } @@ -251,7 +243,7 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp) { char *issuer = NULL; KsbaSexp sigval = NULL; - time_t sigtime, keyexptime; + ksba_isotime_t sigtime, keyexptime; KsbaSexp serial; char *msgdigest = NULL; size_t msgdigestlen; @@ -279,13 +271,14 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp) log_printf ("\n"); } - err = ksba_cms_get_signing_time (cms, signer, &sigtime); + err = ksba_cms_get_signing_time (cms, signer, sigtime); if (err == KSBA_No_Data) - sigtime = 0; + *sigtime = 0; else if (err) { log_error ("error getting signing time: %s\n", ksba_strerror (err)); - sigtime = (time_t)-1; + *sigtime = 0; /* FIXME: we can't encode an error in the time + string. */ } err = ksba_cms_get_message_digest (cms, signer, @@ -383,7 +376,7 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp) } log_info (_("Signature made ")); - if (sigtime) + if (*sigtime) gpgsm_dump_time (sigtime); else log_printf (_("[date not given]")); @@ -459,7 +452,7 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp) if (DBG_X509) log_debug ("signature okay - checking certs\n"); - rc = gpgsm_validate_chain (ctrl, cert, &keyexptime); + rc = gpgsm_validate_chain (ctrl, cert, keyexptime); if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED) { gpgsm_status (ctrl, STATUS_EXPKEYSIG, NULL); @@ -474,8 +467,8 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp) fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); tstr = strtimestamp_r (sigtime); buf = xmalloc ( strlen(fpr) + strlen (tstr) + 120); - sprintf (buf, "%s %s %lu %lu", fpr, tstr, - (unsigned long)sigtime, (unsigned long)keyexptime ); + sprintf (buf, "%s %s %s %s", fpr, tstr, + sigtime, keyexptime ); xfree (tstr); xfree (fpr); gpgsm_status (ctrl, STATUS_VALIDSIG, buf);