From f10040147834bbc5cc75f02b7215f2b45642ecaf Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 20 Sep 2004 18:47:11 +0000
Subject: [PATCH] (show_key_with_all_names): Print the card S/N.

* app-openpgp.c (app_select_openpgp): Its app_munge_serialno and
not app_number_serialno.
---
 g10/ChangeLog     |  4 ++++
 g10/keyedit.c     | 21 +++++++++++++++++++++
 scd/ChangeLog     |  5 +++++
 scd/app-openpgp.c |  2 +-
 sm/ChangeLog      |  6 ++++++
 sm/certchain.c    | 15 ++++++++++++---
 6 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/g10/ChangeLog b/g10/ChangeLog
index d33dcdc36..b553c1c9f 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,7 @@
+2004-09-20  Werner Koch  <wk@g10code.com>
+
+	* keyedit.c (show_key_with_all_names): Print the card S/N.
+
 2004-09-11  Moritz Schulte  <moritz@g10code.com>
 
 	* openfile.c (copy_options_file): Fixed last commit (added a `+').
diff --git a/g10/keyedit.c b/g10/keyedit.c
index 4da174e3c..2f9fccbf5 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -2121,6 +2121,27 @@ show_key_with_all_names( KBNODE keyblock, int only_marked, int with_revoker,
 			  datestr_from_sk(sk),
 			  expirestr_from_sk(sk) );
 	    tty_printf("\n");
+            if (sk->is_protected && sk->protect.s2k.mode == 1002)
+              {
+		tty_printf("                     ");
+                tty_printf(_("card-no: ")); 
+                if (sk->protect.ivlen == 16
+                    && !memcmp (sk->protect.iv, "\xD2\x76\x00\x01\x24\x01", 6))
+                  { /* This is an OpenPGP card. */
+                    for (i=8; i < 14; i++)
+                      {
+                        if (i == 10)
+                          tty_printf (" ");
+                        tty_printf ("%02X", sk->protect.iv[i]);
+                      }
+                  }
+                else
+                  { /* Something is wrong: Print all. */
+                    for (i=0; i < sk->protect.ivlen; i++)
+                      tty_printf ("%02X", sk->protect.iv[i]);
+                  }
+                tty_printf ("\n");
+              }
 	}
 	else if( with_subkeys && node->pkt->pkttype == PKT_SIGNATURE
 		 && node->pkt->pkt.signature->sig_class == 0x28       ) {
diff --git a/scd/ChangeLog b/scd/ChangeLog
index a527b5da5..e6789fcb2 100644
--- a/scd/ChangeLog
+++ b/scd/ChangeLog
@@ -1,3 +1,8 @@
+2004-09-11  Werner Koch  <wk@g10code.com>
+
+	* app-openpgp.c (app_select_openpgp): Its app_munge_serialno and
+	not app_number_serialno.
+
 2004-08-20  Werner Koch  <wk@g10code.de>
 
 	* app.c (select_application): Fixed serial number extraction and
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index 67bc336ec..1617ab888 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -1397,7 +1397,7 @@ app_select_openpgp (APP app)
 #if GNUPG_MAJOR_VERSION != 1
       /* A valid OpenPGP card should never need this but well the test
          is cheap. */
-      rc = app_number_serialno (app);
+      rc = app_munge_serialno (app);
       if (rc)
         goto leave;
 #endif
diff --git a/sm/ChangeLog b/sm/ChangeLog
index a8139e2e0..d68759151 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,9 @@
+2004-09-14  Werner Koch  <wk@g10code.com>
+
+	* certchain.c (gpgsm_validate_chain): Give expired certificates a
+	higher error precedence and don't bother to check any CRL in that
+	case.
+
 2004-08-24  Werner Koch  <wk@g10code.de>
 
 	* certlist.c: Fixed typo in ocsp OID.
diff --git a/sm/certchain.c b/sm/certchain.c
index 2ce247f65..ad30a36e1 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -672,7 +672,12 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
           else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED)
             {
               do_list (0, lm, fp, _("root certificate is not marked trusted"));
-              if (!lm)
+              /* If we already figured out that the certificate is
+                 expired it does not make much sense to ask the user
+                 whether we wants to trust the root certificate.  He
+                 should do this only if the certificate under question
+                 will then be usable. */
+              if (!lm && !any_expired)
                 {
                   int rc2;
                   char *fpr = gpgsm_get_fingerprint_string (subject_cert,
@@ -707,6 +712,8 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
           /* Check for revocations etc. */
           if ((flags & 1))
             rc = 0;
+          else if (any_expired)
+            ; /* Don't bother to run the expensive CRL check then. */
           else
             rc = is_cert_still_valid (ctrl, lm, fp,
                                       subject_cert, subject_cert,
@@ -835,6 +842,8 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
       /* Check for revocations etc. */
       if ((flags & 1))
         rc = 0;
+      else if (any_expired)
+        ; /* Don't bother to run the expensive CRL check then. */
       else
         rc = is_cert_still_valid (ctrl, lm, fp,
                                   subject_cert, issuer_cert,
@@ -866,14 +875,14 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
          the error code to the most critical one */
       if (any_revoked)
         rc = gpg_error (GPG_ERR_CERT_REVOKED);
+      else if (any_expired)
+        rc = gpg_error (GPG_ERR_CERT_EXPIRED);
       else if (any_no_crl)
         rc = gpg_error (GPG_ERR_NO_CRL_KNOWN);
       else if (any_crl_too_old)
         rc = gpg_error (GPG_ERR_CRL_TOO_OLD);
       else if (any_no_policy_match)
         rc = gpg_error (GPG_ERR_NO_POLICY_MATCH);
-      else if (any_expired)
-        rc = gpg_error (GPG_ERR_CERT_EXPIRED);
     }
   
  leave: