* certlist.c (gpgsm_cert_use_ocsp_p): New.

(cert_usage_p): Support it here. * call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here.
2004-08-18 14:38:47 +00:00 · 2004-08-18 14:38:47 +00:00 · fc07b029ea
parent 33310977ac
commit fc07b029ea
5 changed files with 39 additions and 5 deletions
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@ -133,6 +133,8 @@ Generate a new key and a certificate request.
@itemx -k 
@opindex list-keys
 List all available certificates stored in the local key database.
+Note that the displayed data might be reformatted for better human
+readability and illegal characters are replaced by safe substitutes.

@item --list-secret-keys
@itemx -K
@ -156,7 +158,7 @@ List all available certificates for which a corresponding a secret key
 is available using a format useful mainly for debugging.

@item --dump-external-keys @var{pattern}
-@opindex dump-keys
+@opindex dump-external-keys
 List certificates matching @var{pattern} using an external server.
 This utilizes the @code{dirmngr} service.  It uses a format useful
 mainly for debugging.
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@ -1,3 +1,9 @@
+2004-08-18  Werner Koch  <wk@g10code.de>
+
+	* certlist.c (gpgsm_cert_use_ocsp_p): New.
+	(cert_usage_p): Support it here.
+	* call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here.
+
 2004-08-17  Marcus Brinkmann  <marcus@g10code.de>

 	* import.c: Fix typo in last change.
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@ -458,9 +458,7 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,

          if (!rc)
            {
-              /* fixme: We should refine the check to check for
-                 certificates allowed for CRL/OCPS. */
-              rc = gpgsm_cert_use_verify_p (rspcert);
+              rc = gpgsm_cert_use_ocsp_p (rspcert);
              if (rc)
                rc = gpg_error (GPG_ERR_INV_CRL);
              else
--- a/sm/certlist.c
+++ b/sm/certlist.c
@ -45,13 +45,15 @@ static const char oid_kp_ocspSigning[]    = "1.3.6.1.5.6.7.3.9";
 /* Return 0 if the cert is usable for encryption.  A MODE of 0 checks
   for signing a MODE of 1 checks for encryption, a MODE of 2 checks
   for verification and a MODE of 3 for decryption (just for
-   debugging) */
+   debugging).  MODE 4 is for certificate signing, MODE for COSP
+   response signing. */
 static int
 cert_usage_p (ksba_cert_t cert, int mode)
 {
  gpg_error_t err;
  unsigned int use;
  char *extkeyusages;
+  int have_ocsp_signing = 0;

  err = ksba_cert_get_ext_key_usages (cert, &extkeyusages);
  if (gpg_err_code (err) == GPG_ERR_NO_DATA)
@ -94,6 +96,13 @@ cert_usage_p (ksba_cert_t cert, int mode)
                                   | KSBA_KEYUSAGE_NON_REPUDIATION);
                }
              
+              /* This is a hack to cope with OCSP.  Note that we do
+                 not yet fully comply with the requirements and that
+                 the entire CRL/OCSP checking thing should undergo a
+                 thorough review and probably redesign. */
+              if ( !strcmp (p, oid_kp_ocspSigning))
+                have_ocsp_signing = 1;
+
              if ((p = strchr (pend, '\n')))
                p++;
            }
@ -135,6 +144,18 @@ cert_usage_p (ksba_cert_t cert, int mode)
      return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
    }

+  if (mode == 5)
+    {
+      if (use != ~0 
+          && (have_ocsp_signing
+              || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
+                         |KSBA_KEYUSAGE_CRL_SIGN))))
+        return 0;
+      log_info (_("certificate should have not "
+                  "been used for OCSP response signing\n"));
+      return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
+    }
+
  if ((use & ((mode&1)?
              (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT):
              (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
@ -182,6 +203,12 @@ gpgsm_cert_use_cert_p (ksba_cert_t cert)
  return cert_usage_p (cert, 4);
 }

+int
+gpgsm_cert_use_ocsp_p (ksba_cert_t cert)
+{
+  return cert_usage_p (cert, 5);
+}
+

 static int
 same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert)
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -240,6 +240,7 @@ int gpgsm_cert_use_encrypt_p (ksba_cert_t cert);
 int gpgsm_cert_use_verify_p (ksba_cert_t cert);
 int gpgsm_cert_use_decrypt_p (ksba_cert_t cert);
 int gpgsm_cert_use_cert_p (ksba_cert_t cert);
+int gpgsm_cert_use_ocsp_p (ksba_cert_t cert);
 int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert,
                                certlist_t *listaddr, int is_encrypt_to);
 int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,