From fc07b029ea71cf46304aaaea453d794daf39c68e Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 18 Aug 2004 14:38:47 +0000
Subject: [PATCH] * certlist.c (gpgsm_cert_use_ocsp_p): New. (cert_usage_p): Support it here. * call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here.
---
doc/gpgsm.texi | 4 +++-
sm/ChangeLog | 6 ++++++
sm/call-dirmngr.c | 4 +---
sm/certlist.c | 29 ++++++++++++++++++++++++++++-
sm/gpgsm.h | 1 +
5 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index c79622342..0f2167184 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -133,6 +133,8 @@ Generate a new key and a certificate request. @itemx -k @opindex list-keys List all available certificates stored in the local key database. +Note that the displayed data might be reformatted for better human +readability and illegal characters are replaced by safe substitutes. @item --list-secret-keys @itemx -K
@@ -156,7 +158,7 @@ List all available certificates for which a corresponding a secret key is available using a format useful mainly for debugging. @item --dump-external-keys @var{pattern} -@opindex dump-keys +@opindex dump-external-keys List certificates matching @var{pattern} using an external server. This utilizes the @code{dirmngr} service. It uses a format useful mainly for debugging.
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 0bc31c0bc..ab362e842 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,9 @@ +2004-08-18 Werner Koch + + * certlist.c (gpgsm_cert_use_ocsp_p): New. + (cert_usage_p): Support it here. + * call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here. + 2004-08-17 Marcus Brinkmann * import.c: Fix typo in last change.
diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c
index 15160dc41..849b8a04c 100644
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@@ -458,9 +458,7 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl, if (!rc) { - /* fixme: We should refine the check to check for - certificates allowed for CRL/OCPS. */ - rc = gpgsm_cert_use_verify_p (rspcert); + rc = gpgsm_cert_use_ocsp_p (rspcert); if (rc) rc = gpg_error (GPG_ERR_INV_CRL); else
diff --git a/sm/certlist.c b/sm/certlist.c
index 96acf90f7..983732317 100644
--- a/sm/certlist.c
+++ b/sm/certlist.c
@@ -45,13 +45,15 @@ static const char oid_kp_ocspSigning[] = "1.3.6.1.5.6.7.3.9"; /* Return 0 if the cert is usable for encryption. A MODE of 0 checks for signing a MODE of 1 checks for encryption, a MODE of 2 checks for verification and a MODE of 3 for decryption (just for - debugging) */ + debugging). MODE 4 is for certificate signing, MODE for COSP + response signing. */ static int cert_usage_p (ksba_cert_t cert, int mode) { gpg_error_t err; unsigned int use; char *extkeyusages; + int have_ocsp_signing = 0; err = ksba_cert_get_ext_key_usages (cert, &extkeyusages); if (gpg_err_code (err) == GPG_ERR_NO_DATA)
@@ -94,6 +96,13 @@ cert_usage_p (ksba_cert_t cert, int mode) | KSBA_KEYUSAGE_NON_REPUDIATION); } + /* This is a hack to cope with OCSP. Note that we do + not yet fully comply with the requirements and that + the entire CRL/OCSP checking thing should undergo a + thorough review and probably redesign. */ + if ( !strcmp (p, oid_kp_ocspSigning)) + have_ocsp_signing = 1; + if ((p = strchr (pend, '\n'))) p++; }
@@ -135,6 +144,18 @@ cert_usage_p (ksba_cert_t cert, int mode) return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } + if (mode == 5) + { + if (use != ~0 + && (have_ocsp_signing + || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN + |KSBA_KEYUSAGE_CRL_SIGN)))) + return 0; + log_info (_("certificate should have not " + "been used for OCSP response signing\n")); + return gpg_error (GPG_ERR_WRONG_KEY_USAGE); + } + if ((use & ((mode&1)? (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT): (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
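Review bot: In the gpgsm_dirmngr_isvalid hunk of sm/call-dirmngr.c, a responder certificate that fails `gpgsm_cert_use_ocsp_p (rspcert)` is still reported as `GPG_ERR_INV_CRL`, because the unchanged `if (rc)` line overwrites the `GPG_ERR_WRONG_KEY_USAGE` that the new helper returns. With the fixme removed there is also no comment left saying what is required of the responder certificate; I would add `/* The responder certificate must be allowed to sign OCSP responses; a failure is reported as an invalid CRL. */` above the call. The `else` branch continues outside the hunk, so any further validation of rspcert is not visible here.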
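Review bot: In the first sm/certlist.c hunk the extended comment on cert_usage_p reads `MODE for COSP response signing`, which drops the mode number and transposes the acronym, while the branch added further down tests `mode == 5`. I would word the two new comment lines as `debugging). MODE 4 is for certificate signing, MODE 5 for OCSP` and `response signing. */`. The function body continues outside this hunk.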
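Review bot: The new `strcmp (p, oid_kp_ocspSigning)` in the second sm/certlist.c hunk depends on a constant that the first hunk's header shows as `"1.3.6.1.5.6.7.3.9"`, whereas the PKIX key-purpose arc is 1.3.6.1.5.5.7.3 and id-kp-OCSPSigning is `1.3.6.1.5.5.7.3.9`. If the definition really reads as shown, `have_ocsp_signing` is never set for a certificate carrying the real extended key usage, and mode 5 then accepts only certificates with keyCertSign or cRLSign. The definition lies outside the changed lines; the fix would be `static const char oid_kp_ocspSigning[] = "1.3.6.1.5.5.7.3.9";`. The enclosing loop starts and ends outside this hunk.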
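Review bot: The `mode == 5` branch in the third sm/certlist.c hunk accepts any certificate whose key usage includes keyCertSign or cRLSign, so on this check alone every CA certificate qualifies as an OCSP response signer, not only the CA that issued the certificate being checked. Whether the caller ties the responder to that issuer is not visible in this diff, and the comment added in the previous hunk only says in general terms that compliance is incomplete. I would state the limit at the branch itself, e.g. `/* FIXME: keyCertSign/cRLSign only shows that CERT is a CA; the caller must still check that it issued the certificate in question. */`. Separately, `use != ~0` compares an unsigned int with an int; `use != ~0u` says what is meant.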
@@ -182,6 +203,12 @@ gpgsm_cert_use_cert_p (ksba_cert_t cert) return cert_usage_p (cert, 4); } +int +gpgsm_cert_use_ocsp_p (ksba_cert_t cert) +{ + return cert_usage_p (cert, 5); +} + static int same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert)
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 20a3c5ee9..72486aadb 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -240,6 +240,7 @@ int gpgsm_cert_use_encrypt_p (ksba_cert_t cert); int gpgsm_cert_use_verify_p (ksba_cert_t cert); int gpgsm_cert_use_decrypt_p (ksba_cert_t cert); int gpgsm_cert_use_cert_p (ksba_cert_t cert); +int gpgsm_cert_use_ocsp_p (ksba_cert_t cert); int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert, certlist_t *listaddr, int is_encrypt_to); int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
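Review bot: The new `gpgsm_cert_use_ocsp_p` in the sm/certlist.c hunk at -182 carries no comment, and like cert_usage_p it returns 0 when the certificate is usable, the opposite of what the `_p` suffix suggests to someone writing `if (gpgsm_cert_use_ocsp_p (cert))`. I would add `/* Return 0 if CERT may be used to sign OCSP responses, else an error code. */` above it. The bare `5` is explained only by the comment on cert_usage_p; a named constant for the modes would make the wrappers self-describing.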