* certlist.c (gpgsm_cert_use_ocsp_p): New.
(cert_usage_p): Support it here. * call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here.
This commit is contained in:
parent
33310977ac
commit
fc07b029ea
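--- a/TEXI_MANUAL_PATH_NOT_ON_PAGE
+++ b/TEXI_MANUAL_PATH_NOT_ON_PAGE
@@ -133,6 +133,8 @@ Generate a new key and a certificate request.
 @itemx -k
 @opindex list-keys
 List all available certificates stored in the local key database.
+Note that the displayed data might be reformatted for better human
+readability and illegal characters are replaced by safe substitutes.
 
 @item --list-secret-keys
 @itemx -K
@@ -156,7 +158,7 @@ List all available certificates for which a corresponding a secret key
 is available using a format useful mainly for debugging.
 
 @item --dump-external-keys @var{pattern}
-@opindex dump-keys
+@opindex dump-external-keys
 List certificates matching @var{pattern} using an external server.
 This utilizes the @code{dirmngr} service. It uses a format useful
 mainly for debugging.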
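--- a/CHANGELOG_PATH_NOT_ON_PAGE
+++ b/CHANGELOG_PATH_NOT_ON_PAGE
@@ -1,3 +1,9 @@
+2004-08-18 Werner Koch <wk@g10code.de>
+
+	* certlist.c (gpgsm_cert_use_ocsp_p): New.
+	(cert_usage_p): Support it here.
+	* call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here.
+
 2004-08-17 Marcus Brinkmann <marcus@g10code.de>
 
 	* import.c: Fix typo in last change.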
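--- a/call-dirmngr.c
+++ b/call-dirmngr.c
@@ -458,9 +458,7 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
 
       if (!rc)
         {
-          /* fixme: We should refine the check to check for
-             certificates allowed for CRL/OCPS. */
-          rc = gpgsm_cert_use_verify_p (rspcert);
+          rc = gpgsm_cert_use_ocsp_p (rspcert);
           if (rc)
             rc = gpg_error (GPG_ERR_INV_CRL);
           else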
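Review bot: A responder certificate that fails the new gpgsm_cert_use_ocsp_p check is still mapped to GPG_ERR_INV_CRL on the following line, so a key-usage problem in an OCSP responder is reported to the caller as an invalid CRL. The removed fixme asked for the CRL and OCSP cases to be told apart; if this path is also reached for CRL-signer certificates (gpgsm_dirmngr_isvalid starts outside the hunk, so I cannot tell), the OCSP-only check would be too narrow for them. If no dedicated error code is available, a comment above the mapping such as `/* Responder cert not usable for OCSP signing; no dedicated error code, so report it as an invalid CRL.  */` would stop readers from taking the CRL error at face value.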
@ -45,13 +45,15 @@ static const char oid_kp_ocspSigning[] = "1.3.6.1.5.6.7.3.9";
|
|||||||
/* Return 0 if the cert is usable for encryption. A MODE of 0 checks
|
/* Return 0 if the cert is usable for encryption. A MODE of 0 checks
|
||||||
for signing a MODE of 1 checks for encryption, a MODE of 2 checks
|
for signing a MODE of 1 checks for encryption, a MODE of 2 checks
|
||||||
for verification and a MODE of 3 for decryption (just for
|
for verification and a MODE of 3 for decryption (just for
|
||||||
debugging) */
|
debugging). MODE 4 is for certificate signing, MODE for COSP
|
||||||
|
response signing. */
|
||||||
static int
|
static int
|
||||||
cert_usage_p (ksba_cert_t cert, int mode)
|
cert_usage_p (ksba_cert_t cert, int mode)
|
||||||
{
|
{
|
||||||
gpg_error_t err;
|
gpg_error_t err;
|
||||||
unsigned int use;
|
unsigned int use;
|
||||||
char *extkeyusages;
|
char *extkeyusages;
|
||||||
|
int have_ocsp_signing = 0;
|
||||||
|
|
||||||
err = ksba_cert_get_ext_key_usages (cert, &extkeyusages);
|
err = ksba_cert_get_ext_key_usages (cert, &extkeyusages);
|
||||||
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
|
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
|
||||||
@ -94,6 +96,13 @@ cert_usage_p (ksba_cert_t cert, int mode)
|
|||||||
| KSBA_KEYUSAGE_NON_REPUDIATION);
|
| KSBA_KEYUSAGE_NON_REPUDIATION);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* This is a hack to cope with OCSP. Note that we do
|
||||||
|
not yet fully comply with the requirements and that
|
||||||
|
the entire CRL/OCSP checking thing should undergo a
|
||||||
|
thorough review and probably redesign. */
|
||||||
|
if ( !strcmp (p, oid_kp_ocspSigning))
|
||||||
|
have_ocsp_signing = 1;
|
||||||
|
|
||||||
if ((p = strchr (pend, '\n')))
|
if ((p = strchr (pend, '\n')))
|
||||||
p++;
|
p++;
|
||||||
}
|
}
|
||||||
@ -135,6 +144,18 @@ cert_usage_p (ksba_cert_t cert, int mode)
|
|||||||
return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
|
return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (mode == 5)
|
||||||
|
{
|
||||||
|
if (use != ~0
|
||||||
|
&& (have_ocsp_signing
|
||||||
|
|| (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
|
||||||
|
|KSBA_KEYUSAGE_CRL_SIGN))))
|
||||||
|
return 0;
|
||||||
|
log_info (_("certificate should have not "
|
||||||
|
"been used for OCSP response signing\n"));
|
||||||
|
return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
|
||||||
|
}
|
||||||
|
|
||||||
if ((use & ((mode&1)?
|
if ((use & ((mode&1)?
|
||||||
(KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT):
|
(KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT):
|
||||||
(KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
|
(KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
|
||||||
@ -182,6 +203,12 @@ gpgsm_cert_use_cert_p (ksba_cert_t cert)
|
|||||||
return cert_usage_p (cert, 4);
|
return cert_usage_p (cert, 4);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
gpgsm_cert_use_ocsp_p (ksba_cert_t cert)
|
||||||
|
{
|
||||||
|
return cert_usage_p (cert, 5);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert)
|
same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert)
|
||||||
|
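Review bot: In the new `mode == 5` branch of cert_usage_p (third hunk of this section) a certificate is accepted for OCSP response signing as soon as it carries either the id-kp-OCSPSigning EKU or the keyCertSign/cRLSign key-usage bits, but cert_usage_p only sees the certificate itself, so the binding RFC 2560 requires between a keyCertSign/cRLSign responder and the issuer of the certificate under test has to be enforced by the caller. The hack comment added in the second hunk should state that explicitly, e.g. `/* Caller must still verify that a CA-style responder is the issuer of the certificate being checked; this only tests key usage. */`, so a 0 return is not mistaken for full responder authorization. The comment added in the first hunk also has a typo: `debugging). MODE 4 is for certificate signing, MODE for COSP` should read `debugging). MODE 4 is for certificate signing, MODE 5 for OCSP`, matching `cert_usage_p (cert, 5)` in the last hunk. The `!strcmp (p, oid_kp_ocspSigning)` test sits in a loop whose start is outside the second hunk, so I cannot see how `p` is delimited there.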
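--- a/GPGSM_HEADER_PATH_NOT_ON_PAGE
+++ b/GPGSM_HEADER_PATH_NOT_ON_PAGE
@@ -240,6 +240,7 @@ int gpgsm_cert_use_encrypt_p (ksba_cert_t cert);
 int gpgsm_cert_use_verify_p (ksba_cert_t cert);
 int gpgsm_cert_use_decrypt_p (ksba_cert_t cert);
 int gpgsm_cert_use_cert_p (ksba_cert_t cert);
+int gpgsm_cert_use_ocsp_p (ksba_cert_t cert);
 int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert,
                                 certlist_t *listaddr, int is_encrypt_to);
 int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,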