1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

885 Commits

Author SHA1 Message Date
Werner Koch
a430f22549
common: Prepare for more flags in start_new_service.
* common/asshelp.h (ASSHELP_FLAG_AUTOSTART): New.
* common/asshelp.c (start_new_service): Rename arg autostart to flags
and adjust checks.
(start_new_gpg_agent): Likewise.  Change all callers.
(start_new_keyboxd): Likewise.  Change all callers.
(start_new_dirmngr): Likewise.  Change all callers.
--

It is easier to have a generic flags arg instead of adding more and
more dedicated args.  verbose and debug are kept as they are because
they are not boolean.
2023-08-29 13:18:13 +02:00
NIIBE Yutaka
1d73806972
gpg,agent,kbx,sm,scd,tpm2d,g13: Use assuan_control.
* agent/gpg-agent.c (thread_init_once): Call assuan_control.
* g10/gpg.c (main): Likewise.
* g13/g13.c (main): Likewise.
* kbx/keyboxd.c (thread_init_once): Likewise.
* scd/scdaemon.c (main): Likewise.
* sm/gpgsm.c (main): Likewise.
* tpm2d/tpm2daemon.c (main): Likewise.

--

GnuPG-bug-id: 6606
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-08-03 16:34:18 +09:00
NIIBE Yutaka
0821ceebfb
agent,dirmgr,gpg,g13,kbx,scd,sm,tmp2d: Remove ASSUAN_SYSTEM_NPTH.
* agent/gpg-agent.c (ASSUAN_SYSTEM_NPTH_IMPL): Remove.
(initialize_modules): Don't call assuan_set_system_hooks.
(main): Don't call assuan_sock_set_system_hooks.
* dirmngr/dirmngr.c (ASSUAN_SYSTEM_NPTH_IMPL): Remove.
(thread_init): Don't call assuan_set_system_hooks.
* g10/gpg.c (ASSUAN_SYSTEM_NPTH_IMPL): Remove.
(main): Don't call assuan_set_system_hooks.
* g13/g13.c (ASSUAN_SYSTEM_NPTH_IMPL): Remove.
(main): Set the syscall clamp with gpgrt_set_syscall_clamp.
Don't call assuan_set_system_hooks.
* kbx/keyboxd.c (ASSUAN_SYSTEM_NPTH_IMPL): Remove.
(initialize_modules): Don't call assuan_set_system_hooks.
(main): Don't call assuan_sock_set_system_hooks.
* scd/scdaemon.c (ASSUAN_SYSTEM_NPTH_IMPL): Remove.
(main): Don't call assuan_set_system_hooks.
* sm/gpgsm.c (ASSUAN_SYSTEM_NPTH_IMPL): Remove.
(main): Don't call assuan_set_system_hooks.
* tpm2d/tpm2daemon.c (ASSUAN_SYSTEM_NPTH_IMPL): Remove.
(main): Don't call assuan_set_system_hooks.

--

GnuPG-bug-id: 6606
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-08-03 16:34:00 +09:00
NIIBE Yutaka
95d9761509
sm: Use estream for I/O.
* sm/decrypt.c (gpgsm_decrypt): Use estream for the input.
* sm/encrypt.c (gpgsm_encrypt): Likewise.
* sm/gpgsm.c (open_read): Remove.
(main): Use open_es_fread for gpgsm_import_files.  Fix call of
gpgsm_encrypt, gpgsm_sign, gpgsm_verify and gpgsm_decrypt.
(open_es_fread): Use gnupg_check_special_filename and open_stream_nc.
* sm/gpgsm.h: Fix function declarations.
* sm/import.c (import_one): Use estream for the input.
(reimport_one, gpgsm_import, gpgsm_import_files): Likewise.
* sm/server.c (struct server_local_s): Rename MESSAGE_FD to
MESSAGE_FP.
(close_message_fp): Rename from close_message_fd.
(reset_notify): Follow the change of close_message_fp.
(cmd_encrypt, cmd_decrypt, cmd_verify, cmd_sign): Follow the change of
close_message_fp.  Use open_stream_nc to get estream.
(cmd_import): Likewise.
(cmd_export, cmd_delkeys, gpgsm_server): Follow the change of
close_message_fp.
(cmd_message): Setup MESSAGE_FP with open_stream_nc.
* sm/sign.c (hash_data): Use estream for the input.
(hash_and_copy_data): Likewise.
(gpgsm_sign): Likewise.
* sm/verify.c (hash_data): Use estream_t for FP.
(gpgsm_verify): Use estream_t for IN_FP and DATA_FP.

--

GnuPG-bug-id: 6592
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-25 10:04:18 +09:00
NIIBE Yutaka
b849c930e9
common: Introduce FD_DBG to display gnupg_fd_t value.
* common/sysutils.h (FD_DBG): New.
* agent/gpg-agent.c (check_nonce): Use FD_DBG.
(do_start_connection_thread, start_connection_thread_ssh): Likewise.
* common/iobuf.c (fd_cache_close, file_filter, do_open): Likewise.
(do_iobuf_fdopen): Likewise.
* dirmngr/dirmngr.c (check_nonce, start_connection_thread)
(handle_connections): Likewise.
* dirmngr/http.c (_my_socket_new, _my_socket_ref): Likewise.
(_my_socket_unref): Likewise.
* g10/decrypt.c (decrypt_message_fd): Likewise.
* g10/encrypt.c (encrypt_crypt): Likewise.
* g10/openfile.c (open_outfile): Likewise.
* g10/plaintext.c (get_output_file, hash_datafile_by_fd): Likewise.
* g10/verify.c (gpg_verify): Likewise.
* kbx/keyboxd.c (check_nonce, do_start_connection_thread): Likewise.
* scd/scdaemon.c (start_connection_thread): Likewise.
(handle_connections): Likewise.
* sm/gpgsm.c (open_es_fread, open_es_fwrite): Likewise.
* tpm2d/tpm2daemon.c (start_connection_thread): Likewise.
(handle_connections): Likewise.

--

GnuPG-bug-id: 6597
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-18 11:54:16 +09:00
NIIBE Yutaka
cf270b0d30
sm: Fix open_es_fread and open_es_fwrite for gnupg_fd_t.
* sm/gpgsm.c (open_es_fread, open_es_fwrite): Use gnupg_fd_t
and open_stream_nc.

--

GnuPG-bug-id: 6580
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-13 14:37:20 +09:00
NIIBE Yutaka
ea625c74f0
sm: Use open_stream_nc for do_listkeys.
* sm/server.c (do_listkeys): Use open_stream_nc.

--

GnuPG-bug-id: 6580
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-13 13:53:49 +09:00
NIIBE Yutaka
69c1d81284
sm: Use gnupg_fd_t and open_stream_nc for assuan_get_input_fd.
* sm/server.c (cmd_genkey): Use open_stream_nc for input and output.
(cmd_getauditlog): Use open_stream_nc for output.

--

GnuPG-bug-id: 6580
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-13 13:46:43 +09:00
NIIBE Yutaka
fb046ccd93
sm: Use open_stream_nc for HANDLE by assuan_get_output_fd.
* sm/server.c (cmd_encrypt): Use gnupg_fd_t for OUT_FD.
Call open_stream_nc with OUT_FD.
(cmd_decrypt, cmd_verify, cmd_sign, cmd_export): Likewise.

--

GnuPG-bug-id: 6580
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-13 11:18:47 +09:00
Werner Koch
334f5d95c8
Merge branch 'STABLE-BRANCH-2-4' into master 2023-07-04 17:37:54 +02:00
Werner Koch
7a2831bc0e
gpgsm: Init a diagnostic var.
* sm/minip12.c (p12_parse): Init where.
--
2023-07-04 09:26:55 +02:00
Werner Koch
5f694dc0be
sm: Adding missing stuff to the PKCS#12 parser rewrite.
* sm/minip12.c (struct bufferlist_s): New.
(struct tlv_ctx_s): Add bufferlist.
(tlv_register_buffer): New.
(tlv_release): Release bufferlist.
(tlv_expect_object): Handle octet string cramming.
(tlv_expect_octet_string): Ditto.
(cram_octet_string): Changed interface.  We don't need the
input_consumed value anymore.

* sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set.

* sm/t-minip12.c (main): Add option --no-extra.
(cert_collect_cb, run_tests_from_file): Fix memory leak

* tests/cms/samplekeys/t5793-openssl.pfx: New from T5793.
* tests/cms/samplekeys/t5793-test.pfx: Ditto.
* tests/cms/samplekeys/Description-p12: Add them.
* tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys.
--

This should finish the rewrite of the pkcsc#12 parser for now.  More
fun is likely to come.

GnuPG-bug-id: 6536, 5793
2023-06-29 17:49:10 +02:00
Werner Koch
101433dfb4
sm: Major rewrite of the PKCS#12 parser
* sm/minip12.c: Reworked most of the parser.
(p12_set_verbosity): Add arg debug and change all callers.

* sm/t-minip12.c: Major rewrite to run regression tests unattended.
* sm/Makefile.am (module_maint_tests): Move t-Minit to ...
(module_tests): here.
* tests/cms/samplekeys/Description-p12: New.
--

Note that cram_octet_string stuff has not yet been reworked.  I need
to locate the sample files first.

GnuPG-bug-id: 6536
2023-06-28 17:34:19 +02:00
Werner Koch
c926967d85
sm: Remove duplicated code.
* sm/minip12.c (struct tag_info): Change type of length and nhdr.
(dump_tag_info): Adjust.
(parse_tag): Re-implement using the parse_ber_header.
2023-06-28 17:34:19 +02:00
NIIBE Yutaka
b9b0c18320
common,gpg,sm,tools: Don't remove translate_sys2libc_fd_int.
* common/sysutils.c (translate_sys2libc_fd_int): Recover.
(translate_sys2libc_fdstr): Remove.
(check_special_filename): Follow the change.
* common/sysutils.h (translate_sys2libc_fd_int): Recover.
(translate_sys2libc_fdstr): Remove.
* g10/gpg.c, g10/gpgv.c, sm/gpgsm.c: Revert the changes.
* tools/gpg-auth.c, tools/gpg-card.c, tools/gpg-pair-tool.c: Likewise.
* tools/gpg-wks-client.c, tools/gpgconf.c: Likewise.

--

GnuPG-bug-id: 6551
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-06-27 14:44:01 +09:00
NIIBE Yutaka
2756147e39
gpg,sm,tools: Use string for option --*-fd.
* g10/gpg.c (opts): Use string for oLoggerFD, oOverrideSessionKeyFD,
oStatusFD, oAttributeFD, oCommandFD, and oPassphraseFD.
(main): Use translate_sys2libc_fdstr.
* g10/gpgv.c (opts): Use string for oLoggerFD, and oStatusFD.
(main): Use translate_sys2libc_fdstr.
* sm/gpgsm.c (opts): Use string for oLoggerFD, oStatusFD, and
oPassphraseFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpg-auth.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
tools/gpg-card.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpg-pair-tool.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpg-wks-client.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpgconf.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpgtar-create.c (gpgtar_create): Fix for opt.status_fd.
* tools/gpgtar-extract.c (gpgtar_extract): Fix for opt.status_fd.
* tools/gpgtar-list.c (gpgtar_list): Fix for opt.status_fd.
* tools/gpgtar.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpgtar.h (opts): Use string for oStatusFD.

--

GnuPG-bug-id: 6551
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-06-23 13:22:00 +09:00
Werner Koch
701a8b30f0
gpgsm: Support SENDCERT_SKI for --call-dirmngr
* sm/call-dirmngr.c (run_command_inq_cb): Support SENDCERT_SKI.

* dirmngr/crlcache.c (crl_cache_insert): Print the CRL name along with
the unknown OID nortice.
2023-06-19 14:05:22 +02:00
Werner Koch
e9c337c0b9
gpgsm: New option --input-size-hint.
* sm/gpgsm.c (oInputSizeHint): New.
(opts): Add "--input-size-hint".
(main): Set option.
* sm/server.c (option_handler): Add option "input-size-hint".
* sm/gpgsm.h (struct server_control_s): Add field input_size_hint.
* sm/encrypt.c (gpgsm_encrypt): Set the toatl file size.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--

This option allows to set a value for the progress output line.  Note
that as of now there is no other way to set the file size.

GnuPG-bug-id: 6534
2023-06-15 12:28:55 +02:00
Werner Koch
a88aeee129
gpgsm: Fix last commit
--

There was some test code left over and a check reversed.
2023-06-15 12:20:11 +02:00
Werner Koch
c58067415f
gpgsm: Print PROGRESS status lines.
* common/ksba-io-support.c (struct writer_cb_parm_s): Add field
progress.
(struct gnupg_ksba_io_s): Add field is_writer.
(update_write_progress): New.
(base64_writer_cb, plain_writer_cb): Call update_write_progress.
(base64_finish_write): Ditto.
(gnupg_ksba_create_writer): Set is_writer.
(gnupg_ksba_set_progress_cb): New.
(gnupg_ksba_set_total): New.
* common/ksba-io-support.h (gnupg_ksba_progress_cb_t): New type.
* sm/server.c (gpgsm_status2): Return error from statusfp writes.
(gpgsm_progress_cb): New.
* sm/decrypt.c (gpgsm_decrypt): Set progress handler.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--

GnuPG-bug-id: 6534
2023-06-15 10:37:07 +02:00
NIIBE Yutaka
f5656ff363
kbx: Fix datastream_thread and use the data pipe.
* g10/call-keyboxd.c (gpg_keyboxd_deinit_session_data): Release
the assuan connection before kbx_client_data_release.
(open_context): Enable use of the data pipe.
* sm/keydb.c (gpgsm_keydb_deinit_session_data): Release the
assuan connection before kbx_client_data_release.
(open_context): Enable use of the data pipe.
* kbx/kbx-client-util.c (struct kbx_client_data_s): Add THD field.
(prepare_data_pipe): Close the pipe output end as it's been sent
already.  Remember the KCD->THD, so that it can be joined later.
(datastream_thread): Finish when reading no data from the pipe.
(kbx_client_data_release): Join the thread.  Then, we can safely
call es_fclose on the FP.

--

GnuPG-bug-id: 6512
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-06-07 15:26:34 +09:00
Werner Koch
8295fb3f0b
w32: Add missing supportedOS Ids for Windows-10
--
2023-05-24 14:17:06 +02:00
Werner Koch
6657230f9e
w32: Add missing supportedOS Ids for Windows-10
--
2023-05-24 14:16:10 +02:00
Werner Koch
3a438a1cc3
w32: Add missing manifests and set a requestedExecutionLevel.
* agent/gpg-agent.w32-manifest.in: New.
* dirmngr/dirmngr-client-w32info.rc: New.
* dirmngr/dirmngr-client.w32-manifest.in: New.
* dirmngr/dirmngr-w32info.rc: New.
* dirmngr/dirmngr.w32-manifest.in: New.
* dirmngr/dirmngr_ldap-w32info.rc: New.
* dirmngr/dirmngr_ldap.w32-manifest.in: New.
* g10/gpgv-w32info.rc: New.
* g10/gpgv.w32-manifest.in: New.
* kbx/keyboxd.w32-manifest.in: New.
* scd/scdaemon.w32-manifest.in: New.
* sm/gpgsm.w32-manifest.in: New.
--

This avoids the use of the VirtualStore uner Windows.

GnuPG-bug-id: 6503
2023-05-24 12:14:06 +02:00
Werner Koch
7e681da1b2
sm: Emit STATUS_FAILURE for non-implemented commands.
* sm/gpgsm.c (main): Do it here.
2023-05-24 12:13:53 +02:00
Werner Koch
faf0a97b2e
gpg: Improve error code for file already exists.
* g10/plaintext.c (get_output_file): Fix error code.
2023-05-24 12:12:34 +02:00
Werner Koch
3fbe10172f
w32: Add missing manifests and set a requestedExecutionLevel.
* agent/gpg-agent.w32-manifest.in: New.
* dirmngr/dirmngr-client-w32info.rc: New.
* dirmngr/dirmngr-client.w32-manifest.in: New.
* dirmngr/dirmngr-w32info.rc: New.
* dirmngr/dirmngr.w32-manifest.in: New.
* dirmngr/dirmngr_ldap-w32info.rc: New.
* dirmngr/dirmngr_ldap.w32-manifest.in: New.
* g10/gpgv-w32info.rc: New.
* g10/gpgv.w32-manifest.in: New.
* kbx/keyboxd.w32-manifest.in: New.
* scd/scdaemon.w32-manifest.in: New.
* sm/gpgsm.w32-manifest.in: New.
--

This avoids the use of the VirtualStore uner Windows.

GnuPG-bug-id: 6503
2023-05-24 12:06:37 +02:00
Werner Koch
5f46bcaaa0
sm: Emit STATUS_FAILURE for non-implemented commands.
* sm/gpgsm.c (main): Do it here.
2023-05-22 17:00:54 +02:00
Werner Koch
08ff55bd44
kbx: Use custom estream buffering
* kbx/keybox-init.c (ll_buffer_size): New var intialized to 128k
(stream_buffers): New var.
(keybox_set_buffersize): New.
(_keybox_ll_open, _keybox_ll_close): Implement buffering.

* sm/gpgsm.c (oKbxBufferSize): New.
(opts): Add option --kbx-buffer-size.
(main): Call keybox_set_buffersize.

* g10/gpg.c: Include keybox.h.
* (oKbxBufferSize): New.
(opts): Add option --kbx-buffer-size.
(main): Call keybox_set_buffersize.
--

Running a test on Windows using a pubring.kbx with
Total number of blobs:     2098
              openpgp:     1294
                 x509:      803
and a size of 42MiB with

gpgsm -k --with-validation --disable-dirmngr --kbx-buffer-size N >nul

gives these performance figures using procmon

| N(k) | file events | time(s) |
|------+-------------+---------|
|    0 |     4900000 |      86 |
|   16 |     2456000 |      58 |
|   32 |     1233000 |      43 |
|   64 |      622000 |      37 |
|  128 |      317000 |      32 |
|  256 |      164000 |      31 |
|  512 |       88000 |      30 |

Using _open instead of CreateFile give the same number of file events
but increased the time slight by one second for the measured buffer
size of 64k and 128k.   Benchmarks for gpg have not been conducted.
2023-05-08 09:40:14 +02:00
Werner Koch
a7dbf11954
kbx: Add extra flags to fopen for use by Windows.
* kbx/keybox-search.c (open_file): Use sysopen and sequential.
* kbx/keybox-update.c (create_tmp_file): Ditto.
(blob_filecopy): Ditto.
(keybox_set_flags): Ditto.
(keybox_delete): Ditto.
(keybox_compress): Ditto.
--

Under Windows "sysopen" requests that direct API calls (CreateFile et
al.) are used instead of the libc wrappers.  This may or may not
improve the performance.

Using "sequential" is a hint to Windows to assume that a file is in
general access in a sequential manner.  This will have an affect only
with a future libgpg-error.
2023-05-04 14:37:48 +02:00
Werner Koch
68613a6a9d
gpgsm: Cache the non-existence of the policy file.
* sm/certchain.c (check_cert_policy): Add simple static cache.
--

It is quite common that a policy file does not exist.  Thus we can
avoid the overhead of trying to open it over and over again just to
assert that it does not exists.
2023-05-04 14:35:31 +02:00
Werner Koch
d9e7488b17
Use the keyboxd for a fresh install
* common/homedir.c (gnupg_maybe_make_homedir): Also create a
common.conf.
* g10/keydb.c: Include comopt.h.
(maybe_create_keyring_or_box): Detect the creation of a common.conf.
* g10/gpg.c (main): Avoid adding more resources in this case.
* sm/keydb.c:  Include comopt.h.
(maybe_create_keybox): Detect the creation of a common.conf.

* common/comopt.h (comopt): Remove the conditional "extern".
2023-04-04 16:39:59 +02:00
Werner Koch
a5360ae4c7
agent: Add trustlist flag "de-vs".
* agent/trustlist.c (struct trustitem_s): Add field de_vs.
(read_one_trustfile): Parse it.
(istrusted_internal): Emit TRUSTLISTFLAG status line.
* sm/gpgsm.h (struct rootca_flags_s): Add field de_vs.
* sm/call-agent.c (istrusted_status_cb): Detect the flags.

* sm/sign.c (write_detached_signature): Remove unused vars.
--

Right now this flag has no effect; we first need to specify the exact
behaviour.

GnuPG-bug-id: 5079
2023-04-03 14:10:33 +02:00
Werner Koch
8996b0b655
gpgsm: Create binary detached sigs with definite form length octets.
* sm/sign.c: Include tlv.h.
(write_detached_signature): New,
(gpgsm_sign): Fixup binary detached signatures.
--

This helps some other software to verify detached signatures.
2023-04-03 12:01:37 +02:00
Werner Koch
4b9346492e
gpgsm: Remove conditional compilation for older libksba versions.
* sm/sign.c (add_signed_attribute): Return an error because the option
--attribute is not yet working.

--

We require libskba 1.6 anyway.
2023-03-31 09:35:07 +02:00
Werner Koch
e4ac3e7dec
gpgsm: New option --no-pretty-dn
* sm/gpgsm.c (oNoPrettyDN): New.
(opts): Add --no-pretty-dn.
(main): Implement.
* sm/gpgsm.h (opt): Add no_pretty_dn.
* sm/certdump.c (gpgsm_es_print_name): Act upon.
2023-03-16 09:46:05 +01:00
Werner Koch
56ca164684
dirmngr: Add command "GETINFO stats".
* dirmngr/server.c (cmd_getinfo): New sub-command "stats".
(dirmngr_status_helpf): Allow for a CTRL of NULL.
* dirmngr/certcache.c (cert_cache_print_stats): Add arg ctrl and use
dirmngr_status_helpf.  Adjust all callers.
* dirmngr/domaininfo.c (domaininfo_print_stats): Ditto.

* sm/certchain.c (ask_marktrusted): Flush stdout before printing the
fingerprint.
2023-03-10 11:24:48 +01:00
Werner Koch
b52a0e244a
dirmngr: Distinguish between "no crl" and "crl not trusted".
* dirmngr/crlcache.h (CRL_CACHE_NOTTRUSTED): New.
* dirmngr/crlcache.c (cache_isvalid): Set this status.
(crl_cache_cert_isvalid): Map it to GPG_ERR_NOT_TRUSTED.
(crl_cache_reload_crl): Move diagnostic to ...
* dirmngr/crlfetch.c (crl_fetch): here.
* dirmngr/server.c (cmd_isvalid): Map it to GPG_ERR_NOT_TRUSTED.
* dirmngr/validate.c (check_revocations): Handle new status.  Improve
diagnostics.
* common/status.c (get_inv_recpsgnr_code): Map INV_CRL_OBJ.
* common/audit.c (proc_type_verify): Ditto.
--

This avoids repeated loading of CRLs in case of untrusted root
certificates.
2023-03-09 18:28:39 +01:00
Werner Koch
d2d1db8860
gpg,gpgsm: New option --log-time
* g10/gpg.c (oLogTime): New.
(opts): Add "log-time".
(opt_log_time): New var.
(main): Implement.
* sm/gpgsm.c (oLogTime): New.
(opts): Add "log-time".
(opt_log_time): New var.
(main): Implement.
2023-03-08 15:10:52 +01:00
Werner Koch
2a13f7f9dc
gpgsm: Strip trailing zeroes from detached signatures.
* common/ksba-io-support.c: Include tlv.h
(struct reader_cb_parm_s): Add new fields.
(starts_with_sequence): New.
(simple_reader_cb): Handle stripping.
* common/ksba-io-support.h (GNUPG_KSBA_IO_STRIP): New.
(gnupg_ksba_create_reader): Handle the new flag.
* sm/verify.c (gpgsm_verify): Use the new flag for detached
signatures.
--

Note that this works only if --assume-binary is given.  The use case
for the feature is PDF signature checking where the PDF specs require
that the detached signature is padded with zeroes.
2023-03-08 11:00:00 +01:00
Werner Koch
5d96aab27d
gpgsm: Improve cert lookup callback from dirmngr.
* sm/gpgsm.h (FIND_CERT_ALLOW_AMBIG): New.
(FIND_CERT_WITH_EPHEM): New.
* sm/certlist.c (gpgsm_find_cert): Replace arg allow_ambiguous by a
generic flags arg.  Implement the new flag FIND_CERT_WITH_EPHEM.
* sm/call-dirmngr.c (inq_certificate): Return also ephemeral marked
certs.
--

The dirmngr may need to get a certificate from gpgsm's store in the
course of verifying a CRL.  In some cases the certificate is still
marked as epehemeral - this needs to be returned as well.

This _may_ also fix
GnuPG-bug-id: 4436
2023-02-26 19:14:22 +01:00
Andre Heinecke
1952a0e5e4
sm: Fix dirmngr loadcrl for intermediate certs
* sm/call-dirmngr.c (run_command_inq_cb): Support ISTRUSTED.
(inq_certificate): Distinguish unsupported inquiry error.

--
When loading a CRL through "gpgsm --call-dirmngr loadcrl foo"
dirmngr can ask gpgsm back if a certificate used ISTRUSTED, which
previously resulted in an error.

(cherry picked from commit 6b36c16f77722d17f4f317c788701cbc1e9552b2)
That commit was from the 2.2 branch and we forgot to forward port it.
2023-02-24 18:22:13 +01:00
Werner Koch
338a5ecaa1
sm: Fix compliance checking for ECC signature verification.
* common/compliance.c (gnupg_pk_is_compliant): Also consider the
gcrypt vids for ECDSA et al.
(gnupg_pk_is_allowed): Ditto.
* sm/verify.c (gpgsm_verify): Consider the curve.  Print a compliance
notice for a non-compliant key.

* sm/certchain.c (gpgsm_validate_chain): Silence the "switching to
chain model".
2023-01-12 20:52:27 +01:00
NIIBE Yutaka
f32d0c9c0f
build: Remove Windows CE support.
* agent/Makefile.am [HAVE_W32CE_SYSTEM]: Remove.
* am/cmacros.am [HAVE_W32CE_SYSTEM]: Remove.
* autogen.sh: Remove W32ce_ variables.
* configure.ac: Likewise.
* dirmngr/Makefile.am (extra_bin_ldflags): Remove.
* g10/Makefile.am [HAVE_W32CE_SYSTEM]: Remove.
* kbx/Makefile.am: Likewise.
* sm/Makefile.am (extra_bin_ldflags): Remove.
* tools/Makefile.am (extra_bin_ldflags): Remove.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-12-09 14:06:08 +09:00
Werner Koch
58819c024a
gpgsm: Print the revocation time also with --verify.
* sm/certchain.c (is_cert_still_valid): Print revocation reason.
2022-12-05 17:48:24 +01:00
Werner Koch
1c2bdd80b1
gpgsm: Fix "problem re-searching certificate" case.
* sm/keydb.c (keydb_set_cert_flags): Fix error test.
2022-12-05 17:30:26 +01:00
Werner Koch
b6abaed2b5
gpgsm: Print revocation date and reason in cert listings.
* dirmngr/ocsp.c (ocsp_isvalid): Add args r_revoked_at and
r_revocation_reason.
* dirmngr/server.c (cmd_isvalid): Emit a new REVOCATIONINFO status.
(cmd_checkocsp): Ditto.

* sm/call-dirmngr.c (struct isvalid_status_parm_s): Add new fields.
(isvalid_status_cb): Parse REVOCATIONINFO.
(gpgsm_dirmngr_isvalid): Add args r_revoked_at and
r_revocation_reason.

* sm/gpgsm.h (struct server_control_s): Add fields revoked_art and
revocation_reason.
* sm/keylist.c (list_cert_raw): Print revocation date.
(list_cert_std): Ditto.
--

Note that for now we do this only for OCSP because it is an important
piece of information when using the chain model.  For a sample key see
commit 7fa1d3cc821dca1ea8e1c80a0bdd527177c185ee.
2022-12-05 16:42:08 +01:00
Werner Koch
4f1b9e3abb
gpgsm: Silence the "non-critical certificate policy not allowed".
* sm/certchain.c (check_cert_policy): Print non-critical policy
warning only in verbose mode.
2022-12-05 14:31:45 +01:00
Werner Koch
7fa1d3cc82
gpgsm: Always use the chain model if the root-CA requests this.
* sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Do not use
option --force-default-responder.
* sm/certchain.c (is_cert_still_valid): Rename arg for clarity.
(gpgsm_validate_chain): Always switch to chain model.
--

The trustlist.txt may indicate that a root CA issues certificates
which shall be validated using the chain model.  This is for example
the case for qualified signatures.  Before this change we did this
only if the default shell model indicated that a certificate has
expired.  This optimization is technically okay but has one problem:
The chain model requires the use of OCSP but we switch to this only
when running the chain model validation.  To catch revoked
certificates using OCSP we need to always switch to the chain model
unless OCSP has been enabled anyway.

Note that the old --force-default-responder option is not anymore
used.

Test cases are certificates issued by

  # CN=TeleSec qualified Root CA 1
  # O=Deutsche Telekom AG
  # C=DE
  # 2.5.4.97=USt-IdNr. DE 123475223
  90:C6:13:6C:7D:EF:EF:E9:7C:C7:64:F9:D2:67:8E:AD:03:E5:52:96 \
    S cm qual relax

A sample revoked certificate is

-----BEGIN CERTIFICATE-----
MIIDTzCCAvSgAwIBAgIQIXfquQjq32B03CdaflIbiDAMBggqhkjOPQQDAgUAMHEx
CzAJBgNVBAYTAkRFMRwwGgYDVQQKDBNEZXV0c2NoZSBUZWxla29tIEFHMSMwIQYD
VQQDDBpUZWxlU2VjIFBLUyBlSURBUyBRRVMgQ0EgMTEfMB0GA1UEYQwWVVN0LUlk
TnIuIERFIDEyMzQ3NTIyMzAeFw0yMDA2MjIxMDQ1NDJaFw0yMzA2MjUyMzU5MDBa
MDAxCzAJBgNVBAYTAkRFMRUwEwYDVQQDDAxLb2NoLCBXZXJuZXIxCjAIBgNVBAUT
ATMwWjAUBgcqhkjOPQIBBgkrJAMDAggBAQcDQgAEbkEXUuXTriWOwqQhjlh11oCc
6Z8lQdQDz3zY/OEh8fMJS7AKBNo8zkpPKDJ2olPph18b1goEbLiqHQsPRPahDaOC
AaowggGmMB8GA1UdIwQYMBaAFP/0iep1rMXT0iQ0+WUqBvLM6bqBMB0GA1UdDgQW
BBQEI3xsIUDnoOx+gLYbG63v5/f9kjAOBgNVHQ8BAf8EBAMCBkAwDAYDVR0TAQH/
BAIwADAgBgNVHREEGTAXgRV3ZXJuZXIua29jaEBnbnVwZy5jb20wPQYDVR0gBDYw
NDAyBgcEAIvsQAECMCcwJQYIKwYBBQUHAgEWGWh0dHA6Ly9wa3MudGVsZXNlYy5k
ZS9jcHMwgYQGCCsGAQUFBwEBBHgwdjBLBggrBgEFBQcwAoY/aHR0cDovL3RxcmNh
MS5wa2kudGVsZXNlYy5kZS9jcnQvVGVsZVNlY19QS1NfZUlEQVNfUUVTX0NBXzEu
Y3J0MCcGCCsGAQUFBzABhhtodHRwOi8vcGtzLnRlbGVzZWMuZGUvb2NzcHIwXgYI
KwYBBQUHAQMEUjBQMAgGBgQAjkYBATAIBgYEAI5GAQQwOgYGBACORgEFMDAwLhYo
aHR0cHM6Ly93d3cudGVsZXNlYy5kZS9zaWduYXR1cmthcnRlL2FnYhMCZW4wDAYI
KoZIzj0EAwIFAANHADBEAiAqgB8gyZyj05CRdHD5KJcpG68DzQECYnYP6ZPasUYK
AQIgI1GtRMJWvFTIKsZpgY+ty0pRb5/K09fbmvaSAKFpv/I=
-----END CERTIFICATE-----
2022-12-05 14:25:04 +01:00
Werner Koch
2d8ac55d26
gpgsm: Change default algo to AES-256.
* sm/gpgsm.c (DEFAULT_CIPHER_ALGO): Change.
2022-12-01 10:12:21 +01:00
Werner Koch
d70779bdc6
dirmngr: Silence ocsp debug output.
* dirmngr/ocsp.c (check_signature_core): No debug output
--

Also typo and doc fixes.
2022-11-25 09:26:30 +01:00
Werner Koch
f5c3f13609
gpgsm: Fix colon outout of ECC encryption certificates
* sm/keylist.c (print_capabilities): Add arg algo and use it to check
for ECC capabilities.
(list_cert_colon): Call with algo.
--

This will mark certificates with only keyAgreement usage correctly in
the --with-colons listing.
2022-11-15 16:31:46 +01:00
Werner Koch
b71a14238d
gpgsm: Also announce AES256-CBC in signatures.
* sm/sign.c (gpgsm_sign): Add new capability.
--

It might be better to have this.  No concrete bug report, though.
2022-10-28 15:24:17 +02:00
Werner Koch
6bd0dd762c
gpgsm: Allow ECC encryption keys with just keyAgreement specified.
* sm/certlist.c (cert_usage_p): Allow keyAgreement for ECC.
* sm/fingerprint.c (gpgsm_is_ecc_key): New.
--

For ECC encryption keys keyAgreement is the keyUsage we want.
2022-10-25 11:57:23 +02:00
Werner Koch
50efcf2eb0
gpgsm: Use macro constants for cert_usage_p.
* sm/certlist.c (USE_MODE_): New.  Use them for easier reading.
2022-10-25 11:57:23 +02:00
NIIBE Yutaka
87d4338ed1
gpg,common,scd,sm: Function prototype fixes for modern compiler.
* common/gettime.c (gnupg_get_time): It has no arguments.
* common/signal.c (gnupg_block_all_signals): Likewise.
(gnupg_unblock_all_signals): Likewise.
* common/utf8conv.c (get_native_charset): Likewise.
* g10/cpr.c (is_status_enabled, cpr_enabled): Likewise.
* g10/getkey.c (getkey_disable_caches): Likewise.
* g10/keygen.c (ask_expiredate): Likewise.
* g10/passphrase.c (have_static_passphrase): Likewise.
(get_last_passphrase): Likewise.
* g10/tdbio.c (tdbio_is_dirty, tdbio_sync): Likewise.
(tdbio_get_dbname, open_db, tdbio_db_matches_options): Likewise.
(tdbio_read_nextcheck): Likewise.
* g10/trustdb.c (how_to_fix_the_trustdb): Likewise.
* scd/scdaemon.c (scd_get_socket_name): Likewise.
* sm/passphrase.c (have_static_passphrase): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-13 16:34:00 +09:00
Ingo Klöcker
a47b3a4087
sm: Fix reporting of bad passphrase error
* sm/minip12.c (p12_parse): Set badpass flag to result in ctx.
--

Fixes-commit: a4e04375e84ecb7ea0d02e153cb27988fca4c2d0
GnuPG-bug-id: 5713, 6037
2022-09-09 18:23:11 +02:00
Werner Koch
203dcc19eb
common: New common option no-autostart.
* common/comopt.c (opts): Add "no-autostart".
(parse_comopt): Set it.
* common/comopt.h (comopt): Add no_autostart.

* g10/gpg.c (main): Take care of the new option.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-connect-agent.c (INCLUDED_BY_MAIN_MODULE): Add.
(main): Parse common options and handle new option.
* tools/gpg-card.c (main): Ditto.
(cmd_yubikey): Fix minor error reporting issue.

* common/util.h (GNUPG_MODULE_NAME_CARD): New const.
* common/homedir.c (gnupg_module_name): Support it.
--

Having a global option makes it easier to use disable autostart on a
server which is required to use a remote gpg-agent reliable.
2022-08-22 12:05:02 +02:00
Werner Koch
52f9e13c0c
sm: Improve pkcs#12 debug output.
* sm/minip12.c (parse_shrouded_key_bag): Fix offset diagnostic.
(parse_cert_bag): Ditto.
(parse_bag_data): Remove debug output.  Pass startoffset.  Fix offset
diagnostic.
2022-06-20 17:24:55 +02:00
Werner Koch
a4e04375e8
sm: Rework the PKCS#12 parser to support DFN issued keys.
* sm/minip12.c (struct p12_parse_ctx_s): New.  Use this instead of
passing several parameters to most functions.
(parse_pag_data): Factor things out to  ...
parse_shrouded_key_bag): new.
(parse_cert_bag): New.
(parse_bag_data): New.
(p12_parse): Setup the parse context.
--

To support newer pkcs#12 files like those issued by the DFN we need to
support another ordering of data elements.  This rework reflects the
P12 data structure a bit better than our old ad-hoc hacks.  Tests could
only be done with the certificate parts and not the encrypted private
keys.

GnuPG-bug-id: 6037
2022-06-20 16:47:41 +02:00
Werner Koch
f0b373cec9
gpgsm: New option --compatibility-flags.
* sm/gpgsm.c (oCompatibilityFlags): New option.
(compatibility_flags): new.
(main): Parse and print them in verbose mode.
* sm/gpgsm.h (opt): Add field compat_glags.:
(COMPAT_ALLOW_KA_TO_ENCR): New.
* sm/keylist.c (print_capabilities): Take care of the new flag.
* sm/certlist.c (cert_usage_p): Ditto.
2022-06-13 17:50:26 +02:00
Werner Koch
d2d7a2b128
Remove remaining support for WindowsCE
--
2022-06-03 10:08:21 +02:00
Todd Zullinger
beb79f2705
sm: Use gpg_err_code() instead of -1
* sm/verify.c (gpgsm_verify): use gpg_err_code instead of 'rc == -1'
comparison.
--

In ed6ebb696e (sm: Implement initial support for keyboxd., 2020-09-10),
the return of keydb_search() was changed to use gpg_err_code().  Adjust
gpgsm_verify() to use it.  This provides a nicer error message to users
when a certificate is not found -- the same error that is seen from 2.2.

Prior to this change, when a cert was not found, gpgsm output:

    gpgsm: failed to find the certificate: Not found

as opposed to the more human-readable message from 2.2:

    gpgsm: certificate not found

They now return the same message.

Signed-off-by: Todd Zullinger <tmz@pobox.com>
2022-04-25 12:09:50 +02:00
Werner Koch
22fef189b1
w32: Do no use Registry item DefaultLogFile for the main tools.
* g10/gpg.c (main): Set LOG_NO_REGISTRY.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-connect-agent.c (main): Ditto.
* tools/gpgconf.c (main): Ditto.
(show_other_registry_entries): Print "DefaultLogFile".
--

The intention of this mostly forgotten registry entry was to allow for
easy debugging of the tools.  However, with the global config file
common.conf things are anyway better.  We disable the use for the
commonly used tools so that it does not look like calling gpg on the
command line seems to block with no output if the log
server (e.g. tcp://1.2.3.4:11111) is not reachable.
2022-04-20 09:30:56 +02:00
Werner Koch
137e59a6a5
sm: Print diagnostic about CRL problems due to Tor mode.
* dirmngr/crlfetch.c (crl_fetch, crl_fetch_default)
(ca_cert_fetch, start_cert_fetch): Factor Tor error out to ...
(no_crl_due_to_tor): new.  Print status note.

* dirmngr/ks-engine-ldap.c (ks_ldap_get)
(ks_ldap_search, ks_ldap_put): Factor Tor error out to ...
(no_ldap_due_to_tor): new.  Print status note.

* dirmngr/ocsp.c (do_ocsp_request): Print status note.
* sm/misc.c (gpgsm_print_further_info): New.
* sm/call-dirmngr.c (warning_and_note_printer): New.
(isvalid_status_cb): Call it.
(lookup_status_cb): Ditto.
(run_command_status_cb): Ditto.

* common/asshelp2.c (vprint_assuan_status): Strip a possible trailing
LF.

--
2022-04-11 17:57:14 +02:00
Werner Koch
198fad9fc1
doc: Typo fix in comment
--
2022-04-08 16:07:34 +02:00
NIIBE Yutaka
6c50834c09 sm: Fix parsing encrypted data.
* sm/minip12.c (cram_octet_string): Finish when N==0.
(parse_bag_encrypted_data): Support constructed data with multiple
octet strings.

--

GnuPG-bug-id: 5793
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-09 10:52:10 +09:00
Werner Koch
f8075257af
gpgsm: New option --require-compliance
* sm/gpgsm.c (oRequireCompliance): New.
(opts): Add --require-compliance.
(main): Set option.
* sm/gpgsm.h (opt): Add field require_compliance.
(gpgsm_errors_seen): Declare.
* sm/verify.c (gpgsm_verify): Emit error if non de-vs compliant.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
--
2022-03-08 19:28:16 +01:00
Werner Koch
7c8c606061
agent: New flag "qual" for the trustlist.txt.
* agent/trustlist.c (struct trustitem_s): Add flag "qual".
(read_one_trustfile): Rename arg "allow_include" to "systrust" and
change callers.  Parse new flag "qual".
(istrusted_internal): Print all flags.
* sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag.
* sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified".
* sm/certchain.c (do_validate_chain): Take care of the qualified flag.
2022-02-27 12:26:38 +01:00
NIIBE Yutaka
05fdaa1737 sm: Fix use of value NONE in gnupg_isotime_t type.
* common/gettime.h (GNUPG_ISOTIME_NONE): New.
* sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it.
* sm/certlist.c (gpgsm_add_to_certlist): Likewise.
* sm/import.c (check_and_store): Likewise.
* sm/keylist.c (list_cert_colon, list_cert_raw): Likewise.
(list_cert_std): Likewise.
* sm/sign.c (gpgsm_sign): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-02-18 11:11:12 +09:00
Werner Koch
e23dc755fa
sm: New option --ignore-cert-with-oid.
* sm/gpgsm.c (oIgnoreCertWithOID): New.
(opts): Add option.
(main): Store its value.
* sm/call-agent.c (learn_cb): Test against that list.
2022-02-03 14:17:10 +01:00
Werner Koch
623a427b0c
sm: Partly revert last commit.
* sm/gpgsm.c (set_debug): Remove doubled code.
--

It was already there; sorry.

Fixes-commit: 51edea995d352a7b557fb0315fa5091dc42065cb
2022-02-01 15:20:29 +01:00
Werner Koch
51edea995d
gpg,sm: Set --verbose and clear --quiet in debug mode.
* g10/gpg.c (set_debug): Tweak options.
* sm/gpgsm.c (set_debug): Ditto.
2022-02-01 15:13:13 +01:00
Werner Koch
f2d1187fcd
gpgsm: Retire the new --ldapserver.
* sm/gpgsm.c (oKeyServer_deprecated): New.
(opts): Assign "ldapserver" to the new option and mark it as obsolete.
--

We want to use "ldapserver" in dirmngr but need to keep using
"keyserver" in gpgsm for existant versions of Kleopatra etc.

GnuPG-bug-id: 5801
2022-01-27 15:23:42 +01:00
Werner Koch
0b4fdbd5f4
gpgconf: Return --ldapserver and --keyserver from dirmngr.
* dirmngr/dirmngr.c: Reorder two option groups.
* tools/gpgconf-comp.c (known_options_gpgsm): Rename "keyserver" to
"ldapserver" and set level to invisible.
(known_options_dirmngr): Add "ldapserver" at the basic level.
* sm/gpgsm.c (opts): No more help text for "ldapserver".
--

GnuPG-bug-id: 5800
2022-01-25 20:24:25 +01:00
Werner Koch
5f39db70c0
gpg,gpgsm: Add option --min-rsa-length.
* common/compliance.c (min_compliant_rsa_length): New.
(gnupg_pk_is_compliant): Take in account.
(gnupg_pk_is_allowed): Ditto.
(gnupg_set_compliance_extra_info): New.
* g10/gpg.c (oMinRSALength): New.
(opts): Add --min-rsa-length.
(main): Set value.
* g10/options.h (opt): Add field min_rsa_length.
* sm/gpgsm.c (oMinRSALength): New.
(opts): Add --min-rsa-length.
(main): Set value.
* sm/gpgsm.h (opt): Add field min_rsa_length.
2021-11-18 20:49:37 +01:00
Werner Koch
74c5b35062
sm: Detect circular chains in --list-chain.
* sm/keylist.c (list_cert_chain): Break loop for a too long chain.
--

This avoids endless loops in case of circular chain definitions.  We
use such a limit at other palces as well.  Example for such a chain is

# ------------------------ >8 ------------------------
           ID: 0xBE231B05
          S/N: 51260A931CE27F9CC3A55F79E072AE82
        (dec): 107864989418777835411218143713715990146
       Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
      Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
     sha2_fpr: 92:5E:4B:37:2B:A3:2E:5E:87:30:22:84:B2:D7:C9:DF:BF:82:00:FF:CB:A0:D1:66:03:A1:A0:6F:F7:6C:D3:53
     sha1_fpr: 31:93:78:6A:48:BD:F2:D4:D2:0B:8F:C6:50:1F:4D:E8:BE:23:1B:05
      md5_fpr: AC:F3:10:0D:1A:96:A9:2E:B8:8B:9B:F8:7E:09:FA:E6
      pgp_fpr: E8D2CA1449A80D784FB1532C06B1611DB06A1678
       certid: 610C27E9D37835A8962EA5B8368D3FBED1A8A15D.51260A931CE27F9CC3A55F79E072AE82
      keygrip: CFCA58448222ECAAF77EEF8CC45F0D6DB4E412C9
    notBefore: 2005-06-07 08:09:10
     notAfter: 2019-06-24 19:06:30
     hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
      keyType: rsa2048
    subjKeyId: ADBD987A34B426F7FAC42654EF03BDE024CB541A
    authKeyId: [none]
 authKeyId.ki: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
[...]

Certified by
           ID: 0xCE2E4C63
          S/N: 46EAF096054CC5E3FA65EA6E9F42C664
        (dec): 94265836834010752231943569188608722532
       Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
     sha2_fpr: 21:3F:AD:03:B1:C5:23:47:E9:A8:0F:29:9A:F0:89:9B:CA:FF:3F:62:B3:4E:B0:60:66:F4:D7:EE:A5:EE:1A:73
     sha1_fpr: 9E:99:81:7D:12:28:0C:96:77:67:44:30:49:2E:DA:1D:CE:2E:4C:63
      md5_fpr: 55:07:0F:1F:9A:E5:EA:21:61:F3:72:2B:8B:41:7F:27
      pgp_fpr: 922A6D0A1C0027E75038F8A1503DA72CF2C53840
       certid: 14673DA5792E145E9FA1425F9EF3BFC1C4B4957C.46EAF096054CC5E3FA65EA6E9F42C664
      keygrip: 10678FB5A458D99B7692851E49849F507688B847
    notBefore: 2005-06-07 08:09:10
     notAfter: 2020-05-30 10:48:38
     hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
      keyType: rsa2048
    subjKeyId: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
    authKeyId: [none]
 authKeyId.ki: ADBD987A34B426F7FAC42654EF03BDE024CB541A
     keyUsage: certSign crlSign
[...]

Which has a circular dependency on subKeyId/authkeyId.ki.
2021-11-15 17:51:38 +01:00
Werner Koch
255d4d5815
sm: Add LotW support to the key listing
* sm/certdump.c (parse_dn_part): Translate OID to "Callsign"
* sm/keylist.c (oidtranstbl): Some more OIDs.
--

This is Ham thingy to make it easier to read LotW certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-09-09 13:30:22 +02:00
Ingo Klöcker
08f227052f build: Fix "ksba.h not found" problem
* sm/Makefile.am (t_minip12_CFLAGS): Add KSBA_CFLAGS.
--

GnuPG-bug-id: 5592
2021-09-08 15:18:38 +02:00
NIIBE Yutaka
100c954ab0 sm: Fix pwri.
* sm/decrypt.c (pwri_parse_pbkdf2): Use int for digest algo.
(pwri_decrypt): Use int for cipher algo and digest algo.

--

Fixes-commit: 02029f9eab87e9fd667829dfb083846275576398
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-05 11:16:56 +09:00
Werner Koch
7cdd06af47
sm,w32: Fix Unicode problem on key box creation.
* sm/keydb.c (maybe_create_keybox): Replace access by gnupg_access
2021-07-29 11:51:25 +02:00
Werner Koch
89df86157e
sm: New option --ldapserver as an alias for --keyserver.
* sm/gpgsm.c (opts): Add option --ldapserver and make --keyserver an
alias.
--

We should use "keyserver" for OpenPGP and thus it is better to allow
for "ldapserver" here - it is the same convention as now used in
dirmngr.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d6df1bf84969bf5f5781e33bc1c2f6cb2aee0093)
2021-06-16 13:04:34 +02:00
Werner Koch
bebc71d229
gpg,sm: Simplify keyserver spec parsing.
* common/keyserver.h: Remove.
* sm/gpgsm.h (struct keyserver_spec): Remove.
(opt): Change keyserver to a strlist_t.
* sm/gpgsm.c (keyserver_list_free): Remove.
(parse_keyserver_line): Remove.
(main): Store keyserver in an strlist.
* sm/call-dirmngr.c (prepare_dirmngr): Adjust for the strlist.  Avoid
an ambiguity in dirmngr by adding a prefix if needed.

* g10/options.h (struct keyserver_spec): Move definition from
keyserver.h to here.  Remove most fields.
* g10/keyserver.c (free_keyserver_spec): Adjust.
(cmp_keyserver_spec): Adjust.
(parse_keyserver_uri): Simplify.
(keyidlist): Remove fakev3 arg which does not make any sense because
we don't even support v3 keys.
--

We now rely on the dirmngr to parse the keyserver specs.  Thus a bad
specification will not be caught immediately.  However, even before
that dirmngr had stricter tests.

Signed-off-by: Werner Koch <wk@gnupg.org>
Ported-from: 9f586700ec4ceac97fd47cd799878a8847342ffa
2021-06-16 12:03:13 +02:00
Werner Koch
6b76693ff5
sm: Fix finding of issuer in use-keyboxd mode.
* sm/keydb.c (struct keydb_local_s): Add field saved_search_result.
(keydb_push_found_state): Implement for keyboxd.
(keydb_pop_found_state): Ditto.
(keydb_get_cert): Do not release the cert so that the function can be
used again to get the same cert.  This is the same behaviour as in
pubring.kbx mode.

* sm/certchain.c, sm/import.c: Improve some error messages.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-11 20:15:32 +02:00
Werner Koch
4980fb3c6d
sm: Support AES-GCM decryption.
* tests/cms/samplemsgs/: Add sample messages.
* sm/gpgsm.c (main): Use gpgrt_fcancel on decryption error.
* sm/decrypt.c (decrypt_gcm_filter): New.
(gpgsm_decrypt): Use this filter if requested.  Check authtag.
--

Note that the sample message pwri-sample.gcm.p7m is broken: The
authtag is duplicated to the authEncryptedContentInfo.  I used a
temporary code during testing hack to that test message out.
2021-06-02 11:03:55 +02:00
Werner Koch
52bbdc731f
sm: Let --dump-cert --show-cert also print an OpenPGP fingerprint.
* sm/keylist.c (list_cert_raw): Print the OpenPGP fpr.
--

This is useful for debugging for example if an OpenPGP key is used to
create an X.509 cert.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-20 19:09:38 +02:00
Jakub Jelen
e6132bc9f4
sm: Avoid memory leaks and double double-free
* sm/certcheck.c (extract_pss_params): Avoid double free
* sm/decrypt.c (gpgsm_decrypt): goto leave instead of return
* sm/encrypt.c (encrypt_dek): release s_pkey
* sm/server.c (cmd_export): free list
(do_listkeys): free lists

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5393
2021-05-20 13:51:47 +02:00
Werner Koch
6dfae2f402
gpg: Use a more descriptive prompt for symmetric decryption.
* g10/keydb.h (GETPASSWORD_FLAG_SYMDECRYPT): New.
(passphrase_to_dek_ext): Remove this obsolete prototype.
* g10/passphrase.c (passphrase_get): Add arg flags.  Use new flag
value.
(passphrase_to_dek): Add arg flags and pass it on.
* g10/mainproc.c (proc_symkey_enc): Use new flag.

* sm/decrypt.c (pwri_decrypt): Use "passphrase".
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 03f83bcda5d1f8d8246bcc1afc603b7f74d0626b)

Note that we keep on using the term "passphrase" although "password"
would be better.  There are however so many occurance of this and
given it is a bike shedding topic we fix that in the PO files.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 19:48:15 +02:00
Werner Koch
eeb65d3bbd
sm: Ask for the password for password based decryption (pwri)
* sm/decrypt.c (pwri_decrypt): Add arg ctrl.  Ask for passphrase.

* sm/export.c (export_p12): Mark string as translatable.
* sm/import.c (parse_p12): Ditto.
--

This is finishes the support for PWRI.

The N_() marks are added so that we don't rely of the side-effect of
having the same strings in protect-tool.c

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 15:42:27 +02:00
Werner Koch
02029f9eab
sm: Support decryption of password based encryption (pwri)
* sm/decrypt.c (pwri_parse_pbkdf2): New.
(pwri_decrypt): New.
(prepare_decryption): Support pwri.
(gpgsm_decrypt): Test for PWRI.  Move IS_DE_VS flag to DFPARM.
--

Note that this is not finished because we need to implement a password
callback.  For now "abc" is used as passwort.

Latest libksba is also required to return the required info.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-14 18:56:10 +02:00
Werner Koch
f79e9540ca
keyboxd: Fix searching for exact mail addresses.
* kbx/kbxserver.c (cmd_search): Use the openpgp hack for calling
classify_user_id.
* kbx/backend-sqlite.c (run_select_statement): Remove angle brackets
in exact addrspec mode.
* g10/call-keyboxd.c (keydb_search): Do not duplicate the left angle
bracket.
* sm/keydb.c (keydb_search): Ditto.
--

Note that the openpgp hack flag of classify_user_id is actually a
misnomer because we actually hack a round a problem in gpgsm.  And it
is only over there that we don't set it there.  In keyboxd the flag
should be set.  And we need to remove the angle brackets of course
because that is how we create the addrspec column values.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-21 14:40:08 +02:00
Werner Koch
d153e4936e
gpg,sm: Ignore the log-file option from common.conf.
* g10/gpg.c (main): Don't use the default log file from common.conf.
* sm/gpgsm.c (main): Ditto.
--

That was acutally not intended and contradicts the description in
doc/example/common.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-21 14:40:08 +02:00
Werner Koch
51419d6341
sm: New command --show-certs
* sm/keylist.c (do_show_certs): New.
(gpgsm_show_certs): New.
* sm/gpgsm.c (aShowCerts): New.
(opts): Add --show-certs.
(main): Call gpgsm_show_certs.
--

I have been using libksba test programs for countless times to look at
certificates and I always wanted to add such a feature to gpgsm.  This
is simply much more convenient.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-20 09:37:56 +02:00
Werner Koch
5fe60576d5
build: Fix build problems on macOS for gpgsm tests and gpg-card.
* tools/gpg-card.c: Include ctype.h.
* sm/Makefile.am (t_common_ldadd): Add LIBICONV.
--

GnuPG-bug-id: 5400
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-19 20:17:39 +02:00
Werner Koch
d13c5bc244
gpg,gpgsm: Move use-keyboxd to the new conf file common.conf
* common/comopt.c, common/comopt.h: New.
* common/Makefile.am: Add them.
* g10/gpg.c: Include comopt.h.
(main): Also parse common.conf.
* sm/gpgsm.c: Include comopt.h.
(main): Set a flag for the --no-logfile option.  Parse common.conf.

* tools/gpgconf-comp.c (known_options_gpg): Remove "use-keyboxd", add
pseudo option "use_keyboxd".
(known_pseudo_options_gpg): Add pseudo option "use_keyboxd".
(known_options_gpgsm): Remove "use-keyboxd".

* tests/openpgp/defs.scm (create-gpghome): Create common.conf.

* doc/examples/common.conf: New.
--

Note that --use-keybox still works but prints a warning.  We will
eventually remove this option becuase it was marked as an experimental
feature anyway.

It would be too confusing if gpg and gpgsm use different key storages.
Further, other components (e.g. dirmngr or gpg-wks-client) which call
gpg or gpgsm need to be aware that the keyboxd is used and pass that
option on the command line.  Now that common.conf is always read (even
if --no-options is used) those tools will work instantly.
2021-04-19 11:33:19 +02:00
Werner Koch
c56926f773
sm: Add a few more OIDs to the table for nicer keylistings
--
2021-03-24 12:27:35 +01:00
Werner Koch
a4021d9be4
sm: Init nPth which might be used by some helper code.
* sm/gpgsm.c: Include npth.h.
(main): Init nPth.
--

Actually we currently do not use extra threads but we need to link to
the npth version of the common functions because there is an option to
use threads.  Now, without initialized npth, we could experience a
crash in gnupg_sleep, which uses npth_usleep in the npth based common
functions.

Fixes-commit: 046f419f806036248c058c4bd44368f8596287b7
2021-03-08 21:53:29 +01:00
Werner Koch
a170f0e73f
sm: Do not print certain issuer not found diags in quiet mode.
* sm/certchain.c (find_up_dirmngr): Print one diagnostic only in
verbose mode.  Do not print issuer not found diags in quiet mode.
* sm/minip12.c (parse_bag_data): Add missing verbose condition.
--

GnuPG-bug-id: 4757
2021-02-25 09:16:18 +01:00
Werner Koch
473b83d1b9
sm: Fix issuer certificate look error due to legacy error code.
* sm/certchain.c (find_up): Get rid of the legacy return code -1 and
chnage var name rc to err.
(gpgsm_walk_cert_chain): Change var name rc to err.
(do_validate_chain): Get rid of the legacy return code -1.
--

This was detected while fixing
GnuPG-bug-id: 4757
2021-02-25 09:00:38 +01:00
Werner Koch
615d2e4fb1
sm: Silence some output on --quiet
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose mode.
--

GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00