* sm/certlist.c (gpgsm_add_to_certlist): Track expired error. Make
the expired check easier to read by using if and case.
--
Original ChangeLog:
If all selected certificates are expired, don't mislead the user
saying that no certificate was found. Instead, return the error
of the first certificate selected.
* sm/certlist.c: if one expired certificate was found, don't return
no certificate found, return instead the expiration error
I heavily changed Ramon's original patch and hope that I don't
introduced a regression to his patch. - wk@gnupg.org
* sm/certchain.c (check_validity_period_cm): Add arg no_log_expired to
avoid bumping of the error counter due to the do_list function.
* sm/certlist.c (gpgsm_add_to_certlist): Set no_log_expired when
checking the expiration.
--
I modified the original patch to make the patch smaller and the code
easier to read. - wk@gnupg.org
* sm/certchain.c (check_validity_period_cm): Make function global.
* sm/certlist.c (gpgsm_add_to_certlist): If an expired certificate is
found, continue looking for another one.
--
This enables the user to select a certificate by subject, and keep
old expired certificates in the store in case he wishes to decrypt
or verify an old file. This makes renewal of certificate smoother.
Due to a broken patch I had to massage the patch and while doing this
also fixed the indentation and moved a declaration to the begin of a
block. - wk@gnupg.org
* agent/command.c (cmd_learn): Allow for s/n argument.
* agent/learncard.c (agent_handle_learn): Ditto.
* agent/call-scd.c (agent_card_learn): Ditto. Pass it on to scd.
* scd/command.c (cmd_switchcard): Factor most code out to ...
(switchcard_core): new.
(cmd_learn): Add option --demand to specify a s/n.
* sm/gpgsm.c (main): Allow a s/n argument for --learn-card.
--
This help Kleopatra to get a stable certificate listing.
GnuPG-bug-id: 7379
* sm/keylist.c (list_internal_keys): Detect write errors to the output
stream.
* sm/server.c (any_failure_printed): New var.
(gpgsm_status2): Handle new var. Move statusfp init to ...
(gpgsm_init_statusfp): new function.
(gpgsm_exit_failure_status): New.
* sm/gpgsm.c (main): Explicit statusfp init.
(gpgsm_exit): Print failure status on error.
--
Test by using
gpgsm -k >/dev/full
gpgsm -k --wit-colons >/dev/full
and also by redirecting to a file on a small partition.
GnuPG-bug-id: 6185
* dirmngr/crlcache.c (crl_cache_list): Print a summary of URLs.
* sm/call-dirmngr.c (gpgsm_dirmngr_run_command): Print a notice to
stdout if the dirmngr has been disabled.
--
GnuPG-bug-id: 7337
* sm/gpgsm.h (struct keyinfo_cache_item_s): New.
(struct server_control_s): Add keyinfo_cache and keyinfo_cache_valid.
* sm/call-agent.c (keyinfo_cache_disabled): New flag.
(release_a_keyinfo_cache): New.
(gpgsm_flush_keyinfo_cache): New.
(struct keyinfo_status_parm_s): New.
(keyinfo_status_cb): Implement a fill mode.
(gpgsm_agent_keyinfo): Implement a cache.
* sm/server.c (reset_notify): Flush the cache.
* sm/gpgsm.c (gpgsm_deinit_default_ctrl): Ditto.
--
In almost all cases we have just a few private keys in the agent and
thus it is better to fetch them early. This does not work in a
restricted connection but we take care and disable the cache in this
case.
This cache gives a a minor speed up.
GnuPG-bug-id: 7308
* sm/call-agent.c (struct istrusted_cache_s): New.
(istrusted_cache, istrusted_cache_valid): New.
(istrusted_cache_disabled): New.
(flush_istrusted_cache): New.
(struct istrusted_status_parm_s): New.
(istrusted_status_cb): Fill the cache.
(gpgsm_agent_istrusted): Implement a cache.
--
Not a really measurable performance improvements on Linux but maybe
somewhat on Windows (not yet tested). However, it does not clutter
the log files with IPC calls returning NOT_TRUSTED.
GnuPG-bug-id: 7308
* sm/minip12.c (parse_shrouded_key_bag): Increase size of salt buffer.
--
Reported on the mailing list. The change does not seem to have a big
regression risk, thus applied. See below for the mail
# ------------------------ >8 ------------------------
https://lists.gnupg.org/pipermail/gnupg-users/2024-September/067312.html
* sm/certchain.c (ask_marktrusted): Avoid fingerprint printing in
quiet mode
--
And also don't print it anymore after the agent told us that the
feature has been disabled.
* sm/gpgsm.h (COMPAT_NO_CHAIN_CACHE): New.
(struct cert_cache_item_s, cert_cache_item_t): New.
(struct server_control_s): Add parent_cert_cache.
* sm/gpgsm.c (compatibility_flags): Add "no-chain-cache".
(parent_cache_stats): New.
(gpgsm_exit): Print the stats with --debug=memstat.
(gpgsm_deinit_default_ctrl): Release the cache.
* sm/certchain.c (gpgsm_walk_cert_chain): Cache the certificates.
(do_validate_chain): Ditto.
--
This gives another boost of 30% (from 6.5 to 4.0 seconds in the test
environment with ~1000 certs). do_validate_chain actually brings us
the speedup becuase the gpgsm_walk_cert_chain is not used during a key
listing. For the latter we actually cache all certificates because
that was easier.
GnuPG-bug-id: 7308
* kbx/keybox-search.c (keybox_get_cert): Store the blob clags in the
cert object.
* sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral
flag if we know that it is not set.
--
GnuPG-bug-id: 7308
* common/tlv.h (TLV_PARSER_FLAG_T5793): New.
(tlv_parser_new): New macro. Rename function with an underscore.
(tlv_next_with_flag): New.
* common/tlv-parser.c (struct tlv_parser_s): Remove const from buffer.
Add fields crammed, lasttlv, and origoff. Remove bufferlist ands ist
definition.
(dump_to_file): New but disabled debug helper.
(parse_tag): Print more info on error.
(_tlv_parser_new): Add args lasttlv and LNO. Take a copy of the data.
(_tlv_parser_release): Free the copy of the buffer and return the
recorded TLV object from tlv_parser_new.
(_tlv_peek, tlv_parser_peek, _tlv_parser_peek_null): Remove.
(_tlv_push): Record crammed length.
(_tlv_pop): Restore crammed length.
(_tlv_parser_next): Add arg flags. More debug output. Handle cramming
here. Take care of cramming here.
(tlv_expect_object): Simplify to adjust for changes in _tlv_parser_next.
(tlv_expect_octet_string): Remove arg encapsulates. Adjust for
changes in _tlv_parser_next. Change all allers.
(tlv_expect_null): New.
(cram_octet_string): Rewrite.
(need_octet_string_cramming): Remove.
* sm/minip12.c (dump_to_file): New. Enablein debug mode and if a
envvar ist set. Replace all explict but disabled dumping to call this
function.
(parse_bag_encrypted_data): Replace tlv_peek_null and a peeking for an
optional SET by non-peeking code.
(parse_cert_bag): Ditto.
(parse_shrouded_key_bag): Replace tlv_peek_null by non-peeking code.
(parse_bag_encrypted_data): Use the new TLV_PARSER_FLAG_T5793 to
enable the Mozilla workaround.
(parse_bag_encrypted_data): Replace the 'renewed_tlv' code by the new
tlv_parser_release semantics.
(parse_shrouded_key_bag): Ditto.
(parse_shrouded_key_bag): Create a new context instead of using the
former encapsulated mechanism for tlv_expect_octet_string.
(parse_bag_data): Ditto.
(p12_parse): Ditto.
--
GnuPG-bug-id: 7213
Fixing this took way too long; I should have earlier explained the
code to a co-hacker to find the problem myself in my code by this.
* sm/t-minip12.c (cram_file): New.
(main): Add option --cram.
--
This is sometimes useful to convert constructed octet strings into
primitive octet strings.
* agent/genkey.c (do_check_passphrase_pattern): Use the gpgrt API.
* common/asshelp.c (start_new_service): Ditto.
* common/exechelp.h: Remove gnupg_process_spawn API.
* common/exechelp-posix.c: Remove gnupg_process_spawn implementation.
* common/exechelp-w32.c: Likewise.
* common/exectool.c (gnupg_exec_tool_stream): Use the gpgrt API.
* common/t-exechelp.c (test_pipe_stream): Remove.
* dirmngr/ldap-wrapper.c (destroy_wrapper, ldap_reaper_thread): Use
the gpgrt API.
(ldap_wrapper_connection_cleanup, ldap_wrapper): Ditto.
* dirmngr/ldap.c, g10/call-keyboxd.c: No need to include exechelp.h.
* g10/photoid.c (run_with_pipe, show_photo): Use the gpgrt API.
* g13/be-encfs.c (run_umount_helper, run_encfs_tool): Ditto.
* g13/g13.c, g13/mount.c, g13/runner.c: No need to include exechelp.h.
* scd/apdu.c: No need to include exechelp.h.
* scd/app.c (report_change): Use the gpgrt API.
* sm/export.c, sm/import.c: No need to include exechelp.h.
* tests/gpgscm/ffi.c (proc_object_finalize, proc_wrap)
(do_process_spawn_io, do_process_spawn_fd, do_process_wait): Use the
gpgrt API.
* tools/gpg-auth.c: No need to include exechelp.h.
* tools/gpg-card.c (cmd_gpg): Use the gpgrt API.
* tools/gpg-connect-agent.c: No need to include exechelp.h.
* tools/gpg-mail-tube.c (mail_tube_encrypt, prepare_for_appimage)
(start_gpg_encrypt): Use the gpgrt API.
* tools/gpgconf-comp.c (gpg_agent_runtime_change)
(scdaemon_runtime_change, tpm2daemon_runtime_change)
(dirmngr_runtime_change, keyboxd_runtime_change)
(gc_component_launch, gc_component_check_options)
(retrieve_options_from_program): Ditto.
* tools/gpgconf.c (show_versions_via_dirmngr): Ditto.
* tools/gpgtar-create.c (gpgtar_create): Ditto.
* tools/gpgtar-extract.c (gpgtar_extract): Ditto.
* tools/gpgtar-list.c (gpgtar_list): Ditto.
--
GnuPG-bug-id: 7192
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* sm/keylist.c (list_cert_colon): Rework listing of user IDs.
--
Only in colon mode this did not work. Note that an updated libksba is
anyway required to parse a certificate with an empty Subject.
GnuPG-bug-id: 7171
--
These are non-substantive corrections for minor spelling mistakes
within the GnuPG codebase.
With something like this applied to the codebase, and a judiciously
tuned spellchecker integrated as part of a standard test suite, it
should be possible to keep a uniform orthography within the project.
GnuPG-bug-id: 7116
* sm/certcheck.c (gpgsm_check_cms_signature): Do not free s_sig on
error. Its owned and freed by the caller.
--
This is part of
GnuPG-bug-id: 7129
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Fixes-commit: 969abcf40cdfc65f3ee859c5e62889e1a8ccde91
* sm/keydb.c (keydb_search): Init skipped.
--
Skipped is not actually used.
This is part of
GnuPG-bug-id: 7129
Reported-by: Jakub Jelen <jjelen@redhat.com>
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): Add a prompt for
extensions.
--
An example for an extension would be extKeyUsage for authentication:
2.5.29.37 n 301406082B0601050507030206082B06010505070301
* common/sysutils.c (no_translate_sys2libc_fd) [W32]: New global.
(disable_translate_sys2libc_fd): New.
(translate_sys2libc_fd): Make static and cobuild only for Windows.
(translate_sys2libc_fd_int): Use no_translate_sys2libc_fd flag.
* g10/gpg.c, sm/gpgsm.c (oDisableFdTranslation): New const.
(opts): Add option "disable-fd-translation".
(main): Set option.
--
GnuPG-bug-id: 7060
* agent/gpg-agent.c (parse_rereadable_options): Use make_filename_try
for opt.pinentry_program. Change definition accordingly.
* g10/gpg.c (main): Use make_filename for agent_program,
dirmngr_program, and keyboxd_program. Change definition accordingly.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-card.c (parse_arguments): Ditto.
* tools/gpg-connect-agent.c (main): Ditto.
* tools/gpg-wks-client.c (parse_arguments): Likewise. Do it also for
option --output.
(process_confirmation_request): Print a note for a successful sent.
--
GnuPG-bug-id: 7017
* sm/minip12.c (p12_parse): set err on the different error paths
--
GnuPG-bug-id: 6973
Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786
Signed-off-by: Ángel González <angel@pgp.16bits.net>
* sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2.
(parse_shrouded_key_bag): Handle a second private key.
(p12_parse_free_kparms): New.
* sm/import.c (parse_p12): Factor some code out to ...
(p12_to_skey): this.
(parse_p12): Use p12_parse_free_kparms.
--
Take care: We allow parsing of a second private key but we are not yet
able to import the second private key.
The whole things is required to at least import the certificates of
current pkcs#12 files as created by the German Elster tax system. No
test data, sorry.
* g10/call-keyboxd.c (keydb_default_status_cb): New.
(keydb_update_keyblock): Add new status callback.
(keydb_insert_keyblock): Ditto.
(keydb_delete_keyblock): Ditto.
(search_status_cb): Also try the new status callback.
* sm/keydb.c (keydb_default_status_cb): New.
(keydb_insert_cert): Add new status callback.
(keydb_delete): Ditto
(search_status_cb): Also try the new status callback.
--
GnuPG-bug-id: 6838
* g10/call-agent.c (agent_get_passphrase): Call
assuan_begin_confidential and assuan_end_confidential.
* sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto.
--
GnuPG-bug-id: 6654
The drawback of this solution is that we don't see any IPC lines from
the assuan_transact. Everything else would require larger changes to
libassuan.
* sm/encrypt.c (gpgsm_encrypt): Unify use of RC and ERR.
* sm/sign.c (gpgsm_sign): ditto.
--
Initially we didn't used the gpg_error_t thingy and while migrating
we sometimes used RC and ERR for tracking the error. This is pretty
error prone and thus we better remove it (after 20 years).
