1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

105 Commits

Author SHA1 Message Date
Werner Koch
6e041b7b35
sm: Add a couple of debug calls to the keydb module.
* sm/gpgsm.h (DBG_CLOCK_VALUE, DBG_CLOCK): New.
(DBG_LOOKUP_VALUE, DBG_LOOKUP): New.
* sm/gpgsm.c: new debug flags "lookup" and "clock"
* sm/keydb.c: Add log_clock calls to most functions.
(keydb_search_desc_dump): New.
(keydb_search) [DBG_LOOKUP]: Print descrh decription.
* sm/keylist.c (list_cert_std): Flush FP in debug mode to better
syncronize the output with the debug output
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-05-15 08:52:21 +02:00
Werner Koch
bdda31a26b
kbx: Unify the fingerprint search modes.
* kbx/keybox-search-desc.h (KEYDB_SEARCH_MODE_FPR16)
(KEYDB_SEARCH_MODE_FPR20, KEYDB_SEARCH_MODE_FPR32): Remove.  Switch
all users to KEYDB_SEARCH_MODE_FPR along with the fprlen value.
--

These search modes were added over time and there has until recently
be no incentive to remove the cruft.  With the change for v5 keys I
finally went over all places and allowed the generic fingerprint mode
along with a given length of the fingerprint at all places.
Consequently the other modes can now be removed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-14 14:55:06 +01:00
Werner Koch
86c241a8c9
sm: Print Yubikey attestation extensions with --dump-cert.
* sm/keylist.c (oidtranstbl): Add Yubikey OIDs.
(OID_FLAG_HEX): New.
(print_hex_extn): New.
(list_cert_raw): Make use of that flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-01 15:23:49 +01:00
Werner Koch
2c75af9f65
sm: Don't mark a cert as de-vs compliant if it leads to SHA-1 sigs.
* sm/keylist.c (print_compliance_flags): Also check the diges_also.
--

A certificate with algorithm sha1WithRSAEncryption can be de-vs
compliant (e.g. if the next in the chain used sha256WithRSAEncryption
to sign it and RSA is long enough) but flagging it as such is useless
because that certificate can't be used because it will create
signatures using the non-compliant SHA-1 algorithm.

Well, it could be used for encryption.  But also evaluating the
key-usage flags here would make it harder for the user to understand
why certain certificates are listed as de-vs compliant and others are
not.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-28 14:45:21 +01:00
Werner Koch
825abec0e7
gpg,sm: New option --with-key-screening.
* common/pkscreening.c: New.
* common/pkscreening.h: New.
* common/Makefile.am (common_sources): Add them.
* g10/gpg.c (opts): New option --with-key-screening.
* g10/options.h (struct opt): New field with_key_screening.
* g10/keylist.c: Include pkscreening.h.
(print_pk_screening): New.
(list_keyblock_print): Call it.
(print_compliance_flags): Call it.
* sm/gpgsm.c (opts): New option --with-key-screening.
* sm/gpgsm.h (scruct opt): New field with_key_screening.
* sm/keylist.c:  Include pkscreening.h.
(print_pk_screening): New.
(print_compliance_flags): Call it.  Add new arg cert.
(list_cert_colon): Pass arg cert
(list_cert_std): Call print_pk_screening.
* sm/fingerprint.c (gpgsm_get_rsa_modulus): New.
--

This new option can be used to detect ROCA affected keys.  To scan an
entire keyring and print the affected fingerprints use this:

  gpg -k --with-key-screening --with-colons | gawk -F: \
       '$1~/pub|sub|sec|ssb|crt/ && $18~/\<6001\>/ {found=1;next};
        $1=="fpr" && found {print $10}; {found=0}'

The same works for gpgsm.  Note that we need gawk due to the "\<" in
the r.e.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-17 21:10:19 +02:00
Werner Koch
69e579d785
sm: Fix colon listing of fields > 12 in crt records.
* sm/keylist.c (print_capabilities): Move colon printing ...
(list_cert_colon): to here.
--

Fixes-commit: 7af008bfe1641938a6c2c995cb065829fa05a693
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-17 20:56:55 +02:00
Werner Koch
0a8e20c4c6
sm: Always print the keygrip in colon mode.
* sm/keylist.c (list_cert_colon): Always print the keygrip as
described in the manual.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-08 13:05:50 +02:00
Justus Winter
8a012280e0
gpg,common: Move the compliance framework.
* common/Makefile.am (common_sources): Add new files.
* common/compliance.c: New file.  Move 'gnupg_pk_is_compliant' here,
and tweak it to not rely on types private to gpg.
* common/compliance.h: New file.  Move the compliance enum here.
* g10/keylist.c (print_compliance_flags): Adapt callsite.
* g10/main.h (gnupg_pk_is_compliant): Remove prototype.
* g10/misc.c (gnupg_pk_is_compliant): Remove function.
* g10/options.h (opt): Use the new compliance enum.
* sm/keylist.c (print_compliance_flags): Use the common functions.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-01 12:09:43 +02:00
NIIBE Yutaka
5c8fe54809 Spelling fixes in docs and comments.
--

In addition, fix trailing spaces in tests/inittests.

GnuPG-bug-id: 3121
Reported-by: ka7 (klemens)
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-28 10:06:33 +09:00
Werner Koch
fe0b37e123
gpg: Add new field no 18 to the colon listing.
* g10/misc.c (gnupg_pk_is_compliant): New.
* g10/keylist.c (print_compliance_flags): New.
(list_keyblock_colon): Call it here.
* sm/keylist.c (print_compliance_flags): New.
(list_cert_colon): Call it here.
--

This patch is to convey information about DE_VS compliant keys to the
caller.  The double digit value is used so that parsers do the right
thing and don't just look for a single digit.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-20 10:09:40 +01:00
NIIBE Yutaka
70aca95d68 Remove -I option to common.
* dirmngr/Makefile.am (AM_CPPFLAGS): Remove -I$(top_srcdir)/common.
* g10/Makefile.am (AM_CPPFLAGS): Ditto.
* g13/Makefile.am (AM_CPPFLAGS): Ditto.
* kbx/Makefile.am (AM_CPPFLAGS): Ditto.
* scd/Makefile.am (AM_CPPFLAGS): Ditto.
* sm/Makefile.am (AM_CPPFLAGS): Ditto.
* tools/Makefile.am (AM_CPPFLAGS): Ditto.
* Throughout: Follow the change.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-07 20:25:54 +09:00
Yuri Chornoivan
24cf0606b4 Clean up word replication.
--

This fixes extra word repetitions (like "the the" or "is is") in the
code and docs.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-21 13:11:46 -05:00
Werner Koch
5d13581f47
gpg,sm: Add STATUS_ERROR keydb_search and keydb_add-resource.
* g10/keydb.c (keydb_add_resource): Make ANY_REGISTERED
file-global.  Write a STATUS_ERROR.
(maybe_create_keyring_or_box): Check for non-accessible but existant
file.
(keydb_search): Write a STATUS_ERROR if no keyring has been registered
but continue to return NOT_FOUND.
* sm/keydb.c (keydb_add_resource): Rename ANY_PUBLIC to ANY_REGISTERED
and make file-global.  Write a STATUS_ERROR.
(keydb_search): Write a STATUS_ERROR if no keyring has been registered
but continue to return NOT_FOUND.  Also add new arg CTRL and change
all callers to pass it down.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-10 17:07:28 +01:00
Werner Koch
c8044c6e33
sm: Remove unused arg SECRET from keydb functions.
* sm/keydb.c (struct resource_item): Remove field 'secret'.
(keydb_add_resource): Remove arg 'secret' and change all callers.
(keydb_new): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-10 17:04:03 +01:00
Werner Koch
4d7dc432b5
Change all http://www.gnu.org in license notices to https://
--
2016-11-05 12:02:19 +01:00
Justus Winter
40365b28c3 gpgsm: Fix machine-readable key listing.
* sm/keylist.c (list_cert_colon): Drop superfluous colon.

GnuPG-bug-id: 2432
Signed-off-by: Justus Winter <justus@g10code.com>
2016-08-01 12:32:36 +02:00
Werner Koch
be07ed65e1 Add new option --with-secret.
* g10/gpg.c: Add option --with-secret.
* g10/options.h (struct opt): Add field with_secret.
* g10/keylist.c (public_key_list): Pass opt.with_secret to list_all
and list_one.
(list_all, list_one): Add arg mark_secret.
(list_keyblock_colon): Add arg has_secret.
* sm/gpgsm.c: Add option --with-secret.
* sm/server.c (option_handler): Add option "with-secret".
* sm/gpgsm.h (server_control_s): Add field with_secret.
* sm/keylist.c (list_cert_colon): Take care of with_secret.  Also move
the token string from the wrong field 14 to 15.
--

This option is useful for key managers which need to know whether a
key has a secret key.  This change allows to collect this information
in one pass.
2014-06-03 21:35:59 +02:00
Werner Koch
096e7457ec Change all quotes in strings and comments to the new GNU standard.
The asymmetric quotes used by GNU in the past (`...') don't render
nicely on modern systems.  We now use two \x27 characters ('...').

The proper solution would be to use the correct Unicode symmetric
quotes here.  However this has the disadvantage that the system
requires Unicode support.  We don't want that today.  If Unicode is
available a generated po file can be used to output proper quotes.  A
simple sed script like the one used for en@quote is sufficient to
change them.

The changes have been done by applying

  sed -i "s/\`\([^'\`]*\)'/'\1'/g"

to most files and fixing obvious problems by hand.  The msgid strings in
the po files were fixed with a similar command.
2012-06-05 19:29:22 +02:00
Werner Koch
8a12a2000d gpgsm: Add new validation model "steed".
* sm/gpgsm.h (VALIDATE_FLAG_STEED): New.
* sm/gpgsm.c (gpgsm_parse_validation_model): Add model "steed".
* sm/server.c (option_handler): Allow validation model "steed".
* sm/certlist.c (gpgsm_cert_has_well_known_private_key): New.
* sm/certchain.c (do_validate_chain): Handle the
well-known-private-key attribute.  Support the "steed" model.
(gpgsm_validate_chain): Ditto.
* sm/verify.c (gpgsm_verify): Return "steed" in the trust status line.
* sm/keylist.c (list_cert_colon): Print the new 'w' flag.
--

This is the first part of changes to implement the STEED proposal as
described at http://g10code.com/steed.html .  The idea for X.509 is
not to use plain self-signed certificates but certificates signed by a
dummy CA (i.e. one for which the private key is known).  Having a
single CA as an indication for the use of STEED might help other X.509
implementations to implement STEED.
2011-12-07 16:15:15 +01:00
Werner Koch
5cdad8ff00 gpgsm: Allow arbitrary extensions for cert creation.
* sm/certreqgen.c (pSUBJKEYID, pEXTENSION): New.
(read_parameters): Add new keywords.
(proc_parameters): Check values of new keywords.
(create_request): Add SubjectKeyId and extensions.
(parse_parameter_usage): Support "cert" and the encrypt alias "encr".
2011-12-06 19:57:27 +01:00
Werner Koch
5da12674ea Fix regression in gpg's mail address parsing.
Since 2009-12-08 gpg was not able to find email addresses indicated
by a leading '<'.  This happened when I merged the user id
classification code of gpgsm and gpg.
2011-04-25 23:59:25 +02:00
Werner Koch
28c157b55c Support X.509 certificate creation.
Using "gpgsm --genkey" allows the creation of a self-signed
certificate via a new prompt.

Using "gpgsm --genkey --batch" should allow the creation of arbitrary
certificates controlled by a parameter file.  An example parameter file
is

    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: 2C50DC6101C10C9C643E315FE3EADCCBC24F4BEA
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=some test key
    Name-Email: foo@example.org
    Name-Email: bar@exmaple.org
    Hash-Algo: SHA384
    not-after: 2038-01-16 12:44

This creates a self-signed X.509 certificate using the key given by
the keygrip and using SHA-384 as hash algorithm.  The keyword
signing-key can be used to sign the certificate with a different key.
See sm/certreggen.c for details.
2011-03-01 14:42:56 +01:00
Werner Koch
b008274afd Nuked almost all trailing white space.
We better do this once and for all instead of cluttering all future
commits with diffs of trailing white spaces.  In the majority of cases
blank or single lines are affected and thus this change won't disturb
a git blame too much.  For future commits the pre-commit scripts
checks that this won't happen again.
2011-02-04 12:57:53 +01:00
Werner Koch
a78335c9ce Add new option --with-keygrip 2010-10-08 11:11:08 +00:00
Werner Koch
8459bcf95a Various changes to eventually support openpgp keys in pgp-agent.
Comment fixes.
Minor chnages in preparation of a W32CE port.
2010-02-02 14:06:19 +00:00
Werner Koch
9a96043be4 Unification of the search descriptor usage. 2009-12-08 16:30:33 +00:00
Marcus Brinkmann
7af008bfe1 2009-07-29 Marcus Brinkmann <marcus@g10code.com>
* keylist.c (print_capabilities): Print a trailing colon.
2009-07-29 16:05:49 +00:00
Werner Koch
7d92a25561 Print the card's S/N in a secret key listing. 2009-04-02 07:20:35 +00:00
Werner Koch
ceb42db4dd Print NO_SECKEY status line in gpgsm.
This fixes bug#1020.
2009-03-25 16:05:16 +00:00
Werner Koch
36d681d98e Fix keygrip computation for TCOS 3 cards.
Emit PROGRESS status lines during --learn-card.
2009-03-20 19:04:47 +00:00
Werner Koch
a3b63ac1dc Add server option with-ephemeral-keys.
Extend SCD LEARN command.
2009-03-18 11:18:56 +00:00
Werner Koch
a9c317a95c New gpg-agent command to list key information.
Gpgsm does now print the S/N of cards.
Consider ephemeral keys during listing an export.
2009-03-06 17:31:27 +00:00
Werner Koch
7ddd27a836 Minor fixes 2009-01-12 10:08:55 +00:00
Werner Koch
12366d1e81 Help dirmngr to use supplied trust anchors. 2008-10-21 15:03:51 +00:00
Werner Koch
0a5f742466 Marked all unused args on non-W32 platforms. 2008-10-20 13:53:23 +00:00
Werner Koch
7b81a6b074 Print a 'f' for validated non-root certificates in gpgsm colon style listing.
Doc fixes.
2008-08-13 15:41:48 +00:00
Werner Koch
e253f0cb55 Minor fixes. 2008-06-26 19:21:45 +00:00
Werner Koch
a6a9181818 Start support of TCOS 3 cards.
Support restriction attribute.
Fix utf-8 printing problems.
Use AES by default.
2008-06-26 19:09:07 +00:00
Werner Koch
4254e90426 Fixed bug#907.
Fixed a segv in keybox and made it more robust.
2008-05-06 14:03:36 +00:00
Werner Koch
6a78bca874 Fixed an email/DN bug.
Changed pinentry prompts.
2008-03-13 08:46:08 +00:00
Werner Koch
0819c1e8ca Always search missing certifcates using a running Dirmngr's cache. 2008-02-13 16:47:14 +00:00
Marcus Brinkmann
8ac61bc708 2008-01-29 Marcus Brinkmann <marcus@g10code.de>
* keylist.c (list_internal_keys): New variable lastcert.  Use it
	to suppress duplicates which immediately follow each other.
2008-01-30 17:21:28 +00:00
Werner Koch
c3b9005ec3 Typo fixes.
Portability fix for asschk.c
2008-01-26 22:12:23 +00:00
Werner Koch
74d344a521 Implemented the chain model for X.509 validation. 2007-08-10 16:52:05 +00:00
Werner Koch
93d3811abc Changed to GPLv3.
Removed intl/.
2007-07-04 19:49:40 +00:00
Werner Koch
12cc96a176 kbx/
* keybox.h (KEYBOX_FLAG_BLOB_SECRET, KEYBOX_FLAG_BLOB_EPHEMERAL):
	New.
	* keybox-update.c (keybox_compress): Use it here instead of a
	magic constant.
sm/
	* fingerprint.c (gpgsm_get_fingerprint): Add caching.
	(gpgsm_get_fingerprint_string): Use bin2hexcolon().
	(gpgsm_get_fingerprint_hexstring): Use bin2hex and allocate only
	as much memory as required.
	(gpgsm_get_keygrip_hexstring): Use bin2hex.

	* certchain.c (gpgsm_validate_chain): Keep track of the
	certificate chain and reset the ephemeral flags.
	* keydb.c (keydb_set_cert_flags): New args EPHEMERAL and MASK.
	Changed caller to use a mask of ~0.  Return a proper error code if
	the certificate is not available.
2007-03-20 16:57:40 +00:00
Werner Koch
12b661166c Changes to let the key listing use estream to help systems without
funopen.
2007-03-19 14:35:04 +00:00
Werner Koch
0f49adb44e Preparing a release 2006-10-18 17:19:08 +00:00
Werner Koch
4b48bcacc9 Fix for bug 537 2006-10-02 11:54:35 +00:00
Werner Koch
d94faf4a3d New "relax" option for trustlist.txt 2006-09-25 18:29:20 +00:00