* dirmngr/validate.c (pk_algo_from_sexp): Make public. Support ECC.
* dirmngr/ocsp.c (check_signature): Remove hash preparation out to ...
(check_signature_core): here. This changes the arg s_hash to md.
Support ECDSA.
--
The test was done with my qualified signature certificate from the
Telesec and their responder http://tqrca1.ocsp.telesec.de/ocspr .
See also libksba commit rK24992a4a7a61d93759e1dbd104b845903d4589bf
(cherry picked from commit 890e9849b5)
* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove
(VALIDATE_FLAG_EXTRATRUST): Remove
(VALIDATE_FLAG_TRUST_SYSTEM): New.
(VALIDATE_FLAG_TRUST_CONFIG): New.
(VALIDATE_FLAG_TRUST_HKP): New.
(VALIDATE_FLAG_TRUST_HKPSPOOL): New.
(VALIDATE_FLAG_MASK_TRUST): New.
* dirmngr/validate.c (check_header_constants): New.
(validate_cert_chain): Call new function. Simplify call to
is_trusted_cert.
* dirmngr/crlcache.c (crl_parse_insert): Pass
VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain
* dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and
VALIDATE_FLAG_TRUST_CONFIG.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS
context. Set trustclass flags using the new VALIDATE_FLAG_TRUST
values.
* dirmngr/certcache.c (cert_cache_init): Load the standard pool
certificate prior to the --hkp-cacerts.
--
Note that this changes the way the standard cert is used: We require
that it is installed at /usr/share/gnupg and we do not allow to change
it. If this is not desired, the the standard cert can be removed or
replaced by a newer one.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/validate.c (enum cert_usage_modes): New.
(cert_usage_p): Change type of arg MODE. Use enums instead of
hardwired values. Use a switch instead of tricky bit tests.
(cert_use_cert_p, cert_use_ocsp_p, cert_use_crl_p): Adjust.
* dirmngr/validate.c (cert_usage_p): Rename to check_cert_usage.
(cert_use_cert_p): Rename to check_cert_use_cert.
(cert_use_ocsp_p): Rename to check_cert_use_ocsp.
(cert_use_crl_p): Rename to check_cert_use_crl.
* dirmngr/validate.h (VALIDATE_MODE_CERT_SYSTRUST): New.
(VALIDATE_MODE_TLS, VALIDATE_MODE_TLS_SYSTRUST): New.
--
A function with a "_p" suffix return 0 for a True just looks weird.
We now use names which better indicate that an error code is returned.
Signed-off-by: Werner Koch <wk@gnupg.org>