* sm/import.c (parse_p12): Support ECC import.
--
Although I extended the parser and its test the actual import
missed the required code.
GnuPG-bug-id: 6253
Backported-from-master: 8dfef5197a
* sm/certchain.c (find_up): Get rid of the legacy return code -1 and
chnage var name rc to err.
(gpgsm_walk_cert_chain): Change var name rc to err.
(do_validate_chain): Get rid of the legacy return code -1.
* sm/keydb.c (keydb_search): Replace return code -1 by
GPG_ERR_NOT_FOUND.
(keydb_set_cert_flags): Replace return code -1 by GPG_ERR_NOT_FOUND.
* sm/certchain.c (find_up_search_by_keyid): Ditto.
(find_up_external, find_up, find_up_dirmngr): Ditto.
(gpgsm_walk_cert_chain): Ditto.
(get_regtp_ca_info): Ditto.
* sm/certlist.c (gpgsm_add_to_certlist): Ditto.
(gpgsm_find_cert): Ditto.
* sm/delete.c (delete_one): Ditto.
* sm/export.c (gpgsm_export): Ditto.
(gpgsm_p12_export): Ditto.
* sm/import.c (gpgsm_import_files): Ditto.
* sm/keylist.c (list_cert_colon): Ditto.
(list_internal_keys): Ditto.
* sm/sign.c (add_certificate_list): Ditto.
--
This bug was detected while fixing
GnuPG-bug-id: 4757
Backported-from-master: 473b83d1b9
Some extra code has been taken from
commit ed6ebb696e
* sm/minip12.c: Update from master.
* sm/import.c (parse_p12): Pass NULL for curve.
--
Over the last years we had a couple of changes not backported to 2.2.
However, to support DFN p12 files and probably other p12 files we need
to update the minip12.c module. Instead of picking commits we take
the module verbatim, which is relatively easy because it was
originally designed to be a standalone module.
Summary of commits taken from master:
sm: Improve pkcs#12 debug output.
sm: Rework the PKCS#12 parser to support DFN issued keys.
sm: Fix parsing encrypted data.
sm: Do not print certain issuer not found diags in quiet mode.
sm: Silence some output on --quiet
sm: Replace all assert calls by log_assert.
doc: Typo fixes in code comments
sm: Add support to export ECC private keys.
Detailed log messages for those commits:
commit 52f9e13c0c
sm: Improve pkcs#12 debug output.
* sm/minip12.c (parse_shrouded_key_bag): Fix offset diagnostic.
(parse_cert_bag): Ditto.
(parse_bag_data): Remove debug output. Pass startoffset.
Fix offset diagnostic.
commit a4e04375e8
sm: Rework the PKCS#12 parser to support DFN issued keys.
* sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of
passing several parameters to most functions.
(parse_pag_data): Factor things out to ...
parse_shrouded_key_bag): new.
(parse_cert_bag): New.
(parse_bag_data): New.
(p12_parse): Setup the parse context.
To support newer pkcs#12 files like those issued by the DFN we
need to support another ordering of data elements. This rework
reflects the P12 data structure a bit better than our old ad-hoc
hacks. Tests could only be done with the certificate parts and
not the encrypted private keys.
GnuPG-bug-id: 6037
commit 6c50834c09
sm: Fix parsing encrypted data.
* sm/minip12.c (cram_octet_string): Finish when N==0.
(parse_bag_encrypted_data): Support constructed data with multiple
octet strings.
GnuPG-bug-id: 5793
commit a170f0e73f
sm: Do not print certain issuer not found diags in quiet mode.
* sm/certchain.c (find_up_dirmngr): Print one diagnostic only in
verbose mode. Do not print issuer not found diags in quiet mode.
* sm/minip12.c (parse_bag_data): Add missing verbose condition.
GnuPG-bug-id: 4757
commit 615d2e4fb1
sm: Silence some output on --quiet
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose
mode.
GnuPG-bug-id: 4757
commit 9ee975d588
gpgsm: Replace all assert calls by log_assert.
commit 9bc9d0818b
doc: Typo fixes in code comments
commit 5da6925a33
sm: Add support to export ECC private keys.
* sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and
openpgpdefs.h. Remove the class and tag constants and replace
them by those from tlv.h.
(builder_add_oid, builder_add_mpi): New.
(build_key_sequence): Rename to ...
(build_rsa_key_sequence): this.
(build_ecc_key_sequence): New.
(p12_build): Call RSA or ECC builder.
(p12_raw_build): Ditto.
* sm/export.c (gpgsm_p12_export): Use correct armor header for ECC.
(sexp_to_kparms): Support ECC.
GnuPG-bug-id: 4921
* sm/decrypt.c (pwri_decrypt): Add arg ctrl. Ask for passphrase.
* sm/export.c (export_p12): Mark string as translatable.
* sm/import.c (parse_p12): Ditto.
--
This is finishes the support for PWRI.
The N_() marks are added so that we don't rely of the side-effect of
having the same strings in protect-tool.c
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit eeb65d3bbd)
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose mode.
--
GnuPG-bug-id: 4757
* common/logging.c (log_printhex): Chnage order of args. Make it
printf alike. Change all callers.
* configure.ac: Add -Wno-format-zero-length
--
This makes it consistent with modern libgpgrt logging and thus eases
back porting from newer GnuPG versions which use libgpgrt logging.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/ksba-io-support.c: Include ksba-io-support.h instead of
../sm/gpgsm.h. Include util.h.
(writer_cb_parm_s): Remove const from 'pem_name'.
(gpgsm_destroy_writer): Free 'pem_name'.
(gpgsm_create_reader): Rename to ...
(gnupg_ksba_create_reader): this. Replace args CTRL and
ALLOW_MULTI_PEM by a new arg FLAGS. Change the code to evaluate
FLAGS. Change all callers to pass the FLAGS.
(gpgsm_create_writer): Rename to ...
(gnupg_ksba_create_writer): this. Replace arg CTRL by new arg FLAGS.
Add arg PEM_NAME. Evaluate FLAGS. Store a copy of PEM_NAME. Change
all callers to pass the FLAGS and PEM_NAME.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keydb.c (keydb_add_resource): Make ANY_REGISTERED
file-global. Write a STATUS_ERROR.
(maybe_create_keyring_or_box): Check for non-accessible but existant
file.
(keydb_search): Write a STATUS_ERROR if no keyring has been registered
but continue to return NOT_FOUND.
* sm/keydb.c (keydb_add_resource): Rename ANY_PUBLIC to ANY_REGISTERED
and make file-global. Write a STATUS_ERROR.
(keydb_search): Write a STATUS_ERROR if no keyring has been registered
but continue to return NOT_FOUND. Also add new arg CTRL and change
all callers to pass it down.
Signed-off-by: Werner Koch <wk@gnupg.org>
Since 2009-12-08 gpg was not able to find email addresses indicated
by a leading '<'. This happened when I merged the user id
classification code of gpgsm and gpg.
We better do this once and for all instead of cluttering all future
commits with diffs of trailing white spaces. In the majority of cases
blank or single lines are affected and thus this change won't disturb
a git blame too much. For future commits the pre-commit scripts
checks that this won't happen again.
* keybox.h (KEYBOX_FLAG_BLOB_SECRET, KEYBOX_FLAG_BLOB_EPHEMERAL):
New.
* keybox-update.c (keybox_compress): Use it here instead of a
magic constant.
sm/
* fingerprint.c (gpgsm_get_fingerprint): Add caching.
(gpgsm_get_fingerprint_string): Use bin2hexcolon().
(gpgsm_get_fingerprint_hexstring): Use bin2hex and allocate only
as much memory as required.
(gpgsm_get_keygrip_hexstring): Use bin2hex.
* certchain.c (gpgsm_validate_chain): Keep track of the
certificate chain and reset the ephemeral flags.
* keydb.c (keydb_set_cert_flags): New args EPHEMERAL and MASK.
Changed caller to use a mask of ~0. Return a proper error code if
the certificate is not available.
directories default to c:/gnupg. Require libassuan 0.6.9.
* gpg-agent.c (main) [W32]: Now that Mutexes work we can remove
the pth_init kludge.
(main): Add new options --[no-]use-standard-socket.
(check_for_running_agent): Check whether it is running on the
standard socket.
* sysutils.h [W32]: Define sleep.
* util.h: Add prototype for mkdtemp.
* call-agent.c (start_agent): Before starting a pipe server start
to connect to a server on the standard socket. Use PATHSEP
* call-dirmngr.c (start_dirmngr): Use PATHSEP.
* import.c: Include unistd.h for dup and close.
* gpgsm.c (run_protect_tool) [_WIN32]: Disabled.
* import.c (popen_protect_tool): Simplified by making use of
gnupg_spawn_process.
(parse_p12): Likewise, using gnupg_wait_process.
* export.c (popen_protect_tool): Ditto.
(export_p12): Ditto.
passphrase has been given.
* gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the
expected pinentry filename.
* import.c (parse_p12): Write an error status line for bad
passphrases. Add new arg CTRL and changed caller.
* export.c (export_p12): Likewise.
--with-validation is set.
* certchain.c (gpgsm_basic_cert_check): Print more detailed error
messages.
* certcheck.c (do_encode_md): Partly support DSA. Add new arg
PKALGO. Changed all callers to pass it.
(pk_algo_from_sexp): New.
tests/pkits: New directory
(store_private_key): Print status messages for imported keys.
(read_and_unprotect): Ditto for bad passphrase.
* import.c (check_and_store): Do not update the stats for hidden
imports of issuer certs.
(popen_protect_tool): Request statusmessages from the protect-tool.
(parse_p12): Detect status messages. Add new arg STATS and update them.
(print_imported_summary): Include secret key stats.
Introduce PACKAGE_GT and set it to gnupg2.
* gpg-agent.c (main): Use new libgcrypt thread library register
scheme.
* Makevars (DOMAIN): Init from PACKAGE_GT