dirmngr/src (6 files)
cvs user wk
cvs at cvs.gnupg.org
Wed Dec 15 23:07:35 CET 2004
Date: Wednesday, December 15, 2004 @ 23:11:59
Author: wk
Path: /cvs/dirmngr/dirmngr/src
Modified: ChangeLog certcache.h crlcache.c dirmngr.c ldap.c validate.c
* ldap.c (ldap_wrapper): Print a diagnostic after forking for the
ldap wrapper.
* certcache.h (find_cert_bysn): Add this prototype.
* crlcache.c (start_sig_check): Write CRL hash debug file.
(finish_sig_check): Dump the signer's certificate.
(crl_parse_insert): Try to get the issuing cert by authKeyId.
Moved certificate retrieval after item processing.
-------------+
ChangeLog | 10 ++++++
certcache.h | 5 +++
crlcache.c | 85 ++++++++++++++++++++++++++++++++++++++++++----------------
dirmngr.c | 2 -
ldap.c | 3 +-
validate.c | 4 +-
6 files changed, 82 insertions(+), 27 deletions(-)
Index: dirmngr/src/ChangeLog
diff -u dirmngr/src/ChangeLog:1.35 dirmngr/src/ChangeLog:1.36
--- dirmngr/src/ChangeLog:1.35 Mon Dec 13 16:16:35 2004
+++ dirmngr/src/ChangeLog Wed Dec 15 23:11:59 2004
@@ -1,3 +1,13 @@
+2004-12-15 Werner Koch <wk at g10code.com>
+
+ * ldap.c (ldap_wrapper): Print a diagnostic after forking for the
+ ldap wrapper.
+ * certcache.h (find_cert_bysn): Add this prototype.
+ * crlcache.c (start_sig_check): Write CRL hash debug file.
+ (finish_sig_check): Dump the signer's certificate.
+ (crl_parse_insert): Try to get the issuing cert by authKeyId.
+ Moved certificate retrieval after item processing.
+
2004-12-13 Werner Koch <wk at g10code.com>
* dirmngr_ldap.c (catch_alarm, set_timeout): new.
Index: dirmngr/src/certcache.h
diff -u dirmngr/src/certcache.h:1.5 dirmngr/src/certcache.h:1.6
--- dirmngr/src/certcache.h:1.5 Fri Dec 3 15:42:36 2004
+++ dirmngr/src/certcache.h Wed Dec 15 23:11:59 2004
@@ -62,6 +62,11 @@
ksba_cert_t get_cert_byissuer (const char *issuer_dn, unsigned int seq);
+/* Return the certificate matching ISSUER_DN and SERIALNO; if it is
+ not already in the cache, try to find it from other resources. */
+ksba_cert_t find_cert_bysn (ctrl_t ctrl,
+ const char *issuer_dn, ksba_sexp_t serialno);
+
/* Given the certificate CERT locate the issuer for this certificate
and return it at R_CERT. Returns 0 on success or
GPG_ERR_NOT_FOUND. */
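Review bot: The new prototype comment on `find_cert_bysn` does not state what the function returns when no certificate can be found, nor who owns the returned object, whereas the neighbouring `get_cert_byissuer`/issuer-locator comments in this header spell out their error semantics. The caller added in crlcache.c treats a NULL result as "not found", so the comment could say so explicitly, e.g. `Returns NULL if no matching certificate is found. The caller owns the returned certificate (presumably to be released with ksba_cert_release — confirm against the implementation).`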
Index: dirmngr/src/crlcache.c
diff -u dirmngr/src/crlcache.c:1.51 dirmngr/src/crlcache.c:1.52
--- dirmngr/src/crlcache.c:1.51 Fri Dec 3 15:42:36 2004
+++ dirmngr/src/crlcache.c Wed Dec 15 23:11:59 2004
@@ -1443,7 +1443,9 @@
*algo, gcry_strerror (err));
return err;
}
-
+ if (DBG_HASHING)
+ gcry_md_start_debug (*md, "crl");
+
ksba_crl_set_hash_function (crl, HASH_FNC, *md);
return 0;
}
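Review bot: The new `gcry_md_start_debug (*md, "crl")` call has no comment explaining its effect, and the effect is not obvious from the name: libgcrypt will mirror every byte fed into this hash handle — i.e. the whole CRL body — into a debug file whose name is derived from the `"crl"` prefix, apparently in the daemon's working directory (location to be confirmed against the libgcrypt version in use). A one-line comment above the `if (DBG_HASHING)` would help the next reader, e.g. `/* Under --debug hashing, libgcrypt writes everything hashed through MD (the full CRL) to a "crl"-prefixed debug file. */`. Whether the debug stream is closed by `gcry_md_close` or needs an explicit `gcry_md_stop_debug` is not visible here; start_sig_check begins outside the hunk.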
@@ -1486,6 +1488,8 @@
}
/* Get and convert the public key for the issuer certificate. */
+ if (DBG_X509)
+ dump_cert ("crl_issuer_cert", issuer_cert);
pubkey = ksba_cert_get_public_key (issuer_cert);
n = gcry_sexp_canon_len (pubkey, 0, NULL, NULL);
if (!n)
@@ -1518,6 +1522,8 @@
/* Pass this on to the signature verification. */
err = gcry_pk_verify (s_sig, s_hash, s_pkey);
+ if (DBG_X509)
+ log_debug ("gcry_pk_verify: %s\n", gpg_strerror (err));
leave:
xfree (sigval);
@@ -1572,29 +1578,9 @@
{
case KSBA_SR_BEGIN_ITEMS:
{
- char *issuer;
-
if (start_sig_check (crl, &md, &algo ))
goto failure;
- err = ksba_crl_get_issuer (crl, &issuer);
- if( err )
- {
- log_error (_("no issuer found in CRL: %s\n"),
- gpg_strerror (err) );
- err = gpg_error (GPG_ERR_INV_CRL);
- goto failure;
- }
- *r_issuer = issuer; /* (Do it here so we don't need to
- free it later) */
-
- issuer_cert = get_issuer_cert (ctrl, issuer);
- if (!issuer_cert)
- {
- err = gpg_error (GPG_ERR_MISSING_CERT);
- goto failure;
- }
-
err = ksba_crl_get_update_times (crl, thisupdate, nextupdate);
if (err)
{
@@ -1607,8 +1593,6 @@
if (opt.verbose)
log_info (_("update times of this CRL: this=%s next=%s\n"),
thisupdate, nextupdate);
-
- issuer = NULL;
}
break;
@@ -1654,6 +1638,52 @@
case KSBA_SR_READY:
{
+ char *issuer;
+ ksba_name_t authid;
+ ksba_sexp_t authidsn;
+
+ err = ksba_crl_get_issuer (crl, &issuer);
+ if( err )
+ {
+ log_error (_("no issuer found in CRL: %s\n"),
+ gpg_strerror (err) );
+ err = gpg_error (GPG_ERR_INV_CRL);
+ goto failure;
+ }
+ *r_issuer = issuer; /* (Do it here so we don't need to
+ free it later) */
+
+ if (!ksba_crl_get_auth_key_id (crl, NULL, &authid, &authidsn))
+ {
+ const char *s;
+
+ if (opt.verbose)
+ log_info (_("locating CRL issuer certificate by "
+ "authorityKeyIdentifier\n"));
+
+ s = ksba_name_enum (authid, 0);
+ if (s && *authidsn)
+ issuer_cert = find_cert_bysn (ctrl, s, authidsn);
+ if (!issuer_cert)
+ {
+ log_info ("issuer certificate (#");
+ dump_serial (authidsn);
+ log_printf ("/");
+ dump_string (s);
+ log_printf (") not found\n");
+ }
+ ksba_name_release (authid);
+ xfree (authidsn);
+ }
+ else
+ issuer_cert = get_issuer_cert (ctrl, issuer);
+ err = 0;
+ if (!issuer_cert)
+ {
+ err = gpg_error (GPG_ERR_MISSING_CERT);
+ goto failure;
+ }
+
err = finish_sig_check (crl, md, algo, issuer_cert);
if (err)
{
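Review bot: The guard `if (s && *authidsn)` dereferences `authidsn` without first checking it for NULL; `ksba_crl_get_auth_key_id` is called with only the name and serial out-parameters and, if it can succeed for an authorityKeyIdentifier that carries no authorityCertSerialNumber (leaving `authidsn` NULL), this line would crash on such a CRL — a safer guard is `if (s && authidsn && *authidsn)`, and `dump_serial (authidsn)` in the not-found branch has the same exposure. In addition, once the authKeyId path is taken and `find_cert_bysn` returns NULL, there is no fall-back to `get_issuer_cert (ctrl, issuer)` as in the `else` branch, so a CRL whose authorityKeyIdentifier names a certificate not retrievable by serial now fails with GPG_ERR_MISSING_CERT where it previously succeeded; if that is intended, a comment saying so would help, otherwise `if (!issuer_cert) issuer_cert = get_issuer_cert (ctrl, issuer);` before the missing-cert check restores the old behaviour (the signature check in finish_sig_check still decides whether the certificate is the right one). The `err = 0;` on the line before the missing-cert check is redundant, since `err` is assigned on every path that follows. The enclosing crl_parse_insert function starts and ends outside the hunk.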
@@ -1670,6 +1700,7 @@
gpg_strerror (err));
goto failure;
}
+
}
break;
@@ -2221,6 +2252,8 @@
any_dist_point = 1;
+ if (DBG_X509)
+ log_debug ("fetching CRL from `%s'\n", distpoint_uri);
err = crl_fetch (ctrl, distpoint_uri, &reader);
if (err)
{
@@ -2228,6 +2261,8 @@
goto leave;
}
+ if (DBG_X509)
+ log_debug ("inserting CRL\n");
err = crl_cache_insert (ctrl, distpoint_uri, reader);
if (err)
{
@@ -2259,6 +2294,8 @@
goto leave;
}
+ if (DBG_X509)
+ log_debug ("fetching CRL from default location\n");
err = crl_fetch_default (ctrl, issuer, &reader);
if (err)
{
@@ -2267,6 +2304,8 @@
goto leave;
}
+ if (DBG_X509)
+ log_debug ("inserting CRL\n");
err = crl_cache_insert (ctrl, "default location(s)", reader);
if (err)
{
Index: dirmngr/src/dirmngr.c
diff -u dirmngr/src/dirmngr.c:1.52 dirmngr/src/dirmngr.c:1.53
--- dirmngr/src/dirmngr.c:1.52 Mon Dec 13 16:16:35 2004
+++ dirmngr/src/dirmngr.c Wed Dec 15 23:11:59 2004
@@ -285,7 +285,7 @@
else if (!strcmp (debug_level, "basic"))
opt.debug = DBG_ASSUAN_VALUE;
else if (!strcmp (debug_level, "advanced"))
- opt.debug = DBG_ASSUAN_VALUE|DBG_X509_VALUE|DBG_LOOKUP_VALUE;
+ opt.debug = (DBG_ASSUAN_VALUE|DBG_X509_VALUE|DBG_LOOKUP_VALUE);
else if (!strcmp (debug_level, "expert"))
opt.debug = (DBG_ASSUAN_VALUE|DBG_X509_VALUE|DBG_LOOKUP_VALUE
|DBG_CACHE_VALUE|DBG_CRYPTO_VALUE);
Index: dirmngr/src/ldap.c
diff -u dirmngr/src/ldap.c:1.42 dirmngr/src/ldap.c:1.43
--- dirmngr/src/ldap.c:1.42 Mon Dec 13 16:16:35 2004
+++ dirmngr/src/ldap.c Wed Dec 15 23:11:59 2004
@@ -684,7 +684,8 @@
ctx->reader = *reader;
ctx->next = wrapper_list;
wrapper_list = ctx;
-
+ if (opt.verbose)
+ log_info (_("ldap wrapper %d started\n"), (int)ctx->pid);
return 0;
}
Index: dirmngr/src/validate.c
diff -u dirmngr/src/validate.c:1.6 dirmngr/src/validate.c:1.7
--- dirmngr/src/validate.c:1.6 Wed Dec 1 17:11:14 2004
+++ dirmngr/src/validate.c Wed Dec 15 23:11:59 2004
@@ -701,7 +701,7 @@
ksba_free (p);
return gpg_error (GPG_ERR_BUG);
}
- if (DBG_X509)
+ if (DBG_CRYPTO)
{
int j;
log_debug ("signature value:");
@@ -774,7 +774,7 @@
}
err = gcry_pk_verify (s_sig, s_hash, s_pkey);
- if (DBG_CRYPTO)
+ if (DBG_X509)
log_debug ("gcry_pk_verify: %s\n", gpg_strerror (err));
gcry_md_close (md);
gcry_sexp_release (s_sig);