GNUPG-1-9-BRANCH gnupg (17 files)
cvs user wk
cvs at cvs.gnupg.org
Mon Apr 18 12:28:05 CEST 2005
Date: Monday, April 18, 2005 @ 12:44:46
Author: wk
Path: /cvs/gnupg/gnupg
Tag: GNUPG-1-9-BRANCH
Modified: ChangeLog NEWS README TODO agent/command-ssh.c common/ChangeLog
common/sexputil.c common/util.h configure.ac sm/ChangeLog
sm/call-dirmngr.c sm/certchain.c sm/certdump.c sm/certlist.c
sm/gpgsm.c sm/gpgsm.h sm/keylist.c
* configure.ac: Require libksba 0.9.11.
sm/
* call-dirmngr.c (inq_certificate): Add new inquire SENDCERT_SKI.
* certlist.c (gpgsm_find_cert): Add new arg KEYID and implement
this filter. Changed all callers.
* certchain.c (find_up_search_by_keyid): New helper.
(find_up): Also try using the AKI.keyIdentifier.
(find_up_external): Ditto.
---------------------+
ChangeLog | 4 +
NEWS | 9 +++
README | 8 +--
TODO | 4 +
agent/command-ssh.c | 1
common/ChangeLog | 5 ++
common/sexputil.c | 78 ++++++++++++++++++++++++++++++++++
common/util.h | 3 +
configure.ac | 2
sm/ChangeLog | 15 ++++++
sm/call-dirmngr.c | 21 +++++++--
sm/certchain.c | 113 +++++++++++++++++++++++++++++++++++++++++---------
sm/certdump.c | 1
sm/certlist.c | 40 +++++++++++++++--
sm/gpgsm.c | 2
sm/gpgsm.h | 2
sm/keylist.c | 35 +++++++++++++--
17 files changed, 302 insertions(+), 41 deletions(-)
Index: gnupg/ChangeLog
diff -u gnupg/ChangeLog:1.131.2.70 gnupg/ChangeLog:1.131.2.71
--- gnupg/ChangeLog:1.131.2.70 Fri Apr 15 04:24:44 2005
+++ gnupg/ChangeLog Mon Apr 18 12:44:46 2005
@@ -1,3 +1,7 @@
+2005-04-15 Werner Koch <wk at g10code.com>
+
+ * configure.ac: Require libksba 0.9.11.
+
2005-04-15 Marcus Brinkmann <marcus at g10code.de>
* configure.ac: Check for /usr/bin/shred and define SHRED.
Index: gnupg/NEWS
diff -u gnupg/NEWS:1.165.2.65 gnupg/NEWS:1.165.2.66
--- gnupg/NEWS:1.165.2.65 Thu Jan 13 20:03:37 2005
+++ gnupg/NEWS Mon Apr 18 12:44:46 2005
@@ -1,6 +1,13 @@
Noteworthy changes in version 1.9.16
-------------------------------------------------
+ * gpg-agent does now support the ssh-agent protocol and thus allows
+ to use the pinentry as well as the OpenPGP smartcard with ssh.
+
+ * New tool gpg-connect-agent as a genereal client for the gpg-agent.
+
+ * New tool symcryptrun as a wrapper for certain encryption tools.
+
Noteworthy changes in version 1.9.15 (2005-01-13)
-------------------------------------------------
@@ -226,7 +233,7 @@
development branch.
- Copyright 2002, 2003, 2004 Free Software Foundation, Inc.
+ Copyright 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
Index: gnupg/README
diff -u gnupg/README:1.72.2.15 gnupg/README:1.72.2.16
--- gnupg/README:1.72.2.15 Wed Oct 20 10:54:45 2004
+++ gnupg/README Mon Apr 18 12:44:45 2005
@@ -399,7 +399,7 @@
+Heinrich Heine duesseldorf
- * [NEW] Exact match by subject's DN
+ * Exact match by subject's DN
This is indicated by a leading slash, directly followed by the
rfc2253 encoded DN of the subject. Note that you can't use the
@@ -411,7 +411,7 @@
/CN=Heinrich Heine,O=Poets,L=Paris,C=FR
- * [NEW] Excact match by issuer's DN
+ * Excact match by issuer's DN
This is indicated by a leading hash mark, directly followed by a
slash and then directly followed by the rfc2253 encoded DN of the
@@ -422,10 +422,10 @@
#/CN=Root Cert,O=Poets,L=Paris,C=FR
- * [NEW] Exact match by serial number and subject's DN
+ * Exact match by serial number and issuer's DN
This is indicated by a hash mark, followed by the hexadecmal
- representation of the serial number, the followed by a slahs and
+ representation of the serial number, the followed by a slash and
the RFC2253 encoded DN of the issuer. See note above.
Example:
Index: gnupg/TODO
diff -u gnupg/TODO:1.165.2.38 gnupg/TODO:1.165.2.39
--- gnupg/TODO:1.165.2.38 Thu Mar 3 11:15:07 2005
+++ gnupg/TODO Mon Apr 18 12:44:45 2005
@@ -1,5 +1,9 @@
-*- outline -*-
+* IMPORTANT
+Check that openpty and pty.h are available and build symcryptrun only
+then. Run shred on the temporary files.
+
* src/base64
** Make parsing more robust
Index: gnupg/agent/command-ssh.c
diff -u gnupg/agent/command-ssh.c:1.1.4.16 gnupg/agent/command-ssh.c:1.1.4.17
--- gnupg/agent/command-ssh.c:1.1.4.16 Sat Apr 9 18:41:28 2005
+++ gnupg/agent/command-ssh.c Mon Apr 18 12:44:45 2005
@@ -1741,6 +1741,7 @@
/* Prepare buffer stream. */
+#warning Huh, sleep? why that? Anyway, this should be pth_sleep
sleep (5);
key_directory = NULL;
Index: gnupg/common/ChangeLog
diff -u gnupg/common/ChangeLog:1.30.2.47 gnupg/common/ChangeLog:1.30.2.48
--- gnupg/common/ChangeLog:1.30.2.47 Mon Apr 11 18:10:03 2005
+++ gnupg/common/ChangeLog Mon Apr 18 12:44:45 2005
@@ -1,3 +1,8 @@
+2005-04-17 Werner Koch <wk at g10code.com>
+
+ * sexputil.c (cmp_simple_canon_sexp): New.
+ (make_simple_sexp_from_hexstr): New.
+
2005-04-07 Werner Koch <wk at g10code.com>
* sexputil.c: New.
Index: gnupg/common/sexputil.c
diff -u gnupg/common/sexputil.c:1.1.2.1 gnupg/common/sexputil.c:1.1.2.2
--- gnupg/common/sexputil.c:1.1.2.1 Wed Apr 13 11:39:38 2005
+++ gnupg/common/sexputil.c Mon Apr 18 12:44:45 2005
@@ -61,3 +61,81 @@
return err;
}
+
+/* Compare two simple S-expressions like "(3:foo)". Returns 0 if they
+ are identical or !0 if they are not. Not that this function can't
+ be used for sorting. */
+int
+cmp_simple_canon_sexp (const unsigned char *a, const unsigned char *b)
+{
+ unsigned long n1, n2;
+ char *endp;
+
+ if (!a && !b)
+ return 0; /* Both are NULL, they are identical. */
+ if (!a || !b)
+ return 1; /* One is NULL, they are not identical. */
+ if (*a != '(' || *b != '(')
+ log_bug ("invalid S-exp in cmp_simple_canon_sexp\n");
+
+ a++;
+ n1 = strtoul (a, &endp, 10);
+ a = endp;
+ b++;
+ n2 = strtoul (b, &endp, 10);
+ b = endp;
+
+ if (*a != ':' || *b != ':' )
+ log_bug ("invalid S-exp in cmp_simple_canon_sexp\n");
+ if (n1 != n2)
+ return 1; /* Not the same. */
+
+ for (a++, b++; n1; n1--, a++, b++)
+ if (*a != *b)
+ return 1; /* Not the same. */
+ return 0;
+}
+
+
+/* Create a simple S-expression from the hex string at LIBNE. Returns
+ a newly allocated buffer with that canonical encoded S-expression
+ or NULL in case of an error. On return the number of characters
+ scanned in LINE will be stored at NSCANNED. This fucntions stops
+ converting at the first character not representing a hexdigit. Odd
+ numbers of hex digits are allowed; a leading zero is then
+ assumed. If no characters have been found, NULL is returned.*/
+unsigned char *
+make_simple_sexp_from_hexstr (const char *line, size_t *nscanned)
+{
+ size_t n, len;
+ const char *s;
+ unsigned char *buf;
+ unsigned char *p;
+ char numbuf[50];
+
+ for (n=0, s=line; hexdigitp (s); s++, n++)
+ ;
+ if (nscanned)
+ *nscanned = n;
+ if (!n)
+ return NULL;
+ len = ((n+1) & ~0x01)/2;
+ sprintf (numbuf, "(%u:", (unsigned int)len);
+ buf = xtrymalloc (strlen (numbuf) + len + 1 + 1);
+ if (!buf)
+ return NULL;
+ p = stpcpy (buf, numbuf);
+ s = line;
+ if ((n&1))
+ {
+ *p++ = xtoi_1 (s);
+ s++;
+ n--;
+ }
+ for (; n > 1; n -=2, s += 2)
+ *p++ = xtoi_2 (s);
+ *p++ = ')';
+ *p = 0; /* (Not really neaded.) */
+
+ return buf;
+}
Index: gnupg/common/util.h
diff -u gnupg/common/util.h:1.12.2.16 gnupg/common/util.h:1.12.2.17
--- gnupg/common/util.h:1.12.2.16 Mon Apr 11 18:10:03 2005
+++ gnupg/common/util.h Mon Apr 18 12:44:45 2005
@@ -123,6 +123,9 @@
/*-- sexputil.c */
gpg_error_t keygrip_from_canon_sexp (const unsigned char *key, size_t keylen,
unsigned char *grip);
+int cmp_simple_canon_sexp (const unsigned char *a, const unsigned char *b);
+unsigned char *make_simple_sexp_from_hexstr (const char *line,
+ size_t *nscanned);
/*-- homedir. c --*/
const char *default_homedir (void);
Index: gnupg/configure.ac
diff -u gnupg/configure.ac:1.36.2.82 gnupg/configure.ac:1.36.2.83
--- gnupg/configure.ac:1.36.2.82 Fri Apr 15 04:24:44 2005
+++ gnupg/configure.ac Mon Apr 18 12:44:45 2005
@@ -36,7 +36,7 @@
NEED_LIBASSUAN_VERSION=0.6.9
-NEED_KSBA_VERSION=0.9.7
+NEED_KSBA_VERSION=0.9.11
NEED_OPENSC_VERSION=0.8.0
Index: gnupg/sm/ChangeLog
diff -u gnupg/sm/ChangeLog:1.101.2.91 gnupg/sm/ChangeLog:1.101.2.92
--- gnupg/sm/ChangeLog:1.101.2.91 Mon Apr 11 18:21:05 2005
+++ gnupg/sm/ChangeLog Mon Apr 18 12:44:45 2005
@@ -1,3 +1,18 @@
+2005-04-17 Werner Koch <wk at g10code.com>
+
+ * call-dirmngr.c (inq_certificate): Add new inquire SENDCERT_SKI.
+ * certlist.c (gpgsm_find_cert): Add new arg KEYID and implement
+ this filter. Changed all callers.
+
+ * certchain.c (find_up_search_by_keyid): New helper.
+ (find_up): Also try using the AKI.keyIdentifier.
+ (find_up_external): Ditto.
+
+2005-04-15 Werner Koch <wk at g10code.com>
+
+ * keylist.c (list_cert_raw): Print the subjectKeyIdentifier as
+ well as the keyIdentifier part of the authorityKeyIdentifier.
+
2005-03-31 Werner Koch <wk at g10code.com>
* call-dirmngr.c (start_dirmngr): Use PATHSEP_C instead of ':'.
Index: gnupg/sm/call-dirmngr.c
diff -u gnupg/sm/call-dirmngr.c:1.16.2.13 gnupg/sm/call-dirmngr.c:1.16.2.14
--- gnupg/sm/call-dirmngr.c:1.16.2.13 Mon Apr 11 18:21:05 2005
+++ gnupg/sm/call-dirmngr.c Mon Apr 18 12:44:45 2005
@@ -1,5 +1,5 @@
/* call-dirmngr.c - communication with the dromngr
- * Copyright (C) 2002, 2003 Free Software Foundation, Inc.
+ * Copyright (C) 2002, 2003, 2005 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -266,11 +266,25 @@
const unsigned char *der;
size_t derlen;
int issuer_mode = 0;
+ ksba_sexp_t ski = NULL;
if (!strncmp (line, "SENDCERT", 8) && (line[8] == ' ' || !line[8]))
{
line += 8;
}
+ else if (!strncmp (line, "SENDCERT_SKI", 12) && (line[12]==' ' || !line[12]))
+ {
+ size_t n;
+
+ /* Send a certificate where a sourceKeyidentifier is included. */
+ line += 12;
+ while (*line == ' ')
+ line++;
+ ski = make_simple_sexp_from_hexstr (line, &n);
+ line += n;
+ while (*line == ' ')
+ line++;
+ }
else if (!strncmp (line, "SENDISSUERCERT", 14)
&& (line[14] == ' ' || !line[14]))
{
@@ -304,7 +318,7 @@
ksba_cert_t cert;
- err = gpgsm_find_cert (line, &cert);
+ err = gpgsm_find_cert (line, ski, &cert);
if (err)
{
log_error ("certificate not found: %s\n", gpg_strerror (err));
@@ -321,6 +335,7 @@
}
}
+ xfree (ski);
return rc;
}
@@ -717,7 +732,7 @@
if (!*line)
return ASSUAN_Inquire_Error;
- err = gpgsm_find_cert (line, &cert);
+ err = gpgsm_find_cert (line, NULL, &cert);
if (err)
{
log_error ("certificate not found: %s\n", gpg_strerror (err));
Index: gnupg/sm/certchain.c
diff -u gnupg/sm/certchain.c:1.32.2.21 gnupg/sm/certchain.c:1.32.2.22
--- gnupg/sm/certchain.c:1.32.2.21 Thu Mar 17 20:10:37 2005
+++ gnupg/sm/certchain.c Mon Apr 18 12:44:45 2005
@@ -266,6 +266,42 @@
}
+/* Helper fucntion for find_up. This resets the key handle and search
+ for an issuer ISSUER with a subjectKeyIdentifier of KEYID. Returns
+ 0 obn success or -1 when not found. */
+static int
+find_up_search_by_keyid (KEYDB_HANDLE kh,
+ const char *issuer, ksba_sexp_t keyid)
+{
+ int rc;
+ ksba_cert_t cert = NULL;
+ ksba_sexp_t subj = NULL;
+
+ keydb_search_reset (kh);
+ while (!(rc = keydb_search_subject (kh, issuer)))
+ {
+ ksba_cert_release (cert); cert = NULL;
+ rc = keydb_get_cert (kh, &cert);
+ if (rc)
+ {
+ log_error ("keydb_get_cert() failed: rc=%d\n", rc);
+ rc = -1;
+ break;
+ }
+ xfree (subj);
+ if (!ksba_cert_get_subj_key_id (cert, NULL, &subj))
+ {
+ if (!cmp_simple_canon_sexp (keyid, subj))
+ break; /* Found matching cert. */
+ }
+ }
+
+ ksba_cert_release (cert);
+ xfree (subj);
+ return rc? -1:0;
+}
+
+
static void
find_up_store_certs_cb (void *cb_value, ksba_cert_t cert)
{
@@ -275,13 +311,13 @@
}
-
/* Helper for find_up(). Locate the certificate for ISSUER using an
external lookup. KH is the keydb context we are currently using.
On success 0 is returned and the certificate may be retrieved from
- the keydb using keydb_get_cert().*/
+ the keydb using keydb_get_cert(). KEYID is the keyIdentifier from
+ the AKI or NULL. */
static int
-find_up_external (KEYDB_HANDLE kh, const char *issuer)
+find_up_external (KEYDB_HANDLE kh, const char *issuer, ksba_sexp_t keyid)
{
int rc;
strlist_t names = NULL;
@@ -324,8 +360,13 @@
/* The issuers are currently stored in the ephemeral key DB, so
we temporary switch to ephemeral mode. */
old = keydb_set_ephemeral (kh, 1);
- keydb_search_reset (kh);
- rc = keydb_search_subject (kh, issuer);
+ if (keyid)
+ rc = find_up_search_by_keyid (kh, issuer, keyid);
+ else
+ {
+ keydb_search_reset (kh);
+ rc = keydb_search_subject (kh, issuer);
+ }
keydb_set_ephemeral (kh, old);
}
return rc;
@@ -343,9 +384,10 @@
{
ksba_name_t authid;
ksba_sexp_t authidno;
+ ksba_sexp_t keyid;
int rc = -1;
- if (!ksba_cert_get_auth_key_id (cert, NULL, &authid, &authidno))
+ if (!ksba_cert_get_auth_key_id (cert, &keyid, &authid, &authidno))
{
const char *s = ksba_name_enum (authid, 0);
if (s && *authidno)
@@ -369,28 +411,57 @@
keydb_set_ephemeral (kh, old);
}
- /* If we didn't found it, try an external lookup. */
- if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
- rc = find_up_external (kh, issuer);
}
+ if (rc == -1 && keyid && !find_next)
+ {
+ /* Not found by AIK.issuer_sn. Lets try the AIY.ki
+ instead. Loop over all certificates with that issuer as
+ subject and stop for the one with a matching
+ subjectKeyIdentifier. */
+ rc = find_up_search_by_keyid (kh, issuer, keyid);
+ if (rc)
+ {
+ int old = keydb_set_ephemeral (kh, 1);
+ if (!old)
+ rc = find_up_search_by_keyid (kh, issuer, keyid);
+ keydb_set_ephemeral (kh, old);
+ }
+ if (rc)
+ rc = -1; /* Need to make sure to have this error code. */
+ }
+
+ /* If we still didn't found it, try an external lookup. */
+ if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
+ rc = find_up_external (kh, issuer, keyid);
+
/* Print a note so that the user does not feel too helpless when
an issuer certificate was found and gpgsm prints BAD
signature because it is not the correct one. */
if (rc == -1)
{
- log_info ("%sissuer certificate (#", find_next?"next ":"");
- gpgsm_dump_serial (authidno);
- log_printf ("/");
- gpgsm_dump_string (s);
- log_printf (") not found using authorityKeyIdentifier\n");
+ log_info ("%sissuer certificate ", find_next?"next ":"");
+ if (keyid)
+ {
+ log_printf ("{");
+ gpgsm_dump_serial (keyid);
+ log_printf ("} ");
+ }
+ if (authidno)
+ {
+ log_printf ("(#");
+ gpgsm_dump_serial (authidno);
+ log_printf ("/");
+ gpgsm_dump_string (s);
+ log_printf (") ");
+ }
+ log_printf ("not found using authorityKeyIdentifier\n");
}
else if (rc)
log_error ("failed to find authorityKeyIdentifier: rc=%d\n", rc);
+ xfree (keyid);
ksba_name_release (authid);
xfree (authidno);
- /* Fixme: There is no way to do an external lookup with
- serial+issuer. */
}
if (rc) /* Not found via authorithyKeyIdentifier, try regular issuer name. */
@@ -409,7 +480,7 @@
/* Still not found. If enabled, try an external lookup. */
if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
- rc = find_up_external (kh, issuer);
+ rc = find_up_external (kh, issuer, NULL);
return rc;
}
@@ -468,7 +539,7 @@
rc = keydb_get_cert (kh, r_next);
if (rc)
{
- log_error ("failed to get cert: rc=%d\n", rc);
+ log_error ("keydb_get_cert() failed: rc=%d\n", rc);
rc = gpg_error (GPG_ERR_GENERAL);
}
@@ -791,7 +862,7 @@
rc = keydb_get_cert (kh, &issuer_cert);
if (rc)
{
- log_error ("failed to get cert: rc=%d\n", rc);
+ log_error ("keydb_get_cert() failed: rc=%d\n", rc);
rc = gpg_error (GPG_ERR_GENERAL);
goto leave;
}
@@ -818,6 +889,8 @@
might have been used. This is required because some
CAs are reusing the issuer and subject DN for new
root certificates. */
+ /* FIXME: Do this only if we don't have an
+ AKI.keyIdentifier */
rc = find_up (kh, subject_cert, issuer, 1);
if (!rc)
{
@@ -1008,7 +1081,7 @@
rc = keydb_get_cert (kh, &issuer_cert);
if (rc)
{
- log_error ("failed to get cert: rc=%d\n", rc);
+ log_error ("keydb_get_cert() failed: rc=%d\n", rc);
rc = gpg_error (GPG_ERR_GENERAL);
goto leave;
}
Index: gnupg/sm/certdump.c
diff -u gnupg/sm/certdump.c:1.11.2.11 gnupg/sm/certdump.c:1.11.2.12
--- gnupg/sm/certdump.c:1.11.2.11 Thu Sep 30 23:37:06 2004
+++ gnupg/sm/certdump.c Mon Apr 18 12:44:45 2005
@@ -75,6 +75,7 @@
}
+/* Dump the serial number or any other simple S-expression. */
void
gpgsm_dump_serial (ksba_const_sexp_t p)
{
Index: gnupg/sm/certlist.c
diff -u gnupg/sm/certlist.c:1.13.2.11 gnupg/sm/certlist.c:1.13.2.12
--- gnupg/sm/certlist.c:1.13.2.11 Tue Aug 24 20:13:15 2004
+++ gnupg/sm/certlist.c Mon Apr 18 12:44:45 2005
@@ -1,5 +1,5 @@
/* certlist.c - build list of certificates
- * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc.
+ * Copyright (C) 2001, 2003, 2004, 2005 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -412,9 +412,11 @@
�
/* Like gpgsm_add_to_certlist, but look only for one certificate. No
- chain validation is done */
+ chain validation is done. If KEYID is not NULL it is take as an
+ additional filter value which must match the
+ subjectKeyIdentifier. */
int
-gpgsm_find_cert (const char *name, ksba_cert_t *r_cert)
+gpgsm_find_cert (const char *name, ksba_sexp_t keyid, ksba_cert_t *r_cert)
{
int rc;
KEYDB_SEARCH_DESC desc;
@@ -429,10 +431,38 @@
rc = gpg_error (GPG_ERR_ENOMEM);
else
{
+ nextone:
rc = keydb_search (kh, &desc, 1);
if (!rc)
- rc = keydb_get_cert (kh, r_cert);
- if (!rc)
+ {
+ rc = keydb_get_cert (kh, r_cert);
+ if (!rc && keyid)
+ {
+ ksba_sexp_t subj;
+
+ rc = ksba_cert_get_subj_key_id (*r_cert, NULL, &subj);
+ if (!rc)
+ {
+ if (cmp_simple_canon_sexp (keyid, subj))
+ {
+ xfree (subj);
+ goto nextone;
+ }
+ xfree (subj);
+ /* Okay: Here we know that the certificate's
+ subjectKeyIdentifier matches the requested
+ one. */
+ }
+ else if (gpg_err_code (rc) == GPG_ERR_NO_DATA)
+ goto nextone;
+ }
+ }
+
+ /* If we don't have the KEYID filter we need to check for
+ ambigious search results. Note, that it is somehwat
+ reasonable to assume that a specification of a KEYID
+ won't lead to ambiguous names. */
+ if (!rc && !keyid)
{
rc = keydb_search (kh, &desc, 1);
if (rc == -1)
Index: gnupg/sm/gpgsm.c
diff -u gnupg/sm/gpgsm.c:1.67.2.38 gnupg/sm/gpgsm.c:1.67.2.39
--- gnupg/sm/gpgsm.c:1.67.2.38 Wed Dec 22 18:55:28 2004
+++ gnupg/sm/gpgsm.c Mon Apr 18 12:44:45 2005
@@ -1566,7 +1566,7 @@
ksba_cert_t cert = NULL;
char *grip = NULL;
- rc = gpgsm_find_cert (*argv, &cert);
+ rc = gpgsm_find_cert (*argv, NULL, &cert);
if (rc)
;
else if (!(grip = gpgsm_get_keygrip_hexstring (cert)))
Index: gnupg/sm/gpgsm.h
diff -u gnupg/sm/gpgsm.h:1.54.2.24 gnupg/sm/gpgsm.h:1.54.2.25
--- gnupg/sm/gpgsm.h:1.54.2.24 Sat Dec 18 11:22:09 2004
+++ gnupg/sm/gpgsm.h Mon Apr 18 12:44:45 2005
@@ -252,7 +252,7 @@
int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
certlist_t *listaddr, int is_encrypt_to);
void gpgsm_release_certlist (certlist_t list);
-int gpgsm_find_cert (const char *name, ksba_cert_t *r_cert);
+int gpgsm_find_cert (const char *name, ksba_sexp_t keyid, ksba_cert_t *r_cert);
/*-- keylist.c --*/
gpg_error_t gpgsm_list_keys (ctrl_t ctrl, STRLIST names,
Index: gnupg/sm/keylist.c
diff -u gnupg/sm/keylist.c:1.25.2.19 gnupg/sm/keylist.c:1.25.2.20
--- gnupg/sm/keylist.c:1.25.2.19 Sun Dec 19 14:38:24 2004
+++ gnupg/sm/keylist.c Mon Apr 18 12:44:45 2005
@@ -1,6 +1,6 @@
-/* keylist.c
+/* keylist.c - Print certificates in various formats.
* Copyright (C) 1998, 1999, 2000, 2001, 2003,
- * 2004 Free Software Foundation, Inc.
+ * 2004, 2005 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -122,7 +122,7 @@
{ "1.3.6.1.5.5.7.1.11", "subjectInfoAccess" },
/* X.509 id-ce */
- { "2.5.29.14", "subjectKeyIdentifier"},
+ { "2.5.29.14", "subjectKeyIdentifier", 1},
{ "2.5.29.15", "keyUsage", 1 },
{ "2.5.29.16", "privateKeyUsagePeriod" },
{ "2.5.29.17", "subjectAltName", 1 },
@@ -512,7 +512,7 @@
{
gpg_error_t err;
size_t off, len;
- ksba_sexp_t sexp;
+ ksba_sexp_t sexp, keyid;
char *dn;
ksba_isotime_t t;
int idx, i;
@@ -588,9 +588,27 @@
fprintf (fp, " keyType: %u bit %s\n", nbits, algoname? algoname:"?");
}
+ /* subjectKeyIdentifier */
+ fputs (" subjKeyId: ", fp);
+ err = ksba_cert_get_subj_key_id (cert, NULL, &keyid);
+ if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA)
+ {
+ if (gpg_err_code (err) == GPG_ERR_NO_DATA)
+ fputs ("[none]\n", fp);
+ else
+ {
+ gpgsm_print_serial (fp, keyid);
+ ksba_free (keyid);
+ putc ('\n', fp);
+ }
+ }
+ else
+ fputs ("[?]\n", fp);
+
+
/* authorityKeyIdentifier */
fputs (" authKeyId: ", fp);
- err = ksba_cert_get_auth_key_id (cert, NULL, &name, &sexp);
+ err = ksba_cert_get_auth_key_id (cert, &keyid, &name, &sexp);
if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA)
{
if (gpg_err_code (err) == GPG_ERR_NO_DATA || !name)
@@ -603,6 +621,13 @@
print_names_raw (fp, -15, name);
ksba_name_release (name);
}
+ if (keyid)
+ {
+ fputs (" authKeyId.ki: ", fp);
+ gpgsm_print_serial (fp, keyid);
+ ksba_free (keyid);
+ putc ('\n', fp);
+ }
}
else
fputs ("[?]\n", fp);
More information about the Gnupg-commits
mailing list