[svn] dirmngr - r230 - in trunk: . doc m4 po src
svn author wk
cvs at cvs.gnupg.org
Wed Aug 30 22:40:17 CEST 2006
Author: wk
Date: 2006-08-30 22:40:15 +0200 (Wed, 30 Aug 2006)
New Revision: 230
Added:
trunk/m4/autobuild.m4
Modified:
trunk/NEWS
trunk/TODO
trunk/configure.ac
trunk/doc/dirmngr.texi
trunk/m4/Makefile.am
trunk/po/de.po
trunk/po/dirmngr.pot
trunk/src/ChangeLog
trunk/src/certcache.c
trunk/src/certcache.h
trunk/src/dirmngr.c
trunk/src/dirmngr.h
trunk/src/ocsp.c
trunk/src/ocsp.h
trunk/src/server.c
trunk/src/validate.c
Log:
Fixes for OCSP
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/NEWS 2006-08-30 20:40:15 UTC (rev 230)
@@ -1,3 +1,9 @@
+Noteworthy changes in version 0.9.6
+------------------------------------------------
+
+ * A couple of bug fixes for OCSP.
+
+
Noteworthy changes in version 0.9.5 (2006-06-27)
------------------------------------------------
Modified: trunk/TODO
===================================================================
--- trunk/TODO 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/TODO 2006-08-30 20:40:15 UTC (rev 230)
@@ -22,5 +22,11 @@
certificates. Requested by Neil Dunbar. I have added some code
fragments to ldap.c but it needs to be finished.
+* Various problems with German SigG certs
+ We need to implement the chain-validation-model and come up with a
+ way to verify the intermediate certificates. Tehre are no CRLs
+ available and using OCSP with the same responder is point less.
+ Needs more investigation.
+
Modified: trunk/configure.ac
===================================================================
--- trunk/configure.ac 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/configure.ac 2006-08-30 20:40:15 UTC (rev 230)
@@ -23,16 +23,16 @@
AC_PREREQ(2.59)
min_automake_version="1.9.3"
-AC_INIT(dirmngr, 0.9.5, gpa-dev at gnupg.org)
+AC_INIT(dirmngr, 0.9.6-cvs, gpa-dev at gnupg.org)
-NEED_GPG_ERROR_VERSION=0.7
+NEED_GPG_ERROR_VERSION=1.0
NEED_LIBGCRYPT_API=1
-NEED_LIBGCRYPT_VERSION=1.1.94
+NEED_LIBGCRYPT_VERSION=1.2.0
NEED_LIBASSUAN_VERSION=0.6.8
-NEED_KSBA_VERSION=0.9.13
+NEED_KSBA_VERSION=0.9.16
PACKAGE=$PACKAGE_NAME
@@ -41,6 +41,7 @@
AC_CONFIG_SRCDIR(src/dirmngr.c)
AM_CONFIG_HEADER(config.h)
AM_INIT_AUTOMAKE($PACKAGE, $VERSION)
+AB_INIT
AC_GNU_SOURCE
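Review bot: The added `AB_INIT` call has no comment, and from configure.ac alone it is not clear that every configure run will now print the build machine's hostname and a timestamp. The macro body in m4/autobuild.m4 (added in this revision) runs `hostname` and `date` and reports both through AC_MSG_NOTICE, so the values land in the configure output and presumably in any build log that gets published. I would add a comment above the call, e.g. `# Print autobuild markers (project, revision, hostname, timestamp); see m4/autobuild.m4.`, so packagers who share logs or compare build output know where these lines come from.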
Modified: trunk/doc/dirmngr.texi
===================================================================
--- trunk/doc/dirmngr.texi 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/doc/dirmngr.texi 2006-08-30 20:40:15 UTC (rev 230)
@@ -157,6 +157,10 @@
when given a SIGHUP. Certificates which are not readable or do not make
up a proper X.509 certificate are ignored; see the log file for details.
+Note that for OCSP responses the certificate specified using the option
+ at option{--ocsp-signer} is always considered valid to sign OCSP requests.
+
+
@item /var/lib/dirmngr/extra-certs
This directory may contain extra certificates which are preloaded into
the interal cache on startup. This is convenient in cases you have a
@@ -471,9 +475,22 @@
@opindex ocsp-signer
Use the certificate with the fingerprint @var{fpr} to check the
responses of the default OCSP Responder. Dirmngr will retrieve this
-certificate from the current client.
+certificate from the current client.
+If a response has been signed by this certificate no further check upon
+the validity of this certificate is done!
+ at item --ocsp-max-clock-skew @var{n}
+ at opindex ocsp-max-clock-skew
+The number of seconds a skew between the OCSP respinder and them local
+clock is accepted. Default is 600 (20 minutes).
+
+ at item --ocsp-current-period @var{n}
+ at opindex ocsp-current-period
+The number of seconds an OCSP reponse is valid after the time given in
+the NEXT_UPDATE datum. Default is 10800 (3 hours).
+
+
@item --max-replies @var{n}
@opindex max-replies
Do not return more that @var{n} items in one query. The default is
Modified: trunk/m4/Makefile.am
===================================================================
--- trunk/m4/Makefile.am 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/m4/Makefile.am 2006-08-30 20:40:15 UTC (rev 230)
@@ -1,2 +1,10 @@
-EXTRA_DIST = codeset.m4 gettext.m4 glibc21.m4 iconv.m4 intdiv0.m4 intmax.m4 inttypes.m4 inttypes_h.m4 inttypes-pri.m4 isc-posix.m4 lcmessage.m4 lib-ld.m4 lib-link.m4 lib-prefix.m4 longdouble.m4 longlong.m4 nls.m4 po.m4 printf-posix.m4 progtest.m4 signed.m4 size_max.m4 stdint_h.m4 uintmax_t.m4 ulonglong.m4 wchar_t.m4 wint_t.m4 xsize.m4 gpg-error.m4 ksba.m4 libassuan.m4 libgcrypt.m4
+EXTRA_DIST = codeset.m4 gettext.m4 glibc21.m4 iconv.m4 intdiv0.m4 intmax.m4 \
+ inttypes.m4 inttypes_h.m4 inttypes-pri.m4 isc-posix.m4 \
+ lcmessage.m4 lib-ld.m4 lib-link.m4 lib-prefix.m4 longdouble.m4 \
+ longlong.m4 nls.m4 po.m4 printf-posix.m4 progtest.m4 signed.m4 \
+ size_max.m4 stdint_h.m4 uintmax_t.m4 ulonglong.m4 \
+ wchar_t.m4 wint_t.m4 xsize.m4
+
+EXTRA_DIST += autobuild.m4
+EXTRA_DIST += gpg-error.m4 ksba.m4 libassuan.m4 libgcrypt.m4
Added: trunk/m4/autobuild.m4
===================================================================
--- trunk/m4/autobuild.m4 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/m4/autobuild.m4 2006-08-30 20:40:15 UTC (rev 230)
@@ -0,0 +1,34 @@
+# autobuild.m4 serial 2 (autobuild-3.3)
+# Copyright (C) 2004 Simon Josefsson
+#
+# This file is free software, distributed under the terms of the GNU
+# General Public License. As a special exception to the GNU General
+# Public License, this file may be distributed as part of a program
+# that contains a configuration script generated by Autoconf, under
+# the same distribution terms as the rest of that program.
+#
+# This file can can be used in projects which are not available under
+# the GNU General Public License or the GNU Library General Public
+# License but which still want to provide support for Autobuild.
+
+# Usage: AB_INIT([MODE]).
+AC_DEFUN([AB_INIT],
+[
+ AC_REQUIRE([AC_CANONICAL_BUILD])
+ AC_REQUIRE([AC_CANONICAL_HOST])
+
+ AC_MSG_NOTICE([autobuild project... ${PACKAGE_NAME:-$PACKAGE}])
+ AC_MSG_NOTICE([autobuild revision... ${PACKAGE_VERSION:-$VERSION}])
+ hostname=`hostname`
+ if test "$hostname"; then
+ AC_MSG_NOTICE([autobuild hostname... $hostname])
+ fi
+ ifelse([$1],[],,[AC_MSG_NOTICE([autobuild mode... $1])])
+ date=`date +%Y%m%d-%H%M%S`
+ if test "$?" != 0; then
+ date=`date`
+ fi
+ if test "$date"; then
+ AC_MSG_NOTICE([autobuild timestamp... $date])
+ fi
+])
Modified: trunk/po/de.po
===================================================================
--- trunk/po/de.po 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/po/de.po 2006-08-30 20:40:15 UTC (rev 230)
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: dirmngr 0.9.2\n"
"Report-Msgid-Bugs-To: gpa-dev at gnupg.org\n"
-"POT-Creation-Date: 2006-05-16 11:53+0200\n"
+"POT-Creation-Date: 2006-06-27 12:32+0200\n"
"PO-Revision-Date: 2005-11-02 08:26+0100\n"
"Last-Translator: Werner Koch <wk at g10code.com>\n"
"Language-Team: de\n"
@@ -49,7 +49,7 @@
msgid "can't access directory `%s': %s\n"
msgstr "Fehler beim Zugriff auf das Verzeichnis `%s': %s\n"
-#: src/certcache.c:335 src/crlcache.c:2227 src/ldap.c:631
+#: src/certcache.c:335 src/crlcache.c:2150 src/ldap.c:631
#, c-format
msgid "can't open `%s': %s\n"
msgstr "`%s' kann nicht geöffnet werden: %s\n"
@@ -64,290 +64,299 @@
msgid "can't parse certificate `%s': %s\n"
msgstr "Zertifikat `%s' kann nicht zerlegt werden: %s\n"
-#: src/certcache.c:366
+#: src/certcache.c:365
#, c-format
msgid "certificate `%s' already cached\n"
msgstr "Zertifikat `%s' ist bereits im Zwischenspeicher\n"
#: src/certcache.c:369
+#, fuzzy, c-format
+msgid "trusted certificate `%s' loaded\n"
+msgstr "Zertifikat `%s' wurde geladen\n"
+
+#: src/certcache.c:371
#, c-format
msgid "certificate `%s' loaded\n"
msgstr "Zertifikat `%s' wurde geladen\n"
-#: src/certcache.c:373
-#, c-format
-msgid "SHA1 fingerprint = %s\n"
+#: src/certcache.c:375
+#, fuzzy, c-format
+msgid " SHA1 fingerprint = %s\n"
msgstr "SHA1 Fingerabdruck=%s\n"
#: src/certcache.c:378
+msgid " name ="
+msgstr ""
+
+#: src/certcache.c:382
#, c-format
msgid "error loading certificate `%s': %s\n"
msgstr "Fehler beim Laden des Zertifikats `%s': %s\n"
-#: src/certcache.c:452
+#: src/certcache.c:457
#, c-format
msgid "permanently loaded certificates: %u\n"
msgstr " dauerhaft geladene Zertifikate: %u\n"
-#: src/certcache.c:454
+#: src/certcache.c:459
#, c-format
msgid " runtime cached certificates: %u\n"
msgstr "zur Laufzeit zwischengespeicherte Zertifikate: %u\n"
-#: src/certcache.c:469 src/dirmngr-client.c:365
+#: src/certcache.c:474 src/dirmngr-client.c:365
msgid "certificate already cached\n"
msgstr "Zertifikat ist bereits im Zwischenspeicher\n"
-#: src/certcache.c:471
+#: src/certcache.c:476
msgid "certificate cached\n"
msgstr "Zertifikat wurde zwischengespeichert\n"
-#: src/certcache.c:473 src/dirmngr-client.c:369
+#: src/certcache.c:478 src/dirmngr-client.c:369
#, c-format
msgid "error caching certificate: %s\n"
msgstr "Fehler beim Zwischenspeichern des Zertifikats: %s\n"
-#: src/certcache.c:538
+#: src/certcache.c:543
#, c-format
msgid "invalid SHA1 fingerprint string `%s'\n"
msgstr "ungültiger SHA1 Fingerabdruck `%s'\n"
-#: src/certcache.c:681 src/certcache.c:690
+#: src/certcache.c:690 src/certcache.c:699
#, c-format
msgid "error fetching certificate by S/N: %s\n"
msgstr "Fehler beim Holen des Zertifikats mittels Seriennummer: %s\n"
-#: src/certcache.c:786 src/certcache.c:795
+#: src/certcache.c:820 src/certcache.c:829
#, c-format
msgid "error fetching certificate by subject: %s\n"
msgstr "Fehler beim Holen des Zertifikats mittels Subject: %s\n"
-#: src/certcache.c:896 src/validate.c:312
+#: src/certcache.c:932 src/validate.c:354
msgid "no issuer found in certificate\n"
msgstr "Im Zertifikat ist kein Herausgeber enthalten\n"
-#: src/certcache.c:906
+#: src/certcache.c:942
#, c-format
msgid "error getting authorityKeyIdentifier: %s\n"
msgstr "Fehler beim Holen des \"authorityKeyIdentifier\": %s\n"
-#: src/crlcache.c:201
+#: src/crlcache.c:200
#, c-format
msgid "creating directory `%s'\n"
msgstr "Das Verzeichnis `%s' wird erzeugt\n"
-#: src/crlcache.c:205
+#: src/crlcache.c:204
#, c-format
msgid "error creating directory `%s': %s\n"
msgstr "Fehler beim Erzeugen des Verzeichnis '%s': %s\n"
-#: src/crlcache.c:233
+#: src/crlcache.c:232
#, c-format
msgid "ignoring database dir `%s'\n"
msgstr "Das DB-Verzeichnis `%s' wird ignoriert\n"
-#: src/crlcache.c:242
+#: src/crlcache.c:241
#, c-format
msgid "error reading directory `%s': %s\n"
msgstr "Fehler beim Lesen des Verzeichnis `%s': %s\n"
-#: src/crlcache.c:263
+#: src/crlcache.c:262
#, c-format
msgid "removing cache file `%s'\n"
msgstr "Die Zwischenspeicherdatei `%s' wird entfernt\n"
-#: src/crlcache.c:272
+#: src/crlcache.c:271
#, c-format
msgid "not removing file `%s'\n"
msgstr "Die Datei `%s' wird nicht gelöscht\n"
-#: src/crlcache.c:341 src/crlcache.c:986
+#: src/crlcache.c:340 src/crlcache.c:997
#, c-format
msgid "error closing cache file: %s\n"
msgstr "Fehler beim Schließen der Zwischenspeicherdatei: %s\n"
-#: src/crlcache.c:378 src/crlcache.c:702
+#: src/crlcache.c:377 src/crlcache.c:701
#, c-format
msgid "failed to open cache dir file `%s': %s\n"
msgstr ""
"Die Zwischenspeicherverzeichnisdatei `%s' konnte nicht geöffnet werden: %s\n"
-#: src/crlcache.c:388
+#: src/crlcache.c:387
#, c-format
msgid "error creating new cache dir file `%s': %s\n"
msgstr ""
"Fehler beim Erzeugen der neuen Zwischenspeicherverzeichnisdatei `%s': %s\n"
-#: src/crlcache.c:395
+#: src/crlcache.c:394
#, c-format
msgid "error writing new cache dir file `%s': %s\n"
msgstr ""
"Fehler beim Schreiben der neuen Zwischenspeicherverzeichnisdatei `%s': %s\n"
-#: src/crlcache.c:402
+#: src/crlcache.c:401
#, c-format
msgid "error closing new cache dir file `%s': %s\n"
msgstr ""
"Fehler beim Schließen der neuen Zwischenspeicherverzeichnisdatei `%s': %s\n"
-#: src/crlcache.c:407
+#: src/crlcache.c:406
#, c-format
msgid "new cache dir file `%s' created\n"
msgstr "Neue Zwischenspeicherverzeichnisdatei `%s' wurde erzeugt\n"
-#: src/crlcache.c:412
+#: src/crlcache.c:411
#, c-format
msgid "failed to re-open cache dir file `%s': %s\n"
msgstr ""
"Fehler beim Wiederöffnen der Zwischenspeicherverzeichnisdatei `%s': %s\n"
-#: src/crlcache.c:439
+#: src/crlcache.c:438
#, c-format
msgid "first record of `%s' is not the version\n"
msgstr "Der erste Datensatz von `%s' enthält nicht die Version\n"
-#: src/crlcache.c:450
+#: src/crlcache.c:449
msgid "old version of cache directory - cleaning up\n"
msgstr "Alte Version des Zwischenspeicherverzeichnisses - räume auf\n"
-#: src/crlcache.c:466
+#: src/crlcache.c:465
msgid "old version of cache directory - giving up\n"
msgstr "Alte Version des Zwischenspeicherverzeichnisses - gebe auf\n"
-#: src/crlcache.c:554
+#: src/crlcache.c:553
#, c-format
msgid "extra field detected in crl record of `%s' line %u\n"
msgstr "Weiteres Feld im CRL Datensatz von `%s', Zeile %u festgestellt\n"
-#: src/crlcache.c:566
+#: src/crlcache.c:565
#, c-format
msgid "unsupported record type in `%s' line %u skipped\n"
msgstr "Nicht unterstützter Datensatztyp in `%s', Zeile %u übergangen\n"
-#: src/crlcache.c:574 src/crlcache.c:803 src/dirmngr.c:1221
+#: src/crlcache.c:573 src/crlcache.c:802 src/dirmngr.c:1221
#, c-format
msgid "error reading `%s': %s\n"
msgstr "Fehler beim Lesen von `%s': %s\n"
-#: src/crlcache.c:586
+#: src/crlcache.c:585
#, c-format
msgid "invalid issuer hash in `%s' line %u\n"
msgstr "Ungültiger Issuer Hashwert in `%s', Zeile %u\n"
-#: src/crlcache.c:592
+#: src/crlcache.c:591
#, c-format
msgid "no issuer DN in `%s' line %u\n"
msgstr "Kein Issuer DN in `%s', Zeile %u\n"
-#: src/crlcache.c:599
+#: src/crlcache.c:598
#, c-format
msgid "invalid timestamp in `%s' line %u\n"
msgstr "Ungültiger Zeitstempel in `%s', Zeile %u\n"
-#: src/crlcache.c:605
+#: src/crlcache.c:604
#, c-format
msgid "WARNING: invalid cache file hash in `%s' line %u\n"
msgstr "WARNUNG: Ungültiger Zwischenspeicherdatei Hashwert in `%s', Zeile %u\n"
-#: src/crlcache.c:611
+#: src/crlcache.c:610
msgid "detected errors in cache dir file\n"
msgstr "Id der Zwischenspeicherverzeichnisdatei wurden Fehler erkannt\n"
-#: src/crlcache.c:612
+#: src/crlcache.c:611
msgid "please check the reason and manually delete that file\n"
msgstr ""
"Bitte ermitteln sie die Ursache und löschen sie die Datei dann manuell\n"
-#: src/crlcache.c:735
+#: src/crlcache.c:734
#, c-format
msgid "failed to create temporary cache dir file `%s': %s\n"
msgstr ""
"Die temporäre Zwischenspeicherverzeichnisdatei `%s' konnte nicht erzeugt "
"werden: %s\n"
-#: src/crlcache.c:808
+#: src/crlcache.c:807
#, c-format
msgid "error writing `%s': %s\n"
msgstr "Fehler beim Schreiben auf `%s': %s\n"
-#: src/crlcache.c:819
+#: src/crlcache.c:818
#, c-format
msgid "error closing `%s': %s\n"
msgstr "Fehler beim Schließen von `%s': %s\n"
-#: src/crlcache.c:827
+#: src/crlcache.c:826
#, c-format
msgid "error renaming `%s' to `%s': %s\n"
msgstr "Fehler beim Umbenennen von `%s` nach `%s': %s\n"
-#: src/crlcache.c:882
+#: src/crlcache.c:881
#, c-format
msgid "can't hash `%s': %s\n"
msgstr "Hashwert von `%s' kann nicht gebildet werden: %s\n"
-#: src/crlcache.c:890
+#: src/crlcache.c:889
#, c-format
msgid "error setting up MD5 hash context: %s\n"
msgstr "Fehler beim Vorbereiten des MD5 Hashkontext: %s\n"
-#: src/crlcache.c:906
+#: src/crlcache.c:905
#, c-format
msgid "error hashing `%s': %s\n"
msgstr "Fehler beim Hashen von `%s': %s\n"
-#: src/crlcache.c:934
+#: src/crlcache.c:933
#, c-format
msgid "invalid formatted checksum for `%s'\n"
msgstr "Ungültig formatierte Prüfsumme für `%s'\n"
-#: src/crlcache.c:977
+#: src/crlcache.c:986
msgid "too many open cache files; can't open anymore\n"
msgstr ""
"Zu viele geöffnete Zwischenspeicherdateien; weitere kann nicht geöffnet "
"werden\n"
-#: src/crlcache.c:994
+#: src/crlcache.c:1004
#, c-format
msgid "opening cache file `%s'\n"
msgstr "Die Zwischenspeicherdatei `%s' wird geöffnet\n"
-#: src/crlcache.c:1013
+#: src/crlcache.c:1023
#, c-format
msgid "error opening cache file `%s': %s\n"
msgstr "Fehler beim Öffnen der Zwischenspeicherdatei `%s': %s\n"
-#: src/crlcache.c:1022
+#: src/crlcache.c:1032
#, c-format
msgid "error initializing cache file `%s' for reading: %s\n"
msgstr ""
"Fehler beim Initialisieren der Zwischenspeicherdatei `%s' zum Lesen: %s\n"
-#: src/crlcache.c:1044
+#: src/crlcache.c:1053
msgid "calling unlock_db_file on a closed file\n"
msgstr "unlock_db_file wird für eine geschlossene Datei aufgerufen\n"
-#: src/crlcache.c:1046
+#: src/crlcache.c:1055
msgid "calling unlock_db_file on an unlocked file\n"
msgstr "unlock_db_file wird für eine nicht gesperrte Datei aufgerufen\n"
-#: src/crlcache.c:1100
+#: src/crlcache.c:1109
#, c-format
msgid "failed to create a new cache object: %s\n"
msgstr "Ein neues Zwischenspeicherobjekt konnte nicht erzeugt werden: %s\n"
-#: src/crlcache.c:1153
+#: src/crlcache.c:1162
#, c-format
msgid "no CRL available for issuer id %s\n"
msgstr "Es ist keine CRL für den Issuer mit der ID %s vorhanden\n"
-#: src/crlcache.c:1160
+#: src/crlcache.c:1169
#, c-format
msgid "cached CRL for issuer id %s too old; update required\n"
msgstr ""
"Die zwischengespeicherte CRL für den Issuer mit der ID %s ist zu alt; ein "
"Update wird benötigt\n"
-#: src/crlcache.c:1174
+#: src/crlcache.c:1183
#, c-format
msgid ""
"force-crl-refresh active and %d minutes passed for issuer id %s; update "
@@ -356,205 +365,195 @@
"\"force-crl-refresh\" ist aktiviert und %d Minuten für den Issuer mit Id %s "
"sind vorbei; Update wird benötigt\n"
-#: src/crlcache.c:1182
+#: src/crlcache.c:1191
#, c-format
msgid "force-crl-refresh active for issuer id %s; update required\n"
msgstr ""
"\"force-crl-refresh\" ist für den Issuer mit der Id %s aktiviert; Update "
"wird benötigt\n"
-#: src/crlcache.c:1191
+#: src/crlcache.c:1200
#, c-format
msgid "available CRL for issuer ID %s can't be used\n"
msgstr ""
"Die vorhandene CRL für den Issuer mit der ID %s kann nicht benutzt werden\n"
-#: src/crlcache.c:1202
+#: src/crlcache.c:1211
#, c-format
msgid "cached CRL for issuer id %s tampered; we need to update\n"
msgstr ""
"Die zwischengespeicherte CRL für den Issuer mit der ID %s wurde verändert; "
"eine Update wird benötigt\n"
-#: src/crlcache.c:1214
+#: src/crlcache.c:1223
msgid "WARNING: invalid cache record length for S/N "
msgstr "WARNUNG: Ungültige Länge des Zwischenspeicherdateisatzes für S/N "
-#: src/crlcache.c:1223
+#: src/crlcache.c:1232
#, c-format
msgid "problem reading cache record for S/N %s: %s\n"
msgstr "Problem beim Lesen des Zwischenspeicherdatensatzes für S/N %s: %s\n"
-#: src/crlcache.c:1226
+#: src/crlcache.c:1235
#, c-format
msgid "S/N %s is not valid; reason=%02X date=%.15s\n"
msgstr "S/N %s ist nicht gültig; Grund=%02X Datum=%.15s\n"
-#: src/crlcache.c:1237
+#: src/crlcache.c:1246
#, c-format
msgid "S/N %s is valid, it is not listed in the CRL\n"
msgstr "S/N %s ist gültig; sie ist nicht in der CRL enthalten\n"
-#: src/crlcache.c:1245
+#: src/crlcache.c:1254
#, c-format
msgid "error getting data from cache file: %s\n"
msgstr "Fehler beim Holen der Daten aus der Zwischenspeicherdatei: %s\n"
-#: src/crlcache.c:1397
+#: src/crlcache.c:1390 src/validate.c:749
#, c-format
-msgid "error fetching certificate for CRL issuer: %s\n"
-msgstr "Fehler beim Holen des Zertifikats für den CRL Herausgeber: %s\n"
-
-#: src/crlcache.c:1404
-#, c-format
-msgid "invalid CRL issuer certificate: %s\n"
-msgstr "Ungültiges CRL-Herausgeber-Zertifikat: %s\n"
-
-#: src/crlcache.c:1467 src/validate.c:669
-#, c-format
msgid "unknown hash algorithm `%s'\n"
msgstr "Ungültige Hashmethode `%s'\n"
-#: src/crlcache.c:1474
+#: src/crlcache.c:1397
#, c-format
msgid "gcry_md_open for algorithm %d failed: %s\n"
msgstr "gcry_md_open für Methode %d fehlgeschlagen: %s\n"
-#: src/crlcache.c:1510 src/crlcache.c:1529
+#: src/crlcache.c:1433 src/crlcache.c:1452
msgid "got an invalid S-expression from libksba\n"
msgstr "Ungültige S-Expression von Libksba erhalten\n"
-#: src/crlcache.c:1517 src/crlcache.c:1536 src/misc.c:432
+#: src/crlcache.c:1440 src/crlcache.c:1459 src/misc.c:432
#, c-format
msgid "converting S-expression failed: %s\n"
msgstr "Konvertierung der S-Expression fehlgeschlagen: %s\n"
-#: src/crlcache.c:1551 src/ocsp.c:343
+#: src/crlcache.c:1474 src/ocsp.c:343
#, c-format
msgid "creating S-expression failed: %s\n"
msgstr "Erzeugen der S-Expression fehlgeschlagen: %s\n"
-#: src/crlcache.c:1606
+#: src/crlcache.c:1529
#, c-format
msgid "ksba_crl_parse failed: %s\n"
msgstr "ksba_crl_parse fehlgeschlagen: %s\n"
-#: src/crlcache.c:1620
+#: src/crlcache.c:1543
#, c-format
msgid "error getting update times of CRL: %s\n"
msgstr "Die \"Update Times\" konnte nicht aus der CRL bestimmt werden: %s\n"
-#: src/crlcache.c:1627
+#: src/crlcache.c:1550
#, c-format
msgid "update times of this CRL: this=%s next=%s\n"
msgstr "Die \"Update Times\" dieser CRL sind: this=%s next=%s\n"
-#: src/crlcache.c:1644
+#: src/crlcache.c:1567
#, c-format
msgid "error getting CRL item: %s\n"
msgstr "Fehler beim Holen eines CRL Items: %s\n"
-#: src/crlcache.c:1659
+#: src/crlcache.c:1582
#, c-format
msgid "error inserting item into temporary cache file: %s\n"
msgstr ""
"Fehler beim Einfügen eines Items in die temporäre Zwischenspeicherdatei: %s\n"
-#: src/crlcache.c:1686
+#: src/crlcache.c:1609
#, c-format
msgid "no CRL issuer found in CRL: %s\n"
msgstr "In der CRL wurde kein CRL Herausgeber gefunden: %s\n"
-#: src/crlcache.c:1699
+#: src/crlcache.c:1622
msgid "locating CRL issuer certificate by authorityKeyIdentifier\n"
msgstr ""
"CRL Herausgeberzertifikat wird über \"authorityKeyIdentifier\" geholt\n"
-#: src/crlcache.c:1744
+#: src/crlcache.c:1667
#, c-format
msgid "CRL signature verification failed: %s\n"
msgstr "Signaturprüfung der CRL ist fehlgeschlagen: %s\n"
-#: src/crlcache.c:1752
+#: src/crlcache.c:1675
#, c-format
msgid "error checking validity of CRL issuer certificate: %s\n"
msgstr "Fehler beim Püfen des CRL Herausgeberzertifikats: %s\n"
-#: src/crlcache.c:1878
+#: src/crlcache.c:1801
#, c-format
msgid "ksba_crl_new failed: %s\n"
msgstr "ksba_crl_new fehlgeschlagen: %s\n"
-#: src/crlcache.c:1885
+#: src/crlcache.c:1808
#, c-format
msgid "ksba_crl_set_reader failed: %s\n"
msgstr "ksba_crl_set_reader fehlgeschlagen: %s\n"
-#: src/crlcache.c:1908
+#: src/crlcache.c:1831
#, c-format
msgid "removed stale temporary cache file `%s'\n"
msgstr "Die alte temporäre Zwischenspeicherdatei `%s' wurde entfernt\n"
-#: src/crlcache.c:1911
+#: src/crlcache.c:1834
#, c-format
msgid "problem removing stale temporary cache file `%s': %s\n"
msgstr ""
"Problem beim Löschen der alten temporären Zwischenspeicherdatei `%s': %s\n"
-#: src/crlcache.c:1921
+#: src/crlcache.c:1844
#, c-format
msgid "error creating temporary cache file `%s': %s\n"
msgstr "Fehler beim Erzeugen der temporären Zwischenspeicherdatei `%s': %s\n"
-#: src/crlcache.c:1931
+#: src/crlcache.c:1854
#, c-format
msgid "crl_parse_insert failed: %s\n"
msgstr "crl_parse_insert fehlgeschlagen: %s\n"
-#: src/crlcache.c:1940
+#: src/crlcache.c:1863
#, c-format
msgid "error finishing temporary cache file `%s': %s\n"
msgstr ""
"Fehler beim Fertigstellen der temporären Zwischenspeicherdatei `%s': %s\n"
-#: src/crlcache.c:1947
+#: src/crlcache.c:1870
#, c-format
msgid "error closing temporary cache file `%s': %s\n"
msgstr "Fehler beim Schließen der temporären Zwischenspeicherdatei `%s': %s\n"
-#: src/crlcache.c:1972
+#: src/crlcache.c:1895
#, c-format
msgid "WARNING: new CRL still too old; it expired on %s - loading anyway\n"
msgstr ""
"WARNUNG: Neue CRL ist immer noch zu alt; sie verfiel am %s - wird trotzdem "
"geladen\n"
-#: src/crlcache.c:1976
+#: src/crlcache.c:1899
#, c-format
msgid "new CRL still too old; it expired on %s\n"
msgstr "Neue CRL ist immer noch zu alt; sie verviel am %s\n"
-#: src/crlcache.c:1992
+#: src/crlcache.c:1915
#, c-format
msgid "unknown critical CRL extension %s\n"
msgstr "Unbekannte kritische CRL Erweiterung %s\n"
-#: src/crlcache.c:2002
+#: src/crlcache.c:1925
#, c-format
msgid "error reading CRL extensions: %s\n"
msgstr "Fehler beim Lesen einer CRL Erweiterung: %s\n"
-#: src/crlcache.c:2036
+#: src/crlcache.c:1959
#, c-format
msgid "creating cache file `%s'\n"
msgstr "Zwischenspeicherdatei `%s' wird erzeugt\n"
-#: src/crlcache.c:2040
+#: src/crlcache.c:1963
#, c-format
msgid "problem renaming `%s' to `%s': %s\n"
msgstr "Problem beim Umbenennen von `%s' nach `%s': %s\n"
-#: src/crlcache.c:2054
+#: src/crlcache.c:1977
msgid ""
"updating the DIR file failed - cache entry will get lost with the next "
"program start\n"
@@ -562,12 +561,12 @@
"Update der Zwischenspeicherverzeichnisdatei fehlgeschlagen - "
"Zwischenspeichereintrag wird mit dem nächste Programmstart verloren gehen\n"
-#: src/crlcache.c:2090
+#: src/crlcache.c:2013
#, c-format
msgid "Begin CRL dump (retrieved via %s)\n"
msgstr "Anfang CRL Ausgabe (geholt via %s)\n"
-#: src/crlcache.c:2110
+#: src/crlcache.c:2033
#, c-format
msgid ""
" ERROR: The CRL will not be used because it was still too old after an "
@@ -575,7 +574,7 @@
msgstr ""
" FEHLER: Die CRL wird nicht benutzt, da sie trotz eines Updates zu alt war!\n"
-#: src/crlcache.c:2112
+#: src/crlcache.c:2035
#, c-format
msgid ""
" ERROR: The CRL will not be used due to an unknown critical extension!\n"
@@ -583,63 +582,63 @@
" FEHLER: Die CRL wird nicht benutzt, da sie eine unbekannte kritische CRL "
"Erweiterung trägt!\n"
-#: src/crlcache.c:2114
+#: src/crlcache.c:2037
#, c-format
msgid " ERROR: The CRL will not be used\n"
msgstr " FEHLER: Die CRL wird nicht benutzt\n"
-#: src/crlcache.c:2121
+#: src/crlcache.c:2044
#, c-format
msgid " ERROR: This cached CRL may has been tampered with!\n"
msgstr ""
" FEHLER: Diese zwischengespeicherte CRL ist möglicherweise abgeändert "
"worden!\n"
-#: src/crlcache.c:2138
+#: src/crlcache.c:2061
msgid " WARNING: invalid cache record length\n"
msgstr " WARNUNG: Ungültige Länge eines Zwischenspeicherdatensatzes\n"
-#: src/crlcache.c:2145
+#: src/crlcache.c:2068
#, c-format
msgid "problem reading cache record: %s\n"
msgstr "Problem beim Lesen eines Zwischenspeicherdatensatzes: %s\n"
-#: src/crlcache.c:2156
+#: src/crlcache.c:2079
#, c-format
msgid "problem reading cache key: %s\n"
msgstr "Problem beim Lesen eines Zwischenspeicherschlüssels: %s\n"
-#: src/crlcache.c:2187
+#: src/crlcache.c:2110
#, c-format
msgid "error reading cache entry from db: %s\n"
msgstr "Fehler beim Lesen eine Zwischenspeichereintrags aus der DB: %s\n"
-#: src/crlcache.c:2190
+#: src/crlcache.c:2113
#, c-format
msgid "End CRL dump\n"
msgstr "Ende CRL Ausgabe\n"
-#: src/crlcache.c:2236 src/crlfetch.c:98 src/ldap.c:699
+#: src/crlcache.c:2159 src/crlfetch.c:98 src/ldap.c:699
#, c-format
msgid "error initializing reader object: %s\n"
msgstr "Fehler beim Initialisieren des \"reader\" Objekts: %s\n"
-#: src/crlcache.c:2317
+#: src/crlcache.c:2240
#, c-format
msgid "crl_fetch via DP failed: %s\n"
msgstr "crl_fetch über den DP fehlgeschlagen: %s\n"
-#: src/crlcache.c:2328
+#: src/crlcache.c:2251
#, c-format
msgid "crl_cache_insert via DP failed: %s\n"
msgstr "crl_cache_insert über den DP fehlgeschlagen: %s\n"
-#: src/crlcache.c:2378
+#: src/crlcache.c:2301
#, c-format
msgid "crl_fetch via issuer failed: %s\n"
msgstr "crl_fetch über den Issuer fehlgeschlagen: %s\n"
-#: src/crlcache.c:2388
+#: src/crlcache.c:2311
#, c-format
msgid "crl_cache_insert via issuer failed: %s\n"
msgstr "crl_cache_insert über den Issuer fehlgeschlagen: %s\n"
@@ -1052,7 +1051,7 @@
msgid "adding `%s:%d' to the ldap server list\n"
msgstr "`%s:%d' wird der LDAP Serverliste hinzugefügt\n"
-#: src/ldap.c:144 src/misc.c:687
+#: src/ldap.c:144 src/misc.c:716
#, c-format
msgid "malloc failed: %s\n"
msgstr "malloc() fehlgeschlagen: %s\n"
@@ -1159,7 +1158,7 @@
msgid "[none]"
msgstr "[nichts]"
-#: src/misc.c:703
+#: src/misc.c:732
msgid "bad URL encoding detected\n"
msgstr "Fehlerhafte URL Kodierung erkannt\n"
@@ -1226,7 +1225,7 @@
msgstr ""
"Kein benutzbares Zertifikat zur Überprüfung der OCSP Antwort gefunden\n"
-#: src/ocsp.c:424 src/validate.c:459
+#: src/ocsp.c:424 src/validate.c:505
#, c-format
msgid "issuer certificate not found: %s\n"
msgstr "Herausgeberzertifikat nicht gefunden: %s\n"
@@ -1277,37 +1276,37 @@
msgid "error getting OCSP status for target certificate: %s\n"
msgstr "Fehler beim Holen des OCSP Status für das Zielzertifikat: %s\n"
-#: src/ocsp.c:554
+#: src/ocsp.c:572
#, c-format
msgid "certificate status is: %s (this=%s next=%s)\n"
msgstr "Zertifikatstatus ist: %s (this=%s next=%s)\n"
-#: src/ocsp.c:555
+#: src/ocsp.c:573
msgid "good"
msgstr "Gut"
-#: src/ocsp.c:556
+#: src/ocsp.c:574
msgid "revoked"
msgstr "Widerrufen"
-#: src/ocsp.c:557
+#: src/ocsp.c:575
msgid "unknown"
msgstr "Unbekannt"
-#: src/ocsp.c:558
+#: src/ocsp.c:576
msgid "none"
msgstr "Kein"
-#: src/ocsp.c:561
+#: src/ocsp.c:579
#, c-format
msgid "certificate has been revoked at: %s due to: %s\n"
msgstr "Zertifikat wurde widerrufen am: %s wegen: %s\n"
-#: src/ocsp.c:594
+#: src/ocsp.c:612
msgid "OCSP responder returned an too old status\n"
msgstr "OCSP Responder gab einen zu alten Status zurück\n"
-#: src/ocsp.c:606
+#: src/ocsp.c:624
msgid "OCSP responder returned a non-current status\n"
msgstr "OCSP Responder gab einen nicht aktuellen Status zurück\n"
@@ -1321,7 +1320,7 @@
msgstr "Seriennummer fehlt in der Cert-ID"
#: src/server.c:428 src/server.c:544 src/server.c:623 src/server.c:781
-#: src/server.c:809 src/server.c:833 src/server.c:886 src/server.c:939
+#: src/server.c:809 src/server.c:833 src/server.c:886 src/server.c:955
#, c-format
msgid "command %s failed: %s\n"
msgstr "Kommando %s fehlgeschlagen: %s\n"
@@ -1355,27 +1354,27 @@
msgid "no data stream"
msgstr "Kein Datenstrom"
-#: src/server.c:992
+#: src/server.c:1008
#, c-format
msgid "can't allocate control structure: %s\n"
msgstr "Fehler beim Erzeugen der Kontrollstruktur: %s\n"
-#: src/server.c:1015
+#: src/server.c:1031
#, c-format
msgid "failed to initialize the server: %s\n"
msgstr "Fehler beim Initialisieren des Servers: %s\n"
-#: src/server.c:1023
+#: src/server.c:1039
#, c-format
msgid "failed to the register commands with Assuan: %s\n"
msgstr "Fehler beim Registrieren der Kommandos gegen Assuan: %s\n"
-#: src/server.c:1043
+#: src/server.c:1059
#, c-format
msgid "Assuan accept problem: %s\n"
msgstr "Assuan accept Problem: %s\n"
-#: src/server.c:1050
+#: src/server.c:1066
#, c-format
msgid "Assuan processing failed: %s\n"
msgstr "Assuan Verarbeitung fehlgeschlagen: %s\n"
@@ -1397,102 +1396,130 @@
msgid "issuer certificate is not marked as a CA"
msgstr "Das Herausgeberzertifikat ist nicht für eine CA gekennzeichnet"
-#: src/validate.c:208
+#: src/validate.c:199
msgid "CRL checking too deeply nested\n"
msgstr "CRL Überprüfung ist zu tief geschachtelt\n"
-#: src/validate.c:326
+#: src/validate.c:217
+msgid "not checking CRL for"
+msgstr ""
+
+#: src/validate.c:222
+#, fuzzy
+msgid "checking CRL for"
+msgstr "Die CRL konnte nicht geprüft werden: %s"
+
+#: src/validate.c:283
+msgid "running in compatibility mode - certificate chain not checked!\n"
+msgstr ""
+
+#: src/validate.c:368
#, c-format
msgid "certificate with invalid validity: %s"
msgstr "Zertifikat mit unzulässiger Gültigkeit: %s"
-#: src/validate.c:344
+#: src/validate.c:386
msgid "certificate not yet valid"
msgstr "Das Zertifikat ist noch nicht gültig"
-#: src/validate.c:355
+#: src/validate.c:397
msgid "certificate has expired"
msgstr "Das Zertifikat ist abgelaufen"
-#: src/validate.c:384
+#: src/validate.c:426
msgid "selfsigned certificate has a BAD signature"
msgstr "Das eigenbeglaubigte Zertifikat hat eine FALSCHE Signatur"
-#: src/validate.c:402
+#: src/validate.c:444
msgid "root certificate is not marked trusted"
msgstr "Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert"
-#: src/validate.c:404
+#: src/validate.c:446
#, c-format
msgid "fingerprint=%s\n"
msgstr "Fingerprint=%s\n"
-#: src/validate.c:410
+#: src/validate.c:452
#, c-format
msgid "checking trustworthiness of root certificate failed: %s\n"
msgstr ""
"Prüfung der Vertrauenswürdigkeit des Wurzelzertifikats fehlgeschlagen: %s\n"
-#: src/validate.c:441
+#: src/validate.c:487
msgid "certificate chain too long\n"
msgstr "Der Zertifikatkette ist zu lang\n"
-#: src/validate.c:453
+#: src/validate.c:499
msgid "issuer certificate not found"
msgstr "Herausgeberzertifikat nicht gefunden"
-#: src/validate.c:479
+#: src/validate.c:525
msgid "certificate has a BAD signature"
msgstr "Das Zertifikat hat eine FALSCHE Signatur"
-#: src/validate.c:503
+#: src/validate.c:549
msgid "found another possible matching CA certificate - trying again"
msgstr ""
"Eine anderes möglicherweise passendes CA-Zertifikat gefunden - versuche "
"nochmal"
-#: src/validate.c:528
+#: src/validate.c:574
#, c-format
msgid "certificate chain longer than allowed by CA (%d)"
msgstr "Die Zertifikatkette ist länger als von der CA erlaubt (%d)"
-#: src/validate.c:758
+#: src/validate.c:604
+#, fuzzy
+msgid "certificate is good\n"
+msgstr "Zertifikat ist gültig\n"
+
+#: src/validate.c:624
+#, fuzzy
+msgid "certificate chain is good\n"
+msgstr "Der Zertifikatkette ist zu lang\n"
+
+#: src/validate.c:838
msgid "DSA requires the use of a 160 bit hash algorithm\n"
msgstr "DSA benötigt eine 160 Bit Hashmethode\n"
-#: src/validate.c:865
+#: src/validate.c:945
msgid "no key usage specified - assuming all usages\n"
msgstr ""
"Schlüsselverwendungszweck nicht vorhanden - für alle Zwecke akzeptiert\n"
-#: src/validate.c:875
+#: src/validate.c:955
#, c-format
msgid "error getting key usage information: %s\n"
msgstr "Fehler beim holen der Schlüsselbenutzungsinformationen: %s\n"
-#: src/validate.c:885
+#: src/validate.c:965
msgid "certificate should have not been used for certification\n"
msgstr "Das Zertifikat hätte nicht zum Zertifizieren benutzt werden sollen\n"
-#: src/validate.c:897
+#: src/validate.c:977
msgid "certificate should have not been used for OCSP response signing\n"
msgstr ""
"Das Zertifikat hätte nicht zum Signieren von OCSP Antworten benutzt werden "
"sollen\n"
-#: src/validate.c:908
+#: src/validate.c:986
+#, fuzzy
+msgid "certificate should have not been used for CRL signing\n"
+msgstr "Das Zertifikat hätte nicht zum Signieren benutzt werden sollen\n"
+
+#: src/validate.c:997
msgid "certificate should have not been used for encryption\n"
msgstr "Das Zertifikat hätte nicht zum Verschlüsseln benutzt werden sollen\n"
-#: src/validate.c:910
+#: src/validate.c:999
msgid "certificate should have not been used for signing\n"
msgstr "Das Zertifikat hätte nicht zum Signieren benutzt werden sollen\n"
-#: src/validate.c:911
+#: src/validate.c:1000
msgid "certificate is not usable for encryption\n"
msgstr "Das Zertifikat kann nicht zum Verschlüsseln benutzt werden\n"
-#: src/validate.c:912
+#: src/validate.c:1001
msgid "certificate is not usable for signing\n"
msgstr "Das Zertifikat kann nicht zum Signieren benutzt werden\n"
@@ -1546,7 +1573,7 @@
"The Prozess gibt 0 zurück wenn das Zertifikat gültig ist, 1 wenn es nicht\n"
"gültig ist und weitere Werte bei anderen Fehlern.\n"
-#: src/dirmngr-client.c:265 src/dirmngr-client.c:959
+#: src/dirmngr-client.c:265 src/dirmngr-client.c:970
#, c-format
msgid "error reading certificate from stdin: %s\n"
msgstr "Fehler beim Lesen des Zertifikats von der Standardeingabe: %s\n"
@@ -1579,15 +1606,15 @@
msgid "validation of certificate failed: %s\n"
msgstr "Prüfung des Zertifikats fehlgeschlagen: %s\n"
-#: src/dirmngr-client.c:384 src/dirmngr-client.c:970
+#: src/dirmngr-client.c:384 src/dirmngr-client.c:981
msgid "certificate is valid\n"
msgstr "Zertifikat ist gültig\n"
-#: src/dirmngr-client.c:390 src/dirmngr-client.c:978
+#: src/dirmngr-client.c:390 src/dirmngr-client.c:989
msgid "certificate has been revoked\n"
msgstr "Zertifikat wurde widerrufen\n"
-#: src/dirmngr-client.c:395 src/dirmngr-client.c:980
+#: src/dirmngr-client.c:395 src/dirmngr-client.c:991
#, c-format
msgid "certificate check failed: %s\n"
msgstr "Zertifikatprüfung fehlgeschlagen: %s\n"
@@ -1628,16 +1655,16 @@
msgid "can't connect to the dirmngr: %s\n"
msgstr "Verbindung zum Dirmngr nicht möglich: %s\n"
-#: src/dirmngr-client.c:772
+#: src/dirmngr-client.c:779
#, c-format
msgid "unsupported inquiry `%s'\n"
msgstr "Nicht unterstützte INQUIRY `%s'\n"
-#: src/dirmngr-client.c:864
+#: src/dirmngr-client.c:875
msgid "absolute file name expected\n"
msgstr "Absoluter Dateiname erwartet\n"
-#: src/dirmngr-client.c:907
+#: src/dirmngr-client.c:918
#, c-format
msgid "looking up `%s'\n"
msgstr "Auffinden von `%s'\n"
@@ -1811,6 +1838,12 @@
msgid "`%s' is an invalid LDAP URL\n"
msgstr "`%s' ist ein ungültiger LDAP URL\n"
+#~ msgid "error fetching certificate for CRL issuer: %s\n"
+#~ msgstr "Fehler beim Holen des Zertifikats für den CRL Herausgeber: %s\n"
+
+#~ msgid "invalid CRL issuer certificate: %s\n"
+#~ msgstr "Ungültiges CRL-Herausgeber-Zertifikat: %s\n"
+
#~ msgid "can't open `/dev/null': %s\n"
#~ msgstr "`/dev/null' kann nicht geöffnet werden: %s\n"
@@ -1845,9 +1878,6 @@
#~ msgstr ""
#~ "Bitte vergewissern Sie sich das der \"dirmngr\" richtig installiert ist\n"
-#~ msgid "checking the CRL failed: %s"
-#~ msgstr "Die CRL konnte nicht geprüft werden: %s"
-
#~ msgid "root certificate has now been marked as trusted\n"
#~ msgstr "Das Wurzelzertifikat wurde nun als vertrauenswürdig markiert\n"
Modified: trunk/po/dirmngr.pot
===================================================================
--- trunk/po/dirmngr.pot 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/po/dirmngr.pot 2006-08-30 20:40:15 UTC (rev 230)
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: gpa-dev at gnupg.org\n"
-"POT-Creation-Date: 2006-05-16 11:53+0200\n"
+"POT-Creation-Date: 2006-06-27 12:32+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
"Language-Team: LANGUAGE <LL at li.org>\n"
@@ -46,7 +46,7 @@
msgid "can't access directory `%s': %s\n"
msgstr ""
-#: src/certcache.c:335 src/crlcache.c:2227 src/ldap.c:631
+#: src/certcache.c:335 src/crlcache.c:2150 src/ldap.c:631
#, c-format
msgid "can't open `%s': %s\n"
msgstr ""
@@ -61,549 +61,548 @@
msgid "can't parse certificate `%s': %s\n"
msgstr ""
-#: src/certcache.c:366
+#: src/certcache.c:365
#, c-format
msgid "certificate `%s' already cached\n"
msgstr ""
#: src/certcache.c:369
#, c-format
+msgid "trusted certificate `%s' loaded\n"
+msgstr ""
+
+#: src/certcache.c:371
+#, c-format
msgid "certificate `%s' loaded\n"
msgstr ""
-#: src/certcache.c:373
+#: src/certcache.c:375
#, c-format
-msgid "SHA1 fingerprint = %s\n"
+msgid " SHA1 fingerprint = %s\n"
msgstr ""
#: src/certcache.c:378
+msgid " name ="
+msgstr ""
+
+#: src/certcache.c:382
#, c-format
msgid "error loading certificate `%s': %s\n"
msgstr ""
-#: src/certcache.c:452
+#: src/certcache.c:457
#, c-format
msgid "permanently loaded certificates: %u\n"
msgstr ""
-#: src/certcache.c:454
+#: src/certcache.c:459
#, c-format
msgid " runtime cached certificates: %u\n"
msgstr ""
-#: src/certcache.c:469 src/dirmngr-client.c:365
+#: src/certcache.c:474 src/dirmngr-client.c:365
msgid "certificate already cached\n"
msgstr ""
-#: src/certcache.c:471
+#: src/certcache.c:476
msgid "certificate cached\n"
msgstr ""
-#: src/certcache.c:473 src/dirmngr-client.c:369
+#: src/certcache.c:478 src/dirmngr-client.c:369
#, c-format
msgid "error caching certificate: %s\n"
msgstr ""
-#: src/certcache.c:538
+#: src/certcache.c:543
#, c-format
msgid "invalid SHA1 fingerprint string `%s'\n"
msgstr ""
-#: src/certcache.c:681 src/certcache.c:690
+#: src/certcache.c:690 src/certcache.c:699
#, c-format
msgid "error fetching certificate by S/N: %s\n"
msgstr ""
-#: src/certcache.c:786 src/certcache.c:795
+#: src/certcache.c:820 src/certcache.c:829
#, c-format
msgid "error fetching certificate by subject: %s\n"
msgstr ""
-#: src/certcache.c:896 src/validate.c:312
+#: src/certcache.c:932 src/validate.c:354
msgid "no issuer found in certificate\n"
msgstr ""
-#: src/certcache.c:906
+#: src/certcache.c:942
#, c-format
msgid "error getting authorityKeyIdentifier: %s\n"
msgstr ""
-#: src/crlcache.c:201
+#: src/crlcache.c:200
#, c-format
msgid "creating directory `%s'\n"
msgstr ""
-#: src/crlcache.c:205
+#: src/crlcache.c:204
#, c-format
msgid "error creating directory `%s': %s\n"
msgstr ""
-#: src/crlcache.c:233
+#: src/crlcache.c:232
#, c-format
msgid "ignoring database dir `%s'\n"
msgstr ""
-#: src/crlcache.c:242
+#: src/crlcache.c:241
#, c-format
msgid "error reading directory `%s': %s\n"
msgstr ""
-#: src/crlcache.c:263
+#: src/crlcache.c:262
#, c-format
msgid "removing cache file `%s'\n"
msgstr ""
-#: src/crlcache.c:272
+#: src/crlcache.c:271
#, c-format
msgid "not removing file `%s'\n"
msgstr ""
-#: src/crlcache.c:341 src/crlcache.c:986
+#: src/crlcache.c:340 src/crlcache.c:997
#, c-format
msgid "error closing cache file: %s\n"
msgstr ""
-#: src/crlcache.c:378 src/crlcache.c:702
+#: src/crlcache.c:377 src/crlcache.c:701
#, c-format
msgid "failed to open cache dir file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:388
+#: src/crlcache.c:387
#, c-format
msgid "error creating new cache dir file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:395
+#: src/crlcache.c:394
#, c-format
msgid "error writing new cache dir file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:402
+#: src/crlcache.c:401
#, c-format
msgid "error closing new cache dir file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:407
+#: src/crlcache.c:406
#, c-format
msgid "new cache dir file `%s' created\n"
msgstr ""
-#: src/crlcache.c:412
+#: src/crlcache.c:411
#, c-format
msgid "failed to re-open cache dir file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:439
+#: src/crlcache.c:438
#, c-format
msgid "first record of `%s' is not the version\n"
msgstr ""
-#: src/crlcache.c:450
+#: src/crlcache.c:449
msgid "old version of cache directory - cleaning up\n"
msgstr ""
-#: src/crlcache.c:466
+#: src/crlcache.c:465
msgid "old version of cache directory - giving up\n"
msgstr ""
-#: src/crlcache.c:554
+#: src/crlcache.c:553
#, c-format
msgid "extra field detected in crl record of `%s' line %u\n"
msgstr ""
-#: src/crlcache.c:566
+#: src/crlcache.c:565
#, c-format
msgid "unsupported record type in `%s' line %u skipped\n"
msgstr ""
-#: src/crlcache.c:574 src/crlcache.c:803 src/dirmngr.c:1221
+#: src/crlcache.c:573 src/crlcache.c:802 src/dirmngr.c:1221
#, c-format
msgid "error reading `%s': %s\n"
msgstr ""
-#: src/crlcache.c:586
+#: src/crlcache.c:585
#, c-format
msgid "invalid issuer hash in `%s' line %u\n"
msgstr ""
-#: src/crlcache.c:592
+#: src/crlcache.c:591
#, c-format
msgid "no issuer DN in `%s' line %u\n"
msgstr ""
-#: src/crlcache.c:599
+#: src/crlcache.c:598
#, c-format
msgid "invalid timestamp in `%s' line %u\n"
msgstr ""
-#: src/crlcache.c:605
+#: src/crlcache.c:604
#, c-format
msgid "WARNING: invalid cache file hash in `%s' line %u\n"
msgstr ""
-#: src/crlcache.c:611
+#: src/crlcache.c:610
msgid "detected errors in cache dir file\n"
msgstr ""
-#: src/crlcache.c:612
+#: src/crlcache.c:611
msgid "please check the reason and manually delete that file\n"
msgstr ""
-#: src/crlcache.c:735
+#: src/crlcache.c:734
#, c-format
msgid "failed to create temporary cache dir file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:808
+#: src/crlcache.c:807
#, c-format
msgid "error writing `%s': %s\n"
msgstr ""
-#: src/crlcache.c:819
+#: src/crlcache.c:818
#, c-format
msgid "error closing `%s': %s\n"
msgstr ""
-#: src/crlcache.c:827
+#: src/crlcache.c:826
#, c-format
msgid "error renaming `%s' to `%s': %s\n"
msgstr ""
-#: src/crlcache.c:882
+#: src/crlcache.c:881
#, c-format
msgid "can't hash `%s': %s\n"
msgstr ""
-#: src/crlcache.c:890
+#: src/crlcache.c:889
#, c-format
msgid "error setting up MD5 hash context: %s\n"
msgstr ""
-#: src/crlcache.c:906
+#: src/crlcache.c:905
#, c-format
msgid "error hashing `%s': %s\n"
msgstr ""
-#: src/crlcache.c:934
+#: src/crlcache.c:933
#, c-format
msgid "invalid formatted checksum for `%s'\n"
msgstr ""
-#: src/crlcache.c:977
+#: src/crlcache.c:986
msgid "too many open cache files; can't open anymore\n"
msgstr ""
-#: src/crlcache.c:994
+#: src/crlcache.c:1004
#, c-format
msgid "opening cache file `%s'\n"
msgstr ""
-#: src/crlcache.c:1013
+#: src/crlcache.c:1023
#, c-format
msgid "error opening cache file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:1022
+#: src/crlcache.c:1032
#, c-format
msgid "error initializing cache file `%s' for reading: %s\n"
msgstr ""
-#: src/crlcache.c:1044
+#: src/crlcache.c:1053
msgid "calling unlock_db_file on a closed file\n"
msgstr ""
-#: src/crlcache.c:1046
+#: src/crlcache.c:1055
msgid "calling unlock_db_file on an unlocked file\n"
msgstr ""
-#: src/crlcache.c:1100
+#: src/crlcache.c:1109
#, c-format
msgid "failed to create a new cache object: %s\n"
msgstr ""
-#: src/crlcache.c:1153
+#: src/crlcache.c:1162
#, c-format
msgid "no CRL available for issuer id %s\n"
msgstr ""
-#: src/crlcache.c:1160
+#: src/crlcache.c:1169
#, c-format
msgid "cached CRL for issuer id %s too old; update required\n"
msgstr ""
-#: src/crlcache.c:1174
+#: src/crlcache.c:1183
#, c-format
msgid ""
"force-crl-refresh active and %d minutes passed for issuer id %s; update "
"required\n"
msgstr ""
-#: src/crlcache.c:1182
+#: src/crlcache.c:1191
#, c-format
msgid "force-crl-refresh active for issuer id %s; update required\n"
msgstr ""
-#: src/crlcache.c:1191
+#: src/crlcache.c:1200
#, c-format
msgid "available CRL for issuer ID %s can't be used\n"
msgstr ""
-#: src/crlcache.c:1202
+#: src/crlcache.c:1211
#, c-format
msgid "cached CRL for issuer id %s tampered; we need to update\n"
msgstr ""
-#: src/crlcache.c:1214
+#: src/crlcache.c:1223
msgid "WARNING: invalid cache record length for S/N "
msgstr ""
-#: src/crlcache.c:1223
+#: src/crlcache.c:1232
#, c-format
msgid "problem reading cache record for S/N %s: %s\n"
msgstr ""
-#: src/crlcache.c:1226
+#: src/crlcache.c:1235
#, c-format
msgid "S/N %s is not valid; reason=%02X date=%.15s\n"
msgstr ""
-#: src/crlcache.c:1237
+#: src/crlcache.c:1246
#, c-format
msgid "S/N %s is valid, it is not listed in the CRL\n"
msgstr ""
-#: src/crlcache.c:1245
+#: src/crlcache.c:1254
#, c-format
msgid "error getting data from cache file: %s\n"
msgstr ""
-#: src/crlcache.c:1397
+#: src/crlcache.c:1390 src/validate.c:749
#, c-format
-msgid "error fetching certificate for CRL issuer: %s\n"
-msgstr ""
-
-#: src/crlcache.c:1404
-#, c-format
-msgid "invalid CRL issuer certificate: %s\n"
-msgstr ""
-
-#: src/crlcache.c:1467 src/validate.c:669
-#, c-format
msgid "unknown hash algorithm `%s'\n"
msgstr ""
-#: src/crlcache.c:1474
+#: src/crlcache.c:1397
#, c-format
msgid "gcry_md_open for algorithm %d failed: %s\n"
msgstr ""
-#: src/crlcache.c:1510 src/crlcache.c:1529
+#: src/crlcache.c:1433 src/crlcache.c:1452
msgid "got an invalid S-expression from libksba\n"
msgstr ""
-#: src/crlcache.c:1517 src/crlcache.c:1536 src/misc.c:432
+#: src/crlcache.c:1440 src/crlcache.c:1459 src/misc.c:432
#, c-format
msgid "converting S-expression failed: %s\n"
msgstr ""
-#: src/crlcache.c:1551 src/ocsp.c:343
+#: src/crlcache.c:1474 src/ocsp.c:343
#, c-format
msgid "creating S-expression failed: %s\n"
msgstr ""
-#: src/crlcache.c:1606
+#: src/crlcache.c:1529
#, c-format
msgid "ksba_crl_parse failed: %s\n"
msgstr ""
-#: src/crlcache.c:1620
+#: src/crlcache.c:1543
#, c-format
msgid "error getting update times of CRL: %s\n"
msgstr ""
-#: src/crlcache.c:1627
+#: src/crlcache.c:1550
#, c-format
msgid "update times of this CRL: this=%s next=%s\n"
msgstr ""
-#: src/crlcache.c:1644
+#: src/crlcache.c:1567
#, c-format
msgid "error getting CRL item: %s\n"
msgstr ""
-#: src/crlcache.c:1659
+#: src/crlcache.c:1582
#, c-format
msgid "error inserting item into temporary cache file: %s\n"
msgstr ""
-#: src/crlcache.c:1686
+#: src/crlcache.c:1609
#, c-format
msgid "no CRL issuer found in CRL: %s\n"
msgstr ""
-#: src/crlcache.c:1699
+#: src/crlcache.c:1622
msgid "locating CRL issuer certificate by authorityKeyIdentifier\n"
msgstr ""
-#: src/crlcache.c:1744
+#: src/crlcache.c:1667
#, c-format
msgid "CRL signature verification failed: %s\n"
msgstr ""
-#: src/crlcache.c:1752
+#: src/crlcache.c:1675
#, c-format
msgid "error checking validity of CRL issuer certificate: %s\n"
msgstr ""
-#: src/crlcache.c:1878
+#: src/crlcache.c:1801
#, c-format
msgid "ksba_crl_new failed: %s\n"
msgstr ""
-#: src/crlcache.c:1885
+#: src/crlcache.c:1808
#, c-format
msgid "ksba_crl_set_reader failed: %s\n"
msgstr ""
-#: src/crlcache.c:1908
+#: src/crlcache.c:1831
#, c-format
msgid "removed stale temporary cache file `%s'\n"
msgstr ""
-#: src/crlcache.c:1911
+#: src/crlcache.c:1834
#, c-format
msgid "problem removing stale temporary cache file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:1921
+#: src/crlcache.c:1844
#, c-format
msgid "error creating temporary cache file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:1931
+#: src/crlcache.c:1854
#, c-format
msgid "crl_parse_insert failed: %s\n"
msgstr ""
-#: src/crlcache.c:1940
+#: src/crlcache.c:1863
#, c-format
msgid "error finishing temporary cache file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:1947
+#: src/crlcache.c:1870
#, c-format
msgid "error closing temporary cache file `%s': %s\n"
msgstr ""
-#: src/crlcache.c:1972
+#: src/crlcache.c:1895
#, c-format
msgid "WARNING: new CRL still too old; it expired on %s - loading anyway\n"
msgstr ""
-#: src/crlcache.c:1976
+#: src/crlcache.c:1899
#, c-format
msgid "new CRL still too old; it expired on %s\n"
msgstr ""
-#: src/crlcache.c:1992
+#: src/crlcache.c:1915
#, c-format
msgid "unknown critical CRL extension %s\n"
msgstr ""
-#: src/crlcache.c:2002
+#: src/crlcache.c:1925
#, c-format
msgid "error reading CRL extensions: %s\n"
msgstr ""
-#: src/crlcache.c:2036
+#: src/crlcache.c:1959
#, c-format
msgid "creating cache file `%s'\n"
msgstr ""
-#: src/crlcache.c:2040
+#: src/crlcache.c:1963
#, c-format
msgid "problem renaming `%s' to `%s': %s\n"
msgstr ""
-#: src/crlcache.c:2054
+#: src/crlcache.c:1977
msgid ""
"updating the DIR file failed - cache entry will get lost with the next "
"program start\n"
msgstr ""
-#: src/crlcache.c:2090
+#: src/crlcache.c:2013
#, c-format
msgid "Begin CRL dump (retrieved via %s)\n"
msgstr ""
-#: src/crlcache.c:2110
+#: src/crlcache.c:2033
#, c-format
msgid ""
" ERROR: The CRL will not be used because it was still too old after an "
"update!\n"
msgstr ""
-#: src/crlcache.c:2112
+#: src/crlcache.c:2035
#, c-format
msgid ""
" ERROR: The CRL will not be used due to an unknown critical extension!\n"
msgstr ""
-#: src/crlcache.c:2114
+#: src/crlcache.c:2037
#, c-format
msgid " ERROR: The CRL will not be used\n"
msgstr ""
-#: src/crlcache.c:2121
+#: src/crlcache.c:2044
#, c-format
msgid " ERROR: This cached CRL may has been tampered with!\n"
msgstr ""
-#: src/crlcache.c:2138
+#: src/crlcache.c:2061
msgid " WARNING: invalid cache record length\n"
msgstr ""
-#: src/crlcache.c:2145
+#: src/crlcache.c:2068
#, c-format
msgid "problem reading cache record: %s\n"
msgstr ""
-#: src/crlcache.c:2156
+#: src/crlcache.c:2079
#, c-format
msgid "problem reading cache key: %s\n"
msgstr ""
-#: src/crlcache.c:2187
+#: src/crlcache.c:2110
#, c-format
msgid "error reading cache entry from db: %s\n"
msgstr ""
-#: src/crlcache.c:2190
+#: src/crlcache.c:2113
#, c-format
msgid "End CRL dump\n"
msgstr ""
-#: src/crlcache.c:2236 src/crlfetch.c:98 src/ldap.c:699
+#: src/crlcache.c:2159 src/crlfetch.c:98 src/ldap.c:699
#, c-format
msgid "error initializing reader object: %s\n"
msgstr ""
-#: src/crlcache.c:2317
+#: src/crlcache.c:2240
#, c-format
msgid "crl_fetch via DP failed: %s\n"
msgstr ""
-#: src/crlcache.c:2328
+#: src/crlcache.c:2251
#, c-format
msgid "crl_cache_insert via DP failed: %s\n"
msgstr ""
-#: src/crlcache.c:2378
+#: src/crlcache.c:2301
#, c-format
msgid "crl_fetch via issuer failed: %s\n"
msgstr ""
-#: src/crlcache.c:2388
+#: src/crlcache.c:2311
#, c-format
msgid "crl_cache_insert via issuer failed: %s\n"
msgstr ""
@@ -1004,7 +1003,7 @@
msgid "adding `%s:%d' to the ldap server list\n"
msgstr ""
-#: src/ldap.c:144 src/misc.c:687
+#: src/ldap.c:144 src/misc.c:716
#, c-format
msgid "malloc failed: %s\n"
msgstr ""
@@ -1111,7 +1110,7 @@
msgid "[none]"
msgstr ""
-#: src/misc.c:703
+#: src/misc.c:732
msgid "bad URL encoding detected\n"
msgstr ""
@@ -1177,7 +1176,7 @@
msgid "no suitable certificate found to verify the OCSP response\n"
msgstr ""
-#: src/ocsp.c:424 src/validate.c:459
+#: src/ocsp.c:424 src/validate.c:505
#, c-format
msgid "issuer certificate not found: %s\n"
msgstr ""
@@ -1228,37 +1227,37 @@
msgid "error getting OCSP status for target certificate: %s\n"
msgstr ""
-#: src/ocsp.c:554
+#: src/ocsp.c:572
#, c-format
msgid "certificate status is: %s (this=%s next=%s)\n"
msgstr ""
-#: src/ocsp.c:555
+#: src/ocsp.c:573
msgid "good"
msgstr ""
-#: src/ocsp.c:556
+#: src/ocsp.c:574
msgid "revoked"
msgstr ""
-#: src/ocsp.c:557
+#: src/ocsp.c:575
msgid "unknown"
msgstr ""
-#: src/ocsp.c:558
+#: src/ocsp.c:576
msgid "none"
msgstr ""
-#: src/ocsp.c:561
+#: src/ocsp.c:579
#, c-format
msgid "certificate has been revoked at: %s due to: %s\n"
msgstr ""
-#: src/ocsp.c:594
+#: src/ocsp.c:612
msgid "OCSP responder returned an too old status\n"
msgstr ""
-#: src/ocsp.c:606
+#: src/ocsp.c:624
msgid "OCSP responder returned a non-current status\n"
msgstr ""
@@ -1272,7 +1271,7 @@
msgstr ""
#: src/server.c:428 src/server.c:544 src/server.c:623 src/server.c:781
-#: src/server.c:809 src/server.c:833 src/server.c:886 src/server.c:939
+#: src/server.c:809 src/server.c:833 src/server.c:886 src/server.c:955
#, c-format
msgid "command %s failed: %s\n"
msgstr ""
@@ -1306,27 +1305,27 @@
msgid "no data stream"
msgstr ""
-#: src/server.c:992
+#: src/server.c:1008
#, c-format
msgid "can't allocate control structure: %s\n"
msgstr ""
-#: src/server.c:1015
+#: src/server.c:1031
#, c-format
msgid "failed to initialize the server: %s\n"
msgstr ""
-#: src/server.c:1023
+#: src/server.c:1039
#, c-format
msgid "failed to the register commands with Assuan: %s\n"
msgstr ""
-#: src/server.c:1043
+#: src/server.c:1059
#, c-format
msgid "Assuan accept problem: %s\n"
msgstr ""
-#: src/server.c:1050
+#: src/server.c:1066
#, c-format
msgid "Assuan processing failed: %s\n"
msgstr ""
@@ -1348,96 +1347,120 @@
msgid "issuer certificate is not marked as a CA"
msgstr ""
-#: src/validate.c:208
+#: src/validate.c:199
msgid "CRL checking too deeply nested\n"
msgstr ""
-#: src/validate.c:326
+#: src/validate.c:217
+msgid "not checking CRL for"
+msgstr ""
+
+#: src/validate.c:222
+msgid "checking CRL for"
+msgstr ""
+
+#: src/validate.c:283
+msgid "running in compatibility mode - certificate chain not checked!\n"
+msgstr ""
+
+#: src/validate.c:368
#, c-format
msgid "certificate with invalid validity: %s"
msgstr ""
-#: src/validate.c:344
+#: src/validate.c:386
msgid "certificate not yet valid"
msgstr ""
-#: src/validate.c:355
+#: src/validate.c:397
msgid "certificate has expired"
msgstr ""
-#: src/validate.c:384
+#: src/validate.c:426
msgid "selfsigned certificate has a BAD signature"
msgstr ""
-#: src/validate.c:402
+#: src/validate.c:444
msgid "root certificate is not marked trusted"
msgstr ""
-#: src/validate.c:404
+#: src/validate.c:446
#, c-format
msgid "fingerprint=%s\n"
msgstr ""
-#: src/validate.c:410
+#: src/validate.c:452
#, c-format
msgid "checking trustworthiness of root certificate failed: %s\n"
msgstr ""
-#: src/validate.c:441
+#: src/validate.c:487
msgid "certificate chain too long\n"
msgstr ""
-#: src/validate.c:453
+#: src/validate.c:499
msgid "issuer certificate not found"
msgstr ""
-#: src/validate.c:479
+#: src/validate.c:525
msgid "certificate has a BAD signature"
msgstr ""
-#: src/validate.c:503
+#: src/validate.c:549
msgid "found another possible matching CA certificate - trying again"
msgstr ""
-#: src/validate.c:528
+#: src/validate.c:574
#, c-format
msgid "certificate chain longer than allowed by CA (%d)"
msgstr ""
-#: src/validate.c:758
+#: src/validate.c:604
+msgid "certificate is good\n"
+msgstr ""
+
+#: src/validate.c:624
+msgid "certificate chain is good\n"
+msgstr ""
+
+#: src/validate.c:838
msgid "DSA requires the use of a 160 bit hash algorithm\n"
msgstr ""
-#: src/validate.c:865
+#: src/validate.c:945
msgid "no key usage specified - assuming all usages\n"
msgstr ""
-#: src/validate.c:875
+#: src/validate.c:955
#, c-format
msgid "error getting key usage information: %s\n"
msgstr ""
-#: src/validate.c:885
+#: src/validate.c:965
msgid "certificate should have not been used for certification\n"
msgstr ""
-#: src/validate.c:897
+#: src/validate.c:977
msgid "certificate should have not been used for OCSP response signing\n"
msgstr ""
-#: src/validate.c:908
+#: src/validate.c:986
+msgid "certificate should have not been used for CRL signing\n"
+msgstr ""
+
+#: src/validate.c:997
msgid "certificate should have not been used for encryption\n"
msgstr ""
-#: src/validate.c:910
+#: src/validate.c:999
msgid "certificate should have not been used for signing\n"
msgstr ""
-#: src/validate.c:911
+#: src/validate.c:1000
msgid "certificate is not usable for encryption\n"
msgstr ""
-#: src/validate.c:912
+#: src/validate.c:1001
msgid "certificate is not usable for signing\n"
msgstr ""
@@ -1485,7 +1508,7 @@
"not valid and other error codes for general failures\n"
msgstr ""
-#: src/dirmngr-client.c:265 src/dirmngr-client.c:959
+#: src/dirmngr-client.c:265 src/dirmngr-client.c:970
#, c-format
msgid "error reading certificate from stdin: %s\n"
msgstr ""
@@ -1518,15 +1541,15 @@
msgid "validation of certificate failed: %s\n"
msgstr ""
-#: src/dirmngr-client.c:384 src/dirmngr-client.c:970
+#: src/dirmngr-client.c:384 src/dirmngr-client.c:981
msgid "certificate is valid\n"
msgstr ""
-#: src/dirmngr-client.c:390 src/dirmngr-client.c:978
+#: src/dirmngr-client.c:390 src/dirmngr-client.c:989
msgid "certificate has been revoked\n"
msgstr ""
-#: src/dirmngr-client.c:395 src/dirmngr-client.c:980
+#: src/dirmngr-client.c:395 src/dirmngr-client.c:991
#, c-format
msgid "certificate check failed: %s\n"
msgstr ""
@@ -1567,16 +1590,16 @@
msgid "can't connect to the dirmngr: %s\n"
msgstr ""
-#: src/dirmngr-client.c:772
+#: src/dirmngr-client.c:779
#, c-format
msgid "unsupported inquiry `%s'\n"
msgstr ""
-#: src/dirmngr-client.c:864
+#: src/dirmngr-client.c:875
msgid "absolute file name expected\n"
msgstr ""
-#: src/dirmngr-client.c:907
+#: src/dirmngr-client.c:918
#, c-format
msgid "looking up `%s'\n"
msgstr ""
Modified: trunk/src/ChangeLog
===================================================================
--- trunk/src/ChangeLog 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/ChangeLog 2006-08-30 20:40:15 UTC (rev 230)
@@ -1,3 +1,27 @@
+2006-08-30 Werner Koch <wk at g10code.com>
+
+ * validate.c (check_cert_sig): Workaround for rimemd160.
+ (allowed_ca): Always allow trusted CAs.
+
+ * dirmngr.h (cert_ref_t): New.
+ (struct server_control_s): Add field OCSP_CERTS.
+ * server.c (start_command_handler): Release new field
+ * ocsp.c (release_ctrl_ocsp_certs): New.
+ (check_signature): Store certificates in OCSP_CERTS.
+
+ * certcache.c (find_issuing_cert): Reset error if cert was found
+ by subject.
+ (put_cert): Add new arg FPR_BUFFER. Changed callers.
+ (cache_cert_silent): New.
+
+ * dirmngr.c (parse_rereadable_options): New options
+ --ocsp-max-clock-skew and --ocsp-current-period.
+ * ocsp.c (ocsp_isvalid): Use them here.
+
+ * ocsp.c (validate_responder_cert): New optional arg signer_cert.
+ (check_signature_core): Ditto.
+ (check_signature): Apss the default signer certificate here.
+
2006-06-27 Werner Koch <wk at g10code.com>
* dirmngr-client.c (inq_cert): Take care of SENDCERT_SKI.
Modified: trunk/src/certcache.c
===================================================================
--- trunk/src/certcache.c 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/certcache.c 2006-08-30 20:40:15 UTC (rev 230)
@@ -199,13 +199,19 @@
/* Put the certificate CERT into the cache. It is assumed that the
- cache is locked while this function is called. */
+ cache is locked while this function is called. If FPR_BUFFER is not
+ NULL the fingerprint of the certificate will be stored there.
+ FPR_BUFFER neds to point to a buffer of at least 20 bytes. The
+ fingerprint will be stored on success or when the function returns
+ gpg_err_code(GPG_ERR_DUP_VALUE). */
static gpg_error_t
-put_cert (ksba_cert_t cert, int is_loaded, int is_trusted)
+put_cert (ksba_cert_t cert, int is_loaded, int is_trusted, void *fpr_buffer)
{
- unsigned char fpr[20];
+ unsigned char help_fpr_buffer[20], *fpr;
cert_item_t ci;
+ fpr = fpr_buffer? fpr_buffer : &help_fpr_buffer;
+
/* If we already reached the caching limit, drop a couple of certs
from the cache. Our dropping strategy is simple: We keep a
static index counter and use this to start looking for
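Review bot: The new `fpr_buffer` parameter of put_cert is a bare `void *` whose 20-byte size exists only in the comment, so nothing stops a caller from passing a shorter buffer and having the fingerprint written past its end. Declaring it as `unsigned char *fpr_buffer` and naming the length once (for example `enum { FPR_LEN = 20 };`, also used for `help_fpr_buffer`) would make the contract checkable; the same applies to `cache_cert_silent` added further down in this file. `&help_fpr_buffer` has type `unsigned char (*)[20]`, so plain `help_fpr_buffer` is the conventional spelling in the conditional. The comment should also say that the buffer contents are unspecified on any error other than GPG_ERR_DUP_VALUE, and "neds" should read "needs". put_cert's body continues outside the hunk.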
@@ -360,7 +366,7 @@
continue;
}
- err = put_cert (cert, 1, are_trusted);
+ err = put_cert (cert, 1, are_trusted, NULL);
if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
log_info (_("certificate `%s' already cached\n"), fname);
else if (!err)
@@ -468,20 +474,38 @@
gpg_error_t err;
acquire_cache_write_lock ();
- err = put_cert (cert, 0, 0);
+ err = put_cert (cert, 0, 0, NULL);
release_cache_lock ();
if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
log_info (_("certificate already cached\n"));
else if (!err)
log_info (_("certificate cached\n"));
else
- log_error (_("error caching certificate: %s\n"),
- gpg_strerror (err));
+ log_error (_("error caching certificate: %s\n"), gpg_strerror (err));
return err;
}
+/* Put CERT into the certificate cache and store the fingerprint of
+ the certificate into FPR_BUFFER. If the certificate is already in
+ the cache do not print a warning; just store the
+ fingerprint. FPR_BUFFER needs to be at least 20 bytes. */
+gpg_error_t
+cache_cert_silent (ksba_cert_t cert, void *fpr_buffer)
+{
+ gpg_error_t err;
+ acquire_cache_write_lock ();
+ err = put_cert (cert, 0, 0, fpr_buffer);
+ release_cache_lock ();
+ if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
+ err = 0;
+ if (err)
+ log_error (_("error caching certificate: %s\n"), gpg_strerror (err));
+ return err;
+}
+
+
/* Return a certificate object for the given fingerprint. FPR is
expected to be a 20 byte binary SHA-1 fingerprint. If no matching
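Review bot: The comment on `cache_cert_silent` does not say that the certificate is inserted without any validation, as `put_cert (cert, 0, 0, fpr_buffer)` marks it neither loaded nor trusted. The ChangeLog in this commit says check_signature stores certificates taken from OCSP responses, so these entries presumably originate from the network. I would extend the comment with `The certificate is cached unvalidated and untrusted; callers must not treat presence in the cache as a trust decision.` It should also state that FPR_BUFFER is only meaningful when the function returns 0, since the GPG_ERR_DUP_VALUE case is folded into success here.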
@@ -757,6 +781,37 @@
cert_fetch_context_t context = NULL;
ksba_sexp_t subj;
+ /* If we have certificates from an OCSP request we first try to use
+ them. This is because these certificates will really be the
+ required ones and thus even in the case that they can't be
+ uniquely located by the following code we can use them. This is
+ for example required by Telesec certificates where a keyId is
+ used but the issuer certificate comes without a subject keyId! */
+ if (ctrl->ocsp_certs)
+ {
+ cert_item_t ci;
+ cert_ref_t cr;
+ int i;
+
+ /* For efficiency reasons we won't use get_cert_bysubject here. */
+ acquire_cache_read_lock ();
+ for (i=0; i < 256; i++)
+ for (ci=cert_cache[i]; ci; ci = ci->next)
+ if (ci->cert && ci->subject_dn
+ && !strcmp (ci->subject_dn, subject_dn))
+ for (cr=ctrl->ocsp_certs; cr; cr = cr->next)
+ if (!memcmp (ci->fpr, cr->fpr, 20))
+ {
+ ksba_cert_ref (ci->cert);
+ release_cache_lock ();
+ return ci->cert; /* We use this certificate. */
+ }
+ release_cache_lock ();
+ if (DBG_LOOKUP)
+ log_debug ("find_cert_bysubject: certificate not in ocsp_certs\n");
+ }
+
+
/* First we check whether the certificate is cached. */
for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++)
{
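Review bot: In the new `ctrl->ocsp_certs` branch, `ci->cert` is read for the `return` after `release_cache_lock ()` has run, so the cache item is dereferenced without the read lock held. The reference taken by `ksba_cert_ref` protects the certificate object but not the `ci` slot, which `put_cert` may reuse when it drops entries at the caching limit. Copy the pointer while still locked, e.g. `cert = ci->cert; ksba_cert_ref (cert);` followed by `release_cache_lock (); return cert;`, using the function's `cert` local, which is presumably declared above this hunk. The literals `256` and `20` would also read better as named constants. The function starts outside this hunk.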
@@ -774,6 +829,8 @@
if (cert)
return cert; /* Done. */
+ if (DBG_LOOKUP)
+ log_debug ("find_cert_bysubject: certificate not in cache\n");
/* Ask back to the service requester to return the certificate.
This is because we can assume that he already used the
@@ -989,6 +1046,8 @@
if (err || !issuer_cert)
{
issuer_cert = get_cert_bysubject (issuer_dn, 0);
+ if (issuer_cert)
+ err = 0;
}
leave:
Modified: trunk/src/certcache.h
===================================================================
--- trunk/src/certcache.h 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/certcache.h 2006-08-30 20:40:15 UTC (rev 230)
@@ -40,6 +40,9 @@
/* Put CERT into the certificate cache. */
gpg_error_t cache_cert (ksba_cert_t cert);
+/* Put CERT into the certificate cache and return the fingerprint. */
+gpg_error_t cache_cert_silent (ksba_cert_t cert, void *fpr_buffer);
+
/* Return 0 if the certificate is a trusted certificate. Returns
GPG_ERR_NOT_TRUSTED if it is not trusted or other error codes in
case of systems errors. */
Modified: trunk/src/dirmngr.c
===================================================================
--- trunk/src/dirmngr.c 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/dirmngr.c 2006-08-30 20:40:15 UTC (rev 230)
@@ -1,6 +1,6 @@
/* dirmngr.c - LDAP access
* Copyright (C) 2002 Klarälvdalens Datakonsult AB
- * Copyright (C) 2003, 2004 g10 Code GmbH
+ * Copyright (C) 2003, 2004, 2006 g10 Code GmbH
*
* This file is part of DirMngr.
*
@@ -90,6 +90,8 @@
oLDAPAddServers,
oOCSPResponder,
oOCSPSigner,
+ oOCSPMaxClockSkew,
+ oOCSPCurrentPeriod,
oMaxReplies,
oFakedSystemTime,
oForce,
@@ -156,6 +158,8 @@
{ oOCSPResponder, "ocsp-responder", 2, N_("|URL|use OCSP responder at URL")},
{ oOCSPSigner, "ocsp-signer", 2, N_("|FPR|OCSP response signed by FPR")},
+ { oOCSPMaxClockSkew, "ocsp-max-clock-skew", 1, "@" },
+ { oOCSPCurrentPeriod, "ocsp-current-period", 1, "@" },
{ oMaxReplies, "max-replies", 1,
N_("|N|do not return more than N items in one query")},
@@ -217,7 +221,7 @@
case 11: p = "dirmngr";
break;
case 13: p = VERSION; break;
- case 14: p = "Copyright (C) 2004 g10 Code GmbH"; break;
+ case 14: p = "Copyright (C) 2006 g10 Code GmbH"; break;
case 17: p = PRINTABLE_OS_NAME; break;
case 19: p =
_("Please report bugs to <gpa-dev at gnupg.org>.\n");
@@ -401,6 +405,8 @@
opt.allow_ocsp = 0;
opt.ocsp_responder = NULL;
opt.ocsp_signer = NULL;
+ opt.ocsp_max_clock_skew = 10 * 60; /* 10 minutes. */
+ opt.ocsp_current_period = 3 * 60 * 60; /* 3 hours. */
opt.max_replies = DEFAULT_MAX_REPLIES;
return 1;
}
@@ -445,6 +451,8 @@
case oAllowOCSP: opt.allow_ocsp = 1; break;
case oOCSPResponder: opt.ocsp_responder = pargs->r.ret_str; break;
case oOCSPSigner: opt.ocsp_signer = pargs->r.ret_str; break;
+ case oOCSPMaxClockSkew: opt.ocsp_max_clock_skew = pargs->r.ret_int; break;
+ case oOCSPCurrentPeriod: opt.ocsp_current_period = pargs->r.ret_int; break;
case oMaxReplies: opt.max_replies = pargs->r.ret_int; break;
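Review bot: `oOCSPMaxClockSkew` and `oOCSPCurrentPeriod` store the signed `pargs->r.ret_int` into the `unsigned int` fields added in dirmngr.h without any range check, so a negative setting wraps to a very large window. Both values feed the `add_isotime` calls in ocsp.c that decide whether an OCSP response is still current, and the sum `opt.ocsp_current_period + opt.ocsp_max_clock_skew` can wrap as well. Either case distorts the freshness check that keeps stale responses from being accepted. Validate before assigning, for example `if (pargs->r.ret_int < 0) return 0; /* Not handled. */`, if that is how this function reports a bad option, and consider an upper bound too. The enclosing switch starts outside this hunk.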
@@ -541,7 +549,7 @@
/* Reset rereadable options to default values. */
parse_rereadable_options (NULL, 0);
- /* LDAP defaults */
+ /* LDAP defaults. */
opt.add_new_ldapservers = 0;
opt.ldaptimeout = DEFAULT_LDAP_TIMEOUT;
Modified: trunk/src/dirmngr.h
===================================================================
--- trunk/src/dirmngr.h 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/dirmngr.h 2006-08-30 20:40:15 UTC (rev 230)
@@ -61,7 +61,8 @@
/* A large struct name "opt" to keep global flags. */
-struct {
+struct
+{
unsigned int debug; /* debug flags (DBG_foo_VALUE) */
int verbose; /* verbosity level */
int quiet; /* be as quiet as possible */
@@ -103,7 +104,9 @@
const char *ocsp_responder; /* Standard OCSP responder's URL. */
const char *ocsp_signer; /* The fingerprint of the standard OCSP
responder signer's certificate. */
-
+ unsigned int ocsp_max_clock_skew; /* Allowed seconds of clocks skew. */
+ unsigned int ocsp_current_period; /* Seconds a response is
+ considered current. */
} opt;
@@ -124,11 +127,20 @@
#define DBG_HASHING (opt.debug & DBG_HASHING_VALUE)
#define DBG_ASSUAN (opt.debug & DBG_ASSUAN_VALUE)
+/* A simple list of certificate references. */
+struct cert_ref_s
+{
+ struct cert_ref_s *next;
+ unsigned char fpr[20];
+};
+typedef struct cert_ref_s *cert_ref_t;
+/* Control structure per connection. */
struct server_local_s;
-struct server_control_s {
+struct server_control_s
+{
int refcount; /* Count additional references to this object. */
int no_server; /* We are not running under server control. */
int status_fd; /* Only for non-server mode. */
@@ -136,6 +148,8 @@
int force_crl_refresh; /* Always load a fresh CRL. */
int check_revocations_nest_level; /* Internal to check_revovations. */
+ cert_ref_t ocsp_certs; /* Certificates from the current OCSP
+ response. */
};
typedef struct server_control_s *ctrl_t;
Modified: trunk/src/ocsp.c
===================================================================
--- trunk/src/ocsp.c 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/ocsp.c 2006-08-30 20:40:15 UTC (rev 230)
@@ -36,6 +36,20 @@
#define MAX_RESPONSE_SIZE 65536
+static const char oidstr_ocsp[] = "1.3.6.1.5.5.7.48.1";
+
+
+/* Telesec attribute used to implement a positive confirmation.
+
+ CertHash ::= SEQUENCE {
+ HashAlgorithm AlgorithmIdentifier,
+ certificateHash OCTET STRING }
+ */
+static const char oidstr_certHash[] = "1.3.36.8.3.13";
+
+
+
+
/* Read from FP and return a newly allocated buffer in R_BUFFER with the
entire data read from FP. */
static gpg_error_t
@@ -241,15 +255,30 @@
}
-/* Validate that CERT is indeed valid to sign an OCSP response. */
+/* Validate that CERT is indeed valid to sign an OCSP response. If
+ signer_fpr is not NULL we simply check that CERT matches this
+ fingerprint. */
static gpg_error_t
-validate_responder_cert (ctrl_t ctrl, ksba_cert_t cert)
+validate_responder_cert (ctrl_t ctrl, ksba_cert_t cert, const char *signer_fpr)
{
gpg_error_t err;
char *fpr;
- if (opt.system_daemon)
+ if (signer_fpr)
{
+ fpr = (strchr (signer_fpr, ':')
+ ? get_fingerprint_hexstring_colon (cert)
+ : get_fingerprint_hexstring (cert));
+ if (ascii_strcasecmp (signer_fpr, fpr))
+ {
+ log_error (_("not signed by default OCSP signer certificate"));
+ err = gpg_error (GPG_ERR_BAD_CA_CERT);
+ }
+ else
+ err = 0;
+ }
+ else if (opt.system_daemon)
+ {
err = validate_cert_chain (ctrl, cert, NULL, VALIDATE_MODE_OCSP);
}
else
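Review bot: In the new `signer_fpr` branch, the string returned by `get_fingerprint_hexstring_colon` / `get_fingerprint_hexstring` goes straight into `ascii_strcasecmp` and is not released in the lines shown. If these helpers return allocated memory and can fail, add an `if (!fpr)` guard before the compare and `xfree (fpr);` after it; the rest of the function is outside this hunk, so a later release may already exist. As far as the visible lines show, this branch also accepts the responder certificate on a fingerprint match alone and skips `validate_cert_chain`, so the validity period of the pinned signer is not checked here. A comment saying that this is intended would help the next reader. The new `log_error` string also lacks the trailing `\n` that the other messages in this diff carry.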
@@ -283,7 +312,7 @@
/* Helper for check_signature. */
static int
check_signature_core (ctrl_t ctrl, ksba_cert_t cert, gcry_sexp_t s_sig,
- gcry_sexp_t s_hash)
+ gcry_sexp_t s_hash, const char *signer_fpr)
{
gpg_error_t err;
ksba_sexp_t pubkey;
@@ -298,7 +327,7 @@
if (!err)
err = gcry_pk_verify (s_sig, s_hash, s_pkey);
if (!err)
- err = validate_responder_cert (ctrl, cert);
+ err = validate_responder_cert (ctrl, cert, signer_fpr);
if (!err)
{
gcry_sexp_release (s_pkey);
@@ -344,16 +373,19 @@
return err;
}
+ /* Get rid of old OCSP specific certificate references. */
+ release_ctrl_ocsp_certs (ctrl);
+
if (signer_fpr)
{
- /* We should use the default OCSP reponder's certificate. Get
- it from the fingerprint. */
+ /* We use the default OCSP responder's certificate. Get it from
+ the fingerprint. */
cert = get_cert_byhexfpr (signer_fpr);
if (!cert)
cert = get_cert_local (ctrl, signer_fpr);
if (cert)
{
- err = check_signature_core (ctrl, cert, s_sig, s_hash);
+ err = check_signature_core (ctrl, cert, s_sig, s_hash, signer_fpr);
ksba_cert_release (cert);
cert = NULL;
if (!err)
@@ -365,6 +397,29 @@
}
else
{
+ /* Put all certificates included in the response into the cache
+ and setup a list of those certificate which will later
+ preferred used when locating the issuer certificates. */
+ /* It turned out that thsi is not yet required, so we disable
+ the code here. */
+/* for (cert_idx=0; (cert = ksba_ocsp_get_cert (ocsp, cert_idx)); */
+/* cert_idx++) */
+/* { */
+/* cert_ref_t cref; */
+
+/* cref = xtrymalloc (sizeof *cref); */
+/* if (!cref) */
+/* log_error (_("allocating list item failed: %s\n"), */
+/* gcry_strerror (err)); */
+/* else if (!cache_cert_silent (cert, &cref->fpr)) */
+/* { */
+/* cref->next = ctrl->ocsp_certs; */
+/* ctrl->ocsp_certs = cref; */
+/* } */
+/* else */
+/* xfree (cref); */
+/* } */
+
/* As of now we rely on having a valid certificate in the response.
Obviously this may not be true in all cases and thus we should
get the responder ID and try to locate the certificate by other
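Review bot: The disabled loop added here has two defects that will surface as soon as it is re-enabled. Each `cert` returned by `ksba_ocsp_get_cert` is never passed to `ksba_cert_release`, unlike the live loop further down. The allocation-failure message prints `gcry_strerror (err)` although `xtrymalloc` does not set `err`, so it would report an unrelated or stale code. Wrapping the block in `#if 0` with a one-line reason, instead of commenting each line, would keep it readable and make those fixes easier to review later.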
@@ -372,7 +427,7 @@
for (cert_idx=0; (cert = ksba_ocsp_get_cert (ocsp, cert_idx));
cert_idx++)
{
- err = check_signature_core (ctrl, cert, s_sig, s_hash);
+ err = check_signature_core (ctrl, cert, s_sig, s_hash, NULL);
ksba_cert_release (cert);
cert = NULL;
if (!err)
@@ -465,7 +520,7 @@
&& !(err=ksba_cert_get_authority_info_access (cert, idx,
&oid, &name)); idx++)
{
- if ( !strcmp (oid, "1.3.6.1.5.5.7.48.1") )
+ if ( !strcmp (oid, oidstr_ocsp) )
{
for (i=0; !url && ksba_name_enum (name, i); i++)
{
@@ -604,9 +659,9 @@
err = gpg_error (GPG_ERR_GENERAL);
get_isotime (current_time);
- /* Allow for 10 minutes of clock skew. Note, that NEXT_UPDATE is
+ /* Allow for some clock skew. Note, that NEXT_UPDATE is
optional. */
- add_isotime (current_time, 10 * 60);
+ add_isotime (current_time, opt.ocsp_max_clock_skew);
if (*next_update && strcmp (next_update, current_time) < 0 )
{
log_error (_("OCSP responder returned an too old status\n"));
@@ -614,11 +669,9 @@
if (!err)
err = gpg_error (GPG_ERR_TIME_CONFLICT);
}
- /* Check that THIS_UPDATE is not too far back in the past. We
- currently use 3 hours (the extra 10 minutes are for the time
- adjust above). */
+ /* Check that THIS_UPDATE is not too far back in the past. */
copy_time (tmp_time, this_update);
- add_isotime (this_update, 3 * 60 * 60 + 10 * 60);
+ add_isotime (this_update, opt.ocsp_current_period + opt.ocsp_max_clock_skew);
if (!*this_update || strcmp (this_update, current_time) < 0 )
{
log_error (_("OCSP responder returned a non-current status\n"));
@@ -639,3 +692,14 @@
}
+/* Release the list of OCSP certificates hold in the CTRL object. */
+void
+release_ctrl_ocsp_certs (ctrl_t ctrl)
+{
+ while (ctrl->ocsp_certs)
+ {
+ cert_ref_t tmp = ctrl->ocsp_certs->next;
+ xfree (ctrl->ocsp_certs);
+ ctrl->ocsp_certs = tmp;
+ }
+}
Modified: trunk/src/ocsp.h
===================================================================
--- trunk/src/ocsp.h 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/ocsp.h 2006-08-30 20:40:15 UTC (rev 230)
@@ -23,4 +23,7 @@
gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr);
+/* Release the list of OCSP certificates hold in the CTRL object. */
+void release_ctrl_ocsp_certs (ctrl_t ctrl);
+
#endif /*OCSP_H*/
Modified: trunk/src/server.c
===================================================================
--- trunk/src/server.c 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/server.c 2006-08-30 20:40:15 UTC (rev 230)
@@ -1078,6 +1078,7 @@
ctrl->refcount);
else
{
+ release_ctrl_ocsp_certs (ctrl);
xfree (ctrl->server_local);
xfree (ctrl);
}
Modified: trunk/src/validate.c
===================================================================
--- trunk/src/validate.c 2006-06-27 11:12:17 UTC (rev 229)
+++ trunk/src/validate.c 2006-08-30 20:40:15 UTC (rev 230)
@@ -175,8 +175,22 @@
return err;
if (!flag)
{
- log_error (_("issuer certificate is not marked as a CA"));
- return gpg_error (GPG_ERR_BAD_CA_CERT);
+ if (!is_trusted_cert (cert))
+ {
+ /* The German SigG Root CA's certificate does not flag
+ itself as a CA; thus we relax this requirement if we
+ trust a root CA. I think this is reasonable. Note, that
+ gpgsm implements a far stricter scheme here. */
+ if (chainlen)
+ *chainlen = 3; /* That is what the SigG implements. */
+ if (opt.verbose)
+ log_info (_("accepting root CA not marked as a CA"));
+ }
+ else
+ {
+ log_error (_("issuer certificate is not marked as a CA"));
+ return gpg_error (GPG_ERR_BAD_CA_CERT);
+ }
}
return 0;
}
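Review bot: The condition `!is_trusted_cert (cert)` is true when the certificate is trusted, since certcache.h documents 0 as the "trusted" result, and that reads as the opposite at first glance. A comment on that line, e.g. `/* is_trusted_cert returns 0 for a trusted certificate. */`, would guard against a later accidental inversion. The relaxation also applies to every trusted certificate that lacks the CA flag, not only the SigG root named in the comment, and it is logged only under `opt.verbose`. Because this waives the CA-flag check, I would log the exception unconditionally and give the hard-coded `*chainlen = 3` a named constant so the exception stays auditable. The function starts outside this hunk.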
@@ -749,7 +763,11 @@
log_error (_("unknown hash algorithm `%s'\n"), algoid? algoid:"?");
return gpg_error (GPG_ERR_GENERAL);
}
- s = gcry_md_algo_name (algo);
+ /* At some point in time a bug slipped into Libgcrypt returning
+ "ripemd160" as canonical name but only accepting "rmd160" in
+ pk_verify. This will be fixed in libgcrypt 1.2.4 but we use a
+ workaround here. */
+ s = (algo == GCRY_MD_RMD160)? "rmd160": gcry_md_algo_name (algo);
for (i=0; *s && i < sizeof algo_name - 1; s++, i++)
algo_name[i] = tolower (*s);
algo_name[i] = 0;