[svn] dirmngr - r228 - in trunk: . doc src
svn author wk
cvs at cvs.gnupg.org
Tue Jun 27 13:04:49 CEST 2006
Author: wk
Date: 2006-06-27 13:04:47 +0200 (Tue, 27 Jun 2006)
New Revision: 228
Modified:
trunk/ChangeLog
trunk/NEWS
trunk/configure.ac
trunk/doc/Makefile.am
trunk/doc/internals.texi
trunk/src/ChangeLog
trunk/src/crlcache.c
trunk/src/dirmngr-client.c
trunk/src/ldap.c
trunk/src/validate.c
trunk/src/validate.h
Log:
About to do a new release
Modified: trunk/ChangeLog
===================================================================
--- trunk/ChangeLog 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/ChangeLog 2006-06-27 11:04:47 UTC (rev 228)
@@ -1,3 +1,7 @@
+2006-06-27 Werner Koch <wk at g10code.com>
+
+ Released 0.9.5.
+
2006-06-23 Werner Koch <wk at g10code.com>
* doc/internals.texi: new.
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/NEWS 2006-06-27 11:04:47 UTC (rev 228)
@@ -1,7 +1,10 @@
-Noteworthy changes in version 0.9.5 (unreleased)
+Noteworthy changes in version 0.9.5 (2006-06-27)
------------------------------------------------
+ * Fixed a problems with the CRL caching and CRL certificate
+ validation.
+ * Improved diagnostics.
Noteworthy changes in version 0.9.4 (2006-05-16)
Modified: trunk/configure.ac
===================================================================
--- trunk/configure.ac 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/configure.ac 2006-06-27 11:04:47 UTC (rev 228)
@@ -23,7 +23,7 @@
AC_PREREQ(2.59)
min_automake_version="1.9.3"
-AC_INIT(dirmngr, 0.9.5-cvs, gpa-dev at gnupg.org)
+AC_INIT(dirmngr, 0.9.5, gpa-dev at gnupg.org)
NEED_GPG_ERROR_VERSION=0.7
Modified: trunk/doc/Makefile.am
===================================================================
--- trunk/doc/Makefile.am 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/doc/Makefile.am 2006-06-27 11:04:47 UTC (rev 228)
@@ -19,6 +19,8 @@
## Process this file with automake to produce Makefile.in
+EXTRA_DIST = internals.texi
+
info_TEXINFOS = dirmngr.texi
dirmngr_TEXINFOS = gpl.texi fdl.texi
Modified: trunk/doc/internals.texi
===================================================================
--- trunk/doc/internals.texi 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/doc/internals.texi 2006-06-27 11:04:47 UTC (rev 228)
@@ -1,53 +1,62 @@
@c internals.texi - this file describes internals of DirMngr.
+!!! UNDER CONSTRUCTION !!!
+
+
@section Verifying a Certificate
There are several ways to request services from Dirmngr. Almost all of
them are done using the Assuan protocol. What we describe here is the
-Assuan Command CHECKCRL as used for example by the dirmnr-client tool if
+Assuan command CHECKCRL as used for example by the dirmnr-client tool if
invoked as
+ at example
dirmngr-client foo.crt
+ at end example
This command will send an Assuan request to an already running Dirmngr
instance. foo.crt is expected to be a standard X.509 certificate and
dirmngr will receive the Assuan command
- CHECKCRL [<fingerprint>]
+ at example
+ CHECKCRL @var [{fingerprint}]
+ at end example
-<fingerprint> is optional and expected to be the SHA-1 has of the DER
-encosing of the certificate under question. It is to be HEX encoded.
-The rationale for sending the fingerprint is that it allows dirmngr to
-rely immediatly if it has already cached such an request. Only if this
-is not the case and no certificate has been found in dirmngr's internal
-certificate storage, dirmngr will request the certificate using the
-Assuan inquiry
+ at var{fingerprint} is optional and expected to be the SHA-1 has of the
+DER encoding of the certificate under question. It is to be HEX
+encoded. The rationale for sending the fingerprint is that it allows
+dirmngr to reply immediatly if it has already cached such a request. If
+this is not the case and no certificate has been found in dirmngr's
+internal certificate storage, dirmngr will request the certificate using
+the Assuan inquiry
+ at example
INQUIRE TARGETCERT
+ at end example
The caller (in our example dirmngr-client) is then expected to return
-the certificate for the request (which should match FINGERPRINT) as a
-binary blob.
+the certificate for the request (which should match @var{fingerprint})
+as a binary blob.
-Dirmngr now passes control to @func{crl_cache_cert_isvalid}. This
+Dirmngr now passes control to @code{crl_cache_cert_isvalid}. This
function checks whether a CRL item exists for target certificate. These
CRL items are kept in a database of already loaded and verified CRLs.
This mechanism is called the CRL cache. Obviously timestamps are kept
there with each item to cope with the expiration date of the CRL. The
-possible return values are: Success to indicate that a valid CRL is
-available for the certificate and the certificate itself is not listen
-in this CRL, GPG_ERR_CERT_REVOKED to indicate that the certificate is
-listed in the CRL or GPG_ERR_NO_CRL_KNOWN in cases where no or no
-information is available. he first two codes are immediatly returned to
+possible return values are: @code{0} to indicate that a valid CRL is
+available for the certificate and the certificate itself is not listed
+in this CRL, @code{GPG_ERR_CERT_REVOKED} to indicate that the certificate is
+listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no
+information is available. The first two codes are immediatly returned to
the caller and the processing of this request has been done.
-Only the GPG_ERR_NO_CRL_KNOWN needs more attention: Dirmngr now call
- at func(clr_cache_reload_crl} and if this succeeds calls
- at func(crl_cache_cert_isvald) one more. All further errors are
+Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now
+calls @code{clr_cache_reload_crl} and if this succeeds calls
+ at code{crl_cache_cert_isvald) once more. All further errors are
immediately returned to the caller.
- at func(clr_cache_reload_crl} is the actual heart of the CRL management.
+ at code{crl_cache_reload_crl} is the actual heart of the CRL management.
It locates the corresponding CRL for the target certificate, reads and
verifies this CRL and stores it in the CRL cache. It works like this:
@@ -57,12 +66,12 @@
* If the URL scheme is unknown or not enabled
(--ignore-http-dp, --ignore-ldap-dp) continues with
the next name.
- * @func{crl_fetch} is called to actually retrieve the CRL.
+ * @code{crl_fetch} is called to actually retrieve the CRL.
In case of problems this name is ignore and we continue with
- the next name. Note that @func{crl_fetch} does only return
+ the next name. Note that @code{crl_fetch} does only return
a descriptor for the CRL for further reading so does the CRL
does not yet end up in memory.
- * @func{crl_cache_insert} is called with that descriptor to
+ * @code{crl_cache_insert} is called with that descriptor to
actually read the CRL into the cache. See below for a
description of this function. If there is any error (e.g. read
problem, CRL not correctly signed or verification of signature
@@ -74,13 +83,13 @@
this condition is not true.
* Try to load a CRL from all configured servers (ldapservers.conf)
in turn. The first server returning a CRL is used.
- * @func(crl_cache_insert) is then used to actually insert the CRL
+ * @code(crl_cache_insert) is then used to actually insert the CRL
into the cache. If this failed we give up immediatley without
checking the rest of the servers from the first step.
* Ready.
-The @func{crl_cache_insert} function takes care of reading the bulk of
+The @code{crl_cache_insert} function takes care of reading the bulk of
the CRL, parsing it and checking the signature. It works like this: A
new database file is created using a temporary file name. The CRL
parsing machinery is started and all items of the CRL are put into
@@ -88,7 +97,7 @@
needs to be retrieved. Three cases are to be distinguished:
a) An authorityKeyIdentifier with an issuer and serialno exits: The
- certificate is retrieved using @func{find_cert_bysn}. If
+ certificate is retrieved using @code{find_cert_bysn}. If
the certificate is in the certificate cache, it is directly
returned. Then the requester (i.e. the client who requested the
CRL check) is asked via the Assuan inquiry ``SENDCERT'' whether
@@ -98,14 +107,14 @@
It is in the interest of the client to return a useful certificate
as otherwise the service request will fail due to a bad signature.
The last way to get the certificate is by looking it up at
- external resources. This is done using the @func{ca_cert_fetch}
- and @func{fetch_next_ksba_cert} and comparing the returned
+ external resources. This is done using the @code{ca_cert_fetch}
+ and @code{fetch_next_ksba_cert} and comparing the returned
certificate to match the requested issuer and seriano (This is
needed because the LDAP layer may return several certificates as
LDAP as no standard way to retrieve by serial number).
b) An authorityKeyIdentifier with a key ID exists: The certificate is
- retrieved using @func{find_cert_bysubject}. If the certificate is
+ retrieved using @code{find_cert_bysubject}. If the certificate is
in the certificate cache, it is directly returned. Then the
requester is asked via the Assuan inquiry ``SENDCERT_SKI'' whether
he can provide this certificate. If this succeed the returned
@@ -114,12 +123,12 @@
It is in the interest of the client to return a useful certificate
as otherwise the service request will fail due to a bad signature.
The last way to get the certificate is by looking it up at
- external resources. This is done using the @func{ca_cert_fetch}
- and @func{fetch_next_ksba_cert} and comparing the returned
+ external resources. This is done using the @code{ca_cert_fetch}
+ and @code{fetch_next_ksba_cert} and comparing the returned
certificate to match the requested subject and key ID.
c) No authorityKeyIdentifier exits: The certificate is retrieved
- using @func{find_cert_bysubject} without the key ID argument. If
+ using @code{find_cert_bysubject} without the key ID argument. If
the certificate is in the certificate cache the first one with a
matching subject is is directly returned. Then the requester is
asked via the Assuan inquiry ``SENDCERT'' and an exact
@@ -130,21 +139,21 @@
It is in the interest of the client to return a useful certificate
as otherwise the service request will fail due to a bad signature.
The last way to get the certificate is by looking it up at
- external resources. This is done using the @func{ca_cert_fetch}
- and @func{fetch_next_ksba_cert} and comparing the returned
+ external resources. This is done using the @code{ca_cert_fetch}
+ and @code{fetch_next_ksba_cert} and comparing the returned
certificate to match the requested subject; the first certificate
with a matching subject is then returned.
If no certificate was found, the function returns with the error
GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails,
-the erro is returned. On success the @func{validate_cert_chain} is
+the erro is returned. On success the @code{validate_cert_chain} is
used to verify that the certificate is actually valid.
Here we may encounter a recursive situation:
- at func{validate_cert_chain} needs to look at other certificates and
+ at code{validate_cert_chain} needs to look at other certificates and
also at CRLs to check whether tehse other certificates and well, the
CRL issuer certificate itself are not revoked. FIXME: We need to make
-sure that @func{validate_cert_chain} does not try to lookup the CRL we
+sure that @code{validate_cert_chain} does not try to lookup the CRL we
are currently processing. This would be a catch-22 and may indicate a
broken PKI. However, due to overlapping expiring times and imprecise
clocks thsi may actually happen.
@@ -160,7 +169,7 @@
@section Validating a certificate
-We describe here how the internal function @func{validate_cert_chain}
+We describe here how the internal function @code{validate_cert_chain}
works. Note that mainly testing purposes this functionality may be
called directly using @cmd{dirmngr-client --validate @file{foo.crt}}.
@@ -198,18 +207,18 @@
authorityKeyIdentifier is available, this one is used to locate the
certificate either using issuer and serialnumber or subject DN
(i.e. the issuer's DN) and the keyID. The functions
- at func{find_cert_bysn) and @func{find_cert_bysubject} are used
+ at code{find_cert_bysn) and @code{find_cert_bysubject} are used
respectively. The have already been described above under the
-description of @func{crl_cache_insert}. If no certificate was found
+description of @code{crl_cache_insert}. If no certificate was found
or with no authorityKeyIdentifier, only the cache is consulted using
- at func{get_cert_bysubject}. The latter is is done under the assumption
+ at code{get_cert_bysubject}. The latter is is done under the assumption
that a matching certificate has explicitly been put into the
certificate cache. If the issuer's certificate could not be found,
-the validation terminates with the error code GPG_ERR_MISSING_CERT.
+the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}.
If the issuer's certificate has been found, the signature of the
actual certificate is checked and in case this fails the error
-GPG_ERR_BAD_CERT_CHAIN is returned. IF the signature checks out, the
+#code{GPG_ERR_BAD_CERT_CHAIN} is returned. If the signature checks out, the
maximum cahin length of the issueing certificate is checked as well as
the capiblity of the certificate (i.e. whether he may be used for
certificate signing). Then the certificate is prepended to our list
@@ -222,7 +231,7 @@
met. In any of these cases the validation terminates with an
appropriate error.
-Finally the function @func{check_revocations} is called to verify no
+Finally the function @code{check_revocations} is called to verify no
certificate in the assempled chain has been revoked: This is an
recursive process because a CRL has to be checked for each certificate
in the chain except for the root certificate, of which we already know
@@ -236,7 +245,7 @@
@section Looking up certificates through LDAP.
This describes the LDAP layer to retrieve certificates.
-the functions @func{ca_cert_fetch} and @func{fetch_next_ksba_cert} are
+the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are
used for this. The first one starts a search and the second one is
used to retrieve certificate after certificate.
Modified: trunk/src/ChangeLog
===================================================================
--- trunk/src/ChangeLog 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/src/ChangeLog 2006-06-27 11:04:47 UTC (rev 228)
@@ -1,3 +1,12 @@
+2006-06-27 Werner Koch <wk at g10code.com>
+
+ * dirmngr-client.c (inq_cert): Take care of SENDCERT_SKI.
+
+2006-06-26 Werner Koch <wk at g10code.com>
+
+ * crlcache.c (lock_db_file): Count open files when needed.
+ (find_entry): Fixed deleted case.
+
2006-06-23 Werner Koch <wk at g10code.com>
* misc.c (cert_log_name): New.
@@ -5,14 +14,15 @@
* certcache.c (load_certs_from_dir): Also print certificate name.
(find_cert_bysn): Release ISSDN.
- * validate.h: New VALIDATED_MODE_CERT.
+ * validate.h: New VALIDATE_MODE_CERT.
* server.c (cmd_validate): Use it here so that no policy checks
are done. Try to validated a cached copy of the target.
* validate.c (validate_cert_chain): Implement a validation cache.
(check_revocations): Print more diagnostics. Actually use the
loop variable and not the head of the list.
-
+ (validate_cert_chain): Do not check revocations of CRL issuer
+ certificates in plain CRL check mode.
* ocsp.c (ocsp_isvalid): Make sure it is reset for a status of
revoked.
Modified: trunk/src/crlcache.c
===================================================================
--- trunk/src/crlcache.c 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/src/crlcache.c 2006-06-27 11:04:47 UTC (rev 228)
@@ -153,7 +153,6 @@
struct crl_cache_s
{
crl_cache_entry_t entries;
- unsigned int cdb_open_count; /* Currently open cache files. */
};
typedef struct crl_cache_s *crl_cache_t;
@@ -951,6 +950,8 @@
{
char *fname;
int fd;
+ int open_count;
+ crl_cache_entry_t e;
if (entry->cdb)
{
@@ -958,12 +959,20 @@
return entry->cdb;
}
+ for (open_count = 0, e = cache->entries; e; e = e->next)
+ {
+ if (e->cdb)
+ open_count++;
+/* log_debug ("CACHE: cdb=%p use_count=%u lru_count=%u\n", */
+/* e->cdb,e->cdb_use_count,e->cdb_lru_count); */
+ }
+
/* If there are too many file open, find the least recent used DB
file and close it. Note that for Pth thread safeness we need to
use a loop here. */
- while (cache->cdb_open_count >= MAX_OPEN_DB_FILES )
+ while (open_count >= MAX_OPEN_DB_FILES )
{
- crl_cache_entry_t e, last_e = NULL;
+ crl_cache_entry_t last_e = NULL;
unsigned int last_lru = (unsigned int)(-1);
for (e = cache->entries; e; e = e->next)
@@ -978,14 +987,15 @@
return NULL;
}
+/* log_debug ("CACHE: closing file at cdb=%p\n", last_e->cdb); */
+
fd = cdb_fileno (last_e->cdb);
cdb_free (last_e->cdb);
xfree (last_e->cdb);
last_e->cdb = NULL;
if (close (fd))
log_error (_("error closing cache file: %s\n"), strerror(errno));
- assert (cache->cdb_open_count);
- cache->cdb_open_count--;
+ open_count--;
}
@@ -1031,7 +1041,6 @@
entry->cdb_use_count = 1;
entry->cdb_lru_count = 0;
- cache->cdb_open_count++;
return entry->cdb;
}
@@ -1074,7 +1083,7 @@
static crl_cache_entry_t
find_entry (crl_cache_entry_t first, const char *issuer_hash)
{
- while (first && !first->deleted && strcmp (issuer_hash, first->issuer_hash) )
+ while (first && (first->deleted || strcmp (issuer_hash, first->issuer_hash)))
first = first->next;
return first;
}
@@ -1660,7 +1669,7 @@
goto failure;
}
err = validate_cert_chain (ctrl, crlissuer_cert,
- NULL, VALIDATE_MODE_CRL);
+ NULL, VALIDATE_MODE_CRL_RECURSIVE);
if (err)
{
log_error (_("error checking validity of CRL "
Modified: trunk/src/dirmngr-client.c
===================================================================
--- trunk/src/dirmngr-client.c 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/src/dirmngr-client.c 2006-06-27 11:04:47 UTC (rev 228)
@@ -760,17 +760,28 @@
simply ignore it by sending back and empty value. */
ae = assuan_send_data (parm->ctx, NULL, 0);
}
+ else if (!strncmp (line, "SENDCERT_SKI", 12)
+ && (line[12]==' ' || !line[12]))
+ {
+ /* We don't support this but dirmngr might ask for it. So
+ simply ignore it by sending back an empty value. */
+ ae = assuan_send_data (parm->ctx, NULL, 0);
+ }
else if (!strncmp (line, "SENDISSUERCERT", 14)
&& (line[14] == ' ' || !line[14]))
{
/* We don't support this but dirmngr might ask for it. So
- simply ignore it by sending back and empty value. */
+ simply ignore it by sending back an empty value. */
ae = assuan_send_data (parm->ctx, NULL, 0);
}
else
{
log_info (_("unsupported inquiry `%s'\n"), line);
ae = ASSUAN_Inquire_Unknown;
+ /* Note that this error will let assuan_transact terminate
+ immediately instead of return the error to the caller. It is
+ not clear whether this is the desired behaviour - it may
+ change in future. */
}
return ae;
Modified: trunk/src/ldap.c
===================================================================
--- trunk/src/ldap.c 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/src/ldap.c 2006-06-27 11:04:47 UTC (rev 228)
@@ -841,7 +841,7 @@
NULL, NULL, NULL, url,
reader);
- /* FIXME: This option might be used for DoS attacks. Becuase it
+ /* FIXME: This option might be used for DoS attacks. Because it
will enlarge the list of servers to consult without a limit and
all LDAP queries w/o a host are will then try each host in
turn. */
Modified: trunk/src/validate.c
===================================================================
--- trunk/src/validate.c 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/src/validate.c 2006-06-27 11:04:47 UTC (rev 228)
@@ -626,7 +626,7 @@
cert_log_name (" certificate", citem->cert);
}
- if (!err)
+ if (!err && mode != VALIDATE_MODE_CRL)
{ /* Now that everything is fine, walk the chain and check each
certificate for revocations.
Modified: trunk/src/validate.h
===================================================================
--- trunk/src/validate.h 2006-06-23 18:56:26 UTC (rev 227)
+++ trunk/src/validate.h 2006-06-27 11:04:47 UTC (rev 228)
@@ -23,9 +23,14 @@
enum {
+ /* Simple certificate validation mode. */
VALIDATE_MODE_CERT = 0,
+ /* Standard CRL issuer certificate validation; i.e. CRLs are not
+ considered for CRL issuer certificates. */
VALIDATE_MODE_CRL = 1,
+ /* Full CRL validation. */
VALIDATE_MODE_CRL_RECURSIVE = 2,
+ /* Validation as used for OCSP. */
VALIDATE_MODE_OCSP = 3
};
More information about the Gnupg-commits
mailing list