[svn] dirmngr - r274 - in trunk: . doc src
svn author wk
cvs at cvs.gnupg.org
Wed Nov 14 20:07:53 CET 2007
Author: wk
Date: 2007-11-14 20:07:43 +0100 (Wed, 14 Nov 2007)
New Revision: 274
Modified:
trunk/NEWS
trunk/TODO
trunk/doc/dirmngr.texi
trunk/src/ChangeLog
trunk/src/crlcache.c
trunk/src/crlfetch.c
trunk/src/crlfetch.h
trunk/src/dirmngr-client.c
trunk/src/server.c
Log:
Add --url option
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/NEWS 2007-11-14 19:07:43 UTC (rev 274)
@@ -1,7 +1,9 @@
Noteworthy changes in version 1.0.2
------------------------------------------------
+ * New option --url for the LOOKUP command and dirmngr-client.
+
Noteworthy changes in version 1.0.1 (2007-08-16)
------------------------------------------------
Modified: trunk/TODO
===================================================================
--- trunk/TODO 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/TODO 2007-11-14 19:07:43 UTC (rev 274)
@@ -25,3 +25,7 @@
* Test OCSP responder redirection.
We need to figure out an OCSP responder actually using redirection.
+* Restrict validtroot certificates
+ For some purposes (e.g. Poldi) it might make sense to allow the
+ caller to restrict what root certificates are to be used for the
+ chain validation.
Modified: trunk/doc/dirmngr.texi
===================================================================
--- trunk/doc/dirmngr.texi 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/doc/dirmngr.texi 2007-11-14 19:07:43 UTC (rev 274)
@@ -679,7 +679,16 @@
To indicate that the output was truncated to N items due to a
limitation of the server or by an arbitrary set limit.
+The option @option{--url} may be used if instaead of a search pattern a
+completeURL to the certificate is known:
+ at example
+ C: LOOKUP --url CN%3DWerner%20Koch,o%3DIntevation%20GmbH,c%3DDE?userCertificate
+ at end example
+
+
+
+
@node Dirmngr ISVALID
@section Validate a certificate using a CRL or OCSP
@@ -979,6 +988,10 @@
may be used to retrieve certificates from a server. However the output
format is not very well suited if more than one certificate is returned.
+ at item --url
+ at opindex url
+Modify the @command{lookup} command to take an URL and not a pattern.
+
@item --squid-mode
@opindex squid-mode
Run @sc{dirmngr-client} in a mode suitable as a helper program for
Modified: trunk/src/ChangeLog
===================================================================
--- trunk/src/ChangeLog 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/src/ChangeLog 2007-11-14 19:07:43 UTC (rev 274)
@@ -1,3 +1,39 @@
+2007-11-14 Werner Koch <wk at g10code.com>
+
+ * dirmngr-client.c: Replace --lookup-url by --url.
+ (main): Remove extra code for --lookup-url.
+ (do_lookup): Remove LOOKUP_URL arg and use the
+ global option OPT.URL.
+
+ * server.c (has_leading_option): New.
+ (cmd_lookup): Use it.
+
+ * crlfetch.c (fetch_cert_by_url): Use GPG_ERR_INV_CERT_OBJ.
+ (fetch_cert_by_url): Use gpg_error_from_syserror.
+
+2007-11-14 Moritz <moritz at gnu.org> (wk)
+
+ * dirmngr-client.c: New command: --lookup-url <URL>.
+ (do_lookup): New parameter: lookup_url. If TRUE, include "--url"
+ switch in LOOKUP transaction.
+ (enum): New entry: oLookupUrl.
+ (opts): Likewise.
+ (main): Handle oLookupUrl. New variable: cmd_lookup_url, set
+ during option parsing, pass to do_lookup() and substitute some
+ occurences of "cmd_lookup" with "cmd_lookup OR cmd_lookup_url".
+ * crlfetch.c (fetch_cert_by_url): New function, uses
+ url_fetch_ldap() to create a reader object and libksba functions
+ to read a single cert from that reader.
+ * server.c (lookup_cert_by_url, lookup_cert_by_pattern): New
+ functions.
+ (cmd_lookup): Moved almost complete code ...
+ (lookup_cert_by_pattern): ... here.
+ (cmd_lookup): Support new optional argument: --url. Depending on
+ the presence of that switch, call lookup_cert_by_url() or
+ lookup_cert_by_pattern().
+ (lookup_cert_by_url): Heavily stripped down version of
+ lookup_cert_by_pattern(), using fetch_cert_by_url.
+
2007-10-24 Marcus Brinkmann <marcus at g10code.de>
* exechelp.c (dirmngr_spawn_process): Fix child handles.
Modified: trunk/src/crlcache.c
===================================================================
--- trunk/src/crlcache.c 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/src/crlcache.c 2007-11-14 19:07:43 UTC (rev 274)
@@ -123,6 +123,7 @@
static const char oidstr_crlNumber[] = "2.5.29.20";
+static const char oidstr_issuingDistributionPoint[] = "2.5.29.28";
static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35";
Modified: trunk/src/crlfetch.c
===================================================================
--- trunk/src/crlfetch.c 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/src/crlfetch.c 2007-11-14 19:07:43 UTC (rev 274)
@@ -1,6 +1,6 @@
/* crlfetch.c - LDAP access
* Copyright (C) 2002 Klarälvdalens Datakonsult AB
- * Copyright (C) 2003, 2004, 2005, 2006 g10 Code GmbH
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007 g10 Code GmbH
*
* This file is part of DirMngr.
*
@@ -13,11 +13,9 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
@@ -273,6 +271,7 @@
return start_cert_fetch_ldap (ctrl, context, patterns, server);
}
+
gpg_error_t
fetch_next_cert (cert_fetch_context_t context,
unsigned char **value, size_t * valuelen)
@@ -325,6 +324,60 @@
}
+/* Lookup a cert by it's URL. */
+gpg_error_t
+fetch_cert_by_url (ctrl_t ctrl, const char *url,
+ unsigned char **value, size_t *valuelen)
+{
+ const unsigned char *cert_image;
+ size_t cert_image_n;
+ ksba_reader_t reader;
+ ksba_cert_t cert;
+ gpg_error_t err;
+
+ *value = NULL;
+ *valuelen = 0;
+ cert_image = NULL;
+ reader = NULL;
+ cert = NULL;
+
+ err = url_fetch_ldap (ctrl, url, NULL, 0, &reader);
+ if (err)
+ goto leave;
+
+ err = ksba_cert_new (&cert);
+ if (err)
+ goto leave;
+
+ err = ksba_cert_read_der (cert, reader);
+ if (err)
+ goto leave;
+
+ cert_image = ksba_cert_get_image (cert, &cert_image_n);
+ if (!cert_image || !cert_image_n)
+ {
+ err = gpg_error (GPG_ERR_INV_CERT_OBJ);
+ goto leave;
+ }
+
+ *value = xtrymalloc (cert_image_n);
+ if (!*value)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+
+ memcpy (*value, cert_image, cert_image_n);
+ *valuelen = cert_image_n;
+
+ leave:
+
+ ksba_cert_release (cert);
+ ldap_wrapper_release_context (reader);
+
+ return err;
+}
+
/* This function is to be used to close the reader object. In
addition to running ksba_reader_release it also releases the LDAP
or HTTP contexts associated with that reader. */
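Review bot: The leave label in fetch_cert_by_url releases the LDAP side with `ldap_wrapper_release_context (reader)` but never calls ksba_reader_release on the reader that url_fetch_ldap created, so the ksba reader object appears to leak on every --url lookup; crl_close_reader, whose comment directly below this hunk says it runs ksba_reader_release and releases the LDAP or HTTP context, looks like the intended call: `crl_close_reader (reader);` (guarded by `if (reader)` unless it already tolerates NULL). Neither url_fetch_ldap nor ldap_wrapper_release_context is visible here, so confirm that the latter does not already cover the ksba release before changing it. The comment `/* Lookup a cert by it's URL. */` should read "its" and, for the definition as for the prototype in crlfetch.h, state the buffer ownership contract.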
Modified: trunk/src/crlfetch.h
===================================================================
--- trunk/src/crlfetch.h 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/src/crlfetch.h 2007-11-14 19:07:43 UTC (rev 274)
@@ -14,8 +14,7 @@
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#ifndef CRLFETCH_H
@@ -54,6 +53,10 @@
ksba_cert_t *r_cert);
void end_cert_fetch (cert_fetch_context_t context);
+/* Lookup a cert by it's URL. */
+gpg_error_t fetch_cert_by_url (ctrl_t ctrl, const char *url,
+ unsigned char **value, size_t *valuelen);
+
/* Close a reader object. */
void crl_close_reader (ksba_reader_t reader);
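Review bot: The comment on the new fetch_cert_by_url prototype gives no ownership contract for the out-parameters, which is what a caller of a header-declared function needs most; from the definition in crlfetch.c, *VALUE is allocated with xtrymalloc on success and left NULL with *VALUELEN 0 on every error path. A comment such as `/* Fetch the certificate at URL into a newly allocated buffer returned at *VALUE (length in *VALUELEN); the caller must release it with xfree.  On error *VALUE is NULL and *VALUELEN is 0. */` documents that, and fixes "it's" to "its". The same text fits the definition in crlfetch.c.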
Modified: trunk/src/dirmngr-client.c
===================================================================
--- trunk/src/dirmngr-client.c 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/src/dirmngr-client.c 2007-11-14 19:07:43 UTC (rev 274)
@@ -15,9 +15,7 @@
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA.
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
@@ -56,6 +54,7 @@
oCacheCert,
oValidate,
oLookup,
+ oUrl,
oLoadCRL,
oSquidMode,
oPEM,
@@ -73,6 +72,7 @@
{ oCacheCert,"cache-cert",0, N_("add a certificate to the cache")},
{ oValidate, "validate", 0, N_("validate a certificate")},
{ oLookup, "lookup", 0, N_("lookup a certificate")},
+ { oUrl, "url", 0, N_("expect an URL for --lookup")},
{ oLoadCRL, "load-crl", 0, N_("load a CRL into the dirmngr")},
{ oSquidMode,"squid-mode",0, N_("special mode for use by Squid")},
{ oPEM, "pem", 0, N_("certificates are expected in PEM format")},
@@ -92,9 +92,9 @@
int force_default_responder;
int pem;
int escaped_pem; /* PEM is additional percent encoded. */
-
+ int url; /* Expect an URL. */
+
int use_ocsp;
-
} opt;
@@ -231,6 +231,7 @@
case oCacheCert: cmd_cache_cert = 1; break;
case oValidate: cmd_validate = 1; break;
case oLookup: cmd_lookup = 1; break;
+ case oUrl: opt.url = 1; break;
case oLoadCRL: cmd_loadcrl = 1; break;
case oPEM: opt.pem = 1; break;
case oSquidMode:
@@ -370,7 +371,7 @@
log_info (_("a dirmngr daemon is up and running\n"));
return 0;
}
- else if (cmd_lookup||cmd_loadcrl||cmd_squid_mode)
+ else if (cmd_lookup|| cmd_loadcrl || cmd_squid_mode)
return err? 1:0;
else if (cmd_cache_cert)
{
@@ -939,9 +940,11 @@
if (err)
return err;
- line = xmalloc (10 + strlen (pattern)*3 + 1);
+ line = xmalloc (10 + 6 + strlen (pattern)*3 + 1);
p = stpcpy (line, "LOOKUP ");
+ if (opt.url)
+ p = stpcpy (p, "--url ");
for (s=pattern; *s; s++)
{
if (*s < ' ' || *s == '+')
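Review bot: With opt.url set, the escaping loop beginning at `for (s=pattern; *s; s++)` still runs over the URL, so any '+' or control byte in it is percent-encoded on the wire, while the LOOKUP description added to server.c in this same commit says URLs need no special escaping and lookup_cert_by_url shows no decoding before fetch_cert_by_url; confirm that url_fetch_ldap decodes such escapes, or skip the loop when opt.url is set. The size expression `10 + 6 + strlen (pattern)*3 + 1` is large enough but opaque; `strlen ("LOOKUP ") + strlen ("--url ") + strlen (pattern)*3 + 1` says what each term pays for. do_lookup continues past the end of the hunk.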
Modified: trunk/src/server.c
===================================================================
--- trunk/src/server.c 2007-10-24 21:01:17 UTC (rev 273)
+++ trunk/src/server.c 2007-11-14 19:07:43 UTC (rev 274)
@@ -1,6 +1,6 @@
/* dirmngr.c - LDAP access
* Copyright (C) 2002 Klarälvdalens Datakonsult AB
- * Copyright (C) 2003, 2004, 2005 g10 Code GmbH
+ * Copyright (C) 2003, 2004, 2005, 2007 g10 Code GmbH
*
* This file is part of DirMngr.
*
@@ -15,8 +15,7 @@
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
@@ -96,7 +95,32 @@
return (s && (s == line || spacep (s-1)) && (!s[n] || spacep (s+n)));
}
+/* Same as has_option but only considers options at the begin of the
+ line. This is useful for commands which allow arbitrary strings on
+ the line. */
+static int
+has_leading_option (const char *line, const char *name)
+{
+ const char *s;
+ int n;
+ if (name[0] != '-' || name[1] != '-' || !name[2] || spacep (name+2))
+ return 0;
+ n = strlen (name);
+ while ( *line == '-' && line[1] == '-' )
+ {
+ s = line;
+ while (*line && !spacep (line))
+ line++;
+ if (n == (line - s) && !strncmp (s, name, n))
+ return 1;
+ while (spacep (line))
+ line++;
+ }
+ return 0;
+}
+
+
/* Same as has_option but does only test for the name of the option
and ignores an argument, i.e. with NAME being "--hash" it would
return a pointer for "--hash" as well as for "--hash=foo". If
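Review bot: The comment on has_leading_option does not state what its loop actually implements: scanning stops at the first token that does not begin with `--`, and NAME must equal a whole token, so `--url=foo` does not count as `--url` (unlike the name-only variant documented directly below). Adding `Matching stops at the first token not starting with "--"; NAME must match a whole token, so "--foo=bar" is not "--foo".` to the comment keeps callers from relying on the `=value` form. The length is also held in an `int n` from strlen and compared with the `ptrdiff_t` `line - s`; `size_t n = strlen (name);` together with `(size_t)(line - s) == n` keeps the comparison within one type.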
@@ -670,18 +694,41 @@
return err;
}
+static int
+lookup_cert_by_url (assuan_context_t ctx, const char *url)
+{
+ ctrl_t ctrl = assuan_get_pointer (ctx);
+ gpg_error_t err = 0;
+ unsigned char *value = NULL;
+ size_t valuelen;
+ /* Fetch single certificate given it's URL. */
+ err = fetch_cert_by_url (ctrl, url, &value, &valuelen);
+ if (err)
+ {
+ log_error (_("fetch_cert_by_url failed: %s\n"), gpg_strerror (err));
+ goto leave;
+ }
-/* LOOKUP <pattern>
+ /* Send the data, flush the buffer and then send an END. */
+ err = assuan_send_data (ctx, value, valuelen);
+ if (!err)
+ err = assuan_send_data (ctx, NULL, 0);
+ if (!err)
+ err = assuan_write_line (ctx, "END");
+ if (err)
+ {
+ log_error (_("error sending data: %s\n"), gpg_strerror (err));
+ goto leave;
+ }
- Lookup certificates matching PATTERN. To allow for multiple
- patterns (which are ORed) quoting is required: Spaces are to be
- translated into "+" or into "%20"; obviously this requires that the
- usual escape quoting rules are applied.
-*/
+ leave:
+ return err;
+}
+
static int
-cmd_lookup (assuan_context_t ctx, char *line)
+lookup_cert_by_pattern (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
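Review bot: lookup_cert_by_url never frees the certificate image that fetch_cert_by_url returns in `value` (allocated with xtrymalloc in crlfetch.c in this same commit), so every successful --url lookup, and every one that fails while sending, leaks one certificate-sized buffer in the long-running daemon. Releasing it at the label covers both paths: `leave:` followed by `xfree (value);` before `return err;` — value is initialised to NULL and fetch_cert_by_url leaves it NULL on its own error paths, so the unconditional free is safe provided xfree, like free, accepts NULL. The comment `/* Fetch single certificate given it's URL. */` should read "its". lookup_cert_by_pattern's body continues beyond the end of the hunk.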
@@ -820,9 +867,41 @@
err = gpg_error (GPG_ERR_NO_DATA);
leave:
+ free_strlist (list);
+ return err;
+}
+
+
+/* LOOKUP [--url] <pattern>
+
+ Lookup certificates matching PATTERN.
+
+ If --url is not given: To allow for multiple
+ patterns (which are ORed) quoting is required: Spaces are to be
+ translated into "+" or into "%20"; obviously this requires that the
+ usual escape quoting rules are applied.
+
+ If --url is given no special escaping is required because URLs are
+ already escaped this way.
+*/
+
+static int
+cmd_lookup (assuan_context_t ctx, char *line)
+{
+ gpg_error_t err;
+ int lookup_url;
+
+ lookup_url = has_leading_option (line, "--url");
+ line = skip_options (line);
+
+ if (lookup_url)
+ err = lookup_cert_by_url (ctx, line);
+ else
+ err = lookup_cert_by_pattern (ctx, line);
+
if (err)
log_error (_("command %s failed: %s\n"), "LOOKUP", gpg_strerror (err));
- free_strlist (list);
+
return err;
}
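Review bot: In the --url branch of cmd_lookup, `line` after skip_options may be empty and is passed straight to lookup_cert_by_url and on to the LDAP fetcher; rejecting it first with `if (lookup_url && !*line) err = gpg_error (GPG_ERR_INV_ARG);` and making the existing `if (lookup_url)` an `else if` gives the client a precise error instead of whatever the fetch returns for an empty URL. The blank line between the closing `*/` of the command description and `static int` detaches the documentation from cmd_lookup; dropping it keeps the two together.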