[svn] GnuPG - r4692 - in trunk: . common doc g10 sm
svn author wk
cvs at cvs.gnupg.org
Wed Feb 13 17:47:20 CET 2008
Author: wk
Date: 2008-02-13 17:47:14 +0100 (Wed, 13 Feb 2008)
New Revision: 4692
Modified:
trunk/NEWS
trunk/common/ChangeLog
trunk/common/audit.c
trunk/doc/gpg-agent.texi
trunk/doc/gpgsm.texi
trunk/g10/ChangeLog
trunk/g10/server.c
trunk/sm/ChangeLog
trunk/sm/call-agent.c
trunk/sm/call-dirmngr.c
trunk/sm/certchain.c
trunk/sm/certlist.c
trunk/sm/gpgsm.h
trunk/sm/import.c
trunk/sm/keylist.c
trunk/sm/server.c
trunk/sm/sign.c
Log:
Always search missing certificates using a running Dirmngr's cache.
[The diff below has been truncated]
Modified: trunk/common/ChangeLog
===================================================================
--- trunk/common/ChangeLog 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/common/ChangeLog 2008-02-13 16:47:14 UTC (rev 4692)
@@ -1,3 +1,8 @@
+2008-01-31 Werner Koch <wk at g10code.com>
+
+ * audit.c (audit_print_result): Make sure that the output is
+ always UTF8.
+
2008-01-27 Werner Koch <wk at g10code.com>
* exechelp.c (gnupg_spawn_process): Add arg FLAGS and changed all
Modified: trunk/g10/ChangeLog
===================================================================
--- trunk/g10/ChangeLog 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/g10/ChangeLog 2008-02-13 16:47:14 UTC (rev 4692)
@@ -1,3 +1,8 @@
+2008-02-11 Werner Koch <wk at g10code.com>
+
+ * server.c (cmd_getinfo): New.
+ (register_commands): Register GETINFO.
+
2008-02-09 Marcus Brinkmann <marcus at g10code.de>
* gpg.c (main): New variable default_configname. Use it if
Modified: trunk/sm/ChangeLog
===================================================================
--- trunk/sm/ChangeLog 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/sm/ChangeLog 2008-02-13 16:47:14 UTC (rev 4692)
@@ -1,3 +1,20 @@
+2008-02-13 Werner Koch <wk at g10code.com>
+
+ * call-dirmngr.c (gpgsm_dirmngr_lookup): Add arg CACHE_ONLY.
+ * keylist.c (list_external_keys): Pass false for new arg.
+ * certchain.c (find_up_dirmngr): New.
+ (find_up): Also try to read from the dirmngr cache.
+ (find_up, find_up_external, gpgsm_walk_cert_chain)
+ (gpgsm_basic_cert_check, allowed_ca): Add arg CTRL and changed all
+ callers.
+ * call-agent.c (struct learn_parm_s): Add field CTRL.
+ (gpgsm_agent_learn): Set it.
+
+2008-02-11 Werner Koch <wk at g10code.com>
+
+ * server.c (cmd_getinfo): New.
+ (gpgsm_server): Register GETINFO.
+
2008-01-29 Marcus Brinkmann <marcus at g10code.de>
* keylist.c (list_internal_keys): New variable lastcert. Use it
@@ -35,7 +52,7 @@
2007-12-03 Werner Koch <wk at g10code.com>
- * gpgsm.c (main): All gnupg_reopen_std.
+ * gpgsm.c (main): Call gnupg_reopen_std.
h2007-11-22 Werner Koch <wk at g10code.com>
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/NEWS 2008-02-13 16:47:14 UTC (rev 4692)
@@ -1,7 +1,10 @@
Noteworthy changes in version 2.0.9 (unreleased)
------------------------------------------------
+ * Gpgsm always tries to locate missing certificates from a running
+ Dirmngr's cache.
+
Noteworthy changes in version 2.0.8 (2007-12-20)
------------------------------------------------
Modified: trunk/common/audit.c
===================================================================
--- trunk/common/audit.c 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/common/audit.c 2008-02-13 16:47:14 UTC (rev 4692)
@@ -938,10 +938,13 @@
helptag_t helptag;
const char *s;
int show_raw = 0;
+ char *orig_codeset;
if (!ctx)
return;
+ orig_codeset = i18n_switchto_utf8 ();
+
/* We use an environment variable to include some debug info in the
log. */
if ((s = getenv ("gnupg_debug_audit")))
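Review bot: The UTF-8 switch added here is only undone by the `i18n_switchback (orig_codeset);` appended at the very end of audit_print_result in the next hunk (`@@ -1090,5 +1093,6 @@`), so any `return` between the two hunks would leave the process in the switched codeset for all later output; the body of the function lies outside this view, so that needs confirming. Placing the call after the `if (!ctx) return;` guard is right, since nothing has been switched yet on that path. If there are other exits, routing them through a single leave label that performs the switchback would keep the pair balanced. A comment at the switch would also make the pairing explicit, e.g. `/* Switched back at the end of this function; keep every exit path after here going through that call. */`.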
@@ -1090,5 +1093,6 @@
ctx->outstream = NULL;
ctx->use_html = 0;
clear_helptags (ctx);
+ i18n_switchback (orig_codeset);
}
Modified: trunk/doc/gpg-agent.texi
===================================================================
--- trunk/doc/gpg-agent.texi 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/doc/gpg-agent.texi 2008-02-13 16:47:14 UTC (rev 4692)
@@ -1182,6 +1182,8 @@
@table @code
@item version
Return the version of the program.
+ at item pid
+Return the process id of the process.
@item socket_name
Return the name of the socket used to connect the agent.
@item ssh_socket_name
Modified: trunk/doc/gpgsm.texi
===================================================================
--- trunk/doc/gpgsm.texi 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/doc/gpgsm.texi 2008-02-13 16:47:14 UTC (rev 4692)
@@ -928,6 +928,7 @@
* GPGSM EXPORT:: Export certificates.
* GPGSM IMPORT:: Import certificates.
* GPGSM DELETE:: Delete certificates.
+* GPGSM GETINFO:: Information about the process
@end menu
@@ -1197,7 +1198,7 @@
@node GPGSM DELETE
@subsection Delete certificates
-To delete certificate the command
+To delete a certificate the command
@example
DELKEYS @var{pattern}
@@ -1210,7 +1211,23 @@
The certificates must be specified unambiguously otherwise an error is
returned.
+ at node GPGSM GETINFO
+ at subsection Return information about the process
+This is a multipurpose function to return a variety of information.
+
+ at example
+GETINFO @var{what}
+ at end example
+
+The value of @var{what} specifies the kind of information returned:
+ at table @code
+ at item version
+Return the version of the program.
+ at item pid
+Return the process id of the process.
+ at end table
+
@mansect see also
@ifset isman
@command{gpg2}(1),
Modified: trunk/g10/server.c
===================================================================
--- trunk/g10/server.c 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/g10/server.c 2008-02-13 16:47:14 UTC (rev 4692)
@@ -1,5 +1,5 @@
/* server.c - server mode for gpg
- * Copyright (C) 2006 Free Software Foundation, Inc.
+ * Copyright (C) 2006, 2008 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -386,9 +386,38 @@
}
+/* GETINFO <what>
+ Multipurpose function to return a variety of information.
+ Supported values for WHAT are:
+ version - Return the version of the program.
+ pid - Return the process id of the server.
+ */
+static int
+cmd_getinfo (assuan_context_t ctx, char *line)
+{
+ int rc;
+
+ if (!strcmp (line, "version"))
+ {
+ const char *s = VERSION;
+ rc = assuan_send_data (ctx, s, strlen (s));
+ }
+ else if (!strcmp (line, "pid"))
+ {
+ char numbuf[50];
+
+ snprintf (numbuf, sizeof numbuf, "%lu", (unsigned long)getpid ());
+ rc = assuan_send_data (ctx, numbuf, strlen (numbuf));
+ }
+ else
+ rc = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
+ return rc;
+}
+
+
/* Helper to register our commands with libassuan. */
static int
@@ -414,6 +443,7 @@
{ "LISTSECRETKEYS",cmd_listsecretkeys },
{ "GENKEY", cmd_genkey },
{ "DELKEYS", cmd_delkeys },
+ { "GETINFO", cmd_getinfo },
{ NULL }
};
int i, rc;
Modified: trunk/sm/call-agent.c
===================================================================
--- trunk/sm/call-agent.c 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/sm/call-agent.c 2008-02-13 16:47:14 UTC (rev 4692)
@@ -59,6 +59,7 @@
struct learn_parm_s
{
int error;
+ ctrl_t ctrl;
assuan_context_t ctx;
membuf_t *data;
};
@@ -638,7 +639,7 @@
return 0;
}
- rc = gpgsm_basic_cert_check (cert);
+ rc = gpgsm_basic_cert_check (parm->ctrl, cert);
if (gpg_err_code (rc) == GPG_ERR_MISSING_CERT)
{ /* For later use we store it in the ephemeral database. */
log_info ("issuer certificate missing - storing as ephemeral\n");
@@ -679,6 +680,7 @@
init_membuf (&data, 4096);
learn_parm.error = 0;
+ learn_parm.ctrl = ctrl;
learn_parm.ctx = agent_ctx;
learn_parm.data = &data;
rc = assuan_transact (agent_ctx, "LEARN --send",
Modified: trunk/sm/call-dirmngr.c
===================================================================
--- trunk/sm/call-dirmngr.c 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/sm/call-dirmngr.c 2008-02-13 16:47:14 UTC (rev 4692)
@@ -1,5 +1,5 @@
/* call-dirmngr.c - communication with the dromngr
- * Copyright (C) 2002, 2003, 2005, 2007 Free Software Foundation, Inc.
+ * Copyright (C) 2002, 2003, 2005, 2007, 2008 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -704,9 +704,10 @@
/* Run the Directroy Managers lookup command using the pattern
compiled from the strings given in NAMES. The caller must provide
the callback CB which will be passed cert by cert. Note that CTRL
- is optional. */
+ is optional. With CACHE_ONLY the dirmngr will search only its own
+ key cache. */
int
-gpgsm_dirmngr_lookup (ctrl_t ctrl, strlist_t names,
+gpgsm_dirmngr_lookup (ctrl_t ctrl, strlist_t names, int cache_only,
void (*cb)(void*, ksba_cert_t), void *cb_value)
{
int rc;
@@ -722,7 +723,8 @@
pattern = pattern_from_strlist (names);
if (!pattern)
return out_of_core ();
- snprintf (line, DIM(line)-1, "LOOKUP %s", pattern);
+ snprintf (line, DIM(line)-1, "LOOKUP%s %s",
+ cache_only? " --cache-only":"", pattern);
line[DIM(line)-1] = 0;
xfree (pattern);
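Review bot: The LOOKUP command line is still formatted without a truncation check: `snprintf` into `line` with `DIM(line)-1` silently cuts a long pattern, and the new ` --cache-only` text now takes 13 more bytes of that room, so an over-long issuer pattern would be sent to the Dirmngr as a different, shorter search rather than rejected. Keep the length, `rc = snprintf (line, DIM(line)-1, "LOOKUP%s %s", cache_only? " --cache-only":"", pattern);`, and fail before the `xfree (pattern)` on the success path with `if (rc < 0 || rc >= DIM(line)-1) { xfree (pattern); return gpg_error (GPG_ERR_TOO_LARGE); }`. The rest of gpgsm_dirmngr_lookup continues past the hunk.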
Modified: trunk/sm/certchain.c
===================================================================
--- trunk/sm/certchain.c 2008-02-09 00:49:36 UTC (rev 4691)
+++ trunk/sm/certchain.c 2008-02-13 16:47:14 UTC (rev 4692)
@@ -60,7 +60,7 @@
typedef struct chain_item_s *chain_item_t;
-static int get_regtp_ca_info (ksba_cert_t cert, int *chainlen);
+static int get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen);
/* This function returns true if we already asked during this session
@@ -259,7 +259,8 @@
BasicConstraints extension. The function returns 0 on success and
the awlloed length of the chain at CHAINLEN. */
static int
-allowed_ca (ksba_cert_t cert, int *chainlen, int listmode, estream_t fp)
+allowed_ca (ctrl_t ctrl,
+ ksba_cert_t cert, int *chainlen, int listmode, estream_t fp)
{
gpg_error_t err;
int flag;
@@ -269,7 +270,7 @@
return err;
if (!flag)
{
- if (get_regtp_ca_info (cert, chainlen))
+ if (get_regtp_ca_info (ctrl, cert, chainlen))
{
/* Note that dirmngr takes a different way to cope with such
certs. */
@@ -417,7 +418,7 @@
/* Helper function for find_up. This resets the key handle and search
for an issuer ISSUER with a subjectKeyIdentifier of KEYID. Returns
- 0 obn success or -1 when not found. */
+ 0 on success or -1 when not found. */
static int
find_up_search_by_keyid (KEYDB_HANDLE kh,
const char *issuer, ksba_sexp_t keyid)
@@ -464,9 +465,10 @@
external lookup. KH is the keydb context we are currently using.
On success 0 is returned and the certificate may be retrieved from
the keydb using keydb_get_cert(). KEYID is the keyIdentifier from
- the AKI or NULL. */
+ the AKI or NULL. */
static int
-find_up_external (KEYDB_HANDLE kh, const char *issuer, ksba_sexp_t keyid)
+find_up_external (ctrl_t ctrl, KEYDB_HANDLE kh,
+ const char *issuer, ksba_sexp_t keyid)
{
int rc;
strlist_t names = NULL;
@@ -476,14 +478,13 @@
if (opt.verbose)
log_info (_("looking up issuer at external location\n"));
- /* The DIRMNGR process is confused about unknown attributes. As a
+ /* The Dirmngr process is confused about unknown attributes. As a
quick and ugly hack we locate the CN and use the issuer string
starting at this attribite. Fixme: we should have far better
- parsing in the dirmngr. */
+ parsing for external lookups in the Dirmngr. */
s = strstr (issuer, "CN=");
if (!s || s == issuer || s[-1] != ',')
s = issuer;
-
pattern = xtrymalloc (strlen (s)+2);
if (!pattern)
return gpg_error_from_syserror ();
@@ -491,7 +492,7 @@
add_to_strlist (&names, pattern);
xfree (pattern);
- rc = gpgsm_dirmngr_lookup (NULL, names, find_up_store_certs_cb, &count);
+ rc = gpgsm_dirmngr_lookup (ctrl, names, 0, find_up_store_certs_cb, &count);
free_strlist (names);
if (opt.verbose)
@@ -522,6 +523,54 @@
}
+/* Helper for find_up(). Ask the dirmngr for the certificate for
+ ISSUER with optional SERIALNO. KH is the keydb context we are
+ currently using. With SUBJECT_MODE set, ISSUER is searched as the
+ subject. On success 0 is returned and the certificate is available
+ in the ephemeral DB. */
+static int
+find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh,
+ ksba_sexp_t serialno, const char *issuer, int subject_mode)
+{
+ int rc;
+ strlist_t names = NULL;
+ int count = 0;
+ char *pattern;
+
+ if (opt.verbose)
+ log_info (_("looking up issuer from the Dirmngr cache\n"));
+ if (subject_mode)
+ {
+ pattern = xtrymalloc (strlen (issuer)+2);
+ if (pattern)
+ strcpy (stpcpy (pattern, "/"), issuer);
+ }
+ else if (serialno)
+ pattern = gpgsm_format_sn_issuer (serialno, issuer);
+ else
+ {
+ pattern = xtrymalloc (strlen (issuer)+3);
+ if (pattern)
+ strcpy (stpcpy (pattern, "#/"), issuer);
+ }
+ if (!pattern)
+ return gpg_error_from_syserror ();
+ add_to_strlist (&names, pattern);
+ xfree (pattern);
+
+ rc = gpgsm_dirmngr_lookup (ctrl, names, 1, find_up_store_certs_cb, &count);
+ free_strlist (names);
+
+ if (opt.verbose)
+ log_info (_("number of matching certificates: %d\n"), count);
+ if (rc)
+ log_info (_("dirmngr cache-only key lookup failed: %s\n"),
+ gpg_strerror (rc));
+ return (!rc && count)? 0 : -1;
+}
+
+
+
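Review bot: `kh` is accepted by find_up_dirmngr and described in its header comment as "the keydb context we are currently using", but the body never references it — the certificates arrive through find_up_store_certs_cb and the callers search the ephemeral DB themselves afterwards. Either drop the parameter or state in the comment that it is unused and kept for symmetry with find_up_external. The header comment also omits the failure value that the callers rely on; suggest `On success 0 is returned and the certificate is available in the ephemeral DB; -1 is returned if no matching certificate was found or the lookup failed.`. Unlike the two verbose messages, the `dirmngr cache-only key lookup failed` log_info is unconditional, and since the NEWS entry says this lookup now always runs, every missing issuer without a reachable Dirmngr will emit it — probably intended as a diagnostic, but worth confirming, or gating it on `opt.verbose` as well.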
/* Locate issuing certificate for CERT. ISSUER is the name of the
issuer used as a fallback if the other methods don't work. If
FIND_NEXT is true, the function shall return the next possible
@@ -529,7 +578,8 @@
keydb_get_cert on the keyDb context KH will return it. Returns 0
on success, -1 if not found or an error code. */
static int
-find_up (KEYDB_HANDLE kh, ksba_cert_t cert, const char *issuer, int find_next)
+find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
+ ksba_cert_t cert, const char *issuer, int find_next)
{
ksba_name_t authid;
ksba_sexp_t authidno;
@@ -545,6 +595,14 @@
if (rc)
keydb_search_reset (kh);
+ /* In case of an error, try to get the certifcate from the
+ dirmngr. That is done by trying to put that certifcate
+ into the ephemeral DB and let the code below do the
+ actual retrieve. Thus there is no error checking.
+ Skipped in find_next mode as usual. */
+ if (rc == -1 && !find_next)
+ find_up_dirmngr (ctrl, kh, authidno, s, 0);
+
/* In case of an error try the ephemeral DB. We can't do
that in find_next mode because we can't keep the search
state then. */
@@ -559,7 +617,8 @@
}
keydb_set_ephemeral (kh, old);
}
-
+ if (rc)
+ rc = -1; /* Need to make sure to have this error code. */
}
if (rc == -1 && keyid && !find_next)
@@ -568,6 +627,7 @@
instead. Loop over all certificates with that issuer as
subject and stop for the one with a matching
subjectKeyIdentifier. */
+ /* Fixme: Should we also search in the dirmngr? */
rc = find_up_search_by_keyid (kh, issuer, keyid);
if (rc)
{
@@ -580,9 +640,29 @@
rc = -1; /* Need to make sure to have this error code. */
}
+ /* If we still didn't found it, try to find it via the subject
+ from the dirmngr-cache. */
+ if (rc == -1 && !find_next)
+ {
+ if (!find_up_dirmngr (ctrl, kh, NULL, issuer, 1))
+ {
+ int old = keydb_set_ephemeral (kh, 1);
+ if (keyid)
+ rc = find_up_search_by_keyid (kh, issuer, keyid);
+ else
+ {
+ keydb_search_reset (kh);
+ rc = keydb_search_subject (kh, issuer);
+ }
+ keydb_set_ephemeral (kh, old);
+ }
+ if (rc)
+ rc = -1; /* Need to make sure to have this error code. */
+ }
+
/* If we still didn't found it, try an external lookup. */
if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
- rc = find_up_external (kh, issuer, keyid);
+ rc = find_up_external (ctrl, kh, issuer, keyid);
/* Print a note so that the user does not feel too helpless when
an issuer certificate was found and gpgsm prints BAD
@@ -617,6 +697,10 @@
rc = keydb_search_subject (kh, issuer);
if (rc == -1 && !find_next)
{
+ /* Also try to get it from the Dirmngr cache. The function
+ merely puts it into the ephemeral database. */
+ find_up_dirmngr (ctrl, kh, NULL, issuer, 0);
+
/* Not found, let us see whether we have one in the ephemeral key DB. */
int old = keydb_set_ephemeral (kh, 1);
if (!old)
@@ -629,7 +713,7 @@
/* Still not found. If enabled, try an external lookup. */
if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
- rc = find_up_external (kh, issuer, NULL);
+ rc = find_up_external (ctrl, kh, issuer, NULL);
return rc;
}
@@ -638,7 +722,7 @@
/* Return the next certificate up in the chain starting at START.
Returns -1 when there are no more certificates. */
int
-gpgsm_walk_cert_chain (ksba_cert_t start, ksba_cert_t *r_next)
+gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
{
int rc = 0;
char *issuer = NULL;
@@ -674,7 +758,7 @@
goto leave;
}
- rc = find_up (kh, start, issuer, 0);
+ rc = find_up (ctrl, kh, start, issuer, 0);
if (rc)
{
/* It is quite common not to have a certificate, so better don't
@@ -1194,7 +1278,7 @@
}
if (!rootca_flags->relax)
{
- rc = allowed_ca (subject_cert, NULL, listmode, listfp);
+ rc = allowed_ca (ctrl, subject_cert, NULL, listmode, listfp);
if (rc)
goto leave;
}
@@ -1301,7 +1385,7 @@
/* Find the next cert up the tree. */
keydb_search_reset (kh);
- rc = find_up (kh, subject_cert, issuer, 0);
+ rc = find_up (ctrl, kh, subject_cert, issuer, 0);
if (rc)
{
if (rc == -1)
@@ -1353,7 +1437,7 @@
root certificates. */
/* FIXME: Do this only if we don't have an
AKI.keyIdentifier */
- rc = find_up (kh, subject_cert, issuer, 1);
+ rc = find_up (ctrl, kh, subject_cert, issuer, 1);
if (!rc)
{
ksba_cert_t tmp_cert;