[svn] GnuPG - r4697 - in trunk: . doc po sm tests/pkits tools
svn author wk
cvs at cvs.gnupg.org
Tue Feb 19 11:33:50 CET 2008
Author: wk
Date: 2008-02-19 11:33:35 +0100 (Tue, 19 Feb 2008)
New Revision: 4697
Added:
trunk/tests/pkits/basic-certificate-revocation
trunk/tests/pkits/certificate-policies
trunk/tests/pkits/delta-crls
trunk/tests/pkits/distribution-points
trunk/tests/pkits/inhibit-any-policy
trunk/tests/pkits/inhibit-policy-mapping
trunk/tests/pkits/key-usage
trunk/tests/pkits/name-constraints
trunk/tests/pkits/policy-mappings
trunk/tests/pkits/private-certificate-extensions
trunk/tests/pkits/require-explicit-policy
trunk/tests/pkits/signature-verification
trunk/tests/pkits/validity-periods
trunk/tests/pkits/verifying-basic-constraints
trunk/tests/pkits/verifying-name-chaining
trunk/tests/pkits/verifying-paths-self-issued
Modified:
trunk/NEWS
trunk/configure.ac
trunk/doc/gpgsm.texi
trunk/po/be.po
trunk/po/ca.po
trunk/po/cs.po
trunk/po/da.po
trunk/po/de.po
trunk/po/el.po
trunk/po/eo.po
trunk/po/es.po
trunk/po/et.po
trunk/po/fi.po
trunk/po/fr.po
trunk/po/gl.po
trunk/po/hu.po
trunk/po/id.po
trunk/po/it.po
trunk/po/ja.po
trunk/po/nb.po
trunk/po/pl.po
trunk/po/pt.po
trunk/po/pt_BR.po
trunk/po/ro.po
trunk/po/ru.po
trunk/po/sk.po
trunk/po/sv.po
trunk/po/tr.po
trunk/po/zh_CN.po
trunk/po/zh_TW.po
trunk/sm/ChangeLog
trunk/sm/call-dirmngr.c
trunk/sm/certchain.c
trunk/sm/gpgsm.c
trunk/sm/gpgsm.h
trunk/tests/pkits/ChangeLog
trunk/tests/pkits/Makefile.am
trunk/tests/pkits/README
trunk/tests/pkits/common.sh
trunk/tests/pkits/import-all-certs
trunk/tests/pkits/import-all-certs.data
trunk/tests/pkits/inittests
trunk/tests/pkits/validate-all-certs
trunk/tools/gpgconf-comp.c
Log:
Improve certificate chain construction.
Extend PKITS framework
[The diff below has been truncated]
Modified: trunk/sm/ChangeLog
===================================================================
--- trunk/sm/ChangeLog 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/sm/ChangeLog 2008-02-19 10:33:35 UTC (rev 4697)
@@ -1,3 +1,20 @@
+2008-02-18 Werner Koch <wk at g10code.com>
+
+ * certchain.c (gpgsm_is_root_cert): Factor code out to ...
+ (is_root_cert): New. Extend test for self-issued certificates
+ signed by other CAs.
+ (do_validate_chain, gpgsm_basic_cert_check)
+ (gpgsm_walk_cert_chain): Use it here.
+
+ * gpgsm.c: Add option --no-common-certs-import.
+
+ * certchain.c (find_up_dirmngr, find_up, do_validate_chain)
+ (check_cert_policy): Be more silent with --quiet.
+
+ * gpgsm.c: Add option --disable-dirmngr.
+ * gpgsm.h (opt): Add field DISABLE_DIRMNGR.
+ * call-dirmngr.c (start_dirmngr): Implement option.
+
2008-02-14 Werner Koch <wk at g10code.com>
* server.c (option_handler): Add option allow-pinentry-notify.
Modified: trunk/tests/pkits/ChangeLog
===================================================================
--- trunk/tests/pkits/ChangeLog 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/tests/pkits/ChangeLog 2008-02-19 10:33:35 UTC (rev 4697)
@@ -1,3 +1,32 @@
+2008-02-19 Werner Koch <wk at g10code.com>
+
+ * signature-verification: New.
+ * validity-periods: New.
+ * verifying-name-chaining: New.
+ * basic-certificate-revocation: New.
+ * verifying-paths-self-issued: New.
+ * verifying-basic-constraints: New.
+ * key-usage: New.
+ * certificate-policies: New.
+ * require-explicit-policy: New.
+ * policy-mappings: New.
+ * inhibit-policy-mapping: New.
+ * inhibit-any-policy: New.
+ * name-constraints: New.
+ * distribution-points: New.
+ * delta-crls: New.
+ * private-certificate-extensions: New.
+ * Makefile.am (testscripts): Add them.
+
+ * import-all-certs.data: Add section numbers.
+
+2008-02-18 Werner Koch <wk at g10code.com>
+
+ * import-all-certs.data: Adjust import tests results. Almost all
+ certificates should now be importable due to relaxed basic checks.
+
+ * inittests (clean_files): Disable all dirmngr access.
+
2006-05-02 Werner Koch <wk at g10code.com>
* PKITS_data.tar.bz2: Repackaged new copy becuase the old one got
@@ -7,7 +36,7 @@
Started implementing PKITS based tests.
-
+
Copyright 2004 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
@@ -17,7 +46,3 @@
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/NEWS 2008-02-19 10:33:35 UTC (rev 4697)
@@ -4,11 +4,15 @@
* Gpgsm always tries to locate missing certificates from a running
Dirmngr's cache.
+ * Tweaks for Windows.
+
+ * Improved certificate chain construction.
+
+ * Extended the PKITS framework.
+
* Minor bug fixes.
- * Tweaks for Windows
-
Noteworthy changes in version 2.0.8 (2007-12-20)
------------------------------------------------
Modified: trunk/configure.ac
===================================================================
--- trunk/configure.ac 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/configure.ac 2008-02-19 10:33:35 UTC (rev 4697)
@@ -1412,10 +1412,10 @@
doc/Makefile
tests/Makefile
tests/openpgp/Makefile
+tests/pkits/Makefile
])
AC_OUTPUT
-#tests/pkits/Makefile
Modified: trunk/doc/gpgsm.texi
===================================================================
--- trunk/doc/gpgsm.texi 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/doc/gpgsm.texi 2008-02-19 10:33:35 UTC (rev 4697)
@@ -342,6 +342,9 @@
not work. Under Windows this option is ignored because the system dirmngr is
always used.
+ at item --disable-dirmngr
+Entirely disable the use of the Dirmngr.
+
@item --no-secmem-warning
@opindex no-secmem-warning
Don't print a warning when the so called "secure memory" can't be used.
@@ -673,6 +676,10 @@
option is only useful for the regression tests included with this
package and may be revised or removed at any time without notice.
+ at item --no-common-certs-import
+ at opindex no-common-certs-import
+Suppress the import of common certificates on keybox creation.
+
@end table
All the long options may also be given in the configuration file after
Modified: trunk/po/be.po [not shown]
Modified: trunk/po/ca.po [not shown]
Modified: trunk/po/cs.po [not shown]
Modified: trunk/po/da.po [not shown]
Modified: trunk/po/de.po [not shown]
Modified: trunk/po/el.po [not shown]
Modified: trunk/po/eo.po [not shown]
Modified: trunk/po/es.po [not shown]
Modified: trunk/po/et.po [not shown]
Modified: trunk/po/fi.po [not shown]
Modified: trunk/po/fr.po [not shown]
Modified: trunk/po/gl.po [not shown]
Modified: trunk/po/hu.po [not shown]
Modified: trunk/po/id.po [not shown]
Modified: trunk/po/it.po [not shown]
Modified: trunk/po/ja.po [not shown]
Modified: trunk/po/nb.po [not shown]
Modified: trunk/po/pl.po [not shown]
Modified: trunk/po/pt.po [not shown]
Modified: trunk/po/pt_BR.po [not shown]
Modified: trunk/po/ro.po [not shown]
Modified: trunk/po/ru.po [not shown]
Modified: trunk/po/sk.po [not shown]
Modified: trunk/po/sv.po [not shown]
Modified: trunk/po/tr.po [not shown]
Modified: trunk/po/zh_CN.po [not shown]
Modified: trunk/po/zh_TW.po [not shown]
Modified: trunk/sm/call-dirmngr.c
===================================================================
--- trunk/sm/call-dirmngr.c 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/sm/call-dirmngr.c 2008-02-19 10:33:35 UTC (rev 4697)
@@ -166,6 +166,9 @@
assuan_context_t ctx;
int try_default = 0;
+ if (opt.disable_dirmngr)
+ return gpg_error (GPG_ERR_NO_DIRMNGR);
+
if (dirmngr_ctx)
{
prepare_dirmngr (ctrl, dirmngr_ctx, 0);
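Review bot: The new early return on `opt.disable_dirmngr` carries no comment about what the caller loses. Every path that goes through this function now fails with `GPG_ERR_NO_DIRMNGR`, which presumably includes revocation lookups. I would add above the check: `/* Dirmngr disabled by option: no CRL/OCSP or external certificate lookup is possible. Callers must treat this error as "status unknown", never as "valid". */`. How the validation code maps this error is not visible in this diff and should be confirmed. The function body starts and ends outside the hunk.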
@@ -447,7 +450,6 @@
struct inq_certificate_parm_s parm;
struct isvalid_status_parm_s stparm;
-
rc = start_dirmngr (ctrl);
if (rc)
return rc;
Modified: trunk/sm/certchain.c
===================================================================
--- trunk/sm/certchain.c 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/sm/certchain.c 2008-02-19 10:33:35 UTC (rev 4697)
@@ -1,6 +1,6 @@
/* certchain.c - certificate chain validation
* Copyright (C) 2001, 2002, 2003, 2004, 2005,
- * 2006, 2007 Free Software Foundation, Inc.
+ * 2006, 2007, 2008 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -60,6 +60,8 @@
typedef struct chain_item_s *chain_item_t;
+static int is_root_cert (ksba_cert_t cert,
+ const char *issuerdn, const char *subjectdn);
static int get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen);
@@ -331,8 +333,9 @@
/* With no critical policies this is only a warning */
if (!any_critical)
{
- do_list (0, listmode, fplist,
- _("note: non-critical certificate policy not allowed"));
+ if (!opt.quiet)
+ do_list (0, listmode, fplist,
+ _("note: non-critical certificate policy not allowed"));
return 0;
}
do_list (1, listmode, fplist,
@@ -563,7 +566,7 @@
if (opt.verbose)
log_info (_("number of matching certificates: %d\n"), count);
- if (rc)
+ if (rc && !opt.quiet)
log_info (_("dirmngr cache-only key lookup failed: %s\n"),
gpg_strerror (rc));
return (!rc && count)? 0 : -1;
@@ -667,7 +670,9 @@
/* Print a note so that the user does not feel too helpless when
an issuer certificate was found and gpgsm prints BAD
signature because it is not the correct one. */
- if (rc == -1)
+ if (rc == -1 && opt.quiet)
+ ;
+ else if (rc == -1)
{
log_info ("%sissuer certificate ", find_next?"next ":"");
if (keyid)
@@ -752,7 +757,7 @@
goto leave;
}
- if (!strcmp (issuer, subject))
+ if (is_root_cert (start, issuer, subject))
{
rc = -1; /* we are at the root */
goto leave;
@@ -784,6 +789,75 @@
}
+/* Helper for gpgsm_is_root_cert. This one is used if the subject and
+ issuer DNs are already known. */
+static int
+is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn)
+{
+ gpg_error_t err;
+ int result = 0;
+ ksba_sexp_t serialno;
+ ksba_sexp_t ak_keyid;
+ ksba_name_t ak_name;
+ ksba_sexp_t ak_sn;
+ const char *ak_name_str;
+ ksba_sexp_t subj_keyid = NULL;
+
+ if (!issuerdn || !subjectdn)
+ return 0; /* No. */
+
+ if (strcmp (issuerdn, subjectdn))
+ return 0; /* No. */
+
+ err = ksba_cert_get_auth_key_id (cert, &ak_keyid, &ak_name, &ak_sn);
+ if (err)
+ {
+ if (gpg_err_code (err) == GPG_ERR_NO_DATA)
+ return 1; /* Yes. Without a authorityKeyIdentifier this needs
+ to be the Root certifcate (our trust anchor). */
+ log_error ("error getting authorityKeyIdentifier: %s\n",
+ gpg_strerror (err));
+ return 0; /* Well, it is broken anyway. Return No. */
+ }
+
+ serialno = ksba_cert_get_serial (cert);
+ if (!serialno)
+ {
+ log_error ("error getting serialno: %s\n", gpg_strerror (err));
+ goto leave;
+ }
+
+ /* Check whether the auth name's matches the issuer name+sn. If
+ that is the case this is a root certificate. */
+ ak_name_str = ksba_name_enum (ak_name, 0);
+ if (ak_name_str
+ && !strcmp (ak_name_str, issuerdn)
+ && !cmp_simple_canon_sexp (ak_sn, serialno))
+ {
+ result = 1; /* Right, CERT is self-signed. */
+ goto leave;
+ }
+
+ /* Similar for the ak_keyid. */
+ if (ak_keyid && !ksba_cert_get_subj_key_id (cert, NULL, &subj_keyid)
+ && !cmp_simple_canon_sexp (ak_keyid, subj_keyid))
+ {
+ result = 1; /* Right, CERT is self-signed. */
+ goto leave;
+ }
+
+
+ leave:
+ ksba_free (subj_keyid);
+ ksba_free (ak_keyid);
+ ksba_name_release (ak_name);
+ ksba_free (ak_sn);
+ ksba_free (serialno);
+ return result;
+}
+
+
+
/* Check whether the CERT is a root certificate. Returns True if this
is the case. */
int
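Review bot: In `is_root_cert` the failure branch after `ksba_cert_get_serial` logs `gpg_strerror (err)`, but `err` is necessarily 0 there because `ksba_cert_get_auth_key_id` has already succeeded, so the log line reports success next to an error. `ksba_cert_get_serial` returns only a pointer, so there is no code to print; `log_error ("error getting serialno\n");` would be accurate. The header comment should also spell out the return contract: 1 only when issuer and subject DN match and the authorityKeyIdentifier is either absent or refers back to the certificate itself, 0 otherwise. It should add that no signature is verified here, so callers still need their own self-signature check, as `gpgsm_basic_cert_check` does with `gpgsm_check_cert_sig (cert, cert)`.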
@@ -795,7 +869,7 @@
issuer = ksba_cert_get_issuer (cert, 0);
subject = ksba_cert_get_subject (cert, 0);
- yes = (issuer && subject && !strcmp (issuer, subject));
+ yes = is_root_cert (cert, issuer, subject);
xfree (issuer);
xfree (subject);
return yes;
@@ -1197,11 +1271,8 @@
}
- /* Is this a self-issued certificate (i.e. the root
- certificate)? This is actually the same test as done by
- gpgsm_is_root_cert but here we want to keep the issuer and
- subject for later use. */
- is_root = (subject && !strcmp (issuer, subject));
+ /* Is this a self-issued certificate (i.e. the root certificate)? */
+ is_root = is_root_cert (subject_cert, issuer, subject);
if (is_root)
{
chain->is_root = 1;
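Review bot: The replacement comment still equates "self-issued" with "the root certificate", which is the very case the new helper separates. `is_root_cert` returns 0 for a certificate whose issuer and subject DN match but whose authorityKeyIdentifier points at a different key or issuer/serial. I would word it as `/* Is this a self-signed certificate (i.e. a root)? Self-issued certificates signed by another CA are not treated as root. */` so the next reader does not restore the plain DN comparison. The enclosing function starts and ends outside the hunk.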
@@ -1570,7 +1641,7 @@
depth++;
} /* End chain traversal. */
- if (!listmode)
+ if (!listmode && !opt.quiet)
{
if (opt.no_policy_check)
log_info ("policies not checked due to %s option\n",
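Review bot: Gating this block on `!opt.quiet` also hides the notice that policies were not checked because `opt.no_policy_check` is set. That message records that validation ran in a weakened mode, not just progress chatter. A batch caller that sets both options then leaves no trace in its log that the chain was accepted without policy checks. Consider leaving such notices outside the quiet gate, or add a comment stating why suppressing them is acceptable. The block continues past the end of the hunk, so other notices may be affected as well.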
@@ -1771,7 +1842,7 @@
goto leave;
}
- if (subject && !strcmp (issuer, subject))
+ if (is_root_cert (cert, issuer, subject))
{
rc = gpgsm_check_cert_sig (cert, cert);
if (rc)
Modified: trunk/sm/gpgsm.c
===================================================================
--- trunk/sm/gpgsm.c 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/sm/gpgsm.c 2008-02-19 10:33:35 UTC (rev 4697)
@@ -1,6 +1,6 @@
/* gpgsm.c - GnuPG for S/MIME
* Copyright (C) 2001, 2002, 2003, 2004, 2005,
- * 2006, 2007 Free Software Foundation, Inc.
+ * 2006, 2007, 2008 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -122,6 +122,7 @@
oPreferSystemDirmngr,
oDirmngrProgram,
+ oDisableDirmngr,
oProtectToolProgram,
oFakedSystemTime,
@@ -149,7 +150,6 @@
oEnablePolicyChecks,
oAutoIssuerKeyRetrieve,
-
oTextmode,
oFingerprint,
oWithFingerprint,
@@ -231,6 +231,7 @@
oIgnoreTimeConflict,
oNoRandomSeedFile,
oNoAutoKeyRetrieve,
+ oNoCommonCertsImport,
oUseAgent,
oMergeOnly,
oTryAllSecrets,
@@ -431,10 +432,10 @@
{ oLCmessages, "lc-messages", 2, "@" },
{ oXauthority, "xauthority", 2, "@" },
{ oDirmngrProgram, "dirmngr-program", 2 , "@" },
+ { oDisableDirmngr, "disable-dirmngr", 0 , "@" },
{ oProtectToolProgram, "protect-tool-program", 2 , "@" },
{ oFakedSystemTime, "faked-system-time", 2, "@" }, /* (epoch time) */
-
{ oNoBatch, "no-batch", 0, "@" },
{ oWithColons, "with-colons", 0, "@"},
{ oWithKeyData,"with-key-data", 0, "@"},
@@ -462,6 +463,7 @@
{ oListOnly, "list-only", 0, "@"},
{ oIgnoreTimeConflict, "ignore-time-conflict", 0, "@" },
{ oNoRandomSeedFile, "no-random-seed-file", 0, "@" },
+ { oNoCommonCertsImport, "no-common-certs-import", 0, "@" },
{0} };
@@ -842,6 +844,7 @@
int nogreeting = 0;
int debug_wait = 0;
int use_random_seed = 1;
+ int no_common_certs_import = 0;
int with_fpr = 0;
char *def_digest_string = NULL;
char *extra_digest_algo = NULL;
@@ -1215,6 +1218,7 @@
case oLCmessages: opt.lc_messages = xstrdup (pargs.r.ret_str); break;
case oXauthority: opt.xauthority = xstrdup (pargs.r.ret_str); break;
case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break;
+ case oDisableDirmngr: opt.disable_dirmngr = 1; break;
case oPreferSystemDirmngr: opt.prefer_system_dirmngr = 1; break;
case oProtectToolProgram:
opt.protect_tool_program = pargs.r.ret_str;
@@ -1307,6 +1311,7 @@
case oIgnoreTimeConflict: opt.ignore_time_conflict = 1; break;
case oNoRandomSeedFile: use_random_seed = 0; break;
+ case oNoCommonCertsImport: no_common_certs_import = 1; break;
case oEnableSpecialFilenames: allow_special_filenames =1; break;
@@ -1476,7 +1481,7 @@
int created;
keydb_add_resource ("pubring.kbx", 0, 0, &created);
- if (created)
+ if (created && !no_common_certs_import)
{
/* Import the standard certificates for a new default keybox. */
char *filelist[2];
@@ -1593,6 +1598,8 @@
GC_OPT_FLAG_NONE );
printf ("auto-issuer-key-retrieve:%lu:\n",
GC_OPT_FLAG_NONE );
+ printf ("disable-dirmngr:%lu:\n",
+ GC_OPT_FLAG_NONE );
#ifndef HAVE_W32_SYSTEM
printf ("prefer-system-dirmngr:%lu:\n",
GC_OPT_FLAG_NONE );
Modified: trunk/sm/gpgsm.h
===================================================================
--- trunk/sm/gpgsm.h 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/sm/gpgsm.h 2008-02-19 10:33:35 UTC (rev 4697)
@@ -59,6 +59,7 @@
const char *dirmngr_program;
int prefer_system_dirmngr; /* Prefer using a system wide drimngr. */
+ int disable_dirmngr; /* Do not do any dirmngr calls. */
const char *protect_tool_program;
char *outfile; /* name of output file */
Modified: trunk/tests/pkits/Makefile.am
===================================================================
--- trunk/tests/pkits/Makefile.am 2008-02-18 14:31:46 UTC (rev 4696)
+++ trunk/tests/pkits/Makefile.am 2008-02-19 10:33:35 UTC (rev 4697)
@@ -1,11 +1,11 @@
# Makefile.am - tests using NIST's PKITS
-# Copyright (C) 2004 Free Software Foundation, Inc.
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc.
#
# This file is part of GnuPG.
#
# GnuPG is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# GnuPG is distributed in the hope that it will be useful,
@@ -14,42 +14,35 @@
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
## Process this file with automake to produce Makefile.in
GPGSM = ../../sm/gpgsm
TESTS_ENVIRONMENT = GNUPGHOME=`pwd` GPG_AGENT_INFO= LC_ALL=C GPGSM=$(GPGSM) \
- LD_LIBRARY_PATH=$$(seen=0; \
- for i in $(LDFLAGS) $(LIBGCRYPT_LIBS) $(PTH_LIBS); \
- do \
- if echo "$$i" | egrep '^-L' >/dev/null 2>&1; \
- then \
- if test $$seen = 0; \
- then \
- seen=1; \
- else \
- printf ":"; \
- fi; \
- printf "%s" "$${i}" | sed 's/^-L//'; \
- fi; \
- done; \
- if test $$seen != 0 \
- && test x$${LD_LIBRARY_PATH} != x; \
- then \
- printf ":"; \
- fi; \
- printf "%s" "$${LD_LIBRARY_PATH}") $(srcdir)/runtest
+ silent=yes
+testscripts = import-all-certs validate-all-certs \
+ signature-verification \
+ validity-periods \
+ verifying-name-chaining \
+ basic-certificate-revocation \
+ verifying-paths-self-issued \
+ verifying-basic-constraints \
+ key-usage \
+ certificate-policies \
+ require-explicit-policy \
+ policy-mappings \
+ inhibit-policy-mapping \
+ inhibit-any-policy \
+ name-constraints \
+ distribution-points \
+ delta-crls \
+ private-certificate-extensions
-testscripts = import-all-certs validate-all-certs
-
-
EXTRA_DIST = PKITS_data.tar.bz2 inittests runtest $(testscripts)
import-all-certs.data
@@ -68,3 +61,11 @@
srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests
echo timestamp >./inittests.stamp
+
+run-all-tests:
+ @set -e; \
+ GNUPGHOME=`pwd`; export GNUPGHOME;\
+ unset GPG_AGENT_INFO; \
+ for test in $(testscripts); do \
+ ./$${test} && true; \
+ done
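Review bot: `./$${test} && true` defeats the `set -e` at the top of the recipe: a command on the left of `&&` is exempt from errexit, so every PKITS script except the last can fail and `run-all-tests` still exits 0. For a suite that checks certificate path validation, a silent pass is the wrong default; collect the failures and exit non-zero at the end, as sketched below. The target is also not declared `.PHONY`. It runs the scripts from the build directory rather than `$(srcdir)`, which looks like it would break a VPATH build, given that the `inittests` line above uses `$(srcdir)`.

```make
.PHONY: run-all-tests
run-all-tests:
	@GNUPGHOME=`pwd`; export GNUPGHOME; \
	unset GPG_AGENT_INFO; \
	failed=; \
	for test in $(testscripts); do \
	  $(srcdir)/$${test} || failed="$$failed $${test}"; \
	done; \
	if test -n "$$failed"; then \
	  echo "failed tests:$$failed" >&2; exit 1; \
	fi
```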