[svn] GnuPG - r4857 - trunk/sm
svn author wk
cvs at cvs.gnupg.org
Tue Oct 21 17:03:52 CEST 2008
Author: wk
Date: 2008-10-21 17:03:51 +0200 (Tue, 21 Oct 2008)
New Revision: 4857
Modified:
trunk/sm/ChangeLog
trunk/sm/call-agent.c
trunk/sm/call-dirmngr.c
trunk/sm/certchain.c
trunk/sm/gpgsm.h
trunk/sm/keylist.c
Log:
Help dirmngr to use supplied trust anchors.
Modified: trunk/sm/ChangeLog
===================================================================
--- trunk/sm/ChangeLog 2008-10-21 13:53:08 UTC (rev 4856)
+++ trunk/sm/ChangeLog 2008-10-21 15:03:51 UTC (rev 4857)
@@ -1,3 +1,12 @@
+2008-10-21 Werner Koch <wk at g10code.com>
+
+ * call-dirmngr.c (inq_certificate_parm_s): Add field CTRL.
+ (gpgsm_dirmngr_isvalid): Supply a value for that field.
+ (inq_certificate): Add inquiry ISTRUSTED.
+
+ * call-agent.c (gpgsm_agent_istrusted): Add new optional arg
+ HEXFPR. Changed all callers.
+
2008-10-20 Werner Koch <wk at g10code.com>
* keydb.c (keydb_locate_writable): Mark unused arg.
Modified: trunk/sm/call-agent.c
===================================================================
--- trunk/sm/call-agent.c 2008-10-21 13:53:08 UTC (rev 4856)
+++ trunk/sm/call-agent.c 2008-10-21 15:03:51 UTC (rev 4857)
@@ -560,31 +560,45 @@
/* Ask the agent whether the certificate is in the list of trusted
- keys. ROOTCA_FLAGS is guaranteed to be cleared on error. */
+ keys. The certificate is either specified by the CERT object or by
+ the fingerprint HEXFPR. ROOTCA_FLAGS is guaranteed to be cleared
+ on error. */
int
-gpgsm_agent_istrusted (ctrl_t ctrl, ksba_cert_t cert,
+gpgsm_agent_istrusted (ctrl_t ctrl, ksba_cert_t cert, const char *hexfpr,
struct rootca_flags_s *rootca_flags)
{
int rc;
- char *fpr;
char line[ASSUAN_LINELENGTH];
memset (rootca_flags, 0, sizeof *rootca_flags);
+ if (cert && hexfpr)
+ return gpg_error (GPG_ERR_INV_ARG);
+
rc = start_agent (ctrl);
if (rc)
return rc;
- fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
- if (!fpr)
+ if (hexfpr)
{
- log_error ("error getting the fingerprint\n");
- return gpg_error (GPG_ERR_GENERAL);
+ snprintf (line, DIM(line)-1, "ISTRUSTED %s", hexfpr);
+ line[DIM(line)-1] = 0;
}
+ else
+ {
+ char *fpr;
- snprintf (line, DIM(line)-1, "ISTRUSTED %s", fpr);
- line[DIM(line)-1] = 0;
- xfree (fpr);
+ fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
+ if (!fpr)
+ {
+ log_error ("error getting the fingerprint\n");
+ return gpg_error (GPG_ERR_GENERAL);
+ }
+
+ snprintf (line, DIM(line)-1, "ISTRUSTED %s", fpr);
+ line[DIM(line)-1] = 0;
+ xfree (fpr);
+ }
rc = assuan_transact (agent_ctx, line, NULL, NULL, NULL, NULL,
istrusted_status_cb, rootca_flags);
Modified: trunk/sm/call-dirmngr.c
===================================================================
--- trunk/sm/call-dirmngr.c 2008-10-21 13:53:08 UTC (rev 4856)
+++ trunk/sm/call-dirmngr.c 2008-10-21 15:03:51 UTC (rev 4857)
@@ -55,6 +55,7 @@
static int force_pipe_server = 0;
struct inq_certificate_parm_s {
+ ctrl_t ctrl;
assuan_context_t ctx;
ksba_cert_t cert;
ksba_cert_t issuer_cert;
@@ -408,6 +409,33 @@
line += 14;
issuer_mode = 1;
}
+ else if (!strncmp (line, "ISTRUSTED", 9) && (line[9]==' ' || !line[9]))
+ {
+ /* The server is asking us whether the certificate is a trusted
+ root certificate. */
+ const char *s;
+ size_t n;
+ char fpr[41];
+ struct rootca_flags_s rootca_flags;
+
+ line += 9;
+ while (*line == ' ')
+ line++;
+
+ for (s=line,n=0; hexdigitp (s); s++, n++)
+ ;
+ if (*s || n != 40)
+ return gpg_error (GPG_ERR_ASS_PARAMETER);
+ for (s=line, n=0; n < 40; s++, n++)
+ fpr[n] = (*s >= 'a')? (*s & 0xdf): *s;
+ fpr[n] = 0;
+
+ if (!gpgsm_agent_istrusted (parm->ctrl, NULL, fpr, &rootca_flags))
+ rc = assuan_send_data (parm->ctx, "1", 1);
+ else
+ rc = 0;
+ return rc;
+ }
else
{
log_error ("unsupported inquiry `%s'\n", line);
@@ -555,6 +583,7 @@
}
parm.ctx = dirmngr_ctx;
+ parm.ctrl = ctrl;
parm.cert = cert;
parm.issuer_cert = issuer_cert;
Modified: trunk/sm/certchain.c
===================================================================
--- trunk/sm/certchain.c 2008-10-21 13:53:08 UTC (rev 4856)
+++ trunk/sm/certchain.c 2008-10-21 15:03:51 UTC (rev 4857)
@@ -1284,7 +1284,7 @@
We used to do this only later but changed it to call the
check right here so that we can access special flags
associated with that specific root certificate. */
- istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert,
+ istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert, NULL,
rootca_flags);
audit_log_cert (ctrl->audit, AUDIT_ROOT_TRUSTED,
subject_cert, istrusted_rc);
@@ -1565,7 +1565,7 @@
performance reasons. */
if (is_root)
{
- istrusted_rc = gpgsm_agent_istrusted (ctrl, issuer_cert,
+ istrusted_rc = gpgsm_agent_istrusted (ctrl, issuer_cert, NULL,
rootca_flags);
if (!istrusted_rc && rootca_flags->relax)
{
Modified: trunk/sm/gpgsm.h
===================================================================
--- trunk/sm/gpgsm.h 2008-10-21 13:53:08 UTC (rev 4856)
+++ trunk/sm/gpgsm.h 2008-10-21 15:03:51 UTC (rev 4857)
@@ -386,7 +386,7 @@
ksba_const_sexp_t keyparms, ksba_sexp_t *r_pubkey);
int gpgsm_agent_readkey (ctrl_t ctrl, int fromcard, const char *hexkeygrip,
ksba_sexp_t *r_pubkey);
-int gpgsm_agent_istrusted (ctrl_t ctrl, ksba_cert_t cert,
+int gpgsm_agent_istrusted (ctrl_t ctrl, ksba_cert_t cert, const char *hexfpr,
struct rootca_flags_s *rootca_flags);
int gpgsm_agent_havekey (ctrl_t ctrl, const char *hexkeygrip);
int gpgsm_agent_marktrusted (ctrl_t ctrl, ksba_cert_t cert);
Modified: trunk/sm/keylist.c
===================================================================
--- trunk/sm/keylist.c 2008-10-21 13:53:08 UTC (rev 4856)
+++ trunk/sm/keylist.c 2008-10-21 15:03:51 UTC (rev 4857)
@@ -429,7 +429,7 @@
{
struct rootca_flags_s dummy_flags;
- rc = gpgsm_agent_istrusted (ctrl, cert, &dummy_flags);
+ rc = gpgsm_agent_istrusted (ctrl, cert, NULL, &dummy_flags);
if (!rc)
*truststring = 'u'; /* Yes, we trust this one (ultimately). */
else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED)
More information about the Gnupg-commits
mailing list