gpgsm OCSP question (key usage checking for response verification)

Daiki Ueno ueno at unixuser.org
Thu May 18 09:55:54 CEST 2006


>>>>> In <87iro3dbqa.fsf at wheatstone.g10code.de> 
>>>>>	Werner Koch <wk at gnupg.org> wrote:
> Daiki Ueno <ueno at unixuser.org> writes:

> > I stepped through the execution using GDB, in line 149 use == 0xffffffff
> > (== ~0) and have_ocsp_signing == 1.  Now, my question is, why doesn't it
> > accept the value ~0 for the variable use?  use is corresponding to the

> With use == 0xffffffff (assuming 32 bit unsigned int) this evaluates to

>     if ( 0  && (have_ocsp_signing
>                 || (0xffffffff & (KSBA_KEYUSAGE_KEY_CERT_SIGN
>                                  |KSBA_KEYUSAGE_CRL_SIGN))))
>       return 0;

> Thus you won't get to the return.

Yes, I know that :-)

I think that use == 0xfffffff is a valid condition, so I would like to
know why use != ~0 is necessary here.

use is set as

      err = ksba_cert_get_key_usage (cert, &use);
      if (gpg_err_code (err) == GPG_ERR_NO_DATA)
        {
          err = 0;
          if (opt.verbose && mode < 2)
            log_info (_("no key usage specified - assuming all usages\n"));
          use = ~0;
        }

Thus, use == ~0 indicates cert is usable for all usages.

Regards,
-- 
Daiki Ueno
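
Added example, not part of the original message and not gpgsm source: a small C model of the condition discussed in this thread, evaluated with and without the use != ~0 guard so the cases where the two differ are visible. The function names and the numeric values of the key usage bits are assumptions made for this example; only the shape of the condition comes from the quoted code.

```c
#include <stdio.h>

/* Stand-ins for the libksba key usage bits named in the thread.
   The numeric values are assumptions chosen for this example. */
#define KEYUSAGE_DIGITAL_SIGNATURE 0x01u
#define KEYUSAGE_KEY_CERT_SIGN     0x20u
#define KEYUSAGE_CRL_SIGN          0x40u
/* Value the quoted code stores when no key usage is specified. */
#define USE_ALL (~0u)

/* Condition as quoted in the thread: the early "return 0" is taken
   only when use is not the "all usages" value. */
static int early_return_with_guard (unsigned int use, int have_ocsp_signing)
{
  return use != USE_ALL
         && (have_ocsp_signing
             || (use & (KEYUSAGE_KEY_CERT_SIGN | KEYUSAGE_CRL_SIGN)));
}

/* Hypothetical variant with the guard dropped, i.e. the behaviour
   the question asks about. */
static int early_return_without_guard (unsigned int use, int have_ocsp_signing)
{
  return have_ocsp_signing
         || (use & (KEYUSAGE_KEY_CERT_SIGN | KEYUSAGE_CRL_SIGN)) != 0;
}

int main (void)
{
  /* Constructed inputs: (use, have_ocsp_signing) pairs. */
  static const struct { const char *label; unsigned int use; int ocsp; } cases[] = {
    { "no key usage, have_ocsp_signing=1",    USE_ALL,                    1 },
    { "no key usage, have_ocsp_signing=0",    USE_ALL,                    0 },
    { "keyCertSign, have_ocsp_signing=0",     KEYUSAGE_KEY_CERT_SIGN,     0 },
    { "digitalSignature, have_ocsp_signing=1", KEYUSAGE_DIGITAL_SIGNATURE, 1 },
    { "digitalSignature, have_ocsp_signing=0", KEYUSAGE_DIGITAL_SIGNATURE, 0 },
  };

  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
    printf ("%-40s guard=%d  no-guard=%d\n", cases[i].label,
            early_return_with_guard (cases[i].use, cases[i].ocsp),
            early_return_without_guard (cases[i].use, cases[i].ocsp));
  return 0;
}
```

The two variants differ only in the rows where use is ~0, which is the case observed in GDB above (use == 0xffffffff, have_ocsp_signing == 1).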


