diff options
| author | Marcus Brinkmann <[email protected]> | 2012-01-03 17:13:19 +0000 |
|---|---|---|
| committer | Marcus Brinkmann <[email protected]> | 2012-01-03 17:13:19 +0000 |
| commit | 0868997e186cd847663668f9d7a29806a12da2d2 (patch) | |
| tree | 73645f778a2d16213723121a76d2b38ca90edfcc /sm | |
| parent | Add lost ChangeLog entry. (diff) | |
| parent | Silence gcc warning. (diff) | |
| download | gnupg-npth.tar.gz gnupg-npth.zip | |
Merge branch 'master' into npthnpth
Conflicts:
ChangeLog-2011
Makefile.am
agent/ChangeLog-2011
agent/gpg-agent.c
dirmngr/ChangeLog-2011
dirmngr/dirmngr.c
doc/HACKING
g13/g13.c
po/de.po
scd/ChangeLog-2011
scd/apdu.c
scd/command.c
scd/scdaemon.c
scripts/gitlog-to-changelog
tools/ChangeLog-2011
Diffstat (limited to '')
| -rw-r--r-- | sm/call-dirmngr.c | 2 | ||||
| -rw-r--r-- | sm/certchain.c | 61 | ||||
| -rw-r--r-- | sm/certlist.c | 17 | ||||
| -rw-r--r-- | sm/certreqgen.c | 242 | ||||
| -rw-r--r-- | sm/gpgsm.c | 2 | ||||
| -rw-r--r-- | sm/gpgsm.h | 7 | ||||
| -rw-r--r-- | sm/keylist.c | 29 | ||||
| -rw-r--r-- | sm/server.c | 2 | ||||
| -rw-r--r-- | sm/verify.c | 2 |
9 files changed, 335 insertions, 29 deletions
diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c index cdaa9dcfa..92f7a0e2c 100644 --- a/sm/call-dirmngr.c +++ b/sm/call-dirmngr.c @@ -816,7 +816,7 @@ get_cached_cert (assuan_context_t ctx, char hexfpr[2*20+1]; struct membuf mb; char *buf; - size_t buflen; + size_t buflen = 0; ksba_cert_t cert; *r_cert = NULL; diff --git a/sm/certchain.c b/sm/certchain.c index 1a2632504..54c7a5772 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -1,6 +1,6 @@ /* certchain.c - certificate chain validation * Copyright (C) 2001, 2002, 2003, 2004, 2005, - * 2006, 2007, 2008 Free Software Foundation, Inc. + * 2006, 2007, 2008, 2011 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -1193,6 +1193,7 @@ ask_marktrusted (ctrl_t ctrl, ksba_cert_t cert, int listmode) VALIDATE_FLAG_NO_DIRMNGR - Do not do any dirmngr isvalid checks. VALIDATE_FLAG_CHAIN_MODEL - Check according to chain model. + VALIDATE_FLAG_STEED - Check according to the STEED model. */ static int do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, @@ -1305,13 +1306,21 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, We used to do this only later but changed it to call the check right here so that we can access special flags associated with that specific root certificate. */ - istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert, NULL, - rootca_flags); + if (gpgsm_cert_has_well_known_private_key (subject_cert)) + { + memset (rootca_flags, 0, sizeof *rootca_flags); + istrusted_rc = ((flags & VALIDATE_FLAG_STEED) + ? 0 : gpg_error (GPG_ERR_NOT_TRUSTED)); + } + else + istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert, NULL, + rootca_flags); audit_log_cert (ctrl->audit, AUDIT_ROOT_TRUSTED, subject_cert, istrusted_rc); /* If the chain model extended attribute is used, make sure that our chain model flag is set. */ - if (has_validation_model_chain (subject_cert, listmode, listfp)) + if (!(flags & VALIDATE_FLAG_STEED) + && has_validation_model_chain (subject_cert, listmode, listfp)) rootca_flags->chain_model = 1; } @@ -1383,7 +1392,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, /* Set the flag for qualified signatures. This flag is deduced from a list of root certificates allowed for qualified signatures. */ - if (is_qualified == -1) + if (is_qualified == -1 && !(flags & VALIDATE_FLAG_STEED)) { gpg_error_t err; size_t buflen; @@ -1437,8 +1446,11 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, expired it does not make much sense to ask the user whether we wants to trust the root certificate. We should do this only if the certificate under question - will then be usable. */ + will then be usable. If the certificate has a well + known private key asking the user does not make any + sense. */ if ( !any_expired + && !gpgsm_cert_has_well_known_private_key (subject_cert) && (!listmode || !already_asked_marktrusted (subject_cert)) && ask_marktrusted (ctrl, subject_cert, listmode) ) rc = 0; @@ -1455,6 +1467,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, /* Check for revocations etc. */ if ((flags & VALIDATE_FLAG_NO_DIRMNGR)) ; + else if ((flags & VALIDATE_FLAG_STEED)) + ; /* Fixme: check revocations via DNS. */ else if (opt.no_trusted_cert_crl_check || rootca_flags->relax) ; else @@ -1586,8 +1600,16 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, performance reasons. */ if (is_root) { - istrusted_rc = gpgsm_agent_istrusted (ctrl, issuer_cert, NULL, - rootca_flags); + if (gpgsm_cert_has_well_known_private_key (issuer_cert)) + { + memset (rootca_flags, 0, sizeof *rootca_flags); + istrusted_rc = ((flags & VALIDATE_FLAG_STEED) + ? 0 : gpg_error (GPG_ERR_NOT_TRUSTED)); + } + else + istrusted_rc = gpgsm_agent_istrusted + (ctrl, issuer_cert, NULL, rootca_flags); + if (!istrusted_rc && rootca_flags->relax) { /* Ignore the error due to the relax flag. */ @@ -1627,6 +1649,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, be fixed. */ if ((flags & VALIDATE_FLAG_NO_DIRMNGR)) rc = 0; + else if ((flags & VALIDATE_FLAG_STEED)) + rc = 0; /* Fixme: XXX */ else if (is_root && (opt.no_trusted_cert_crl_check || (!istrusted_rc && rootca_flags->relax))) rc = 0; @@ -1722,7 +1746,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, capability of the certificate under question, store the result as user data in all certificates of the chain. We do this even if the validation itself failed. */ - if (is_qualified != -1) + if (is_qualified != -1 && !(flags & VALIDATE_FLAG_STEED)) { gpg_error_t err; chain_item_t ci; @@ -1780,8 +1804,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, do_validate_chain. This function is a wrapper to handle a root certificate with the chain_model flag set. If RETFLAGS is not NULL, flags indicating now the verification was done are stored - there. The only defined flag for RETFLAGS is - VALIDATE_FLAG_CHAIN_MODEL. + there. The only defined vits for RETFLAGS are + VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED. If you are verifying a signature you should set CHECKTIME to the creation time of the signature. If your are verifying a @@ -1801,16 +1825,27 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime, if (!retflags) retflags = &dummy_retflags; + /* If the session requested a certain validation mode make sure the + corresponding flags are set. */ if (ctrl->validation_model == 1) flags |= VALIDATE_FLAG_CHAIN_MODEL; + else if (ctrl->validation_model == 2) + flags |= VALIDATE_FLAG_STEED; + /* If the chain model was forced, set this immediately into + RETFLAGS. */ *retflags = (flags & VALIDATE_FLAG_CHAIN_MODEL); + memset (&rootca_flags, 0, sizeof rootca_flags); rc = do_validate_chain (ctrl, cert, checktime, r_exptime, listmode, listfp, flags, &rootca_flags); - if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED + if (!rc && (flags & VALIDATE_FLAG_STEED)) + { + *retflags |= VALIDATE_FLAG_STEED; + } + else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED && !(flags & VALIDATE_FLAG_CHAIN_MODEL) && (rootca_flags.valid && rootca_flags.chain_model)) { @@ -1824,6 +1859,8 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime, if (opt.verbose) do_list (0, listmode, listfp, _("validation model used: %s"), + (*retflags & VALIDATE_FLAG_STEED)? + "steed" : (*retflags & VALIDATE_FLAG_CHAIN_MODEL)? _("chain"):_("shell")); diff --git a/sm/certlist.c b/sm/certlist.c index 0e9031953..241364a3a 100644 --- a/sm/certlist.c +++ b/sm/certlist.c @@ -1,6 +1,6 @@ /* certlist.c - build list of certificates * Copyright (C) 2001, 2003, 2004, 2005, 2007, - * 2008 Free Software Foundation, Inc. + * 2008, 2011 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -210,6 +210,21 @@ gpgsm_cert_use_ocsp_p (ksba_cert_t cert) } +/* Return true if CERT has the well known private key extension. */ +int +gpgsm_cert_has_well_known_private_key (ksba_cert_t cert) +{ + int idx; + const char *oid; + + for (idx=0; !ksba_cert_get_extension (cert, idx, + &oid, NULL, NULL, NULL);idx++) + if (!strcmp (oid, "1.3.6.1.4.1.11591.2.2.2") ) + return 1; /* Yes. */ + return 0; /* No. */ +} + + static int same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert) { diff --git a/sm/certreqgen.c b/sm/certreqgen.c index 41a6d7f05..de7c39c65 100644 --- a/sm/certreqgen.c +++ b/sm/certreqgen.c @@ -33,6 +33,22 @@ %commit %echo done EOF + + This parameter file was used to create the STEED CA: + Key-Type: RSA + Key-Length: 1024 + Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA + Key-Usage: cert + Serial: 1 + Name-DN: CN=The STEED Self-Signing Nonthority + Not-Before: 2011-11-11 + Not-After: 2106-02-06 + Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA + Extension: 2.5.29.19 c 30060101ff020101 + Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff + Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA + %commit + */ @@ -68,7 +84,10 @@ enum para_name pNOTBEFORE, pNOTAFTER, pSIGNINGKEY, - pHASHALGO + pHASHALGO, + pAUTHKEYID, + pSUBJKEYID, + pEXTENSION }; struct para_data_s @@ -89,6 +108,8 @@ struct reqgen_ctrl_s }; +static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35"; +static const char oidstr_subjectKeyIdentifier[] = "2.5.29.14"; static const char oidstr_keyUsage[] = "2.5.29.15"; static const char oidstr_basicConstraints[] = "2.5.29.19"; static const char oidstr_standaloneCertificate[] = "1.3.6.1.4.1.11591.2.2.1"; @@ -170,8 +191,11 @@ parse_parameter_usage (struct para_data_s *para, enum para_name key) ; else if ( !ascii_strcasecmp (p, "sign") ) use |= GCRY_PK_USAGE_SIGN; - else if ( !ascii_strcasecmp (p, "encrypt") ) + else if ( !ascii_strcasecmp (p, "encrypt") + || !ascii_strcasecmp (p, "encr") ) use |= GCRY_PK_USAGE_ENCR; + else if ( !ascii_strcasecmp (p, "cert") ) + use |= GCRY_PK_USAGE_CERT; else { log_error ("line %d: invalid usage list\n", r->lnr); @@ -225,6 +249,9 @@ read_parameters (ctrl_t ctrl, estream_t fp, estream_t out_fp) { "Not-After", pNOTAFTER }, { "Signing-Key", pSIGNINGKEY }, { "Hash-Algo", pHASHALGO }, + { "Authority-Key-Id", pAUTHKEYID }, + { "Subject-Key-Id", pSUBJKEYID }, + { "Extension", pEXTENSION, 1 }, { NULL, 0 } }; char line[1024], *p; @@ -594,6 +621,74 @@ proc_parameters (ctrl_t ctrl, struct para_data_s *para, } } + /* Check the optional AuthorityKeyId. */ + string = get_parameter_value (para, pAUTHKEYID, 0); + if (string) + { + for (s=string, i=0; hexdigitp (s); s++, i++) + ; + if (*s || (i&1)) + { + r = get_parameter (para, pAUTHKEYID, 0); + log_error (_("line %d: invalid authority-key-id\n"), r->lnr); + xfree (cardkeyid); + return gpg_error (GPG_ERR_INV_PARAMETER); + } + } + + /* Check the optional SubjectKeyId. */ + string = get_parameter_value (para, pSUBJKEYID, 0); + if (string) + { + for (s=string, i=0; hexdigitp (s); s++, i++) + ; + if (*s || (i&1)) + { + r = get_parameter (para, pSUBJKEYID, 0); + log_error (_("line %d: invalid subject-key-id\n"), r->lnr); + xfree (cardkeyid); + return gpg_error (GPG_ERR_INV_PARAMETER); + } + } + + /* Check the optional extensions. */ + for (seq=0; (string=get_parameter_value (para, pEXTENSION, seq)); seq++) + { + int okay = 0; + + s = strpbrk (string, " \t:"); + if (s) + { + s++; + while (spacep (s)) + s++; + if (*s && strchr ("nNcC", *s)) + { + s++; + while (spacep (s)) + s++; + if (*s == ':') + s++; + if (*s) + { + while (spacep (s)) + s++; + for (i=0; hexdigitp (s); s++, i++) + ; + if (!((*s && *s != ':') || !i || (i&1))) + okay = 1; + } + } + } + if (!okay) + { + r = get_parameter (para, pEXTENSION, seq); + log_error (_("line %d: invalid extension syntax\n"), r->lnr); + xfree (cardkeyid); + return gpg_error (GPG_ERR_INV_PARAMETER); + } + } + /* Create or retrieve the public key. */ if (cardkeyid) /* Take the key from the current smart card. */ { @@ -838,6 +933,14 @@ create_request (ctrl_t ctrl, err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, "\x03\x02\x04\x30", 4); } + else if (use == GCRY_PK_USAGE_CERT) + { + /* For certify only we encode the bits: + KSBA_KEYUSAGE_KEY_CERT_SIGN + KSBA_KEYUSAGE_CRL_SIGN */ + err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, + "\x03\x02\x01\x06", 4); + } else err = 0; /* Both or none given: don't request one. */ if (err) @@ -889,7 +992,7 @@ create_request (ctrl_t ctrl, *p++ = '0'; strcpy (p, string); for (p=hexbuf, len=0; p[0] && p[1]; p += 2) - ((unsigned char*)hexbuf)[len++] = xtoi_2 (s); + ((unsigned char*)hexbuf)[len++] = xtoi_2 (p); /* Now build the S-expression. */ snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len); buf = p = xtrymalloc (1 + strlen (numbuf) + len + 1 + 1); @@ -1009,6 +1112,139 @@ create_request (ctrl_t ctrl, goto leave; } } + + /* Insert the AuthorityKeyId. */ + string = get_parameter_value (para, pAUTHKEYID, 0); + if (string) + { + char *hexbuf; + + /* Allocate a buffer for in-place conversion. We also add 4 + extra bytes space for the tags and lengths fields. */ + hexbuf = xtrymalloc (4 + strlen (string) + 1); + if (!hexbuf) + { + err = gpg_error_from_syserror (); + goto leave; + } + strcpy (hexbuf+4, string); + for (p=hexbuf+4, len=0; p[0] && p[1]; p += 2) + ((unsigned char*)hexbuf)[4+len++] = xtoi_2 (p); + if (len > 125) + { + err = gpg_error (GPG_ERR_TOO_LARGE); + xfree (hexbuf); + goto leave; + } + hexbuf[0] = 0x30; /* Tag for a Sequence. */ + hexbuf[1] = len+2; + hexbuf[2] = 0x80; /* Context tag for an implicit Octet string. */ + hexbuf[3] = len; + err = ksba_certreq_add_extension (cr, oidstr_authorityKeyIdentifier, + 0, + hexbuf, 4+len); + xfree (hexbuf); + if (err) + { + log_error ("error setting the authority-key-id: %s\n", + gpg_strerror (err)); + goto leave; + } + } + + /* Insert the SubjectKeyId. */ + string = get_parameter_value (para, pSUBJKEYID, 0); + if (string) + { + char *hexbuf; + + /* Allocate a buffer for in-place conversion. We also add 2 + extra bytes space for the tag and length field. */ + hexbuf = xtrymalloc (2 + strlen (string) + 1); + if (!hexbuf) + { + err = gpg_error_from_syserror (); + goto leave; + } + strcpy (hexbuf+2, string); + for (p=hexbuf+2, len=0; p[0] && p[1]; p += 2) + ((unsigned char*)hexbuf)[2+len++] = xtoi_2 (p); + if (len > 127) + { + err = gpg_error (GPG_ERR_TOO_LARGE); + xfree (hexbuf); + goto leave; + } + hexbuf[0] = 0x04; /* Tag for an Octet string. */ + hexbuf[1] = len; + err = ksba_certreq_add_extension (cr, oidstr_subjectKeyIdentifier, 0, + hexbuf, 2+len); + xfree (hexbuf); + if (err) + { + log_error ("error setting the subject-key-id: %s\n", + gpg_strerror (err)); + goto leave; + } + } + + /* Insert additional extensions. */ + for (seq=0; (string = get_parameter_value (para, pEXTENSION, seq)); seq++) + { + char *hexbuf; + char *oidstr; + int crit = 0; + + s = strpbrk (string, " \t:"); + if (!s) + { + err = gpg_error (GPG_ERR_INTERNAL); + goto leave; + } + + oidstr = xtrymalloc (s - string + 1); + if (!oidstr) + { + err = gpg_error_from_syserror (); + goto leave; + } + memcpy (oidstr, string, (s-string)); + oidstr[(s-string)] = 0; + + s++; + while (spacep (s)) + s++; + if (!*s) + { + err = gpg_error (GPG_ERR_INTERNAL); + xfree (oidstr); + goto leave; + } + + if (strchr ("cC", *s)) + crit = 1; + s++; + while (spacep (s)) + s++; + if (*s == ':') + s++; + while (spacep (s)) + s++; + + hexbuf = xtrystrdup (s); + if (!hexbuf) + { + err = gpg_error_from_syserror (); + xfree (oidstr); + goto leave; + } + for (p=hexbuf, len=0; p[0] && p[1]; p += 2) + ((unsigned char*)hexbuf)[len++] = xtoi_2 (p); + err = ksba_certreq_add_extension (cr, oidstr, crit, + hexbuf, len); + xfree (oidstr); + xfree (hexbuf); + } } else sigkey = public; diff --git a/sm/gpgsm.c b/sm/gpgsm.c index dc9f2e032..7164f4274 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -2004,6 +2004,8 @@ gpgsm_parse_validation_model (const char *model) return 0; else if ( !ascii_strcasecmp (model, "chain") ) return 1; + else if ( !ascii_strcasecmp (model, "steed") ) + return 2; else return -1; } diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 31cd95150..6c68af746 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -195,7 +195,9 @@ struct server_control_s certificates up the chain (0 = none, 1 = only signer) */ int use_ocsp; /* Set to true if OCSP should be used. */ - int validation_model; /* Set to 1 for the chain model. */ + int validation_model; /* 0 := standard model (shell), + 1 := chain model, + 2 := STEED model. */ }; @@ -307,7 +309,7 @@ int gpgsm_create_cms_signature (ctrl_t ctrl, /* Flags used with gpgsm_validate_chain. */ #define VALIDATE_FLAG_NO_DIRMNGR 1 #define VALIDATE_FLAG_CHAIN_MODEL 2 - +#define VALIDATE_FLAG_STEED 4 int gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next); @@ -326,6 +328,7 @@ int gpgsm_cert_use_verify_p (ksba_cert_t cert); int gpgsm_cert_use_decrypt_p (ksba_cert_t cert); int gpgsm_cert_use_cert_p (ksba_cert_t cert); int gpgsm_cert_use_ocsp_p (ksba_cert_t cert); +int gpgsm_cert_has_well_known_private_key (ksba_cert_t cert); int gpgsm_certs_identical_p (ksba_cert_t cert_a, ksba_cert_t cert_b); int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert, certlist_t *listaddr, int is_encrypt_to); diff --git a/sm/keylist.c b/sm/keylist.c index e67c2d8d3..42c533a6d 100644 --- a/sm/keylist.c +++ b/sm/keylist.c @@ -1,6 +1,6 @@ /* keylist.c - Print certificates in various formats. - * Copyright (C) 1998, 1999, 2000, 2001, 2003, - * 2004, 2005, 2008, 2009 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2008, 2009, + * 2010, 2011 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -187,6 +187,7 @@ static struct /* GnuPG extensions */ { "1.3.6.1.4.1.11591.2.1.1", "pkaAddress" }, { "1.3.6.1.4.1.11591.2.2.1", "standaloneCertificate" }, + { "1.3.6.1.4.1.11591.2.2.2", "wellKnownPrivateKey" }, /* Extensions used by the Bundesnetzagentur. */ { "1.3.6.1.4.1.8301.3.5", "validityModel" }, @@ -420,7 +421,12 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity, && *not_after && strcmp (current_time, not_after) > 0 ) *truststring = 'e'; else if (valerr) - *truststring = 'i'; + { + if (gpgsm_cert_has_well_known_private_key (cert)) + *truststring = 'w'; /* Well, this is dummy CA. */ + else + *truststring = 'i'; + } else if (ctrl->with_validation && !is_root) *truststring = 'f'; } @@ -432,12 +438,17 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity, { struct rootca_flags_s dummy_flags; - rc = gpgsm_agent_istrusted (ctrl, cert, NULL, &dummy_flags); - if (!rc) - *truststring = 'u'; /* Yes, we trust this one (ultimately). */ - else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED) - *truststring = 'n'; /* No, we do not trust this one. */ - /* (in case of an error we can't tell anything.) */ + if (gpgsm_cert_has_well_known_private_key (cert)) + *truststring = 'w'; /* Well, this is dummy CA. */ + else + { + rc = gpgsm_agent_istrusted (ctrl, cert, NULL, &dummy_flags); + if (!rc) + *truststring = 'u'; /* Yes, we trust this one (ultimately). */ + else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED) + *truststring = 'n'; /* No, we do not trust this one. */ + /* (in case of an error we can't tell anything.) */ + } } if (*truststring) diff --git a/sm/server.c b/sm/server.c index 19c4a1678..385eb538a 100644 --- a/sm/server.c +++ b/sm/server.c @@ -277,7 +277,7 @@ option_handler (assuan_context_t ctx, const char *key, const char *value) else if (!strcmp (key, "validation-model")) { int i = gpgsm_parse_validation_model (value); - if ( i >= 0 && i <= 1 ) + if ( i >= 0 && i <= 2 ) ctrl->validation_model = i; else err = gpg_error (GPG_ERR_ASS_PARAMETER); diff --git a/sm/verify.c b/sm/verify.c index c77eb5744..1173f66d1 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -624,6 +624,8 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) } gpgsm_status (ctrl, STATUS_TRUST_FULLY, + (verifyflags & VALIDATE_FLAG_STEED)? + "0 steed": (verifyflags & VALIDATE_FLAG_CHAIN_MODEL)? "0 chain": "0 shell"); |