aboutsummaryrefslogtreecommitdiffstats
path: root/sm/certchain.c (unfollow)
Commit message (Collapse)AuthorFilesLines
2014-06-02gpgsm: Handle re-issued CA certificates in a better way.Werner Koch1-86/+142
* sm/certchain.c (find_up_search_by_keyid): Consider all matching certificates. (find_up): Add some debug messages. -- The DFN-Verein recently re-issued its CA certificates without generating new keys. Thus looking up the chain using the authority keyids works but may use still existing old certificates. This may break the CRL lookup in the Dirmngr. The hack to fix this is by using the latest issued certificate with the same subject key identifier. As usual Peter Gutman's X.509 style guide has some comments on that re-issuing. GnuPG-bug-id: 1644 Resolved conflicts: sm/certchain.c - whitespace fixes.
2012-08-24Fix typos spotted during translationsDavid Prévot1-3/+3
agent/genkey.c: s/to to/to/ sm/*.c: s/failed to allocated/failed to allocate/ sm/certlist.c: s/should have not/should not have/ Consistency fix: * g10/gpg.c, kbx/kbxutil.c, sm/gpgsm.c: uppercase after Syntax
2010-09-16Return a more specific error code for missing issuer certificatesWerner Koch1-3/+3
2009-12-10Add option --ignore-cert-extensionWerner Koch1-1/+16
2009-07-23Print status of CRL checks in the audit log.Werner Koch1-1/+7
2009-03-16Remove duplicated code.Werner Koch1-8/+8
2008-10-21Help dirmngr to use supplied trust anchors.Werner Koch1-2/+2
2008-10-20Marked all unused args on non-W32 platforms.Werner Koch1-0/+2
2008-04-23Fixed a C-89 incompatibility.Werner Koch1-1/+3
Minor changes to make it build on Debian bo. Thanks to Alain Guibert.
2008-04-01Fix a problem with dirmngr looked up certificates.Werner Koch1-2/+2
Typo fixes.
2008-02-19Improve certificate chain construction.Werner Koch1-14/+85
Extend PKITS framework
2008-02-13Always search missing certifcates using a running Dirmngr's cache.Werner Koch1-24/+108
2007-12-12Support DSA2.Werner Koch1-0/+2
Support Camellia for testing. More audit stuff.
2007-11-19Started to implement the audit log feature.Werner Koch1-1/+16
Pass PINENTRY_USER_DATA and XAUTHORITY to Pinentry. Improved support for the quality bar. Minor internal restructuring. Translation fixes.
2007-08-16About to do a releasegnupg-2.0.6Werner Koch1-1/+1
2007-08-10Implemented the chain model for X.509 validation.Werner Koch1-179/+507
2007-07-04Changed to GPLv3.Werner Koch1-6/+3
Removed intl/.
2007-03-20kbx/Werner Koch1-21/+89
* keybox.h (KEYBOX_FLAG_BLOB_SECRET, KEYBOX_FLAG_BLOB_EPHEMERAL): New. * keybox-update.c (keybox_compress): Use it here instead of a magic constant. sm/ * fingerprint.c (gpgsm_get_fingerprint): Add caching. (gpgsm_get_fingerprint_string): Use bin2hexcolon(). (gpgsm_get_fingerprint_hexstring): Use bin2hex and allocate only as much memory as required. (gpgsm_get_keygrip_hexstring): Use bin2hex. * certchain.c (gpgsm_validate_chain): Keep track of the certificate chain and reset the ephemeral flags. * keydb.c (keydb_set_cert_flags): New args EPHEMERAL and MASK. Changed caller to use a mask of ~0. Return a proper error code if the certificate is not available.
2007-03-19Changes to let the key listing use estream to help systems withoutWerner Koch1-9/+9
funopen.
2007-01-05Add subjectAltName to the list of known critical extensionsWerner Koch1-0/+6
2006-12-212006-12-21 Marcus Brinkmann <[email protected]>Marcus Brinkmann1-0/+1
* certchain.c (gpgsm_basic_cert_check): Release SUBJECT.
2006-10-18Preparing a releasegnupg-1.9.93Werner Koch1-2/+3
2006-10-16Fixed aegypten bug 299Werner Koch1-4/+71
2006-10-02Fix for bug 537Werner Koch1-1/+1
2006-09-26Finished implementation of the "relax" flag.Werner Koch1-21/+70
2006-09-25New "relax" option for trustlist.txtWerner Koch1-8/+33
2006-09-14Take advantage of newer gpg-error features.Werner Koch1-1/+1
2006-09-06Minor changes and typo fixes.Werner Koch1-0/+2
2006-06-27Various smaller changesWerner Koch1-0/+2
2006-06-20Updated FSF's address.Werner Koch1-1/+2
2006-03-21Add Kludge for RegTP sillyness.Werner Koch1-5/+122
2005-11-13Added qualified signature features.Werner Koch1-2/+74
2005-07-27Removed directories which are only used by the 1.9 branchWerner Koch1-793/+0
2005-04-21* configure.ac: Do not build gpg by default.Werner Koch1-4/+6
* gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check. * certchain.c (gpgsm_validate_chain): Make use of it. * certchain.c (gpgsm_validate_chain): Check revocations even for expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not. * gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check.
2005-04-21(gpgsm_validate_chain): Check revocations even forWerner Koch1-6/+3
expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not.
2005-04-18* configure.ac: Require libksba 0.9.11.Werner Koch1-20/+93
sm/ * call-dirmngr.c (inq_certificate): Add new inquire SENDCERT_SKI. * certlist.c (gpgsm_find_cert): Add new arg KEYID and implement this filter. Changed all callers. * certchain.c (find_up_search_by_keyid): New helper. (find_up): Also try using the AKI.keyIdentifier. (find_up_external): Ditto.
2005-03-17* certcheck.c: Fixed use of DBG_CRYPTO and DBG_X509.Werner Koch1-50/+83
* certchain.c (gpgsm_basic_cert_check): Dump certificates after a failed gcry_pk_verify. (find_up): Do an external lookup also for an authorityKeyIdentifier lookup. Factored external lookup code out to .. (find_up_external): .. new.
2004-12-03Preparing 1.9.13Werner Koch1-4/+17
2004-10-082004-10-08 Moritz Schulte <[email protected]>Moritz Schulte1-2/+3
* certchain.c (gpgsm_validate_chain): Do not use keydb_new() in case the no_chain_validation-return-short-cut is used (fixes memory leak).
2004-09-20(show_key_with_all_names): Print the card S/N.Werner Koch1-3/+12
* app-openpgp.c (app_select_openpgp): Its app_munge_serialno and not app_number_serialno.
2004-08-17* import.c (check_and_store): Do a full validation ifWerner Koch1-6/+10
--with-validation is set. * certchain.c (gpgsm_basic_cert_check): Print more detailed error messages. * certcheck.c (do_encode_md): Partly support DSA. Add new arg PKALGO. Changed all callers to pass it. (pk_algo_from_sexp): New. tests/pkits: New directory
2004-07-20(gpgsm_validate_chain): The trust check didn'tWerner Koch1-0/+3
worked anymore, probably due to the changes at 2003-03-04. Fixed.
2004-04-26* call-agent.c (gpgsm_agent_pksign, gpgsm_agent_pkdecrypt)Werner Koch1-2/+2
(gpgsm_agent_genkey, gpgsm_agent_istrusted) (gpgsm_agent_marktrusted, gpgsm_agent_havekey) (gpgsm_agent_passwd): Add new arg CTRL and changed all callers. (start_agent): New arg CTRL. Send progress item when starting a new agent. * sign.c (gpgsm_get_default_cert, get_default_signer): New arg CTRL to be passed down to the agent function. * decrypt.c (prepare_decryption): Ditto. * certreqgen.c (proc_parameters, read_parameters): Ditto. * certcheck.c (gpgsm_create_cms_signature): Ditto.
2004-04-05* verify.c (gpgsm_verify): Print STATUS_NEWSIG for each signature.Werner Koch1-11/+21
* certchain.c (gpgsm_validate_chain) <gpgsm_cert_use_cer_p>: Do not just warn if a cert is not suitable; bail out immediately. * call-dirmngr.c (isvalid_status_cb): New. (unhexify_fpr): New. Taken from ../g10/call-agent.c (gpgsm_dirmngr_isvalid): Add new arg CTRL, changed caller to pass it thru. Detect need to check the respondert cert and do that. * certchain.c (gpgsm_validate_chain): Add new arg FLAGS. Changed all callers.
2004-03-06still preparing for a releaseV1-9-6Werner Koch1-2/+2
2004-03-06Preparing for a releaseWerner Koch1-40/+69
2004-02-26(compare_certs): New.Werner Koch1-4/+40
(gpgsm_validate_chain): Fixed infinite certificate checks after bad signatures.
2004-02-20* gpgsm.c (main): New option --debug-ignore-expiration.Werner Koch1-5/+9
* certchain.c (gpgsm_validate_chain): Use it here. * certlist.c (cert_usage_p): Apply extKeyUsage.
2004-02-17* gpgsm.c: New option --with-md5-fingerprint.Werner Koch1-92/+177
* keylist.c (list_cert_std): Print MD5 fpr. * gpgsm.c: New options --with-validation. * server.c (option_handler): New option "with-validation". * keylist.c (list_cert_std, list_internal_keys): New args CTRL and WITH_VALIDATION. Changed callers to set it. (list_external_cb, list_external_keys): Pass CTRL to the callback. (list_cert_colon): Add arg CTRL. Check validation if requested. * certchain.c (unknown_criticals, allowed_ca, check_cert_policy) (gpgsm_validate_chain): New args LISTMODE and FP. (do_list): New helper for info output. (find_up): New arg FIND_NEXT. (gpgsm_validate_chain): After a bad signature try again with other CA certificates. * import.c (print_imported_status): New arg NEW_CERT. Print additional STATUS_IMPORT_OK becuase that is what gpgme expects. (check_and_store): Always call above function after import. * server.c (get_status_string): Added STATUS_IMPORT_OK.
2004-02-02* keybox.h (keybox_flag_t): New.Werner Koch1-0/+6
* keybox-search.c (get_flag_from_image, keybox_get_flags): New. (_keybox_get_flag_location): New. * certchain.c (gpgsm_validate_chain): Mark revoked certs in the keybox. * keylist.c (list_cert_colon): New arg VALIDITY; use it to print a revoked flag. (list_internal_keys): Retrieve validity flag. (list_external_cb): Pass 0 as validity flag. * keydb.c (keydb_get_flags, keydb_set_flags): New. (keydb_set_cert_flags): New. (lock_all): Return a proper error code. (keydb_lock): New. (keydb_delete): Don't lock but check that it has been locked. (keydb_update_keyblock): Ditto. * delete.c (delete_one): Take a lock.
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-24 12:26:49 +0000