aboutsummaryrefslogtreecommitdiffstats
path: root/sm/gpgsm.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* sm: Exclude rsaPSS from de-vs compliance mode.Werner Koch2020-07-031-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | * common/compliance.h (PK_ALGO_FLAG_RSAPSS): New. * common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and test rsaPSS. Adjust all callers. * common/util.c (pubkey_algo_to_string): New. (gnupg_pk_is_allowed): Ditto. * sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function. (gpgsm_get_hash_algo_from_sigval): New. * sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS. * sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to also get the algo flags. Pass algo flags along. Change some of the info output to be more like current master. -- Signed-off-by: Werner Koch <[email protected]> This backport from master commit 969abcf40cdfc65f3ee859c5e62889e1a8ccde91 also includes some changes taken from commit a759fa963a42e0652134130029217270b6d5d00b (sm: Improve readability of the data verification output.) Signed-off-by: Werner Koch <[email protected]>
* sm: Print the serial number of a cert also in decimal.Werner Koch2020-06-261-0/+1
| | | | | | | | | | | | * sm/certdump.c: Include membuf.h. (gpgsm_print_serial_decimal): New. * sm/keylist.c (list_cert_raw): Print s/n also in decimal (list_cert_std): Ditto. -- Many CA's print the serial number in decimal on their cards. Signed-off-by: Werner Koch <[email protected]>
* sm: Lookup missing issuers first using authorityInfoAccess.Werner Koch2020-04-161-1/+2
| | | | | | | | | | | | | | | | * sm/call-dirmngr.c (gpgsm_dirmngr_lookup): Add optional arg URL and adjust all callers. * sm/certchain.c (oidstr_caIssuers): New. (struct find_up_store_certs_s): Add additional fields. (find_up_store_certs_cb): Store the fingerprint. (find_up_via_auth_info_access): New. (find_up): Try the AIA URI first. -- Note that --auto-issuer-key-retrieve is required to use that. GnuPG-bug-id: 4898 Signed-off-by: Werner Koch <[email protected]>
* sm: Consider certificates w/o CRL DP as valid.Werner Koch2020-03-271-0/+1
| | | | | | | | | | | | | | | | | | | | | * sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP. * common/audit.c (proc_type_verify): Print "n/a" if a cert has no distribution point. * sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check. * sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New. (opts): Add option --enable-issuer-based-crl-check. (main): Set option. -- If the issuer does not provide a DP and the user wants such an issuer, we expect that a certificate does not need revocation checks. The new option --enable-issuer-based-crl-check can be used to revert to the old behaviour which requires that a suitable LDAP server has been configured to lookup a CRL by issuer. Signed-off-by: Werner Koch <[email protected]> (cherry picked from master)
* build: Always use EXTERN_UNLESS_MAIN_MODULE pattern.Werner Koch2020-02-101-0/+1
| | | | | | | | | | | | | | | | | | | | | | * common/util.h (EXTERN_UNLESS_MAIN_MODULE): Add the definion only here but now without the Norcroft-C. Change all other places where it gets defined. * common/iobuf.h (iobuf_debug_mode): Declare unconditionally as extern. * common/iobuf.c (iobuf_debug_mode): Define it here. * agent/gpg-agent.c (INCLUDED_BY_MAIN_MODULE): Define here and also in all main modules of all other programs. * g10/main.h: Put util.h before the local header files. -- This change is required for use with gcc/ld's LTO feature which does not allow common blocks. Further gcc 10 will make -fno-common the default and thus this chnage is always needed. What a pitty. Co-authored-by: Tomáš Mráz GnuPG-bug-id: 4831 Signed-off-by: Werner Koch <[email protected]>
* sm: Add special case for expired intermediate certificates.Werner Koch2019-12-061-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | * sm/gpgsm.h (struct server_control_s): Add field 'current_time'. * sm/certchain.c (find_up_search_by_keyid): Detect a corner case. Also simplify by using ref-ed cert objects in place of an anyfound var. -- See the code for a description of the problem. Tested using the certs from the bug report and various command lines gpgsm --faked-system-time=XXXX --disable-crl-checks \ -ea -v --debug x509 -r 0x95599828 with XXXX being 20190230T000000 -> target cert too young with XXXX being 20190330T000000 -> okay with XXXX being 20190830T000000 -> okay, using the long term cert with XXXX being 20220330T000000 -> target cert expired The --disabled-crl-checks option is required because in our a simple test setting dirmngr does not know about the faked time. GnuPG-bug-id: 4696 Signed-off-by: Werner Koch <[email protected]> (cherry picked from commit d246f317c04862cacfefc899c98da182ee2805a5)
* sm: Avoid confusing diagnostic for the default key.Werner Koch2019-05-271-1/+1
| | | | | | | | | | | | | * sm/certlist.c (cert_usage_p): Add arg 'silent' and change all callers. (gpgsm_cert_use_sign_p): Add arg 'silent' and pass to cert_usage_p. Change all callers. * sm/sign.c (gpgsm_get_default_cert): Set SILENT when calling gpgsm_cert_use_sign_p -- GnuPG-bug-id: 4535 Signed-off-by: Werner Koch <[email protected]>
* gpg,sm: New option --request-origin.Werner Koch2018-03-231-0/+1
| | | | | | | | | | | | | | | * g10/gpg.c (oRequestOrigin): New const. (opts): New option --request-origin. (main): Parse that option. * g10/options.h (struct opt): Add field request_origin. * g10/call-agent.c (start_agent): Send option to the agent. * sm/gpgsm.c (oRequestOrigin): New const. (opts): New option --request-origin. (main): Parse that option. * sm/gpgsm.h (struct opt): Add field request_origin. * sm/call-agent.c (start_agent): Send option to the agent. Signed-off-by: Werner Koch <[email protected]>
* sm: Do not expect X.509 keyids to be uniqueRainer Perske2017-10-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/certlist.c (gpgsm_find_cert): Add arg allow_ambiguous and use it. * sm/call-dirmngr.c (inq_certificate): Pass true to ALLOW_AMBIGUOUS (run_command_inq_cb): Ditto. * sm/gpgsm.c (main): Pass false. * sm/server.c (cmd_passwd): Pass false. -- As described in my report T1644, it is possible that multiple certificates exist with the same Distinguished Name and the same key. In this case, verifying S/MIME signatures and other actions fail with "certificate not found: Ambiguous name". For details see the bug report. To circumvent the problem, I am patching GnuPG since 2014 so that in this case the newest of the ambiguous certificates is used. This is not an ultimate solution of the problem: You should try every certificate with the same DN until verification succeeds or until all certificates fail, and if multiple certificates of a chain are ambiguous you even have to check every combination. You may even consider checking the keyUsage attributes of the ambiguous certificates to reduce the number of combinations. But in the existing case of the certificates in the German Research Network (DFN) PKI where the newest one is the valid one and all ambiguous certificates have the same keyUsage attributes, this patch has proven to be sufficient over the last three years. With every GnuPG update, I have adapted the patch, luckily I never needed to change anything except line numbers. GnuPG-bug-id: 1644 ChangeLog log written by wk, comment taken from mail. Signed-off line was missing in the plain diff. However the mail with the patch and the DCO posted as reply to that mail were both signed. Signed-off-by: Werner Koch <[email protected]>
* common,gpg,sm: Move the compliance option parser.Justus Winter2017-06-071-0/+2
| | | | | | | | | | | | | | * common/compliance.c (gnupg_parse_compliance_option): New function. * common/compliance.h (struct gnupg_compliance_option): New type. (gnupg_parse_compliance_option): New prototype. * g10/gpg.c (parse_compliance_option): Remove function. (compliance_options): New variable. (main): Adapt callsite. * sm/gpgsm.c (main): Use the new common function. * sm/gpgsm.h (opt): New field 'compliance'. GnuPG-bug-id: 3191 Signed-off-by: Justus Winter <[email protected]>
* common: Remove gpgsm dependencies from ksba-io-support.Werner Koch2017-02-161-17/+1
| | | | | | | | | | | | | | | | | * common/ksba-io-support.c: Include ksba-io-support.h instead of ../sm/gpgsm.h. Include util.h. (writer_cb_parm_s): Remove const from 'pem_name'. (gpgsm_destroy_writer): Free 'pem_name'. (gpgsm_create_reader): Rename to ... (gnupg_ksba_create_reader): this. Replace args CTRL and ALLOW_MULTI_PEM by a new arg FLAGS. Change the code to evaluate FLAGS. Change all callers to pass the FLAGS. (gpgsm_create_writer): Rename to ... (gnupg_ksba_create_writer): this. Replace arg CTRL by new arg FLAGS. Add arg PEM_NAME. Evaluate FLAGS. Store a copy of PEM_NAME. Change all callers to pass the FLAGS and PEM_NAME. Signed-off-by: Werner Koch <[email protected]>
* gpg,sm: Add STATUS_ERROR keydb_search and keydb_add-resource.Werner Koch2016-11-101-1/+4
| | | | | | | | | | | | | | | | * g10/keydb.c (keydb_add_resource): Make ANY_REGISTERED file-global. Write a STATUS_ERROR. (maybe_create_keyring_or_box): Check for non-accessible but existant file. (keydb_search): Write a STATUS_ERROR if no keyring has been registered but continue to return NOT_FOUND. * sm/keydb.c (keydb_add_resource): Rename ANY_PUBLIC to ANY_REGISTERED and make file-global. Write a STATUS_ERROR. (keydb_search): Write a STATUS_ERROR if no keyring has been registered but continue to return NOT_FOUND. Also add new arg CTRL and change all callers to pass it down. Signed-off-by: Werner Koch <[email protected]>
* Change all http://www.gnu.org in license notices to https://Werner Koch2016-11-051-1/+1
| | | | --
* Replace use of opt.homedir by accessor functions.Werner Koch2016-06-071-1/+0
| | | | | | | | | | | | | | | | | | | * common/homedir.c (the_gnupg_homedir): New var. (gnupg_set_homedir): New. (gnupg_homedir): New. * g10/options.h (struct opt): Remove 'homedir' and replace all users by the new accessor functions. * g13/g13-common.h (struct opt): Ditto. * scd/scdaemon.h (struct opt): Ditto. * sm/gpgsm.h (struct opt): Ditto. * dirmngr/dirmngr.h (struct opt): Ditto. * agent/preset-passphrase.c (opt_homedir): Ditto. * agent/protect-tool.c (opt_homedir): Ditto. -- This will make detection of a non-default homedir easier. Signed-off-by: Werner Koch <[email protected]>
* sm: Implement pinentry loopback and reading passphrases from fd.Justus Winter2016-03-071-0/+2
| | | | | | | | | | | | | | | | | | * doc/gpgsm.texi: Document '--pinentry-mode' and '--passphrase-fd'. * sm/Makefile.am (gpgsm_SOURCES): Add new files * sm/call-agent.c (struct default_inq_parm_s): New definition. (start_agent): Pass in the pinentry mode. (default_inq_cb): Handle 'PASSPHRASE' and 'NEW_PASSPHRASE' inquiries. Adapt all call sites to the new callback cookie. * sm/gpgsm.c (cmd_and_opt_values): Add new values. (opts): Add new options. (main): Handle new options. * sm/gpgsm.h (struct opt): Add field 'pinentry_mode'. * sm/passphrase.c: New file. * sm/passphrase.h: Likewise. GnuPG-bug-id: 1970 Signed-off-by: Justus Winter <[email protected]>
* sm: Remove unused argument '--fixed-passphrase'.Justus Winter2016-03-071-1/+0
| | | | | | | | | | * doc/gpgsm.texi: Drop description. * sm/gpgsm.c (cmd_and_opt_values): Drop enum value. (opts): Drop argument. (main): Drop argument handling. * sm/gpgsm.h (struct opt): Drop field 'fixed_passphrase'. Signed-off-by: Justus Winter <[email protected]>
* Replace GNUPG_GCC_A_ macros by GPGRT_ATTR_ macros.Werner Koch2015-07-261-1/+1
| | | | | | | | | | | | | * common/util.h: Provide replacement for GPGRT_ATTR_ macros when using libgpg-error < 1.20. * common/mischelp.h: Ditto. * common/types.h: Ditto. -- Given that libgpg-error is a dependency of all GnuPG related libraries it is better to define such macros at only one place instead of having similar macros at a lot of places. For now we need repalcement macros, though.
* gpgsm: Add command option "offline".Werner Koch2015-06-291-0/+1
| | | | | | | | | | | | | | | | | * sm/server.c (option_handler): Add "offline". (cmd_getinfo): Ditto. * sm/certchain.c (is_cert_still_valid): (do_validate_chain): * sm/gpgsm.c (gpgsm_init_default_ctrl): Default "offline" to the value of --disable-dirmngr. * sm/call-dirmngr.c (start_dirmngr_ext): Better also check for ctrl->offline. -- Adding this option makes it easier to implement the corresponding feature in gpgme. Signed-off-by: Werner Koch <[email protected]>
* Rename DBG_ASSUAN to DBG_IPC and add separate DBG_EXTPROG.Werner Koch2015-04-061-2/+2
| | | | * g10/options.h (DBG_EXTPROG_VALUE): Separate from DBG_IPC_VALUE.
* Add option --no-autostart.Werner Koch2014-11-281-0/+1
| | | | | | | | | | | | | | * g10/gpg.c: Add option --no-autostart. * sm/gpgsm.c: Ditto. * g10/options.h (opt): Add field autostart. * sm/gpgsm.h (opt): Ditto. * g10/call-agent.c (start_agent): Print note if agent was not autostarted. * sm/call-agent.c (start_agent): Ditto. * g10/call-dirmngr.c (create_context): Likewise. * sm/call-dirmngr.c (start_dirmngr_ext): Ditto. Signed-off-by: Werner Koch <[email protected]>
* sm: Create homedir and lock empty keybox creation.Werner Koch2014-08-141-0/+1
| | | | | | | | | * sm/gpgsm.h (opt): Add field "no_homedir_creation". * sm/gpgsm.c (main): Set it if --no-options is used. * sm/keydb.c (try_make_homedir): New. Similar to the one from g10/openfile.c. (maybe_create_keybox): New. Similar to the one from g10/keydb.c. (keydb_add_resource): Replace some code by maybe_create_keybox.
* Add new option --with-secret.Werner Koch2014-06-031-0/+1
| | | | | | | | | | | | | | | | | | | * g10/gpg.c: Add option --with-secret. * g10/options.h (struct opt): Add field with_secret. * g10/keylist.c (public_key_list): Pass opt.with_secret to list_all and list_one. (list_all, list_one): Add arg mark_secret. (list_keyblock_colon): Add arg has_secret. * sm/gpgsm.c: Add option --with-secret. * sm/server.c (option_handler): Add option "with-secret". * sm/gpgsm.h (server_control_s): Add field with_secret. * sm/keylist.c (list_cert_colon): Take care of with_secret. Also move the token string from the wrong field 14 to 15. -- This option is useful for key managers which need to know whether a key has a secret key. This change allows to collect this information in one pass.
* gpgsm: New commands --export-secret-key-{p8,raw}Werner Koch2014-06-031-1/+2
| | | | | | | | | * sm/gpgsm.c: Add new commands. * sm/minip12.c (build_key_sequence): Add arg mode. (p12_raw_build): New. * sm/export.c (export_p12): Add arg rawmode. Call p12_raw_build. (gpgsm_p12_export): Ditto. (print_short_info): Print the keygrip.
* gpgsm: Add new validation model "steed".Werner Koch2011-12-071-2/+5
| | | | | | | | | | | | | | | | | | | | * sm/gpgsm.h (VALIDATE_FLAG_STEED): New. * sm/gpgsm.c (gpgsm_parse_validation_model): Add model "steed". * sm/server.c (option_handler): Allow validation model "steed". * sm/certlist.c (gpgsm_cert_has_well_known_private_key): New. * sm/certchain.c (do_validate_chain): Handle the well-known-private-key attribute. Support the "steed" model. (gpgsm_validate_chain): Ditto. * sm/verify.c (gpgsm_verify): Return "steed" in the trust status line. * sm/keylist.c (list_cert_colon): Print the new 'w' flag. -- This is the first part of changes to implement the STEED proposal as described at http://g10code.com/steed.html . The idea for X.509 is not to use plain self-signed certificates but certificates signed by a dummy CA (i.e. one for which the private key is known). Having a single CA as an indication for the use of STEED might help other X.509 implementations to implement STEED.
* Support X.509 certificate creation.Werner Koch2011-03-011-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | Using "gpgsm --genkey" allows the creation of a self-signed certificate via a new prompt. Using "gpgsm --genkey --batch" should allow the creation of arbitrary certificates controlled by a parameter file. An example parameter file is Key-Type: RSA Key-Length: 1024 Key-Grip: 2C50DC6101C10C9C643E315FE3EADCCBC24F4BEA Key-Usage: sign, encrypt Serial: random Name-DN: CN=some test key Name-Email: [email protected] Name-Email: [email protected] Hash-Algo: SHA384 not-after: 2038-01-16 12:44 This creates a self-signed X.509 certificate using the key given by the keygrip and using SHA-384 as hash algorithm. The keyword signing-key can be used to sign the certificate with a different key. See sm/certreggen.c for details.
* Nuked almost all trailing white space.post-nuke-of-trailing-wsWerner Koch2011-02-041-7/+7
| | | | | | | | We better do this once and for all instead of cluttering all future commits with diffs of trailing white spaces. In the majority of cases blank or single lines are affected and thus this change won't disturb a git blame too much. For future commits the pre-commit scripts checks that this won't happen again.
* Remove superfluous parameter.Werner Koch2010-11-261-1/+1
| | | | | Make self-check interval larger
* Add new option --with-keygripWerner Koch2010-10-081-0/+2
|
* Auto-start dirmngr.Werner Koch2010-08-161-1/+0
|
* Implement export of pkcs#12 objects using a direct agent connection.Werner Koch2010-06-211-2/+6
|
* Avoid using the protect-tool to import pkcs#12.Werner Koch2010-06-171-0/+6
|
* Merged jnlib into common.Werner Koch2010-03-101-1/+0
|
* Removed almost al dup calls.Werner Koch2010-03-081-3/+3
|
* Replace use stdio by estream functions.Werner Koch2010-03-081-6/+8
|
* Add option --cert-extension.Werner Koch2009-12-101-1/+6
|
* Impleemned gpgsm's IMPORT --re-import feature.Werner Koch2009-07-071-1/+1
| | | | | Typo fix.
* Reworked passing of envars to Pinentry.Werner Koch2009-07-071-6/+5
|
* Create a pkcs#10 request directly from a card.Werner Koch2009-07-021-0/+2
| | | | | Deprecate gpgsm-gencert.sh script.
* Signing using Netkey 3 cards does now work.Werner Koch2009-03-261-2/+3
|
* Print NO_SECKEY status line in gpgsm.Werner Koch2009-03-251-2/+3
| | | | | This fixes bug#1020.
* Add server option with-ephemeral-keys.Werner Koch2009-03-181-3/+2
| | | | | Extend SCD LEARN command.
* New gpg-agent command to list key information.Werner Koch2009-03-061-0/+2
| | | | | | Gpgsm does now print the S/N of cards. Consider ephemeral keys during listing an export.
* fixed a bug in the prompt formatter.Werner Koch2008-10-281-0/+1
|
* Help dirmngr to use supplied trust anchors.Werner Koch2008-10-211-1/+1
|
* Add gpgsm server command GETINFO agent-check.Werner Koch2008-09-301-0/+1
| | | | | Fix tests.
* 2008-08-08 Marcus Brinkmann <[email protected]>Marcus Brinkmann2008-08-081-2/+0
| | | | | | | | | | | | | | | | * gpgsm.h (struct server_control_s): Remove member dirmngr_seen. * call-dirmngr.c (dirmngr2_ctx, dirmngr_ctx_locked) (dirmngr2_ctx_locked): New global variables. (prepare_dirmngr): Don't check dirmngr_seen anymore. (start_dirmngr): Move bunch of code to ... (start_dirmngr_ext): ... this new function. (release_dirmngr, start_dirmngr2, release_dirmngr2): New functions. (gpgsm_dirmngr_isvalid): Call release_dirmngr. (gpgsm_dirmngr_lookup): Call release_dirmngr. If dirmngr_ctx is locked, use dirmngr2_locked. (gpgsm_dirmngr_run_command): Call release_dirmngr.
* Start support of TCOS 3 cards.Werner Koch2008-06-261-0/+2
| | | | | | | Support restriction attribute. Fix utf-8 printing problems. Use AES by default.
* sm/Marcus Brinkmann2008-06-121-0/+14
| | | | | | | | | | | | | | | | 2008-06-12 Marcus Brinkmann <[email protected]> * gpgsm.h (struct keyserver_spec): New struct. (opt): Add member keyserver. * gpgsm.c (keyserver_list_free, parse_keyserver_line): New functions. (main): Implement --keyserver option. * call-dirmngr.c (prepare_dirmngr): Send LDAPSERVER commands. tools/ 2008-06-12 Marcus Brinkmann <[email protected]> * gpgconf-comp.c (gc_options_gpgsm): Add option keyserver.
* Improve certificate chain construction.Werner Koch2008-02-191-0/+1
| | | | | Extend PKITS framework
* Poems for AllowSetForegroundWindow (W32)Werner Koch2008-02-141-0/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-23 08:14:48 +0000