From 8a12a2000d82acfa881e8c18d028290100bf5e43 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 7 Dec 2011 16:15:15 +0100 Subject: gpgsm: Add new validation model "steed". * sm/gpgsm.h (VALIDATE_FLAG_STEED): New. * sm/gpgsm.c (gpgsm_parse_validation_model): Add model "steed". * sm/server.c (option_handler): Allow validation model "steed". * sm/certlist.c (gpgsm_cert_has_well_known_private_key): New. * sm/certchain.c (do_validate_chain): Handle the well-known-private-key attribute. Support the "steed" model. (gpgsm_validate_chain): Ditto. * sm/verify.c (gpgsm_verify): Return "steed" in the trust status line. * sm/keylist.c (list_cert_colon): Print the new 'w' flag. -- This is the first part of changes to implement the STEED proposal as described at http://g10code.com/steed.html . The idea for X.509 is not to use plain self-signed certificates but certificates signed by a dummy CA (i.e. one for which the private key is known). Having a single CA as an indication for the use of STEED might help other X.509 implementations to implement STEED. --- sm/certlist.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'sm/certlist.c') diff --git a/sm/certlist.c b/sm/certlist.c index 0e9031953..241364a3a 100644 --- a/sm/certlist.c +++ b/sm/certlist.c @@ -1,6 +1,6 @@ /* certlist.c - build list of certificates * Copyright (C) 2001, 2003, 2004, 2005, 2007, - * 2008 Free Software Foundation, Inc. + * 2008, 2011 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -210,6 +210,21 @@ gpgsm_cert_use_ocsp_p (ksba_cert_t cert) } +/* Return true if CERT has the well known private key extension. */ +int +gpgsm_cert_has_well_known_private_key (ksba_cert_t cert) +{ + int idx; + const char *oid; + + for (idx=0; !ksba_cert_get_extension (cert, idx, + &oid, NULL, NULL, NULL);idx++) + if (!strcmp (oid, "1.3.6.1.4.1.11591.2.2.2") ) + return 1; /* Yes. */ + return 0; /* No. */ +} + + static int same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert) { -- cgit v1.2.3