authorWerner Koch <[email protected]>2002-06-04 09:41:59 +0000
committerWerner Koch <[email protected]>2002-06-04 09:41:59 +0000
commitc6416080a2f3154c3a6807b42ef3e224c3904815 (patch)
tree1b2457a3ad1661c05a5ac60a2fa6e7ddeca85261
parent* gpgsm.c (main): Don't print the "go ahead" message for an (diff)
* gpgsm.c (main): New command --list-sigs (tag: NEWPG-0-3-7)
* keylist.c (list_cert_std): New. Use it whenever colon mode is not used. (list_cert_chain): New.
-rw-r--r--sm/ChangeLog7
-rw-r--r--sm/certdump.c306
-rw-r--r--sm/gpgsm.c9
-rw-r--r--sm/gpgsm.h7
-rw-r--r--sm/keylist.c156
5 files changed, 480 insertions, 5 deletions
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 889140034..d5ae4f679 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,10 @@
+2002-06-04 Werner Koch <[email protected]>
+
+ * gpgsm.c (main): New command --list-sigs
+ * keylist.c (list_cert_std): New. Use it whenever colon mode is
+ not used.
+ (list_cert_chain): New.
+
2002-05-31 Werner Koch <[email protected]>
* gpgsm.c (main): Don't print the "go ahead" message for an
diff --git a/sm/certdump.c b/sm/certdump.c
index 4d5e6bf7f..11e9f659f 100644
--- a/sm/certdump.c
+++ b/sm/certdump.c
@@ -32,9 +32,42 @@
#include "gpgsm.h"
#include "keydb.h"
+#include "i18n.h"
+
+struct dn_array_s {
+ char *key;
+ char *value;
+};
+
/* print the first element of an S-Expression */
void
+gpgsm_print_serial (FILE *fp, KsbaConstSexp p)
+{
+ unsigned long n;
+ KsbaConstSexp endp;
+
+ if (!p)
+ fputs (_("none"), fp);
+ else if (*p != '(')
+ fputs ("[Internal error - not an S-expression]", fp);
+ else
+ {
+ p++;
+ n = strtoul (p, (char**)&endp, 10);
+ p = endp;
+ if (*p!=':')
+ fputs ("[Internal Error - invalid S-expression]", fp);
+ else
+ {
+ for (p++; n; n--, p++)
+ fprintf (fp, "%02X", *p);
+ }
+ }
+}
+
+
+void
gpgsm_dump_serial (KsbaConstSexp p)
{
unsigned long n;
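Review bot: The header comment `/* print the first element of an S-Expression */` at the top of the hunk now sits over the new gpgsm_print_serial while gpgsm_dump_serial, which it originally described, is left with no comment at all; neither says that the serial is written as uppercase hex or that output goes to FP. Suggest `/* Print the serial number given as the S-expression P ("(N:bytes)") as uppercase hex to FP; a NULL P prints "none". */` above gpgsm_print_serial and restoring the one-liner above gpgsm_dump_serial. The final loop also trusts the length prefix N and reads N bytes after the colon with no bound from the caller; that is acceptable only if P always comes from libksba, which is worth stating in the comment.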
@@ -59,7 +92,24 @@ gpgsm_dump_serial (KsbaConstSexp p)
}
}
+void
+gpgsm_print_time (FILE *fp, time_t t)
+{
+ if (!t)
+ fputs (_("none"), fp);
+ else if ( t == (time_t)(-1) )
+ fputs ("[Error - Invalid time]", fp);
+ else
+ {
+ struct tm *tp;
+ tp = gmtime (&t);
+ fprintf (fp, "%04d-%02d-%02d %02d:%02d:%02d Z",
+ 1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
+ tp->tm_hour, tp->tm_min, tp->tm_sec);
+ assert (!tp->tm_isdst);
+ }
+}
void
gpgsm_dump_time (time_t t)
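Review bot: `gmtime (&t)` can return NULL for a time_t it cannot represent, and gpgsm_print_time dereferences `tp` in the fprintf immediately after the call, so a certificate with an out-of-range validity date would crash the listing instead of printing an error marker. Add `if (!tp) { fputs ("[Error - Invalid time]", fp); return; }` between the gmtime call and the fprintf. The `assert (!tp->tm_isdst)` runs only after the value has already been printed; moving it before the fprintf, or dropping it since gmtime never reports DST, would be cleaner.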
@@ -82,6 +132,8 @@ gpgsm_dump_time (time_t t)
}
+
+
void
gpgsm_dump_string (const char *string)
{
@@ -157,7 +209,261 @@ gpgsm_dump_cert (const char *text, KsbaCert cert)
}
+
+/* helper for the rfc2253 string parser */
+static const unsigned char *
+parse_dn_part (struct dn_array_s *array, const unsigned char *string)
+{
+ const unsigned char *s, *s1;
+ size_t n;
+ unsigned char *p;
+
+ /* parse attributeType */
+ for (s = string+1; *s && *s != '='; s++)
+ ;
+ if (!*s)
+ return NULL; /* error */
+ n = s - string;
+ if (!n)
+ return NULL; /* empty key */
+ array->key = p = xtrymalloc (n+1);
+ if (!array->key)
+ return NULL;
+ memcpy (p, string, n);
+ p[n] = 0;
+ trim_trailing_spaces (p);
+ if ( !strcmp (p, "1.2.840.113549.1.9.1") )
+ strcpy (p, "EMail");
+ string = s + 1;
+
+ if (*string == '#')
+ { /* hexstring */
+ string++;
+ for (s=string; hexdigitp (s); s++)
+ s++;
+ n = s - string;
+ if (!n || (n & 1))
+ return NULL; /* empty or odd number of digits */
+ n /= 2;
+ array->value = p = xtrymalloc (n+1);
+ if (!p)
+ return NULL;
+ for (s1=string; n; s1 += 2, n--)
+ *p++ = xtoi_2 (s1);
+ *p = 0;
+ }
+ else
+ { /* regular v3 quoted string */
+ for (n=0, s=string; *s; s++)
+ {
+ if (*s == '\\')
+ { /* pair */
+ s++;
+ if (*s == ',' || *s == '=' || *s == '+'
+ || *s == '<' || *s == '>' || *s == '#' || *s == ';'
+ || *s == '\\' || *s == '\"' || *s == ' ')
+ n++;
+ else if (hexdigitp (s) && hexdigitp (s+1))
+ {
+ s++;
+ n++;
+ }
+ else
+ return NULL; /* invalid escape sequence */
+ }
+ else if (*s == '\"')
+ return NULL; /* invalid encoding */
+ else if (*s == ',' || *s == '=' || *s == '+'
+ || *s == '<' || *s == '>' || *s == '#' || *s == ';' )
+ break;
+ else
+ n++;
+ }
+
+ array->value = p = xtrymalloc (n+1);
+ if (!p)
+ return NULL;
+ for (s=string; n; s++, n--)
+ {
+ if (*s == '\\')
+ {
+ s++;
+ if (hexdigitp (s))
+ {
+ *p++ = xtoi_2 (s);
+ s++;
+ }
+ else
+ *p++ = *s;
+ }
+ else
+ *p++ = *s;
+ }
+ *p = 0;
+ }
+ return s;
+}
+
+/* Parse a DN and return an array-ized one. This is not a validating
+ parser and it does not support any old-stylish syntax; KSBA is
+ expected to return only rfc2253 compatible strings. */
+static struct dn_array_s *
+parse_dn (const unsigned char *string)
+{
+ struct dn_array_s *array;
+ size_t arrayidx, arraysize;
+ int i;
+
+ arraysize = 7; /* C,ST,L,O,OU,CN,email */
+ arrayidx = 0;
+ array = xtrymalloc ((arraysize+1) * sizeof *array);
+ if (!array)
+ return NULL;
+ while (*string)
+ {
+ while (*string == ' ')
+ string++;
+ if (!*string)
+ break; /* ready */
+ if (arrayidx >= arraysize)
+ {
+ struct dn_array_s *a2;
+
+ arraysize += 5;
+ a2 = xtryrealloc (array, (arraysize+1) * sizeof *array);
+ if (!a2)
+ goto failure;
+ array = a2;
+ }
+ array[arrayidx].key = NULL;
+ array[arrayidx].value = NULL;
+ string = parse_dn_part (array+arrayidx, string);
+ arrayidx++;
+ if (!string)
+ goto failure;
+ while (*string == ' ')
+ string++;
+ if (*string && *string != ',' && *string != ';' && *string != '+')
+ goto failure; /* invalid delimiter */
+ if (*string)
+ string++;
+ }
+ array[arrayidx].key = NULL;
+ array[arrayidx].value = NULL;
+ return array;
+
+ failure:
+ for (i=0; i < arrayidx; i++)
+ {
+ xfree (array[i].key);
+ xfree (array[i].value);
+ }
+ xfree (array);
+ return NULL;
+}
+
+
+static int
+print_dn_part (FILE *fp, struct dn_array_s *dn, const char *key,
+ int need_delim)
+{
+ int any = 0;
+
+ for (; dn->key; dn++)
+ {
+ if (!strcmp (dn->key, key) && dn->value && *dn->value)
+ {
+ if (need_delim)
+ {
+ putc ('/', fp);
+ need_delim = 0;
+ }
+ if (any)
+ fputs (" + ", fp);
+ else
+ fprintf (fp, "%s=", key);
+ print_sanitized_utf8_string (fp, dn->value, '/');
+ any = 1;
+ }
+ }
+ return any;
+}
+
+/* Print all parts of a DN in a "standard" sequence. We first print
+ all the known parts, followed by the uncommon ones */
+static void
+print_dn_parts (FILE *fp, struct dn_array_s *dn)
+{
+ const char *stdpart[] = {
+ "CN", "OU", "O", "STREET", "L", "ST", "C", "EMail", NULL
+ };
+ int any=0, i;
+
+ for (i=0; stdpart[i]; i++)
+ {
+ if (print_dn_part (fp, dn, stdpart[i], any))
+ any = 1;
+ }
+
+ /* now print the rest without any specific ordering */
+ for (; dn->key; dn++)
+ {
+ for (i=0; stdpart[i]; i++)
+ {
+ if (!strcmp (dn->key, stdpart[i]))
+ break;
+ }
+ if (!stdpart[i])
+ {
+ if (print_dn_part (fp, dn, dn->key, any))
+ any = 1;
+ }
+ }
+}
+
+
+
+void
+gpgsm_print_name (FILE *fp, const char *name)
+{
+ const unsigned char *s;
+ int i;
+
+ s = name;
+ if (!s)
+ {
+ fputs (_("[Error - No name]"), fp);
+ }
+ else if (*s == '<')
+ {
+ const unsigned char *s2 = strchr (s+1, '>');
+ if (s2)
+ print_sanitized_utf8_buffer (fp, s + 1, s2 - s - 1, 0);
+ }
+ else if (*s == '(')
+ fputs (_("[Error - unknown encoding]"), fp);
+ else if (!((*s >= '0' && *s < '9')
+ || (*s >= 'A' && *s <= 'Z')
+ || (*s >= 'a' && *s <= 'z')))
+ fputs (_("[Error - invalid encoding]"), fp);
+ else
+ {
+ struct dn_array_s *dn = parse_dn (s);
+ if (!dn)
+ fputs (_("[Error - invalid DN]"), fp);
+ else
+ {
+ print_dn_parts (fp, dn);
+ for (i=0; dn[i].key; i++)
+ {
+ xfree (dn[i].key);
+ xfree (dn[i].value);
+ }
+ xfree (dn);
+ }
+ }
+}
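Review bot: In parse_dn_part the hexstring scan `for (s=string; hexdigitp (s); s++) s++;` advances S twice per iteration, so only every other character is validated and, when the run of digits has odd length and ends the string, S steps over the terminating NUL and hexdigitp() reads past the end of the buffer; with an odd run followed by a delimiter the delimiter is swallowed into the value and `xtoi_2` is fed a non-hex nibble. Dropping the loop body (`for (s=string; hexdigitp (s); s++) ;`) checks every character and still lets the following `(n & 1)` test reject odd counts. Separately, in gpgsm_print_name the test `*s < '9'` should be `*s <= '9'`, otherwise a DN string starting with the digit 9 is reported as `[Error - invalid encoding]`. The decoded value of a `#...` hexstring may also contain embedded NULs, which the later strcmp/print path silently truncates; worth a comment if that is accepted.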
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 17344ec22..3aeddd845 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -213,8 +213,8 @@ static ARGPARSE_OPTS opts[] = {
{ aListKeys, "list-keys", 256, N_("list keys")},
{ aListKeys, "list-public-keys", 256, "@" },
{ aListSecretKeys, "list-secret-keys", 256, N_("list secret keys")},
- { aDummy, "list-sigs", 256, "@"},
- { aDummy, "check-sigs",256, "@"},
+ { aListSigs, "list-sigs", 256, N_("list certificate chain")},
+ { aListSigs, "check-sigs",256, "@"},
{ oFingerprint, "fingerprint", 256, N_("list keys and fingerprints")},
{ aListSecretKeys, "list-secret-keys", 256, N_("list secret keys")},
{ aKeygen, "gen-key", 256, N_("generate a new key pair")},
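Review bot: Mapping `check-sigs` to aListSigs promises a verification that the new code does not visibly perform: the only behavior the command gains (per the ChangeLog and the new list_cert_chain) is listing the certifying certificates, and whether gpgsm_walk_cert_chain checks each issuer signature is not shown here. If it does not, a user running `--check-sigs` gets output that looks like a verified chain without any signature check, a trust-relevant difference from gpg's command of the same name. Either keep `check-sigs` on aDummy until it verifies, or document the gap in the help string, e.g. `N_("list certificate chain (no signature check)")`.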
@@ -360,7 +360,7 @@ static ARGPARSE_OPTS opts[] = {
{ oWithKeyData,"with-key-data", 0, "@"},
{ aListKeys, "list-key", 0, "@" }, /* alias */
{ aListSigs, "list-sig", 0, "@" }, /* alias */
- { aCheckKeys, "check-sig",0, "@" }, /* alias */
+ { aListSigs, "check-sig",0, "@" }, /* alias */
{ oSkipVerify, "skip-verify",0, "@" },
{ oCompressKeys, "compress-keys",0, "@"},
{ oCompressSigs, "compress-sigs",0, "@"},
@@ -727,6 +727,7 @@ main ( int argc, char **argv)
case aExport: set_cmd (&cmd, aExport); break;
case aListKeys: set_cmd (&cmd, aListKeys); break;
case aListSecretKeys: set_cmd (&cmd, aListSecretKeys); break;
+ case aListSigs: set_cmd (&cmd, aListSigs); break;
case aLearnCard: set_cmd (&cmd, aLearnCard); break;
@@ -1179,6 +1180,8 @@ main ( int argc, char **argv)
/* xfree(username); */
break;
+ case aListSigs:
+ ctrl.with_chain = 1;
case aListKeys:
for (sl=NULL; argc; argc--, argv++)
add_to_strlist (&sl, *argv);
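Review bot: The new `case aListSigs:` sets `ctrl.with_chain = 1;` and then drops into `case aListKeys:` with no marker, which reads like a forgotten `break` to anyone skimming main(); add `/* fall through */` after the assignment so the intent survives -Wimplicit-fallthrough and future edits. The switch and main() continue outside the hunk.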
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index b1969112c..2ecb3169e 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -107,6 +107,7 @@ struct server_control_s {
int status_fd; /* only for non-server mode */
struct server_local_s *server_local;
int with_colons; /* use column delimited output format */
+ int with_chain; /* include the certifying certs in a listing */
int autodetect_encoding; /* try to detect the input encoding */
int is_pem; /* Is in PEM format */
@@ -162,11 +163,17 @@ void gpgsm_destroy_writer (Base64Context ctx);
/*-- certdump.c --*/
+void gpgsm_print_serial (FILE *fp, KsbaConstSexp p);
+void gpgsm_print_time (FILE *fp, time_t t);
+void gpgsm_print_name (FILE *fp, const char *string);
+
void gpgsm_dump_cert (const char *text, KsbaCert cert);
void gpgsm_dump_serial (KsbaConstSexp p);
void gpgsm_dump_time (time_t t);
void gpgsm_dump_string (const char *string);
+
+
/*-- certcheck.c --*/
int gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert);
int gpgsm_check_cms_signature (KsbaCert cert, KsbaConstSexp sigval,
diff --git a/sm/keylist.c b/sm/keylist.c
index b53b10f16..d52790f2b 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -38,6 +38,7 @@ struct list_external_parm_s {
FILE *fp;
int print_header;
int with_colons;
+ int with_chain;
};
@@ -269,6 +270,146 @@ list_cert_colon (KsbaCert cert, FILE *fp, int have_secret)
}
+/* List one certificate in standard mode */
+static void
+list_cert_std (KsbaCert cert, FILE *fp, int have_secret)
+{
+ KsbaError kerr;
+ KsbaSexp sexp;
+ char *dn;
+ time_t t;
+ int idx;
+ int is_ca, pathlen;
+ unsigned int kusage;
+ char *string, *p;
+
+ sexp = ksba_cert_get_serial (cert);
+ fputs ("Serial number: ", fp);
+ gpgsm_print_serial (fp, sexp);
+ ksba_free (sexp);
+ putc ('\n', fp);
+
+ dn = ksba_cert_get_issuer (cert, 0);
+ fputs (" Issuer: ", fp);
+ gpgsm_print_name (fp, dn);
+ ksba_free (dn);
+ putc ('\n', fp);
+ for (idx=1; (dn = ksba_cert_get_issuer (cert, idx)); idx++)
+ {
+ fputs (" aka: ", fp);
+ gpgsm_print_name (fp, dn);
+ ksba_free (dn);
+ putc ('\n', fp);
+ }
+
+ dn = ksba_cert_get_subject (cert, 0);
+ fputs (" Subject: ", fp);
+ gpgsm_print_name (fp, dn);
+ ksba_free (dn);
+ putc ('\n', fp);
+ for (idx=1; (dn = ksba_cert_get_subject (cert, idx)); idx++)
+ {
+ fputs (" aka: ", fp);
+ gpgsm_print_name (fp, dn);
+ ksba_free (dn);
+ putc ('\n', fp);
+ }
+
+ t = ksba_cert_get_validity (cert, 0);
+ fputs (" validity: ", fp);
+ gpgsm_print_time (fp, t);
+ fputs (" through ", fp);
+ t = ksba_cert_get_validity (cert, 1);
+ gpgsm_print_time (fp, t);
+ putc ('\n', fp);
+
+ kerr = ksba_cert_get_key_usage (cert, &kusage);
+ if (kerr != KSBA_No_Data)
+ {
+ fputs (" key usage:", fp);
+ if (kerr)
+ fprintf (fp, " [error: %s]", ksba_strerror (kerr));
+ else
+ {
+ if ( (kusage & KSBA_KEYUSAGE_DIGITAL_SIGNATURE))
+ fputs (" digitalSignature", fp);
+ if ( (kusage & KSBA_KEYUSAGE_NON_REPUDIATION))
+ fputs (" nonRepudiation", fp);
+ if ( (kusage & KSBA_KEYUSAGE_KEY_ENCIPHERMENT))
+ fputs (" keyEncipherment", fp);
+ if ( (kusage & KSBA_KEYUSAGE_DATA_ENCIPHERMENT))
+ fputs (" dataEncripherment", fp);
+ if ( (kusage & KSBA_KEYUSAGE_KEY_AGREEMENT))
+ fputs (" keyAgreement", fp);
+ if ( (kusage & KSBA_KEYUSAGE_KEY_CERT_SIGN))
+ fputs (" certSign", fp);
+ if ( (kusage & KSBA_KEYUSAGE_CRL_SIGN))
+ fputs (" crlSign", fp);
+ if ( (kusage & KSBA_KEYUSAGE_ENCIPHER_ONLY))
+ fputs (" encipherOnly", fp);
+ if ( (kusage & KSBA_KEYUSAGE_DECIPHER_ONLY))
+ fputs (" decipherOnly", fp);
+ }
+ putc ('\n', fp);
+ }
+
+ kerr = ksba_cert_get_cert_policies (cert, &string);
+ if (kerr != KSBA_No_Data)
+ {
+ fputs (" policies: ", fp);
+ if (kerr)
+ fprintf (fp, "[error: %s]", ksba_strerror (kerr));
+ else
+ {
+ for (p=string; *p; p++)
+ {
+ if (*p == '\n')
+ *p = ',';
+ }
+ print_sanitized_string (fp, string, 0);
+ xfree (string);
+ }
+ putc ('\n', fp);
+ }
+
+ kerr = ksba_cert_is_ca (cert, &is_ca, &pathlen);
+ if (kerr || is_ca)
+ {
+ fputs (" path length: ", fp);
+ if (kerr)
+ fprintf (fp, "[error: %s]", ksba_strerror (kerr));
+ else if (pathlen == -1)
+ fputs ("unlimited", fp);
+ else
+ fprintf (fp, "%d", pathlen);
+ putc ('\n', fp);
+ }
+
+
+ dn = gpgsm_get_fingerprint_string (cert, 0);
+ fprintf (fp, " fingerprint: %s\n", dn?dn:"error");
+ xfree (dn);
+}
+
+/* Same as standard mode mode list all certifying certts too */
+static void
+list_cert_chain (KsbaCert cert, FILE *fp)
+{
+ KsbaCert next = NULL;
+
+ list_cert_std (cert, fp, 0);
+ ksba_cert_ref (cert);
+ while (!gpgsm_walk_cert_chain (cert, &next))
+ {
+ ksba_cert_release (cert);
+ fputs ("Certified by\n", fp);
+ list_cert_std (next, fp, 0);
+ cert = next;
+ }
+ ksba_cert_release (cert);
+ putc ('\n', fp);
+}
+
/* List all internal keys or just the key given as NAMES.
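Review bot: In list_cert_std the policy string from `ksba_cert_get_cert_policies` is released with `xfree (string)`, while every other ksba-returned object in the same function (issuer and subject strings, the serial S-expression) is released with `ksba_free`; unless libksba has been set up to use gpgsm's allocator that is a mismatched free, so change it to `ksba_free (string);`. The user-visible key-usage name `" dataEncripherment"` is misspelled and should read `" dataEncipherment"` to match the X.509 bit name. list_cert_chain also prints `Certified by` for each issuer handed back by gpgsm_walk_cert_chain with no indication of whether the signature was checked, and the `have_secret` parameter of list_cert_std is never used in its body.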
@@ -380,8 +521,13 @@ list_internal_keys (CTRL ctrl, STRLIST names, FILE *fp, unsigned int mode)
{
if (ctrl->with_colons)
list_cert_colon (cert, fp, have_secret);
+ else if (ctrl->with_chain)
+ list_cert_chain (cert, fp);
else
- list_cert_colon (cert, fp, have_secret);
+ {
+ list_cert_std (cert, fp, have_secret);
+ putc ('\n', fp);
+ }
}
ksba_cert_release (cert);
cert = NULL;
@@ -416,8 +562,13 @@ list_external_cb (void *cb_value, KsbaCert cert)
if (parm->with_colons)
list_cert_colon (cert, parm->fp, 0);
+ else if (parm->with_chain)
+ list_cert_chain (cert, parm->fp);
else
- list_cert_colon (cert, parm->fp, 0);
+ {
+ list_cert_std (cert, parm->fp, 0);
+ putc ('\n', parm->fp);
+ }
}
@@ -433,6 +584,7 @@ list_external_keys (CTRL ctrl, STRLIST names, FILE *fp)
parm.fp = fp;
parm.print_header = ctrl->no_server;
parm.with_colons = ctrl->with_colons;
+ parm.with_chain = ctrl->with_chain;
rc = gpgsm_dirmngr_lookup (names, list_external_cb, &parm);
if (rc)