-rw-r--r-- | sm/ChangeLog | 7 | ||||
-rw-r--r-- | sm/certchain.c | 18 | ||||
-rw-r--r-- | sm/certcheck.c | 1 | ||||
-rw-r--r-- | sm/certpath.c | 18 | ||||
-rw-r--r-- | sm/gpgsm.c | 2 | ||||
-rw-r--r-- | sm/gpgsm.h | 3 | ||||
-rw-r--r-- | sm/keylist.c | 2 | ||||
-rw-r--r-- | sm/server.c | 6 | ||||
-rw-r--r-- | sm/sign.c | 18 |
9 files changed, 69 insertions, 6 deletions
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 167e88316..8388b3921 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,10 @@
+2002-02-25 Werner Koch <[email protected]>
+
+ * server.c (option_handler): Allow to use -2 for "send all certs
+ except the root cert".
+ * sign.c (add_certificate_list): Implement it here.
+ * certpath.c (gpgsm_is_root_cert): New.
+
 2002-02-19 Werner Koch <[email protected]>
 * certpath.c (check_cert_policy): New.
diff --git a/sm/certchain.c b/sm/certchain.c
index 0dac59acf..c3c09dcdd 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -253,6 +253,24 @@ gpgsm_walk_cert_chain (KsbaCert start, KsbaCert *r_next)
 return rc;
 }
+
+/* Check whether the CERT is a root certificate. Returns True if this
+ is the case. */
+int
+gpgsm_is_root_cert (KsbaCert cert)
+{
+ char *issuer;
+ char *subject;
+ int yes;
+
+ issuer = ksba_cert_get_issuer (cert, 0);
+ subject = ksba_cert_get_subject (cert, 0);
+ yes = (issuer && subject && !strcmp (issuer, subject));
+ xfree (issuer);
+ xfree (subject);
+ return yes;
+}
+
 int
 gpgsm_validate_path (KsbaCert cert)
diff --git a/sm/certcheck.c b/sm/certcheck.c
index 524ed26b8..28689fcae 100644
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@@ -263,3 +263,4 @@ gpgsm_create_cms_signature (KsbaCert cert, GCRY_MD_HD md, int mdalgo,
 }
+
diff --git a/sm/certpath.c b/sm/certpath.c
index 0dac59acf..c3c09dcdd 100644
--- a/sm/certpath.c
+++ b/sm/certpath.c
@@ -253,6 +253,24 @@ gpgsm_walk_cert_chain (KsbaCert start, KsbaCert *r_next)
 return rc;
 }
+
+/* Check whether the CERT is a root certificate. Returns True if this
+ is the case. */
+int
+gpgsm_is_root_cert (KsbaCert cert)
+{
+ char *issuer;
+ char *subject;
+ int yes;
+
+ issuer = ksba_cert_get_issuer (cert, 0);
+ subject = ksba_cert_get_subject (cert, 0);
+ yes = (issuer && subject && !strcmp (issuer, subject));
+ xfree (issuer);
+ xfree (subject);
+ return yes;
+}
+
 int
 gpgsm_validate_path (KsbaCert cert)
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 9927357ec..7476e6e9a 100644
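Review bot: gpgsm_is_root_cert decides "root" purely by comparing the issuer DN string with the subject DN string, which is not the same as self-signed: a self-issued CA certificate (same subject and issuer name but signed by a different CA key, as used for key rollover) would also return true and, with include-certs -2, be silently left out of the CMS object so the recipient can no longer build the chain. The function also does not verify the certificate's signature, and it returns 0 whenever either DN cannot be retrieved, which is the safe direction (the cert is then included) but is worth stating in the contract. I would replace the header comment with one that spells this out: `/* Return true if CERT looks like a root certificate, i.e. its issuer DN equals its subject DN.  This neither verifies the signature nor distinguishes self-issued (key rollover) CA certs from true roots; returns 0 if either DN is unavailable. */`. The certpath.c hunk on this page is byte-identical, so the same applies there.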
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -1239,7 +1239,7 @@ gpgsm_exit (int rc)
 void
 gpgsm_init_default_ctrl (struct server_control_s *ctrl)
 {
- ctrl->include_certs = 1;
+ ctrl->include_certs = 1; /* only include the signer's cert */
 }
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index ab2d3660d..dac0a00e2 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -170,10 +170,11 @@ int gpgsm_create_cms_signature (KsbaCert cert, GCRY_MD_HD md, int mdalgo,
 /*-- certpath.c --*/
 int gpgsm_walk_cert_chain (KsbaCert start, KsbaCert *r_next);
+int gpgsm_is_root_cert (KsbaCert cert);
 int gpgsm_validate_path (KsbaCert cert);
 int gpgsm_basic_cert_check (KsbaCert cert);
-/*-- cetrlist.c --*/
+/*-- certlist.c --*/
 int gpgsm_add_to_certlist (const char *name, CERTLIST *listaddr);
 void gpgsm_release_certlist (CERTLIST list);
 int gpgsm_find_cert (const char *name, KsbaCert *r_cert);
diff --git a/sm/keylist.c b/sm/keylist.c
index f681725b7..d3dd839d6 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -232,6 +232,8 @@ gpgsm_list_keys (CTRL ctrl, STRLIST names, FILE *fp, unsigned int mode)
 const char *lastresname, *resname;
 int have_secret;
+#warning there is no key selection yet
+
 /* We must take care of qouting here */
 hd = keydb_new (0);
 if (!hd)
 rc = GNUPG_General_Error;
diff --git a/sm/server.c b/sm/server.c
index be45060be..ebcb7f9ad 100644
--- a/sm/server.c
+++ b/sm/server.c
@@ -73,7 +73,7 @@ option_handler (ASSUAN_CONTEXT ctx, const char *key, const char *value)
 if (!strcmp (key, "include-certs"))
 {
 int i = *value? atoi (value) : -1;
- if (ctrl->include_certs < -1)
+ if (ctrl->include_certs < -2)
 return ASSUAN_Parameter_Error;
 ctrl->include_certs = i;
 }
@@ -369,6 +369,10 @@ cmd_message (ASSUAN_CONTEXT ctx, char *line)
 return 0;
 }
+
+/* Note that the line contains a space separated list of pappern where
+ each pappern is percent escaped and spacesmay be replaced by
+ '+'. */
 static int
 cmd_listkeys (ASSUAN_CONTEXT ctx, char *line)
 {
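Review bot: The range check in the include-certs branch of option_handler tests the stale field ctrl->include_certs rather than the freshly parsed value i, so the new value is stored unchecked and changing the bound from -1 to -2 has no observable effect; it should read `if (i < -2)`. As the sign.c hunk on this page shows, any negative value is later clamped to 50, and a non-numeric string makes atoi yield 0 (send no certs), so the consequence is wrong behaviour rather than memory unsafety, but an Assuan client should still receive ASSUAN_Parameter_Error for out-of-range or garbage input. Parsing with strtol and rejecting trailing characters, e.g. `if (*value && (*end || i < -2)) return ASSUAN_Parameter_Error;`, would close both gaps. option_handler's body continues outside the hunk.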
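Review bot: The new comment above cmd_listkeys has typos that obscure its meaning: "pappern" should be "pattern" and "spacesmay" should be "spaces may". I would write it as `/* Note that LINE contains a space separated list of patterns where each pattern is percent escaped and spaces may be replaced by '+'. */`. cmd_listkeys's body continues outside the hunk.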
@@ -103,7 +103,7 @@ get_default_signer (void)
 }
-/* Depending on the options in CTRL add the certifcate CERT as well as
+/* Depending on the options in CTRL add the certificate CERT as well as
 other certificate up in the chain to the Root-CA to the CMS object. */
 static int
@@ -113,22 +113,34 @@ add_certificate_list (CTRL ctrl, KsbaCMS cms, KsbaCert cert)
 int rc = 0;
 KsbaCert next = NULL;
 int n;
+ int not_root = 0;
 ksba_cert_ref (cert);
 n = ctrl->include_certs;
+ if (n == -2)
+ {
+ not_root = 1;
+ n = -1;
+ }
 if (n < 0 || n > 50)
 n = 50; /* We better apply an upper bound */
 if (n)
 {
- err = ksba_cms_add_cert (cms, cert);
+ if (not_root && gpgsm_is_root_cert (cert))
+ err = 0;
+ else
+ err = ksba_cms_add_cert (cms, cert);
 if (err)
 goto ksba_failure;
 }
 while ( n-- && !(rc = gpgsm_walk_cert_chain (cert, &next)) )
 {
- err = ksba_cms_add_cert (cms, next);
+ if (not_root && gpgsm_is_root_cert (next))
+ err = 0;
+ else
+ err = ksba_cms_add_cert (cms, next);
 ksba_cert_release (cert);
 cert = next; next = NULL;
 if (err) |