summaryrefslogtreecommitdiffstats
path: root/sm/keylist.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-18 21:21:03 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-18 21:21:03 +0000
commit3675f65888fde5fddde20ff811638a338bf08ca6 (patch)
tree065688bbb6355a8a4784ec9c8e112cec342eac5e /sm/keylist.c
parentAdding upstream version 2.2.40. (diff)
downloadgnupg2-3675f65888fde5fddde20ff811638a338bf08ca6.tar.xz
gnupg2-3675f65888fde5fddde20ff811638a338bf08ca6.zip
Adding upstream version 2.2.43.upstream/2.2.43upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'sm/keylist.c')
-rw-r--r--sm/keylist.c53
1 files changed, 30 insertions, 23 deletions
diff --git a/sm/keylist.c b/sm/keylist.c
index 2d51aa7..4e2d999 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -247,7 +247,7 @@ print_key_data (ksba_cert_t cert, estream_t fp)
}
static void
-print_capabilities (ksba_cert_t cert, estream_t fp)
+print_capabilities (ksba_cert_t cert, int algo, estream_t fp)
{
gpg_error_t err;
unsigned int use;
@@ -299,7 +299,7 @@ print_capabilities (ksba_cert_t cert, estream_t fp)
/* We need to returned the faked key usage to frontends so that they
* can select the right key. Note that we don't do this for the
* human readable keyUsage. */
- if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR)
+ if ((algo == GCRY_PK_ECC || (opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR))
&& (use & KSBA_KEYUSAGE_KEY_AGREEMENT))
is_encr = 1;
@@ -375,14 +375,14 @@ email_kludge (const char *name)
* number. NBITS is the length of the key in bits. */
static void
print_compliance_flags (ksba_cert_t cert, int algo, unsigned int nbits,
- estream_t fp)
+ const char *curvename, estream_t fp)
{
int hashalgo;
/* Note that we do not need to test for PK_ALGO_FLAG_RSAPSS because
* that is not a property of the key but one of the created
* signature. */
- if (gnupg_pk_is_compliant (CO_DE_VS, algo, 0, NULL, nbits, NULL))
+ if (gnupg_pk_is_compliant (CO_DE_VS, algo, 0, NULL, nbits, curvename))
{
hashalgo = gcry_md_map_name (ksba_cert_get_digest_algo (cert));
if (gnupg_digest_is_compliant (CO_DE_VS, hashalgo))
@@ -408,13 +408,15 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
gpg_error_t valerr;
int algo;
unsigned int nbits;
+ char *curve = NULL;
const char *chain_id;
char *chain_id_buffer = NULL;
int is_root = 0;
char *kludge_uid;
if (ctrl->with_validation)
- valerr = gpgsm_validate_chain (ctrl, cert, "", NULL, 1, NULL, 0, NULL);
+ valerr = gpgsm_validate_chain (ctrl, cert,
+ GNUPG_ISOTIME_NONE, NULL, 1, NULL, 0, NULL);
else
valerr = 0;
@@ -432,8 +434,9 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
chain_id = chain_id_buffer;
ksba_cert_release (next);
}
- else if (rc == -1) /* We have reached the root certificate. */
+ else if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
{
+ /* We have reached the root certificate. */
chain_id = fpr;
is_root = 1;
}
@@ -469,6 +472,8 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
{
if (gpgsm_cert_has_well_known_private_key (cert))
*truststring = 'w'; /* Well, this is dummy CA. */
+ else if (gpg_err_code (valerr) == GPG_ERR_NOT_TRUSTED)
+ *truststring = 'n'; /* Likely the root cert is not trusted. */
else
*truststring = 'i';
}
@@ -499,7 +504,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
if (*truststring)
es_fputs (truststring, fp);
- algo = gpgsm_get_key_algo_info (cert, &nbits);
+ algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
es_fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);
ksba_cert_get_validity (cert, 0, t);
@@ -538,7 +543,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
/* Field 11, signature class - not used */
es_putc (':', fp);
/* Field 12, capabilities: */
- print_capabilities (cert, fp);
+ print_capabilities (cert, algo, fp);
es_putc (':', fp);
/* Field 13, not used: */
es_putc (':', fp);
@@ -563,8 +568,10 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
}
es_putc (':', fp); /* End of field 15. */
es_putc (':', fp); /* End of field 16. */
+ if (curve)
+ es_fputs (curve, fp);
es_putc (':', fp); /* End of field 17. */
- print_compliance_flags (cert, algo, nbits, fp);
+ print_compliance_flags (cert, algo, nbits, curve, fp);
es_putc (':', fp); /* End of field 18. */
es_putc ('\n', fp);
@@ -626,6 +633,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
xfree (p);
}
xfree (kludge_uid);
+ xfree (curve);
}
@@ -829,12 +837,11 @@ list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd,
es_fprintf (fp, " hashAlgo: %s%s%s%s\n", oid, s?" (":"",s?s:"",s?")":"");
{
- const char *algoname;
- unsigned int nbits;
+ char *algostr;
- algoname = gcry_pk_algo_name (gpgsm_get_key_algo_info (cert, &nbits));
- es_fprintf (fp, " keyType: %u bit %s\n",
- nbits, algoname? algoname:"?");
+ algostr = gpgsm_pubkey_algo_string (cert, NULL);
+ es_fprintf (fp, " keyType: %s\n", algostr? algostr : "[error]");
+ xfree (algostr);
}
/* subjectKeyIdentifier */
@@ -1103,7 +1110,8 @@ list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd,
if (with_validation)
{
- err = gpgsm_validate_chain (ctrl, cert, "", NULL, 1, fp, 0, NULL);
+ err = gpgsm_validate_chain (ctrl, cert,
+ GNUPG_ISOTIME_NONE, NULL, 1, fp, 0, NULL);
if (!err)
es_fprintf (fp, " [certificate is good]\n");
else
@@ -1192,15 +1200,13 @@ list_cert_std (ctrl_t ctrl, ksba_cert_t cert, estream_t fp, int have_secret,
{
- const char *algoname;
- unsigned int nbits;
+ char *algostr;
- algoname = gcry_pk_algo_name (gpgsm_get_key_algo_info (cert, &nbits));
- es_fprintf (fp, " key type: %u bit %s\n",
- nbits, algoname? algoname:"?");
+ algostr = gpgsm_pubkey_algo_string (cert, NULL);
+ es_fprintf (fp, " key type: %s\n", algostr? algostr : "[error]");
+ xfree (algostr);
}
-
err = ksba_cert_get_key_usage (cert, &kusage);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{
@@ -1352,7 +1358,8 @@ list_cert_std (ctrl_t ctrl, ksba_cert_t cert, estream_t fp, int have_secret,
size_t buflen;
char buffer[1];
- err = gpgsm_validate_chain (ctrl, cert, "", NULL, 1, fp, 0, NULL);
+ err = gpgsm_validate_chain (ctrl, cert,
+ GNUPG_ISOTIME_NONE, NULL, 1, fp, 0, NULL);
tmperr = ksba_cert_get_user_data (cert, "is_qualified",
&buffer, sizeof (buffer), &buflen);
if (!tmperr && buflen)
@@ -1586,7 +1593,7 @@ list_internal_keys (ctrl_t ctrl, strlist_t names, estream_t fp,
lastcert = cert;
cert = NULL;
}
- if (gpg_err_code (rc) == GPG_ERR_EOF || rc == -1 )
+ if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
rc = 0;
if (rc)
log_error ("keydb_search failed: %s\n", gpg_strerror (rc));