authorWerner Koch <wk@gnupg.org>2007-08-24 11:34:39 +0200
committerWerner Koch <wk@gnupg.org>2007-08-24 11:34:39 +0200
commit503f91e0aea99fe09064e29ec9df1ded1a3bd3c3 (patch)
treee3dd4b252d6d05a5aa15aea799ab9447ea74ccbd
parentAdd new features to kbxutil. (diff)
Try harder to ignore duplicate specified keyrings and -boxes.
Documentation updates.
-rw-r--r--NEWS5
-rw-r--r--doc/ChangeLog5
-rw-r--r--doc/debugging.texi19
-rw-r--r--doc/gpg-agent.texi4
-rw-r--r--g10/ChangeLog4
-rw-r--r--g10/keyring.c4
-rw-r--r--jnlib/ChangeLog6
-rw-r--r--jnlib/mischelp.c59
-rw-r--r--jnlib/mischelp.h7
-rw-r--r--jnlib/stringhelp.c7
-rw-r--r--kbx/ChangeLog4
-rw-r--r--kbx/keybox-init.c7
-rw-r--r--tests/samplekeys/README3
-rw-r--r--tests/samplekeys/gte.pem19
14 files changed, 137 insertions, 16 deletions
diff --git a/NEWS b/NEWS
index 689c8ede7..d36033402 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
Noteworthy changes in version 2.0.7
------------------------------------------------
+ * Fixed encryption problem if duplicate certificates are in the
+ keybox.
+
+ * Made it work on Windows Vista.
+
Noteworthy changes in version 2.0.6 (2007-08-16)
------------------------------------------------
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 07c497cc7..d4ade07d9 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,8 @@
+2007-08-24 Werner Koch <wk@g10code.com>
+
+ * debugging.texi (Common Problems): Add "A root certifciate does
+ not validate."
+
2007-08-14 Werner Koch <wk@g10code.com>
* glossary.texi (Glossary): Add a more items.
diff --git a/doc/debugging.texi b/doc/debugging.texi
index e1a62d7eb..fb27b2710 100644
--- a/doc/debugging.texi
+++ b/doc/debugging.texi
@@ -77,6 +77,13 @@ are flagges as ephemeral, meaning that they are only temporary stored
provided by @command{gpgsm} or @command{gpg}. 81 certifcates are stored
in a standard way and directly available from @command{gpgsm}.
+@noindent
+To find duplicated certificates and keyblocks in a keybox file (this
+should not occur but sometimes things go wrong), run it using
+
+@samp{kbxutil --find-dups ~/.gnupg/pubring.kbx}
+
+
@@ -165,6 +172,18 @@ stored private keys because some private keys are used for Secure Shell
or other purposes and don't have a corresponding certificate.
+@item A root certificate does not verify
+
+A common problem is that the root certificate misses the required
+basicConstrains attribute and thus @command{gpgsm} rejects this
+certificate. An error message indicating ``no value'' is a sign for
+such a certificate. You may use the @code{relax} flag in
+@file{trustlist.txt} to accept the certificate anyway. Note that the
+fingerprint and this flag may only be added manually to
+@file{trustlist.txt}.
+
+
+
@end itemize
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 829530bd8..156fe533e 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -502,7 +502,9 @@ caller:
@table @code
@item relax
-Relax checking of some root certificate requirements.
+Relax checking of some root certificate requirements. This is for
+example required if the certificate is missing the basicConstraints
+attribute (despite that it is a MUST for CA certificates).
@item cm
If validation of a certificate finally issued by a CA with this flag set
diff --git a/g10/ChangeLog b/g10/ChangeLog
index be41ada5a..90501d090 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,7 @@
+2007-08-24 Werner Koch <wk@g10code.com>
+
+ * keyring.c (keyring_register_filename): Use same_file_p().
+
2007-08-21 Werner Koch <wk@g10code.com>
* misc.c (openpgp_md_test_algo): Remove rfc2440bis hash algorithms.
diff --git a/g10/keyring.c b/g10/keyring.c
index 67ac018c6..937502ab2 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -206,10 +206,10 @@ keyring_register_filename (const char *fname, int secret, void **ptr)
for (kr=kr_names; kr; kr = kr->next)
{
- if ( !compare_filenames (kr->fname, fname) )
+ if (same_file_p (kr->fname, fname))
{
*ptr=kr;
- return 0; /* already registered */
+ return 0; /* Already registered. */
}
}
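Review bot: The new `same_file_p (kr->fname, fname)` test only recognises a duplicate when both paths already exist, because beyond the string shortcut it depends on `stat()` (or `CreateFile` on Windows) succeeding for both names. A keyring named twice under different spellings before it has been created would, as far as this diff shows, still be registered twice; whether such names reach this loop is not visible here. A comment above the check such as `/* Note: differently spelled names of a not yet existing file are not detected. */` would document the limit, and the same applies to the loop in keybox_register_file in kbx/keybox-init.c. The function body continues outside the hunk.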
diff --git a/jnlib/ChangeLog b/jnlib/ChangeLog
index c7722876b..1d0adec0e 100644
--- a/jnlib/ChangeLog
+++ b/jnlib/ChangeLog
@@ -1,3 +1,9 @@
+2007-08-24 Werner Koch <wk@g10code.com>
+
+ * mischelp.c (same_file_p): New.
+ (libjnlib_dummy_mischelp_func): Remove as we now always have one
+ function.
+
2007-08-09 Werner Koch <wk@g10code.com>
* argparse.c (show_help): Expand the @EMAIL@ macro in the package
diff --git a/jnlib/mischelp.c b/jnlib/mischelp.c
index b2248288e..f7df5c154 100644
--- a/jnlib/mischelp.c
+++ b/jnlib/mischelp.c
@@ -1,5 +1,5 @@
/* mischelp.c - Miscellaneous helper functions
- * Copyright (C) 1998, 2000, 2001, 2006 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 2000, 2001, 2006, 2007 Free Software Foundation, Inc.
*
* This file is part of JNLIB.
*
@@ -21,16 +21,63 @@
#include <stdlib.h>
#include <string.h>
#include <time.h>
+#ifdef HAVE_W32_SYSTEM
+# define WIN32_LEAN_AND_MEAN
+# include <windows.h>
+#else /*!HAVE_W32_SYSTEM*/
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <unistd.h>
+#endif /*!HAVE_W32_SYSTEM*/
#include "libjnlib-config.h"
+#include "stringhelp.h"
#include "mischelp.h"
-/* A dummy function to prevent an empty compilation unit. Some
- compilers bail out in this case. */
-time_t
-libjnlib_dummy_mischelp_func (void)
+
+/* Check whether the files NAME1 and NAME2 are identical. This is for
+ example achieved by comparing the inode numbers of the files. */
+int
+same_file_p (const char *name1, const char *name2)
{
- return time (NULL);
+ int yes;
+
+ /* First try a shortcut. */
+ if (!compare_filenames (name1, name2))
+ yes = 1;
+ else
+ {
+#ifdef HAVE_W32_SYSTEM
+ HANDLE file1, file2;
+ BY_HANDLE_FILE_INFORMATION info1, info2;
+
+ file1 = CreateFile (name1, 0, 0, NULL, OPEN_EXISTING, 0, NULL);
+ if (file1 == INVALID_HANDLE_VALUE)
+ yes = 0; /* If we can't open the file, it is not the same. */
+ else
+ {
+ file2 = CreateFile (name2, 0, 0, NULL, OPEN_EXISTING, 0, NULL);
+ if (file1 == INVALID_HANDLE_VALUE)
+ yes = 0; /* If we can't open the file, it is not the same. */
+ else
+ {
+ yes = (GetFileInformationByHandle (file1, &info1)
+ && GetFileInformationByHandle (file2, &info2)
+ && info1.dwVolumeSerialNumber==info2.dwVolumeSerialNumber
+ && info1.nFileIndexHigh == info2.nFileIndexHigh
+ && info1.nFileIndexLow == info2.nFileIndexLow);
+ CloseHandle (file2);
+ }
+ CloseHandle (file1);
+ }
+#else /*!HAVE_W32_SYSTEM*/
+ struct stat info1, info2;
+
+ yes = (!stat (name1, &info1) && !stat (name2, &info2)
+ && info1.st_dev == info2.st_dev && info1.st_ino == info2.st_ino);
+#endif /*!HAVE_W32_SYSTEM*/
+ }
+ return yes;
}
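Review bot: In the Windows branch of same_file_p the result of the second `CreateFile` is never checked, because the test after opening `name2` compares `file1` again. A failed open of `name2` therefore falls through to `GetFileInformationByHandle (file2, &info2)` and `CloseHandle (file2)` with an invalid handle; the result is still 0 only because the query fails. The check should read `if (file2 == INVALID_HANDLE_VALUE)`. Separately, the comparison is a point-in-time check on path names, so it suits dropping duplicate keyring arguments but should not be relied on where a file could be replaced between this check and a later open.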
diff --git a/jnlib/mischelp.h b/jnlib/mischelp.h
index a00764106..2f003e1ce 100644
--- a/jnlib/mischelp.h
+++ b/jnlib/mischelp.h
@@ -1,6 +1,6 @@
/* mischelp.h - Miscellaneous helper macros and functions
* Copyright (C) 1999, 2000, 2001, 2002, 2003,
- * 2006 Free Software Foundation, Inc.
+ * 2006, 2007 Free Software Foundation, Inc.
*
* This file is part of JNLIB.
*
@@ -22,6 +22,11 @@
#define LIBJNLIB_MISCHHELP_H
+/* Check whether the files NAME1 and NAME2 are identical. This is for
+ example achieved by comparing the inode numbers of the files. */
+int same_file_p (const char *name1, const char *name2);
+
+
#ifndef HAVE_TIMEGM
#include <time.h>
time_t timegm (struct tm *tm);
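Review bot: The comment on the new `same_file_p` prototype does not say what the function returns, and its sense is the reverse of compare_filenames, which the call sites used to negate. I would add a sentence such as `Returns true if both names refer to the same file and false if they differ or if either file cannot be opened.` so that later callers do not carry over a stray `!`.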
diff --git a/jnlib/stringhelp.c b/jnlib/stringhelp.c
index b1f6f73db..e7fd0ce45 100644
--- a/jnlib/stringhelp.c
+++ b/jnlib/stringhelp.c
@@ -338,11 +338,14 @@ make_filename( const char *first_part, ... )
}
+/* Compare whether the filenames are identical. This is a
+ specialversion of strcmp() taking the semantics of filenames in
+ account. Note that this function works only on the supplied names
+ without considereing any context like the current directory. See
+ also same_file_p(). */
int
compare_filenames (const char *a, const char *b)
{
- /* ? check whether this is an absolute filename and resolve
- symlinks? */
#ifdef HAVE_DRIVE_LETTERS
for ( ; *a && *b; a++, b++ )
{
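Review bot: The comment added above compare_filenames has two typos, `specialversion` and `considereing`; it should read `special version of strcmp()` and `without considering any context`. The function body continues outside the hunk.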
diff --git a/kbx/ChangeLog b/kbx/ChangeLog
index edcf917fd..f7c79ee1a 100644
--- a/kbx/ChangeLog
+++ b/kbx/ChangeLog
@@ -1,3 +1,7 @@
+2007-08-24 Werner Koch <wk@g10code.com>
+
+ * keybox-init.c (keybox_register_file): Use same_file_p.
+
2007-08-23 Werner Koch <wk@g10code.com>
* kbxutil.c: New commands --find-dups and --cut. New options
diff --git a/kbx/keybox-init.c b/kbx/keybox-init.c
index ea95c5f67..fcf3c7cee 100644
--- a/kbx/keybox-init.c
+++ b/kbx/keybox-init.c
@@ -24,10 +24,9 @@
#include <unistd.h>
#include <assert.h>
+#include "../jnlib/mischelp.h"
#include "keybox-defs.h"
-#define compare_filenames strcmp
-
static KB_NAME kb_names;
@@ -42,8 +41,8 @@ keybox_register_file (const char *fname, int secret)
for (kr=kb_names; kr; kr = kr->next)
{
- if ( !compare_filenames (kr->fname, fname) )
- return NULL; /* already registered */
+ if (same_file_p (kr->fname, fname) )
+ return NULL; /* Already registered. */
}
kr = xtrymalloc (sizeof *kr + strlen (fname));
diff --git a/tests/samplekeys/README b/tests/samplekeys/README
index 0e8877907..57ece0dcd 100644
--- a/tests/samplekeys/README
+++ b/tests/samplekeys/README
@@ -13,5 +13,8 @@ webderoot.der trust.web.de Root CA certificate [2004-02-17]
webdeca.der trust.web.de CA certificate [2004-02-17]
+gte.pem GTE CyberTrust Global Root
+
+
diff --git a/tests/samplekeys/gte.pem b/tests/samplekeys/gte.pem
new file mode 100644
index 000000000..fd6ae9f5f
--- /dev/null
+++ b/tests/samplekeys/gte.pem
@@ -0,0 +1,19 @@
+Issuer ...: /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions, Inc./O=GTE Corporation/C=US
+Serial ...: 01A5
+Subject ..: /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions, Inc./O=GTE Corporation/C=US
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----