authorWerner Koch <wk@gnupg.org>2002-09-19 14:59:57 +0200
committerWerner Koch <wk@gnupg.org>2002-09-19 14:59:57 +0200
commit8bd507e5a2952d88c09fd3393b93d50960818e50 (patch)
tree2094bc1dbf163716a27c4f667b11c526c06cb508 /sm
parentFrom stable branch (diff)
* certcheck.c (gpgsm_check_cert_sig): Add cert hash debugging.NEWPG-0-9-2
* certchain.c (find_up): Print info when the cert was not found by the authorityKeyIdentifier.
Diffstat (limited to 'sm')
-rw-r--r--sm/ChangeLog7
-rw-r--r--sm/certchain.c19
-rw-r--r--sm/certcheck.c12
3 files changed, 35 insertions, 3 deletions
diff --git a/sm/ChangeLog b/sm/ChangeLog
index a33416118..8e11e0ddf 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,10 @@
+2002-09-19 Werner Koch <wk@gnupg.org>
+
+ * certcheck.c (gpgsm_check_cert_sig): Add cert hash debugging.
+
+ * certchain.c (find_up): Print info when the cert was not found
+ by the autorithyKeyIdentifier.
+
2002-09-03 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Disable the internal libgcrypt locking.
diff --git a/sm/certchain.c b/sm/certchain.c
index 8ebd8c023..b01398f18 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -237,6 +237,19 @@ find_up (KEYDB_HANDLE kh, KsbaCert cert, const char *issuer)
keydb_set_ephemeral (kh, old);
}
}
+ /* print a note so that the user does not feel too helpless when
+ an issuer certificate was found and gpgsm prints BAD
+ signature becuase it is not the correct one. */
+ if (rc == -1)
+ {
+ log_info ("issuer certificate (#");
+ gpgsm_dump_serial (authidno);
+ log_printf ("/");
+ gpgsm_dump_string (s);
+ log_printf (") not found\n");
+ }
+ else if (rc)
+ log_error ("failed to find authorityKeyIdentifier: rc=%d\n", rc);
ksba_name_release (authid);
xfree (authidno);
/* Fixme: don't know how to do dirmngr lookup with serial+issuer. */
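Review bot: The message in the added `else if (rc)` branch, `failed to find authorityKeyIdentifier`, names the wrong failure: `authid` and `authidno` are already in use here, so the extension was apparently read and what failed is the key database search for the issuer. Wording such as `log_error ("failed to look up issuer by authorityKeyIdentifier: rc=%d\n", rc);` would point whoever reads the log at the right step. The new block also follows two closing braces, which suggests it sits outside the conditional that ran the search; if so, `rc == -1` may be left over from before any search and `s` reaches `gpgsm_dump_string` without a visible check, so confirm that helper accepts NULL or move the block inside the guard. Both dumped values are taken from the certificate under validation, so the dump helpers must escape control characters before the text reaches the log. find_up starts and ends outside this hunk, so the declarations of `rc` and `s` cannot be checked here.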
@@ -267,7 +280,7 @@ find_up (KEYDB_HANDLE kh, KsbaCert cert, const char *issuer)
log_info (_("looking up issuer at external location\n"));
/* dirmngr is confused about unknown attributes so has a quick
and ugly hack we locate the CN and use this and the
- following. Fixme: we should have far ebtter parsing in the
+ following. Fixme: we should have far better parsing in the
dirmngr. */
s = strstr (issuer, "CN=");
if (!s || s == issuer || s[-1] != ',')
@@ -588,7 +601,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime)
{
if (rc == -1)
{
- log_info ("issuer certificate (");
+ log_info ("issuer certificate (#/");
gpgsm_dump_string (issuer);
log_printf (") not found\n");
}
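Review bot: The `(#/` literal in gpgsm_validate_chain, and again in gpgsm_basic_cert_check in the next hunk, stands for an empty serial number so the line matches the `(#serial/issuer)` form that find_up now prints, but nothing in the code says so. A short comment such as `/* No serial known here; "#/" keeps the format used by find_up. */` would stop a later reader from treating it as a typo. The same log_info / dump / log_printf sequence now exists in three places, so a small static helper taking an optional serial would keep the formats from drifting apart. Both functions continue outside their hunks.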
@@ -735,7 +748,7 @@ gpgsm_basic_cert_check (KsbaCert cert)
{
if (rc == -1)
{
- log_info ("issuer certificate (");
+ log_info ("issuer certificate (#/");
gpgsm_dump_string (issuer);
log_printf (") not found\n");
}
diff --git a/sm/certcheck.c b/sm/certcheck.c
index 4700fe723..37d2b00df 100644
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@@ -123,6 +123,8 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
log_error ("md_open failed: %s\n", gcry_strerror (-1));
return GNUPG_General_Error;
}
+ if (DBG_HASHING)
+ gcry_md_start_debug (md, "hash.cert");
rc = ksba_cert_hash (cert, 1, HASH_FNC, md);
if (rc)
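Review bot: The `gcry_md_start_debug (md, "hash.cert")` call needs a comment saying what it produces and where, because the side effect is a file on disk rather than a log line. As far as I know libgcrypt writes every byte fed to the digest into a file whose name is built from a counter and this suffix, created in the process's current working directory; please confirm against the libgcrypt version in use. A comment like `/* Debug only: libgcrypt dumps the hashed data to a file in the cwd; run from a private directory. */` would record that, since a predictable name in a shared directory can collide with or overwrite an existing file. gpgsm_check_cert_sig continues outside this hunk, so whether the debug stream is closed on the error returns is not visible here.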
@@ -142,6 +144,15 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
ksba_free (p);
return GNUPG_Bug;
}
+ if (DBG_X509)
+ {
+ int j;
+ log_debug ("signature value:");
+ for (j=0; j < n; j++)
+ log_printf (" %02X", p[j]);
+ log_printf ("\n");
+ }
+
rc = gcry_sexp_sscan ( &s_sig, NULL, p, n);
ksba_free (p);
if (rc)
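Review bot: The hex dump loop compares `int j` against `n` and passes `p[j]` straight to `%02X`, and both depend on declarations outside this hunk. If `n` is a `size_t` the comparison mixes signed and unsigned, and if `p` points to plain `char` any byte of 0x80 or above is sign-extended and printed as eight hex digits, which makes the dumped signature value misleading when debugging a verification failure. Declaring `size_t j;` and printing `log_printf (" %02X", (unsigned char)p[j]);` removes both problems regardless of how `p` is declared. The dump runs after the length check that returns GNUPG_Bug, so `n` is already bounded at this point.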
@@ -184,6 +195,7 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) )
BUG ();
gcry_mpi_release (frame);
+
rc = gcry_pk_verify (s_sig, s_hash, s_pkey);
if (DBG_CRYPTO)