1
/* certlist.c - build list of certificates
2
* Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc.
4
* This file is part of GnuPG.
6
* GnuPG is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* GnuPG is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
38
static const char oid_kp_serverAuth[] = "1.3.6.1.5.5.7.3.1";
39
static const char oid_kp_clientAuth[] = "1.3.6.1.5.5.7.3.2";
40
static const char oid_kp_codeSigning[] = "1.3.6.1.5.5.7.3.3";
41
static const char oid_kp_emailProtection[]= "1.3.6.1.5.5.7.3.4";
42
static const char oid_kp_timeStamping[] = "1.3.6.1.5.5.7.3.8";
43
static const char oid_kp_ocspSigning[] = "1.3.6.1.5.5.7.3.9";
45
/* Return 0 if the cert is usable for encryption. A MODE of 0 checks
46
for signing a MODE of 1 checks for encryption, a MODE of 2 checks
47
for verification and a MODE of 3 for decryption (just for
48
debugging). MODE 4 is for certificate signing, MODE for COSP
51
cert_usage_p (ksba_cert_t cert, int mode)
56
int have_ocsp_signing = 0;
58
err = ksba_cert_get_ext_key_usages (cert, &extkeyusages);
59
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
60
err = 0; /* no policy given */
63
unsigned int extusemask = ~0; /* Allow all. */
73
while (p && (pend=strchr (p, ':')))
76
/* Only care about critical flagged usages. */
80
if ( !strcmp (p, oid_kp_serverAuth))
81
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE
82
| KSBA_KEYUSAGE_KEY_ENCIPHERMENT
83
| KSBA_KEYUSAGE_KEY_AGREEMENT);
84
else if ( !strcmp (p, oid_kp_clientAuth))
85
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE
86
| KSBA_KEYUSAGE_KEY_AGREEMENT);
87
else if ( !strcmp (p, oid_kp_codeSigning))
88
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE);
89
else if ( !strcmp (p, oid_kp_emailProtection))
90
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE
91
| KSBA_KEYUSAGE_NON_REPUDIATION
92
| KSBA_KEYUSAGE_KEY_ENCIPHERMENT
93
| KSBA_KEYUSAGE_KEY_AGREEMENT);
94
else if ( !strcmp (p, oid_kp_timeStamping))
95
extusemask |= (KSBA_KEYUSAGE_DIGITAL_SIGNATURE
96
| KSBA_KEYUSAGE_NON_REPUDIATION);
99
/* This is a hack to cope with OCSP. Note that we do
100
not yet fully comply with the requirements and that
101
the entire CRL/OCSP checking thing should undergo a
102
thorough review and probably redesign. */
103
if ( !strcmp (p, oid_kp_ocspSigning))
104
have_ocsp_signing = 1;
106
if ((p = strchr (pend, '\n')))
109
xfree (extkeyusages);
113
extusemask = ~0; /* Reset to the don't care mask. */
117
err = ksba_cert_get_key_usage (cert, &use);
118
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
121
if (opt.verbose && mode < 2)
122
log_info (_("no key usage specified - assuming all usages\n"));
126
/* Apply extKeyUsage. */
132
log_error (_("error getting key usage information: %s\n"),
134
xfree (extkeyusages);
140
if ((use & (KSBA_KEYUSAGE_KEY_CERT_SIGN)))
142
log_info (_("certificate should have not "
143
"been used for certification\n"));
144
return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
150
&& (have_ocsp_signing
151
|| (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
152
|KSBA_KEYUSAGE_CRL_SIGN))))
154
log_info (_("certificate should have not "
155
"been used for OCSP response signing\n"));
156
return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
159
if ((use & ((mode&1)?
160
(KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT):
161
(KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
165
log_info (mode==3? _("certificate should have not been used for encryption\n"):
166
mode==2? _("certificate should have not been used for signing\n"):
167
mode==1? _("certificate is not usable for encryption\n"):
168
_("certificate is not usable for signing\n"));
169
return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
173
/* Return 0 if the cert is usable for signing */
175
gpgsm_cert_use_sign_p (ksba_cert_t cert)
177
return cert_usage_p (cert, 0);
181
/* Return 0 if the cert is usable for encryption */
183
gpgsm_cert_use_encrypt_p (ksba_cert_t cert)
185
return cert_usage_p (cert, 1);
189
gpgsm_cert_use_verify_p (ksba_cert_t cert)
191
return cert_usage_p (cert, 2);
195
gpgsm_cert_use_decrypt_p (ksba_cert_t cert)
197
return cert_usage_p (cert, 3);
201
gpgsm_cert_use_cert_p (ksba_cert_t cert)
203
return cert_usage_p (cert, 4);
207
gpgsm_cert_use_ocsp_p (ksba_cert_t cert)
209
return cert_usage_p (cert, 5);
214
same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert)
216
char *subject2 = ksba_cert_get_subject (cert, 0);
217
char *issuer2 = ksba_cert_get_subject (cert, 0);
220
tmp = (subject && subject2
221
&& !strcmp (subject, subject2)
223
&& !strcmp (issuer, issuer2));
229
/* Return true if CERT is already contained in CERTLIST. */
231
is_cert_in_certlist (ksba_cert_t cert, certlist_t certlist)
233
const unsigned char *img_a, *img_b;
236
img_a = ksba_cert_get_image (cert, &len_a);
239
for ( ; certlist; certlist = certlist->next)
241
img_b = ksba_cert_get_image (certlist->cert, &len_b);
242
if (img_b && len_a == len_b && !memcmp (img_a, img_b, len_a))
243
return 1; /* Already contained. */
250
/* Add CERT to the list of certificates at CERTADDR but avoid
253
gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert,
254
certlist_t *listaddr, int is_encrypt_to)
256
if (!is_cert_in_certlist (cert, *listaddr))
258
certlist_t cl = xtrycalloc (1, sizeof *cl);
260
return OUT_OF_CORE (errno);
262
ksba_cert_ref (cert);
263
cl->next = *listaddr;
264
cl->is_encrypt_to = is_encrypt_to;
270
/* Add a certificate to a list of certificate and make sure that it is
271
a valid certificate. With SECRET set to true a secret key must be
272
available for the certificate. IS_ENCRYPT_TO sets the corresponding
273
flag in the new create LISTADDR item. */
275
gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
276
CERTLIST *listaddr, int is_encrypt_to)
279
KEYDB_SEARCH_DESC desc;
280
KEYDB_HANDLE kh = NULL;
281
ksba_cert_t cert = NULL;
283
rc = keydb_classify_name (name, &desc);
288
rc = gpg_error (GPG_ERR_ENOMEM);
292
char *subject = NULL;
296
rc = keydb_search (kh, &desc, 1);
298
rc = keydb_get_cert (kh, &cert);
301
rc = secret? gpgsm_cert_use_sign_p (cert)
302
: gpgsm_cert_use_encrypt_p (cert);
303
if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
305
/* There might be another certificate with the
306
correct usage, so we try again */
308
{ /* save the first match */
310
subject = ksba_cert_get_subject (cert, 0);
311
issuer = ksba_cert_get_subject (cert, 0);
312
ksba_cert_release (cert);
316
else if (same_subject_issuer (subject, issuer, cert))
319
ksba_cert_release (cert);
328
/* We want the error code from the first match in this case. */
329
if (rc && wrong_usage)
335
rc = keydb_search (kh, &desc, 1);
340
ksba_cert_t cert2 = NULL;
342
/* We have to ignore ambigious names as long as
343
there only fault is a bad key usage */
344
if (!keydb_get_cert (kh, &cert2))
346
int tmp = (same_subject_issuer (subject, issuer, cert2)
348
secret? gpgsm_cert_use_sign_p (cert2)
349
: gpgsm_cert_use_encrypt_p (cert2)
351
) == GPG_ERR_WRONG_KEY_USAGE));
352
ksba_cert_release (cert2);
356
rc = gpg_error (GPG_ERR_AMBIGUOUS_NAME);
362
if (!rc && !is_cert_in_certlist (cert, *listaddr))
368
rc = gpg_error (GPG_ERR_NO_SECKEY);
369
p = gpgsm_get_keygrip_hexstring (cert);
372
if (!gpgsm_agent_havekey (ctrl, p))
378
rc = gpgsm_validate_chain (ctrl, cert, NULL, 0, NULL, 0);
381
CERTLIST cl = xtrycalloc (1, sizeof *cl);
383
rc = OUT_OF_CORE (errno);
386
cl->cert = cert; cert = NULL;
387
cl->next = *listaddr;
388
cl->is_encrypt_to = is_encrypt_to;
397
ksba_cert_release (cert);
398
return rc == -1? gpg_error (GPG_ERR_NO_PUBKEY): rc;
402
gpgsm_release_certlist (CERTLIST list)
406
CERTLIST cl = list->next;
407
ksba_cert_release (list->cert);
414
/* Like gpgsm_add_to_certlist, but look only for one certificate. No
415
chain validation is done */
417
gpgsm_find_cert (const char *name, ksba_cert_t *r_cert)
420
KEYDB_SEARCH_DESC desc;
421
KEYDB_HANDLE kh = NULL;
424
rc = keydb_classify_name (name, &desc);
429
rc = gpg_error (GPG_ERR_ENOMEM);
432
rc = keydb_search (kh, &desc, 1);
434
rc = keydb_get_cert (kh, r_cert);
437
rc = keydb_search (kh, &desc, 1);
443
rc = gpg_error (GPG_ERR_AMBIGUOUS_NAME);
444
ksba_cert_release (*r_cert);
452
return rc == -1? gpg_error (GPG_ERR_NO_PUBKEY): rc;