2
* Copyright (C) 1998, 1999, 2000, 2001, 2003,
3
* 2004 Free Software Foundation, Inc.
5
* This file is part of GnuPG.
7
* GnuPG is free software; you can redistribute it and/or modify
8
* it under the terms of the GNU General Public License as published by
9
* the Free Software Foundation; either version 2 of the License, or
10
* (at your option) any later version.
12
* GnuPG is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU General Public License for more details.
17
* You should have received a copy of the GNU General Public License
18
* along with this program; if not, write to the Free Software
19
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
37
#include "../kbx/keybox.h" /* for KEYBOX_FLAG_* */
40
struct list_external_parm_s {
50
/* This table is to map Extended Key Usage OIDs to human readable
55
} key_purpose_map[] = {
56
{ "1.3.6.1.5.5.7.3.1", "serverAuth" },
57
{ "1.3.6.1.5.5.7.3.2", "clientAuth" },
58
{ "1.3.6.1.5.5.7.3.3", "codeSigning" },
59
{ "1.3.6.1.5.5.7.3.4", "emailProtection" },
60
{ "1.3.6.1.5.5.7.3.5", "ipsecEndSystem" },
61
{ "1.3.6.1.5.5.7.3.6", "ipsecTunnel" },
62
{ "1.3.6.1.5.5.7.3.7", "ipsecUser" },
63
{ "1.3.6.1.5.5.7.3.8", "timeStamping" },
64
{ "1.3.6.1.5.5.7.3.9", "ocspSigning" },
65
{ "1.3.6.1.5.5.7.3.10", "dvcs" },
66
{ "1.3.6.1.5.5.7.3.11", "sbgpCertAAServerAuth" },
67
{ "1.3.6.1.5.5.7.3.13", "eapOverPPP" },
68
{ "1.3.6.1.5.5.7.3.14", "wlanSSID" },
73
/* A table mapping OIDs to a descriptive string. */
81
{ "1.2.840.10040.4.1", "dsa" },
82
{ "1.2.840.10040.4.3", "dsaWithSha1" },
84
{ "1.2.840.113549.1.1.1", "rsaEncryption" },
85
{ "1.2.840.113549.1.1.2", "md2WithRSAEncryption" },
86
{ "1.2.840.113549.1.1.3", "md4WithRSAEncryption" },
87
{ "1.2.840.113549.1.1.4", "md5WithRSAEncryption" },
88
{ "1.2.840.113549.1.1.5", "sha1WithRSAEncryption" },
89
{ "1.2.840.113549.1.1.7", "rsaOAEP" },
90
{ "1.2.840.113549.1.1.8", "rsaOAEP-MGF" },
91
{ "1.2.840.113549.1.1.9", "rsaOAEP-pSpecified" },
92
{ "1.2.840.113549.1.1.10", "rsaPSS" },
93
{ "1.2.840.113549.1.1.11", "sha256WithRSAEncryption" },
94
{ "1.2.840.113549.1.1.12", "sha384WithRSAEncryption" },
95
{ "1.2.840.113549.1.1.13", "sha512WithRSAEncryption" },
97
{ "1.3.14.3.2.26", "sha1" },
98
{ "1.3.14.3.2.29", "sha-1WithRSAEncryption" },
99
{ "1.3.36.3.3.1.2", "rsaSignatureWithripemd160" },
102
/* Telesec extensions. */
103
{ "0.2.262.1.10.12.0", "certExtensionLiabilityLimitationExt" },
104
{ "0.2.262.1.10.12.1", "telesecCertIdExt" },
105
{ "0.2.262.1.10.12.2", "telesecPolicyIdentifier" },
106
{ "0.2.262.1.10.12.3", "telesecPolicyQualifierID" },
107
{ "0.2.262.1.10.12.4", "telesecCRLFilteredExt" },
108
{ "0.2.262.1.10.12.5", "telesecCRLFilterExt"},
109
{ "0.2.262.1.10.12.6", "telesecNamingAuthorityExt" },
111
/* PKIX private extensions. */
112
{ "1.3.6.1.5.5.7.1.1", "authorityInfoAccess" },
113
{ "1.3.6.1.5.5.7.1.2", "biometricInfo" },
114
{ "1.3.6.1.5.5.7.1.3", "qcStatements" },
115
{ "1.3.6.1.5.5.7.1.4", "acAuditIdentity" },
116
{ "1.3.6.1.5.5.7.1.5", "acTargeting" },
117
{ "1.3.6.1.5.5.7.1.6", "acAaControls" },
118
{ "1.3.6.1.5.5.7.1.7", "sbgp-ipAddrBlock" },
119
{ "1.3.6.1.5.5.7.1.8", "sbgp-autonomousSysNum" },
120
{ "1.3.6.1.5.5.7.1.9", "sbgp-routerIdentifier" },
121
{ "1.3.6.1.5.5.7.1.10", "acProxying" },
122
{ "1.3.6.1.5.5.7.1.11", "subjectInfoAccess" },
125
{ "2.5.29.14", "subjectKeyIdentifier"},
126
{ "2.5.29.15", "keyUsage", 1 },
127
{ "2.5.29.16", "privateKeyUsagePeriod" },
128
{ "2.5.29.17", "subjectAltName", 1 },
129
{ "2.5.29.18", "issuerAltName", 1 },
130
{ "2.5.29.19", "basicConstraints", 1},
131
{ "2.5.29.20", "cRLNumber" },
132
{ "2.5.29.21", "cRLReason" },
133
{ "2.5.29.22", "expirationDate" },
134
{ "2.5.29.23", "instructionCode" },
135
{ "2.5.29.24", "invalidityDate" },
136
{ "2.5.29.27", "deltaCRLIndicator" },
137
{ "2.5.29.28", "issuingDistributionPoint" },
138
{ "2.5.29.29", "certificateIssuer" },
139
{ "2.5.29.30", "nameConstraints" },
140
{ "2.5.29.31", "cRLDistributionPoints", 1 },
141
{ "2.5.29.32", "certificatePolicies", 1 },
142
{ "2.5.29.32.0", "anyPolicy" },
143
{ "2.5.29.33", "policyMappings" },
144
{ "2.5.29.35", "authorityKeyIdentifier", 1 },
145
{ "2.5.29.36", "policyConstraints" },
146
{ "2.5.29.37", "extKeyUsage", 1 },
147
{ "2.5.29.46", "freshestCRL" },
148
{ "2.5.29.54", "inhibitAnyPolicy" },
150
/* Netscape certificate extensions. */
151
{ "2.16.840.1.113730.1.1", "netscape-cert-type" },
152
{ "2.16.840.1.113730.1.2", "netscape-base-url" },
153
{ "2.16.840.1.113730.1.3", "netscape-revocation-url" },
154
{ "2.16.840.1.113730.1.4", "netscape-ca-revocation-url" },
155
{ "2.16.840.1.113730.1.7", "netscape-cert-renewal-url" },
156
{ "2.16.840.1.113730.1.8", "netscape-ca-policy-url" },
157
{ "2.16.840.1.113730.1.9", "netscape-homePage-url" },
158
{ "2.16.840.1.113730.1.10", "netscape-entitylogo" },
159
{ "2.16.840.1.113730.1.11", "netscape-userPicture" },
160
{ "2.16.840.1.113730.1.12", "netscape-ssl-server-name" },
161
{ "2.16.840.1.113730.1.13", "netscape-comment" },
167
/* Return the description for OID; if no description is available
170
get_oid_desc (const char *oid, unsigned int *flag)
175
for (i=0; oidtranstbl[i].oid; i++)
176
if (!strcmp (oidtranstbl[i].oid, oid))
179
*flag = oidtranstbl[i].flag;
180
return oidtranstbl[i].name;
189
print_key_data (ksba_cert_t cert, FILE *fp)
192
int n = pk ? pubkey_get_npkey( pk->pubkey_algo ) : 0;
195
for(i=0; i < n; i++ )
197
fprintf (fp, "pkd:%d:%u:", i, mpi_get_nbits( pk->pkey[i] ) );
198
mpi_print(stdout, pk->pkey[i], 1 );
206
print_capabilities (ksba_cert_t cert, FILE *fp)
211
err = ksba_cert_get_key_usage (cert, &use);
212
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
224
log_error (_("error getting key usage information: %s\n"),
229
if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
231
if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
233
if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
235
if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
237
if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
239
if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
245
print_time (gnupg_isotime_t t, FILE *fp)
254
/* return an allocated string with the email address extracted from a
257
email_kludge (const char *name)
259
const unsigned char *p;
263
if (strncmp (name, "1.2.840.113549.1.9.1=#", 22))
265
/* This looks pretty much like an email address in the subject's DN
266
we use this to add an additional user ID entry. This way,
267
openSSL generated keys get a nicer and usable listing */
269
for (n=0, p=name; hexdigitp (p) && hexdigitp (p+1); p +=2, n++)
273
buf = xtrymalloc (n+3);
275
return NULL; /* oops, out of core */
277
for (n=1, p=name; *p != '#'; p +=2, n++)
287
/* List one certificate in colon mode */
289
list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
290
FILE *fp, int have_secret)
302
const char *chain_id;
303
char *chain_id_buffer = NULL;
306
if (ctrl->with_validation)
307
valerr = gpgsm_validate_chain (ctrl, cert, NULL, 1, NULL, 0);
312
/* We need to get the fingerprint and the chaining ID in advance. */
313
fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
317
rc = gpgsm_walk_cert_chain (cert, &next);
318
if (!rc) /* We known the issuer's certificate. */
320
p = gpgsm_get_fingerprint_hexstring (next, GCRY_MD_SHA1);
322
chain_id = chain_id_buffer;
323
ksba_cert_release (next);
325
else if (rc == -1) /* We have reached the root certificate. */
335
fputs (have_secret? "crs:":"crt:", fp);
337
/* Note: We can't use multiple flags, like "ei", because the
338
validation check does only return one error. */
341
if ((validity & VALIDITY_REVOKED)
342
|| gpg_err_code (valerr) == GPG_ERR_CERT_REVOKED)
344
else if (gpg_err_code (valerr) == GPG_ERR_CERT_EXPIRED)
348
/* Lets also check whether the certificate under question
349
expired. This is merely a hack until we found a proper way
350
to store the expiration flag in the keybox. */
351
ksba_isotime_t current_time, not_after;
353
gnupg_get_isotime (current_time);
354
if (!opt.ignore_expiration
355
&& !ksba_cert_get_validity (cert, 1, not_after)
356
&& *not_after && strcmp (current_time, not_after) > 0 )
362
/* Is we have no truststring yet (i.e. the certificate might be
363
good) and this is a root certificate, we ask the agent whether
364
this is a trusted root certificate. */
365
if (!*truststring && is_root)
367
rc = gpgsm_agent_istrusted (ctrl, cert);
369
*truststring = 'u'; /* Yes, we trust this one (ultimately). */
370
else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED)
371
*truststring = 'n'; /* No, we do not trust this one. */
372
/* (in case of an error we can't tell anything.) */
376
fputs (truststring, fp);
378
algo = gpgsm_get_key_algo_info (cert, &nbits);
379
fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);
381
/* We assume --fixed-list-mode for gpgsm */
382
ksba_cert_get_validity (cert, 0, t);
385
ksba_cert_get_validity (cert, 1, t);
388
/* Field 8, serial number: */
389
if ((sexp = ksba_cert_get_serial (cert)))
392
const unsigned char *s = sexp;
397
for (len=0; *s && *s != ':' && digitp (s); s++)
398
len = len*10 + atoi_1 (s);
400
for (s++; len; len--, s++)
401
fprintf (fp,"%02X", *s);
406
/* Field 9, ownertrust - not used here */
408
/* field 10, old user ID - we use it here for the issuer DN */
409
if ((p = ksba_cert_get_issuer (cert,0)))
411
print_sanitized_string (fp, p, ':');
415
/* Field 11, signature class - not used */
417
/* Field 12, capabilities: */
418
print_capabilities (cert, fp);
423
fprintf (fp, "fpr:::::::::%s:::", fpr);
424
/* Print chaining ID (field 13)*/
426
fputs (chain_id, fp);
429
xfree (fpr); fpr = NULL; chain_id = NULL;
430
xfree (chain_id_buffer); chain_id_buffer = NULL;
432
if (opt.with_key_data)
434
if ( (p = gpgsm_get_keygrip_hexstring (cert)))
436
fprintf (fp, "grp:::::::::%s:\n", p);
439
print_key_data (cert, fp);
442
for (idx=0; (p = ksba_cert_get_subject (cert,idx)); idx++)
444
fprintf (fp, "uid:%s::::::::", truststring);
445
print_sanitized_string (fp, p, ':');
451
/* It would be better to get the faked email address from
452
the keydb. But as long as we don't have a way to pass
453
the meta data back, we just check it the same way as the
454
code used to create the keybox meta data does */
455
char *pp = email_kludge (p);
458
fprintf (fp, "uid:%s::::::::", truststring);
459
print_sanitized_string (fp, pp, ':');
472
print_name_raw (FILE *fp, const char *string)
475
fputs ("[error]", fp);
477
print_sanitized_string (fp, string, 0);
481
print_names_raw (FILE *fp, int indent, ksba_name_t name)
487
if ((indent_all = (indent < 0)))
492
fputs ("none\n", fp);
496
for (idx=0; (s = ksba_name_enum (name, idx)); idx++)
498
char *p = ksba_name_get_uri (name, idx);
499
printf ("%*s%s\n", idx||indent_all?indent:0, "", p?p:s);
505
/* List one certificate in raw mode useful to have a closer look at
506
the certificate. This one does no beautification and only minimal
507
output sanitation. It is mainly useful for debugging. */
509
list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd,
510
ksba_cert_t cert, FILE *fp, int have_secret,
521
char *string, *p, *pend;
523
ksba_name_t name, name2;
526
sexp = ksba_cert_get_serial (cert);
527
fputs ("Serial number: ", fp);
528
gpgsm_print_serial (fp, sexp);
532
dn = ksba_cert_get_issuer (cert, 0);
533
fputs (" Issuer: ", fp);
534
print_name_raw (fp, dn);
537
for (idx=1; (dn = ksba_cert_get_issuer (cert, idx)); idx++)
539
fputs (" aka: ", fp);
540
print_name_raw (fp, dn);
545
dn = ksba_cert_get_subject (cert, 0);
546
fputs (" Subject: ", fp);
547
print_name_raw (fp, dn);
550
for (idx=1; (dn = ksba_cert_get_subject (cert, idx)); idx++)
552
fputs (" aka: ", fp);
553
print_name_raw (fp, dn);
558
dn = gpgsm_get_fingerprint_string (cert, 0);
559
fprintf (fp, " sha1_fpr: %s\n", dn?dn:"error");
562
dn = gpgsm_get_fingerprint_string (cert, GCRY_MD_MD5);
563
fprintf (fp, " md5_fpr: %s\n", dn?dn:"error");
566
dn = gpgsm_get_keygrip_hexstring (cert);
567
fprintf (fp, " keygrip: %s\n", dn?dn:"error");
570
ksba_cert_get_validity (cert, 0, t);
571
fputs (" notBefore: ", fp);
572
gpgsm_print_time (fp, t);
574
fputs (" notAfter: ", fp);
575
ksba_cert_get_validity (cert, 1, t);
576
gpgsm_print_time (fp, t);
579
oid = ksba_cert_get_digest_algo (cert);
580
s = get_oid_desc (oid, NULL);
581
fprintf (fp, " hashAlgo: %s%s%s%s\n", oid, s?" (":"",s?s:"",s?")":"");
584
const char *algoname;
587
algoname = gcry_pk_algo_name (gpgsm_get_key_algo_info (cert, &nbits));
588
fprintf (fp, " keyType: %u bit %s\n", nbits, algoname? algoname:"?");
591
/* authorityKeyIdentifier */
592
fputs (" authKeyId: ", fp);
593
err = ksba_cert_get_auth_key_id (cert, NULL, &name, &sexp);
594
if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA)
596
if (gpg_err_code (err) == GPG_ERR_NO_DATA || !name)
597
fputs ("[none]\n", fp);
600
gpgsm_print_serial (fp, sexp);
603
print_names_raw (fp, -15, name);
604
ksba_name_release (name);
610
fputs (" keyUsage:", fp);
611
err = ksba_cert_get_key_usage (cert, &kusage);
612
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
615
fprintf (fp, " [error: %s]", gpg_strerror (err));
618
if ( (kusage & KSBA_KEYUSAGE_DIGITAL_SIGNATURE))
619
fputs (" digitalSignature", fp);
620
if ( (kusage & KSBA_KEYUSAGE_NON_REPUDIATION))
621
fputs (" nonRepudiation", fp);
622
if ( (kusage & KSBA_KEYUSAGE_KEY_ENCIPHERMENT))
623
fputs (" keyEncipherment", fp);
624
if ( (kusage & KSBA_KEYUSAGE_DATA_ENCIPHERMENT))
625
fputs (" dataEncipherment", fp);
626
if ( (kusage & KSBA_KEYUSAGE_KEY_AGREEMENT))
627
fputs (" keyAgreement", fp);
628
if ( (kusage & KSBA_KEYUSAGE_KEY_CERT_SIGN))
629
fputs (" certSign", fp);
630
if ( (kusage & KSBA_KEYUSAGE_CRL_SIGN))
631
fputs (" crlSign", fp);
632
if ( (kusage & KSBA_KEYUSAGE_ENCIPHER_ONLY))
633
fputs (" encipherOnly", fp);
634
if ( (kusage & KSBA_KEYUSAGE_DECIPHER_ONLY))
635
fputs (" decipherOnly", fp);
640
fputs ("[none]\n", fp);
642
fputs (" extKeyUsage: ", fp);
643
err = ksba_cert_get_ext_key_usages (cert, &string);
644
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
647
fprintf (fp, "[error: %s]", gpg_strerror (err));
651
while (p && (pend=strchr (p, ':')))
654
for (i=0; key_purpose_map[i].oid; i++)
655
if ( !strcmp (key_purpose_map[i].oid, p) )
657
fputs (key_purpose_map[i].oid?key_purpose_map[i].name:p, fp);
660
fputs (" (suggested)", fp);
661
if ((p = strchr (p, '\n')))
672
fputs ("[none]\n", fp);
675
fputs (" policies: ", fp);
676
err = ksba_cert_get_cert_policies (cert, &string);
677
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
680
fprintf (fp, "[error: %s]", gpg_strerror (err));
684
while (p && (pend=strchr (p, ':')))
687
for (i=0; key_purpose_map[i].oid; i++)
688
if ( !strcmp (key_purpose_map[i].oid, p) )
693
fputs (" (critical)", fp);
694
if ((p = strchr (p, '\n')))
705
fputs ("[none]\n", fp);
707
fputs (" chainLength: ", fp);
708
err = ksba_cert_is_ca (cert, &is_ca, &chainlen);
712
fprintf (fp, "[error: %s]", gpg_strerror (err));
713
else if (chainlen == -1)
714
fputs ("unlimited", fp);
716
fprintf (fp, "%d", chainlen);
720
fputs ("not a CA\n", fp);
723
/* CRL distribution point */
724
for (idx=0; !(err=ksba_cert_get_crl_dist_point (cert, idx, &name, &name2,
727
fputs (" crlDP: ", fp);
728
print_names_raw (fp, 15, name);
731
fputs (" reason: ", fp);
732
if ( (reason & KSBA_CRLREASON_UNSPECIFIED))
733
fputs (" unused", stdout);
734
if ( (reason & KSBA_CRLREASON_KEY_COMPROMISE))
735
fputs (" keyCompromise", stdout);
736
if ( (reason & KSBA_CRLREASON_CA_COMPROMISE))
737
fputs (" caCompromise", stdout);
738
if ( (reason & KSBA_CRLREASON_AFFILIATION_CHANGED))
739
fputs (" affiliationChanged", stdout);
740
if ( (reason & KSBA_CRLREASON_SUPERSEDED))
741
fputs (" superseded", stdout);
742
if ( (reason & KSBA_CRLREASON_CESSATION_OF_OPERATION))
743
fputs (" cessationOfOperation", stdout);
744
if ( (reason & KSBA_CRLREASON_CERTIFICATE_HOLD))
745
fputs (" certificateHold", stdout);
748
fputs (" issuer: ", fp);
749
print_names_raw (fp, 23, name2);
750
ksba_name_release (name);
751
ksba_name_release (name2);
753
if (err && gpg_err_code (err) != GPG_ERR_EOF)
754
fputs (" crlDP: [error]\n", fp);
756
fputs (" crlDP: [none]\n", fp);
759
/* authorityInfoAccess. */
760
for (idx=0; !(err=ksba_cert_get_authority_info_access (cert, idx, &string,
763
fputs (" authInfo: ", fp);
764
s = get_oid_desc (string, NULL);
765
fprintf (fp, "%s%s%s%s\n", string, s?" (":"", s?s:"", s?")":"");
766
print_names_raw (fp, -15, name);
767
ksba_name_release (name);
770
if (err && gpg_err_code (err) != GPG_ERR_EOF)
771
fputs (" authInfo: [error]\n", fp);
773
fputs (" authInfo: [none]\n", fp);
775
/* subjectInfoAccess. */
776
for (idx=0; !(err=ksba_cert_get_subject_info_access (cert, idx, &string,
779
fputs (" subjectInfo: ", fp);
780
s = get_oid_desc (string, NULL);
781
fprintf (fp, "%s%s%s%s\n", string, s?" (":"", s?s:"", s?")":"");
782
print_names_raw (fp, -15, name);
783
ksba_name_release (name);
786
if (err && gpg_err_code (err) != GPG_ERR_EOF)
787
fputs (" subjInfo: [error]\n", fp);
789
fputs (" subjInfo: [none]\n", fp);
792
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
793
&oid, &i, &off, &len));idx++)
797
s = get_oid_desc (oid, &flag);
800
fprintf (fp, " %s: %s%s%s%s [%d octets]\n",
801
i? "critExtn":" extn",
802
oid, s?" (":"", s?s:"", s?")":"", (int)len);
808
err = gpgsm_validate_chain (ctrl, cert, NULL, 1, fp, 0);
810
fprintf (fp, " [certificate is good]\n");
812
fprintf (fp, " [certificate is bad: %s]\n", gpg_strerror (err));
815
if (opt.with_ephemeral_keys && hd)
817
unsigned int blobflags;
819
err = keydb_get_flags (hd, KEYBOX_FLAG_BLOB, 0, &blobflags);
821
fprintf (fp, " [error getting keyflags: %s]\n", gpg_strerror (err));
822
else if ((blobflags & 2))
823
fprintf (fp, " [stored as ephemeral]\n");
831
/* List one certificate in standard mode */
833
list_cert_std (ctrl_t ctrl, ksba_cert_t cert, FILE *fp, int have_secret,
843
char *string, *p, *pend;
845
sexp = ksba_cert_get_serial (cert);
846
fputs ("Serial number: ", fp);
847
gpgsm_print_serial (fp, sexp);
851
dn = ksba_cert_get_issuer (cert, 0);
852
fputs (" Issuer: ", fp);
853
gpgsm_print_name (fp, dn);
856
for (idx=1; (dn = ksba_cert_get_issuer (cert, idx)); idx++)
858
fputs (" aka: ", fp);
859
gpgsm_print_name (fp, dn);
864
dn = ksba_cert_get_subject (cert, 0);
865
fputs (" Subject: ", fp);
866
gpgsm_print_name (fp, dn);
869
for (idx=1; (dn = ksba_cert_get_subject (cert, idx)); idx++)
871
fputs (" aka: ", fp);
872
gpgsm_print_name (fp, dn);
877
ksba_cert_get_validity (cert, 0, t);
878
fputs (" validity: ", fp);
879
gpgsm_print_time (fp, t);
880
fputs (" through ", fp);
881
ksba_cert_get_validity (cert, 1, t);
882
gpgsm_print_time (fp, t);
887
const char *algoname;
890
algoname = gcry_pk_algo_name (gpgsm_get_key_algo_info (cert, &nbits));
891
fprintf (fp, " key type: %u bit %s\n", nbits, algoname? algoname:"?");
895
err = ksba_cert_get_key_usage (cert, &kusage);
896
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
898
fputs (" key usage:", fp);
900
fprintf (fp, " [error: %s]", gpg_strerror (err));
903
if ( (kusage & KSBA_KEYUSAGE_DIGITAL_SIGNATURE))
904
fputs (" digitalSignature", fp);
905
if ( (kusage & KSBA_KEYUSAGE_NON_REPUDIATION))
906
fputs (" nonRepudiation", fp);
907
if ( (kusage & KSBA_KEYUSAGE_KEY_ENCIPHERMENT))
908
fputs (" keyEncipherment", fp);
909
if ( (kusage & KSBA_KEYUSAGE_DATA_ENCIPHERMENT))
910
fputs (" dataEncipherment", fp);
911
if ( (kusage & KSBA_KEYUSAGE_KEY_AGREEMENT))
912
fputs (" keyAgreement", fp);
913
if ( (kusage & KSBA_KEYUSAGE_KEY_CERT_SIGN))
914
fputs (" certSign", fp);
915
if ( (kusage & KSBA_KEYUSAGE_CRL_SIGN))
916
fputs (" crlSign", fp);
917
if ( (kusage & KSBA_KEYUSAGE_ENCIPHER_ONLY))
918
fputs (" encipherOnly", fp);
919
if ( (kusage & KSBA_KEYUSAGE_DECIPHER_ONLY))
920
fputs (" decipherOnly", fp);
925
err = ksba_cert_get_ext_key_usages (cert, &string);
926
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
928
fputs ("ext key usage: ", fp);
930
fprintf (fp, "[error: %s]", gpg_strerror (err));
934
while (p && (pend=strchr (p, ':')))
937
for (i=0; key_purpose_map[i].oid; i++)
938
if ( !strcmp (key_purpose_map[i].oid, p) )
940
fputs (key_purpose_map[i].oid?key_purpose_map[i].name:p, fp);
943
fputs (" (suggested)", fp);
944
if ((p = strchr (p, '\n')))
955
err = ksba_cert_get_cert_policies (cert, &string);
956
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
958
fputs (" policies: ", fp);
960
fprintf (fp, "[error: %s]", gpg_strerror (err));
963
for (p=string; *p; p++)
968
print_sanitized_string (fp, string, 0);
974
err = ksba_cert_is_ca (cert, &is_ca, &chainlen);
977
fputs (" chain length: ", fp);
979
fprintf (fp, "[error: %s]", gpg_strerror (err));
980
else if (chainlen == -1)
981
fputs ("unlimited", fp);
983
fprintf (fp, "%d", chainlen);
987
if (opt.with_md5_fingerprint)
989
dn = gpgsm_get_fingerprint_string (cert, GCRY_MD_MD5);
990
fprintf (fp, " md5 fpr: %s\n", dn?dn:"error");
994
dn = gpgsm_get_fingerprint_string (cert, 0);
995
fprintf (fp, " fingerprint: %s\n", dn?dn:"error");
1000
err = gpgsm_validate_chain (ctrl, cert, NULL, 1, fp, 0);
1002
fprintf (fp, " [certificate is good]\n");
1004
fprintf (fp, " [certificate is bad: %s]\n", gpg_strerror (err));
1009
/* Same as standard mode mode list all certifying certs too. */
1011
list_cert_chain (ctrl_t ctrl, KEYDB_HANDLE hd,
1012
ksba_cert_t cert, int raw_mode,
1013
FILE *fp, int with_validation)
1015
ksba_cert_t next = NULL;
1018
list_cert_raw (ctrl, hd, cert, fp, 0, with_validation);
1020
list_cert_std (ctrl, cert, fp, 0, with_validation);
1021
ksba_cert_ref (cert);
1022
while (!gpgsm_walk_cert_chain (cert, &next))
1024
ksba_cert_release (cert);
1025
fputs ("Certified by\n", fp);
1027
list_cert_raw (ctrl, hd, next, fp, 0, with_validation);
1029
list_cert_std (ctrl, next, fp, 0, with_validation);
1032
ksba_cert_release (cert);
1038
/* List all internal keys or just the keys given as NAMES. MODE is a
1039
bit vector to specify what keys are to be included; see
1040
gpgsm_list_keys (below) for details. If RAW_MODE is true, the raw
1041
output mode will be used intead of the standard beautified one.
1044
list_internal_keys (ctrl_t ctrl, STRLIST names, FILE *fp,
1045
unsigned int mode, int raw_mode)
1048
KEYDB_SEARCH_DESC *desc = NULL;
1051
ksba_cert_t cert = NULL;
1053
const char *lastresname, *resname;
1059
log_error ("keydb_new failed\n");
1060
rc = gpg_error (GPG_ERR_GENERAL);
1068
for (sl=names, ndesc=0; sl; sl = sl->next, ndesc++)
1072
desc = xtrycalloc (ndesc, sizeof *desc);
1075
rc = gpg_error_from_errno (errno);
1076
log_error ("out of core\n");
1081
desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1084
for (ndesc=0, sl=names; sl; sl = sl->next)
1086
rc = keydb_classify_name (sl->d, desc+ndesc);
1089
log_error ("key `%s' not found: %s\n",
1090
sl->d, gpg_strerror (rc));
1099
if (opt.with_ephemeral_keys)
1100
keydb_set_ephemeral (hd, 1);
1102
/* It would be nice to see which of the given users did actually
1103
match one in the keyring. To implement this we need to have a
1104
found flag for each entry in desc and to set this we must check
1105
all those entries after a match to mark all matched one -
1106
currently we stop at the first match. To do this we need an
1107
extra flag to enable this feature so */
1110
while (!(rc = keydb_search (hd, desc, ndesc)))
1112
unsigned int validity;
1115
desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1117
rc = keydb_get_flags (hd, KEYBOX_FLAG_VALIDITY, 0, &validity);
1120
log_error ("keydb_get_flags failed: %s\n", gpg_strerror (rc));
1123
rc = keydb_get_cert (hd, &cert);
1126
log_error ("keydb_get_cert failed: %s\n", gpg_strerror (rc));
1130
resname = keydb_get_resource_name (hd);
1132
if (lastresname != resname )
1136
if (ctrl->no_server)
1138
fprintf (fp, "%s\n", resname );
1139
for (i=strlen(resname); i; i-- )
1142
lastresname = resname;
1149
char *p = gpgsm_get_keygrip_hexstring (cert);
1152
rc = gpgsm_agent_havekey (ctrl, p);
1155
else if ( gpg_err_code (rc) != GPG_ERR_NO_SECKEY)
1163
|| ((mode & 1) && !have_secret)
1164
|| ((mode & 2) && have_secret) )
1166
if (ctrl->with_colons)
1167
list_cert_colon (ctrl, cert, validity, fp, have_secret);
1168
else if (ctrl->with_chain)
1169
list_cert_chain (ctrl, hd, cert,
1170
raw_mode, fp, ctrl->with_validation);
1174
list_cert_raw (ctrl, hd, cert, fp, have_secret,
1175
ctrl->with_validation);
1177
list_cert_std (ctrl, cert, fp, have_secret,
1178
ctrl->with_validation);
1182
ksba_cert_release (cert);
1185
if (gpg_err_code (rc) == GPG_ERR_EOF || rc == -1 )
1188
log_error ("keydb_search failed: %s\n", gpg_strerror (rc));
1191
ksba_cert_release (cert);
1200
list_external_cb (void *cb_value, ksba_cert_t cert)
1202
struct list_external_parm_s *parm = cb_value;
1204
if (keydb_store_cert (cert, 1, NULL))
1205
log_error ("error storing certificate as ephemeral\n");
1207
if (parm->print_header)
1209
const char *resname = "[external keys]";
1212
fprintf (parm->fp, "%s\n", resname );
1213
for (i=strlen(resname); i; i-- )
1215
putc ('\n', parm->fp);
1216
parm->print_header = 0;
1219
if (parm->with_colons)
1220
list_cert_colon (parm->ctrl, cert, 0, parm->fp, 0);
1221
else if (parm->with_chain)
1222
list_cert_chain (parm->ctrl, NULL, cert, parm->raw_mode, parm->fp, 0);
1226
list_cert_raw (parm->ctrl, NULL, cert, parm->fp, 0, 0);
1228
list_cert_std (parm->ctrl, cert, parm->fp, 0, 0);
1229
putc ('\n', parm->fp);
1234
/* List external keys similar to internal one. Note: mode does not
1235
make sense here because it would be unwise to list external secret
1238
list_external_keys (CTRL ctrl, STRLIST names, FILE *fp, int raw_mode)
1241
struct list_external_parm_s parm;
1245
parm.print_header = ctrl->no_server;
1246
parm.with_colons = ctrl->with_colons;
1247
parm.with_chain = ctrl->with_chain;
1248
parm.raw_mode = raw_mode;
1250
rc = gpgsm_dirmngr_lookup (ctrl, names, list_external_cb, &parm);
1252
log_error ("listing external keys failed: %s\n", gpg_strerror (rc));
1256
/* List all keys or just the key given as NAMES.
1257
MODE controls the operation mode:
1259
0 = list all public keys but don't flag secret ones
1260
1 = list only public keys
1261
2 = list only secret keys
1262
3 = list secret and public keys
1263
Bit 6: list internal keys
1264
Bit 7: list external keys
1265
Bit 8: Do a raw format dump.
1268
gpgsm_list_keys (CTRL ctrl, STRLIST names, FILE *fp, unsigned int mode)
1270
gpg_error_t err = 0;
1272
if ((mode & (1<<6)))
1273
err = list_internal_keys (ctrl, names, fp, (mode & 3), (mode&256));
1274
if (!err && (mode & (1<<7)))
1275
err = list_external_keys (ctrl, names, fp, (mode&256));