From 0d6c0bc071b2e571c18781271972f6f9ee62dc8a Mon Sep 17 00:00:00 2001 From: JinWang An Date: Wed, 1 Feb 2023 18:02:19 +0900 Subject: Imported Upstream version 2.4.0 --- sm/Makefile.am | 4 ++-- sm/Makefile.in | 16 +++------------- sm/call-dirmngr.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++------- sm/certchain.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------- sm/certlist.c | 45 +++++++++++++++++++++++++++++---------------- sm/fingerprint.c | 8 ++++++++ sm/gpgsm.c | 6 +++++- sm/gpgsm.h | 13 ++++++++++--- sm/keydb.c | 2 +- sm/keylist.c | 24 +++++++++++++++++++++--- sm/sign.c | 17 ++++++++++------- sm/verify.c | 4 ++-- 12 files changed, 181 insertions(+), 64 deletions(-) (limited to 'sm') diff --git a/sm/Makefile.am b/sm/Makefile.am index c676ada..cfcc36c 100644 --- a/sm/Makefile.am +++ b/sm/Makefile.am @@ -70,8 +70,8 @@ common_libs = ../kbx/libkeybox509.a $(libcommonpth) gpgsm_LDADD = $(common_libs) ../common/libgpgrl.a \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(LIBASSUAN_LIBS) \ $(NPTH_LIBS) $(GPG_ERROR_LIBS) $(LIBREADLINE) $(LIBINTL) \ - $(LIBICONV) $(resource_objs) $(extra_sys_libs) $(NETLIBS) -gpgsm_LDFLAGS = $(extra_bin_ldflags) + $(LIBICONV) $(resource_objs) $(NETLIBS) +gpgsm_LDFLAGS = module_tests = diff --git a/sm/Makefile.in b/sm/Makefile.in index af9670c..e4079b4 100644 --- a/sm/Makefile.in +++ b/sm/Makefile.in @@ -185,7 +185,7 @@ gpgsm_DEPENDENCIES = $(common_libs) ../common/libgpgrl.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(resource_objs) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) gpgsm_LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(gpgsm_LDFLAGS) \ $(LDFLAGS) -o $@ am__objects_1 = @@ -498,16 +498,6 @@ AM_CPPFLAGS = -DKEYBOX_WITH_X509=1 -DLOCALEDIR=\"$(localedir)\" \ $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) $(am__append_6) \ $(am__append_7) $(am__append_8) -@HAVE_W32CE_SYSTEM_FALSE@extra_sys_libs = - -# Under Windows we use LockFileEx. WindowsCE provides this only on -# the WindowsMobile 6 platform and thus we need to use the coredll6 -# import library. We also want to use a stacksize of 256k instead of -# the 2MB which is the default with cegcc. 256k is the largest stack -# we use with pth. -@HAVE_W32CE_SYSTEM_TRUE@extra_sys_libs = -lcoredll6 -@HAVE_W32CE_SYSTEM_FALSE@extra_bin_ldflags = -@HAVE_W32CE_SYSTEM_TRUE@extra_bin_ldflags = -Wl,--stack=0x40000 resource_objs = $(am__append_9) # Convenience macros @@ -545,9 +535,9 @@ common_libs = ../kbx/libkeybox509.a $(libcommonpth) gpgsm_LDADD = $(common_libs) ../common/libgpgrl.a \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(LIBASSUAN_LIBS) \ $(NPTH_LIBS) $(GPG_ERROR_LIBS) $(LIBREADLINE) $(LIBINTL) \ - $(LIBICONV) $(resource_objs) $(extra_sys_libs) $(NETLIBS) + $(LIBICONV) $(resource_objs) $(NETLIBS) -gpgsm_LDFLAGS = $(extra_bin_ldflags) +gpgsm_LDFLAGS = module_tests = module_maint_tests = t-minip12 t_common_src = diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c index 5dd8a39..cc958cc 100644 --- a/sm/call-dirmngr.c +++ b/sm/call-dirmngr.c @@ -64,6 +64,8 @@ struct isvalid_status_parm_s { ctrl_t ctrl; int seen; unsigned char fpr[20]; + gnupg_isotime_t revoked_at; + char *revocation_reason; /* malloced or NULL */ }; @@ -491,6 +493,19 @@ isvalid_status_cb (void *opaque, const char *line) if (!*s || !unhexify_fpr (s, parm->fpr)) parm->seen++; /* Bump it to indicate an error. */ } + else if ((s = has_leading_keyword (line, "REVOCATIONINFO"))) + { + if (*s && strlen (s) >= 15) + { + memcpy (parm->revoked_at, s, 15); + parm->revoked_at[15] = 0; + } + s += 15; + while (*s && spacep (s)) + s++; + xfree (parm->revocation_reason); + parm->revocation_reason = *s? xtrystrdup (s) : NULL; + } else if (warning_and_note_printer (line)) { } @@ -510,12 +525,17 @@ isvalid_status_cb (void *opaque, const char *line) Values for USE_OCSP: 0 = Do CRL check. - 1 = Do an OCSP check but fallback to CRL unless CRLS are disabled. - 2 = Do only an OCSP check using only the default responder. + 1 = Do an OCSP check but fallback to CRL unless CRLs are disabled. + 2 = Do only an OCSP check (used for the chain model). + + If R_REVOKED_AT pr R_REASON are not NULL and the certificate has + been revoked the revocation time and the reason are copied to there. + The caller needs to free R_REASON. */ -int +gpg_error_t gpgsm_dirmngr_isvalid (ctrl_t ctrl, - ksba_cert_t cert, ksba_cert_t issuer_cert, int use_ocsp) + ksba_cert_t cert, ksba_cert_t issuer_cert, int use_ocsp, + gnupg_isotime_t r_revoked_at, char **r_reason) { static int did_options; int rc; @@ -524,6 +544,11 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl, struct inq_certificate_parm_s parm; struct isvalid_status_parm_s stparm; + if (r_revoked_at) + *r_revoked_at = 0; + if (r_reason) + *r_reason = NULL; + rc = start_dirmngr (ctrl); if (rc) return rc; @@ -553,6 +578,8 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl, stparm.ctrl = ctrl; stparm.seen = 0; memset (stparm.fpr, 0, 20); + stparm.revoked_at[0] = 0; + stparm.revocation_reason = NULL; /* It is sufficient to send the options only once because we have * one connection per process only. */ @@ -563,9 +590,8 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl, NULL, NULL, NULL, NULL, NULL, NULL); did_options = 1; } - snprintf (line, DIM(line), "ISVALID%s%s %s%s%s", - use_ocsp == 2 || opt.no_crl_check ? " --only-ocsp":"", - use_ocsp == 2? " --force-default-responder":"", + snprintf (line, DIM(line), "ISVALID%s %s%s%s", + (use_ocsp == 2 || opt.no_crl_check) ? " --only-ocsp":"", certid, use_ocsp? " ":"", use_ocsp? certfpr:""); @@ -578,6 +604,19 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl, if (opt.verbose > 1) log_info ("response of dirmngr: %s\n", rc? gpg_strerror (rc): "okay"); + if (gpg_err_code (rc) == GPG_ERR_CERT_REVOKED + && !check_isotime (stparm.revoked_at)) + { + if (r_revoked_at) + gnupg_copy_time (r_revoked_at, stparm.revoked_at); + if (r_reason) + { + *r_reason = stparm.revocation_reason; + stparm.revocation_reason = NULL; + } + + } + if (!rc && stparm.seen) { /* Need to also check the certificate validity. */ @@ -635,7 +674,9 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl, ksba_cert_release (rspcert); } } + release_dirmngr (ctrl); + xfree (stparm.revocation_reason); return rc; } diff --git a/sm/certchain.c b/sm/certchain.c index 4050680..9813eca 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -350,7 +350,7 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) /* With no critical policies this is only a warning */ if (!any_critical) { - if (!opt.quiet) + if (opt.verbose) do_list (0, listmode, fplist, _("Note: non-critical certificate policy not allowed")); return 0; @@ -380,7 +380,8 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) /* With no critical policies this is only a warning */ if (!any_critical) { - do_list (0, listmode, fplist, + if (opt.verbose) + do_list (0, listmode, fplist, _("Note: non-critical certificate policy not allowed")); return 0; } @@ -1187,11 +1188,13 @@ gpgsm_is_root_cert (ksba_cert_t cert) /* This is a helper for gpgsm_validate_chain. */ static gpg_error_t -is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, +is_cert_still_valid (ctrl_t ctrl, int chain_model, int lm, estream_t fp, ksba_cert_t subject_cert, ksba_cert_t issuer_cert, int *any_revoked, int *any_no_crl, int *any_crl_too_old) { gpg_error_t err; + gnupg_isotime_t revoked_at; + char *reason; if (ctrl->offline || (opt.no_crl_check && !ctrl->use_ocsp)) { @@ -1201,7 +1204,7 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, } - if (!(force_ocsp || ctrl->use_ocsp) + if (!(chain_model || ctrl->use_ocsp) && !opt.enable_issuer_based_crl_check) { err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL); @@ -1220,7 +1223,20 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, err = gpgsm_dirmngr_isvalid (ctrl, subject_cert, issuer_cert, - force_ocsp? 2 : !!ctrl->use_ocsp); + chain_model? 2 : !!ctrl->use_ocsp, + revoked_at, &reason); + if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED) + { + gnupg_copy_time (ctrl->revoked_at, revoked_at); + xfree (ctrl->revocation_reason); + ctrl->revocation_reason = reason; + reason = NULL; + } + else + { + xfree (reason); + reason = (NULL); + } audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, err); if (err) @@ -1230,7 +1246,22 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, switch (gpg_err_code (err)) { case GPG_ERR_CERT_REVOKED: - do_list (1, lm, fp, _("certificate has been revoked")); + if (!check_isotime (ctrl->revoked_at)) + { + char *tmpstr; + const unsigned char *t = ctrl->revoked_at; + + tmpstr = xtryasprintf ("%.4s-%.2s-%.2s %.2s:%.2s:%s (%s)", + t, t+4, t+6, t+9, t+11, t+13, + ctrl->revocation_reason? + ctrl->revocation_reason : ""); + + do_list (1, lm, fp, "%s: %s", + _("certificate has been revoked"), tmpstr); + xfree (tmpstr); + } + else + do_list (1, lm, fp, _("certificate has been revoked")); *any_revoked = 1; /* Store that in the keybox so that key listings are able to return the revoked flag. We don't care about error, @@ -2158,10 +2189,12 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime, { *retflags |= VALIDATE_FLAG_STEED; } - else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED - && !(flags & VALIDATE_FLAG_CHAIN_MODEL) - && (rootca_flags.valid && rootca_flags.chain_model)) + else if (!(flags & VALIDATE_FLAG_CHAIN_MODEL) + && (rootca_flags.valid && rootca_flags.chain_model)) { + /* The root CA indicated that the chain model is to be used but + * we have not yet used it. Thus do the validation again using + * the chain model. */ do_list (0, listmode, listfp, _("switching to chain model")); rc = do_validate_chain (ctrl, cert, checktime, r_exptime, listmode, listfp, diff --git a/sm/certlist.c b/sm/certlist.c index f06a23f..b5f9f78 100644 --- a/sm/certlist.c +++ b/sm/certlist.c @@ -33,7 +33,16 @@ #include "keydb.h" #include "../common/i18n.h" - +/* Mode values for cert_usage_p. + * Take care: the values have a semantic. */ +#define USE_MODE_SIGN 0 +#define USE_MODE_ENCR 1 +#define USE_MODE_VRFY 2 +#define USE_MODE_DECR 3 +#define USE_MODE_CERT 4 +#define USE_MODE_OCSP 5 + +/* OIDs we use here. */ static const char oid_kp_serverAuth[] = "1.3.6.1.5.5.7.3.1"; static const char oid_kp_clientAuth[] = "1.3.6.1.5.5.7.3.2"; static const char oid_kp_codeSigning[] = "1.3.6.1.5.5.7.3.3"; @@ -41,6 +50,7 @@ static const char oid_kp_emailProtection[]= "1.3.6.1.5.5.7.3.4"; static const char oid_kp_timeStamping[] = "1.3.6.1.5.5.7.3.8"; static const char oid_kp_ocspSigning[] = "1.3.6.1.5.5.7.3.9"; + /* Return 0 if the cert is usable for encryption. A MODE of 0 checks for signing a MODE of 1 checks for encryption, a MODE of 2 checks for verification and a MODE of 3 for decryption (just for @@ -119,7 +129,7 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent) if (gpg_err_code (err) == GPG_ERR_NO_DATA) { err = 0; - if (opt.verbose && mode < 2 && !silent) + if (opt.verbose && mode < USE_MODE_VRFY && !silent) log_info (_("no key usage specified - assuming all usages\n")); use = ~0; } @@ -136,7 +146,7 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent) return err; } - if (mode == 4) + if (mode == USE_MODE_CERT) { if ((use & (KSBA_KEYUSAGE_KEY_CERT_SIGN))) return 0; @@ -146,7 +156,7 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent) return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } - if (mode == 5) + if (mode == USE_MODE_OCSP) { if (use != ~0 && (have_ocsp_signing @@ -160,7 +170,8 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent) } encr_bits = (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT); - if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR)) + if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR) + || gpgsm_is_ecc_key (cert)) encr_bits |= KSBA_KEYUSAGE_KEY_AGREEMENT; sign_bits = (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION); @@ -169,11 +180,13 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent) return 0; if (!silent) - log_info - (mode==3? _("certificate should not have been used for encryption\n"): - mode==2? _("certificate should not have been used for signing\n"): - mode==1? _("certificate is not usable for encryption\n"): - /**/ _("certificate is not usable for signing\n")); + log_info (mode == USE_MODE_DECR? + _("certificate should not have been used for encryption\n") : + mode == USE_MODE_VRFY? + _("certificate should not have been used for signing\n") : + mode == USE_MODE_ENCR? + _("certificate is not usable for encryption\n") : + _("certificate is not usable for signing\n")); return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } @@ -183,7 +196,7 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent) int gpgsm_cert_use_sign_p (ksba_cert_t cert, int silent) { - return cert_usage_p (cert, 0, silent); + return cert_usage_p (cert, USE_MODE_SIGN, silent); } @@ -191,31 +204,31 @@ gpgsm_cert_use_sign_p (ksba_cert_t cert, int silent) int gpgsm_cert_use_encrypt_p (ksba_cert_t cert) { - return cert_usage_p (cert, 1, 0); + return cert_usage_p (cert, USE_MODE_ENCR, 0); } int gpgsm_cert_use_verify_p (ksba_cert_t cert) { - return cert_usage_p (cert, 2, 0); + return cert_usage_p (cert, USE_MODE_VRFY, 0); } int gpgsm_cert_use_decrypt_p (ksba_cert_t cert) { - return cert_usage_p (cert, 3, 0); + return cert_usage_p (cert, USE_MODE_DECR, 0); } int gpgsm_cert_use_cert_p (ksba_cert_t cert) { - return cert_usage_p (cert, 4, 0); + return cert_usage_p (cert, USE_MODE_CERT, 0); } int gpgsm_cert_use_ocsp_p (ksba_cert_t cert) { - return cert_usage_p (cert, 5, 0); + return cert_usage_p (cert, USE_MODE_OCSP, 0); } diff --git a/sm/fingerprint.c b/sm/fingerprint.c index 70ca0e9..5f3f6f5 100644 --- a/sm/fingerprint.c +++ b/sm/fingerprint.c @@ -306,6 +306,14 @@ gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits) } +/* Return true if CERT is an ECC key. */ +int +gpgsm_is_ecc_key (ksba_cert_t cert) +{ + return GCRY_PK_ECC == gpgsm_get_key_algo_info2 (cert, NULL, NULL); +} + + /* This is a wrapper around pubkey_algo_string which takes a KSBA * certificate instead of a Gcrypt public key. Note that this * function may return NULL on error. */ diff --git a/sm/gpgsm.c b/sm/gpgsm.c index bc22d68..f8b3856 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -516,7 +516,7 @@ static int default_include_certs = DEFAULT_INCLUDE_CERTS; static int default_validation_model; /* The default cipher algo. */ -#define DEFAULT_CIPHER_ALGO "AES" +#define DEFAULT_CIPHER_ALGO "AES256" static char *build_list (const char *text, @@ -2228,6 +2228,8 @@ gpgsm_init_default_ctrl (struct server_control_s *ctrl) ctrl->use_ocsp = opt.enable_ocsp; ctrl->validation_model = default_validation_model; ctrl->offline = opt.disable_dirmngr; + ctrl->revoked_at[0] = 0; + ctrl->revocation_reason = NULL; } @@ -2237,6 +2239,8 @@ void gpgsm_deinit_default_ctrl (ctrl_t ctrl) { gpgsm_keydb_deinit_session_data (ctrl); + xfree (ctrl->revocation_reason); + ctrl->revocation_reason = NULL; } diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 8765f9f..ced2d67 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -264,6 +264,10 @@ struct server_control_s /* The current time. Used as a helper in certchain.c. */ ksba_isotime_t current_time; + + /* The revocation info. Used as a helper inc ertchain.c */ + gnupg_isotime_t revoked_at; + char *revocation_reason; }; @@ -324,6 +328,7 @@ char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert); int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits); int gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve); +int gpgsm_is_ecc_key (ksba_cert_t cert); char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid); gcry_mpi_t gpgsm_get_rsa_modulus (ksba_cert_t cert); char *gpgsm_get_certid (ksba_cert_t cert); @@ -493,9 +498,11 @@ gpg_error_t gpgsm_agent_export_key (ctrl_t ctrl, const char *keygrip, size_t *r_resultlen); /*-- call-dirmngr.c --*/ -int gpgsm_dirmngr_isvalid (ctrl_t ctrl, - ksba_cert_t cert, ksba_cert_t issuer_cert, - int use_ocsp); +gpg_error_t gpgsm_dirmngr_isvalid (ctrl_t ctrl, + ksba_cert_t cert, ksba_cert_t issuer_cert, + int use_ocsp, + gnupg_isotime_t r_revoked_at, + char **r_reason); int gpgsm_dirmngr_lookup (ctrl_t ctrl, strlist_t names, const char *uri, int cache_only, void (*cb)(void*, ksba_cert_t), void *cb_value); diff --git a/sm/keydb.c b/sm/keydb.c index 5b28df7..fbe28f2 100644 --- a/sm/keydb.c +++ b/sm/keydb.c @@ -2027,7 +2027,7 @@ keydb_set_cert_flags (ctrl_t ctrl, ksba_cert_t cert, int ephemeral, err = keydb_search_fpr (ctrl, kh, fpr); if (err) { - if (gpg_err_code (err) != gpg_error (GPG_ERR_NOT_FOUND)) + if (gpg_err_code (err) != GPG_ERR_NOT_FOUND) log_error (_("problem re-searching certificate: %s\n"), gpg_strerror (err)); keydb_release (kh); diff --git a/sm/keylist.c b/sm/keylist.c index 9e2c79c..fabd822 100644 --- a/sm/keylist.c +++ b/sm/keylist.c @@ -300,7 +300,7 @@ print_pk_screening (ksba_cert_t cert, int colon_mode, estream_t fp) static void -print_capabilities (ksba_cert_t cert, estream_t fp) +print_capabilities (ksba_cert_t cert, int algo, estream_t fp) { gpg_error_t err; unsigned int use; @@ -352,7 +352,7 @@ print_capabilities (ksba_cert_t cert, estream_t fp) /* We need to returned the faked key usage to frontends so that they * can select the right key. Note that we don't do this for the * human readable keyUsage. */ - if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR) + if ((algo == GCRY_PK_ECC || (opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR)) && (use & KSBA_KEYUSAGE_KEY_AGREEMENT)) is_encr = 1; @@ -599,7 +599,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity, /* Field 11, signature class - not used */ es_putc (':', fp); /* Field 12, capabilities: */ - print_capabilities (cert, fp); + print_capabilities (cert, algo, fp); es_putc (':', fp); /* Field 13, not used: */ es_putc (':', fp); @@ -1201,6 +1201,15 @@ list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd, { err = gpgsm_validate_chain (ctrl, cert, GNUPG_ISOTIME_NONE, NULL, 1, fp, 0, NULL); + if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED + && !check_isotime (ctrl->revoked_at)) + { + es_fputs (" revoked: ", fp); + gpgsm_print_time (fp, ctrl->revoked_at); + if (ctrl->revocation_reason) + es_fprintf (fp, " (%s)", ctrl->revocation_reason); + es_putc ('\n', fp); + } if (!err) es_fprintf (fp, " [certificate is good]\n"); else @@ -1451,6 +1460,15 @@ list_cert_std (ctrl_t ctrl, ksba_cert_t cert, estream_t fp, int have_secret, err = gpgsm_validate_chain (ctrl, cert, GNUPG_ISOTIME_NONE, NULL, 1, fp, 0, NULL); + if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED + && !check_isotime (ctrl->revoked_at)) + { + es_fputs (" revoked: ", fp); + gpgsm_print_time (fp, ctrl->revoked_at); + if (ctrl->revocation_reason) + es_fprintf (fp, " (%s)", ctrl->revocation_reason); + es_putc ('\n', fp); + } tmperr = ksba_cert_get_user_data (cert, "is_qualified", &buffer, sizeof (buffer), &buflen); if (!tmperr && buflen) diff --git a/sm/sign.c b/sm/sign.c index 943589f..9290fc1 100644 --- a/sm/sign.c +++ b/sm/sign.c @@ -774,13 +774,16 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, /* We need to write at least a minimal list of our capabilities to - try to convince some MUAs to use 3DES and not the crippled - RC2. Our list is: - - aes128-CBC - des-EDE3-CBC - */ - err = ksba_cms_add_smime_capability (cms, "2.16.840.1.101.3.4.1.2", NULL, 0); + * try to convince some MUAs to use 3DES and not the crippled + * RC2. Our list is: + * + * aes256-CBC + * aes128-CBC + * des-EDE3-CBC + */ + err = ksba_cms_add_smime_capability (cms, "2.16.840.1.101.3.4.1.42", NULL,0); + if (!err) + err = ksba_cms_add_smime_capability (cms, "2.16.840.1.101.3.4.1.2", NULL,0); if (!err) err = ksba_cms_add_smime_capability (cms, "1.2.840.113549.3.7", NULL, 0); if (err) diff --git a/sm/verify.c b/sm/verify.c index 10d5d5c..2e40c02 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -634,8 +634,8 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) /* FIXME: INFO_PKALGO correctly shows ECDSA but PKALGO is then * ECC. We should use the ECDSA here and need to find a way to - * figure this oult without using the bodus assumtion in - * gpgsm_check_cms_signature that ECC is alwas ECDSA. */ + * figure this out without using the bogus assumption in + * gpgsm_check_cms_signature that ECC is always ECDSA. */ fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); tstr = strtimestamp_r (sigtime); -- cgit v1.2.3