Page MenuHome GnuPG
Files F37926927

No OneTemporary
Actions

View Options

This document is not UTF8. It was detected as ISO-8859-1 (Latin 1) and converted to UTF8 for display.
diff --git a/po/ChangeLog b/po/ChangeLog
index c1bcd81e1..25d7d4595 100644
--- a/po/ChangeLog
+++ b/po/ChangeLog
@@ -1,48 +1,54 @@
+2004-09-30 Werner Koch <wk@g10code.com>
+
+ * de.po: Updated.
+
+ * POTFILES.in: Add more files.
+
2004-07-22 Werner Koch <wk@g10code.de>
* de.po: Updated.
2004-04-06 Werner Koch <wk@gnupg.org>
* Makevars (DOMAIN): Init from PACKAGE_GT
2003-12-09 Werner Koch <wk@gnupg.org>
* Makevars (MSGID_BUGS_ADDRESS): New.
2003-04-29 Werner Koch <wk@gnupg.org>
* LINUGAS: NEW.
2003-04-29 gettextize <bug-gnu-gettext@gnu.org>
* Rules-quot: New file, from gettext-0.11.5.
* boldquot.sed: New file, from gettext-0.11.5.
* en@boldquot.header: New file, from gettext-0.11.5.
* en@quot.header: New file, from gettext-0.11.5.
* insert-header.sin: New file, from gettext-0.11.5.
* quot.sed: New file, from gettext-0.11.5.
* remove-potcdate.sin: New file, from gettext-0.11.5.
2002-08-21 Werner Koch <wk@gnupg.org>
* de.po: Updated the translation.
2002-08-10 Werner Koch <wk@gnupg.org>
* Makefile.in.in: Installed from gettext-0.10.40.
* POTFILES.in: New.
* de.po: New.
Copyright 2002 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/po/POTFILES.in b/po/POTFILES.in
index ae54716ac..eb4e36c85 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -1,36 +1,38 @@
# List of files with translatable strings.
agent/gpg-agent.c
agent/protect-tool.c
agent/divert-scd.c
agent/genkey.c
agent/query.c
common/sysutils.c
common/simple-pwquery.c
jnlib/argparse.c
jnlib/logging.c
kbx/kbxutil.c
scd/scdaemon.c
+scd/sc-investigate.c
+scd/app-openpgp.c
sm/base64.c
sm/call-agent.c
sm/call-dirmngr.c
sm/certdump.c
sm/certlist.c
sm/certchain.c
sm/decrypt.c
sm/delete.c
sm/encrypt.c
sm/gpgsm.c
sm/import.c
sm/keydb.c
sm/keylist.c
sm/sign.c
sm/verify.c
tools/gpgconf.c
tools/gpgconf-comp.c
diff --git a/po/de.po b/po/de.po
index a09f0024d..3c4d90a44 100644
--- a/po/de.po
+++ b/po/de.po
@@ -1,1296 +1,1393 @@
# German translation for GnuPG 1.9.x -*-coding: latin-1;-*-
# Copyright (C) 2002, 2004 Free Software Foundation, Inc.
# Werner Koch <wk@gnupg.org>, 2002.
#
#
# Note that we use "gnupg2" as the domain to avoid conflicts with
# already installed domains "gnupg" from GnuPG < 1.9.
#
msgid ""
msgstr ""
"Project-Id-Version: gnupg2 1.9.10\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2004-09-29 18:01+0200\n"
-"PO-Revision-Date: 2004-09-29 18:10+0200\n"
+"POT-Creation-Date: 2004-09-30 15:22+0200\n"
+"PO-Revision-Date: 2004-09-30 15:23+0200\n"
"Last-Translator: Werner Koch <wk@gnupg.org>\n"
"Language-Team: de\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=iso-8859-1\n"
"Content-Transfer-Encoding: 8bit\n"
#: agent/gpg-agent.c:97 agent/protect-tool.c:101 scd/scdaemon.c:93
msgid ""
"@Options:\n"
" "
msgstr ""
"@Optionen:\n"
" "
#: agent/gpg-agent.c:99 scd/scdaemon.c:95
msgid "run in server mode (foreground)"
msgstr "Im Server Modus ausführen"
#: agent/gpg-agent.c:100 scd/scdaemon.c:96
msgid "run in daemon mode (background)"
msgstr "Im Daemon Modus ausführen"
#: agent/gpg-agent.c:101 kbx/kbxutil.c:81 scd/scdaemon.c:97 sm/gpgsm.c:315
#: tools/gpgconf.c:62
msgid "verbose"
msgstr "ausführlich"
#: agent/gpg-agent.c:102 kbx/kbxutil.c:82 scd/scdaemon.c:98 sm/gpgsm.c:316
msgid "be somewhat more quiet"
msgstr "etwas weniger Aussageb erzeugen"
#: agent/gpg-agent.c:103 scd/scdaemon.c:99
msgid "sh-style command output"
msgstr "Ausgabe für /bin/sh"
#: agent/gpg-agent.c:104 scd/scdaemon.c:100
msgid "csh-style command output"
msgstr "Ausgabe für /bin/csh"
#: agent/gpg-agent.c:105
msgid "|FILE|read options from FILE"
msgstr "|DATEI|Konfigurationsoptionen aus DATEI lesen"
#: agent/gpg-agent.c:110 scd/scdaemon.c:107
msgid "do not detach from the console"
msgstr "Im Vordergrund laufen lassen"
#: agent/gpg-agent.c:111
msgid "do not grab keyboard and mouse"
msgstr "Tastatur und Maus nicht \"grabben\""
#: agent/gpg-agent.c:112 scd/scdaemon.c:108 sm/gpgsm.c:318
msgid "use a log file for the server"
msgstr "Logausgaben in eine Datei umlenken"
#: agent/gpg-agent.c:113
msgid "do not allow multiple connections"
msgstr "Nicht mehr als eine Verbindung erlauben"
#: agent/gpg-agent.c:116
msgid "|PGM|use PGM as the PIN-Entry program"
msgstr "|PGM|benutze PGM as PIN-Entry"
#: agent/gpg-agent.c:118
msgid "|PGM|use PGM as the SCdaemon program"
msgstr "|PGM|benutze PGM as SCdaemon"
#: agent/gpg-agent.c:125
msgid "ignore requests to change the TTY"
msgstr "Ignoriere Anfragen, das TTY zu wechseln"
#: agent/gpg-agent.c:127
msgid "ignore requests to change the X display"
msgstr "Ignoriere Anfragen, das X-Display zu wechseln"
#: agent/gpg-agent.c:130
msgid "|N|expire cached PINs after N seconds"
msgstr "|N|lasse PINs im Cache nach N Sekunden verfallen"
#: agent/gpg-agent.c:133
msgid "do not use the PIN cache when signing"
msgstr "benutze PINs im Cache nicht bem Signieren"
#: agent/gpg-agent.c:135
msgid "allow clients to mark keys as \"trusted\""
msgstr "erlaube Aufrufern Schlüssel als \"vertrauenswürdig\" zu markieren"
#: agent/gpg-agent.c:195 agent/protect-tool.c:134 scd/scdaemon.c:168
-#: sm/gpgsm.c:485 tools/gpgconf.c:85
+#: scd/sc-investigate.c:113 sm/gpgsm.c:485 tools/gpgconf.c:85
msgid "Please report bugs to <"
msgstr "Fehlerberichte bitte an <"
#: agent/gpg-agent.c:195 agent/protect-tool.c:134 scd/scdaemon.c:168
-#: sm/gpgsm.c:485 tools/gpgconf.c:85
+#: scd/sc-investigate.c:113 sm/gpgsm.c:485 tools/gpgconf.c:85
msgid ">.\n"
msgstr ">.\n"
#: agent/gpg-agent.c:198
msgid "Usage: gpg-agent [options] (-h for help)"
msgstr "Gebrauch: gpg-agent [Optionen] (-h für Hilfe)"
#: agent/gpg-agent.c:200
msgid ""
"Syntax: gpg-agent [options] [command [args]]\n"
"Secret key management for GnuPG\n"
msgstr ""
"Syntax: gpg-agent [Optionen] [Kommando [Argumente]]\n"
"Verwaltung von geheimen Schlüssel für GnuPG\n"
#: agent/gpg-agent.c:271 scd/scdaemon.c:242 sm/gpgsm.c:608
#, c-format
msgid "invalid debug-level `%s' given\n"
msgstr "ungültige Debugebene `%s' angegeben\n"
#: agent/gpg-agent.c:446 agent/protect-tool.c:1050 kbx/kbxutil.c:436
-#: scd/scdaemon.c:357 sm/gpgsm.c:731
+#: scd/scdaemon.c:357 scd/sc-investigate.c:181 sm/gpgsm.c:731
#, c-format
msgid "libgcrypt is too old (need %s, have %s)\n"
msgstr ""
"Die Bibliothek \"libgcrypt\" is zu alt (benötigt wird %s, vorhanden ist %s)\n"
#: agent/gpg-agent.c:519 scd/scdaemon.c:437 sm/gpgsm.c:829
#, c-format
msgid "NOTE: no default option file `%s'\n"
msgstr "Notiz: Voreingestellte Konfigurationsdatei `%s' fehlt\n"
#: agent/gpg-agent.c:524 agent/gpg-agent.c:998 scd/scdaemon.c:442
#: sm/gpgsm.c:833
#, c-format
msgid "option file `%s': %s\n"
msgstr "Konfigurationsdatei `%s': %s\n"
#: agent/gpg-agent.c:532 scd/scdaemon.c:450 sm/gpgsm.c:840
#, c-format
msgid "reading options from `%s'\n"
msgstr "Optionen werden aus `%s' gelesen\n"
#: agent/gpg-agent.c:1031 agent/gpg-agent.c:1065
#, c-format
msgid "can't create directory `%s': %s\n"
msgstr "Das Verzeichniss `%s' kann nicht erstell werden: %s\n"
#: agent/gpg-agent.c:1034 agent/gpg-agent.c:1070
#, c-format
msgid "directory `%s' created\n"
msgstr "Verzeichniss `%s' wurde erstellt\n"
#: agent/gpg-agent.c:1248
msgid "no gpg-agent running in this session\n"
msgstr "Der gpg-agent läuft nicht für diese Session\n"
#: agent/gpg-agent.c:1255 common/simple-pwquery.c:286 sm/call-agent.c:128
msgid "malformed GPG_AGENT_INFO environment variable\n"
msgstr "Die Variable GPG_AGENT_INFO ist fehlerhaft\n"
#: agent/gpg-agent.c:1267 common/simple-pwquery.c:298 sm/call-agent.c:140
#, c-format
msgid "gpg-agent protocol version %d is not supported\n"
msgstr "Das gpg-agent Protocol %d wird nicht unterstützt\n"
#: agent/protect-tool.c:137
msgid "Usage: gpg-protect-tool [options] (-h for help)\n"
msgstr "Gebrauch: gpg-protect-tool [Optionen] (-h für Hilfe)\n"
#: agent/protect-tool.c:139
msgid ""
"Syntax: gpg-protect-tool [options] [args]]\n"
"Secret key maintenance tool\n"
msgstr ""
"Syntax: gpg-protect-tool [Optionen] [Argumente]\n"
"Werkzeug zum Bearbeiten von geheimen Schlüsseln\n"
#: agent/protect-tool.c:1187
msgid "Please enter the passphrase to unprotect the PKCS#12 object."
msgstr "Bitte geben Sie die Passphrase zum Entsperren des PKCS#12 Objekts ein"
#: agent/protect-tool.c:1190
msgid "Please enter the passphrase to protect the new PKCS#12 object."
msgstr ""
"Bitte geben Sie die Passphrase zum Schützen des neuen PKCS#12 Objekts ein"
#: agent/protect-tool.c:1193
msgid ""
"Please enter the passphrase to protect the imported object within the GnuPG "
"system."
msgstr ""
"Bitte geben Sie die Passphrase ein, um das importierte Objket im GnuPG "
"System zu schützen."
#: agent/protect-tool.c:1196 agent/genkey.c:110 agent/genkey.c:224
msgid "Please re-enter this passphrase"
msgstr "Bitte geben Sie das Mantra (Passphrase) noch einmal ein:"
#: agent/protect-tool.c:1198
msgid ""
"Please enter the passphrase or the PIN\n"
"needed to complete this operation."
msgstr ""
"Die Eingabe des Mantras (Passphrase) bzw. der PIN\n"
"wird benötigt um diese Aktion auszuführen."
#: agent/protect-tool.c:1202 agent/genkey.c:131 agent/genkey.c:244
msgid "does not match - try again"
msgstr "Keine Übereinstimmung - bitte nochmal versuchen"
#: agent/protect-tool.c:1203
msgid "Passphrase:"
msgstr "Passphrase:"
#: agent/divert-scd.c:200
#, c-format
msgid "Please enter the PIN%s%s%s to unlock the card"
msgstr "Bitte geben Sie die PIN%s%s%s ein um die Karte zu entsperren"
#: agent/genkey.c:108
#, c-format
msgid "Please enter the passphrase to%0Ato protect your new key"
msgstr ""
"Bitte geben Sie das Mantra (Passphrase) ein%0Aum Ihren Schlüssel zu schützen"
#: agent/genkey.c:223
msgid "Please enter the new passphrase"
msgstr "Bitte geben Sie das Mantra (Passphrase) ein:"
#: agent/query.c:126
#, c-format
msgid "failed to acquire the pinentry lock: %s\n"
msgstr "Die Sperre für das Pinentry kann nicht gesetzt werden: %s\n"
#: agent/query.c:288
msgid ""
"Please enter your PIN, so that the secret key can be unlocked for this "
"session"
msgstr ""
"Bitte geben Sie Ihre PIN ein, so daß der geheime Schlüssel benutzt werden "
"kann"
#: agent/query.c:291
msgid ""
"Please enter your passphrase, so that the secret key can be unlocked for "
"this session"
msgstr ""
"Bitte geben Sie Ihr Mantra (Passphrase) ein, so daß der geheime Schlüssel "
"benutzt werden kann"
#: agent/query.c:346 agent/query.c:358
msgid "PIN too long"
msgstr "Die PIN ist zu lang"
#: agent/query.c:347
msgid "Passphrase too long"
msgstr "Das Matra (Passphrase) ist zu lang"
#: agent/query.c:355
msgid "Invalid characters in PIN"
msgstr "Ungültige Zeichen in der PIN"
#: agent/query.c:360
msgid "PIN too short"
msgstr "Die PIN ist zu kurz"
#: agent/query.c:372
msgid "Bad PIN"
msgstr "Falsche PIN"
#: agent/query.c:373
msgid "Bad Passphrase"
msgstr "Falsches Mantra (Passphrase)"
#: agent/query.c:412
msgid "Passphrase"
msgstr "Mantra"
#: common/sysutils.c:87
#, c-format
msgid "can't disable core dumps: %s\n"
msgstr ""
"Das Erstellen eines Speicherabzugs (core-dump) kann nicht verhindert werden: "
"%s\n"
#: common/sysutils.c:182
#, c-format
msgid "Warning: unsafe ownership on %s \"%s\"\n"
msgstr "WARNUNG: Unsichere Besitzrechte für %s \"%s\"\n"
#: common/sysutils.c:214
#, c-format
msgid "Warning: unsafe permissions on %s \"%s\"\n"
msgstr "WARNUNG: Unsichere Zugriffsrechte für %s \"%s\"\n"
#: common/simple-pwquery.c:272
msgid "gpg-agent is not available in this session\n"
msgstr "Der gpg-agent ist nicht verfügbar\n"
#: common/simple-pwquery.c:320
#, c-format
msgid "can't connect to `%s': %s\n"
msgstr "Verbindung zu `%s' kann nicht aufgebaut werden: %s\n"
#: common/simple-pwquery.c:331
msgid "communication problem with gpg-agent\n"
msgstr "Kommunikationsproblem mit gpg-agent\n"
#: common/simple-pwquery.c:341
msgid "problem setting the gpg-agent options\n"
msgstr "Beim setzen der gpg-agent Optionen ist ein problem aufgetreten\n"
#: common/simple-pwquery.c:479
msgid "canceled by user\n"
msgstr "Vom Benutzer abgebrochen\n"
#: common/simple-pwquery.c:486
msgid "problem with the agent\n"
msgstr "Problem mit dem Agenten\n"
#: jnlib/logging.c:555
#, c-format
msgid "you found a bug ... (%s:%d)\n"
msgstr "Sie haben einen Bug (Softwarefehler) gefunden ... (%s:%d)\n"
#: kbx/kbxutil.c:68 sm/gpgsm.c:226 tools/gpgconf.c:53
msgid ""
"@Commands:\n"
" "
msgstr ""
"@Kommandos:\n"
" "
#: kbx/kbxutil.c:76 sm/gpgsm.c:261 tools/gpgconf.c:59
msgid ""
"@\n"
"Options:\n"
" "
msgstr ""
"@\n"
"Optionen:\n"
" "
#: kbx/kbxutil.c:83 sm/gpgsm.c:323 tools/gpgconf.c:64
msgid "do not make any changes"
msgstr "Keine Änderungen durchführen"
#: kbx/kbxutil.c:85
msgid "set debugging flags"
msgstr "Debug Flags setzen"
#: kbx/kbxutil.c:86
msgid "enable full debugging"
msgstr "Alle Debug Flags setzen"
#: kbx/kbxutil.c:107
msgid "Please report bugs to "
msgstr "Bite richten sie Berichte über Bugs (Softwarefehler) an "
#: kbx/kbxutil.c:107
msgid ".\n"
msgstr ".\n"
#: kbx/kbxutil.c:111
msgid "Usage: kbxutil [options] [files] (-h for help)"
msgstr "Gebrauch: kbxutil [Optionen] [Dateien] (-h für Hilfe)"
#: kbx/kbxutil.c:114
msgid ""
"Syntax: kbxutil [options] [files]\n"
"list, export, import Keybox data\n"
msgstr ""
"Syntax: kbxutil [Optionen] [Dateien]\n"
"Anlistem exportieren und Importieren von KeyBox Dateien\n"
#: scd/scdaemon.c:101 sm/gpgsm.c:335
msgid "read options from file"
msgstr "Konfigurationsoptionen aus Datei lesen"
#: scd/scdaemon.c:106
msgid "|N|set OpenSC debug level to N"
msgstr "|N|Den OpenSC Debugstufe auf N setzen"
#: scd/scdaemon.c:109
msgid "|N|connect to reader at port N"
msgstr "|N|Verbinde mit dem Leser auf Port N"
#: scd/scdaemon.c:110
msgid "|NAME|use NAME as ct-API driver"
msgstr "|NAME|Benutze NAME als CT-API Treiber"
#: scd/scdaemon.c:111
msgid "|NAME|use NAME as PC/SC driver"
msgstr "|NAME|Benutze NAME als PC/SC Treiber"
#: scd/scdaemon.c:114
msgid "do not use the internal CCID driver"
msgstr "Den internen CCID Treiber nicht benutzen"
#: scd/scdaemon.c:121
msgid "do not use the OpenSC layer"
msgstr "Den OpenSC basierten Kartenzugriff nicht nutzen"
#: scd/scdaemon.c:126
msgid "allow the use of admin card commands"
msgstr "Erlaube die Benuztung von \"Admin\" Kommandos"
#: scd/scdaemon.c:171
msgid "Usage: scdaemon [options] (-h for help)"
msgstr "Gebrauch: scdaemon [Optionen] (-h für Hilfe)"
#: scd/scdaemon.c:173
msgid ""
"Syntax: scdaemon [options] [command [args]]\n"
"Smartcard daemon for GnuPG\n"
msgstr ""
"Synatx: scdaemon [Optionen] [Kommando [Argumente]]\n"
"Smartcard Daemon für GnuPG\n"
#: scd/scdaemon.c:630
msgid "please use the option `--daemon' to run the program in the background\n"
msgstr ""
"Bitte die Option `--daemon' nutzen um das Programm im Hintergund "
"auszuführen\n"
+#: scd/sc-investigate.c:116
+msgid "Usage: sc-investigate [options] (-h for help)\n"
+msgstr "Gebrauch: sc-investigate [Optionen] (-h für Hilfe)\n"
+
+#: scd/sc-investigate.c:118
+msgid ""
+"Syntax: sc-investigate [options] [args]]\n"
+"Have a look at smartcards\n"
+msgstr ""
+"Gebrauch: sc-investigate [Optionen] [Argumente]\n"
+"Den Inhalt einer Smartcard inspizieren\n"
+
+#: scd/app-openpgp.c:458
+#, c-format
+msgid "failed to store the fingerprint: %s\n"
+msgstr "Der Fingerprint kann nicht gespeichert werden: %s\n"
+
+#: scd/app-openpgp.c:471
+#, c-format
+msgid "failed to store the creation date: %s\n"
+msgstr "Das Erzeugungsdatum kann nicht gespeichert werden: %s\n"
+
+#: scd/app-openpgp.c:656 scd/app-openpgp.c:745
+#, c-format
+msgid "PIN callback returned error: %s\n"
+msgstr "Fehler vom PIN \"callback\": %s\n"
+
+#: scd/app-openpgp.c:662 scd/app-openpgp.c:751 scd/app-openpgp.c:1236
+#, c-format
+msgid "prassphrase (CHV%d) is too short; minimum length is %d\n"
+msgstr "Die Passphrase (CHV%d) ist zu kurz; Mindestlänge ist %d\n"
+
+#: scd/app-openpgp.c:671 scd/app-openpgp.c:685 scd/app-openpgp.c:761
+#: scd/app-openpgp.c:1245 scd/app-openpgp.c:1259
+#, c-format
+msgid "verify CHV%d failed: %s\n"
+msgstr "Prüfen von CHV%d fehlgeschlagen: %s\n"
+
+#: scd/app-openpgp.c:708
+msgid "access to admin commands is not configured\n"
+msgstr "Zugriff auf Admin Kommandos ist nicht konfiguriert\n"
+
+#: scd/app-openpgp.c:725
+msgid "error retrieving CHV status from card\n"
+msgstr "Fehler beim Holen des CHV Status von der Karte\n"
+
+#: scd/app-openpgp.c:731
+msgid "card is permanently locked!\n"
+msgstr "Die Karte ist dauerhaft gesperrt!\n"
+
+#: scd/app-openpgp.c:738
+#, c-format
+msgid "%d Admin PIN attempts remaining before card is permanently locked\n"
+msgstr ""
+"Noch %d Admin PIN Versuche möglich bevor die Karte dauerhaft gesperrt wird\n"
+
+#: scd/app-openpgp.c:742
+msgid "Admin PIN"
+msgstr "Admin PIN"
+
+#: scd/app-openpgp.c:1504
+msgid "can't access CHV Status Bytes - invalid OpenPGP card?\n"
+msgstr ""
+"Zugriff auf die CHV Status Bytes nicht möglich - ungültige OpenPGP Karte?\n"
+
+#: scd/app-openpgp.c:1514
+msgid "can't access Extended Capability Flags - invalid OpenPGP card?\n"
+msgstr ""
+"Zugriff auf die Extended Capability Flags nicht möglich - ungültige OpenPGP "
+"Karte?\n"
+
+#: scd/app-openpgp.c:1584
+#, c-format
+msgid "error getting serial number: %s\n"
+msgstr "Fehler beim Holen der Seriennummer: %s\n"
+
+#: scd/app-openpgp.c:1679
+#, c-format
+msgid "failed to store the key: %s\n"
+msgstr "Fehler beim Speichern des Schlüssels: %s\n"
+
+#: scd/app-openpgp.c:1721
+msgid "reading the key failed\n"
+msgstr "Fehler beim Lesen des Schlüssels: %s\n"
+
+#: scd/app-openpgp.c:1728
+msgid "response does not contain the public key data\n"
+msgstr "Die Antwort enthält keine Public Key Daten\n"
+
+#: scd/app-openpgp.c:1736
+msgid "response does not contain the RSA modulus\n"
+msgstr "Die Antwort enthält keinen RSA Modulus\n"
+
+#: scd/app-openpgp.c:1747
+msgid "response does not contain the RSA public exponent\n"
+msgstr "Die Antwort enthält keinen öffenlichen RSA Exponent\n"
+
#: sm/base64.c:315
#, c-format
msgid "invalid radix64 character %02x skipped\n"
msgstr "Ungültiges Basis-64 Zeichen %02X wurde übergangen\n"
#: sm/call-agent.c:88
msgid "no running gpg-agent - starting one\n"
msgstr "Kein aktiver gpg-agent - es wird einer gestarted\n"
#: sm/call-agent.c:151
msgid "can't connect to the agent - trying fall back\n"
msgstr "Verbindung zum gpg-agent nicht möglich - Ersatzmethode wird versucht\n"
#: sm/call-dirmngr.c:164
msgid "no running dirmngr - starting one\n"
msgstr "Kein aktiver Dirmngr - es wird einer gestartet\n"
#: sm/call-dirmngr.c:202
msgid "malformed DIRMNGR_INFO environment variable\n"
msgstr "Die Variable DIRMNGR_INFO ist fehlerhaft\n"
#: sm/call-dirmngr.c:214
#, c-format
msgid "dirmngr protocol version %d is not supported\n"
msgstr "Die Dirmngr Protokollversion %d wird nicht unterstützt\n"
#: sm/call-dirmngr.c:225
msgid "can't connect to the dirmngr - trying fall back\n"
msgstr ""
"Verbindung zum Dirmngr kann nicht aufgebaut werden - Ersatzmethode wird "
"versucht\n"
#: sm/certdump.c:59 sm/certdump.c:142
msgid "none"
msgstr "keine"
#: sm/certdump.c:151
msgid "[none]"
msgstr "[keine]"
#: sm/certdump.c:490
msgid "[Error - No name]"
msgstr "[Fehler - Kein Name]"
#: sm/certdump.c:499
msgid "[Error - unknown encoding]"
msgstr "[Fehler - Unbekannte Kodierung]"
#: sm/certdump.c:503
msgid "[Error - invalid encoding]"
msgstr "[Fehler - Ungültige Kodierung]"
#: sm/certdump.c:508
msgid "[Error - invalid DN]"
msgstr "[Fehler - Ungültiger DN]"
-#: sm/certdump.c:652
+#: sm/certdump.c:655
#, c-format
msgid ""
"Please enter the passphrase to unlock the secret key for:\n"
"\"%s\"\n"
"S/N %s, ID %08lX, created %s"
msgstr ""
"Bitte geben Sie die Passphrase an, um den \n"
-"geheimen Schlüssels von\n"
+"geheimen Schlüssel von\n"
"\"%s\"\n"
"S/N %s, ID %08lX, erzeugt %s\n"
"zu entsperren"
#: sm/certlist.c:122
msgid "no key usage specified - assuming all usages\n"
msgstr ""
"Schlüsselverwendungszweck nicht vorhanden - für alle Zwecke akzeptiert\n"
#: sm/certlist.c:132 sm/keylist.c:224
#, c-format
msgid "error getting key usage information: %s\n"
msgstr "Fehler beim holen der Schlüsselbenutzungsinformationen: %s\n"
#: sm/certlist.c:142
msgid "certificate should have not been used for certification\n"
msgstr "Das Zertifikat hätte nicht zum Zertifizieren benutzt werden sollen\n"
#: sm/certlist.c:154
msgid "certificate should have not been used for OCSP response signing\n"
msgstr ""
"Das Zertifikat hätte nicht zum Signieren von OCSP Antworten benutzt werden "
"sollen\n"
#: sm/certlist.c:165
msgid "certificate should have not been used for encryption\n"
msgstr "Das Zertifikat hätte nicht zum Verschlüsseln benutzt werden sollen\n"
#: sm/certlist.c:166
msgid "certificate should have not been used for signing\n"
msgstr "Das Zertifikat hätte nicht zum Signieren benutzt werden sollen\n"
#: sm/certlist.c:167
msgid "certificate is not usable for encryption\n"
msgstr "Das Zertifikat kann nicht zum Verschlüsseln benutzt werden\n"
#: sm/certlist.c:168
msgid "certificate is not usable for signing\n"
msgstr "Das Zertifikat kann nicht zum Signieren benutzt werden\n"
#: sm/certchain.c:109
#, c-format
msgid "critical certificate extension %s is not supported"
msgstr "Die kritische Zertifikaterweiterung %s wird nicht unterstützt"
#: sm/certchain.c:131
msgid "issuer certificate is not marked as a CA"
msgstr "Das Herausgeberzertifikat ist nicht für eine CA gekennzeichnet"
#: sm/certchain.c:169
msgid "critical marked policy without configured policies"
msgstr "kritische Richtlinie ohne konfigurierte Richtlinien"
#: sm/certchain.c:185 sm/certchain.c:214
msgid "note: non-critical certificate policy not allowed"
msgstr "Notiz: Die unkritische Zertifikatrichtlinie ist nicht erlaubt"
#: sm/certchain.c:189 sm/certchain.c:218
msgid "certificate policy not allowed"
msgstr "Die Zertifikatrichtlinie ist nicht erlaubt"
#: sm/certchain.c:349
msgid "looking up issuer at external location\n"
msgstr "Der Herausgeber wird von einer externen Stelle gesucht\n"
#: sm/certchain.c:367
#, c-format
msgid "number of issuers matching: %d\n"
msgstr "Anzahl der übereinstimmenden Heruasgeber: %d\n"
#: sm/certchain.c:403 sm/certchain.c:561 sm/certchain.c:921 sm/decrypt.c:260
#: sm/encrypt.c:341 sm/sign.c:324 sm/verify.c:106
msgid "failed to allocated keyDB handle\n"
msgstr "Ein keyDB Handle konnte nicht bereitgestellt werden\n"
#: sm/certchain.c:492
msgid "certificate has been revoked"
msgstr "Das Zertifikat wurde widerrufen"
#: sm/certchain.c:501
msgid "no CRL found for certificate"
msgstr "Keine CRL für das Zertifikat gefunden"
#: sm/certchain.c:505
msgid "the available CRL is too old"
msgstr "Die vorhandene CRL ist zu alt"
#: sm/certchain.c:507
msgid "please make sure that the \"dirmngr\" is properly installed\n"
msgstr ""
"Bite vergewissern Sie sich das der \"dirmngr\" richtig installierrt ist\n"
#: sm/certchain.c:512
#, c-format
msgid "checking the CRL failed: %s"
msgstr "Die CRL konnte nicht geprüft werden: %s"
#: sm/certchain.c:581
msgid "no issuer found in certificate"
msgstr "Im Zertifikat ist kein Herausgeber enthalten"
#: sm/certchain.c:594
#, c-format
msgid "certificate with invalid validity: %s"
msgstr "Zertifikat mit unzulässiger Gültigkeit: %s"
#: sm/certchain.c:610
msgid "certificate not yet valid"
msgstr "Das Zertifikat ist noch nicht gültig"
#: sm/certchain.c:623
msgid "certificate has expired"
msgstr "Das Zertifikat ist abgelaufen"
#: sm/certchain.c:660
msgid "selfsigned certificate has a BAD signature"
msgstr "Das eigenbeglaubigte Zertifikat hat eine FALSCHE Signatur"
#: sm/certchain.c:674
msgid "root certificate is not marked trusted"
msgstr "Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert"
#: sm/certchain.c:685
#, c-format
msgid "fingerprint=%s\n"
msgstr "Fingerprint=%s\n"
#: sm/certchain.c:690
msgid "root certificate has now been marked as trusted\n"
msgstr "Das Wurzelzertifikat wurde nun als vertrauenswürdig markiert\n"
#: sm/certchain.c:705
#, c-format
msgid "checking the trust list failed: %s\n"
msgstr "Fehler beim Prüfen der vertrauenswürdigen Zertifikate: %s\n"
#: sm/certchain.c:731 sm/import.c:166
msgid "certificate chain too long\n"
msgstr "Der Zertifikatkette ist zu lang\n"
#: sm/certchain.c:743
msgid "issuer certificate not found"
msgstr "Herausgeberzertifikat nicht gefunden"
#: sm/certchain.c:776
msgid "certificate has a BAD signature"
msgstr "Das Zertifikat hat eine FALSCHE Signatur"
#: sm/certchain.c:799
msgid "found another possible matching CA certificate - trying again"
msgstr ""
"Eine anderes möglicherweise passendes CA-Zertifikat gefunden - versuche "
"nochmal"
#: sm/certchain.c:822
#, c-format
msgid "certificate chain longer than allowed by CA (%d)"
msgstr "Die Zertifikatkette ist länger als von der CA erlaubt (%d)"
#: sm/decrypt.c:127
msgid ""
"WARNING: message was encrypted with a weak key in the symmetric cipher.\n"
msgstr ""
"WARNUNG: Die Nachricht wurde mich einem schwachen Schlüssel (Weak Key) "
"erzeugt\n"
#: sm/decrypt.c:325
msgid "(this is the RC2 algorithm)\n"
msgstr "(Dies ist der RC-2 Algorithmus)\n"
#: sm/decrypt.c:327
msgid "(this does not seem to be an encrypted message)\n"
msgstr "(dies is wahrscheinlich keine verschlüsselte Nachricht)\n"
#: sm/delete.c:51 sm/delete.c:102
#, c-format
msgid "certificate `%s' not found: %s\n"
msgstr "Zertifikat `%s' nicht gefunden: %s\n"
#: sm/delete.c:112 sm/keydb.c:1403 sm/keydb.c:1496
#, c-format
msgid "error locking keybox: %s\n"
msgstr "Fehler beim Sperren der Keybox: %s\n"
#: sm/delete.c:133
#, c-format
msgid "duplicated certificate `%s' deleted\n"
msgstr "Doppeltes Zertifikat `%s' gelöscht\n"
#: sm/delete.c:135
#, c-format
msgid "certificate `%s' deleted\n"
msgstr "Zertifikat `%s' gelöscht\n"
#: sm/delete.c:165
#, c-format
msgid "deleting certificate \"%s\" failed: %s\n"
msgstr "Fehler beim Löschen des Zertifikats \"%s\": %s\n"
#: sm/encrypt.c:120
msgid "weak key created - retrying\n"
msgstr "Schwacher Schlüssel - es wird erneut versucht\n"
#: sm/encrypt.c:332
msgid "no valid recipients given\n"
msgstr "Keine gültigen Empfänger angegeben\n"
#: sm/gpgsm.c:228
msgid "|[FILE]|make a signature"
msgstr "|[DATEI]|Erzeuge eine Signatur"
#: sm/gpgsm.c:229
msgid "|[FILE]|make a clear text signature"
msgstr "|[DATEI]|Erzeuge eine Klartextsignatur"
#: sm/gpgsm.c:230
msgid "make a detached signature"
msgstr "Erzeuge eine abgetrennte Signatur"
#: sm/gpgsm.c:231
msgid "encrypt data"
msgstr "Verschlüssele die Daten"
#: sm/gpgsm.c:232
msgid "encryption only with symmetric cipher"
msgstr "Verschlüsselung nur mit symmetrischem Algrithmus"
#: sm/gpgsm.c:233
msgid "decrypt data (default)"
msgstr "Enschlüssele die Daten"
#: sm/gpgsm.c:234
msgid "verify a signature"
msgstr "Überprüfen einer Signatur"
#: sm/gpgsm.c:236
msgid "list keys"
msgstr "Schlüssel anzeigen"
#: sm/gpgsm.c:237
msgid "list external keys"
msgstr "Externe Schlüssel anzeigen"
#: sm/gpgsm.c:238
msgid "list secret keys"
msgstr "Geheime Schlüssel anzeigen"
#: sm/gpgsm.c:239
msgid "list certificate chain"
msgstr "Schlüssel mit Zertifikatekette anzeigen"
#: sm/gpgsm.c:241
msgid "list keys and fingerprints"
msgstr "Schlüssel und Fingerprint anzeigen"
#: sm/gpgsm.c:242
msgid "generate a new key pair"
msgstr "Neues Schlüsselpaar erzeugen"
#: sm/gpgsm.c:243
msgid "remove key from the public keyring"
msgstr "Schlüssel aus dem öffentlichen Schlüsselbund löschen"
#: sm/gpgsm.c:244
msgid "export keys to a key server"
msgstr "Schlüssen an eine Schlüsselserver exportieren"
#: sm/gpgsm.c:245
msgid "import keys from a key server"
msgstr "Schlüssel von einem Schlüsselserver importieren"
#: sm/gpgsm.c:246
msgid "import certificates"
msgstr "Zertifikate importieren"
#: sm/gpgsm.c:247
msgid "export certificates"
msgstr "Zertifikate exportieren"
#: sm/gpgsm.c:248
msgid "register a smartcard"
msgstr "Smartcard registrieren"
#: sm/gpgsm.c:249
msgid "run in server mode"
msgstr "Im Server Modus ausführen"
#: sm/gpgsm.c:250
msgid "pass a command to the dirmngr"
msgstr "Das Kommand an den Dirmngr durchreichen"
#: sm/gpgsm.c:252
msgid "invoke gpg-protect-tool"
msgstr "Rufe das gpg-protect-tool auf"
#: sm/gpgsm.c:253
msgid "change a passphrase"
msgstr "Das Mantra (Passphrase) ändern"
#: sm/gpgsm.c:263
msgid "create ascii armored output"
msgstr "Ausgabe mit ASCII Hülle wird erzeugt"
#: sm/gpgsm.c:265
msgid "create base-64 encoded output"
msgstr "Ausgabe im Basis-64 format erzeugen"
#: sm/gpgsm.c:267
msgid "assume input is in PEM format"
msgstr "Eingabedaten sind im PEM Format"
#: sm/gpgsm.c:269
msgid "assume input is in base-64 format"
msgstr "Eingabedaten sin im Basis-64 Format"
#: sm/gpgsm.c:271
msgid "assume input is in binary format"
msgstr "Eingabedaten sind im Binärformat"
#: sm/gpgsm.c:273
msgid "|NAME|encrypt for NAME"
msgstr "|NAME|Verschlüsseln für NAME"
#: sm/gpgsm.c:276
msgid "never consult a CRL"
msgstr "Niemals eine CRL konsultieren"
#: sm/gpgsm.c:281
msgid "check validity using OCSP"
msgstr "Die Gültigkeit mittels OCSP prüfen"
#: sm/gpgsm.c:284
msgid "|N|number of certificates to include"
msgstr "|N|Sende N Zertifikate mit"
#: sm/gpgsm.c:287
msgid "|FILE|take policy information from FILE"
msgstr "|DATEI|Richtlinieninformationen DATEI entnehmen"
#: sm/gpgsm.c:290
msgid "do not check certificate policies"
msgstr "Zertikikatrichtlinien nicht überprüfen"
#: sm/gpgsm.c:294
msgid "fetch missing issuer certificates"
msgstr "Fehlende Zertifikate automatisch holen"
#: sm/gpgsm.c:298
msgid "|NAME|use NAME as default recipient"
msgstr "|NAME|Benutze NAME als voreingestellten Empfänger"
#: sm/gpgsm.c:300
msgid "use the default key as default recipient"
msgstr "Benuzte voreingestellten Schlüssel als Standardempfänger"
#: sm/gpgsm.c:306
msgid "use this user-id to sign or decrypt"
msgstr "Benuzte diese Benutzer ID zum Signieren oder Entschlüsseln"
#: sm/gpgsm.c:309
msgid "|N|set compress level N (0 disables)"
msgstr "|N|Benutze Komprimierungsstufe N"
#: sm/gpgsm.c:311
msgid "use canonical text mode"
msgstr "Kanonischen Textmodus benutzen"
#: sm/gpgsm.c:314 tools/gpgconf.c:61
msgid "use as output file"
msgstr "als Ausgabedatei benutzen"
#: sm/gpgsm.c:317
msgid "don't use the terminal at all"
msgstr "Das Terminal überhaupt nicht benutzen"
#: sm/gpgsm.c:320
msgid "force v3 signatures"
msgstr "Version 3 Signaturen erzwingen"
#: sm/gpgsm.c:321
msgid "always use a MDC for encryption"
msgstr "Immer das MDC Verfahren zum verschlüsseln mitbenutzen"
#: sm/gpgsm.c:326
msgid "batch mode: never ask"
msgstr "Stapelverarbeitungs Modus: Nie nachfragen"
#: sm/gpgsm.c:327
msgid "assume yes on most questions"
msgstr "\"Ja\" auf die meisten Anfragen annehmen"
#: sm/gpgsm.c:328
msgid "assume no on most questions"
msgstr "\"Nein\" auf die meisten Anfragen annehmen"
#: sm/gpgsm.c:330
msgid "add this keyring to the list of keyrings"
msgstr "Diesen Keyring in die Liste der Keyrings aufnehmen"
#: sm/gpgsm.c:331
msgid "add this secret keyring to the list"
msgstr "Diese geheimen Keyring in die Liste aufnehmen"
#: sm/gpgsm.c:332
msgid "|NAME|use NAME as default secret key"
msgstr "|NAME|Benutze NAME als voreingestellten Schlüssel"
#: sm/gpgsm.c:333
msgid "|HOST|use this keyserver to lookup keys"
msgstr "|HOST|Benutze HOST als Schlüsselserver"
#: sm/gpgsm.c:334
msgid "|NAME|set terminal charset to NAME"
msgstr "|NAME|Den Zeichensatz für das Terminal auf NAME setzen"
#: sm/gpgsm.c:345
msgid "|FD|write status info to this FD"
msgstr "|FD|Statusinformationen auf Dateidescriptor FD schreiben"
#: sm/gpgsm.c:352
msgid "|FILE|load extension module FILE"
msgstr "|DATEI|Das Erweiterungsmodul DATEI laden"
#: sm/gpgsm.c:358
msgid "|NAME|use cipher algorithm NAME"
msgstr "|NAME|Den Verhsclüsselungsalgrithmus NAME benutzen"
#: sm/gpgsm.c:360
msgid "|NAME|use message digest algorithm NAME"
msgstr "|NAME|Den Hashalgorithmus NAME benutzen"
#: sm/gpgsm.c:362
msgid "|N|use compress algorithm N"
msgstr "|N|Den Kompressionsalgorithmus Nummer N benutzen"
#: sm/gpgsm.c:370
msgid ""
"@\n"
"(See the man page for a complete listing of all commands and options)\n"
msgstr ""
"@\n"
"(Die \"man\" Seite beschreibt alle Kommands und Optionen)\n"
#: sm/gpgsm.c:373
msgid ""
"@\n"
"Examples:\n"
"\n"
" -se -r Bob [file] sign and encrypt for user Bob\n"
" --clearsign [file] make a clear text signature\n"
" --detach-sign [file] make a detached signature\n"
" --list-keys [names] show keys\n"
" --fingerprint [names] show fingerprints\n"
msgstr ""
"@\n"
"Beispiele:\n"
"\n"
" -se -r Bob [Datei] Signieren und verschlüsseln für Benutzer Bob\\n\n"
" --clearsign [Datei] Eine Klartextsignatur erzeugen\\n\n"
" --detach-sign [Datei] Eine abgetrennte Signatur erzeugen\\n\n"
" --list-keys [Namen] Schlüssel anzeigenn\n"
" --fingerprint [Namen] \"Fingerabdrücke\" anzeigen\\n\n"
#: sm/gpgsm.c:488
msgid "Usage: gpgsm [options] [files] (-h for help)"
msgstr "Gebrauch: gpgsm [Optionen] [Dateien] (-h für Hilfe)"
#: sm/gpgsm.c:491
msgid ""
"Syntax: gpgsm [options] [files]\n"
"sign, check, encrypt or decrypt using the S/MIME protocol\n"
"default operation depends on the input data\n"
msgstr ""
"Gebrauch: gpgsm [Optionen] [Dateien]\n"
"Signieren, prüfen, ver- und entschlüsseln mittels S/MIME protocol\n"
#: sm/gpgsm.c:498
msgid ""
"\n"
"Supported algorithms:\n"
msgstr ""
"\n"
"Unterstützte Algorithmen:\n"
#: sm/gpgsm.c:579
msgid "usage: gpgsm [options] "
msgstr "Gebrauch: gpgsm [Optionen] "
#: sm/gpgsm.c:645
msgid "conflicting commands\n"
msgstr "Widersprechende Kommandos\n"
#: sm/gpgsm.c:661
#, c-format
msgid "can't encrypt to `%s': %s\n"
msgstr "Verschlüsseln für `%s' nicht möglich: %s\n"
#: sm/gpgsm.c:736
#, c-format
msgid "libksba is too old (need %s, have %s)\n"
msgstr "Die Bibliothek Libksba is nicht aktuell (benötige %s, habe %s)\n"
-#: sm/gpgsm.c:1182
+#: sm/gpgsm.c:1183
msgid "WARNING: program may create a core file!\n"
msgstr "WARNUNG: Programm könnte eine core-dump-Datei schreiben!\n"
-#: sm/gpgsm.c:1194
+#: sm/gpgsm.c:1195
msgid "WARNING: running with faked system time: "
msgstr "WARNUNG: Ausführung mit gefälschter Systemzeit: "
-#: sm/gpgsm.c:1220
+#: sm/gpgsm.c:1221
msgid "selected cipher algorithm is invalid\n"
msgstr "Das ausgewählte Verschlüsselungsverfahren ist ungültig\n"
-#: sm/gpgsm.c:1228
+#: sm/gpgsm.c:1229
msgid "selected digest algorithm is invalid\n"
msgstr "Das ausgewählte Hashverfahren ist ungültig\n"
-#: sm/gpgsm.c:1258
+#: sm/gpgsm.c:1259
#, c-format
msgid "can't sign using `%s': %s\n"
msgstr "Signieren mit `%s' nicht möglich: %s\n"
-#: sm/gpgsm.c:1422
+#: sm/gpgsm.c:1423
msgid "this command has not yet been implemented\n"
msgstr "Diee Kommando wurde noch nicht implementiert\n"
-#: sm/gpgsm.c:1645 sm/gpgsm.c:1678
+#: sm/gpgsm.c:1646 sm/gpgsm.c:1679
#, c-format
msgid "can't open `%s': %s\n"
msgstr "Datei `%s' kann nicht geöffnet werden: %s\n"
#: sm/import.c:118
#, c-format
msgid "total number processed: %lu\n"
msgstr "gesamte verarbeitete Anzahl: %lu\n"
#: sm/import.c:121
#, c-format
msgid " imported: %lu"
msgstr " importiert: %lu"
#: sm/import.c:125
#, c-format
msgid " unchanged: %lu\n"
msgstr " nicht geändert: %lu\n"
#: sm/import.c:127
#, c-format
msgid " secret keys read: %lu\n"
msgstr " gelesene private Schlüssel: %lu\n"
#: sm/import.c:129
#, c-format
msgid " secret keys imported: %lu\n"
msgstr "importierte priv. Schlüssel: %lu\n"
#: sm/import.c:131
#, c-format
msgid " secret keys unchanged: %lu\n"
msgstr "ungeänderte priv. Schlüssel: %lu\n"
#: sm/import.c:133
#, c-format
msgid " not imported: %lu\n"
msgstr " nicht importiert: %lu\n"
#: sm/import.c:235
msgid "error storing certificate\n"
msgstr "Fehler beim speichern des Zertifikats\n"
#: sm/import.c:243
msgid "basic certificate checks failed - not imported\n"
msgstr "Grundlegende Zertifikatprüfungen fehlgeschlagen - nicht importiert\n"
#: sm/import.c:429 sm/import.c:461
#, c-format
msgid "error importing certificate: %s\n"
msgstr "Fehler beim Importieren des Zertifikats: %s\n"
#: sm/import.c:490
#, c-format
msgid "error creating a pipe: %s\n"
msgstr "Fehler beim Erzeugen einer \"Pipe\": %s\n"
#: sm/import.c:498
#, c-format
msgid "error forking process: %s\n"
msgstr "Fehler beim \"Forken\" des Prozess: %s\n"
#: sm/import.c:609 sm/import.c:634
#, c-format
msgid "error creating temporary file: %s\n"
msgstr "Fehler beim Erstellen einer temporären Datei: %s\n"
#: sm/import.c:617
#, c-format
msgid "error writing to temporary file: %s\n"
msgstr "Fehler beim Schreiben auf eine temporäre Datei: %s\n"
#: sm/import.c:626
#, c-format
msgid "error reading input: %s\n"
msgstr "Fehler beim Lesen der Eingabe: %s\n"
#: sm/import.c:728
#, c-format
msgid "waiting for protect-tool to terminate failed: %s\n"
msgstr ""
"Das Warten auf die Beendigung des protect-tools ist fehlgeschlagen: %s\n"
#: sm/import.c:731
#, c-format
msgid "error running `%s': probably not installed\n"
msgstr "Feler bei Ausführung von `%s': wahrscheinlich nicht installiert\n"
#: sm/import.c:733
#, c-format
msgid "error running `%s': exit status %d\n"
msgstr "Fehler bei Ausführung von `%s': Endestatus %d\n"
#: sm/import.c:736
#, c-format
msgid "error running `%s': terminated\n"
msgstr "Fehler beim Ausführen von `%s': beendet\n"
#: sm/keydb.c:189
#, c-format
msgid "error creating keybox `%s': %s\n"
msgstr "Die \"Keybox\" `%s' konnte nicht erstellt werden: %s\n"
#: sm/keydb.c:192
msgid "you may want to start the gpg-agent first\n"
msgstr "Sie sollten zuerst den gpg-agent starten\n"
#: sm/keydb.c:197
#, c-format
msgid "keybox `%s' created\n"
msgstr "Die \"Keybox\" `%s' wurde erstellt\n"
#: sm/keydb.c:220
#, c-format
msgid "can't create lock for `%s'\n"
msgstr "Datei `%s' konnte nicht gesperrt werden\n"
#: sm/keydb.c:1327 sm/keydb.c:1389
msgid "failed to get the fingerprint\n"
msgstr "Kann den Fingerprint nicht ermitteln\n"
#: sm/keydb.c:1334 sm/keydb.c:1396
msgid "failed to allocate keyDB handle\n"
msgstr "Kann keinen KeyDB Handler bereitstellen\n"
#: sm/keydb.c:1351
#, c-format
msgid "problem looking for existing certificate: %s\n"
msgstr "Problem bei der Suche nach vorhandenem Zertifikat: %s\n"
#: sm/keydb.c:1359
#, c-format
msgid "error finding writable keyDB: %s\n"
msgstr "Fehler bei der Suche nach einer schreibbaren KeyDB: %s\n"
#: sm/keydb.c:1367
#, c-format
msgid "error storing certificate: %s\n"
msgstr "Fehler beim Speichern des Zertifikats: %s\n"
#: sm/keydb.c:1411
#, c-format
msgid "problem re-searching certificate: %s\n"
msgstr "Problem bei Wiederfinden des Zertifikats: %s\n"
#: sm/keydb.c:1420 sm/keydb.c:1508
#, c-format
msgid "error getting stored flags: %s\n"
msgstr "Fehler beim Holen der gespeicherten Flags: %s\n"
#: sm/keydb.c:1429 sm/keydb.c:1519
#, c-format
msgid "error storing flags: %s\n"
msgstr "Fehler beim Speichern der Flags: %s\n"
#: sm/verify.c:381
msgid "Signature made "
msgstr "Signatur erzeugt am "
#: sm/verify.c:385
msgid "[date not given]"
msgstr "[Datum nicht vorhanden]"
#: sm/verify.c:386
#, c-format
msgid " using certificate ID %08lX\n"
msgstr "mittels Zertifikat ID %08lX\n"
#: sm/verify.c:499
msgid "Good signature from"
msgstr "Korrekte Signatur von"
#: sm/verify.c:500
msgid " aka"
msgstr " alias"
#: tools/gpgconf.c:55
msgid "list all components"
msgstr "Liste aller Komponenten"
#: tools/gpgconf.c:56
msgid "|COMPONENT|list options"
msgstr "|KOMPONENTE|Zeige die Optionen an"
#: tools/gpgconf.c:57
msgid "|COMPONENT|change options"
msgstr "|KOMPONENTE|Ändere die Optionen"
#: tools/gpgconf.c:63
msgid "quiet"
msgstr "Weniger Ausgaben"
#: tools/gpgconf.c:65
msgid "activate changes at runtime, if possible"
msgstr "Aktiviere Änderungen zur Laufzeit; falls möglich"
#: tools/gpgconf.c:88
msgid "Usage: gpgconf [options] (-h for help)"
msgstr "Gebrauch: gpgconf [Optionen] (-h für Hilfe)"
#: tools/gpgconf.c:91
msgid ""
"Syntax: gpgconf [options]\n"
"Manage configuration options for tools of the GnuPG system\n"
msgstr ""
"Syntax: gpgconf {Optionen]\n"
"Verwalte Konfigurationsoptionen für Programme des GnuPG Systems\n"
#: tools/gpgconf.c:180
msgid "usage: gpgconf [options] "
msgstr "Gebrauch: gpgconf [Optionen] "
#: tools/gpgconf.c:181
msgid "Need one component argument"
msgstr "Benötige ein Komponenten Argument"
#: tools/gpgconf.c:190
msgid "Component not found"
msgstr "Komponente nicht gefunden"
#: tools/gpgconf-comp.c:432 tools/gpgconf-comp.c:493 tools/gpgconf-comp.c:558
#: tools/gpgconf-comp.c:611 tools/gpgconf-comp.c:674
msgid "Options controlling the diagnostic output"
msgstr "Optionen zur Einstellung Diagnoseausgaben"
#: tools/gpgconf-comp.c:445 tools/gpgconf-comp.c:506 tools/gpgconf-comp.c:571
#: tools/gpgconf-comp.c:624 tools/gpgconf-comp.c:697
msgid "Options controlling the configuration"
msgstr "Optionen zur Einstellung der Konfiguration"
#: tools/gpgconf-comp.c:452 tools/gpgconf-comp.c:529 tools/gpgconf-comp.c:578
#: tools/gpgconf-comp.c:631 tools/gpgconf-comp.c:704
msgid "Options useful for debugging"
msgstr "Nützliche Optionen zum Debuggen"
#: tools/gpgconf-comp.c:465 tools/gpgconf-comp.c:539 tools/gpgconf-comp.c:644
msgid "Options controlling the security"
msgstr "Optionen zur Einstellung der Sicherheit"
#: tools/gpgconf-comp.c:591
msgid "Configuration for Keyservers"
msgstr "Konfiguration der Schlüsselserver"
#: tools/gpgconf-comp.c:687
msgid "Options controlling the format of the output"
msgstr "Optionen zum Einstellen der Ausgabeformate"
#: tools/gpgconf-comp.c:723
msgid "Options controlling the interactivity and enforcement"
msgstr "Optionen zur Einstellung der Interaktivität und Geltendmachung"
#: tools/gpgconf-comp.c:733
msgid "Configuration of LDAP servers to use"
msgstr "Konfiguration der zu nutzenden LDAP-Server"
#: tools/gpgconf-comp.c:758
msgid "Configuration for OCSP"
msgstr "Konfiguration zu OCSP"
#~ msgid "Enter passphrase:"
#~ msgstr "Bitte das Mantra (Passphrase) eingeben:"
#~ msgid "[error]"
#~ msgstr "[Fehler]"
#~ msgid "no key usage specified - accepted for encryption\n"
#~ msgstr ""
#~ "Schlüsselverwendungszweck nicht vorhanden - wird zum Verschlüsseln "
#~ "akzeptiert\n"
diff --git a/scd/ChangeLog b/scd/ChangeLog
index e6789fcb2..9640ef6b2 100644
--- a/scd/ChangeLog
+++ b/scd/ChangeLog
@@ -1,758 +1,829 @@
+2004-09-30 Werner Koch <wk@g10code.com>
+
+ * app-openpgp.c (do_sign): Add the error string to the verify
+ failed messages.
+
+2004-09-27 Werner Koch <wk@g10code.com>
+
+ From gnupg 1.3
+
+ * app-openpgp.c: Made all strings translatable.
+ (verify_chv3) [GNUPG_MAJOR_VERSION]: Make opt.allow_admin
+ available for use in gnupg 2.
+ (verify_chv3): Reimplemented countdown showing to use only
+ functions from this module. Flush the CVH status cache on a
+ successful read.
+ (get_one_do): Hack to bypass the cache for cards versions > 1.0.
+ (store_fpr): Store the creation date for card version > 1.0.
+
+ * app-openpgp.c (app_openpgp_storekey): Call flush_cache.
+ (get_cached_data): Move local data initialization to ..
+ (app_select_openpgp): .. here. Read some flags for later use.
+ (do_getattr): New read-only attribute EXTCAP.
+
+ * apdu.c (open_pcsc_reader): Do not print empty reader string.
+
+ * ccid-driver.c (do_close_reader): Factored some code out from ...
+ (ccid_close_reader): ..here.
+ (ccid_shutdown_reader): New.
+
+ * apdu.c (apdu_shutdown_reader): New.
+ (shutdown_ccid_reader): New.
+
+ * apdu.c (open_ccid_reader): New arg PORTSTR. Pass it to
+ ccid_open_reader.
+ (apdu_open_reader): Pass portstr to open_ccid_reader.
+ (apdu_open_reader): No fallback if a full CCID reader id has been
+ given.
+
+ * ccid-driver.c (ccid_get_reader_list): New.
+ (ccid_open_reader): Changed API to take a string for the reader.
+ Removed al the cruft for the libusb development vesion which seems
+ not to be maintained anymore and there are no packages anyway.
+ The stable library works just fine.
+ (struct ccid_reader_id_s): Deleted and replaced everywhere by a
+ simple string.
+ (usb_get_string_simple): Removed.
+ (bulk_in): Do valgrind hack here and not just everywhere.
+
+ * ccid-driver.c (read_device_info): Removed.
+ (make_reader_id, scan_or_find_devices): New.
+ (ccid_open_reader): Simplified by make use of the new functions.
+ (ccid_set_debug_level): New. Changed the macros to make use of
+ it. It has turned out that it is often useful to enable debugging
+ at runtime so I added this option.
+
+ From gnupg 1.3 - David Shaw <dshaw@jabberwocky.com>
+
+ * app-openpgp.c (verify_chv3): Show a countdown of how many wrong
+ admin PINs can be entered before the card is locked.
+
+ * app-openpgp.c (get_cached_data): Avoid mallocing zero since it
+ breaks us when using --enable-m-guard.
+
+ * ccid-driver.c (usb_get_string_simple): Replacement function to
+ work with older libusb.
+
+ * ccid-driver.c (read_device_info): Fix segfault when usb device
+ is not accessible.
+ (ccid_open_reader): Allow working with an even older version of
+ libusb (usb_busses global instead of usb_get_busses()).
+
2004-09-11 Werner Koch <wk@g10code.com>
* app-openpgp.c (app_select_openpgp): Its app_munge_serialno and
not app_number_serialno.
2004-08-20 Werner Koch <wk@g10code.de>
* app.c (select_application): Fixed serial number extraction and
added the BMI card workaround.
(app_munge_serialno): New.
* app-openpgp.c (app_select_openpgp): Try munging serialno.
2004-08-05 Werner Koch <wk@g10code.de>
* scdaemon.c (main): New option --disable-application.
* app.c (is_app_allowed): New.
(select_application): Use it to check for disabled applications.
* ccid-driver.h (CCID_DRIVER_ERR_ABORTED): New.
* ccid-driver.c (ccid_open_reader): Support the stable 0.1 version
of libusb.
(ccid_get_atr): Handle short messages.
* apdu.c (my_rapdu_get_status): Implemented.
2004-07-27 Moritz Schulte <moritz@g10code.com>
* apdu.c: Include <signal.h>.
* Makefile.am: Use @DL_LIBS@ instead of -ldl.
2004-07-22 Werner Koch <wk@g10code.de>
* Makefile.am: Make OpenSC lib link after libgcrypt. Do not link
to pth.
* apdu.c: Don't use Pth if we use OpenSC.
* sc-investigate.c, scdaemon.c: Disable use of pth if OpenSC is used.
* scdaemon.c (main): Bumbed thread stack size up to 512k.
2004-07-16 Werner Koch <wk@gnupg.org>
* apdu.c (reader_table_s): Add function pointers for the backends.
(apdu_close_reader, apdu_get_status, apdu_activate)
(send_apdu): Make use of them.
(new_reader_slot): Intialize them to NULL.
(dump_ccid_reader_status, ct_dump_reader_status): New.
(dump_pcsc_reader_status): New.
(open_ct_reader, open_pcsc_reader, open_ccid_reader)
(open_osc_reader, open_rapdu_reader): Intialize function pointers.
(ct_activate_card, ct_send_apdu, pcsc_send_apdu, osc_send_apdu)
(error_string): Removed. Replaced by apdu_strerror.
(get_ccid_error_string): Removed.
(ct_activate_card): Remove the unused loop.
(reset_ct_reader): Implemented.
(ct_send_apdu): Activate the card if not yet done.
(pcsc_send_apdu): Ditto.
2004-07-15 Werner Koch <wk@gnupg.org>
* ccid-driver.h: Add error codes.
* ccid-driver.c: Implement more or less proper error codes all
over the place.
* apdu.c (apdu_send_direct): New.
(get_ccid_error_string): Add some error code mappings.
(send_apdu): Pass error codes along for drivers already supporting
them.
(host_sw_string): New.
(get_ccid_error_string): Use above.
(send_apdu_ccid): Reset the reader if it has not yet been done.
(open_ccid_reader): Don't care if the ATR can't be read.
(apdu_activate_card): New.
(apdu_strerror): New.
(dump_reader_status): Only enable it with opt.VERBOSE.
* iso7816.c (map_sw): Add mappings for the new error codes.
2004-07-02 Werner Koch <wk@gnupg.org>
* apdu.c (open_ct_reader, open_pcsc_reader, open_ccid_reader)
(reset_ccid_reader, open_osc_reader): Call dump_reader_status only
in verbose mode.
2004-07-01 Werner Koch <wk@gnupg.org>
* sc-investigate.c: Initialize Pth which is now required.
(interactive_shell): New command "readpk".
* app-openpgp.c (do_getattr): Fix for sending CA-FPR.
2004-06-30 Werner Koch <wk@gnupg.org>
* app-openpgp.c (app_openpgp_readkey): Fixed check for valid
exponent.
2004-06-18 Werner Koch <wk@g10code.com>
* sc-investigate.c (my_read_line): Renamed from read_line.
2004-06-16 Werner Koch <wk@gnupg.org>
* apdu.c (osc_get_status): Fixed type in function name. Noted by
Axel Thimm. Yes, I didn't tested it with OpenSC :-(.
2004-04-28 Werner Koch <wk@gnupg.org>
* app-openpgp.c (do_setattr): Sync FORCE_CHV1.
2004-04-27 Werner Koch <wk@gnupg.org>
* app-common.h: Do not include ksba.h for gnupg 1.
2004-04-26 Werner Koch <wk@gnupg.org>
* app-common.h: New members FNC.DEINIT and APP_LOCAL.
* app.c (release_application): Call new deconstructor.
* app-openpgp.c (do_deinit): New.
(get_cached_data, flush_cache_item, flush_cache_after_error)
(flush_cache): New.
(get_one_do): Replaced arg SLOT by APP. Make used of cached data.
(verify_chv2, verify_chv3): Flush some cache item after error.
(do_change_pin): Ditto.
(do_sign): Ditto.
(do_setattr): Flush cache item.
(do_genkey): Flush the entire cache.
(compare_fingerprint): Use cached data.
* scdaemon.c (main): Do the last change the usual way. This is so
that we can easily test for versioned config files above.
2004-04-26 Marcus Brinkmann <marcus@g10code.de>
* scdaemon.c (main): For now, always print default filename for
--gpgconf-list, and never /dev/null.
2004-04-21 Werner Koch <wk@gnupg.org>
* command.c (scd_update_reader_status_file): Send a signal back to
the client.
(option_handler): Parse the new event-signal option.
* scdaemon.c (handle_signal): Do not use SIGUSR{1,2} anymore for
changing the verbosity.
2004-04-20 Werner Koch <wk@gnupg.org>
* command.c (scd_update_reader_status_file): Write status files.
* app-help.c (app_help_read_length_of_cert): Fixed calculation of
R_CERTOFF.
* pcsc-wrapper.c: New.
* Makefile.am (pkglib_PROGRAMS): Install it here.
* apdu.c (writen, readn): New.
(open_pcsc_reader, pcsc_send_apdu, close_pcsc_reader): Use the
pcsc-wrapper if we are using Pth.
(apdu_send_le): Reinitialize RESULTLEN. Handle SW_EOF_REACHED
like SW_SUCCESS.
2004-04-19 Werner Koch <wk@gnupg.org>
* ccid-driver.c (parse_ccid_descriptor): Store some of the reader
features away. New arg HANDLE
(read_device_info): New arg HANDLE. Changed caller.
(bulk_in): Handle time extension requests.
(ccid_get_atr): Setup parameters and the IFSD.
(compute_edc): New. Factored out code.
(ccid_transceive): Use default NADs when required.
2004-04-14 Werner Koch <wk@gnupg.org>
* scdaemon.h (server_control_s): Add member READER_SLOT.
* scdaemon.c (scd_init_default_ctrl): Initialize READER_SLOT to -1.
* command.c (open_card): Reuse an open slot.
(reset_notify): Just reset the slot if supported by the reader.
(do_reset): Factored code from above out.
(scd_command_handler): Use it for cleanup.
* apdu.h: New pseudo stati SW_HOST_NOT_SUPPORTED,
SW_HOST_LOCKING_FAILED and SW_HOST_BUSY.
* iso7816.c (map_sw): Map it.
* ccid-driver.c (ccid_slot_status): Add arg STATUSBITS.
* apdu.c (apdu_get_status): New.
(ct_get_status, pcsc_get_status, ocsc_get_status): New stubs.
(get_status_ccid): New.
(apdu_reset): New.
(reset_ct_reader, reset_pcsc_reader, reset_osc_reader): New stubs.
(reset_ccid_reader): New.
(apdu_enum_reader): New.
* apdu.c (lock_slot, trylock_slot, unlock_slot): New helpers.
(new_reader_slot) [USE_GNU_PTH]: Init mutex.
(apdu_reset, apdu_get_status, apdu_send_le): Run functions
in locked mode.
* command.c (scd_update_reader_status_file): New.
* scdaemon.c (handle_tick): Call it.
2004-04-13 Werner Koch <wk@gnupg.org>
* scdaemon.c: Convert to a Pth application.
(handle_signal, ticker_thread, handle_tick): New.
(main): Fire up the ticker thread in server mode.
2004-03-23 Werner Koch <wk@gnupg.org>
* scdaemon.c (main) <gpgconf_list>: Fixed output for pcsc_driver.
2004-03-17 Werner Koch <wk@gnupg.org>
* tlv.c (parse_ber_header): Do not check for tag overflow - it
does not make sense. Simplified the check for length overflow.
* scdaemon.c (main) <gpgconf>: Fixed default value quoting.
2004-03-16 Werner Koch <wk@gnupg.org>
* app-dinsig.c: Implemented. Based on app-nks.c and card-dinsig.c
* app-nks.c (get_length_of_cert): Removed.
* app-help.c: New.
(app_help_read_length_of_cert): New. Code taken from above. New
optional arg R_CERTOFF.
* card-dinsig.c: Removed.
* card.c (card_get_serial_and_stamp): Do not bind to the old and
never finsiged card-dinsig.c.
* iso7816.c (iso7816_read_binary): Allow for an NMAX > 254.
2004-03-11 Werner Koch <wk@gnupg.org>
* scdaemon.h (out_of_core): Removed. Replaced callers by standard
gpg_error function.
* apdu.c, iso7816.c, ccid-driver.c [GNUPG_SCD_MAIN_HEADER]: Allow
to include a header defined by the compiler. This helps us to
reuse the source in other software.
2004-03-10 Werner Koch <wk@gnupg.org>
* iso7816.c (iso7816_read_record): New arg SHORT_EF. Changed all
callers.
2004-02-18 Werner Koch <wk@gnupg.org>
* sc-investigate.c (main): Setup the used character set.
* scdaemon.c (main): Ditto.
* scdaemon.c (set_debug): New. Add option --debug-level.
(main): Add option --gpgconf-list.
2004-02-12 Werner Koch <wk@gnupg.org>
* Makefile.am: Include cmacros.am for common flags.
2004-01-29 Werner Koch <wk@gnupg.org>
* command.c (reset_notify): Release the application context and
close the reader.
2004-01-28 Werner Koch <wk@gnupg.org>
* iso7816.c (iso7816_manage_security_env): New.
(iso7816_decipher): Add PADIND argument.
2004-01-27 Werner Koch <wk@gnupg.org>
* command.c (cmd_readcert, cmd_readkey): Work on a copy of LINE.
* app-common.h (app_ctx_s): Added readcert field.
* app.c (app_readcert): New.
* tlv.c (parse_ber_header): Added; taken from libksba.
2004-01-26 Werner Koch <wk@gnupg.org>
* card.c (map_sc_err): Use SCD as the error source.
* command.c (open_card): ADD arg NAME to allow requesting a
specific application. Changed all callers.
(cmd_serialno): Allow optional argument to select the desired
application.
* app-nks.c: New.
* scdaemon.h (opt): Add READER_PORT.
* scdaemon.c (main): Set it here.
* app.c (app_set_default_reader_port): Removed.
(select_application): Add NAME arg and figure out a
default serial number from the GDO. Add SLOT arg and remove all
reader management.
(release_application): New.
(app_write_learn_status): Output an APPTYPE status line.
* command.c (open_card): Adapt for select_application change.
* app-openpgp.c (app_select_openpgp): Removed SN and SNLEN args
and set it directly. Changed all callers.
2004-01-25 Werner Koch <wk@gnupg.org>
* iso7816.c (iso7816_select_application): P1 kludge for OpenPGP
card.
* app-openpgp.c (find_tlv): Factor out this function to ..
* tlv.c, tlv.h: .. new.
* scdaemon.h: Introduced app_t and ctrl_t as the new types for APP
and CTRL.
2004-01-21 Werner Koch <wk@gnupg.org>
* apdu.c (apdu_send_le): Treat SW_EOF_REACHED as a warning.
2004-01-20 Werner Koch <wk@gnupg.org>
* iso7816.c (iso7816_read_binary): New.
(iso7816_select_file): New.
(iso7816_list_directory): New.
* sc-investigate.c: Add option -i.
(select_app, read_line, interactive_shell): New.
2004-01-16 Werner Koch <wk@gnupg.org>
* apdu.h: Add SW_FILE_NOT_FOUND.
* iso7816.c (map_sw): Map it to GPG_ERR_ENOENT.
* iso7816.c (iso7816_select_file): New.
* app-dinsig.c: New file w/o any real code yet.
* Makefile.am (scdaemon_SOURCES,sc_investigate_SOURCES): Add file.
* sc-investigate.c: Add option --disable-ccid.
2003-12-19 Werner Koch <wk@gnupg.org>
* apdu.c (apdu_send_le): Send a get_response with the indicated
length and not the 64 bytes we used for testing.
* app-openpgp.c (verify_chv2, verify_chv3, do_sign): Check the
minimum length of the passphrase, so that we don't need to
decrement the retry counter.
2003-12-17 Werner Koch <wk@gnupg.org>
* card-p15.c (p15_enum_keypairs): Replaced KRC by RC.
* card-dinsig.c (dinsig_enum_keypairs): Ditto.
2003-12-16 Werner Koch <wk@gnupg.org>
* scdaemon.c (main): Set the prefixes for assuan logging.
2003-11-17 Werner Koch <wk@gnupg.org>
* scdaemon.c, scdaemon.h: New options --allow-admin and --deny-admin.
* app-openpgp.c (verify_chv3): Check it here.
2003-11-12 Werner Koch <wk@gnupg.org>
Adjusted for API changes in Libksba.
2003-10-30 Werner Koch <wk@gnupg.org>
* apdu.c (close_ct_reader, close_pcsc_reader): Implemented.
(get_ccid_error_string): New. Not very useful messages, though.
2003-10-25 Werner Koch <wk@gnupg.org>
* ccid-driver.c (ccid_open_reader): Return an error if no USB
devices are found.
* command.c (cmd_genkey, cmd_passwd): Fixed faulty use of
!spacep().
* apdu.c (apdu_open_reader): Hacks for PC/SC under Windows.
2003-10-20 Werner Koch <wk@gnupg.org>
* command.c (cmd_checkpin): New.
(register_commands): Add command CHECKPIN.
* app.c (app_check_pin): New.
* app-openpgp.c (check_against_given_fingerprint): New. Factored
out that code elsewhere.
(do_check_pin): New.
2003-10-10 Werner Koch <wk@gnupg.org>
* ccid-driver.c (ccid_close_reader): New.
* apdu.c (close_ccid_reader, close_ct_reader, close_csc_reader)
(close_osc_reader, apdu_close_reader): New. Not all are properly
implemented yet.
2003-10-09 Werner Koch <wk@gnupg.org>
* ccid-driver.c (ccid_transceive): Add T=1 chaining for sending.
2003-10-08 Werner Koch <wk@gnupg.org>
* app-openpgp.c (do_getattr): Support SERIALNO and AID.
2003-10-01 Werner Koch <wk@gnupg.org>
* ccid-driver.c: Detect GnuPG 1.3 and include appropriate files.
* apdu.c: Ditto.
* app-openpgp.c: Ditto.
* iso7816.c: Ditto.
(generate_keypair): Renamed to ..
(do_generate_keypair): .. this.
* app-common.h [GNUPG_MAJOR_VERSION]: New.
* iso7816.h [GNUPG_MAJOR_VERSION]: Include cardglue.h
2003-09-30 Werner Koch <wk@gnupg.org>
* command.c (cmd_getattr): New command GETATTR.
* app.c (app_setattr): New.
(do_getattr): New.
(do_learn_status): Reimplemented in terms of do_getattr.
* app-openpgp.c (do_change_pin): Make sure CVH1 and CHV2 are
always synced.
(verify_chv2, verify_chv3): New. Factored out common code.
(do_setattr, do_sign, do_auth, do_decipher): Change the names of
the prompts to match that we have only 2 different PINs.
(app_select_openpgp): Check whether the card enforced CHV1.
(convert_sig_counter_value): New. Factor out code from
get_sig_counter.
2003-09-28 Werner Koch <wk@gnupg.org>
* app-openpgp.c (dump_all_do): Use gpg_err_code and not gpg_error.
2003-09-19 Werner Koch <wk@gnupg.org>
* ccid-driver.c (parse_ccid_descriptor): New.
(read_device_info): New.
(ccid_open_reader): Check that the device has all required features.
2003-09-06 Werner Koch <wk@gnupg.org>
* scdaemon.c (main): --pcsc-driver again defaults to pcsclite.
David Corcoran was so kind to remove the GPL incompatible
advertisng clause from pcsclite.
* apdu.c (apdu_open_reader): Actually make pcsc-driver option work.
2003-09-05 Werner Koch <wk@gnupg.org>
* ccid-driver.c: More work, data can now actually be retrieved.
* ccid-driver.c, ccid-driver.h: Alternativley allow use under BSD
conditions.
2003-09-02 Werner Koch <wk@gnupg.org>
* scdaemon.c, scdaemon.h: New option --pcsc-ccid.
* ccid-driver.c, ccid-driver.h: New but far from being useful.
* Makefile.am: Add above.
* apdu.c: Add support for that ccid driver.
2003-08-26 Timo Schulz <twoaday@freakmail.de>
* apdu.c (new_reader_slot): Only set 'is_osc' when OpenSC
is used.
2003-08-25 Werner Koch <wk@gnupg.org>
* command.c (cmd_setattr): Use a copy of LINE.
(cmd_genkey): Use a copy of KEYNO.
(cmd_passwd): Use a copy of CHVNOSTR.
(cmd_pksign, cmd_pkauth, cmd_pkdecrypt): s/strdup/xtrystrdup/.
2003-08-19 Werner Koch <wk@gnupg.org>
* scdaemon.c, scdaemon.h: New option --pcsc-driver.
* apdu.c (apdu_open_reader): Use that option here instead of a
hardcoded one.
2003-08-18 Werner Koch <wk@gnupg.org>
* Makefile.am: Add OPENSC_LIBS to all programs.
* scdaemon.c, scdaemon.h: New option --disable-opensc.
* card.c (card_open): Implement it.
* apdu.c (open_osc_reader, osc_send_apdu): New.
(apdu_open_reader) [HAVE_OPENSC]: Use the opensc driver if not
disabled.
(error_string) [HAVE_OPENSC]: Use sc_strerror.
(send_apdu) [HAVE_OPENSC]: Call osc_apdu_send.
* card-p15.c (p15_enum_keypairs, p15_prepare_key): Adjusted for
libgpg-error.
2003-08-14 Timo Schulz <twoaday@freakmail.de>
* apdu.c (ct_activate_card): Change the code a little to avoid
problems with other readers.
* Always use 'dynload.h' instead of 'dlfcn.h'.
2003-08-05 Werner Koch <wk@gnupg.org>
* app-openpgp.c (dump_all_do): Don't analyze constructed DOs after
an error.
2003-08-04 Werner Koch <wk@gnupg.org>
* app.c (app_set_default_reader_port): New.
(select_application): Use it here.
* scdaemon.c (main): and here.
* sc-copykeys.c: --reader-port does now take a string.
* sc-investigate.c, scdaemon.c: Ditto.
* apdu.c (apdu_open_reader): Ditto. Load pcsclite if no ctapi
driver is configured. Always include code for ctapi.
(new_reader_slot): Don't test for already used ports and remove
port arg.
(open_pcsc_reader, pcsc_send_apdu, pcsc_error_string): New.
(apdu_send_le): Changed RC to long to cope with PC/SC.
* scdaemon.c, scdaemon.h: New option --ctapi-driver.
* sc-investigate.c, sc-copykeys.c: Ditto.
2003-07-31 Werner Koch <wk@gnupg.org>
* Makefile.am (scdaemon_LDADD): Added INTLLIBS.
2003-07-28 Werner Koch <wk@gnupg.org>
* app-openpgp.c (do_setattr): Change implementation. Allow all
useful DOs.
2003-07-27 Werner Koch <wk@gnupg.org>
Adjusted for gcry_mpi_print and gcry_mpi_scan API change.
2003-07-24 Werner Koch <wk@gnupg.org>
* app-openpgp.c (do_learn_status): Print more status information.
(app_select_openpgp): Store the card version.
(store_fpr): Add argument card_version and fix DOs for old cards.
(app_openpgp_storekey): Likewise.
2003-07-23 Werner Koch <wk@gnupg.org>
* command.c (cmd_pkauth): New.
(cmd_setdata): Check whether data was given at all to avoid
passing 0 to malloc.
* app.c (app_auth): New.
* app-openpgp.c (do_auth): New.
2003-07-22 Werner Koch <wk@gnupg.org>
* command.c (cmd_passwd): New.
* app.c (app_change_pin): New.
* app-openpgp.c (do_change_pin): New.
* iso7816.c (iso7816_reset_retry_counter): Implemented.
* sc-investigate.c (main): New option --gen-random.
* iso7816.c (iso7816_get_challenge): Don't create APDUs with a
length larger than 255.
2003-07-17 Werner Koch <wk@gnupg.org>
* command.c (cmd_random): New command RANDOM.
* iso7816.c (map_sw): New. Use it in this file to return
meaningful error messages. Changed all public fucntions to return
a gpg_error_t.
(iso7816_change_reference_data): New.
* apdu.c (apdu_open_reader): Use faked status words for soem
system errors.
2003-07-16 Werner Koch <wk@gnupg.org>
* apdu.c (apdu_send_simple): Use apdu_send_le so that we can
specify not to send Le as it should be.
2003-07-15 Werner Koch <wk@gnupg.org>
* Makefile.am: Add sc-copykeys program.
* sc-copykeys.c: New.
* app-openpgp.c (app_openpgp_storekey): New.
(app_openpgp_cardinfo): New.
(count_bits): New.
(store_fpr): And use it here to get the actual length in bit.
2003-07-03 Werner Koch <wk@gnupg.org>
* app-openpgp.c (do_setattr): Add setting of the URL.
(app_select_openpgp): Dump card data only in very verbose mode.
(do_decipher): New.
2003-07-02 Werner Koch <wk@gnupg.org>
* app-openpgp.c (get_sig_counter): New.
(do_sign): Print the signature counter and enable the PIN callback.
(do_genkey): Implement the PIN callback.
2003-07-01 Werner Koch <wk@gnupg.org>
* app-openpgp.c (store_fpr): Fixed fingerprint calculation.
2003-06-26 Werner Koch <wk@gnupg.org>
* app-openpgp.c (find_tlv): Fixed length header parsing.
* app.c (app_genkey): New.
* command.c (cmd_genkey): New.
2003-06-25 Werner Koch <wk@gnupg.org>
* command.c (percent_plus_unescape): New.
(cmd_setattr): New.
2003-06-24 Werner Koch <wk@gnupg.org>
* command.c (send_status_info): New.
* app-openpgp.c (app_select_openpgp): Replace SLOT arg by APP arg
and setup the function pointers in APP on success. Changed callers.
* app.c: New.
* app-common.h: New.
* scdaemon.h (APP): New type to handle applications.
(server_control_s): Add an APP context field.
* command.c (cmd_serialno): Handle applications.
(cmd_pksign): Ditto.
(cmd_pkdecrypt): Ditto.
(reset_notify): Ditto.
(cmd_learn): For now return error for application contexts.
(cmd_readcert): Ditto.
(cmd_readkey): Ditto.
2003-06-04 Werner Koch <wk@gnupg.org>
* card.c (map_sc_err): Renamed gpg_make_err to gpg_err_make.
Renamed error codes from INVALID to INV and removed _ERROR suffixes.
2003-06-03 Werner Koch <wk@gnupg.org>
Changed all error codes in all files to the new libgpg-error scheme.
* scdaemon.h: Include gpg-error.h and errno.h
* card.c (map_sc_err): Use unknown for the error source.
* Makefile.am: Link with libgpg-error
2003-05-14 Werner Koch <wk@gnupg.org>
* atr.c, atr.h: New.
* sc-investigate.c: Dump the ATR in a human readable format.
2003-05-08 Werner Koch <wk@gnupg.org>
* scdaemon.h (DBG_CARD_IO_VALUE): New.
* sc-investigate.c: New.
* scdaemon.c (main): Removed --print-atr option.
* iso7816.c, iso7816.h, app-openpgp.c: New.
2003-04-29 Werner Koch <wk@gnupg.org>
* scdaemon.c: New options --print-atr and --reader-port
* apdu.c, apdu.h: New
* card.c, card-p15.c, card-dinsig.c: Allow build without OpenSC.
* Makefile.am (LDFLAGS): Removed.
* command.c (register_commands): Adjusted for new Assuan semantics.
2002-08-21 Werner Koch <wk@gnupg.org>
* scdaemon.c (main): New option --daemon so that the program is
not accidently started in the background.
2002-08-16 Werner Koch <wk@gnupg.org>
* scdaemon.c: Include i18n.h.
* card-common.h (struct p15_private_s): Forward declaration. Add
it to card_ctx_s.
* card.c (card_close): Make sure private data is released.
(card_enum_certs): New.
* card-p15.c (p15_release_private_data): New.
(init_private_data): New to work around an OpenSC weirdness.
(p15_enum_keypairs): Do an OpenSC get_objects only once.
(p15_enum_certs): New.
(card_p15_bind): Bind new function.
* command.c (cmd_learn): Return information about the certificates.
2002-08-09 Werner Koch <wk@gnupg.org>
* card.c (card_get_serial_and_stamp): Use the tokeinfo serial
number as a fallback. Add a special prefix for serial numbers.
2002-07-30 Werner Koch <wk@gnupg.org>
Changes to cope with OpenSC 0.7.0:
* card.c: Removed the check for the packed opensc version.
Changed include file names of opensc.
(map_sc_err): Adjusted error codes for new opensc version.
* card-p15.c: Changed include filename of opensc.
* card-dinsig.c: Ditto.
* card-p15.c (p15_decipher): Add flags argument to OpenSC call.
2002-07-24 Werner Koch <wk@gnupg.org>
* card.c (find_simple_tlv, find_iccsn): New.
(card_get_serial_and_stamp): Improved serial number parser.
2002-06-27 Werner Koch <wk@gnupg.org>
* scdaemon.c (main): Use GNUPG_DEFAULT_HOMEDIR constant.
2002-06-15 Werner Koch <wk@gnupg.org>
* card-dinsig.c: Documented some stuff from the DIN norm.
2002-04-15 Werner Koch <wk@gnupg.org>
* command.c (cmd_pksign, cmd_pkdecrypt): Use a copy of the key ID.
2002-04-12 Werner Koch <wk@gnupg.org>
* scdaemon.c: New option --debug-sc N.
* card.c (card_open): set it here.
* card-p15.c (p15_prepare_key): Factored out common code from ...
(p15_sign, p15_decipher): here and made the decryption work the
regular way.
2002-04-10 Werner Koch <wk@gnupg.org>
* card.c (card_open): Return immediately when no reader is available.
2002-03-27 Werner Koch <wk@gnupg.org>
* card.c (card_open, card_close): Adjusted for changes in OpenSC.
2002-03-10 Werner Koch <wk@gnupg.org>
* card-p15.c, card-dinsig.c, card-common.h: New.
* card.c: Factored most code out to the new modules, so that we
can better support different types of card applications.
2002-01-26 Werner Koch <wk@gnupg.org>
* scdaemon.c scdaemon.h, command.c: New. Based on the code from
the gpg-agent.
Copyright 2002 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index 1617ab888..6f9837c90 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -1,1647 +1,1763 @@
/* app-openpgp.c - The OpenPGP card application.
* Copyright (C) 2003, 2004 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
#include <config.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <time.h>
#if GNUPG_MAJOR_VERSION == 1
/* This is used with GnuPG version < 1.9. The code has been source
copied from the current GnuPG >= 1.9 and is maintained over
there. */
#include "options.h"
#include "errors.h"
#include "memory.h"
#include "util.h"
-#include "i18n.h"
#include "cardglue.h"
#else /* GNUPG_MAJOR_VERSION != 1 */
#include "scdaemon.h"
#endif /* GNUPG_MAJOR_VERSION != 1 */
+#include "i18n.h"
#include "iso7816.h"
#include "app-common.h"
#include "tlv.h"
static struct {
int tag;
int constructed;
int get_from; /* Constructed DO with this DO or 0 for direct access. */
int binary;
int dont_cache;
int flush_on_error;
+ int get_immediate_in_v11; /* Enable a hack to bypass the cache of
+ this data object if it is used in 1.1
+ and later versions of the card. This
+ does not work with composite DO and is
+ currently only useful for the CHV
+ status bytes. */
char *desc;
} data_objects[] = {
- { 0x005E, 0, 0, 1, 0, 0, "Login Data" },
- { 0x5F50, 0, 0, 0, 0, 0, "URL" },
- { 0x0065, 1, 0, 1, 0, 0, "Cardholder Related Data"},
- { 0x005B, 0, 0x65, 0, 0, 0, "Name" },
- { 0x5F2D, 0, 0x65, 0, 0, 0, "Language preferences" },
- { 0x5F35, 0, 0x65, 0, 0, 0, "Sex" },
- { 0x006E, 1, 0, 1, 0, 0, "Application Related Data" },
- { 0x004F, 0, 0x6E, 1, 0, 0, "AID" },
- { 0x0073, 1, 0, 1, 0, 0, "Discretionary Data Objects" },
- { 0x0047, 0, 0x6E, 1, 0, 0, "Card Capabilities" },
- { 0x00C0, 0, 0x6E, 1, 0, 0, "Extended Card Capabilities" },
- { 0x00C1, 0, 0x6E, 1, 0, 0, "Algorithm Attributes Signature" },
- { 0x00C2, 0, 0x6E, 1, 0, 0, "Algorithm Attributes Decryption" },
- { 0x00C3, 0, 0x6E, 1, 0, 0, "Algorithm Attributes Authentication" },
- { 0x00C4, 0, 0x6E, 1, 0, 1, "CHV Status Bytes" },
- { 0x00C5, 0, 0x6E, 1, 0, 0, "Fingerprints" },
- { 0x00C6, 0, 0x6E, 1, 0, 0, "CA Fingerprints" },
- { 0x007A, 1, 0, 1, 0, 0, "Security Support Template" },
- { 0x0093, 0, 0x7A, 1, 1, 0, "Digital Signature Counter" },
+ { 0x005E, 0, 0, 1, 0, 0, 0, "Login Data" },
+ { 0x5F50, 0, 0, 0, 0, 0, 0, "URL" },
+ { 0x0065, 1, 0, 1, 0, 0, 0, "Cardholder Related Data"},
+ { 0x005B, 0, 0x65, 0, 0, 0, 0, "Name" },
+ { 0x5F2D, 0, 0x65, 0, 0, 0, 0, "Language preferences" },
+ { 0x5F35, 0, 0x65, 0, 0, 0, 0, "Sex" },
+ { 0x006E, 1, 0, 1, 0, 0, 0, "Application Related Data" },
+ { 0x004F, 0, 0x6E, 1, 0, 0, 0, "AID" },
+ { 0x0073, 1, 0, 1, 0, 0, 0, "Discretionary Data Objects" },
+ { 0x0047, 0, 0x6E, 1, 1, 0, 0, "Card Capabilities" },
+ { 0x00C0, 0, 0x6E, 1, 1, 0, 0, "Extended Card Capabilities" },
+ { 0x00C1, 0, 0x6E, 1, 1, 0, 0, "Algorithm Attributes Signature" },
+ { 0x00C2, 0, 0x6E, 1, 1, 0, 0, "Algorithm Attributes Decryption" },
+ { 0x00C3, 0, 0x6E, 1, 1, 0, 0, "Algorithm Attributes Authentication" },
+ { 0x00C4, 0, 0x6E, 1, 0, 1, 1, "CHV Status Bytes" },
+ { 0x00C5, 0, 0x6E, 1, 0, 0, 0, "Fingerprints" },
+ { 0x00C6, 0, 0x6E, 1, 0, 0, 0, "CA Fingerprints" },
+ { 0x007A, 1, 0, 1, 0, 0, 0, "Security Support Template" },
+ { 0x0093, 0, 0x7A, 1, 1, 0, 0, "Digital Signature Counter" },
{ 0 }
};
struct cache_s {
struct cache_s *next;
int tag;
size_t length;
unsigned char data[1];
};
struct app_local_s {
struct cache_s *cache;
+ struct
+ {
+ unsigned int get_challenge:1;
+ unsigned int key_import:1;
+ unsigned int change_force_chv:1;
+ unsigned int private_dos:1;
+ } extcap;
};
static unsigned long convert_sig_counter_value (const unsigned char *value,
size_t valuelen);
static unsigned long get_sig_counter (APP app);
/* Deconstructor. */
static void
do_deinit (app_t app)
{
if (app && app->app_local)
{
struct cache_s *c, *c2;
for (c = app->app_local->cache; c; c = c2)
{
c2 = c->next;
xfree (c);
}
xfree (app->app_local);
app->app_local = NULL;
}
}
/* Wrapper around iso7816_get_data which first tries to get the data
from the cache. */
static gpg_error_t
get_cached_data (app_t app, int tag,
unsigned char **result, size_t *resultlen)
{
gpg_error_t err;
int i;
unsigned char *p;
size_t len;
struct cache_s *c;
-
*result = NULL;
*resultlen = 0;
- if (app->app_local)
- {
- for (c=app->app_local->cache; c; c = c->next)
- if (c->tag == tag)
+ for (c=app->app_local->cache; c; c = c->next)
+ if (c->tag == tag)
+ {
+ if(c->length)
{
- p = xtrymalloc (c->length);
- if (!p)
- return gpg_error (gpg_err_code_from_errno (errno));
- memcpy (p, c->data, c->length);
- *resultlen = c->length;
- *result = p;
- return 0;
+ p = xtrymalloc (c->length);
+ if (!p)
+ return gpg_error (gpg_err_code_from_errno (errno));
+ memcpy (p, c->data, c->length);
+ *result = p;
}
- }
+
+ *resultlen = c->length;
+
+ return 0;
+ }
+
err = iso7816_get_data (app->slot, tag, &p, &len);
if (err)
return err;
*result = p;
*resultlen = len;
/* Check whether we should cache this object. */
for (i=0; data_objects[i].tag; i++)
if (data_objects[i].tag == tag)
{
if (data_objects[i].dont_cache)
return 0;
break;
}
/* No, cache it. */
- if (!app->app_local)
- app->app_local = xtrycalloc (1, sizeof *app->app_local);
- /* Note that we can safely ignore out of core errors. */
- if (app->app_local)
+ for (c=app->app_local->cache; c; c = c->next)
+ assert (c->tag != tag);
+
+ c = xtrymalloc (sizeof *c + len);
+ if (c)
{
- for (c=app->app_local->cache; c; c = c->next)
- assert (c->tag != tag);
-
- c = xtrymalloc (sizeof *c + len);
- if (c)
- {
- memcpy (c->data, p, len);
- c->length = len;
- c->tag = tag;
- c->next = app->app_local->cache;
- app->app_local->cache = c;
- }
+ memcpy (c->data, p, len);
+ c->length = len;
+ c->tag = tag;
+ c->next = app->app_local->cache;
+ app->app_local->cache = c;
}
return 0;
}
/* Remove DO at TAG from the cache. */
static void
flush_cache_item (app_t app, int tag)
{
struct cache_s *c, *cprev;
int i;
if (!app->app_local)
return;
for (c=app->app_local->cache, cprev=NULL; c ; cprev=c, c = c->next)
if (c->tag == tag)
{
if (cprev)
cprev->next = c->next;
else
app->app_local->cache = c->next;
xfree (c);
for (c=app->app_local->cache; c ; c = c->next)
- assert (c->tag != tag); /* Oops: duplicated entry. */
+ {
+ assert (c->tag != tag); /* Oops: duplicated entry. */
+ }
return;
}
/* Try again if we have an outer tag. */
for (i=0; data_objects[i].tag; i++)
if (data_objects[i].tag == tag && data_objects[i].get_from
&& data_objects[i].get_from != tag)
flush_cache_item (app, data_objects[i].get_from);
}
/* Flush all entries from the cache which might be out of sync after
an error. */
static void
flush_cache_after_error (app_t app)
{
int i;
for (i=0; data_objects[i].tag; i++)
if (data_objects[i].flush_on_error)
flush_cache_item (app, data_objects[i].tag);
}
/* Flush the entire cache. */
static void
flush_cache (app_t app)
{
if (app && app->app_local)
{
struct cache_s *c, *c2;
for (c = app->app_local->cache; c; c = c2)
{
c2 = c->next;
xfree (c);
}
app->app_local->cache = NULL;
}
}
/* Get the DO identified by TAG from the card in SLOT and return a
buffer with its content in RESULT and NBYTES. The return value is
NULL if not found or a pointer which must be used to release the
buffer holding value. */
static void *
get_one_do (app_t app, int tag, unsigned char **result, size_t *nbytes)
{
int rc, i;
unsigned char *buffer;
size_t buflen;
unsigned char *value;
size_t valuelen;
*result = NULL;
*nbytes = 0;
for (i=0; data_objects[i].tag && data_objects[i].tag != tag; i++)
;
+ if (app->card_version > 0x0100 && data_objects[i].get_immediate_in_v11)
+ {
+ if( iso7816_get_data (app->slot, tag, &buffer, &buflen))
+ return NULL;
+ *result = buffer;
+ *nbytes = buflen;
+ return buffer;
+ }
+
value = NULL;
rc = -1;
if (data_objects[i].tag && data_objects[i].get_from)
{
rc = get_cached_data (app, data_objects[i].get_from,
&buffer, &buflen);
if (!rc)
{
const unsigned char *s;
s = find_tlv (buffer, buflen, tag, &valuelen);
if (!s)
value = NULL; /* not found */
else if (valuelen > buflen - (s - buffer))
{
log_error ("warning: constructed DO too short\n");
value = NULL;
xfree (buffer); buffer = NULL;
}
else
value = buffer + (s - buffer);
}
}
if (!value) /* Not in a constructed DO, try simple. */
{
rc = get_cached_data (app, tag, &buffer, &buflen);
if (!rc)
{
value = buffer;
valuelen = buflen;
}
}
if (!rc)
{
*nbytes = valuelen;
*result = value;
return buffer;
}
return NULL;
}
static void
dump_all_do (int slot)
{
int rc, i, j;
unsigned char *buffer;
size_t buflen;
for (i=0; data_objects[i].tag; i++)
{
if (data_objects[i].get_from)
continue;
rc = iso7816_get_data (slot, data_objects[i].tag, &buffer, &buflen);
if (gpg_err_code (rc) == GPG_ERR_NO_OBJ)
;
else if (rc)
log_info ("DO `%s' not available: %s\n",
data_objects[i].desc, gpg_strerror (rc));
else
{
if (data_objects[i].binary)
{
log_info ("DO `%s': ", data_objects[i].desc);
log_printhex ("", buffer, buflen);
}
else
log_info ("DO `%s': `%.*s'\n",
data_objects[i].desc,
(int)buflen, buffer); /* FIXME: sanitize */
if (data_objects[i].constructed)
{
for (j=0; data_objects[j].tag; j++)
{
const unsigned char *value;
size_t valuelen;
if (j==i || data_objects[i].tag != data_objects[j].get_from)
continue;
value = find_tlv (buffer, buflen,
data_objects[j].tag, &valuelen);
if (!value)
; /* not found */
else if (valuelen > buflen - (value - buffer))
log_error ("warning: constructed DO too short\n");
else
{
if (data_objects[j].binary)
{
log_info ("DO `%s': ", data_objects[j].desc);
log_printhex ("", value, valuelen);
}
else
log_info ("DO `%s': `%.*s'\n",
data_objects[j].desc,
(int)valuelen, value); /* FIXME: sanitize */
}
}
}
}
xfree (buffer); buffer = NULL;
}
}
/* Count the number of bits, assuming the A represents an unsigned big
integer of length LEN bytes. */
static unsigned int
count_bits (const unsigned char *a, size_t len)
{
unsigned int n = len * 8;
int i;
for (; len && !*a; len--, a++, n -=8)
;
if (len)
{
for (i=7; i && !(*a & (1<<i)); i--)
n--;
}
return n;
}
/* Note, that FPR must be at least 20 bytes. */
static int
store_fpr (int slot, int keynumber, u32 timestamp,
const unsigned char *m, size_t mlen,
const unsigned char *e, size_t elen,
unsigned char *fpr, unsigned int card_version)
{
unsigned int n, nbits;
unsigned char *buffer, *p;
int rc;
for (; mlen && !*m; mlen--, m++) /* strip leading zeroes */
;
for (; elen && !*e; elen--, e++) /* strip leading zeroes */
;
n = 6 + 2 + mlen + 2 + elen;
p = buffer = xtrymalloc (3 + n);
if (!buffer)
return gpg_error (gpg_err_code_from_errno (errno));
*p++ = 0x99; /* ctb */
*p++ = n >> 8; /* 2 byte length header */
*p++ = n;
*p++ = 4; /* key packet version */
*p++ = timestamp >> 24;
*p++ = timestamp >> 16;
*p++ = timestamp >> 8;
*p++ = timestamp;
*p++ = 1; /* RSA */
nbits = count_bits (m, mlen);
*p++ = nbits >> 8;
*p++ = nbits;
memcpy (p, m, mlen); p += mlen;
nbits = count_bits (e, elen);
*p++ = nbits >> 8;
*p++ = nbits;
memcpy (p, e, elen); p += elen;
- log_printhex ("fprbuf:", buffer, n+3);
gcry_md_hash_buffer (GCRY_MD_SHA1, fpr, buffer, n+3);
xfree (buffer);
rc = iso7816_put_data (slot, (card_version > 0x0007? 0xC7 : 0xC6)
+ keynumber, fpr, 20);
if (rc)
- log_error ("failed to store the fingerprint: %s\n",gpg_strerror (rc));
+ log_error (_("failed to store the fingerprint: %s\n"),gpg_strerror (rc));
+
+ if (!rc && card_version > 0x0100)
+ {
+ unsigned char buf[4];
+
+ buf[0] = timestamp >> 24;
+ buf[1] = timestamp >> 16;
+ buf[2] = timestamp >> 8;
+ buf[3] = timestamp;
+
+ rc = iso7816_put_data (slot, 0xCE + keynumber, buf, 4);
+ if (rc)
+ log_error (_("failed to store the creation date: %s\n"),
+ gpg_strerror (rc));
+ }
return rc;
}
static void
send_fpr_if_not_null (CTRL ctrl, const char *keyword,
int number, const unsigned char *fpr)
{
int i;
char buf[41];
char numbuf[25];
for (i=0; i < 20 && !fpr[i]; i++)
;
if (i==20)
return; /* All zero. */
for (i=0; i< 20; i++)
sprintf (buf+2*i, "%02X", fpr[i]);
if (number == -1)
*numbuf = 0; /* Don't print the key number */
else
sprintf (numbuf, "%d", number);
send_status_info (ctrl, keyword,
numbuf, (size_t)strlen(numbuf),
buf, (size_t)strlen (buf), NULL, 0);
}
static void
send_key_data (CTRL ctrl, const char *name,
const unsigned char *a, size_t alen)
{
char *p, *buf = xmalloc (alen*2+1);
for (p=buf; alen; a++, alen--, p += 2)
sprintf (p, "%02X", *a);
send_status_info (ctrl, "KEY-DATA",
name, (size_t)strlen(name),
buf, (size_t)strlen (buf),
NULL, 0);
xfree (buf);
}
/* Implement the GETATTR command. This is similar to the LEARN
command but returns just one value via the status interface. */
static int
do_getattr (APP app, CTRL ctrl, const char *name)
{
static struct {
const char *name;
int tag;
int special;
} table[] = {
{ "DISP-NAME", 0x005B },
{ "LOGIN-DATA", 0x005E },
{ "DISP-LANG", 0x5F2D },
{ "DISP-SEX", 0x5F35 },
{ "PUBKEY-URL", 0x5F50 },
{ "KEY-FPR", 0x00C5, 3 },
{ "CA-FPR", 0x00C6, 3 },
{ "CHV-STATUS", 0x00C4, 1 },
{ "SIG-COUNTER", 0x0093, 2 },
{ "SERIALNO", 0x004F, -1 },
{ "AID", 0x004F },
+ { "EXTCAP", 0x0000, -2 },
{ NULL, 0 }
};
int idx, i;
void *relptr;
unsigned char *value;
size_t valuelen;
for (idx=0; table[idx].name && strcmp (table[idx].name, name); idx++)
;
if (!table[idx].name)
return gpg_error (GPG_ERR_INV_NAME);
if (table[idx].special == -1)
{
/* The serial number is very special. We could have used the
AID DO to retrieve it, but we have it already in the app
context and the stamp argument is required anyway which we
can't by other means. The AID DO is available anyway but not
hex formatted. */
char *serial;
time_t stamp;
char tmp[50];
if (!app_get_serial_and_stamp (app, &serial, &stamp))
{
sprintf (tmp, "%lu", (unsigned long)stamp);
send_status_info (ctrl, "SERIALNO",
serial, strlen (serial),
tmp, strlen (tmp),
NULL, 0);
xfree (serial);
}
return 0;
}
+ if (table[idx].special == -2)
+ {
+ char tmp[50];
+
+ sprintf (tmp, "gc=%d ki=%d fc=%d pd=%d",
+ app->app_local->extcap.get_challenge,
+ app->app_local->extcap.key_import,
+ app->app_local->extcap.change_force_chv,
+ app->app_local->extcap.private_dos);
+ send_status_info (ctrl, table[idx].name, tmp, strlen (tmp), NULL, 0);
+ return 0;
+ }
relptr = get_one_do (app, table[idx].tag, &value, &valuelen);
if (relptr)
{
if (table[idx].special == 1)
{
char numbuf[7*23];
for (i=0,*numbuf=0; i < valuelen && i < 7; i++)
sprintf (numbuf+strlen (numbuf), " %d", value[i]);
send_status_info (ctrl, table[idx].name,
numbuf, strlen (numbuf), NULL, 0);
}
else if (table[idx].special == 2)
{
char numbuf[50];
sprintf (numbuf, "%lu", convert_sig_counter_value (value, valuelen));
send_status_info (ctrl, table[idx].name,
numbuf, strlen (numbuf), NULL, 0);
}
else if (table[idx].special == 3)
{
if (valuelen >= 60)
for (i=0; i < 3; i++)
send_fpr_if_not_null (ctrl, table[idx].name, i+1, value+i*20);
}
else
send_status_info (ctrl, table[idx].name, value, valuelen, NULL, 0);
xfree (relptr);
}
return 0;
}
static int
do_learn_status (APP app, CTRL ctrl)
{
+ do_getattr (app, ctrl, "EXTCAP");
do_getattr (app, ctrl, "DISP-NAME");
do_getattr (app, ctrl, "DISP-LANG");
do_getattr (app, ctrl, "DISP-SEX");
do_getattr (app, ctrl, "PUBKEY-URL");
do_getattr (app, ctrl, "LOGIN-DATA");
do_getattr (app, ctrl, "KEY-FPR");
do_getattr (app, ctrl, "CA-FPR");
do_getattr (app, ctrl, "CHV-STATUS");
do_getattr (app, ctrl, "SIG-COUNTER");
return 0;
}
/* Verify CHV2 if required. Depending on the configuration of the
card CHV1 will also be verified. */
static int
verify_chv2 (app_t app,
int (*pincb)(void*, const char *, char **),
void *pincb_arg)
{
int rc = 0;
if (!app->did_chv2)
{
char *pinvalue;
rc = pincb (pincb_arg, "PIN", &pinvalue);
if (rc)
{
- log_info ("PIN callback returned error: %s\n", gpg_strerror (rc));
+ log_info (_("PIN callback returned error: %s\n"), gpg_strerror (rc));
return rc;
}
if (strlen (pinvalue) < 6)
{
- log_error ("prassphrase (CHV2) is too short; minimum length is 6\n");
+ log_error (_("prassphrase (CHV%d) is too short;"
+ " minimum length is %d\n"), 2, 6);
xfree (pinvalue);
return gpg_error (GPG_ERR_BAD_PIN);
}
rc = iso7816_verify (app->slot, 0x82, pinvalue, strlen (pinvalue));
if (rc)
{
- log_error ("verify CHV2 failed: %s\n", gpg_strerror (rc));
+ log_error (_("verify CHV%d failed: %s\n"), 2, gpg_strerror (rc));
xfree (pinvalue);
flush_cache_after_error (app);
return rc;
}
app->did_chv2 = 1;
if (!app->did_chv1 && !app->force_chv1)
{
rc = iso7816_verify (app->slot, 0x81, pinvalue, strlen (pinvalue));
if (gpg_err_code (rc) == GPG_ERR_BAD_PIN)
rc = gpg_error (GPG_ERR_PIN_NOT_SYNCED);
if (rc)
{
- log_error ("verify CHV1 failed: %s\n", gpg_strerror (rc));
+ log_error (_("verify CHV%d failed: %s\n"), 1, gpg_strerror (rc));
xfree (pinvalue);
flush_cache_after_error (app);
return rc;
}
app->did_chv1 = 1;
}
xfree (pinvalue);
}
return rc;
}
/* Verify CHV3 if required. */
static int
verify_chv3 (APP app,
int (*pincb)(void*, const char *, char **),
void *pincb_arg)
{
int rc = 0;
+#if GNUPG_MAJOR_VERSION != 1
if (!opt.allow_admin)
{
- log_info ("access to admin commands is not configured\n");
+ log_info (_("access to admin commands is not configured\n"));
return gpg_error (GPG_ERR_EACCES);
}
+#endif
if (!app->did_chv3)
{
char *pinvalue;
+ void *relptr;
+ unsigned char *value;
+ size_t valuelen;
+ int reread_chv_status;
+
- rc = pincb (pincb_arg, "Admin PIN", &pinvalue);
+ relptr = get_one_do (app, 0x00C4, &value, &valuelen);
+ if (!relptr || valuelen < 7)
+ {
+ log_error (_("error retrieving CHV status from card\n"));
+ xfree (relptr);
+ return gpg_error (GPG_ERR_CARD);
+ }
+ if (value[6] == 0)
+ {
+ log_info (_("card is permanently locked!\n"));
+ xfree (relptr);
+ return gpg_error (GPG_ERR_BAD_PIN);
+ }
+
+ reread_chv_status = (value[6] < 3);
+
+ log_info(_("%d Admin PIN attempts remaining before card"
+ " is permanently locked\n"), value[6]);
+ xfree (relptr);
+
+ rc = pincb (pincb_arg, _("Admin PIN"), &pinvalue);
if (rc)
{
- log_info ("PIN callback returned error: %s\n", gpg_strerror (rc));
+ log_info (_("PIN callback returned error: %s\n"), gpg_strerror (rc));
return rc;
}
if (strlen (pinvalue) < 6)
{
- log_error ("prassphrase (CHV3) is too short; minimum length is 6\n");
+ log_error (_("prassphrase (CHV%d) is too short;"
+ " minimum length is %d\n"), 3, 6);
xfree (pinvalue);
return gpg_error (GPG_ERR_BAD_PIN);
}
rc = iso7816_verify (app->slot, 0x83, pinvalue, strlen (pinvalue));
xfree (pinvalue);
if (rc)
{
- log_error ("verify CHV3 failed: %s\n", gpg_strerror (rc));
+ log_error (_("verify CHV%d failed: %s\n"), 3, gpg_strerror (rc));
flush_cache_after_error (app);
return rc;
}
app->did_chv3 = 1;
+ /* If the PIN has been entered wrongly before, we need to flush
+ the cached value so that the next read correctly reflects the
+ resetted retry counter. Note that version 1.1 of the specs
+ allow direct reading of that DO, so that we could actually
+ flush it in all cases. */
+ if (reread_chv_status)
+ flush_cache_item (app, 0x00C4);
}
return rc;
}
/* Handle the SETATTR operation. All arguments are already basically
checked. */
static int
do_setattr (APP app, const char *name,
int (*pincb)(void*, const char *, char **),
void *pincb_arg,
const unsigned char *value, size_t valuelen)
{
gpg_error_t rc;
int idx;
static struct {
const char *name;
int tag;
int special;
} table[] = {
{ "DISP-NAME", 0x005B },
{ "LOGIN-DATA", 0x005E },
{ "DISP-LANG", 0x5F2D },
{ "DISP-SEX", 0x5F35 },
{ "PUBKEY-URL", 0x5F50 },
{ "CHV-STATUS-1", 0x00C4, 1 },
{ "CA-FPR-1", 0x00CA },
{ "CA-FPR-2", 0x00CB },
{ "CA-FPR-3", 0x00CC },
{ NULL, 0 }
};
for (idx=0; table[idx].name && strcmp (table[idx].name, name); idx++)
;
if (!table[idx].name)
return gpg_error (GPG_ERR_INV_NAME);
rc = verify_chv3 (app, pincb, pincb_arg);
if (rc)
return rc;
/* Flush the cache before writing it, so that the next get operation
will reread the data from the card and thus get synced in case of
errors (e.g. data truncated by the card). */
flush_cache_item (app, table[idx].tag);
rc = iso7816_put_data (app->slot, table[idx].tag, value, valuelen);
if (rc)
log_error ("failed to set `%s': %s\n", table[idx].name, gpg_strerror (rc));
if (table[idx].special == 1)
app->force_chv1 = (valuelen && *value == 0);
return rc;
}
/* Handle the PASSWD command. */
static int
do_change_pin (APP app, CTRL ctrl, const char *chvnostr, int reset_mode,
int (*pincb)(void*, const char *, char **),
void *pincb_arg)
{
int rc = 0;
int chvno = atoi (chvnostr);
char *pinvalue;
if (reset_mode && chvno == 3)
{
rc = gpg_error (GPG_ERR_INV_ID);
goto leave;
}
else if (reset_mode || chvno == 3)
{
/* we always require that the PIN is entered. */
app->did_chv3 = 0;
rc = verify_chv3 (app, pincb, pincb_arg);
if (rc)
goto leave;
}
else if (chvno == 1 || chvno == 2)
{
/* CHV1 and CVH2 should always have the same value, thus we
enforce it here. */
int save_force = app->force_chv1;
app->force_chv1 = 0;
app->did_chv1 = 0;
app->did_chv2 = 0;
rc = verify_chv2 (app, pincb, pincb_arg);
app->force_chv1 = save_force;
if (rc)
goto leave;
}
else
{
rc = gpg_error (GPG_ERR_INV_ID);
goto leave;
}
if (chvno == 3)
app->did_chv3 = 0;
else
app->did_chv1 = app->did_chv2 = 0;
rc = pincb (pincb_arg, chvno == 3? "New Admin PIN" : "New PIN", &pinvalue);
if (rc)
{
log_error ("error getting new PIN: %s\n", gpg_strerror (rc));
goto leave;
}
if (reset_mode)
{
rc = iso7816_reset_retry_counter (app->slot, 0x81,
pinvalue, strlen (pinvalue));
if (!rc)
rc = iso7816_reset_retry_counter (app->slot, 0x82,
pinvalue, strlen (pinvalue));
}
else
{
if (chvno == 1 || chvno == 2)
{
rc = iso7816_change_reference_data (app->slot, 0x81, NULL, 0,
pinvalue, strlen (pinvalue));
if (!rc)
rc = iso7816_change_reference_data (app->slot, 0x82, NULL, 0,
pinvalue, strlen (pinvalue));
}
else
rc = iso7816_change_reference_data (app->slot, 0x80 + chvno, NULL, 0,
pinvalue, strlen (pinvalue));
}
xfree (pinvalue);
if (rc)
flush_cache_after_error (app);
leave:
return rc;
}
/* Handle the GENKEY command. */
static int
do_genkey (APP app, CTRL ctrl, const char *keynostr, unsigned int flags,
int (*pincb)(void*, const char *, char **),
void *pincb_arg)
{
int rc;
int i;
char numbuf[30];
unsigned char fprbuf[20];
const unsigned char *fpr;
const unsigned char *keydata, *m, *e;
unsigned char *buffer;
size_t buflen, keydatalen, n, mlen, elen;
time_t created_at;
int keyno = atoi (keynostr);
int force = (flags & 1);
time_t start_at;
if (keyno < 1 || keyno > 3)
return gpg_error (GPG_ERR_INV_ID);
keyno--;
/* We flush the cache to increase the traffic before a key
generation. This _might_ help a card to gather more entropy. */
flush_cache (app);
rc = iso7816_get_data (app->slot, 0x006E, &buffer, &buflen);
if (rc)
{
log_error ("error reading application data\n");
return gpg_error (GPG_ERR_GENERAL);
}
fpr = find_tlv (buffer, buflen, 0x00C5, &n);
if (!fpr || n != 60)
{
rc = gpg_error (GPG_ERR_GENERAL);
log_error ("error reading fingerprint DO\n");
goto leave;
}
fpr += 20*keyno;
for (i=0; i < 20 && !fpr[i]; i++)
;
if (i!=20 && !force)
{
rc = gpg_error (GPG_ERR_EEXIST);
log_error ("key already exists\n");
goto leave;
}
else if (i!=20)
log_info ("existing key will be replaced\n");
else
log_info ("generating new key\n");
rc = verify_chv3 (app, pincb, pincb_arg);
if (rc)
goto leave;
xfree (buffer); buffer = NULL;
#if 1
log_info ("please wait while key is being generated ...\n");
start_at = time (NULL);
rc = iso7816_generate_keypair
#else
#warning key generation temporary replaced by reading an existing key.
rc = iso7816_read_public_key
#endif
(app->slot,
keyno == 0? "\xB6" :
keyno == 1? "\xB8" : "\xA4",
2,
&buffer, &buflen);
if (rc)
{
rc = gpg_error (GPG_ERR_CARD);
log_error ("generating key failed\n");
goto leave;
}
log_info ("key generation completed (%d seconds)\n",
(int)(time (NULL) - start_at));
keydata = find_tlv (buffer, buflen, 0x7F49, &keydatalen);
if (!keydata)
{
rc = gpg_error (GPG_ERR_CARD);
log_error ("response does not contain the public key data\n");
goto leave;
}
m = find_tlv (keydata, keydatalen, 0x0081, &mlen);
if (!m)
{
rc = gpg_error (GPG_ERR_CARD);
log_error ("response does not contain the RSA modulus\n");
goto leave;
}
/* log_printhex ("RSA n:", m, mlen); */
send_key_data (ctrl, "n", m, mlen);
e = find_tlv (keydata, keydatalen, 0x0082, &elen);
if (!e)
{
rc = gpg_error (GPG_ERR_CARD);
log_error ("response does not contain the RSA public exponent\n");
goto leave;
}
/* log_printhex ("RSA e:", e, elen); */
send_key_data (ctrl, "e", e, elen);
created_at = gnupg_get_time ();
sprintf (numbuf, "%lu", (unsigned long)created_at);
send_status_info (ctrl, "KEY-CREATED-AT",
numbuf, (size_t)strlen(numbuf), NULL, 0);
rc = store_fpr (app->slot, keyno, (u32)created_at,
m, mlen, e, elen, fprbuf, app->card_version);
if (rc)
goto leave;
send_fpr_if_not_null (ctrl, "KEY-FPR", -1, fprbuf);
leave:
xfree (buffer);
return rc;
}
static unsigned long
convert_sig_counter_value (const unsigned char *value, size_t valuelen)
{
unsigned long ul;
if (valuelen == 3 )
ul = (value[0] << 16) | (value[1] << 8) | value[2];
else
{
log_error ("invalid structure of OpenPGP card (DO 0x93)\n");
ul = 0;
}
return ul;
}
static unsigned long
get_sig_counter (APP app)
{
void *relptr;
unsigned char *value;
size_t valuelen;
unsigned long ul;
relptr = get_one_do (app, 0x0093, &value, &valuelen);
if (!relptr)
return 0;
ul = convert_sig_counter_value (value, valuelen);
xfree (relptr);
return ul;
}
static int
compare_fingerprint (APP app, int keyno, unsigned char *sha1fpr)
{
const unsigned char *fpr;
unsigned char *buffer;
size_t buflen, n;
int rc, i;
assert (keyno >= 1 && keyno <= 3);
rc = get_cached_data (app, 0x006E, &buffer, &buflen);
if (rc)
{
log_error ("error reading application data\n");
return gpg_error (GPG_ERR_GENERAL);
}
fpr = find_tlv (buffer, buflen, 0x00C5, &n);
if (!fpr || n != 60)
{
xfree (buffer);
log_error ("error reading fingerprint DO\n");
return gpg_error (GPG_ERR_GENERAL);
}
fpr += (keyno-1)*20;
for (i=0; i < 20; i++)
if (sha1fpr[i] != fpr[i])
{
xfree (buffer);
return gpg_error (GPG_ERR_WRONG_SECKEY);
}
xfree (buffer);
return 0;
}
/* If a fingerprint has been specified check it against the one on
the card. This is allows for a meaningful error message in case
the key on the card has been replaced but the shadow information
known to gpg was not updated. If there is no fingerprint we
assume that this is okay. */
static int
check_against_given_fingerprint (APP app, const char *fpr, int keyno)
{
unsigned char tmp[20];
const char *s;
int n;
for (s=fpr, n=0; hexdigitp (s); s++, n++)
;
if (n != 40)
return gpg_error (GPG_ERR_INV_ID);
else if (!*s)
; /* okay */
else
return gpg_error (GPG_ERR_INV_ID);
for (s=fpr, n=0; n < 20; s += 2, n++)
tmp[n] = xtoi_2 (s);
return compare_fingerprint (app, keyno, tmp);
}
/* Compute a digital signature on INDATA which is expected to be the
raw message digest. For this application the KEYIDSTR consists of
the serialnumber and the fingerprint delimited by a slash.
Note that this fucntion may return the error code
GPG_ERR_WRONG_CARD to indicate that the card currently present does
not match the one required for the requested action (e.g. the
serial number does not match). */
static int
do_sign (APP app, const char *keyidstr, int hashalgo,
int (*pincb)(void*, const char *, char **),
void *pincb_arg,
const void *indata, size_t indatalen,
unsigned char **outdata, size_t *outdatalen )
{
static unsigned char sha1_prefix[15] = /* Object ID is 1.3.14.3.2.26 */
{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03,
0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
static unsigned char rmd160_prefix[15] = /* Object ID is 1.3.36.3.2.1 */
{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03,
0x02, 0x01, 0x05, 0x00, 0x04, 0x14 };
int rc;
unsigned char data[35];
unsigned char tmp_sn[20]; /* actually 16 but we use it also for the fpr. */
const char *s;
int n;
const char *fpr = NULL;
unsigned long sigcount;
if (!keyidstr || !*keyidstr)
return gpg_error (GPG_ERR_INV_VALUE);
if (indatalen != 20)
return gpg_error (GPG_ERR_INV_VALUE);
/* Check whether an OpenPGP card of any version has been requested. */
if (strlen (keyidstr) < 32 || strncmp (keyidstr, "D27600012401", 12))
return gpg_error (GPG_ERR_INV_ID);
for (s=keyidstr, n=0; hexdigitp (s); s++, n++)
;
if (n != 32)
return gpg_error (GPG_ERR_INV_ID);
else if (!*s)
; /* no fingerprint given: we allow this for now. */
else if (*s == '/')
fpr = s + 1;
else
return gpg_error (GPG_ERR_INV_ID);
for (s=keyidstr, n=0; n < 16; s += 2, n++)
tmp_sn[n] = xtoi_2 (s);
if (app->serialnolen != 16)
return gpg_error (GPG_ERR_INV_CARD);
if (memcmp (app->serialno, tmp_sn, 16))
return gpg_error (GPG_ERR_WRONG_CARD);
/* If a fingerprint has been specified check it against the one on
the card. This is allows for a meaningful error message in case
the key on the card has been replaced but the shadow information
known to gpg was not updated. If there is no fingerprint, gpg
will detect a bogus signature anyway due to the
verify-after-signing feature. */
rc = fpr? check_against_given_fingerprint (app, fpr, 1) : 0;
if (rc)
return rc;
if (hashalgo == GCRY_MD_SHA1)
memcpy (data, sha1_prefix, 15);
else if (hashalgo == GCRY_MD_RMD160)
memcpy (data, rmd160_prefix, 15);
else
return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
memcpy (data+15, indata, indatalen);
sigcount = get_sig_counter (app);
log_info ("signatures created so far: %lu\n", sigcount);
if (!app->did_chv1 || app->force_chv1 )
{
char *pinvalue;
{
char *prompt;
if (asprintf (&prompt, "PIN [sigs done: %lu]", sigcount) < 0)
return gpg_error_from_errno (errno);
rc = pincb (pincb_arg, prompt, &pinvalue);
free (prompt);
}
if (rc)
{
log_info ("PIN callback returned error: %s\n", gpg_strerror (rc));
return rc;
}
if (strlen (pinvalue) < 6)
{
- log_error ("prassphrase (CHV1) is too short; minimum length is 6\n");
+ log_error (_("prassphrase (CHV%d) is too short;"
+ " minimum length is %d\n"), 1, 6);
xfree (pinvalue);
return gpg_error (GPG_ERR_BAD_PIN);
}
rc = iso7816_verify (app->slot, 0x81, pinvalue, strlen (pinvalue));
if (rc)
{
- log_error ("verify CHV1 failed\n");
+ log_error (_("verify CHV%d failed: %s\n"), 1, gpg_strerror (rc));
xfree (pinvalue);
flush_cache_after_error (app);
return rc;
}
app->did_chv1 = 1;
if (!app->did_chv2)
{
/* We should also verify CHV2. */
rc = iso7816_verify (app->slot, 0x82, pinvalue, strlen (pinvalue));
if (gpg_err_code (rc) == GPG_ERR_BAD_PIN)
rc = gpg_error (GPG_ERR_PIN_NOT_SYNCED);
if (rc)
{
- log_error ("verify CHV2 failed\n");
+ log_error (_("verify CHV%d failed: %s\n"), 2, gpg_strerror (rc));
xfree (pinvalue);
flush_cache_after_error (app);
return rc;
}
app->did_chv2 = 1;
}
xfree (pinvalue);
}
rc = iso7816_compute_ds (app->slot, data, 35, outdata, outdatalen);
return rc;
}
/* Compute a digital signature using the INTERNAL AUTHENTICATE command
on INDATA which is expected to be the raw message digest. For this
application the KEYIDSTR consists of the serialnumber and the
fingerprint delimited by a slash.
Note that this fucntion may return the error code
GPG_ERR_WRONG_CARD to indicate that the card currently present does
not match the one required for the requested action (e.g. the
serial number does not match). */
static int
do_auth (APP app, const char *keyidstr,
int (*pincb)(void*, const char *, char **),
void *pincb_arg,
const void *indata, size_t indatalen,
unsigned char **outdata, size_t *outdatalen )
{
int rc;
unsigned char tmp_sn[20]; /* actually 16 but we use it also for the fpr. */
const char *s;
int n;
const char *fpr = NULL;
if (!keyidstr || !*keyidstr)
return gpg_error (GPG_ERR_INV_VALUE);
if (indatalen > 50) /* For a 1024 bit key. */
return gpg_error (GPG_ERR_INV_VALUE);
/* Check whether an OpenPGP card of any version has been requested. */
if (strlen (keyidstr) < 32 || strncmp (keyidstr, "D27600012401", 12))
return gpg_error (GPG_ERR_INV_ID);
for (s=keyidstr, n=0; hexdigitp (s); s++, n++)
;
if (n != 32)
return gpg_error (GPG_ERR_INV_ID);
else if (!*s)
; /* no fingerprint given: we allow this for now. */
else if (*s == '/')
fpr = s + 1;
else
return gpg_error (GPG_ERR_INV_ID);
for (s=keyidstr, n=0; n < 16; s += 2, n++)
tmp_sn[n] = xtoi_2 (s);
if (app->serialnolen != 16)
return gpg_error (GPG_ERR_INV_CARD);
if (memcmp (app->serialno, tmp_sn, 16))
return gpg_error (GPG_ERR_WRONG_CARD);
/* If a fingerprint has been specified check it against the one on
the card. This is allows for a meaningful error message in case
the key on the card has been replaced but the shadow information
known to gpg was not updated. If there is no fingerprint, gpg
will detect a bogus signature anyway due to the
verify-after-signing feature. */
rc = fpr? check_against_given_fingerprint (app, fpr, 3) : 0;
if (rc)
return rc;
rc = verify_chv2 (app, pincb, pincb_arg);
if (!rc)
rc = iso7816_internal_authenticate (app->slot, indata, indatalen,
outdata, outdatalen);
return rc;
}
static int
do_decipher (APP app, const char *keyidstr,
int (pincb)(void*, const char *, char **),
void *pincb_arg,
const void *indata, size_t indatalen,
unsigned char **outdata, size_t *outdatalen )
{
int rc;
unsigned char tmp_sn[20]; /* actually 16 but we use it also for the fpr. */
const char *s;
int n;
const char *fpr = NULL;
if (!keyidstr || !*keyidstr || !indatalen)
return gpg_error (GPG_ERR_INV_VALUE);
/* Check whether an OpenPGP card of any version has been requested. */
if (strlen (keyidstr) < 32 || strncmp (keyidstr, "D27600012401", 12))
return gpg_error (GPG_ERR_INV_ID);
for (s=keyidstr, n=0; hexdigitp (s); s++, n++)
;
if (n != 32)
return gpg_error (GPG_ERR_INV_ID);
else if (!*s)
; /* no fingerprint given: we allow this for now. */
else if (*s == '/')
fpr = s + 1;
else
return gpg_error (GPG_ERR_INV_ID);
for (s=keyidstr, n=0; n < 16; s += 2, n++)
tmp_sn[n] = xtoi_2 (s);
if (app->serialnolen != 16)
return gpg_error (GPG_ERR_INV_CARD);
if (memcmp (app->serialno, tmp_sn, 16))
return gpg_error (GPG_ERR_WRONG_CARD);
/* If a fingerprint has been specified check it against the one on
the card. This is allows for a meaningful error message in case
the key on the card has been replaced but the shadow information
known to gpg was not updated. If there is no fingerprint, the
decryption will won't produce the right plaintext anyway. */
rc = fpr? check_against_given_fingerprint (app, fpr, 2) : 0;
if (rc)
return rc;
rc = verify_chv2 (app, pincb, pincb_arg);
if (!rc)
rc = iso7816_decipher (app->slot, indata, indatalen, 0,
outdata, outdatalen);
return rc;
}
/* Perform a simple verify operation for CHV1 and CHV2, so that
further operations won't ask for CHV2 and it is possible to do a
cheap check on the PIN: If there is something wrong with the PIN
entry system, only the regular CHV will get blocked and not the
dangerous CHV3. KEYIDSTR is the usual card's serial number; an
optional fingerprint part will be ignored. */
static int
do_check_pin (APP app, const char *keyidstr,
int (pincb)(void*, const char *, char **),
void *pincb_arg)
{
unsigned char tmp_sn[20];
const char *s;
int n;
if (!keyidstr || !*keyidstr)
return gpg_error (GPG_ERR_INV_VALUE);
/* Check whether an OpenPGP card of any version has been requested. */
if (strlen (keyidstr) < 32 || strncmp (keyidstr, "D27600012401", 12))
return gpg_error (GPG_ERR_INV_ID);
for (s=keyidstr, n=0; hexdigitp (s); s++, n++)
;
if (n != 32)
return gpg_error (GPG_ERR_INV_ID);
else if (!*s)
; /* No fingerprint given: we allow this for now. */
else if (*s == '/')
; /* We ignore a fingerprint. */
else
return gpg_error (GPG_ERR_INV_ID);
for (s=keyidstr, n=0; n < 16; s += 2, n++)
tmp_sn[n] = xtoi_2 (s);
if (app->serialnolen != 16)
return gpg_error (GPG_ERR_INV_CARD);
if (memcmp (app->serialno, tmp_sn, 16))
return gpg_error (GPG_ERR_WRONG_CARD);
/* Yes, there is a race conditions: The user might pull the card
right here and we won't notice that. However this is not a
problem and the check above is merely for a graceful failure
between operations. */
return verify_chv2 (app, pincb, pincb_arg);
}
/* Select the OpenPGP application on the card in SLOT. This function
must be used before any other OpenPGP application functions. */
int
app_select_openpgp (APP app)
{
static char const aid[] = { 0xD2, 0x76, 0x00, 0x01, 0x24, 0x01 };
int slot = app->slot;
int rc;
unsigned char *buffer;
size_t buflen;
void *relptr;
rc = iso7816_select_application (slot, aid, sizeof aid);
if (!rc)
{
+ unsigned int manufacturer;
+
app->apptype = "OPENPGP";
app->did_chv1 = 0;
app->did_chv2 = 0;
app->did_chv3 = 0;
+ app->app_local = NULL;
/* The OpenPGP card returns the serial number as part of the
AID; because we prefer to use OpenPGP serial numbers, we
replace a possibly already set one from a EF.GDO with this
one. Note, that for current OpenPGP cards, no EF.GDO exists
and thus it won't matter at all. */
rc = iso7816_get_data (slot, 0x004F, &buffer, &buflen);
if (rc)
goto leave;
if (opt.verbose)
{
- log_info ("got AID: ");
+ log_info ("AID: ");
log_printhex ("", buffer, buflen);
}
-#if GNUPG_MAJOR_VERSION != 1
- /* A valid OpenPGP card should never need this but well the test
- is cheap. */
- rc = app_munge_serialno (app);
- if (rc)
- goto leave;
-#endif
app->card_version = buffer[6] << 8;
app->card_version |= buffer[7];
+ manufacturer = (buffer[8]<<8 | buffer[9]);
+
xfree (app->serialno);
app->serialno = buffer;
app->serialnolen = buflen;
buffer = NULL;
+ app->app_local = xtrycalloc (1, sizeof *app->app_local);
+ if (!app->app_local)
+ {
+ rc = gpg_error (gpg_err_code_from_errno (errno));
+ goto leave;
+ }
relptr = get_one_do (app, 0x00C4, &buffer, &buflen);
if (!relptr)
{
- log_error ("can't access CHV Status Bytes - invalid OpenPGP card?\n");
+ log_error (_("can't access CHV Status Bytes "
+ "- invalid OpenPGP card?\n"));
goto leave;
}
app->force_chv1 = (buflen && *buffer == 0);
xfree (relptr);
-
+
+ relptr = get_one_do (app, 0x00C0, &buffer, &buflen);
+ if (!relptr)
+ {
+ log_error (_("can't access Extended Capability Flags - "
+ "invalid OpenPGP card?\n"));
+ goto leave;
+ }
+ if (buflen)
+ {
+ app->app_local->extcap.get_challenge = !!(*buffer & 0x40);
+ app->app_local->extcap.key_import = !!(*buffer & 0x20);
+ app->app_local->extcap.change_force_chv = !!(*buffer & 0x10);
+ app->app_local->extcap.private_dos = !!(*buffer & 0x08);
+ }
+ xfree (relptr);
+
+ /* Some of the first cards accidently don't set the
+ CHANGE_FORCE_CHV bit but allow it anyway. */
+ if (app->card_version <= 0x0100 && manufacturer == 1)
+ app->app_local->extcap.change_force_chv = 1;
+
+
if (opt.verbose > 1)
dump_all_do (slot);
app->fnc.deinit = do_deinit;
app->fnc.learn_status = do_learn_status;
app->fnc.readcert = NULL;
app->fnc.getattr = do_getattr;
app->fnc.setattr = do_setattr;
app->fnc.genkey = do_genkey;
app->fnc.sign = do_sign;
app->fnc.auth = do_auth;
app->fnc.decipher = do_decipher;
app->fnc.change_pin = do_change_pin;
app->fnc.check_pin = do_check_pin;
}
leave:
+ if (rc)
+ do_deinit (app);
return rc;
}
/* This function is a hack to retrieve essential information about the
card to be displayed by simple tools. It mostly resembles what the
LEARN command returns. All parameters return allocated strings or
buffers or NULL if the data object is not available. All returned
values are sanitized. */
int
app_openpgp_cardinfo (APP app,
char **serialno,
char **disp_name,
char **pubkey_url,
unsigned char **fpr1,
unsigned char **fpr2,
unsigned char **fpr3)
{
int rc;
void *relptr;
unsigned char *value;
size_t valuelen;
if (serialno)
{
time_t dummy;
*serialno = NULL;
rc = app_get_serial_and_stamp (app, serialno, &dummy);
if (rc)
{
- log_error ("error getting serial number: %s\n", gpg_strerror (rc));
+ log_error (_("error getting serial number: %s\n"),
+ gpg_strerror (rc));
return rc;
}
}
if (disp_name)
{
*disp_name = NULL;
relptr = get_one_do (app, 0x005B, &value, &valuelen);
if (relptr)
{
*disp_name = make_printable_string (value, valuelen, 0);
xfree (relptr);
}
}
if (pubkey_url)
{
*pubkey_url = NULL;
relptr = get_one_do (app, 0x5F50, &value, &valuelen);
if (relptr)
{
*pubkey_url = make_printable_string (value, valuelen, 0);
xfree (relptr);
}
}
if (fpr1)
*fpr1 = NULL;
if (fpr2)
*fpr2 = NULL;
if (fpr3)
*fpr3 = NULL;
relptr = get_one_do (app, 0x00C5, &value, &valuelen);
if (relptr && valuelen >= 60)
{
if (fpr1)
{
*fpr1 = xmalloc (20);
memcpy (*fpr1, value + 0, 20);
}
if (fpr2)
{
*fpr2 = xmalloc (20);
memcpy (*fpr2, value + 20, 20);
}
if (fpr3)
{
*fpr3 = xmalloc (20);
memcpy (*fpr3, value + 40, 20);
}
}
xfree (relptr);
return 0;
}
/* This function is currently only used by the sc-copykeys program to
store a key on the smartcard. APP ist the application handle,
KEYNO is the number of the key and PINCB, PINCB_ARG are used to ask
for the SO PIN. TEMPLATE and TEMPLATE_LEN describe a buffer with
the key template to store. CREATED_AT is the timestamp used to
create the fingerprint. M, MLEN is the RSA modulus and E, ELEN the
RSA public exponent. This function silently overwrites an existing
key.*/
int
app_openpgp_storekey (APP app, int keyno,
unsigned char *template, size_t template_len,
time_t created_at,
const unsigned char *m, size_t mlen,
const unsigned char *e, size_t elen,
int (*pincb)(void*, const char *, char **),
void *pincb_arg)
{
int rc;
unsigned char fprbuf[20];
if (keyno < 1 || keyno > 3)
return gpg_error (GPG_ERR_INV_ID);
keyno--;
rc = verify_chv3 (app, pincb, pincb_arg);
if (rc)
goto leave;
+ flush_cache (app);
rc = iso7816_put_data (app->slot,
(app->card_version > 0x0007? 0xE0 : 0xE9) + keyno,
template, template_len);
if (rc)
{
- log_error ("failed to store the key: rc=%s\n", gpg_strerror (rc));
+ log_error (_("failed to store the key: %s\n"), gpg_strerror (rc));
rc = gpg_error (GPG_ERR_CARD);
goto leave;
}
/* log_printhex ("RSA n:", m, mlen); */
/* log_printhex ("RSA e:", e, elen); */
rc = store_fpr (app->slot, keyno, (u32)created_at,
m, mlen, e, elen, fprbuf, app->card_version);
leave:
return rc;
}
/* Utility function for external tools: Read the public RSA key at
KEYNO and return modulus and exponent in (M,MLEN) and (E,ELEN). */
int
app_openpgp_readkey (APP app, int keyno, unsigned char **m, size_t *mlen,
unsigned char **e, size_t *elen)
{
int rc;
const unsigned char *keydata, *a;
unsigned char *buffer;
size_t buflen, keydatalen, alen;
*m = NULL;
*e = NULL;
if (keyno < 1 || keyno > 3)
return gpg_error (GPG_ERR_INV_ID);
keyno--;
rc = iso7816_read_public_key(app->slot,
keyno == 0? "\xB6" :
keyno == 1? "\xB8" : "\xA4",
2,
&buffer, &buflen);
if (rc)
{
rc = gpg_error (GPG_ERR_CARD);
- log_error ("reading key failed\n");
+ log_error (_("reading the key failed\n"));
goto leave;
}
keydata = find_tlv (buffer, buflen, 0x7F49, &keydatalen);
if (!keydata)
{
- log_error ("response does not contain the public key data\n");
+ log_error (_("response does not contain the public key data\n"));
rc = gpg_error (GPG_ERR_CARD);
goto leave;
}
a = find_tlv (keydata, keydatalen, 0x0081, &alen);
if (!a)
{
- log_error ("response does not contain the RSA modulus\n");
+ log_error (_("response does not contain the RSA modulus\n"));
rc = gpg_error (GPG_ERR_CARD);
goto leave;
}
*mlen = alen;
*m = xmalloc (alen);
memcpy (*m, a, alen);
a = find_tlv (keydata, keydatalen, 0x0082, &alen);
if (!a)
{
- log_error ("response does not contain the RSA public exponent\n");
+ log_error (_("response does not contain the RSA public exponent\n"));
rc = gpg_error (GPG_ERR_CARD);
goto leave;
}
*elen = alen;
*e = xmalloc (alen);
memcpy (*e, a, alen);
leave:
xfree (buffer);
if (rc)
{
xfree (*m); *m = NULL;
xfree (*e); *e = NULL;
}
return rc;
}
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 2391deb18..28a397182 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,1287 +1,1292 @@
+2004-09-30 Werner Koch <wk@g10code.com>
+
+ * keylist.c (list_cert_colon): Make sure that the expired flag has
+ a higher precedence than the invalid flag.
+
2004-09-29 Werner Koch <wk@g10code.com>
* import.c (parse_p12): Write an error status line for bad
passphrases. Add new arg CTRL and changed caller.
* export.c (export_p12): Likewise.
2004-09-14 Werner Koch <wk@g10code.com>
* certchain.c (gpgsm_validate_chain): Give expired certificates a
higher error precedence and don't bother to check any CRL in that
case.
2004-08-24 Werner Koch <wk@g10code.de>
* certlist.c: Fixed typo in ocsp OID.
2004-08-18 Werner Koch <wk@g10code.de>
* certlist.c (gpgsm_cert_use_ocsp_p): New.
(cert_usage_p): Support it here.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here.
2004-08-17 Marcus Brinkmann <marcus@g10code.de>
* import.c: Fix typo in last change.
2004-08-17 Werner Koch <wk@g10code.de>
* import.c (check_and_store): Do a full validation if
--with-validation is set.
* certchain.c (gpgsm_basic_cert_check): Print more detailed error
messages.
* certcheck.c (do_encode_md): Partly support DSA. Add new arg
PKALGO. Changed all callers to pass it.
(pk_algo_from_sexp): New.
2004-08-16 Werner Koch <wk@g10code.de>
* gpgsm.c: New option --fixed-passphrase.
* import.c (popen_protect_tool): Pass it to the protect-tool.
* server.c (cmd_encrypt): Use DEFAULT_RECPLIST and not recplist
for encrypt-to keys.
2004-08-06 Werner Koch <wk@g10code.com>
* gpgsm.c: New option --with-ephemeral-keys.
* keylist.c (list_internal_keys): Set it here.
(list_cert_raw): And indicate those keys. Changed all our callers
to pass the new arg HD through.
2004-07-23 Werner Koch <wk@g10code.de>
* certreqgen.c (proc_parameters): Do not allow key length below
1024.
2004-07-22 Werner Koch <wk@g10code.de>
* keylist.c (list_cert_raw): Print the keygrip.
2004-07-20 Werner Koch <wk@gnupg.org>
* certchain.c (gpgsm_validate_chain): The trust check didn't
worked anymore, probably due to the changes at 2003-03-04. Fixed.
2004-06-06 Werner Koch <wk@gnupg.org>
* certreqgen.c (get_parameter_uint, create_request): Create
an extension for key usage when requested.
2004-05-12 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Install emergency_cleanup also as an atexit
handler.
* verify.c (gpgsm_verify): Removed the separate error code
handling for KSBA. We use shared error codes anyway.
* export.c (export_p12): Removed debugging code.
* encrypt.c (gpgsm_encrypt): Put the session key in to secure memory.
2004-05-11 Werner Koch <wk@gnupg.org>
* sign.c (gpgsm_sign): Include the error source in the final error
message.
* decrypt.c (gpgsm_decrypt): Ditto.
* fingerprint.c (gpgsm_get_key_algo_info): New.
* sign.c (gpgsm_sign): Don't assume RSA in the status line.
* keylist.c (list_cert_colon): Really print the algorithm and key
length.
(list_cert_raw, list_cert_std): Ditto.
(list_cert_colon): Reorganized to be able to tell whether a root
certificate is trusted.
* gpgsm.c: New option --debug-allow-core-dump.
* gpgsm.h (opt): Add member CONFIG_FILENAME.
* gpgsm.c (main): Use it here instead of the local var.
* server.c (gpgsm_server): Print some additional information with
the hello in verbose mode.
2004-04-30 Werner Koch <wk@gnupg.org>
* import.c (check_and_store): Do not update the stats for hidden
imports of issuer certs.
(popen_protect_tool): Request statusmessages from the protect-tool.
(parse_p12): Detect status messages. Add new arg STATS and update them.
(print_imported_summary): Include secret key stats.
2004-04-28 Werner Koch <wk@gnupg.org>
* gpgsm.c: New command --keydb-clear-some-cert-flags.
* keydb.c (keydb_clear_some_cert_flags): New.
(keydb_update_keyblock, keydb_set_flags): Change error code
CONFLICT to NOT_LOCKED.
2004-04-26 Werner Koch <wk@gnupg.org>
* gpgsm.c (main) <gpgconf>: Do not use /dev/null as default config
filename.
* call-agent.c (gpgsm_agent_pksign, gpgsm_agent_pkdecrypt)
(gpgsm_agent_genkey, gpgsm_agent_istrusted)
(gpgsm_agent_marktrusted, gpgsm_agent_havekey)
(gpgsm_agent_passwd): Add new arg CTRL and changed all callers.
(start_agent): New arg CTRL. Send progress item when starting a
new agent.
* sign.c (gpgsm_get_default_cert, get_default_signer): New arg
CTRL to be passed down to the agent function.
* decrypt.c (prepare_decryption): Ditto.
* certreqgen.c (proc_parameters, read_parameters): Ditto.
* certcheck.c (gpgsm_create_cms_signature): Ditto.
2004-04-23 Werner Koch <wk@gnupg.org>
* keydb.c (keydb_add_resource): Try to compress the file on init.
* keylist.c (oidtranstbl): New. OIDs collected from several sources.
(print_name_raw, print_names_raw, list_cert_raw): New.
(gpgsm_list_keys): Check the dump mode and pass it down as
necessary.
2004-04-22 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): New commands --dump-keys, --dump-external-keys,
--dump-secret-keys.
2004-04-13 Werner Koch <wk@gnupg.org>
* misc.c (setup_pinentry_env): New.
* import.c (popen_protect_tool): Call it.
* export.c (popen_protect_tool): Call it.
2004-04-08 Werner Koch <wk@gnupg.org>
* decrypt.c (gpgsm_decrypt): Return GPG_ERR_NO_DATA if it is not a
encrypted message.
2004-04-07 Werner Koch <wk@gnupg.org>
* gpgsm.c: New option --force-crl-refresh.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Pass option to dirmngr.
2004-04-05 Werner Koch <wk@gnupg.org>
* server.c (get_status_string): Add STATUS_NEWSIG.
* verify.c (gpgsm_verify): Print STATUS_NEWSIG for each signature.
* certchain.c (gpgsm_validate_chain) <gpgsm_cert_use_cer_p>: Do
not just warn if a cert is not suitable; bail out immediately.
2004-04-01 Werner Koch <wk@gnupg.org>
* call-dirmngr.c (isvalid_status_cb): New.
(unhexify_fpr): New. Taken from ../g10/call-agent.c
(gpgsm_dirmngr_isvalid): Add new arg CTRL, changed caller to pass
it thru. Detect need to check the respondert cert and do that.
* certchain.c (gpgsm_validate_chain): Add new arg FLAGS. Changed
all callers.
2004-03-24 Werner Koch <wk@gnupg.org>
* sign.c (gpgsm_sign): Include a short list of capabilities.
2004-03-17 Werner Koch <wk@gnupg.org>
* gpgsm.c (main) <gpgconf>: Fixed default value quoting.
2004-03-16 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Implemented --gpgconf-list.
2004-03-15 Werner Koch <wk@gnupg.org>
* keylist.c (list_cert_colon): Hack to set the expired flag.
2004-03-09 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Correctly intitialze USE_OCSP flag.
* keydb.c (keydb_delete): s/GPG_ERR_CONFLICT/GPG_ERR_NOT_LOCKED/
2004-03-04 Werner Koch <wk@gnupg.org>
* call-dirmngr.c (gpgsm_dirmngr_isvalid): New arg ISSUER_CERT.
* certchain.c (is_cert_still_valid): New. Code moved from ...
(gpgsm_validate_chain): ... here because we now need to check at
two places and at a later stage, so that we can pass the issuer
cert down to the dirmngr.
2004-03-03 Werner Koch <wk@gnupg.org>
* call-agent.c (start_agent): Replaced pinentry setup code by a
call to a new common function.
* certdump.c (gpgsm_format_keydesc): Make sure the string is
returned as utf-8.
* export.c (gpgsm_export): Make sure that we don't export more
than one certificate.
2004-03-02 Werner Koch <wk@gnupg.org>
* export.c (create_duptable, destroy_duptable)
(insert_duptable): New.
(gpgsm_export): Avoid duplicates.
2004-02-26 Werner Koch <wk@gnupg.org>
* certchain.c (compare_certs): New.
(gpgsm_validate_chain): Fixed infinite certificate checks after
bad signatures.
2004-02-24 Werner Koch <wk@gnupg.org>
* keylist.c (list_cert_colon): Print the fingerprint as the
cert-id for root certificates.
2004-02-21 Werner Koch <wk@gnupg.org>
* keylist.c (list_internal_keys): Return error codes.
(list_external_keys, gpgsm_list_keys): Ditto.
* server.c (do_listkeys): Ditto.
* gpgsm.c (main): Display a key description for --passwd.
* call-agent.c (gpgsm_agent_passwd): New arg DESC.
2004-02-20 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): New option --debug-ignore-expiration.
* certchain.c (gpgsm_validate_chain): Use it here.
* certlist.c (cert_usage_p): Apply extKeyUsage.
2004-02-19 Werner Koch <wk@gnupg.org>
* export.c (export_p12, popen_protect_tool)
(gpgsm_p12_export): New.
* gpgsm.c (main): New command --export-secret-key-p12.
2004-02-18 Werner Koch <wk@gnupg.org>
* gpgsm.c (set_debug): Set the new --debug-level flags.
(main): New option --gpgconf-list.
(main): Do not setup -u and -r keys when not required.
(main): Setup the used character set.
* keydb.c (keydb_add_resource): Print a hint to start the
gpg-agent.
2004-02-17 Werner Koch <wk@gnupg.org>
* gpgsm.c: Fixed value parsing for --with-validation.
* call-agent.c (start_agent): Ignore an empty GPG_AGENT_INFO.
* call-dirmngr.c (start_dirmngr): Likewise for DIRMNGR_INFO.
* gpgsm.c: New option --with-md5-fingerprint.
* keylist.c (list_cert_std): Print MD5 fpr.
* gpgsm.c: New options --with-validation.
* server.c (option_handler): New option "with-validation".
* keylist.c (list_cert_std, list_internal_keys): New args CTRL and
WITH_VALIDATION. Changed callers to set it.
(list_external_cb, list_external_keys): Pass CTRL to the callback.
(list_cert_colon): Add arg CTRL. Check validation if requested.
* certchain.c (unknown_criticals, allowed_ca, check_cert_policy)
(gpgsm_validate_chain): New args LISTMODE and FP.
(do_list): New helper for info output.
(find_up): New arg FIND_NEXT.
(gpgsm_validate_chain): After a bad signature try again with other
CA certificates.
* import.c (print_imported_status): New arg NEW_CERT. Print
additional STATUS_IMPORT_OK becuase that is what gpgme expects.
(check_and_store): Always call above function after import.
* server.c (get_status_string): Added STATUS_IMPORT_OK.
2004-02-13 Werner Koch <wk@gnupg.org>
* certcheck.c (gpgsm_create_cms_signature): Format a description
for use by the pinentry.
* decrypt.c (gpgsm_decrypt): Ditto. Free HEXKEYGRIP.
* certdump.c (format_name_cookie, format_name_writer)
(gpgsm_format_name): New.
(gpgsm_format_serial): New.
(gpgsm_format_keydesc): New.
* call-agent.c (gpgsm_agent_pksign): New arg DESC.
(gpgsm_agent_pkdecrypt): Ditto.
* encrypt.c (init_dek): Check for too weak algorithms.
* import.c (parse_p12, popen_protect_tool): New.
* base64.c (gpgsm_create_reader): New arg ALLOW_MULTI_PEM.
Changed all callers.
(base64_reader_cb): Handle it here.
(gpgsm_reader_eof_seen): New.
(base64_reader_cb): Set a flag for EOF.
(simple_reader_cb): Ditto.
2004-02-12 Werner Koch <wk@gnupg.org>
* gpgsm.h, gpgsm.c: New option --protect-tool-program.
* gpgsm.c (run_protect_tool): Use it.
2004-02-11 Werner Koch <wk@gnupg.org>
* Makefile.am (AM_CPPFLAGS): Pass directory constants via -D; this
will allow to override directory names at make time.
2004-02-02 Werner Koch <wk@gnupg.org>
* import.c (check_and_store): Import certificates even with
missing issuer's cert. Fixed an "depending on the verbose
setting" bug.
* certchain.c (gpgsm_validate_chain): Mark revoked certs in the
keybox.
* keylist.c (list_cert_colon): New arg VALIDITY; use it to print a
revoked flag.
(list_internal_keys): Retrieve validity flag.
(list_external_cb): Pass 0 as validity flag.
* keydb.c (keydb_get_flags, keydb_set_flags): New.
(keydb_set_cert_flags): New.
(lock_all): Return a proper error code.
(keydb_lock): New.
(keydb_delete): Don't lock but check that it has been locked.
(keydb_update_keyblock): Ditto.
* delete.c (delete_one): Take a lock.
2004-01-30 Werner Koch <wk@gnupg.org>
* certchain.c (check_cert_policy): Fixed read error checking.
(check_cert_policy): With no critical policies issue only a
warning if the policy file does not exists.
* sign.c (add_certificate_list): Decrement N for the first cert.
2004-01-29 Werner Koch <wk@gnupg.org>
* certdump.c (parse_dn_part): Map common OIDs to human readable
labels. Make sure that a value won't get truncated if it includes
a Nul.
2004-01-28 Werner Koch <wk@gnupg.org>
* certchain.c (gpgsm_validate_chain): Changed the message printed
for an untrusted root certificate.
2004-01-27 Werner Koch <wk@gnupg.org>
* certdump.c (parse_dn_part): Pretty print the nameDistinguisher OID.
(print_dn_part): Do not delimit multiple RDN by " + ". Handle
multi-valued RDNs in a special way, i.e. in the order specified by
the certificate.
(print_dn_parts): Simplified.
2004-01-16 Werner Koch <wk@gnupg.org>
* sign.c (gpgsm_sign): Print an error message on all failures.
* decrypt.c (gpgsm_decrypt): Ditto.
2003-12-17 Werner Koch <wk@gnupg.org>
* server.c (gpgsm_server): Add arg DEFAULT_RECPLIST.
(cmd_encrypt): Add all enrypt-to marked certs to the list.
* encrypt.c (gpgsm_encrypt): Check that real recipients are
available.
* gpgsm.c (main): Make the --encrypt-to and --no-encrypt-to
options work. Pass the list of recients to gpgsm_server.
* gpgsm.h (certlist_s): Add field IS_ENCRYPT_TO.
(opt): Add NO_ENCRYPT_TO.
* certlist.c (gpgsm_add_to_certlist): New arg IS_ENCRYPT_TO.
Changed all callers and ignore duplicate entries.
(is_cert_in_certlist): New.
(gpgsm_add_cert_to_certlist): New.
* certdump.c (gpgsm_print_serial): Cleaned up cast use in strtoul.
(gpgsm_dump_serial): Ditto.
* decrypt.c (gpgsm_decrypt): Replaced ERR by RC.
2003-12-16 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Set the prefixes for assuan logging.
* sign.c (gpgsm_sign): Add validation checks for the default
certificate.
* gpgsm.c: Add -k as alias for --list-keys and -K for
--list-secret-keys.
2003-12-15 Werner Koch <wk@gnupg.org>
* encrypt.c (init_dek): Use gry_create_nonce for the IV; there is
not need for real strong random here and it even better protect
the random bits used for the key.
2003-12-01 Werner Koch <wk@gnupg.org>
* gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp.
(gpgsm_init_default_ctrl): Set USE_OCSP to the default value.
* certchain.c (gpgsm_validate_chain): Handle USE_OCSP.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and
proceed accordingly.
2003-11-19 Werner Koch <wk@gnupg.org>
* verify.c (gpgsm_verify): Use "0" instead of an empty string for
the VALIDSIG status.
2003-11-18 Werner Koch <wk@gnupg.org>
* verify.c (gpgsm_verify): Fixed for changes API of gcry_md_info.
* certchain.c (unknown_criticals): Fixed an error code test.
2003-11-12 Werner Koch <wk@gnupg.org>
Adjusted for API changes in Libksba.
2003-10-31 Werner Koch <wk@gnupg.org>
* certchain.c (gpgsm_validate_chain): Changed to use ksba_isotime_t.
* verify.c (strtimestamp_r, gpgsm_verify): Ditto.
* sign.c (gpgsm_sign): Ditto.
* keylist.c (print_time, list_cert_std, list_cert_colon): Ditto.
* certdump.c (gpgsm_print_time, gpgsm_dump_time, gpgsm_dump_cert):
Ditto.
2003-10-25 Werner Koch <wk@gnupg.org>
* certreqgen.c (read_parameters): Fixed faulty of !spacep().
2003-08-20 Marcus Brinkmann <marcus@g10code.de>
* encrypt.c (encode_session_key): Allocate enough space. Cast key
byte to unsigned char to prevent sign extension.
(encrypt_dek): Check return value before error.
2003-08-14 Timo Schulz <twoaday@freakmail.de>
* encrypt.c (encode_session_key): Use new Libgcrypt interface.
2003-07-31 Werner Koch <wk@gnupg.org>
* Makefile.am (gpgsm_LDADD): Added INTLLIBS.
2003-07-29 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Add secmem features and set the random seed file.
(gpgsm_exit): Update the random seed file and enable debug output.
2003-07-27 Werner Koch <wk@gnupg.org>
Adjusted for gcry_mpi_print and gcry_mpi_scan API change.
2003-06-24 Werner Koch <wk@gnupg.org>
* server.c (gpgsm_status_with_err_code): New.
* verify.c (gpgsm_verify): Use it here instead of the old
tokenizing version.
* verify.c (strtimestamp): Renamed to strtimestamp_r
Adjusted for changes in the libgcrypt API. Some more fixes for the
libgpg-error stuff.
2003-06-04 Werner Koch <wk@gnupg.org>
* call-agent.c (init_membuf,put_membuf,get_membuf): Removed.
Include new membuf header and changed used type.
Renamed error codes from INVALID to INV and removed _ERROR suffixes.
2003-06-03 Werner Koch <wk@gnupg.org>
Changed all error codes in all files to the new libgpg-error scheme.
* gpgsm.h: Include gpg-error.h .
* Makefile.am: Link with libgpg-error.
2003-04-29 Werner Koch <wk@gnupg.org>
* Makefile.am: Use libassuan. Don't override LDFLAGS anymore.
* server.c (register_commands): Adjust for new Assuan semantics.
2002-12-03 Werner Koch <wk@gnupg.org>
* call-agent.c (gpgsm_agent_passwd): New.
* gpgsm.c (main): New command --passwd and --call-protect-tool
(run_protect_tool): New.
2002-11-25 Werner Koch <wk@gnupg.org>
* verify.c (gpgsm_verify): Handle content-type attribute.
2002-11-13 Werner Koch <wk@gnupg.org>
* call-agent.c (start_agent): Try to use $GPG_TTY instead of
ttyname. Changed ttyname to test stdin becuase it can be assumed
that output redirection is more common that input redirection.
2002-11-12 Werner Koch <wk@gnupg.org>
* gpgsm.c: New command --call-dirmngr.
* call-dirmngr.c (gpgsm_dirmngr_run_command)
(run_command_inq_cb,run_command_cb)
(run_command_status_cb): New.
2002-11-11 Werner Koch <wk@gnupg.org>
* certcheck.c (gpgsm_check_cms_signature): Don't double free
s_sig but free s_pkey at leave.
2002-11-10 Werner Koch <wk@gnupg.org>
* gpgsm.c: Removed duplicate --list-secret-key entry.
2002-09-19 Werner Koch <wk@gnupg.org>
* certcheck.c (gpgsm_check_cert_sig): Add cert hash debugging.
* certchain.c (find_up): Print info when the cert was not found
by the autorithyKeyIdentifier.
2002-09-03 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Disable the internal libgcrypt locking.
2002-08-21 Werner Koch <wk@gnupg.org>
* import.c (print_imported_summary): Cleaned up. Print new
not_imported value.
(check_and_store): Update non_imported counter.
(print_import_problem): New.
(check_and_store): Print error status message.
* server.c (get_status_string): Added STATUS_IMPORT_PROBLEM.
2002-08-20 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Use the log file only in server mode.
* import.c (print_imported_summary): New.
(check_and_store): Update the counters, take new argument.
(import_one): Factored out core of gpgsm_import.
(gpgsm_import): Print counters.
(gpgsm_import_files): New.
* gpgsm.c (main): Use the new function for import.
2002-08-19 Werner Koch <wk@gnupg.org>
* decrypt.c (gpgsm_decrypt): Return a better error status token.
* verify.c (gpgsm_verify): Don't error on messages with no signing
time or no message digest. This is only the case for messages
without any signed attributes.
2002-08-16 Werner Koch <wk@gnupg.org>
* certpath.c: Renamed to ..
* certchain.c: this. Renamed all all other usages of "path" in the
context of certificates to "chain".
* call-agent.c (learn_cb): Special treatment when the issuer
certificate is missing.
2002-08-10 Werner Koch <wk@gnupg.org>
* Makefile.am (INCLUDES): Add definition for localedir.
* keylist.c (list_cert_colon): Print the short fingerprint in the
key ID field.
* fingerprint.c (gpgsm_get_short_fingerprint): New.
* verify.c (gpgsm_verify): Print more verbose info for a good
signature.
2002-08-09 Werner Koch <wk@gnupg.org>
* decrypt.c (prepare_decryption): Hack to detected already
unpkcsedone keys.
* gpgsm.c (emergency_cleanup): New.
(main): Initialize the signal handler.
* sign.c (gpgsm_sign): Reset the hash context for subsequent
signers and release it at the end.
2002-08-05 Werner Koch <wk@gnupg.org>
* server.c (cmd_signer): New command "SIGNER"
(register_commands): Register it.
(cmd_sign): Pass the signer list to gpgsm_sign.
* certlist.c (gpgsm_add_to_certlist): Add SECRET argument, check
for secret key if set and changed all callers.
* sign.c (gpgsm_sign): New argument SIGNERLIST and implemt
multiple signers.
* gpgsm.c (main): Support more than one -u.
* server.c (cmd_recipient): Return reason code 1 for No_Public_Key
which is actually what gets returned from add_to_certlist.
2002-07-26 Werner Koch <wk@gnupg.org>
* certcheck.c (gpgsm_check_cert_sig): Implement proper cleanup.
(gpgsm_check_cms_signature): Ditto.
2002-07-22 Werner Koch <wk@gnupg.org>
* keydb.c (keydb_add_resource): Register a lock file.
(lock_all, unlock_all): Implemented.
* delete.c: New.
* gpgsm.c: Made --delete-key work.
* server.c (cmd_delkeys): New.
(register_commands): New command DELKEYS.
* decrypt.c (gpgsm_decrypt): Print a convenience note when RC2 is
used and a STATUS_ERROR with the algorithm oid.
2002-07-03 Werner Koch <wk@gnupg.org>
* server.c (gpgsm_status2): Insert a blank between all optional
arguments when using assuan.
* server.c (cmd_recipient): No more need for extra blank in constants.
* import.c (print_imported_status): Ditto.
* gpgsm.c (main): Ditto.
2002-07-02 Werner Koch <wk@gnupg.org>
* verify.c (gpgsm_verify): Extend the STATUS_BADSIG line with
the fingerprint.
* certpath.c (check_cert_policy): Don't use log_error to print a
warning.
* keydb.c (keydb_store_cert): Add optional ar EXISTED and changed
all callers.
* call-agent.c (learn_cb): Print info message only for real imports.
* import.c (gpgsm_import): Moved duplicated code to ...
(check_and_store): new function. Added magic to import the entire
chain. Print status only for real imports and moved printing code
to ..
(print_imported_status): New.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): print status of dirmngr
call in very verbose mode.
* gpgsm.c (main): Use the same error codes for STATUS_INV_RECP as
with the server mode.
2002-06-29 Werner Koch <wk@gnupg.org>
* gpgsm.c: New option --auto-issuer-key-retrieve.
* certpath.c (find_up): Try to retrieve an issuer key from an
external source and from the ephemeral key DB.
(find_up_store_certs_cb): New.
* keydb.c (keydb_set_ephemeral): Does now return the old
state. Call the backend only when required.
* call-dirmngr.c (start_dirmngr): Use GNUPG_DEFAULT_DIRMNGR.
(lookup_status_cb): Issue status only when CTRL is not NULL.
(gpgsm_dirmngr_lookup): Document that CTRL is optional.
* call-agent.c (start_agent): Use GNUPG_DEFAULT_AGENT.
2002-06-28 Werner Koch <wk@gnupg.org>
* server.c (cmd_recipient): Add more reason codes.
2002-06-27 Werner Koch <wk@gnupg.org>
* certpath.c (gpgsm_basic_cert_check): Use
--debug-no-path-validation to also bypass this basic check.
* gpgsm.c (main): Use GNUPG_DEFAULT_HOMEDIR constant.
* call-agent.c (start_agent): Create and pass the list of FD to
keep in the child to assuan.
* call-dirmngr.c (start_dirmngr): Ditto.
2002-06-26 Werner Koch <wk@gnupg.org>
* import.c (gpgsm_import): Print an STATUS_IMPORTED.
* gpgsm.c: --debug-no-path-validation does not take an argument.
2002-06-25 Werner Koch <wk@gnupg.org>
* certdump.c (print_dn_part): Always print a leading slash,
removed NEED_DELIM arg and changed caller.
* export.c (gpgsm_export): Print LFs to FP and not stdout.
(print_short_info): Ditto. Make use of gpgsm_print_name.
* server.c (cmd_export): Use output-fd instead of data lines; this
was actually the specified way.
2002-06-24 Werner Koch <wk@gnupg.org>
* gpgsm.c: Removed duped help entry for --list-keys.
* gpgsm.c, gpgsm.h: New option --debug-no-path-validation.
* certpath.c (gpgsm_validate_path): Use it here instead of the
debug flag hack.
* certpath.c (check_cert_policy): Return No_Policy_Match if the
policy file could not be opened.
2002-06-20 Werner Koch <wk@gnupg.org>
* certlist.c (gpgsm_add_to_certlist): Fixed locating of a
certificate with the required key usage.
* gpgsm.c (main): Fixed a segv when using --outfile without an
argument.
* keylist.c (print_capabilities): Also check for non-repudiation
and data encipherment.
* certlist.c (cert_usage_p): Test for signing and encryption was
swapped. Add a case for certification usage, handle
non-repudiation and data encipherment.
(gpgsm_cert_use_cert_p): New.
(gpgsm_add_to_certlist): Added a CTRL argument and changed all
callers to pass it.
* certpath.c (gpgsm_validate_path): Use it here to print a status
message. Added a CTRL argument and changed all callers to pass it.
* decrypt.c (gpgsm_decrypt): Print a status message for wrong key
usage.
* verify.c (gpgsm_verify): Ditto.
* keydb.c (classify_user_id): Allow a colon delimited fingerprint.
2002-06-19 Werner Koch <wk@gnupg.org>
* call-agent.c (learn_cb): Use log_info instead of log_error on
successful import.
* keydb.c (keydb_set_ephemeral): New.
(keydb_store_cert): New are ephemeral, changed all callers.
* keylist.c (list_external_cb): Store cert as ephemeral.
* export.c (gpgsm_export): Kludge to export epehmeral certificates.
* gpgsm.c (main): New command --list-external-keys.
2002-06-17 Werner Koch <wk@gnupg.org>
* certreqgen.c (read_parameters): Improved error handling.
(gpgsm_genkey): Print error message.
2002-06-13 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): New option --log-file.
2002-06-12 Werner Koch <wk@gnupg.org>
* call-dirmngr.c (lookup_status_cb): New.
(gpgsm_dirmngr_lookup): Use the status CB. Add new arg CTRL and
changed caller to pass it.
* gpgsm.c (open_fwrite): New.
(main): Allow --output for --verify.
* sign.c (hash_and_copy_data): New.
(gpgsm_sign): Implemented normal (non-detached) signatures.
* gpgsm.c (main): Ditto.
* certpath.c (gpgsm_validate_path): Special error handling for
no policy match.
2002-06-10 Werner Koch <wk@gnupg.org>
* server.c (get_status_string): Add STATUS_ERROR.
* certpath.c (gpgsm_validate_path): Tweaked the error checking to
return error codes in a more sensitive way.
* verify.c (gpgsm_verify): Send status TRUST_NEVER also for a bad
CA certificate and when the certificate has been revoked. Issue
TRUST_FULLY even when the cert has expired. Append an error token
to these status lines. Issue the new generic error status when a
cert was not found and when leaving the function.
2002-06-04 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): New command --list-sigs
* keylist.c (list_cert_std): New. Use it whenever colon mode is
not used.
(list_cert_chain): New.
2002-05-31 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Don't print the "go ahead" message for an
invalid command.
2002-05-23 Werner Koch <wk@gnupg.org>
* import.c (gpgsm_import): Add error messages.
2002-05-21 Werner Koch <wk@gnupg.org>
* keylist.c (list_internal_keys): Renamed from gpgsm_list_keys.
(list_external_keys): New.
(gpgsm_list_keys): Dispatcher for above.
* call-dirmngr.c (lookup_cb,pattern_from_strlist)
(gpgsm_dirmngr_lookup): New.
* server.c (option_handler): Handle new option --list-mode.
(do_listkeys): Handle options and actually use the mode argument.
(get_status_string): New code TRUNCATED.
* import.c (gpgsm_import): Try to identify the type of input and
handle certs-only messages.
2002-05-14 Werner Koch <wk@gnupg.org>
* gpgsm.c: New option --faked-system-time
* sign.c (gpgsm_sign): And use it here.
* certpath.c (gpgsm_validate_path): Ditto.
2002-05-03 Werner Koch <wk@gnupg.org>
* certpath.c (gpgsm_validate_path): Added EXPTIME arg and changed
all callers.
* verify.c (gpgsm_verify): Tweaked usage of log_debug and
log_error. Return EXPSIG status and add expiretime to VALIDSIG.
2002-04-26 Werner Koch <wk@gnupg.org>
* gpgsm.h (DBG_AGENT,DBG_AGENT_VALUE): Replaced by DBG_ASSUAN_*.
Changed all users.
* call-agent.c (start_agent): Be more silent without -v.
* call-dirmngr.c (start_dirmngr): Ditto.
2002-04-25 Werner Koch <wk@gnupg.org>
* call-agent.c (start_agent): Make copies of old locales and check
for setlocale.
2002-04-25 Marcus Brinkmann <marcus@g10code.de>
* call-agent.c (start_agent): Fix error handling logic so the
locale is always correctly reset.
2002-04-25 Marcus Brinkmann <marcus@g10code.de>
* server.c (option_handler): Accept display, ttyname, ttytype,
lc_ctype and lc_messages options.
* gpgsm.c (main): Allocate memory for these options.
* gpgsm.h (struct opt): Make corresponding members non-const.
2002-04-24 Marcus Brinkmann <marcus@g10code.de>
* gpgsm.h (struct opt): New members display, ttyname, ttytype,
lc_ctype, lc_messages.
* gpgsm.c (enum cmd_and_opt_values): New members oDisplay,
oTTYname, oTTYtype, oLCctype, oLCmessages.
(opts): New entries for these options.
(main): Handle these new options.
* call-agent.c (start_agent): Set the various display and tty
parameter after resetting.
2002-04-18 Werner Koch <wk@gnupg.org>
* certreqgen.c (gpgsm_genkey): Write status output on success.
2002-04-15 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Check ksba version.
* certpath.c (find_up): New to use the authorithKeyIdentifier.
Use it in all other functions to locate the signing cert..
2002-04-11 Werner Koch <wk@gnupg.org>
* certlist.c (cert_usable_p): New.
(gpgsm_cert_use_sign_p,gpgsm_cert_use_encrypt_p): New.
(gpgsm_cert_use_verify_p,gpgsm_cert_use_decrypt_p): New.
(gpgsm_add_to_certlist): Check the key usage.
* sign.c (gpgsm_sign): Ditto.
* verify.c (gpgsm_verify): Print a message wehn an unsuitable
certificate was used.
* decrypt.c (gpgsm_decrypt): Ditto
* keylist.c (print_capabilities): Determine values from the cert.
2002-03-28 Werner Koch <wk@gnupg.org>
* keylist.c (list_cert_colon): Fixed listing of crt record; the
issuer is not at the right place. Print a chainingID.
* certpath.c (gpgsm_walk_cert_chain): Be a bit more silent on
common errors.
2002-03-21 Werner Koch <wk@gnupg.org>
* export.c: New.
* gpgsm.c: Add command --export.
* server.c (cmd_export): New.
2002-03-13 Werner Koch <wk@gnupg.org>
* decrypt.c (gpgsm_decrypt): Allow multiple recipients.
2002-03-12 Werner Koch <wk@gnupg.org>
* certpath.c (check_cert_policy): Print the policy list.
* verify.c (gpgsm_verify): Detect certs-only message.
2002-03-11 Werner Koch <wk@gnupg.org>
* import.c (gpgsm_import): Print a notice about imported certificates
when in verbose mode.
* gpgsm.c (main): Print INV_RECP status.
* server.c (cmd_recipient): Ditto.
* server.c (gpgsm_status2): New. Allows for a list of strings.
(gpgsm_status): Divert to gpgsm_status2.
* encrypt.c (gpgsm_encrypt): Don't use a default key when no
recipients are given. Print a NO_RECP status.
2002-03-06 Werner Koch <wk@gnupg.org>
* server.c (cmd_listkeys, cmd_listsecretkeys): Divert to
(do_listkeys): new. Add pattern parsing.
* keylist.c (gpgsm_list_keys): Handle selection pattern.
* gpgsm.c: New command --learn-card
* call-agent.c (learn_cb,gpgsm_agent_learn): New.
* gpgsm.c (main): Print error messages for non-implemented commands.
* base64.c (base64_reader_cb): Use case insensitive compare of the
Content-Type string to detect plain base-64.
2002-03-05 Werner Koch <wk@gnupg.org>
* gpgsm.c, gpgsm.h: Add local_user.
* sign.c (gpgsm_get_default_cert): New.
(get_default_signer): Use the new function if local_user is not
set otherwise used that value.
* encrypt.c (get_default_recipient): Removed.
(gpgsm_encrypt): Use gpgsm_get_default_cert.
* verify.c (gpgsm_verify): Better error text for a bad signature
found by comparing the hashs.
2002-02-27 Werner Koch <wk@gnupg.org>
* call-dirmngr.c, call-agent.c: Add 2 more arguments to all uses
of assuan_transact.
2002-02-25 Werner Koch <wk@gnupg.org>
* server.c (option_handler): Allow to use -2 for "send all certs
except the root cert".
* sign.c (add_certificate_list): Implement it here.
* certpath.c (gpgsm_is_root_cert): New.
2002-02-19 Werner Koch <wk@gnupg.org>
* certpath.c (check_cert_policy): New.
(gpgsm_validate_path): And call it from here.
* gpgsm.c (main): New options --policy-file,
--disable-policy-checks and --enable-policy-checks.
* gpgsm.h (opt): Added policy_file, no_policy_checks.
2002-02-18 Werner Koch <wk@gnupg.org>
* certpath.c (gpgsm_validate_path): Ask the agent to add the
certificate into the trusted list.
* call-agent.c (gpgsm_agent_marktrusted): New.
2002-02-07 Werner Koch <wk@gnupg.org>
* certlist.c (gpgsm_add_to_certlist): Check that the specified
name identifies a certificate unambiguously.
(gpgsm_find_cert): Ditto.
* server.c (cmd_listkeys): Check that the data stream is available.
(cmd_listsecretkeys): Ditto.
(has_option): New.
(cmd_sign): Fix ambiguousity in option recognition.
* gpgsm.c (main): Enable --logger-fd.
* encrypt.c (gpgsm_encrypt): Increased buffer size for better
performance.
* call-agent.c (gpgsm_agent_pksign): Check the S-Exp received from
the agent.
* keylist.c (list_cert_colon): Filter out control characters.
2002-02-06 Werner Koch <wk@gnupg.org>
* decrypt.c (gpgsm_decrypt): Bail out after an decryption error.
* server.c (reset_notify): Close input and output FDs.
(cmd_encrypt,cmd_decrypt,cmd_verify,cmd_sign.cmd_import)
(cmd_genkey): Close the FDs and release the recipient list even in
the error case.
2002-02-01 Marcus Brinkmann <marcus@g10code.de>
* sign.c (gpgsm_sign): Do not release certificate twice.
2002-01-29 Werner Koch <wk@gnupg.org>
* call-agent.c (gpgsm_agent_havekey): New.
* keylist.c (list_cert_colon): New arg HAVE_SECRET, print "crs"
when we know that the secret key is available.
(gpgsm_list_keys): New arg MODE, check whether a secret key is
available. Changed all callers.
* gpgsm.c (main): New command --list-secret-keys.
* server.c (cmd_listsecretkeys): New.
(cmd_listkeys): Return secret keys with "crs" record.
2002-01-28 Werner Koch <wk@gnupg.org>
* certreqgen.c (create_request): Store the email address in the req.
2002-01-25 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): Disable core dumps.
* sign.c (add_certificate_list): New.
(gpgsm_sign): Add the certificates to the CMS object.
* certpath.c (gpgsm_walk_cert_chain): New.
* gpgsm.h (server_control_s): Add included_certs.
* gpgsm.c: Add option --include-certs.
(gpgsm_init_default_ctrl): New.
(main): Call it.
* server.c (gpgsm_server): Ditto.
(option_handler): Support --include-certs.
2002-01-23 Werner Koch <wk@gnupg.org>
* certpath.c (gpgsm_validate_path): Print the DN of a missing issuer.
* certdump.c (gpgsm_dump_string): New.
(print_dn): Replaced by above.
2002-01-22 Werner Koch <wk@gnupg.org>
* certpath.c (unknown_criticals): New.
(allowed_ca): New.
(gpgsm_validate_path): Check validity, CA attribute, path length
and unknown critical extensions.
2002-01-21 Werner Koch <wk@gnupg.org>
* gpgsm.c: Add option --enable-crl-checks.
* call-agent.c (start_agent): Implemented socket based access.
* call-dirmngr.c (start_dirmngr): Ditto.
2002-01-20 Werner Koch <wk@gnupg.org>
* server.c (option_handler): New.
(gpgsm_server): Register it with assuan.
2002-01-19 Werner Koch <wk@gnupg.org>
* server.c (gpgsm_server): Use assuan_deinit_server and setup
assuan logging if enabled.
* call-agent.c (inq_ciphertext_cb): Don't show the session key in
an Assuan log file.
* gpgsm.c (my_strusage): Take bugreport address from configure.ac
2002-01-15 Werner Koch <wk@gnupg.org>
* import.c (gpgsm_import): Just do a basic cert check before
storing it.
* certpath.c (gpgsm_basic_cert_check): New.
* keydb.c (keydb_store_cert): New.
* import.c (store_cert): Removed and change all caller to use
the new function.
* verify.c (store_cert): Ditto.
* certlist.c (gpgsm_add_to_certlist): Validate the path
* certpath.c (gpgsm_validate_path): Check the trust list.
* call-agent.c (gpgsm_agent_istrusted): New.
2002-01-14 Werner Koch <wk@gnupg.org>
* call-dirmngr.c (inq_certificate): Changed for new interface semantic.
* certlist.c (gpgsm_find_cert): New.
2002-01-13 Werner Koch <wk@gnupg.org>
* fingerprint.c (gpgsm_get_certid): Print the serial and not the
hash after the dot.
2002-01-11 Werner Koch <wk@gnupg.org>
* call-dirmngr.c: New.
* certpath.c (gpgsm_validate_path): Check the CRL here.
* fingerprint.c (gpgsm_get_certid): New.
* gpgsm.c: New options --dirmngr-program and --disable-crl-checks.
2002-01-10 Werner Koch <wk@gnupg.org>
* base64.c (gpgsm_create_writer): Allow to set the object name
2002-01-08 Werner Koch <wk@gnupg.org>
* keydb.c (spacep): Removed because it is now in util.c
* server.c (cmd_genkey): New.
* certreqgen.c: New. The parameter handling code has been taken
from gnupg/g10/keygen.c version 1.0.6.
* call-agent.c (gpgsm_agent_genkey): New.
2002-01-02 Werner Koch <wk@gnupg.org>
* server.c (rc_to_assuan_status): Removed and changed all callers
to use map_to_assuan_status.
2001-12-20 Werner Koch <wk@gnupg.org>
* verify.c (gpgsm_verify): Implemented non-detached signature
verification. Add OUT_FP arg, initialize a writer and changed all
callers.
* server.c (cmd_verify): Pass an out_fp if one has been set.
* base64.c (base64_reader_cb): Try to detect an S/MIME body part.
* certdump.c (print_sexp): Renamed to gpgsm_dump_serial, made
global.
(print_time): Renamed to gpgsm_dump_time, made global.
(gpgsm_dump_serial): Take a real S-Expression as argument and
print the first item.
* keylist.c (list_cert_colon): Ditto.
* keydb.c (keydb_search_issuer_sn): Ditto.
* decrypt.c (print_integer_sexp): Removed and made callers
use gpgsm_dump_serial.
* verify.c (print_time): Removed, made callers use gpgsm_dump_time.
2001-12-19 Marcus Brinkmann <marcus@g10code.de>
* call-agent.c (start_agent): Add new argument to assuan_pipe_connect.
2001-12-18 Werner Koch <wk@gnupg.org>
* verify.c (print_integer_sexp): Renamed from print_integer and
print the serial number according to the S-Exp rules.
* decrypt.c (print_integer_sexp): Ditto.
2001-12-17 Werner Koch <wk@gnupg.org>
* keylist.c (list_cert_colon): Changed for new return value of
get_serial.
* keydb.c (keydb_search_issuer_sn): Ditto.
* certcheck.c (gpgsm_check_cert_sig): Likewise for other S-Exp
returingin functions.
* fingerprint.c (gpgsm_get_keygrip): Ditto.
* encrypt.c (encrypt_dek): Ditto
* certcheck.c (gpgsm_check_cms_signature): Ditto
* decrypt.c (prepare_decryption): Ditto.
* call-agent.c (gpgsm_agent_pkdecrypt): Removed arg ciphertextlen,
use KsbaSexp type and calculate the length.
* certdump.c (print_sexp): Remaned from print_integer, changed caller.
* Makefile.am: Use the LIBGCRYPT and LIBKSBA variables.
* fingerprint.c (gpgsm_get_keygrip): Use the new
gcry_pk_get_keygrip to calculate the grip - note the algorithm and
therefore the grip values changed.
2001-12-15 Werner Koch <wk@gnupg.org>
* certcheck.c (gpgsm_check_cms_signature): Removed the faked-key
kludge.
(gpgsm_create_cms_signature): Removed the commented fake key
code. This makes the function pretty simple.
* gpgsm.c (main): Renamed the default key database to "keyring.kbx".
* decrypt.c (gpgsm_decrypt): Write STATUS_DECRYPTION_*.
* sign.c (gpgsm_sign): Write a STATUS_SIG_CREATED.
2001-12-14 Werner Koch <wk@gnupg.org>
* keylist.c (list_cert_colon): Kludge to show an email address
encoded in the subject's DN.
* verify.c (gpgsm_verify): Add hash debug helpers
* sign.c (gpgsm_sign): Ditto.
* base64.c (base64_reader_cb): Reset the linelen when we need to
skip the line and adjusted test; I somehow forgot about DeMorgan.
* server.c (cmd_encrypt,cmd_decrypt,cmd_sign,cmd_verify)
(cmd_import): Close the FDs on success.
(close_message_fd): New.
(input_notify): Setting autodetect_encoding to 0 after initializing
it to 0 is pretty pointless. Easy to fix.
* gpgsm.c (main): New option --debug-wait n, so that it is
possible to attach gdb when used in server mode.
* sign.c (get_default_signer): Use keydb_classify_name here.
2001-12-14 Marcus Brinkmann <marcus@g10code.de>
* call-agent.c (LINELENGTH): Removed.
(gpgsm_agent_pksign): Use ASSUAN_LINELENGTH, not LINELENGTH.
(gpgsm_agent_pkdecrypt): Likewise.
2001-12-13 Werner Koch <wk@gnupg.org>
* keylist.c (list_cert_colon): Print alternative names of subject
and a few other values.
2001-12-12 Werner Koch <wk@gnupg.org>
* gpgsm.c (main): New options --assume-{armor,base64,binary}.
* base64.c (base64_reader_cb): Fixed non-autodetection mode.
2001-12-04 Werner Koch <wk@gnupg.org>
* call-agent.c (read_from_agent): Check for inquire responses.
(request_reply): Handle them using a new callback arg, changed all
callers.
(gpgsm_agent_pkdecrypt): New.
2001-11-27 Werner Koch <wk@gnupg.org>
* base64.c: New. Changed all other functions to use this instead
of direct creation of ksba_reader/writer.
* gpgsm.c (main): Set ctrl.auto_encoding unless --no-armor is used.
2001-11-26 Werner Koch <wk@gnupg.org>
* gpgsm.c: New option --agent-program
* call-agent.c (start_agent): Allow to override the default path
to the agent.
* keydb.c (keydb_add_resource): Create keybox
* keylist.c (gpgsm_list_keys): Fixed non-server keylisting.
* server.c (rc_to_assuan_status): New. Use it for all commands.
Copyright 2001, 2002, 2003 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/sm/keylist.c b/sm/keylist.c
index 0c8ebd33e..e9985f3ec 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -1,1274 +1,1277 @@
/* keylist.c
* Copyright (C) 1998, 1999, 2000, 2001, 2003,
* 2004 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <assert.h>
#include "gpgsm.h"
#include <gcrypt.h>
#include <ksba.h>
#include "keydb.h"
#include "../kbx/keybox.h" /* for KEYBOX_FLAG_* */
#include "i18n.h"
struct list_external_parm_s {
ctrl_t ctrl;
FILE *fp;
int print_header;
int with_colons;
int with_chain;
int raw_mode;
};
/* This table is to map Extended Key Usage OIDs to human readable
names. */
struct {
const char *oid;
const char *name;
} key_purpose_map[] = {
{ "1.3.6.1.5.5.7.3.1", "serverAuth" },
{ "1.3.6.1.5.5.7.3.2", "clientAuth" },
{ "1.3.6.1.5.5.7.3.3", "codeSigning" },
{ "1.3.6.1.5.5.7.3.4", "emailProtection" },
{ "1.3.6.1.5.5.7.3.5", "ipsecEndSystem" },
{ "1.3.6.1.5.5.7.3.6", "ipsecTunnel" },
{ "1.3.6.1.5.5.7.3.7", "ipsecUser" },
{ "1.3.6.1.5.5.7.3.8", "timeStamping" },
{ "1.3.6.1.5.5.7.3.9", "ocspSigning" },
{ "1.3.6.1.5.5.7.3.10", "dvcs" },
{ "1.3.6.1.5.5.7.3.11", "sbgpCertAAServerAuth" },
{ "1.3.6.1.5.5.7.3.13", "eapOverPPP" },
{ "1.3.6.1.5.5.7.3.14", "wlanSSID" },
{ NULL, NULL }
};
/* A table mapping OIDs to a descriptive string. */
static struct {
char *oid;
char *name;
unsigned int flag;
} oidtranstbl[] = {
/* Algorithms. */
{ "1.2.840.10040.4.1", "dsa" },
{ "1.2.840.10040.4.3", "dsaWithSha1" },
{ "1.2.840.113549.1.1.1", "rsaEncryption" },
{ "1.2.840.113549.1.1.2", "md2WithRSAEncryption" },
{ "1.2.840.113549.1.1.3", "md4WithRSAEncryption" },
{ "1.2.840.113549.1.1.4", "md5WithRSAEncryption" },
{ "1.2.840.113549.1.1.5", "sha1WithRSAEncryption" },
{ "1.2.840.113549.1.1.7", "rsaOAEP" },
{ "1.2.840.113549.1.1.8", "rsaOAEP-MGF" },
{ "1.2.840.113549.1.1.9", "rsaOAEP-pSpecified" },
{ "1.2.840.113549.1.1.10", "rsaPSS" },
{ "1.2.840.113549.1.1.11", "sha256WithRSAEncryption" },
{ "1.2.840.113549.1.1.12", "sha384WithRSAEncryption" },
{ "1.2.840.113549.1.1.13", "sha512WithRSAEncryption" },
{ "1.3.14.3.2.26", "sha1" },
{ "1.3.14.3.2.29", "sha-1WithRSAEncryption" },
{ "1.3.36.3.3.1.2", "rsaSignatureWithripemd160" },
/* Telesec extensions. */
{ "0.2.262.1.10.12.0", "certExtensionLiabilityLimitationExt" },
{ "0.2.262.1.10.12.1", "telesecCertIdExt" },
{ "0.2.262.1.10.12.2", "telesecPolicyIdentifier" },
{ "0.2.262.1.10.12.3", "telesecPolicyQualifierID" },
{ "0.2.262.1.10.12.4", "telesecCRLFilteredExt" },
{ "0.2.262.1.10.12.5", "telesecCRLFilterExt"},
{ "0.2.262.1.10.12.6", "telesecNamingAuthorityExt" },
/* PKIX private extensions. */
{ "1.3.6.1.5.5.7.1.1", "authorityInfoAccess" },
{ "1.3.6.1.5.5.7.1.2", "biometricInfo" },
{ "1.3.6.1.5.5.7.1.3", "qcStatements" },
{ "1.3.6.1.5.5.7.1.4", "acAuditIdentity" },
{ "1.3.6.1.5.5.7.1.5", "acTargeting" },
{ "1.3.6.1.5.5.7.1.6", "acAaControls" },
{ "1.3.6.1.5.5.7.1.7", "sbgp-ipAddrBlock" },
{ "1.3.6.1.5.5.7.1.8", "sbgp-autonomousSysNum" },
{ "1.3.6.1.5.5.7.1.9", "sbgp-routerIdentifier" },
{ "1.3.6.1.5.5.7.1.10", "acProxying" },
{ "1.3.6.1.5.5.7.1.11", "subjectInfoAccess" },
/* X.509 id-ce */
{ "2.5.29.14", "subjectKeyIdentifier"},
{ "2.5.29.15", "keyUsage", 1 },
{ "2.5.29.16", "privateKeyUsagePeriod" },
{ "2.5.29.17", "subjectAltName", 1 },
{ "2.5.29.18", "issuerAltName", 1 },
{ "2.5.29.19", "basicConstraints", 1},
{ "2.5.29.20", "cRLNumber" },
{ "2.5.29.21", "cRLReason" },
{ "2.5.29.22", "expirationDate" },
{ "2.5.29.23", "instructionCode" },
{ "2.5.29.24", "invalidityDate" },
{ "2.5.29.27", "deltaCRLIndicator" },
{ "2.5.29.28", "issuingDistributionPoint" },
{ "2.5.29.29", "certificateIssuer" },
{ "2.5.29.30", "nameConstraints" },
{ "2.5.29.31", "cRLDistributionPoints", 1 },
{ "2.5.29.32", "certificatePolicies", 1 },
{ "2.5.29.32.0", "anyPolicy" },
{ "2.5.29.33", "policyMappings" },
{ "2.5.29.35", "authorityKeyIdentifier", 1 },
{ "2.5.29.36", "policyConstraints" },
{ "2.5.29.37", "extKeyUsage", 1 },
{ "2.5.29.46", "freshestCRL" },
{ "2.5.29.54", "inhibitAnyPolicy" },
/* Netscape certificate extensions. */
{ "2.16.840.1.113730.1.1", "netscape-cert-type" },
{ "2.16.840.1.113730.1.2", "netscape-base-url" },
{ "2.16.840.1.113730.1.3", "netscape-revocation-url" },
{ "2.16.840.1.113730.1.4", "netscape-ca-revocation-url" },
{ "2.16.840.1.113730.1.7", "netscape-cert-renewal-url" },
{ "2.16.840.1.113730.1.8", "netscape-ca-policy-url" },
{ "2.16.840.1.113730.1.9", "netscape-homePage-url" },
{ "2.16.840.1.113730.1.10", "netscape-entitylogo" },
{ "2.16.840.1.113730.1.11", "netscape-userPicture" },
{ "2.16.840.1.113730.1.12", "netscape-ssl-server-name" },
{ "2.16.840.1.113730.1.13", "netscape-comment" },
{ NULL }
};
/* Return the description for OID; if no description is available
NULL is returned. */
static const char *
get_oid_desc (const char *oid, unsigned int *flag)
{
int i;
if (oid)
for (i=0; oidtranstbl[i].oid; i++)
if (!strcmp (oidtranstbl[i].oid, oid))
{
if (flag)
*flag = oidtranstbl[i].flag;
return oidtranstbl[i].name;
}
if (flag)
*flag = 0;
return NULL;
}
static void
print_key_data (ksba_cert_t cert, FILE *fp)
{
#if 0
int n = pk ? pubkey_get_npkey( pk->pubkey_algo ) : 0;
int i;
for(i=0; i < n; i++ )
{
fprintf (fp, "pkd:%d:%u:", i, mpi_get_nbits( pk->pkey[i] ) );
mpi_print(stdout, pk->pkey[i], 1 );
putchar(':');
putchar('\n');
}
#endif
}
static void
print_capabilities (ksba_cert_t cert, FILE *fp)
{
gpg_error_t err;
unsigned int use;
err = ksba_cert_get_key_usage (cert, &use);
if (gpg_err_code (err) == GPG_ERR_NO_DATA)
{
putc ('e', fp);
putc ('s', fp);
putc ('c', fp);
putc ('E', fp);
putc ('S', fp);
putc ('C', fp);
return;
}
if (err)
{
log_error (_("error getting key usage information: %s\n"),
gpg_strerror (err));
return;
}
if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
putc ('e', fp);
if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
putc ('s', fp);
if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
putc ('c', fp);
if ((use & (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT)))
putc ('E', fp);
if ((use & (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
putc ('S', fp);
if ((use & KSBA_KEYUSAGE_KEY_CERT_SIGN))
putc ('C', fp);
}
static void
print_time (gnupg_isotime_t t, FILE *fp)
{
if (!t || !*t)
;
else
fputs (t, fp);
}
/* return an allocated string with the email address extracted from a
DN */
static char *
email_kludge (const char *name)
{
const unsigned char *p;
unsigned char *buf;
int n;
if (strncmp (name, "1.2.840.113549.1.9.1=#", 22))
return NULL;
/* This looks pretty much like an email address in the subject's DN
we use this to add an additional user ID entry. This way,
openSSL generated keys get a nicer and usable listing */
name += 22;
for (n=0, p=name; hexdigitp (p) && hexdigitp (p+1); p +=2, n++)
;
if (*p != '#' || !n)
return NULL;
buf = xtrymalloc (n+3);
if (!buf)
return NULL; /* oops, out of core */
*buf = '<';
for (n=1, p=name; *p != '#'; p +=2, n++)
buf[n] = xtoi_2 (p);
buf[n++] = '>';
buf[n] = 0;
return buf;
}
/* List one certificate in colon mode */
static void
list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
FILE *fp, int have_secret)
{
int rc;
int idx;
char truststring[2];
char *p;
ksba_sexp_t sexp;
char *fpr;
ksba_isotime_t t;
gpg_error_t valerr;
int algo;
unsigned int nbits;
const char *chain_id;
char *chain_id_buffer = NULL;
int is_root = 0;
if (ctrl->with_validation)
valerr = gpgsm_validate_chain (ctrl, cert, NULL, 1, NULL, 0);
else
valerr = 0;
/* We need to get the fingerprint and the chaining ID in advance. */
fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
{
ksba_cert_t next;
rc = gpgsm_walk_cert_chain (cert, &next);
if (!rc) /* We known the issuer's certificate. */
{
p = gpgsm_get_fingerprint_hexstring (next, GCRY_MD_SHA1);
chain_id_buffer = p;
chain_id = chain_id_buffer;
ksba_cert_release (next);
}
else if (rc == -1) /* We have reached the root certificate. */
{
chain_id = fpr;
is_root = 1;
}
else
chain_id = NULL;
}
fputs (have_secret? "crs:":"crt:", fp);
+
+ /* Note: We can't use multiple flags, like "ei", because the
+ validation check does only return one error. */
truststring[0] = 0;
truststring[1] = 0;
if ((validity & VALIDITY_REVOKED)
|| gpg_err_code (valerr) == GPG_ERR_CERT_REVOKED)
*truststring = 'r';
else if (gpg_err_code (valerr) == GPG_ERR_CERT_EXPIRED)
*truststring = 'e';
- else if (valerr)
- *truststring = 'i';
else
{
/* Lets also check whether the certificate under question
expired. This is merely a hack until we found a proper way
to store the expiration flag in the keybox. */
ksba_isotime_t current_time, not_after;
gnupg_get_isotime (current_time);
if (!opt.ignore_expiration
&& !ksba_cert_get_validity (cert, 1, not_after)
&& *not_after && strcmp (current_time, not_after) > 0 )
*truststring = 'e';
+ else if (valerr)
+ *truststring = 'i';
}
/* Is we have no truststring yet (i.e. the certificate might be
good) and this is a root certificate, we ask the agent whether
this is a trusted root certificate. */
if (!*truststring && is_root)
{
rc = gpgsm_agent_istrusted (ctrl, cert);
if (!rc)
*truststring = 'u'; /* Yes, we trust this one (ultimately). */
else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED)
*truststring = 'n'; /* No, we do not trust this one. */
/* (in case of an error we can't tell anything.) */
}
if (*truststring)
fputs (truststring, fp);
algo = gpgsm_get_key_algo_info (cert, &nbits);
fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);
/* We assume --fixed-list-mode for gpgsm */
ksba_cert_get_validity (cert, 0, t);
print_time (t, fp);
putc (':', fp);
ksba_cert_get_validity (cert, 1, t);
print_time ( t, fp);
putc (':', fp);
/* Field 8, serial number: */
if ((sexp = ksba_cert_get_serial (cert)))
{
int len;
const unsigned char *s = sexp;
if (*s == '(')
{
s++;
for (len=0; *s && *s != ':' && digitp (s); s++)
len = len*10 + atoi_1 (s);
if (*s == ':')
for (s++; len; len--, s++)
fprintf (fp,"%02X", *s);
}
xfree (sexp);
}
putc (':', fp);
/* Field 9, ownertrust - not used here */
putc (':', fp);
/* field 10, old user ID - we use it here for the issuer DN */
if ((p = ksba_cert_get_issuer (cert,0)))
{
print_sanitized_string (fp, p, ':');
xfree (p);
}
putc (':', fp);
/* Field 11, signature class - not used */
putc (':', fp);
/* Field 12, capabilities: */
print_capabilities (cert, fp);
putc (':', fp);
putc ('\n', fp);
/* FPR record */
fprintf (fp, "fpr:::::::::%s:::", fpr);
/* Print chaining ID (field 13)*/
if (chain_id)
fputs (chain_id, fp);
putc (':', fp);
putc ('\n', fp);
xfree (fpr); fpr = NULL; chain_id = NULL;
xfree (chain_id_buffer); chain_id_buffer = NULL;
if (opt.with_key_data)
{
if ( (p = gpgsm_get_keygrip_hexstring (cert)))
{
fprintf (fp, "grp:::::::::%s:\n", p);
xfree (p);
}
print_key_data (cert, fp);
}
for (idx=0; (p = ksba_cert_get_subject (cert,idx)); idx++)
{
fprintf (fp, "uid:%s::::::::", truststring);
print_sanitized_string (fp, p, ':');
putc (':', fp);
putc (':', fp);
putc ('\n', fp);
if (!idx)
{
/* It would be better to get the faked email address from
the keydb. But as long as we don't have a way to pass
the meta data back, we just check it the same way as the
code used to create the keybox meta data does */
char *pp = email_kludge (p);
if (pp)
{
fprintf (fp, "uid:%s::::::::", truststring);
print_sanitized_string (fp, pp, ':');
putc (':', fp);
putc (':', fp);
putc ('\n', fp);
xfree (pp);
}
}
xfree (p);
}
}
static void
print_name_raw (FILE *fp, const char *string)
{
if (!string)
fputs ("[error]", fp);
else
print_sanitized_string (fp, string, 0);
}
static void
print_names_raw (FILE *fp, int indent, ksba_name_t name)
{
int idx;
const char *s;
int indent_all;
if ((indent_all = (indent < 0)))
indent = - indent;
if (!name)
{
fputs ("none\n", fp);
return;
}
for (idx=0; (s = ksba_name_enum (name, idx)); idx++)
{
char *p = ksba_name_get_uri (name, idx);
printf ("%*s%s\n", idx||indent_all?indent:0, "", p?p:s);
xfree (p);
}
}
/* List one certificate in raw mode useful to have a closer look at
the certificate. This one does no beautification and only minimal
output sanitation. It is mainly useful for debugging. */
static void
list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd,
ksba_cert_t cert, FILE *fp, int have_secret,
int with_validation)
{
gpg_error_t err;
size_t off, len;
ksba_sexp_t sexp;
char *dn;
ksba_isotime_t t;
int idx, i;
int is_ca, chainlen;
unsigned int kusage;
char *string, *p, *pend;
const char *oid, *s;
ksba_name_t name, name2;
unsigned int reason;
sexp = ksba_cert_get_serial (cert);
fputs ("Serial number: ", fp);
gpgsm_print_serial (fp, sexp);
ksba_free (sexp);
putc ('\n', fp);
dn = ksba_cert_get_issuer (cert, 0);
fputs (" Issuer: ", fp);
print_name_raw (fp, dn);
ksba_free (dn);
putc ('\n', fp);
for (idx=1; (dn = ksba_cert_get_issuer (cert, idx)); idx++)
{
fputs (" aka: ", fp);
print_name_raw (fp, dn);
ksba_free (dn);
putc ('\n', fp);
}
dn = ksba_cert_get_subject (cert, 0);
fputs (" Subject: ", fp);
print_name_raw (fp, dn);
ksba_free (dn);
putc ('\n', fp);
for (idx=1; (dn = ksba_cert_get_subject (cert, idx)); idx++)
{
fputs (" aka: ", fp);
print_name_raw (fp, dn);
ksba_free (dn);
putc ('\n', fp);
}
dn = gpgsm_get_fingerprint_string (cert, 0);
fprintf (fp, " sha1_fpr: %s\n", dn?dn:"error");
xfree (dn);
dn = gpgsm_get_fingerprint_string (cert, GCRY_MD_MD5);
fprintf (fp, " md5_fpr: %s\n", dn?dn:"error");
xfree (dn);
dn = gpgsm_get_keygrip_hexstring (cert);
fprintf (fp, " keygrip: %s\n", dn?dn:"error");
xfree (dn);
ksba_cert_get_validity (cert, 0, t);
fputs (" notBefore: ", fp);
gpgsm_print_time (fp, t);
putc ('\n', fp);
fputs (" notAfter: ", fp);
ksba_cert_get_validity (cert, 1, t);
gpgsm_print_time (fp, t);
putc ('\n', fp);
oid = ksba_cert_get_digest_algo (cert);
s = get_oid_desc (oid, NULL);
fprintf (fp, " hashAlgo: %s%s%s%s\n", oid, s?" (":"",s?s:"",s?")":"");
{
const char *algoname;
unsigned int nbits;
algoname = gcry_pk_algo_name (gpgsm_get_key_algo_info (cert, &nbits));
fprintf (fp, " keyType: %u bit %s\n", nbits, algoname? algoname:"?");
}
/* authorityKeyIdentifier */
fputs (" authKeyId: ", fp);
err = ksba_cert_get_auth_key_id (cert, NULL, &name, &sexp);
if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA)
{
if (gpg_err_code (err) == GPG_ERR_NO_DATA || !name)
fputs ("[none]\n", fp);
else
{
gpgsm_print_serial (fp, sexp);
ksba_free (sexp);
putc ('\n', fp);
print_names_raw (fp, -15, name);
ksba_name_release (name);
}
}
else
fputs ("[?]\n", fp);
fputs (" keyUsage:", fp);
err = ksba_cert_get_key_usage (cert, &kusage);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{
if (err)
fprintf (fp, " [error: %s]", gpg_strerror (err));
else
{
if ( (kusage & KSBA_KEYUSAGE_DIGITAL_SIGNATURE))
fputs (" digitalSignature", fp);
if ( (kusage & KSBA_KEYUSAGE_NON_REPUDIATION))
fputs (" nonRepudiation", fp);
if ( (kusage & KSBA_KEYUSAGE_KEY_ENCIPHERMENT))
fputs (" keyEncipherment", fp);
if ( (kusage & KSBA_KEYUSAGE_DATA_ENCIPHERMENT))
fputs (" dataEncipherment", fp);
if ( (kusage & KSBA_KEYUSAGE_KEY_AGREEMENT))
fputs (" keyAgreement", fp);
if ( (kusage & KSBA_KEYUSAGE_KEY_CERT_SIGN))
fputs (" certSign", fp);
if ( (kusage & KSBA_KEYUSAGE_CRL_SIGN))
fputs (" crlSign", fp);
if ( (kusage & KSBA_KEYUSAGE_ENCIPHER_ONLY))
fputs (" encipherOnly", fp);
if ( (kusage & KSBA_KEYUSAGE_DECIPHER_ONLY))
fputs (" decipherOnly", fp);
}
putc ('\n', fp);
}
else
fputs ("[none]\n", fp);
fputs (" extKeyUsage: ", fp);
err = ksba_cert_get_ext_key_usages (cert, &string);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{
if (err)
fprintf (fp, "[error: %s]", gpg_strerror (err));
else
{
p = string;
while (p && (pend=strchr (p, ':')))
{
*pend++ = 0;
for (i=0; key_purpose_map[i].oid; i++)
if ( !strcmp (key_purpose_map[i].oid, p) )
break;
fputs (key_purpose_map[i].oid?key_purpose_map[i].name:p, fp);
p = pend;
if (*p != 'C')
fputs (" (suggested)", fp);
if ((p = strchr (p, '\n')))
{
p++;
fputs ("\n ", fp);
}
}
xfree (string);
}
putc ('\n', fp);
}
else
fputs ("[none]\n", fp);
fputs (" policies: ", fp);
err = ksba_cert_get_cert_policies (cert, &string);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{
if (err)
fprintf (fp, "[error: %s]", gpg_strerror (err));
else
{
p = string;
while (p && (pend=strchr (p, ':')))
{
*pend++ = 0;
for (i=0; key_purpose_map[i].oid; i++)
if ( !strcmp (key_purpose_map[i].oid, p) )
break;
fputs (p, fp);
p = pend;
if (*p == 'C')
fputs (" (critical)", fp);
if ((p = strchr (p, '\n')))
{
p++;
fputs ("\n ", fp);
}
}
xfree (string);
}
putc ('\n', fp);
}
else
fputs ("[none]\n", fp);
fputs (" chainLength: ", fp);
err = ksba_cert_is_ca (cert, &is_ca, &chainlen);
if (err || is_ca)
{
if (err)
fprintf (fp, "[error: %s]", gpg_strerror (err));
else if (chainlen == -1)
fputs ("unlimited", fp);
else
fprintf (fp, "%d", chainlen);
putc ('\n', fp);
}
else
fputs ("not a CA\n", fp);
/* CRL distribution point */
for (idx=0; !(err=ksba_cert_get_crl_dist_point (cert, idx, &name, &name2,
&reason)) ;idx++)
{
fputs (" crlDP: ", fp);
print_names_raw (fp, 15, name);
if (reason)
{
fputs (" reason: ", fp);
if ( (reason & KSBA_CRLREASON_UNSPECIFIED))
fputs (" unused", stdout);
if ( (reason & KSBA_CRLREASON_KEY_COMPROMISE))
fputs (" keyCompromise", stdout);
if ( (reason & KSBA_CRLREASON_CA_COMPROMISE))
fputs (" caCompromise", stdout);
if ( (reason & KSBA_CRLREASON_AFFILIATION_CHANGED))
fputs (" affiliationChanged", stdout);
if ( (reason & KSBA_CRLREASON_SUPERSEDED))
fputs (" superseded", stdout);
if ( (reason & KSBA_CRLREASON_CESSATION_OF_OPERATION))
fputs (" cessationOfOperation", stdout);
if ( (reason & KSBA_CRLREASON_CERTIFICATE_HOLD))
fputs (" certificateHold", stdout);
putchar ('\n');
}
fputs (" issuer: ", fp);
print_names_raw (fp, 23, name2);
ksba_name_release (name);
ksba_name_release (name2);
}
if (err && gpg_err_code (err) != GPG_ERR_EOF)
fputs (" crlDP: [error]\n", fp);
else if (!idx)
fputs (" crlDP: [none]\n", fp);
/* authorityInfoAccess. */
for (idx=0; !(err=ksba_cert_get_authority_info_access (cert, idx, &string,
&name)); idx++)
{
fputs (" authInfo: ", fp);
s = get_oid_desc (string, NULL);
fprintf (fp, "%s%s%s%s\n", string, s?" (":"", s?s:"", s?")":"");
print_names_raw (fp, -15, name);
ksba_name_release (name);
ksba_free (string);
}
if (err && gpg_err_code (err) != GPG_ERR_EOF)
fputs (" authInfo: [error]\n", fp);
else if (!idx)
fputs (" authInfo: [none]\n", fp);
/* subjectInfoAccess. */
for (idx=0; !(err=ksba_cert_get_subject_info_access (cert, idx, &string,
&name)); idx++)
{
fputs (" subjectInfo: ", fp);
s = get_oid_desc (string, NULL);
fprintf (fp, "%s%s%s%s\n", string, s?" (":"", s?s:"", s?")":"");
print_names_raw (fp, -15, name);
ksba_name_release (name);
ksba_free (string);
}
if (err && gpg_err_code (err) != GPG_ERR_EOF)
fputs (" subjInfo: [error]\n", fp);
else if (!idx)
fputs (" subjInfo: [none]\n", fp);
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
&oid, &i, &off, &len));idx++)
{
unsigned int flag;
s = get_oid_desc (oid, &flag);
if (!(flag & 1))
fprintf (fp, " %s: %s%s%s%s [%d octets]\n",
i? "critExtn":" extn",
oid, s?" (":"", s?s:"", s?")":"", (int)len);
}
if (with_validation)
{
err = gpgsm_validate_chain (ctrl, cert, NULL, 1, fp, 0);
if (!err)
fprintf (fp, " [certificate is good]\n");
else
fprintf (fp, " [certificate is bad: %s]\n", gpg_strerror (err));
}
if (opt.with_ephemeral_keys && hd)
{
unsigned int blobflags;
err = keydb_get_flags (hd, KEYBOX_FLAG_BLOB, 0, &blobflags);
if (err)
fprintf (fp, " [error getting keyflags: %s]\n", gpg_strerror (err));
else if ((blobflags & 2))
fprintf (fp, " [stored as ephemeral]\n");
}
}
/* List one certificate in standard mode */
static void
list_cert_std (ctrl_t ctrl, ksba_cert_t cert, FILE *fp, int have_secret,
int with_validation)
{
gpg_error_t err;
ksba_sexp_t sexp;
char *dn;
ksba_isotime_t t;
int idx, i;
int is_ca, chainlen;
unsigned int kusage;
char *string, *p, *pend;
sexp = ksba_cert_get_serial (cert);
fputs ("Serial number: ", fp);
gpgsm_print_serial (fp, sexp);
ksba_free (sexp);
putc ('\n', fp);
dn = ksba_cert_get_issuer (cert, 0);
fputs (" Issuer: ", fp);
gpgsm_print_name (fp, dn);
ksba_free (dn);
putc ('\n', fp);
for (idx=1; (dn = ksba_cert_get_issuer (cert, idx)); idx++)
{
fputs (" aka: ", fp);
gpgsm_print_name (fp, dn);
ksba_free (dn);
putc ('\n', fp);
}
dn = ksba_cert_get_subject (cert, 0);
fputs (" Subject: ", fp);
gpgsm_print_name (fp, dn);
ksba_free (dn);
putc ('\n', fp);
for (idx=1; (dn = ksba_cert_get_subject (cert, idx)); idx++)
{
fputs (" aka: ", fp);
gpgsm_print_name (fp, dn);
ksba_free (dn);
putc ('\n', fp);
}
ksba_cert_get_validity (cert, 0, t);
fputs (" validity: ", fp);
gpgsm_print_time (fp, t);
fputs (" through ", fp);
ksba_cert_get_validity (cert, 1, t);
gpgsm_print_time (fp, t);
putc ('\n', fp);
{
const char *algoname;
unsigned int nbits;
algoname = gcry_pk_algo_name (gpgsm_get_key_algo_info (cert, &nbits));
fprintf (fp, " key type: %u bit %s\n", nbits, algoname? algoname:"?");
}
err = ksba_cert_get_key_usage (cert, &kusage);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{
fputs (" key usage:", fp);
if (err)
fprintf (fp, " [error: %s]", gpg_strerror (err));
else
{
if ( (kusage & KSBA_KEYUSAGE_DIGITAL_SIGNATURE))
fputs (" digitalSignature", fp);
if ( (kusage & KSBA_KEYUSAGE_NON_REPUDIATION))
fputs (" nonRepudiation", fp);
if ( (kusage & KSBA_KEYUSAGE_KEY_ENCIPHERMENT))
fputs (" keyEncipherment", fp);
if ( (kusage & KSBA_KEYUSAGE_DATA_ENCIPHERMENT))
fputs (" dataEncipherment", fp);
if ( (kusage & KSBA_KEYUSAGE_KEY_AGREEMENT))
fputs (" keyAgreement", fp);
if ( (kusage & KSBA_KEYUSAGE_KEY_CERT_SIGN))
fputs (" certSign", fp);
if ( (kusage & KSBA_KEYUSAGE_CRL_SIGN))
fputs (" crlSign", fp);
if ( (kusage & KSBA_KEYUSAGE_ENCIPHER_ONLY))
fputs (" encipherOnly", fp);
if ( (kusage & KSBA_KEYUSAGE_DECIPHER_ONLY))
fputs (" decipherOnly", fp);
}
putc ('\n', fp);
}
err = ksba_cert_get_ext_key_usages (cert, &string);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{
fputs ("ext key usage: ", fp);
if (err)
fprintf (fp, "[error: %s]", gpg_strerror (err));
else
{
p = string;
while (p && (pend=strchr (p, ':')))
{
*pend++ = 0;
for (i=0; key_purpose_map[i].oid; i++)
if ( !strcmp (key_purpose_map[i].oid, p) )
break;
fputs (key_purpose_map[i].oid?key_purpose_map[i].name:p, fp);
p = pend;
if (*p != 'C')
fputs (" (suggested)", fp);
if ((p = strchr (p, '\n')))
{
p++;
fputs (", ", fp);
}
}
xfree (string);
}
putc ('\n', fp);
}
err = ksba_cert_get_cert_policies (cert, &string);
if (gpg_err_code (err) != GPG_ERR_NO_DATA)
{
fputs (" policies: ", fp);
if (err)
fprintf (fp, "[error: %s]", gpg_strerror (err));
else
{
for (p=string; *p; p++)
{
if (*p == '\n')
*p = ',';
}
print_sanitized_string (fp, string, 0);
xfree (string);
}
putc ('\n', fp);
}
err = ksba_cert_is_ca (cert, &is_ca, &chainlen);
if (err || is_ca)
{
fputs (" chain length: ", fp);
if (err)
fprintf (fp, "[error: %s]", gpg_strerror (err));
else if (chainlen == -1)
fputs ("unlimited", fp);
else
fprintf (fp, "%d", chainlen);
putc ('\n', fp);
}
if (opt.with_md5_fingerprint)
{
dn = gpgsm_get_fingerprint_string (cert, GCRY_MD_MD5);
fprintf (fp, " md5 fpr: %s\n", dn?dn:"error");
xfree (dn);
}
dn = gpgsm_get_fingerprint_string (cert, 0);
fprintf (fp, " fingerprint: %s\n", dn?dn:"error");
xfree (dn);
if (with_validation)
{
err = gpgsm_validate_chain (ctrl, cert, NULL, 1, fp, 0);
if (!err)
fprintf (fp, " [certificate is good]\n");
else
fprintf (fp, " [certificate is bad: %s]\n", gpg_strerror (err));
}
}
/* Same as standard mode mode list all certifying certs too. */
static void
list_cert_chain (ctrl_t ctrl, KEYDB_HANDLE hd,
ksba_cert_t cert, int raw_mode,
FILE *fp, int with_validation)
{
ksba_cert_t next = NULL;
if (raw_mode)
list_cert_raw (ctrl, hd, cert, fp, 0, with_validation);
else
list_cert_std (ctrl, cert, fp, 0, with_validation);
ksba_cert_ref (cert);
while (!gpgsm_walk_cert_chain (cert, &next))
{
ksba_cert_release (cert);
fputs ("Certified by\n", fp);
if (raw_mode)
list_cert_raw (ctrl, hd, next, fp, 0, with_validation);
else
list_cert_std (ctrl, next, fp, 0, with_validation);
cert = next;
}
ksba_cert_release (cert);
putc ('\n', fp);
}
/* List all internal keys or just the keys given as NAMES. MODE is a
bit vector to specify what keys are to be included; see
gpgsm_list_keys (below) for details. If RAW_MODE is true, the raw
output mode will be used intead of the standard beautified one.
*/
static gpg_error_t
list_internal_keys (ctrl_t ctrl, STRLIST names, FILE *fp,
unsigned int mode, int raw_mode)
{
KEYDB_HANDLE hd;
KEYDB_SEARCH_DESC *desc = NULL;
STRLIST sl;
int ndesc;
ksba_cert_t cert = NULL;
gpg_error_t rc = 0;
const char *lastresname, *resname;
int have_secret;
hd = keydb_new (0);
if (!hd)
{
log_error ("keydb_new failed\n");
rc = gpg_error (GPG_ERR_GENERAL);
goto leave;
}
if (!names)
ndesc = 1;
else
{
for (sl=names, ndesc=0; sl; sl = sl->next, ndesc++)
;
}
desc = xtrycalloc (ndesc, sizeof *desc);
if (!ndesc)
{
rc = gpg_error_from_errno (errno);
log_error ("out of core\n");
goto leave;
}
if (!names)
desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
else
{
for (ndesc=0, sl=names; sl; sl = sl->next)
{
rc = keydb_classify_name (sl->d, desc+ndesc);
if (rc)
{
log_error ("key `%s' not found: %s\n",
sl->d, gpg_strerror (rc));
rc = 0;
}
else
ndesc++;
}
}
if (opt.with_ephemeral_keys)
keydb_set_ephemeral (hd, 1);
/* It would be nice to see which of the given users did actually
match one in the keyring. To implement this we need to have a
found flag for each entry in desc and to set this we must check
all those entries after a match to mark all matched one -
currently we stop at the first match. To do this we need an
extra flag to enable this feature so */
lastresname = NULL;
while (!(rc = keydb_search (hd, desc, ndesc)))
{
unsigned int validity;
if (!names)
desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
rc = keydb_get_flags (hd, KEYBOX_FLAG_VALIDITY, 0, &validity);
if (rc)
{
log_error ("keydb_get_flags failed: %s\n", gpg_strerror (rc));
goto leave;
}
rc = keydb_get_cert (hd, &cert);
if (rc)
{
log_error ("keydb_get_cert failed: %s\n", gpg_strerror (rc));
goto leave;
}
resname = keydb_get_resource_name (hd);
if (lastresname != resname )
{
int i;
if (ctrl->no_server)
{
fprintf (fp, "%s\n", resname );
for (i=strlen(resname); i; i-- )
putchar('-');
putc ('\n', fp);
lastresname = resname;
}
}
have_secret = 0;
if (mode)
{
char *p = gpgsm_get_keygrip_hexstring (cert);
if (p)
{
rc = gpgsm_agent_havekey (ctrl, p);
if (!rc)
have_secret = 1;
else if ( gpg_err_code (rc) != GPG_ERR_NO_SECKEY)
goto leave;
rc = 0;
xfree (p);
}
}
if (!mode
|| ((mode & 1) && !have_secret)
|| ((mode & 2) && have_secret) )
{
if (ctrl->with_colons)
list_cert_colon (ctrl, cert, validity, fp, have_secret);
else if (ctrl->with_chain)
list_cert_chain (ctrl, hd, cert,
raw_mode, fp, ctrl->with_validation);
else
{
if (raw_mode)
list_cert_raw (ctrl, hd, cert, fp, have_secret,
ctrl->with_validation);
else
list_cert_std (ctrl, cert, fp, have_secret,
ctrl->with_validation);
putc ('\n', fp);
}
}
ksba_cert_release (cert);
cert = NULL;
}
if (gpg_err_code (rc) == GPG_ERR_EOF || rc == -1 )
rc = 0;
if (rc)
log_error ("keydb_search failed: %s\n", gpg_strerror (rc));
leave:
ksba_cert_release (cert);
xfree (desc);
keydb_release (hd);
return rc;
}
static void
list_external_cb (void *cb_value, ksba_cert_t cert)
{
struct list_external_parm_s *parm = cb_value;
if (keydb_store_cert (cert, 1, NULL))
log_error ("error storing certificate as ephemeral\n");
if (parm->print_header)
{
const char *resname = "[external keys]";
int i;
fprintf (parm->fp, "%s\n", resname );
for (i=strlen(resname); i; i-- )
putchar('-');
putc ('\n', parm->fp);
parm->print_header = 0;
}
if (parm->with_colons)
list_cert_colon (parm->ctrl, cert, 0, parm->fp, 0);
else if (parm->with_chain)
list_cert_chain (parm->ctrl, NULL, cert, parm->raw_mode, parm->fp, 0);
else
{
if (parm->raw_mode)
list_cert_raw (parm->ctrl, NULL, cert, parm->fp, 0, 0);
else
list_cert_std (parm->ctrl, cert, parm->fp, 0, 0);
putc ('\n', parm->fp);
}
}
/* List external keys similar to internal one. Note: mode does not
make sense here because it would be unwise to list external secret
keys */
static gpg_error_t
list_external_keys (CTRL ctrl, STRLIST names, FILE *fp, int raw_mode)
{
int rc;
struct list_external_parm_s parm;
parm.fp = fp;
parm.ctrl = ctrl,
parm.print_header = ctrl->no_server;
parm.with_colons = ctrl->with_colons;
parm.with_chain = ctrl->with_chain;
parm.raw_mode = raw_mode;
rc = gpgsm_dirmngr_lookup (ctrl, names, list_external_cb, &parm);
if (rc)
log_error ("listing external keys failed: %s\n", gpg_strerror (rc));
return rc;
}
/* List all keys or just the key given as NAMES.
MODE controls the operation mode:
Bit 0-2:
0 = list all public keys but don't flag secret ones
1 = list only public keys
2 = list only secret keys
3 = list secret and public keys
Bit 6: list internal keys
Bit 7: list external keys
Bit 8: Do a raw format dump.
*/
gpg_error_t
gpgsm_list_keys (CTRL ctrl, STRLIST names, FILE *fp, unsigned int mode)
{
gpg_error_t err = 0;
if ((mode & (1<<6)))
err = list_internal_keys (ctrl, names, fp, (mode & 3), (mode&256));
if (!err && (mode & (1<<7)))
err = list_external_keys (ctrl, names, fp, (mode&256));
return err;
}

File Metadata

Mime Type
text/x-diff
Expires
Thu, Mar 19, 5:30 AM (13 h, 38 m)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
26/f1/0b6e96de89ff0bc18bcbf931246c

Event Timeline