Package: gnupg2 / 2.2.12-1+deb10u1

from-2.2.14/sm-Print-Yubikey-attestation-extensions-with-dump-cert.patch Patch series | download
From: Werner Koch <wk@gnupg.org>
Date: Fri, 1 Mar 2019 15:23:49 +0100
Subject: sm: Print Yubikey attestation extensions with --dump-cert.

* sm/keylist.c (oidtranstbl): Add Yubikey OIDs.
(OID_FLAG_HEX): New.
(print_hex_extn): New.
(list_cert_raw): Make use of that flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 86c241a8c9a952ea8007066b70b04f435e2e483e)
(cherry picked from commit b3c8ce9e4343f1b68b9ba94bdd71b7d8e13b139a)
---
 sm/keylist.c | 40 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 37 insertions(+), 3 deletions(-)

diff --git a/sm/keylist.c b/sm/keylist.c
index 3fe75a1..6efc6bd 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -84,6 +84,8 @@ struct
 #define OID_FLAG_SKIP 1
 /* The extension is a simple UTF8String and should be printed.  */
 #define OID_FLAG_UTF8 2
+/* The extension can be trnted as a hex string.  */
+#define OID_FLAG_HEX  4
 
 /* A table mapping OIDs to a descriptive string. */
 static struct
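Review bot: The comment added above `#define OID_FLAG_HEX  4` has a typo, "trnted", and should read `/* The extension can be printed as a hex string.  */`. It would also help a reader of the table to say what the flag promises about the extension's encoding, since the hex printer dumps the raw DER bytes of the extension value rather than decoding it; something like `/* The extension has no text form; dump its DER value as hex octets.  */` states that without going beyond what the patch does. The flag value 4 keeps the set bitwise-disjoint from OID_FLAG_SKIP and OID_FLAG_UTF8, which the later `flag &` tests rely on.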
@@ -193,6 +195,12 @@ static struct
   /* Extensions used by the Bundesnetzagentur.  */
   { "1.3.6.1.4.1.8301.3.5", "validityModel" },
 
+  /* Yubikey extensions for attestation certificates.  */
+  { "1.3.6.1.4.1.41482.3.3", "yubikey-firmware-version", OID_FLAG_HEX },
+  { "1.3.6.1.4.1.41482.3.7", "yubikey-serial-number", OID_FLAG_HEX },
+  { "1.3.6.1.4.1.41482.3.8", "yubikey-pin-touch-policy", OID_FLAG_HEX },
+  { "1.3.6.1.4.1.41482.3.9", "yubikey-formfactor", OID_FLAG_HEX },
+
   { NULL }
 };
 
@@ -685,6 +693,21 @@ print_utf8_extn (estream_t fp, int indent,
 }
 
 
+/* Print the extension described by (DER,DERLEN) in hex.  */
+static void
+print_hex_extn (estream_t fp, int indent,
+                const unsigned char *der, size_t derlen)
+{
+  if (indent < 0)
+    indent = - indent;
+
+  es_fprintf (fp, "%*s(", indent, "");
+  for (; derlen; der++, derlen--)
+    es_fprintf (fp, "%02X%s", *der, derlen > 1? " ":"");
+  es_fprintf (fp, ")\n");
+}
+
+
 /* List one certificate in raw mode useful to have a closer look at
    the certificate.  This one does no beautification and only minimal
    output sanitation.  It is mainly useful for debugging. */
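Review bot: The header comment on `print_hex_extn` does not describe the output format or the sign handling of INDENT, both of which a caller passing `-15` needs to know; suggest `/* Print the DERLEN octets at DER as upper-case hex, space separated and enclosed in parentheses, on one line indented by abs(INDENT).  A zero DERLEN prints "()".  */`. The negation of a negative INDENT presumably mirrors the convention of print_utf8_extn above, but that function's body is outside this hunk, so the equivalence cannot be confirmed here. Note that the function prints the whole extension value unbounded, so a very large extension yields a correspondingly long line; that is consistent with the raw, debugging-oriented purpose stated for list_cert_raw but worth a word in the comment.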
@@ -1022,16 +1045,27 @@ list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd,
       if ((flag & OID_FLAG_SKIP))
         continue;
 
-      es_fprintf (fp, "     %s: %s%s%s%s  [%d octets]\n",
+      es_fprintf (fp, "     %s: %s%s%s%s",
                   i? "critExtn":"    extn",
-                  oid, s?" (":"", s?s:"", s?")":"", (int)len);
+                  oid, s?" (":"", s?s:"", s?")":"");
       if ((flag & OID_FLAG_UTF8))
         {
           if (!cert_der)
             cert_der = ksba_cert_get_image (cert, NULL);
-          assert (cert_der);
+          log_assert (cert_der);
+          es_fprintf (fp, "\n");
           print_utf8_extn_raw (fp, -15, cert_der+off, len);
         }
+      else if ((flag & OID_FLAG_HEX))
+        {
+          if (!cert_der)
+            cert_der = ksba_cert_get_image (cert, NULL);
+          log_assert (cert_der);
+          es_fprintf (fp, "\n");
+          print_hex_extn (fp, -15, cert_der+off, len);
+        }
+      else
+        es_fprintf (fp, "  [%d octets]\n", (int)len);
     }