authorWerner Koch <[email protected]>2004-09-20 18:47:11 +0000
committerWerner Koch <[email protected]>2004-09-20 18:47:11 +0000
commitf10040147834bbc5cc75f02b7215f2b45642ecaf (patch)
tree1619aa4876f59af71818b640b9ce61a0ca84ce46 /sm
parentSome more new files (diff)
(show_key_with_all_names): Print the card S/N.
* app-openpgp.c (app_select_openpgp): Its app_munge_serialno and not app_number_serialno.
Diffstat (limited to 'sm')
-rw-r--r--sm/ChangeLog6
-rw-r--r--sm/certchain.c15
2 files changed, 18 insertions, 3 deletions
diff --git a/sm/ChangeLog b/sm/ChangeLog
index a8139e2e0..d68759151 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,9 @@
+2004-09-14 Werner Koch <[email protected]>
+
+ * certchain.c (gpgsm_validate_chain): Give expired certificates a
+ higher error precedence and don't bother to check any CRL in that
+ case.
+
2004-08-24 Werner Koch <[email protected]>
* certlist.c: Fixed typo in ocsp OID.
diff --git a/sm/certchain.c b/sm/certchain.c
index 2ce247f65..ad30a36e1 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -672,7 +672,12 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED)
{
do_list (0, lm, fp, _("root certificate is not marked trusted"));
- if (!lm)
+ /* If we already figured out that the certificate is
+ expired it does not make much sense to ask the user
+ whether we wants to trust the root certificate. He
+ should do this only if the certificate under question
+ will then be usable. */
+ if (!lm && !any_expired)
{
int rc2;
char *fpr = gpgsm_get_fingerprint_string (subject_cert,
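Review bot: The comment added in the GPG_ERR_NOT_TRUSTED branch reads "whether we wants to trust the root certificate"; it should read `whether he wants to trust the root certificate`, matching the "He should do this" that follows. The new `!any_expired` guard is only as good as the point where `any_expired` is set, and that assignment is outside the hunk. If the root certificate's own validity period is checked after this branch, the user could still be prompted for a root that then turns out to be expired. A short addition to the comment naming where `any_expired` is established would make that ordering dependency visible. The `if (!lm && !any_expired)` block continues past the end of the hunk.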
@@ -707,6 +712,8 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
/* Check for revocations etc. */
if ((flags & 1))
rc = 0;
+ else if (any_expired)
+ ; /* Don't bother to run the expensive CRL check then. */
else
rc = is_cert_still_valid (ctrl, lm, fp,
subject_cert, subject_cert,
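Review bot: Skipping `is_cert_still_valid` once `any_expired` is set means a certificate that is both expired and revoked is never recognised as revoked, both here and in the identical branch of the next hunk (the `subject_cert, issuer_cert` call). The precedence block in the last hunk still ranks `any_revoked` above `any_expired`, but that ordering can now only apply to certificates whose CRL check ran before the first expiry was noticed. A caller that treats GPG_ERR_CERT_REVOKED as the stronger signal may therefore receive GPG_ERR_CERT_EXPIRED instead. I would either keep the revocation check for expired certificates or state the limitation in the comment, e.g. `/* Expired: skip the expensive CRL check; a revocation of this certificate will therefore not be reported. */`. The empty statement also leaves `rc` at whatever value it held before the chain, unlike the `(flags & 1)` branch which sets `rc = 0`; the code that consumes `rc` is outside the hunk, so please confirm that a stale `rc` is intended there.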
@@ -835,6 +842,8 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
/* Check for revocations etc. */
if ((flags & 1))
rc = 0;
+ else if (any_expired)
+ ; /* Don't bother to run the expensive CRL check then. */
else
rc = is_cert_still_valid (ctrl, lm, fp,
subject_cert, issuer_cert,
@@ -866,14 +875,14 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
the error code to the most critical one */
if (any_revoked)
rc = gpg_error (GPG_ERR_CERT_REVOKED);
+ else if (any_expired)
+ rc = gpg_error (GPG_ERR_CERT_EXPIRED);
else if (any_no_crl)
rc = gpg_error (GPG_ERR_NO_CRL_KNOWN);
else if (any_crl_too_old)
rc = gpg_error (GPG_ERR_CRL_TOO_OLD);
else if (any_no_policy_match)
rc = gpg_error (GPG_ERR_NO_POLICY_MATCH);
- else if (any_expired)
- rc = gpg_error (GPG_ERR_CERT_EXPIRED);
}
leave: