authorWerner Koch <[email protected]>2024-09-27 13:50:46 +0000
committerWerner Koch <[email protected]>2024-09-27 13:50:51 +0000
commitcb6c506e4e41e174411669c880eedc8a8790430c (patch)
tree40dd48834996ad3a837c848cdb3380bc9675aa3b
parentagent: Replace hack for old Libgcrypt versions for auto-expand-secmem. (diff)
sm: Optmize clearing of the ephemeral flag.
* kbx/keybox-search.c (keybox_get_cert): Store the blob flags in the cert object. * sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral flag if we know that it is not set. -- GnuPG-bug-id: 7308
-rw-r--r--kbx/keybox-search.c12
-rw-r--r--sm/certchain.c13
2 files changed, 25 insertions, 0 deletions
diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c
index 303c19b79..ed982cee7 100644
--- a/kbx/keybox-search.c
+++ b/kbx/keybox-search.c
@@ -1363,6 +1363,7 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
size_t cert_off, cert_len;
ksba_reader_t reader = NULL;
ksba_cert_t cert = NULL;
+ unsigned int blobflags;
int rc;
if (!hd)
@@ -1408,6 +1409,17 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
return gpg_error (GPG_ERR_GENERAL);
}
+ rc = get_flag_from_image (buffer, length, KEYBOX_FLAG_BLOB, &blobflags);
+ if (!rc)
+ rc = ksba_cert_set_user_data (cert, "keydb.blobflags",
+ &blobflags, sizeof blobflags);
+ if (rc)
+ {
+ ksba_cert_release (cert);
+ ksba_reader_release (reader);
+ return gpg_error (rc);
+ }
+
*r_cert = cert;
ksba_reader_release (reader);
return 0;
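Review bot: `return gpg_error (rc);` at the end of the new error block wraps whatever rc holds, but rc is fed by two calls that appear to yield different kinds of values: get_flag_from_image seems to return a bare error code (the GPG_ERR_GENERAL branch just above also goes through gpg_error), whereas ksba_cert_set_user_data returns a full gpg_error_t whose libksba source is then overwritten by the default source; splitting the two, e.g. `err = ksba_cert_set_user_data (cert, "keydb.blobflags", &blobflags, sizeof blobflags); if (err) { ... return err; }`, keeps the original error source. The key string "keydb.blobflags" is repeated verbatim in sm/certchain.c, where a mismatch would silently disable the optimization rather than fail, so a shared define for the key would make that coupling explicit. A short comment above the new block, such as `/* Cache the blob flags in the cert object so that callers can test the ephemeral flag without another keybox lookup; the value is a snapshot taken at read time. */`, would record why the user data is stored. keybox_get_cert's body starts outside the hunk.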
diff --git a/sm/certchain.c b/sm/certchain.c
index 539280ed1..f115eb96c 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -2085,9 +2085,22 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
{
gpg_error_t err;
chain_item_t ci;
+ unsigned int blobflags;
+ size_t userdatalen;
for (ci = chain; ci; ci = ci->next)
{
+ /* First do a quick check by looking at the blob flags to
+ * see whether the certificate is flagged ephemeral. This
+ * avoids the overhead of looking up the certificate again
+ * just to decide that there is no need to clear it. */
+ if (!ksba_cert_get_user_data (cert, "keydb.blobflags",
+ &blobflags, sizeof (blobflags),
+ &userdatalen)
+ && userdatalen == sizeof blobflags
+ && !(blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
+ continue;
+
/* Note that it is possible for the last certificate in the
chain (i.e. our target certificate) that it has not yet
been stored in the keybox and thus the flag can't be set.