authorRamón García <[email protected]>2025-03-18 08:43:26 +0000
committerWerner Koch <[email protected]>2025-03-18 08:43:26 +0000
commit4cf83273e84c19d0326c41ac45f6ee3b4526fc23 (patch)
tree50bc25d1347154e47fea61e4800b49fd89e6a138
parentdoc: Register DCO for Ramon García F. (diff)
gpgsm: select unexpired certificates skipping expired ones
* sm/certchain.c (check_validity_period_cm): Make function global. * sm/certlist.c (gpgsm_add_to_certlist): If an expired certificate is found, continue looking for another one. -- This enables the user to select a certificate by subject while keeping old, expired certificates in the store in case they wish to decrypt or verify an old file. This makes certificate renewal smoother. Due to a broken patch I had to massage the patch and, while doing this, also fixed the indentation and moved a declaration to the beginning of a block. - [email protected]
-rw-r--r--sm/certchain.c2
-rw-r--r--sm/certlist.c59
-rw-r--r--sm/gpgsm.h5
3 files changed, 55 insertions, 11 deletions
diff --git a/sm/certchain.c b/sm/certchain.c
index 16449fb02..01ccac907 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1433,7 +1433,7 @@ check_validity_period (ksba_isotime_t current_time,
model. The extra constraint here is that notBefore and notAfter
must exists and if the additional argument CHECK_TIME is given this
time is used to check the validity period of SUBJECT_CERT. */
-static gpg_error_t
+gpg_error_t
check_validity_period_cm (ksba_isotime_t current_time,
ksba_isotime_t check_time,
ksba_cert_t subject_cert,
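Review bot: The function is exported under its static-era name, while the other certchain.c entry points visible in this commit's gpgsm.h hunk carry the gpgsm_ prefix (gpgsm_validate_chain, gpgsm_basic_cert_check); either rename it, e.g. `gpgsm_check_validity_period_cm`, or keep a static wrapper and export only the prefixed name. The descriptive comment that begins above this hunk should also say that the function is now called from outside the chain validator (certlist.c) and what listmode, listfp and depth mean for such a caller, since a caller that only wants the error code needs to know how to keep the diagnostics quiet. The body of check_validity_period_cm continues past the end of the hunk.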
diff --git a/sm/certlist.c b/sm/certlist.c
index 53d90ac30..3c3993058 100644
--- a/sm/certlist.c
+++ b/sm/certlist.c
@@ -337,6 +337,9 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
KEYDB_SEARCH_DESC desc;
KEYDB_HANDLE kh = NULL;
ksba_cert_t cert = NULL;
+ ksba_isotime_t current_time = {0, };
+ ksba_isotime_t exp_time = {0, };
+ int current_time_loaded = 0;
rc = classify_user_id (name, &desc, 0);
if (!rc)
@@ -365,10 +368,20 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
}
rc = secret? gpgsm_cert_use_sign_p (cert, 0)
: gpgsm_cert_use_encrypt_p (cert);
+ if (!rc)
+ {
+ if (!current_time_loaded)
+ {
+ gnupg_get_isotime (current_time);
+ current_time_loaded = 1;
+ }
+ rc = check_validity_period_cm (current_time, current_time,
+ cert, exp_time, 0, NULL, 0);
+ }
if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
{
/* There might be another certificate with the
- correct usage, so we try again */
+ * correct usage, so we try again */
if (!wrong_usage
|| same_subject_issuer (first_subject, first_issuer,cert))
{
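Review bot: The probe on L56–57 replaces rc with whatever check_validity_period_cm returns, but only GPG_ERR_CERT_EXPIRED is turned into a skip further down; any other failure the validity check can report — presumably a certificate that is not yet valid or one with a malformed validity period — now makes the whole lookup fail, whereas before this commit such a certificate was still selected here and, I assume, rejected later by chain validation. If that is intended, say so in a comment; otherwise keep rc for the usage result and copy only the expiry code across, e.g. `gpg_error_t err = check_validity_period_cm (current_time, current_time, cert, exp_time, 1, NULL, 0); if (gpg_err_code (err) == GPG_ERR_CERT_EXPIRED) rc = err;`. The listmode 1 / NULL listfp in that snippet matters too: if those parameters gate the checker's diagnostics as their names suggest, the current call with listmode 0 reports the expiry as a regular (likely error-level) message for a certificate the caller then deliberately skips. gpgsm_add_to_certlist starts before and ends after this hunk.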
@@ -381,7 +394,13 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
}
else
wrong_usage = rc;
-
+ }
+ else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
+ {
+ ksba_cert_release (cert);
+ cert = NULL;
+ log_info (_("looking for another certificate\n"));
+ goto get_next;
}
}
/* We want the error code from the first match in this case. */
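Review bot: The skip on L73–78 leaves first_subject and first_issuer untouched, so they still describe the first match even when that match is the expired certificate just discarded; the duplicate filtering later in this function compares candidates against those values with same_subject_issuer (as the wrong-usage branch does on L65), not against the certificate eventually selected. If a renewed certificate has a different issuer than the expired one that matched first, an expired duplicate of the renewed certificate's subject/issuer would then, as far as I can tell, not be recognised as a duplicate — worth checking, and the skip deserves a comment either way, e.g. `/* Expired: keep searching; a later unexpired match is preferred. */`. The message on L77 is also printed right after whatever the validity check itself logged, so make sure the two together do not read as an error for a certificate that was skipped on purpose. gpgsm_add_to_certlist begins before and ends after this hunk.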
@@ -416,14 +435,34 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
keybox). */
if (!keydb_get_cert (kh, &cert2))
{
- int tmp = (same_subject_issuer (first_subject,
- first_issuer,
- cert2)
- && ((gpg_err_code (
- secret? gpgsm_cert_use_sign_p (cert2,0)
- : gpgsm_cert_use_encrypt_p (cert2)
- )
- ) == GPG_ERR_WRONG_KEY_USAGE));
+ int tmp;
+
+ if (!current_time_loaded)
+ {
+ gnupg_get_isotime (current_time);
+ current_time_loaded = 1;
+ }
+
+ tmp =
+ (same_subject_issuer (first_subject,
+ first_issuer,
+ cert2)
+ && ((gpg_err_code (
+ secret? gpgsm_cert_use_sign_p (cert2, 0)
+ : gpgsm_cert_use_encrypt_p (cert2)
+ )
+ ) == GPG_ERR_WRONG_KEY_USAGE
+ || (gpg_err_code (
+ check_validity_period_cm (current_time,
+ current_time,
+ cert,
+ exp_time,
+ 0, NULL, 0)
+ ) == GPG_ERR_CERT_EXPIRED
+ )
+ )
+ );
+
if (tmp)
gpgsm_add_cert_to_certlist (ctrl, cert2,
&dup_certs, 0);
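Review bot: The expiry probe on L112–116 is passed `cert`, the certificate already chosen by the search loop above, rather than `cert2`, the duplicate being examined on L105 and L107–108. Because that loop only proceeds with a certificate for which the same check returned success, this probe can never yield GPG_ERR_CERT_EXPIRED, so an expired certificate with the same subject and issuer that comes after the chosen one is not recorded as a harmless duplicate and falls through to the ambiguity handling below the hunk — exactly the ordering the commit message wants to support. The fix is the single argument `cert2,` on L114. While here, the nested condition would read more easily as two named flags, e.g. `int usage_mismatch = ...; int expired = ...; tmp = same_subject_issuer (...) && (usage_mismatch || expired);`. gpgsm_add_to_certlist continues beyond this hunk.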
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 4a4bd5ac4..c837cbee3 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -441,6 +441,11 @@ int gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert,
ksba_isotime_t r_exptime,
int listmode, estream_t listfp,
unsigned int flags, unsigned int *retflags);
+gpg_error_t check_validity_period_cm (ksba_isotime_t current_time,
+ ksba_isotime_t check_time,
+ ksba_cert_t subject_cert,
+ ksba_isotime_t exptime,
+ int listmode, estream_t listfp, int depth);
int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);
/*-- certlist.c --*/