diff options
| author | Ramón García <[email protected]> | 2025-03-18 09:04:37 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2025-03-18 09:04:37 +0000 |
| commit | 53f5aad90517600a882844f7be552d85e1ad89ea (patch) | |
| tree | 7e6bad27b775bfd4c4f9c32001f648427760a8f4 | |
| parent | gpgsm: When selecting certs also skip certificates too young. (diff) | |
| download | gnupg-53f5aad90517600a882844f7be552d85e1ad89ea.tar.gz gnupg-53f5aad90517600a882844f7be552d85e1ad89ea.zip | |
gpgsm: Avoid increasing error count when enumerating an expired cert.
* sm/certchain.c (check_validity_period_cm): Add arg no_log_expired to
avoid bumping of the error counter due to the do_list function.
* sm/certlist.c (gpgsm_add_to_certlist): Set no_log_expired when
checking the expiration.
--
I modified the original patch to make the patch smaller and the code
easier to read. - [email protected]
| -rw-r--r-- | sm/certchain.c | 65 | ||||
| -rw-r--r-- | sm/certlist.c | 4 | ||||
| -rw-r--r-- | sm/gpgsm.h | 3 |
3 files changed, 42 insertions, 30 deletions
diff --git a/sm/certchain.c b/sm/certchain.c index 01ccac907..0061e8476 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -1430,15 +1430,18 @@ check_validity_period (ksba_isotime_t current_time, } /* This is a variant of check_validity_period used with the chain - model. The extra constraint here is that notBefore and notAfter - must exists and if the additional argument CHECK_TIME is given this - time is used to check the validity period of SUBJECT_CERT. */ + * model. The extra constraint here is that notBefore and notAfter + * must exists and if the additional argument CHECK_TIME is given this + * time is used to check the validity period of SUBJECT_CERT. With + * NO_LOG_EXPIRED the function does not log diagnostics about cert + * expiration et al. */ gpg_error_t check_validity_period_cm (ksba_isotime_t current_time, ksba_isotime_t check_time, ksba_cert_t subject_cert, ksba_isotime_t exptime, - int listmode, estream_t listfp, int depth) + int listmode, estream_t listfp, int depth, + int no_log_expired) { gpg_error_t err; ksba_isotime_t not_before, not_after; @@ -1454,22 +1457,26 @@ check_validity_period_cm (ksba_isotime_t current_time, } if (!*not_before || !*not_after) { - do_list (1, listmode, listfp, - _("required certificate attributes missing: %s%s%s"), - !*not_before? "notBefore":"", - (!*not_before && !*not_after)? ", ":"", - !*not_before? "notAfter":""); + if (!no_log_expired) + do_list (1, listmode, listfp, + _("required certificate attributes missing: %s%s%s"), + !*not_before? "notBefore":"", + (!*not_before && !*not_after)? ", ":"", + !*not_before? "notAfter":""); return gpg_error (GPG_ERR_BAD_CERT); } if (strcmp (not_before, not_after) > 0 ) { - do_list (1, listmode, listfp, - _("certificate with invalid validity")); - log_info (" (valid from "); - dump_isotime (not_before); - log_printf (" expired at "); - dump_isotime (not_after); - log_printf (")\n"); + if (!no_log_expired) + { + do_list (1, listmode, listfp, + _("certificate with invalid validity")); + log_info (" (valid from "); + dump_isotime (not_before); + log_printf (" expired at "); + dump_isotime (not_after); + log_printf (")\n"); + } return gpg_error (GPG_ERR_BAD_CERT); } @@ -1480,15 +1487,18 @@ check_validity_period_cm (ksba_isotime_t current_time, if (strcmp (current_time, not_before) < 0 ) { - do_list (1, listmode, listfp, - depth == 0 ? _("certificate not yet valid") : - depth == -1 ? _("root certificate not yet valid") : - /* other */ _("intermediate certificate not yet valid")); - if (!listmode) + if (!no_log_expired) { - log_info (" (valid from "); - dump_isotime (not_before); - log_printf (")\n"); + do_list (1, listmode, listfp, + depth == 0 ? _("certificate not yet valid") : + depth == -1 ? _("root certificate not yet valid") : + /* other */ _("intermediate certificate not yet valid")); + if (!listmode) + { + log_info (" (valid from "); + dump_isotime (not_before); + log_printf (")\n"); + } } return gpg_error (GPG_ERR_CERT_TOO_YOUNG); } @@ -1499,14 +1509,15 @@ check_validity_period_cm (ksba_isotime_t current_time, { /* Note that we don't need a case for the root certificate because its own consistency has already been checked. */ - do_list(opt.ignore_expiration?0:1, listmode, listfp, + if (!no_log_expired) + do_list (opt.ignore_expiration?0:1, listmode, listfp, depth == 0 ? _("signature not created during lifetime of certificate") : depth == 1 ? _("certificate not created during lifetime of issuer") : _("intermediate certificate not created during lifetime " "of issuer")); - if (!listmode) + if (!listmode && !no_log_expired) { log_info (depth== 0? _(" ( signature created at ") : /* */ _(" (certificate created at ") ); @@ -1737,7 +1748,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) ) rc = check_validity_period_cm (current_time, check_time, subject_cert, exptime, listmode, listfp, - (depth && is_root)? -1: depth); + (depth && is_root)? -1: depth, 0); else rc = check_validity_period (current_time, subject_cert, exptime, listmode, listfp, diff --git a/sm/certlist.c b/sm/certlist.c index 549aaa726..21c163290 100644 --- a/sm/certlist.c +++ b/sm/certlist.c @@ -376,7 +376,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, current_time_loaded = 1; } rc = check_validity_period_cm (current_time, current_time, - cert, exp_time, 0, NULL, 0); + cert, exp_time, 0, NULL, 0, 0); } if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE) { @@ -458,7 +458,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, current_time, cert, exp_time, - 0, NULL, 0) + 0, NULL, 0, 1) ) == GPG_ERR_CERT_EXPIRED ) ) diff --git a/sm/gpgsm.h b/sm/gpgsm.h index c837cbee3..d23223ea9 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -445,7 +445,8 @@ gpg_error_t check_validity_period_cm (ksba_isotime_t current_time, ksba_isotime_t check_time, ksba_cert_t subject_cert, ksba_isotime_t exptime, - int listmode, estream_t listfp, int depth); + int listmode, estream_t listfp, int depth, + int no_log_expired); int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert); /*-- certlist.c --*/ |