author | Ramón García <[email protected]> | 2025-03-18 11:14:50 +0000 |
committer | Werner Koch <[email protected]> | 2025-03-18 11:14:50 +0000 |
commit | ad8bce774d91bbd1dbbf43f8b6f018a5e981e176 (patch) | |
tree | c39a430f7e4a6ef8312ce3350521935b221e9b69 | |
parent | gpgsm: Avoid increasing error count when enumerating an expired cert. (diff) | |
gpgsm: Fix error message if all selected certificates are expired.
* sm/certlist.c (gpgsm_add_to_certlist): Track expired error. Make
the expired check easier to read by using if and case.
--
Original ChangeLog:
If all selected certificates are expired, don't mislead the user
saying that no certificate was found. Instead, return the error
of the first certificate selected.
* sm/certlist.c: if one expired certificate was found, don't return
no certificate found, return instead the expiration error
I heavily changed Ramon's original patch and hope that I did not
introduce a regression into his patch. - [email protected]
-rw-r--r-- | sm/certlist.c | 45 |
1 files changed, 28 insertions, 17 deletions
diff --git a/sm/certlist.c b/sm/certlist.c
index 21c163290..5057637ad 100644
--- a/sm/certlist.c
+++ b/sm/certlist.c
@@ -350,6 +350,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
 else
 {
 int wrong_usage = 0;
+ int expired_rc = 0;
 char *first_subject = NULL;
 char *first_issuer = NULL;

@@ -398,6 +399,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
 else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED
 || gpg_err_code (rc) == GPG_ERR_CERT_TOO_YOUNG)
 {
+ if (!expired_rc)
+ expired_rc = rc;
 ksba_cert_release (cert);
 cert = NULL;
 log_info (_("looking for another certificate\n"));
@@ -407,6 +410,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
 /* We want the error code from the first match in this case. */
 if (rc && wrong_usage)
 rc = wrong_usage;
+ else if (rc && expired_rc)
+ rc = expired_rc;

 if (!rc)
 {
@@ -436,7 +441,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
 keybox). */
 if (!keydb_get_cert (kh, &cert2))
 {
- int tmp;
+ gpg_err_code_t tmp;

 if (!current_time_loaded)
 {
@@ -444,25 +449,31 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
 current_time_loaded = 1;
 }
- tmp =
- (same_subject_issuer (first_subject,
- first_issuer,
- cert2)
- && ((gpg_err_code (
- secret? gpgsm_cert_use_sign_p (cert2, 0)
- : gpgsm_cert_use_encrypt_p (cert2)
- )
- ) == GPG_ERR_WRONG_KEY_USAGE
- || (gpg_err_code (
+ if (same_subject_issuer (first_subject,
+ first_issuer,
+ cert2))
+ {
+ tmp = gpg_err_code (
+ secret? gpgsm_cert_use_sign_p (cert2, 0)
+ : gpgsm_cert_use_encrypt_p (cert2)
+ ) == GPG_ERR_WRONG_KEY_USAGE;
+ if (!tmp)
+ {
+ switch (gpg_err_code (
 check_validity_period_cm (current_time, current_time, cert, exp_time,
- 0, NULL, 0, 1)
- ) == GPG_ERR_CERT_EXPIRED
- )
- )
- );
+ 0, NULL, 0, 1)))
+ {
+ case GPG_ERR_CERT_EXPIRED:
+ case GPG_ERR_CERT_TOO_YOUNG: tmp = 1; break;
+ default: tmp = 0; break;
+ }
+ }
+ }
+ else
+ tmp = 0;
 if (tmp)
 gpgsm_add_cert_to_certlist (ctrl, cert2,
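Review bot: The new `else if (rc && expired_rc) rc = expired_rc;` in the third hunk makes the precedence fixed rather than first-match: a wrong-usage error always wins over an expiry error, even when the expired certificate was enumerated before the wrong-usage one, which is not quite what the commit message's "return the error of the first certificate selected" says. If that precedence is intended, the comment above the `if` ("We want the error code from the first match") no longer describes it; suggest `/* Prefer a wrong-usage error over an expiry error, whichever was seen first; otherwise report the first expired certificate.  */`. If true first-match is intended, the two trackers would have to collapse into one that records whichever skipped-certificate error came first. gpgsm_add_to_certlist's body starts and ends outside this hunk.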
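Review bot: `tmp` is retyped to `gpg_err_code_t` in the fourth hunk but is still used as a plain flag: the fifth hunk assigns it `0`, `1` and the comparison result `... == GPG_ERR_WRONG_KEY_USAGE`, while the final hunk assigns `GPG_ERR_TRUE`. All of these feed only `if (tmp)`, so behaviour is unaffected, but the mixture reads as if tmp carried an error code. The simpler fix is to keep `int tmp;` here and `tmp = 1;` in the last hunk; using `GPG_ERR_TRUE`/`GPG_ERR_FALSE` throughout would also require changing the `if (tmp)` tests, since `GPG_ERR_FALSE` is itself non-zero.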
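Review bot: The new `switch` in the fifth hunk still passes `cert`, the certificate already chosen by the selection loop, to `check_validity_period_cm (current_time, current_time, cert, exp_time, 0, NULL, 0, 1)`, not `cert2`, the same-subject candidate this branch is classifying. The argument is carried over unchanged from the old expression, but since `cert` only reaches this point after surviving the expiry check in the loop above, the `GPG_ERR_CERT_EXPIRED`/`GPG_ERR_CERT_TOO_YOUNG` cases look like they can never fire for the candidate; if the intent is to treat an expired duplicate like a wrong-usage one, `cert2` appears to be the right argument — please confirm against check_validity_period_cm's parameter list. The `default: tmp = 0; break;` arm covers both a valid certificate and every other error code, which is fine for a flag but deserves a comment such as `/* Valid, or an error other than expiry: not a harmless duplicate.  */`. The enclosing block continues past the end of this hunk.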
@@ -470,7 +481,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
 else
 {
 if (is_cert_in_certlist (cert2, dup_certs))
- tmp = 1;
+ tmp = GPG_ERR_TRUE;
 }
 ksba_cert_release (cert2);