From 0662b9444b5be61f6019ec301314f245c8f8fa3f Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 26 Aug 2022 09:24:00 +0900
Subject: [PATCH] dirmngr: Reject certificate which is not valid into cache.

* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.

--

With this change, invalid certificates from system won't be registered
into cache.  Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ.  With less invalid certificates in cache,
it helps the validate_cert_chain function work better.

GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 dirmngr/certcache.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 7f29ec859..30d4d89fa 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -271,6 +271,20 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
   cert_item_t ci;
   fingerprint_list_t ignored;
 
+  if (permanent)
+    {                           /* Do a little validation.  */
+      ksba_isotime_t not_after;
+      ksba_isotime_t current_time;
+
+      if (ksba_cert_get_validity (cert, 1, not_after))
+        return gpg_error (GPG_ERR_BAD_CERT);
+
+      gnupg_get_isotime (current_time);
+
+      if (*not_after && strcmp (current_time, not_after) > 0)
+        return gpg_error (GPG_ERR_CERT_EXPIRED);
+    }
+
   fpr = fpr_buffer? fpr_buffer : &help_fpr_buffer;
 
   /* If we already reached the caching limit, drop a couple of certs