1
0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-23 15:07:03 +01:00

dirmngr: Reject certificate which is not valid into cache.

* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.

--

With this change, invalid certificates from system won't be registered
into cache.  Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ.  With less invalid certificates in cache,
it helps the validate_cert_chain function work better.

GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
This commit is contained in:
NIIBE Yutaka 2022-08-26 09:24:00 +09:00 committed by Werner Koch
parent aa0c942521
commit 14ccabe7f8
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B

View File

@ -271,6 +271,20 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
cert_item_t ci;
fingerprint_list_t ignored;
if (permanent)
{ /* Do a little validation. */
ksba_isotime_t not_after;
ksba_isotime_t current_time;
if (ksba_cert_get_validity (cert, 1, not_after))
return gpg_error (GPG_ERR_BAD_CERT);
gnupg_get_isotime (current_time);
if (*not_after && strcmp (current_time, not_after) > 0)
return gpg_error (GPG_ERR_CERT_EXPIRED);
}
fpr = fpr_buffer? fpr_buffer : &help_fpr_buffer;
/* If we already reached the caching limit, drop a couple of certs