sm: Fix issuer certificate look error due to legacy error code.

* sm/certchain.c (find_up): Get rid of the legacy return code -1 and chnage var name rc to err. (gpgsm_walk_cert_chain): Change var name rc to err. (do_validate_chain): Get rid of the legacy return code -1. * sm/keydb.c (keydb_search): Replace return code -1 by GPG_ERR_NOT_FOUND. (keydb_set_cert_flags): Replace return code -1 by GPG_ERR_NOT_FOUND. * sm/certchain.c (find_up_search_by_keyid): Ditto. (find_up_external, find_up, find_up_dirmngr): Ditto. (gpgsm_walk_cert_chain): Ditto. (get_regtp_ca_info): Ditto. * sm/certlist.c (gpgsm_add_to_certlist): Ditto. (gpgsm_find_cert): Ditto. * sm/delete.c (delete_one): Ditto. * sm/export.c (gpgsm_export): Ditto. (gpgsm_p12_export): Ditto. * sm/import.c (gpgsm_import_files): Ditto. * sm/keylist.c (list_cert_colon): Ditto. (list_internal_keys): Ditto. * sm/sign.c (add_certificate_list): Ditto. -- This bug was detected while fixing GnuPG-bug-id: 4757 Backported-from-master: 473b83d1b9efe51fcca68708580597dddf3f50b7 Some extra code has been taken from commit ed6ebb696e4063dc664d7ee74fc492025881c459
2025-05-24 16:43:28 +02:00 · 2021-02-25 09:00:38 +01:00 · 2021-02-25 09:00:38 +01:00 · 332098a0f7
commit 332098a0f7
parent d6aa8bcbbb
8 changed files with 115 additions and 101 deletions
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -461,7 +461,7 @@ find_up_search_by_keyid (ctrl_t ctrl, KEYDB_HANDLE kh,
      if (rc)
        {
          log_error ("keydb_get_cert() failed: rc=%d\n", rc);
-          rc = -1;
+          rc = gpg_error (GPG_ERR_NOT_FOUND);
          goto leave;
        }
      xfree (subj);
@ -476,7 +476,7 @@ find_up_search_by_keyid (ctrl_t ctrl, KEYDB_HANDLE kh,
              if (rc)
                {
                  log_error ("keydb_get_validity() failed: rc=%d\n", rc);
-                  rc = -1;
+                  rc = gpg_error (GPG_ERR_NOT_FOUND);
                  goto leave;
                }
@ -545,7 +545,7 @@ find_up_search_by_keyid (ctrl_t ctrl, KEYDB_HANDLE kh,
  if (rc)
    {
      log_error ("keydb_get_validity() failed: rc=%d\n", rc);
-      rc = -1;
+      rc = gpg_error (GPG_ERR_NOT_FOUND);
      goto leave;
    }
  if (*not_after && strcmp (ctrl->current_time, not_after) > 0 )
@ -559,7 +559,7 @@ find_up_search_by_keyid (ctrl_t ctrl, KEYDB_HANDLE kh,
      if (rc)
        {
          log_error ("keydb_search_fpr() failed: rc=%d\n", rc);
-          rc = -1;
+          rc = gpg_error (GPG_ERR_NOT_FOUND);
          goto leave;
        }
      /* Ready.  The NE_FOUND_CERT is availabale via keydb_get_cert.  */
@ -570,7 +570,7 @@ find_up_search_by_keyid (ctrl_t ctrl, KEYDB_HANDLE kh,
  ksba_cert_release (ne_found_cert);
  ksba_cert_release (cert);
  xfree (subj);
-  return rc? -1:0;
+  return rc? gpg_error (GPG_ERR_NOT_FOUND) : 0;
 }
@ -647,10 +647,10 @@ find_up_external (ctrl_t ctrl, KEYDB_HANDLE kh,
  if (rc)
    {
      log_error ("external key lookup failed: %s\n", gpg_strerror (rc));
-      rc = -1;
+      rc = gpg_error (GPG_ERR_NOT_FOUND);
    }
  else if (!find_up_store_certs_parm.count)
-    rc = -1;
+    rc = gpg_err_code (rc) == GPG_ERR_NOT_FOUND;
  else
    {
      int old;
@ -819,7 +819,8 @@ find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh,
  if (rc && !opt.quiet)
    log_info (_("dirmngr cache-only key lookup failed: %s\n"),
              gpg_strerror (rc));
-  return (!rc && find_up_store_certs_parm.count)? 0 : -1;
+  return ((!rc && find_up_store_certs_parm.count)
          ? 0 : gpg_error (GPG_ERR_NOT_FOUND));
 }
@ -829,15 +830,15 @@ find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh,
   FIND_NEXT is true, the function shall return the next possible
   issuer.  The certificate itself is not directly returned but a
   keydb_get_cert on the keydb context KH will return it.  Returns 0
-   on success, -1 if not found or an error code.  */
+   on success, GPG_ERR_NOT_FOUND if not found or another error code.  */
-static int
+static gpg_error_t
 find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
         ksba_cert_t cert, const char *issuer, int find_next)
 {
  ksba_name_t authid;
  ksba_sexp_t authidno;
  ksba_sexp_t keyid;
-  int rc = -1;
+  gpg_error_t err = gpg_error (GPG_ERR_NOT_FOUND);
  if (DBG_X509)
    log_debug ("looking for parent certificate\n");
@ -846,90 +847,91 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
      const char *s = ksba_name_enum (authid, 0);
      if (s && *authidno)
        {
-          rc = keydb_search_issuer_sn (ctrl, kh, s, authidno);
+          err = keydb_search_issuer_sn (ctrl, kh, s, authidno);
-          if (rc)
+          if (err)
            keydb_search_reset (kh);
-          if (!rc && DBG_X509)
+          if (!err && DBG_X509)
            log_debug ("  found via authid and sn+issuer\n");
          /* In case of an error, try to get the certificate from the
-             dirmngr.  That is done by trying to put that certifcate
+             dirmngr.  That is done by trying to put that certificate
             into the ephemeral DB and let the code below do the
             actual retrieve.  Thus there is no error checking.
             Skipped in find_next mode as usual. */
-          if (rc == -1 && !find_next)
+          if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next)
            find_up_dirmngr (ctrl, kh, authidno, s, 0);
          /* In case of an error try the ephemeral DB.  We can't do
             that in find_next mode because we can't keep the search
             state then. */
-          if (rc == -1 && !find_next)
+          if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next)
            {
              int old = keydb_set_ephemeral (kh, 1);
              if (!old)
                {
-                  rc = keydb_search_issuer_sn (ctrl, kh, s, authidno);
+                  err = keydb_search_issuer_sn (ctrl, kh, s, authidno);
-                  if (rc)
+                  if (err)
                    keydb_search_reset (kh);
-                  if (!rc && DBG_X509)
+                  if (!err && DBG_X509)
                    log_debug ("  found via authid and sn+issuer (ephem)\n");
                }
              keydb_set_ephemeral (kh, old);
            }
-          if (rc)
+          if (err) /* Need to make sure to have this error code. */
-            rc = -1; /* Need to make sure to have this error code. */
+            err = gpg_error (GPG_ERR_NOT_FOUND);
        }
-      if (rc == -1 && keyid && !find_next)
+      if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && keyid && !find_next)
        {
          /* Not found by AKI.issuer_sn.  Lets try the AKI.ki
             instead. Loop over all certificates with that issuer as
             subject and stop for the one with a matching
             subjectKeyIdentifier. */
          /* Fixme: Should we also search in the dirmngr?  */
-          rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
+          err = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
-          if (!rc && DBG_X509)
+          if (!err && DBG_X509)
            log_debug ("  found via authid and keyid\n");
-          if (rc)
+          if (err)
            {
              int old = keydb_set_ephemeral (kh, 1);
              if (!old)
-                rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
+                err = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
-              if (!rc && DBG_X509)
+              if (!err && DBG_X509)
                log_debug ("  found via authid and keyid (ephem)\n");
              keydb_set_ephemeral (kh, old);
            }
-          if (rc)
+          if (err) /* Need to make sure to have this error code. */
-            rc = -1; /* Need to make sure to have this error code. */
+            err = gpg_error (GPG_ERR_NOT_FOUND);
        }
      /* If we still didn't found it, try to find it via the subject
         from the dirmngr-cache.  */
-      if (rc == -1 && !find_next)
+      if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next)
        {
          if (!find_up_dirmngr (ctrl, kh, NULL, issuer, 1))
            {
              int old = keydb_set_ephemeral (kh, 1);
              if (keyid)
-                rc = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
+                err = find_up_search_by_keyid (ctrl, kh, issuer, keyid);
              else
                {
                  keydb_search_reset (kh);
-                  rc = keydb_search_subject (ctrl, kh, issuer);
+                  err = keydb_search_subject (ctrl, kh, issuer);
                }
              keydb_set_ephemeral (kh, old);
            }
-          if (rc)
+          if (err) /* Need to make sure to have this error code. */
-            rc = -1; /* Need to make sure to have this error code. */
+            err = gpg_error (GPG_ERR_NOT_FOUND);
-          if (!rc && DBG_X509)
+          if (!err && DBG_X509)
            log_debug ("  found via authid and issuer from dirmngr cache\n");
        }
      /* If we still didn't found it, try an external lookup.  */
-      if (rc == -1 && !find_next && !ctrl->offline)
+      if (gpg_err_code (err) == GPG_ERR_NOT_FOUND
          && !find_next && !ctrl->offline)
        {
          /* We allow AIA also if CRLs are enabled; both can be used
           * as a web bug so it does not make sense to not use AIA if
@ -939,12 +941,12 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
            {
              if (DBG_X509)
                log_debug ("  found via authorityInfoAccess.caIssuers\n");
-              rc = 0;
+              err = 0;
            }
          else if (opt.auto_issuer_key_retrieve)
            {
-              rc = find_up_external (ctrl, kh, issuer, keyid);
+              err = find_up_external (ctrl, kh, issuer, keyid);
-              if (!rc && DBG_X509)
+              if (!err && DBG_X509)
                log_debug ("  found via authid and external lookup\n");
            }
        }
@ -953,9 +955,9 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
      /* Print a note so that the user does not feel too helpless when
         an issuer certificate was found and gpgsm prints BAD
         signature because it is not the correct one. */
-      if (rc == -1 && opt.quiet)
+      if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && opt.quiet)
        ;
-      else if (rc == -1)
+      else if (gpg_err_code (err) == GPG_ERR_NOT_FOUND)
        {
          log_info ("%sissuer certificate ", find_next?"next ":"");
          if (keyid)
@ -974,16 +976,16 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
            }
          log_printf ("not found using authorityKeyIdentifier\n");
        }
-      else if (rc)
+      else if (err)
-        log_error ("failed to find authorityKeyIdentifier: rc=%d\n", rc);
+        log_error ("failed to find authorityKeyIdentifier: err=%d\n", err);
      xfree (keyid);
      ksba_name_release (authid);
      xfree (authidno);
    }
-  if (rc) /* Not found via authorithyKeyIdentifier, try regular issuer name. */
+  if (err) /* Not found via authorithyKeyIdentifier, try regular issuer name. */
-    rc = keydb_search_subject (ctrl, kh, issuer);
+    err = keydb_search_subject (ctrl, kh, issuer);
-  if (rc == -1 && !find_next)
+  if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next)
    {
      int old;
@ -996,33 +998,33 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
      if (!old)
        {
          keydb_search_reset (kh);
-          rc = keydb_search_subject (ctrl, kh, issuer);
+          err = keydb_search_subject (ctrl, kh, issuer);
        }
      keydb_set_ephemeral (kh, old);
-      if (!rc && DBG_X509)
+      if (!err && DBG_X509)
        log_debug ("  found via issuer\n");
    }
  /* Still not found.  If enabled, try an external lookup.  */
-  if (rc == -1 && !find_next && !ctrl->offline)
+  if (gpg_err_code (err) == GPG_ERR_NOT_FOUND && !find_next && !ctrl->offline)
    {
      if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
          && !find_up_via_auth_info_access (ctrl, kh, cert))
        {
          if (DBG_X509)
            log_debug ("  found via authorityInfoAccess.caIssuers\n");
-          rc = 0;
+          err = 0;
        }
      else if (opt.auto_issuer_key_retrieve)
        {
-          rc = find_up_external (ctrl, kh, issuer, NULL);
+          err = find_up_external (ctrl, kh, issuer, NULL);
-          if (!rc && DBG_X509)
+          if (!err && DBG_X509)
            log_debug ("  found via issuer and external lookup\n");
        }
    }
-  return rc;
+  return err;
 }
@ -1031,7 +1033,7 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
 int
 gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
 {
-  int rc = 0;
+  gpg_error_t err = 0;
  char *issuer = NULL;
  char *subject = NULL;
  KEYDB_HANDLE kh = keydb_new ();
@ -1040,7 +1042,7 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
  if (!kh)
    {
      log_error (_("failed to allocate keyDB handle\n"));
-      rc = gpg_error (GPG_ERR_GENERAL);
+      err = gpg_error (GPG_ERR_GENERAL);
      goto leave;
    }
@ -1049,45 +1051,47 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
  if (!issuer)
    {
      log_error ("no issuer found in certificate\n");
-      rc = gpg_error (GPG_ERR_BAD_CERT);
+      err = gpg_error (GPG_ERR_BAD_CERT);
      goto leave;
    }
  if (!subject)
    {
      log_error ("no subject found in certificate\n");
-      rc = gpg_error (GPG_ERR_BAD_CERT);
+      err = gpg_error (GPG_ERR_BAD_CERT);
      goto leave;
    }
  if (is_root_cert (start, issuer, subject))
    {
-      rc = -1; /* we are at the root */
+      err = gpg_error (GPG_ERR_NOT_FOUND); /* we are at the root */
      goto leave;
    }
-  rc = find_up (ctrl, kh, start, issuer, 0);
+  err = find_up (ctrl, kh, start, issuer, 0);
-  if (rc)
+  if (err)
    {
      /* It is quite common not to have a certificate, so better don't
         print an error here.  */
-      if (rc != -1 && opt.verbose > 1)
+      if (gpg_err_code (err) != GPG_ERR_NOT_FOUND && opt.verbose > 1)
-        log_error ("failed to find issuer's certificate: rc=%d\n", rc);
+        log_error ("failed to find issuer's certificate: %s <%s>\n",
-      rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
+                   gpg_strerror (err), gpg_strsource (err));
      err = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
      goto leave;
    }
-  rc = keydb_get_cert (kh, r_next);
+  err = keydb_get_cert (kh, r_next);
-  if (rc)
+  if (err)
    {
-      log_error ("keydb_get_cert() failed: rc=%d\n", rc);
+      log_error ("keydb_get_cert() failed: %s <%s>\n",
-      rc = gpg_error (GPG_ERR_GENERAL);
+                 gpg_strerror (err), gpg_strsource (err));
      err = gpg_error (GPG_ERR_GENERAL);
    }
 leave:
  xfree (issuer);
  xfree (subject);
  keydb_release (kh);
-  return rc;
+  return err;
 }
@ -1116,7 +1120,7 @@ is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn)
    {
      if (gpg_err_code (err) == GPG_ERR_NO_DATA)
        return 1; /* Yes. Without a authorityKeyIdentifier this needs
-                     to be the Root certifcate (our trust anchor).  */
+                     to be the Root certificate (our trust anchor).  */
      log_error ("error getting authorityKeyIdentifier: %s\n",
                 gpg_strerror (err));
      return 0; /* Well, it is broken anyway.  Return No. */
@ -1329,7 +1333,7 @@ check_validity_period (ksba_isotime_t current_time,
 }
 /* This is a variant of check_validity_period used with the chain
-   model.  The dextra contraint here is that notBefore and notAfter
+   model.  The extra contraint here is that notBefore and notAfter
   must exists and if the additional argument CHECK_TIME is given this
   time is used to check the validity period of SUBJECT_CERT.  */
 static gpg_error_t
@ -1397,7 +1401,7 @@ check_validity_period_cm (ksba_isotime_t current_time,
          || strcmp (check_time, not_after) > 0))
    {
      /* Note that we don't need a case for the root certificate
-         because its own consitency has already been checked.  */
+         because its own consistency has already been checked.  */
      do_list(opt.ignore_expiration?0:1, listmode, listfp,
              depth == 0 ?
              _("signature not created during lifetime of certificate") :
@ -1568,7 +1572,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
  for (;;)
    {
      int is_root;
-      gpg_error_t istrusted_rc = -1;
+      gpg_error_t istrusted_rc = gpg_error (GPG_ERR_NOT_TRUSTED);
      /* Put the certificate on our list.  */
      {
@ -1712,7 +1716,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
                  err = gpgsm_is_in_qualified_list (ctrl, subject_cert, NULL);
                  if (!err)
                    is_qualified = 1;
-                  else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND)
+                  else if ( gpg_err_code (err) == GPG_ERR_NOT_FOUND )
                    is_qualified = 0;
                  else
                    log_error ("checking the list of qualified "
@ -1780,7 +1784,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
          if (rc)
            goto leave;
-          break;  /* Okay: a self-signed certicate is an end-point. */
+          break;  /* Okay: a self-signed certificate is an end-point. */
        } /* End is_root.  */
@ -1797,7 +1801,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
      rc = find_up (ctrl, kh, subject_cert, issuer, 0);
      if (rc)
        {
-          if (rc == -1)
+          if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
            {
              do_list (0, listmode, listfp, _("issuer certificate not found"));
              if (!listmode)
@ -1808,7 +1812,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
                }
            }
          else
-            log_error ("failed to find issuer's certificate: rc=%d\n", rc);
+            log_error ("failed to find issuer's certificate: %s <%s>\n",
                       gpg_strerror (rc), gpg_strsource (rc));
          rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
          goto leave;
        }
@ -1880,7 +1885,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
        }
      is_root = gpgsm_is_root_cert (issuer_cert);
-      istrusted_rc = -1;
+      istrusted_rc = gpg_error (GPG_ERR_NOT_TRUSTED);
      /* Check that a CA is allowed to issue certificates. */
@ -2104,7 +2109,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
   do_validate_chain.  This function is a wrapper to handle a root
   certificate with the chain_model flag set.  If RETFLAGS is not
   NULL, flags indicating now the verification was done are stored
-   there.  The only defined vits for RETFLAGS are
+   there.  The only defined bits for RETFLAGS are
   VALIDATE_FLAG_CHAIN_MODEL and VALIDATE_FLAG_STEED.
   If you are verifying a signature you should set CHECKTIME to the
@ -2230,14 +2235,15 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert)
      rc = find_up (ctrl, kh, cert, issuer, 0);
      if (rc)
        {
-          if (rc == -1)
+          if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
            {
              log_info ("issuer certificate (#/");
              gpgsm_dump_string (issuer);
              log_printf (") not found\n");
            }
          else
-            log_error ("failed to find issuer's certificate: rc=%d\n", rc);
+            log_error ("failed to find issuer's certificate: %s <%s>\n",
                       gpg_strerror (rc), gpg_strsource (rc));
          rc = gpg_error (GPG_ERR_MISSING_ISSUER_CERT);
          goto leave;
        }
--- a/sm/certlist.c
+++ b/sm/certlist.c
@ -400,7 +400,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
            next_ambigious:
              rc = keydb_search (ctrl, kh, &desc, 1);
-              if (rc == -1)
+              if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
                rc = 0;
              else if (!rc)
                {
@ -489,7 +489,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
  keydb_release (kh);
  ksba_cert_release (cert);
-  return rc == -1? gpg_error (GPG_ERR_NO_PUBKEY): rc;
+  return (gpg_err_code (rc) == GPG_ERR_NOT_FOUND
          ? gpg_error (GPG_ERR_NO_PUBKEY): rc);
 }
@ -573,7 +574,7 @@ gpgsm_find_cert (ctrl_t ctrl,
                }
            next_ambiguous:
              rc = keydb_search (ctrl, kh, &desc, 1);
-              if (rc == -1)
+              if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
                rc = 0;
              else
                {
@ -627,5 +628,6 @@ gpgsm_find_cert (ctrl_t ctrl,
    }
  keydb_release (kh);
-  return rc == -1? gpg_error (GPG_ERR_NO_PUBKEY): rc;
+  return (gpg_err_code (rc) == GPG_ERR_NOT_FOUND?
          gpg_error (GPG_ERR_NO_PUBKEY): rc);
 }
--- a/sm/delete.c
+++ b/sm/delete.c
@ -83,7 +83,7 @@ delete_one (ctrl_t ctrl, const char *username)
    next_ambigious:
      rc = keydb_search (ctrl, kh, &desc, 1);
-      if (rc == -1)
+      if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
        rc = 0;
      else if (!rc)
        {
@ -107,7 +107,7 @@ delete_one (ctrl_t ctrl, const char *username)
    }
  if (rc)
    {
-      if (rc == -1)
+      if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
        rc = gpg_error (GPG_ERR_NO_PUBKEY);
      log_error (_("certificate '%s' not found: %s\n"),
                 username, gpg_strerror (rc));
--- a/sm/export.c
+++ b/sm/export.c
@ -298,7 +298,7 @@ gpgsm_export (ctrl_t ctrl, strlist_t names, estream_t stream)
      ksba_cert_release (cert);
      cert = NULL;
    }
-  if (rc && rc != -1)
+  if (rc && gpg_err_code (rc) != GPG_ERR_NOT_FOUND)
    log_error ("keydb_search failed: %s\n", gpg_strerror (rc));
  else if (b64writer)
    {
@ -392,7 +392,7 @@ gpgsm_p12_export (ctrl_t ctrl, const char *name, estream_t stream, int rawmode)
            }
          err = gpg_error (GPG_ERR_AMBIGUOUS_NAME);
        }
-      else if (err == -1 || gpg_err_code (err) == GPG_ERR_EOF)
+      else if (gpg_err_code (err) == GPG_ERR_NOT_FOUND)
        err = 0;
      if (err)
        {
--- a/sm/import.c
+++ b/sm/import.c
@ -551,7 +551,7 @@ gpgsm_import_files (ctrl_t ctrl, int nfiles, char **files,
          int fd = of (*files);
          rc = import_one (ctrl, &stats, fd);
          close (fd);
-          if (rc == -1)
+          if (rc == -1/*legacy*/ || gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
            rc = 0;
        }
    }
--- a/sm/keydb.c
+++ b/sm/keydb.c
@ -941,9 +941,10 @@ keydb_search (ctrl_t ctrl, KEYDB_HANDLE hd,
  rc = lock_all (hd);
  if (rc)
    return rc;
-  rc = -1;
+  rc = gpg_error (GPG_ERR_EOF);
-  while (rc == -1 && hd->current >= 0 && hd->current < hd->used)
+  while (gpg_err_code (rc) == GPG_ERR_EOF
         && hd->current >= 0 && hd->current < hd->used)
    {
      switch (hd->active[hd->current].type)
        {
@ -954,9 +955,11 @@ keydb_search (ctrl_t ctrl, KEYDB_HANDLE hd,
          rc = keybox_search (hd->active[hd->current].u.kr, desc, ndesc,
                              KEYBOX_BLOBTYPE_X509,
                              NULL, &skipped);
          if (rc == -1) /* Map legacy code.  */
            rc = gpg_error (GPG_ERR_EOF);
          break;
        }
-      if (rc == -1 || gpg_err_code (rc) == GPG_ERR_EOF)
+      if (gpg_err_code (rc) == GPG_ERR_EOF)
        { /* EOF -> switch to next resource */
          hd->current++;
        }
@ -964,6 +967,10 @@ keydb_search (ctrl_t ctrl, KEYDB_HANDLE hd,
        hd->found = hd->current;
    }
  /* The NOTHING_FOUND error is triggered by a NEXT command.  */
  if (gpg_err_code (rc) == GPG_ERR_EOF
      || gpg_err_code (rc) == GPG_ERR_NOTHING_FOUND)
    rc = gpg_error (GPG_ERR_NOT_FOUND);
  return rc;
 }
@ -1102,7 +1109,7 @@ keydb_store_cert (ctrl_t ctrl, ksba_cert_t cert, int ephemeral, int *existed)
    return rc;
  rc = keydb_search_fpr (ctrl, kh, fpr);
-  if (rc != -1)
+  if (gpg_err_code (rc) != GPG_ERR_NOT_FOUND)
    {
      keydb_release (kh);
      if (!rc)
@ -1194,9 +1201,7 @@ keydb_set_cert_flags (ctrl_t ctrl, ksba_cert_t cert, int ephemeral,
  err = keydb_search_fpr (ctrl, kh, fpr);
  if (err)
    {
-      if (err == -1)
+      if (gpg_err_code (err) != gpg_error (GPG_ERR_NOT_FOUND))
        err = gpg_error (GPG_ERR_NOT_FOUND);
      else
        log_error (_("problem re-searching certificate: %s\n"),
                   gpg_strerror (err));
      keydb_release (kh);
@ -1313,7 +1318,7 @@ keydb_clear_some_cert_flags (ctrl_t ctrl, strlist_t names)
            }
        }
    }
-  if (rc && rc != -1)
+  if (rc && gpg_err_code (rc) != GPG_ERR_NOT_FOUND)
    log_error ("%s failed: %s\n", __func__, gpg_strerror (rc));
 leave:
--- a/sm/keylist.c
+++ b/sm/keylist.c
@ -433,8 +433,9 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
        chain_id = chain_id_buffer;
        ksba_cert_release (next);
      }
-    else if (rc == -1)  /* We have reached the root certificate. */
+    else if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
      {
        /* We have reached the root certificate. */
        chain_id = fpr;
        is_root = 1;
      }
@ -1587,7 +1588,7 @@ list_internal_keys (ctrl_t ctrl, strlist_t names, estream_t fp,
      lastcert = cert;
      cert = NULL;
    }
-  if (gpg_err_code (rc) == GPG_ERR_EOF || rc == -1 )
+  if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND)
    rc = 0;
  if (rc)
    log_error ("keydb_search failed: %s\n", gpg_strerror (rc));
--- a/sm/sign.c
+++ b/sm/sign.c
@ -293,7 +293,7 @@ add_certificate_list (ctrl_t ctrl, ksba_cms_t cms, ksba_cert_t cert)
    }
  ksba_cert_release (cert);
-  return rc == -1? 0: rc;
+  return gpg_err_code (rc) == GPG_ERR_NOT_FOUND? 0 : rc;
 ksba_failure:
  ksba_cert_release (cert);