gpgsm: select unexpired certificates skipping expired ones
* sm/certchain.c (check_validity_period_cm): Make function global. * sm/certlist.c (gpgsm_add_to_certlist): If an expired certificate is found, continue looking for another one. -- This enables the user to select a certificate by subject, and keep old expired certificates in the store in case he wishes to decrypt or verify an old file. This makes renewal of certificates smoother. Due to a broken patch I had to massage the patch and while doing this also fixed the indentation and moved a declaration to the beginning of a block. - wk@gnupg.org
parent
4f4264c4e8
commit
4cf83273e8
@ -1433,7 +1433,7 @@ check_validity_period (ksba_isotime_t current_time,
|
|||||||
model. The extra constraint here is that notBefore and notAfter
|
model. The extra constraint here is that notBefore and notAfter
|
||||||
must exists and if the additional argument CHECK_TIME is given this
|
must exists and if the additional argument CHECK_TIME is given this
|
||||||
time is used to check the validity period of SUBJECT_CERT. */
|
time is used to check the validity period of SUBJECT_CERT. */
|
||||||
static gpg_error_t
|
gpg_error_t
|
||||||
check_validity_period_cm (ksba_isotime_t current_time,
|
check_validity_period_cm (ksba_isotime_t current_time,
|
||||||
ksba_isotime_t check_time,
|
ksba_isotime_t check_time,
|
||||||
ksba_cert_t subject_cert,
|
ksba_cert_t subject_cert,
|
||||||
|
@ -337,6 +337,9 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
|
|||||||
KEYDB_SEARCH_DESC desc;
|
KEYDB_SEARCH_DESC desc;
|
||||||
KEYDB_HANDLE kh = NULL;
|
KEYDB_HANDLE kh = NULL;
|
||||||
ksba_cert_t cert = NULL;
|
ksba_cert_t cert = NULL;
|
||||||
|
ksba_isotime_t current_time = {0, };
|
||||||
|
ksba_isotime_t exp_time = {0, };
|
||||||
|
int current_time_loaded = 0;
|
||||||
|
|
||||||
rc = classify_user_id (name, &desc, 0);
|
rc = classify_user_id (name, &desc, 0);
|
||||||
if (!rc)
|
if (!rc)
|
||||||
@ -365,10 +368,20 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
|
|||||||
}
|
}
|
||||||
rc = secret? gpgsm_cert_use_sign_p (cert, 0)
|
rc = secret? gpgsm_cert_use_sign_p (cert, 0)
|
||||||
: gpgsm_cert_use_encrypt_p (cert);
|
: gpgsm_cert_use_encrypt_p (cert);
|
||||||
|
if (!rc)
|
||||||
|
{
|
||||||
|
if (!current_time_loaded)
|
||||||
|
{
|
||||||
|
gnupg_get_isotime (current_time);
|
||||||
|
current_time_loaded = 1;
|
||||||
|
}
|
||||||
|
rc = check_validity_period_cm (current_time, current_time,
|
||||||
|
cert, exp_time, 0, NULL, 0);
|
||||||
|
}
|
||||||
if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
|
if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
|
||||||
{
|
{
|
||||||
/* There might be another certificate with the
|
/* There might be another certificate with the
|
||||||
correct usage, so we try again */
|
* correct usage, so we try again */
|
||||||
if (!wrong_usage
|
if (!wrong_usage
|
||||||
|| same_subject_issuer (first_subject, first_issuer,cert))
|
|| same_subject_issuer (first_subject, first_issuer,cert))
|
||||||
{
|
{
|
||||||
@ -381,7 +394,13 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
wrong_usage = rc;
|
wrong_usage = rc;
|
||||||
|
}
|
||||||
|
else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
|
||||||
|
{
|
||||||
|
ksba_cert_release (cert);
|
||||||
|
cert = NULL;
|
||||||
|
log_info (_("looking for another certificate\n"));
|
||||||
|
goto get_next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
/* We want the error code from the first match in this case. */
|
/* We want the error code from the first match in this case. */
|
||||||
@ -416,14 +435,34 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
|
|||||||
keybox). */
|
keybox). */
|
||||||
if (!keydb_get_cert (kh, &cert2))
|
if (!keydb_get_cert (kh, &cert2))
|
||||||
{
|
{
|
||||||
int tmp = (same_subject_issuer (first_subject,
|
int tmp;
|
||||||
|
|
||||||
|
if (!current_time_loaded)
|
||||||
|
{
|
||||||
|
gnupg_get_isotime (current_time);
|
||||||
|
current_time_loaded = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
tmp =
|
||||||
|
(same_subject_issuer (first_subject,
|
||||||
first_issuer,
|
first_issuer,
|
||||||
cert2)
|
cert2)
|
||||||
&& ((gpg_err_code (
|
&& ((gpg_err_code (
|
||||||
secret? gpgsm_cert_use_sign_p (cert2,0)
|
secret? gpgsm_cert_use_sign_p (cert2, 0)
|
||||||
: gpgsm_cert_use_encrypt_p (cert2)
|
: gpgsm_cert_use_encrypt_p (cert2)
|
||||||
)
|
)
|
||||||
) == GPG_ERR_WRONG_KEY_USAGE));
|
) == GPG_ERR_WRONG_KEY_USAGE
|
||||||
|
|| (gpg_err_code (
|
||||||
|
check_validity_period_cm (current_time,
|
||||||
|
current_time,
|
||||||
|
cert,
|
||||||
|
exp_time,
|
||||||
|
0, NULL, 0)
|
||||||
|
) == GPG_ERR_CERT_EXPIRED
|
||||||
|
)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
if (tmp)
|
if (tmp)
|
||||||
gpgsm_add_cert_to_certlist (ctrl, cert2,
|
gpgsm_add_cert_to_certlist (ctrl, cert2,
|
||||||
&dup_certs, 0);
|
&dup_certs, 0);
|
||||||
|
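Review bot: The expiry check added to the duplicate scan passes `cert` rather than `cert2` to check_validity_period_cm (the `cert,` argument, a few lines after `cert2` is handed to same_subject_issuer and to the key-usage check in the same expression), so every iteration re-examines the certificate already selected instead of the candidate being scanned. If `cert` still refers to the certificate that passed the expiry check earlier in the function (its assignment and the get_next label are outside this hunk), that call cannot return GPG_ERR_CERT_EXPIRED, and expired same-subject duplicates will never be counted in dup_certs. The intended argument is presumably `cert2,`. A short comment above the `tmp =` assignment stating that dup_certs counts same-subject certificates rejected for wrong usage or expiry would also make the condition easier to read. gpgsm_add_to_certlist starts and ends outside this hunk.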
@ -441,6 +441,11 @@ int gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert,
|
|||||||
ksba_isotime_t r_exptime,
|
ksba_isotime_t r_exptime,
|
||||||
int listmode, estream_t listfp,
|
int listmode, estream_t listfp,
|
||||||
unsigned int flags, unsigned int *retflags);
|
unsigned int flags, unsigned int *retflags);
|
||||||
|
gpg_error_t check_validity_period_cm (ksba_isotime_t current_time,
|
||||||
|
ksba_isotime_t check_time,
|
||||||
|
ksba_cert_t subject_cert,
|
||||||
|
ksba_isotime_t exptime,
|
||||||
|
int listmode, estream_t listfp, int depth);
|
||||||
int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);
|
int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);
|
||||||
|
|
||||||
/*-- certlist.c --*/
|
/*-- certlist.c --*/
|
||||||
|
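Review bot: The prototype newly exported here carries no comment, although certlist.c now depends on this function returning GPG_ERR_CERT_EXPIRED for a certificate whose validity period has passed; a one-line contract next to the declaration would help callers outside certchain.c, e.g. `/* Check the validity period of SUBJECT_CERT at CHECK_TIME; returns GPG_ERR_CERT_EXPIRED when it has expired (see certchain.c for the other error codes).  */`. The meaning of DEPTH and of LISTMODE/LISTFP is not visible in this hunk, so the comment should point at the definition for those rather than guess.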