gpgsm: select unexpired certificates skipping expired ones

* sm/certchain.c (check_validity_period_cm): Make function global. * sm/certlist.c (gpgsm_add_to_certlist): If an expired certificate is found, continue looking for another one. -- This enables the user to select a certificate by subject, and keep old expired certificates in the store in case he wishes to decrypt or verify an old file. This makes renewal of certificate smoother. Due to a broken patch I had to massage the patch and while doing this also fixed the indentation and moved a declaration to the begin of a block. - wk@gnupg.org
2025-04-17 15:44:34 +02:00 · 2025-03-18 09:43:26 +01:00 · 2025-03-18 09:43:26 +01:00 · 4cf83273e8
commit 4cf83273e8
parent 4f4264c4e8
3 changed files with 55 additions and 11 deletions
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -1433,7 +1433,7 @@ check_validity_period (ksba_isotime_t current_time,
   model.  The extra constraint here is that notBefore and notAfter
   must exists and if the additional argument CHECK_TIME is given this
   time is used to check the validity period of SUBJECT_CERT.  */
-static gpg_error_t
+gpg_error_t
 check_validity_period_cm (ksba_isotime_t current_time,
                          ksba_isotime_t check_time,
                          ksba_cert_t subject_cert,
--- a/sm/certlist.c
+++ b/sm/certlist.c
@ -337,6 +337,9 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
  KEYDB_SEARCH_DESC desc;
  KEYDB_HANDLE kh = NULL;
  ksba_cert_t cert = NULL;
+  ksba_isotime_t current_time = {0, };
+  ksba_isotime_t exp_time = {0, };
+  int current_time_loaded = 0;

  rc = classify_user_id (name, &desc, 0);
  if (!rc)
@ -365,10 +368,20 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
                }
              rc = secret? gpgsm_cert_use_sign_p (cert, 0)
                         : gpgsm_cert_use_encrypt_p (cert);
+              if (!rc)
+                {
+                  if (!current_time_loaded)
+                    {
+                      gnupg_get_isotime (current_time);
+                      current_time_loaded = 1;
+                    }
+                  rc = check_validity_period_cm (current_time, current_time,
+                                                 cert, exp_time, 0, NULL, 0);
+                }
              if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
                {
                  /* There might be another certificate with the
-                     correct usage, so we try again */
+                   * correct usage, so we try again */
                  if (!wrong_usage
                      || same_subject_issuer (first_subject, first_issuer,cert))
                    {
@ -381,7 +394,13 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
                    }
                  else
                    wrong_usage = rc;
-
+                }
+              else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
+                {
+                  ksba_cert_release (cert);
+                  cert = NULL;
+                  log_info (_("looking for another certificate\n"));
+                  goto get_next;
                }
            }
          /* We want the error code from the first match in this case. */
@ -416,14 +435,34 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
                     keybox).  */
                  if (!keydb_get_cert (kh, &cert2))
                    {
-                      int tmp = (same_subject_issuer (first_subject,
-                                                      first_issuer,
-                                                      cert2)
-                                 && ((gpg_err_code (
-                                      secret? gpgsm_cert_use_sign_p (cert2,0)
-                                            : gpgsm_cert_use_encrypt_p (cert2)
-                                      )
-                                     )  == GPG_ERR_WRONG_KEY_USAGE));
+                      int tmp;
+
+                      if (!current_time_loaded)
+                        {
+                          gnupg_get_isotime (current_time);
+                          current_time_loaded = 1;
+                        }
+
+                      tmp =
+                        (same_subject_issuer (first_subject,
+                                             first_issuer,
+                                             cert2)
+                         && ((gpg_err_code (
+                               secret? gpgsm_cert_use_sign_p (cert2, 0)
+                                     : gpgsm_cert_use_encrypt_p (cert2)
+                               )
+                              ) == GPG_ERR_WRONG_KEY_USAGE
+                             || (gpg_err_code (
+                                  check_validity_period_cm (current_time,
+                                                            current_time,
+                                                            cert,
+                                                            exp_time,
+                                                            0, NULL, 0)
+                                  ) == GPG_ERR_CERT_EXPIRED
+                                )
+                             )
+                         );
+
                      if (tmp)
                        gpgsm_add_cert_to_certlist (ctrl, cert2,
                                                    &dup_certs, 0);
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -441,6 +441,11 @@ int gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert,
                          ksba_isotime_t r_exptime,
                          int listmode, estream_t listfp,
                          unsigned int flags, unsigned int *retflags);
+gpg_error_t check_validity_period_cm (ksba_isotime_t current_time,
+                          ksba_isotime_t check_time,
+                          ksba_cert_t subject_cert,
+                          ksba_isotime_t exptime,
+                          int listmode, estream_t listfp, int depth);
 int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);

 /*-- certlist.c --*/