security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-11 22:01:08 +02:00
Code Activity

gpgsm: Avoid increasing error count when enumerating an expired cert.

Browse Source 
* sm/certchain.c (check_validity_period_cm): Add arg no_log_expired to
avoid bumping of the error counter due to the do_list function.
* sm/certlist.c (gpgsm_add_to_certlist): Set no_log_expired when
checking the expiration.
--

I modified the original patch to make the patch smaller and the code
easier to read.  - wk@gnupg.org
This commit is contained in:
Ramón García 2025-03-18 10:04:37 +01:00 committed by Werner Koch
parent 029ac17b40
commit 53f5aad905
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
3 changed files with 42 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
sm/certchain.c
View File

@ -1430,15 +1430,18 @@ check_validity_period (ksba_isotime_t current_time,
} }
/* This is a variant of check_validity_period used with the chain /* This is a variant of check_validity_period used with the chain
model. The extra constraint here is that notBefore and notAfter * model. The extra constraint here is that notBefore and notAfter
must exists and if the additional argument CHECK_TIME is given this * must exists and if the additional argument CHECK_TIME is given this
time is used to check the validity period of SUBJECT_CERT. */ * time is used to check the validity period of SUBJECT_CERT. With
* NO_LOG_EXPIRED the function does not log diagnostics about cert
* expiration et al. */
gpg_error_t gpg_error_t
check_validity_period_cm (ksba_isotime_t current_time, check_validity_period_cm (ksba_isotime_t current_time,
ksba_isotime_t check_time, ksba_isotime_t check_time,
ksba_cert_t subject_cert, ksba_cert_t subject_cert,
ksba_isotime_t exptime, ksba_isotime_t exptime,
int listmode, estream_t listfp, int depth) int listmode, estream_t listfp, int depth,
int no_log_expired)
{ {
gpg_error_t err; gpg_error_t err;
ksba_isotime_t not_before, not_after; ksba_isotime_t not_before, not_after;
@ -1454,22 +1457,26 @@ check_validity_period_cm (ksba_isotime_t current_time,
} }
if (!*not_before || !*not_after) if (!*not_before || !*not_after)
{ {
do_list (1, listmode, listfp, if (!no_log_expired)
_("required certificate attributes missing: %s%s%s"), do_list (1, listmode, listfp,
!*not_before? "notBefore":"", _("required certificate attributes missing: %s%s%s"),
(!*not_before && !*not_after)? ", ":"", !*not_before? "notBefore":"",
!*not_before? "notAfter":""); (!*not_before && !*not_after)? ", ":"",
!*not_before? "notAfter":"");
return gpg_error (GPG_ERR_BAD_CERT); return gpg_error (GPG_ERR_BAD_CERT);
} }
if (strcmp (not_before, not_after) > 0 ) if (strcmp (not_before, not_after) > 0 )
{ {
do_list (1, listmode, listfp, if (!no_log_expired)
_("certificate with invalid validity")); {
log_info (" (valid from "); do_list (1, listmode, listfp,
dump_isotime (not_before); _("certificate with invalid validity"));
log_printf (" expired at "); log_info (" (valid from ");
dump_isotime (not_after); dump_isotime (not_before);
log_printf (")\n"); log_printf (" expired at ");
dump_isotime (not_after);
log_printf (")\n");
}
return gpg_error (GPG_ERR_BAD_CERT); return gpg_error (GPG_ERR_BAD_CERT);
} }
@ -1480,15 +1487,18 @@ check_validity_period_cm (ksba_isotime_t current_time,
if (strcmp (current_time, not_before) < 0 ) if (strcmp (current_time, not_before) < 0 )
{ {
do_list (1, listmode, listfp, if (!no_log_expired)
depth == 0 ? _("certificate not yet valid") :
depth == -1 ? _("root certificate not yet valid") :
/* other */ _("intermediate certificate not yet valid"));
if (!listmode)
{ {
log_info (" (valid from "); do_list (1, listmode, listfp,
dump_isotime (not_before); depth == 0 ? _("certificate not yet valid") :
log_printf (")\n"); depth == -1 ? _("root certificate not yet valid") :
/* other */ _("intermediate certificate not yet valid"));
if (!listmode)
{
log_info (" (valid from ");
dump_isotime (not_before);
log_printf (")\n");
}
} }
return gpg_error (GPG_ERR_CERT_TOO_YOUNG); return gpg_error (GPG_ERR_CERT_TOO_YOUNG);
} }
@ -1499,14 +1509,15 @@ check_validity_period_cm (ksba_isotime_t current_time,
{ {
/* Note that we don't need a case for the root certificate /* Note that we don't need a case for the root certificate
because its own consistency has already been checked. */ because its own consistency has already been checked. */
do_list(opt.ignore_expiration?0:1, listmode, listfp, if (!no_log_expired)
do_list (opt.ignore_expiration?0:1, listmode, listfp,
depth == 0 ? depth == 0 ?
_("signature not created during lifetime of certificate") : _("signature not created during lifetime of certificate") :
depth == 1 ? depth == 1 ?
_("certificate not created during lifetime of issuer") : _("certificate not created during lifetime of issuer") :
_("intermediate certificate not created during lifetime " _("intermediate certificate not created during lifetime "
"of issuer")); "of issuer"));
if (!listmode) if (!listmode && !no_log_expired)
{ {
log_info (depth== 0? _(" ( signature created at ") : log_info (depth== 0? _(" ( signature created at ") :
/* */ _(" (certificate created at ") ); /* */ _(" (certificate created at ") );
@ -1737,7 +1748,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) ) if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) )
rc = check_validity_period_cm (current_time, check_time, subject_cert, rc = check_validity_period_cm (current_time, check_time, subject_cert,
exptime, listmode, listfp, exptime, listmode, listfp,
(depth && is_root)? -1: depth); (depth && is_root)? -1: depth, 0);
else else
rc = check_validity_period (current_time, subject_cert, rc = check_validity_period (current_time, subject_cert,
exptime, listmode, listfp, exptime, listmode, listfp,

4
sm/certlist.c
View File

@ -376,7 +376,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
current_time_loaded = 1; current_time_loaded = 1;
} }
rc = check_validity_period_cm (current_time, current_time, rc = check_validity_period_cm (current_time, current_time,
cert, exp_time, 0, NULL, 0); cert, exp_time, 0, NULL, 0, 0);
} }
if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE) if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
{ {
@ -458,7 +458,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
current_time, current_time,
cert, cert,
exp_time, exp_time,
0, NULL, 0) 0, NULL, 0, 1)
) == GPG_ERR_CERT_EXPIRED ) == GPG_ERR_CERT_EXPIRED
) )
) )

3
sm/gpgsm.h
View File

@ -445,7 +445,8 @@ gpg_error_t check_validity_period_cm (ksba_isotime_t current_time,
ksba_isotime_t check_time, ksba_isotime_t check_time,
ksba_cert_t subject_cert, ksba_cert_t subject_cert,
ksba_isotime_t exptime, ksba_isotime_t exptime,
int listmode, estream_t listfp, int depth); int listmode, estream_t listfp, int depth,
int no_log_expired);
int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert); int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);
/*-- certlist.c --*/ /*-- certlist.c --*/