* keydb.c (keydb_store_cert): Add optional ar EXISTED and changed

all callers. * call-agent.c (learn_cb): Print info message only for real imports. * import.c (gpgsm_import): Moved duplicated code to ... (check_and_store): new function. Added magic to import the entire chain. Print status only for real imports and moved printing code to .. (print_imported_status): New.
2025-03-28 22:49:59 +01:00 · 2002-07-02 10:40:12 +00:00 · 2002-07-02 10:40:12 +00:00 · 5795c02b09
commit 5795c02b09
parent 5faca753cb
9 changed files with 96 additions and 44 deletions
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@ -1,5 +1,15 @@
 2002-07-02  Werner Koch  <wk@gnupg.org>

+	* keydb.c (keydb_store_cert): Add optional ar EXISTED and changed
+	all callers.
+	* call-agent.c (learn_cb): Print info message only for real imports.
+
+	* import.c (gpgsm_import): Moved duplicated code to ...
+	(check_and_store): new function.  Added magic to import the entire
+	chain. Print status only for real imports and moved printing code
+	to ..
+	(print_imported_status): New.
+
 	* call-dirmngr.c (gpgsm_dirmngr_isvalid): print status of dirmngr
 	call in very verbose mode.

--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@ -702,8 +702,15 @@ learn_cb (void *opaque, const void *buffer, size_t length)
    log_error ("invalid certificate: %s\n", gnupg_strerror (rc));
  else
    {
-      if (!keydb_store_cert (cert, 0))
-        log_info ("certificate imported\n");
+      int existed;
+
+      if (!keydb_store_cert (cert, 0, &existed))
+        {
+          if (opt.verbose > 1 && existed)
+            log_info ("certificate already in DB\n");
+          else if (opt.verbose && !existed)
+            log_info ("certificate imported\n");
+        }
    }

  ksba_cert_release (cert);
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -199,7 +199,7 @@ check_cert_policy (KsbaCert cert)
 static void
 find_up_store_certs_cb (void *cb_value, KsbaCert cert)
 {
-  if (keydb_store_cert (cert, 1))
+  if (keydb_store_cert (cert, 1, NULL))
    log_error ("error storing issuer certificate as ephemeral\n");
  ++*(int*)cb_value;
 }
--- a/sm/certpath.c
+++ b/sm/certpath.c
@ -199,7 +199,7 @@ check_cert_policy (KsbaCert cert)
 static void
 find_up_store_certs_cb (void *cb_value, KsbaCert cert)
 {
-  if (keydb_store_cert (cert, 1))
+  if (keydb_store_cert (cert, 1, NULL))
    log_error ("error storing issuer certificate as ephemeral\n");
  ++*(int*)cb_value;
 }
--- a/sm/import.c
+++ b/sm/import.c
@ -35,6 +35,61 @@
 #include "i18n.h"


+static void
+print_imported_status (CTRL ctrl, KsbaCert cert)
+{
+  char *fpr;
+ 
+  fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
+  gpgsm_status2 (ctrl, STATUS_IMPORTED, fpr, " [X.509]", NULL);
+  xfree (fpr);
+}
+
+static void
+check_and_store (CTRL ctrl, KsbaCert cert, int depth)
+{
+  if ( !gpgsm_basic_cert_check (cert) )
+    {
+      int existed;
+
+      if (!keydb_store_cert (cert, 0, &existed))
+        {
+          KsbaCert next = NULL;
+
+          if (!existed)
+            print_imported_status (ctrl, cert);
+          if (opt.verbose > 1 && existed)
+            {
+              if (depth)
+                log_info ("issuer certificate already in DB\n");
+              else
+                log_info ("certificate already in DB\n");
+            }
+          else if (opt.verbose && !existed)
+            {
+              if (depth)
+                log_info ("issuer certificate imported\n");
+              else
+                log_info ("certificate imported\n");
+            }
+          /* Now lets walk up the chain and import all certificates up
+             the chain.*/
+          if ( depth >= 50 )
+            log_error (_("certificate path too long\n"));
+          else if (!gpgsm_walk_cert_chain (cert, &next))
+            {
+              check_and_store (ctrl, next, depth+1);
+              ksba_cert_release (next);
+            }
+        }
+      else
+        log_error (_("error storing certificate\n"));
+    }
+  else
+    log_error (_("basic certificate checks failed - not imported\n"));
+}
+
+

 int
 gpgsm_import (CTRL ctrl, int in_fd)
@ -102,22 +157,7 @@ gpgsm_import (CTRL ctrl, int in_fd)
      
      for (i=0; (cert=ksba_cms_get_cert (cms, i)); i++)
        {
-          if ( !gpgsm_basic_cert_check (cert) )
-            {
-              if (!keydb_store_cert (cert, 0))
-                {
-                  char *fpr;
-                  fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
-                  gpgsm_status2 (ctrl, STATUS_IMPORTED, fpr, " [X.509]", NULL);
-                  xfree (fpr);
-                  if (opt.verbose)
-                    log_info ("certificate imported\n");
-                }
-              else
-                log_error (_("error storing certificate\n"));
-            }
-          else
-            log_error (_("basic certificate checks failed - not imported\n"));
+          check_and_store (ctrl, cert, 0);
          ksba_cert_release (cert); 
          cert = NULL;
        }
@ -140,23 +180,8 @@ gpgsm_import (CTRL ctrl, int in_fd)
          rc = map_ksba_err (rc);
          goto leave;
        }
-      
-      if ( !gpgsm_basic_cert_check (cert) )
-        {
-          if (!keydb_store_cert (cert, 0))
-            {
-              char *fpr;
-              fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
-              gpgsm_status2 (ctrl, STATUS_IMPORTED, fpr, " [X.509]", NULL);
-              xfree (fpr);
-              if (opt.verbose)
-                log_info ("certificate imported\n");
-            }
-          else
-            log_error (_("error storing certificate\n"));
-        }
-      else
-        log_error (_("basic certificate checks failed - not imported\n"));
+
+      check_and_store (ctrl, cert, 0);
    }
  else
    {
--- a/sm/keydb.c
+++ b/sm/keydb.c
@ -1196,15 +1196,20 @@ keydb_classify_name (const char *name, KEYDB_SEARCH_DESC *desc)
 }


-/* Store the certificate in the key Db but make sure that it does not
-   already exists.  We do this simply by comparing the fingerprint */
+/* Store the certificate in the key DB but make sure that it does not
+   already exists.  We do this simply by comparing the fingerprint.
+   If EXISTED is not NULL it will be set to true if the certificate
+   was already in the DB. */
 int
-keydb_store_cert (KsbaCert cert, int ephemeral)
+keydb_store_cert (KsbaCert cert, int ephemeral, int *existed)
 {
  KEYDB_HANDLE kh;
  int rc;
  unsigned char fpr[20];

+  if (existed)
+    *existed = 0;
+
  if (!gpgsm_get_fingerprint (cert, 0, fpr, NULL))
    {
      log_error (_("failed to get the fingerprint\n"));
@ -1226,7 +1231,11 @@ keydb_store_cert (KsbaCert cert, int ephemeral)
    {
      keydb_release (kh);
      if (!rc)
-        return 0; /* okay */
+        {
+          if (existed)
+            *existed = 1;
+          return 0; /* okay */
+        }
      log_error (_("problem looking for existing certificate: %s\n"),
                 gnupg_strerror (rc));
      return rc;
@ -1252,3 +1261,4 @@ keydb_store_cert (KsbaCert cert, int ephemeral)
 }


+
--- a/sm/keydb.h
+++ b/sm/keydb.h
@ -63,7 +63,7 @@ int keydb_search_subject (KEYDB_HANDLE hd, const char *issuer);

 int keydb_classify_name (const char *name, KEYDB_SEARCH_DESC *desc);

-int keydb_store_cert (KsbaCert cert, int ephemeral);
+int keydb_store_cert (KsbaCert cert, int ephemeral, int *existed);


 #endif /*GNUPG_KEYDB_H*/
--- a/sm/keylist.c
+++ b/sm/keylist.c
@ -548,7 +548,7 @@ list_external_cb (void *cb_value, KsbaCert cert)
 {
  struct list_external_parm_s *parm = cb_value;

-  if (keydb_store_cert (cert, 1))
+  if (keydb_store_cert (cert, 1, NULL))
    log_error ("error storing certificate as ephemeral\n");

  if (parm->print_header)
--- a/sm/verify.c
+++ b/sm/verify.c
@ -242,7 +242,7 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
         certificate first before entering it into the DB.  This way
         we would avoid cluttering the DB with invalid
         certificates. */
-      keydb_store_cert (cert, 0);
+      keydb_store_cert (cert, 0, NULL);
      ksba_cert_release (cert);
    }