sm: Add special case for expired intermediate certificates.

* sm/gpgsm.h (struct server_control_s): Add field 'current_time'. * sm/certchain.c (find_up_search_by_keyid): Detect a corner case. Also simplify by using ref-ed cert objects in place of an anyfound var. -- See the code for a description of the problem. Tested using the certs from the bug report and various command lines gpgsm --faked-system-time=XXXX --disable-crl-checks \ -ea -v --debug x509 -r 0x95599828 with XXXX being 20190230T000000 -> target cert too young with XXXX being 20190330T000000 -> okay with XXXX being 20190830T000000 -> okay, using the long term cert with XXXX being 20220330T000000 -> target cert expired The --disabled-crl-checks option is required because in our a simple test setting dirmngr does not know about the faked time. GnuPG-bug-id: 4696 Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from commit d246f317c0)
2025-07-03 22:56:33 +02:00 · 2019-12-06 20:12:22 +01:00 · 2019-12-06 20:12:22 +01:00 · 8c167febc0
commit 8c167febc0
parent 78bb81e9de
2 changed files with 91 additions and 17 deletions
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -206,6 +206,9 @@ struct server_control_s
                           1 := chain model,
                           2 := STEED model. */
  int offline;        /* If true gpgsm won't do any network access.  */
+
+  /* The current time.  Used as a helper in certchain.c.  */
+  ksba_isotime_t current_time;
 };