From 9543b3567b04aa5423852c29ecb77ff004c220f4 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 27 Sep 2024 15:50:46 +0200
Subject: [PATCH] sm: Optmize clearing of the ephemeral flag.

* kbx/keybox-search.c (keybox_get_cert): Store the blob clags in the cert object.
* sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral flag if we know that it is not set.
--
GnuPG-bug-id: 7308
---
 kbx/keybox-search.c | 12 ++++++++++++
 sm/certchain.c | 13 +++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c
index b1aee9e85..d4cdf91a9 100644
--- a/kbx/keybox-search.c
+++ b/kbx/keybox-search.c
@@ -1196,6 +1196,7 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
   size_t cert_off, cert_len;
   ksba_reader_t reader = NULL;
   ksba_cert_t cert = NULL;
+  unsigned int blobflags;
   int rc;
 
   if (!hd)
@@ -1241,6 +1242,17 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
       return gpg_error (GPG_ERR_GENERAL);
     }
 
+  rc = get_flag_from_image (buffer, length, KEYBOX_FLAG_BLOB, &blobflags);
+  if (!rc)
+    rc = ksba_cert_set_user_data (cert, "keydb.blobflags",
+                                  &blobflags, sizeof blobflags);
+  if (rc)
+    {
+      ksba_cert_release (cert);
+      ksba_reader_release (reader);
+      return gpg_error (rc);
+    }
+
   *r_cert = cert;
   ksba_reader_release (reader);
   return 0;
diff --git a/sm/certchain.c b/sm/certchain.c
index 57de48301..8c25bdec1 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
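Review bot: The new error path in the second keybox_get_cert hunk turns a problem with an optional hint into a hard failure of the whole fetch: after `ksba_cert_read_der` has already succeeded, an error from `get_flag_from_image` now releases the certificate and returns an error where the caller previously got the certificate. Because any consumer of "keydb.blobflags" must already cope with the user data being absent (certificates do not only come from the keybox), the hint could be attached only when it is readable, keeping just the `ksba_cert_set_user_data` failure fatal: `rc = 0; if (!get_flag_from_image (buffer, length, KEYBOX_FLAG_BLOB, &blobflags)) rc = ksba_cert_set_user_data (cert, "keydb.blobflags", &blobflags, sizeof blobflags);`. Whether get_flag_from_image can actually fail on a blob whose certificate parsed cleanly is not visible in the hunk, so if it cannot, a comment saying so is enough. Either way the stored value is a snapshot of the blob at read time, which deserves a comment such as `/* Attach the blob flags as a hint: they reflect the keybox state when the blob was read, and consumers must fall back to a keybox lookup when the user data is absent. */`. Note also that `rc` holds a plain error code from get_flag_from_image on one path and a full gpg_error_t from libksba on the other, so `gpg_error (rc)` rewrites the KSBA error source in the latter case; returning the libksba value unchanged keeps the source intact.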
@@ -2048,9 +2048,22 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
     {
       gpg_error_t err;
       chain_item_t ci;
+      unsigned int blobflags;
+      size_t userdatalen;
 
       for (ci = chain; ci; ci = ci->next)
         {
+          /* First do a quick check by looking at the blob flags to
+           * see whether the certificate is flagged ephemeral. This
+           * avoids the overhead of looking up the certificate again
+           * just to decide that there is no need to clear it. */
+          if (!ksba_cert_get_user_data (cert, "keydb.blobflags",
+                                        &blobflags, sizeof (blobflags),
+                                        &userdatalen)
+              && userdatalen == sizeof blobflags
+              && !(blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
+            continue;
+
           /* Note that it is possible for the last certificate in the
              chain (i.e. our target certificate) that it has not yet
              been stored in the keybox and thus the flag can't be set.
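Review bot: The quick check reads the user data from `cert`, the target certificate passed to do_validate_chain (see the hunk header), while the loop walks the chain through `ci`; if the clearing code below the hunk operates on `ci->cert`, the decision to skip is taken from the wrong certificate for every chain element: a permanently stored target makes the loop skip its issuers too, including ones still flagged ephemeral, and an ephemeral target disables the optimization for the whole chain. The first line of the condition should read `if (!ksba_cert_get_user_data (ci->cert, "keydb.blobflags",`. The hint is also a snapshot taken when the object was fetched from the keybox, so skipping is only safe if the ephemeral flag can never be set on a blob after it has been read; a sentence in the new comment stating that assumption would help the next reader. The enclosing function and the loop body continue outside the hunk.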