From ad8bce774d91bbd1dbbf43f8b6f018a5e981e176 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ram=C3=B3n=20Garc=C3=ADa?= Date: Tue, 18 Mar 2025 12:14:50 +0100 Subject: [PATCH] gpgsm: Fix error message if all selected certificates are expired. * sm/certlist.c (gpgsm_add_to_certlist): Track expired error. Make the expired check easier to read by using if and case. -- Original ChangeLog: If all selected certificates are expired, don't mislead the user saying that no certificate was found. Instead, return the error of the first certificate selected. * sm/certlist.c: if one expired certificate was found, don't return no certificate found, return instead the expiration error I heavily changed Ramon's original patch and hope that I don't introduced a regression to his patch. - wk@gnupg.org --- sm/certlist.c | 45 ++++++++++++++++++++++++++++----------------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/sm/certlist.c b/sm/certlist.c index 21c163290..5057637ad 100644 --- a/sm/certlist.c +++ b/sm/certlist.c @@ -350,6 +350,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, else { int wrong_usage = 0; + int expired_rc = 0; char *first_subject = NULL; char *first_issuer = NULL; @@ -398,6 +399,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED || gpg_err_code (rc) == GPG_ERR_CERT_TOO_YOUNG) { + if (!expired_rc) + expired_rc = rc; ksba_cert_release (cert); cert = NULL; log_info (_("looking for another certificate\n")); @@ -407,6 +410,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, /* We want the error code from the first match in this case. */ if (rc && wrong_usage) rc = wrong_usage; + else if (rc && expired_rc) + rc = expired_rc; if (!rc) { @@ -436,7 +441,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, keybox). */ if (!keydb_get_cert (kh, &cert2)) { - int tmp; + gpg_err_code_t tmp; if (!current_time_loaded) { @@ -444,25 +449,31 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, current_time_loaded = 1; } - tmp = - (same_subject_issuer (first_subject, - first_issuer, - cert2) - && ((gpg_err_code ( - secret? gpgsm_cert_use_sign_p (cert2, 0) - : gpgsm_cert_use_encrypt_p (cert2) - ) - ) == GPG_ERR_WRONG_KEY_USAGE - || (gpg_err_code ( + if (same_subject_issuer (first_subject, + first_issuer, + cert2)) + { + tmp = gpg_err_code ( + secret? gpgsm_cert_use_sign_p (cert2, 0) + : gpgsm_cert_use_encrypt_p (cert2) + ) == GPG_ERR_WRONG_KEY_USAGE; + if (!tmp) + { + switch (gpg_err_code ( check_validity_period_cm (current_time, current_time, cert, exp_time, - 0, NULL, 0, 1) - ) == GPG_ERR_CERT_EXPIRED - ) - ) - ); + 0, NULL, 0, 1))) + { + case GPG_ERR_CERT_EXPIRED: + case GPG_ERR_CERT_TOO_YOUNG: tmp = 1; break; + default: tmp = 0; break; + } + } + } + else + tmp = 0; if (tmp) gpgsm_add_cert_to_certlist (ctrl, cert2, @@ -470,7 +481,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, else { if (is_cert_in_certlist (cert2, dup_certs)) - tmp = 1; + tmp = GPG_ERR_TRUE; } ksba_cert_release (cert2);