security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-11 22:01:08 +02:00
Code Activity

gpgsm: Fix error message if all selected certificates are expired.

Browse Source 
* sm/certlist.c (gpgsm_add_to_certlist): Track expired error.  Make
the expired check easier to read by using if and case.
--

Original ChangeLog:
  If all selected certificates are expired, don't mislead the user
  saying that no certificate was found. Instead, return the error
  of the first certificate selected.

  * sm/certlist.c: if one expired certificate was found, don't return
    no certificate found, return instead the expiration error

I heavily changed Ramon's original patch and hope that I don't
introduced a regression to his patch. - wk@gnupg.org
This commit is contained in:
Ramón García 2025-03-18 12:14:50 +01:00 committed by Werner Koch
parent 53f5aad905
commit ad8bce774d
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 28 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
sm/certlist.c
View File

@ -350,6 +350,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
else else
{ {
int wrong_usage = 0; int wrong_usage = 0;
int expired_rc = 0;
char *first_subject = NULL; char *first_subject = NULL;
char *first_issuer = NULL; char *first_issuer = NULL;
@ -398,6 +399,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED else if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED
|| gpg_err_code (rc) == GPG_ERR_CERT_TOO_YOUNG) || gpg_err_code (rc) == GPG_ERR_CERT_TOO_YOUNG)
{ {
if (!expired_rc)
expired_rc = rc;
ksba_cert_release (cert); ksba_cert_release (cert);
cert = NULL; cert = NULL;
log_info (_("looking for another certificate\n")); log_info (_("looking for another certificate\n"));
@ -407,6 +410,8 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
/* We want the error code from the first match in this case. */ /* We want the error code from the first match in this case. */
if (rc && wrong_usage) if (rc && wrong_usage)
rc = wrong_usage; rc = wrong_usage;
else if (rc && expired_rc)
rc = expired_rc;
if (!rc) if (!rc)
{ {
@ -436,7 +441,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
keybox). */ keybox). */
if (!keydb_get_cert (kh, &cert2)) if (!keydb_get_cert (kh, &cert2))
{ {
int tmp; gpg_err_code_t tmp;
if (!current_time_loaded) if (!current_time_loaded)
{ {
@ -444,25 +449,31 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
current_time_loaded = 1; current_time_loaded = 1;
} }
tmp = if (same_subject_issuer (first_subject,
(same_subject_issuer (first_subject, first_issuer,
first_issuer, cert2))
cert2) {
&& ((gpg_err_code ( tmp = gpg_err_code (
secret? gpgsm_cert_use_sign_p (cert2, 0) secret? gpgsm_cert_use_sign_p (cert2, 0)
: gpgsm_cert_use_encrypt_p (cert2) : gpgsm_cert_use_encrypt_p (cert2)
) ) == GPG_ERR_WRONG_KEY_USAGE;
) == GPG_ERR_WRONG_KEY_USAGE if (!tmp)
|| (gpg_err_code ( {
switch (gpg_err_code (
check_validity_period_cm (current_time, check_validity_period_cm (current_time,
current_time, current_time,
cert, cert,
exp_time, exp_time,
0, NULL, 0, 1) 0, NULL, 0, 1)))
) == GPG_ERR_CERT_EXPIRED {
) case GPG_ERR_CERT_EXPIRED:
) case GPG_ERR_CERT_TOO_YOUNG: tmp = 1; break;
); default: tmp = 0; break;
}
}
}
else
tmp = 0;
if (tmp) if (tmp)
gpgsm_add_cert_to_certlist (ctrl, cert2, gpgsm_add_cert_to_certlist (ctrl, cert2,
@ -470,7 +481,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
else else
{ {
if (is_cert_in_certlist (cert2, dup_certs)) if (is_cert_in_certlist (cert2, dup_certs))
tmp = 1; tmp = GPG_ERR_TRUE;
} }
ksba_cert_release (cert2); ksba_cert_release (cert2);