dimngr: Do not check the self-signature of a root CA cert.

* dirmngr/validate.c (validate_cert_chain): Comment out that code.
Werner Koch 2022-02-27 12:11:23 +01:00
parent de87c8e1ea
commit b901e63b4d
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 8 additions and 8 deletions


@ -551,14 +551,14 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
/* Is this a self-signed certificate? */
if (is_root_cert (subject_cert, issuer, subject))
{
/* Yes, this is our trust anchor. */
if (check_cert_sig (subject_cert, subject_cert) )
{
log_error (_("selfsigned certificate has a BAD signature"));
err = gpg_error (depth? GPG_ERR_BAD_CERT_CHAIN
: GPG_ERR_BAD_CERT);
goto leave;
}
/* There is no need to check the signature of the trust anchor. */
/* if (check_cert_sig (subject_cert, subject_cert) ) */
/* { */
/* log_error (_("selfsigned certificate has a BAD signature")); */
/* err = gpg_error (depth? GPG_ERR_BAD_CERT_CHAIN */
/* : GPG_ERR_BAD_CERT); */
/* goto leave; */
/* } */
/* Is this certificate allowed to act as a CA. */
err = allowed_ca (subject_cert, NULL);
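Review bot: The replacement comment in the `is_root_cert` branch says the trust anchor's signature needs no check but does not say what establishes trust in its place, and after this change the only check on the root visible in the hunk is `allowed_ca`. If the root is matched against the configured trusted certificates elsewhere in validate_cert_chain (outside this hunk, so an assumption to confirm), the comment should name that check, e.g. `/* The self-signature adds no assurance; a root is accepted only via the trusted-certificate check. */`. A root whose self-signature is damaged or uses an unsupported algorithm will also no longer produce the "selfsigned certificate has a BAD signature" diagnostic, which is worth noting in the commit description for anyone relying on that log line. I would delete the seven commented-out lines rather than keep them as dead code, since history preserves them and a disabled verification call is easy to misread in a later audit. The body of validate_cert_chain starts before and continues after the hunk.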