dimngr: Do not check the self-signature of a root CA cert.

* dirmngr/validate.c (validate_cert_chain): Comment out that code.
Werner Koch 2022-02-27 12:11:23 +01:00
parent de87c8e1ea
commit b901e63b4d
GPG Key ID: E3FDFF218E45B72B
1 changed files with 8 additions and 8 deletions


@ -551,14 +551,14 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
/* Is this a self-signed certificate? */ /* Is this a self-signed certificate? */
if (is_root_cert (subject_cert, issuer, subject)) if (is_root_cert (subject_cert, issuer, subject))
{ {
/* Yes, this is our trust anchor. */ /* There is no need to check the signature of the trust anchor. */
if (check_cert_sig (subject_cert, subject_cert) ) /* if (check_cert_sig (subject_cert, subject_cert) ) */
{ /* { */
log_error (_("selfsigned certificate has a BAD signature")); /* log_error (_("selfsigned certificate has a BAD signature")); */
err = gpg_error (depth? GPG_ERR_BAD_CERT_CHAIN /* err = gpg_error (depth? GPG_ERR_BAD_CERT_CHAIN */
: GPG_ERR_BAD_CERT); /* : GPG_ERR_BAD_CERT); */
goto leave; /* goto leave; */
} /* } */
/* Is this certificate allowed to act as a CA. */ /* Is this certificate allowed to act as a CA. */
err = allowed_ca (subject_cert, NULL); err = allowed_ca (subject_cert, NULL);
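Review bot: With the self-signature check commented out in the `is_root_cert` branch, nothing visible in this hunk cryptographically binds a root certificate to its key, so acceptance rests entirely on whatever trust-anchor lookup follows `allowed_ca` outside the hunk. That is sound only if every path through this branch matches the certificate against the configured trust store by fingerprint or full content rather than by issuer/subject name, which is all `is_root_cert` appears to receive here; this needs confirming, since the branch continues past the end of the hunk. I would state the dependency in the new comment, e.g. `/* The self-signature is not checked; trust must come only from the trusted-root lookup that follows. */`. The commented-out block should be deleted rather than kept as dead code, because the history already records it.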