diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c
index 303c19b79..ed982cee7 100644
--- a/kbx/keybox-search.c
+++ b/kbx/keybox-search.c
@@ -1363,6 +1363,7 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
   size_t cert_off, cert_len;
   ksba_reader_t reader = NULL;
   ksba_cert_t cert = NULL;
+  unsigned int blobflags;
   int rc;
 
   if (!hd)
@@ -1408,6 +1409,17 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
       return gpg_error (GPG_ERR_GENERAL);
     }
 
+  rc = get_flag_from_image (buffer, length, KEYBOX_FLAG_BLOB, &blobflags);
+  if (!rc)
+    rc = ksba_cert_set_user_data (cert, "keydb.blobflags",
+                                  &blobflags, sizeof blobflags);
+  if (rc)
+    {
+      ksba_cert_release (cert);
+      ksba_reader_release (reader);
+      return gpg_error (rc);
+    }
+
   *r_cert = cert;
   ksba_reader_release (reader);
   return 0;
diff --git a/sm/certchain.c b/sm/certchain.c
index 539280ed1..f115eb96c 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -2085,9 +2085,22 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
     {
       gpg_error_t err;
       chain_item_t ci;
+      unsigned int blobflags;
+      size_t userdatalen;
 
       for (ci = chain; ci; ci = ci->next)
         {
+          /* First do a quick check by looking at the blob flags to
+           * see whether the certificate is flagged ephemeral. This
+           * avoids the overhead of looking up the certificate again
+           * just to decide that there is no need to clear it. */
+          if (!ksba_cert_get_user_data (cert, "keydb.blobflags",
+                                        &blobflags, sizeof (blobflags),
+                                        &userdatalen)
+              && userdatalen == sizeof blobflags
+              && !(blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
+            continue;
+
           /* Note that it is possible for the last certificate in the
            chain (i.e. our target certificate) that it has not yet been
            stored in the keybox and thus the flag can't be set.
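Review bot: The flags stored under "keydb.blobflags" are a snapshot of the keybox record at the moment the certificate object is read, and a consumer that skips work based on them cannot distinguish a current value from a stale one, so the contract should be written down next to the new ksba_cert_set_user_data call, e.g. `/* Cache the blob flags on the certificate object so callers can avoid a second keybox lookup; the value reflects the record at read time and is a hint only.  */`. The new error path also turns a failure to record that hint into a failure of keybox_get_cert itself, which is stricter than the rest of the function needs; if that is intended, a short comment saying so would help the next reader. `gpg_error (rc)` is applied to rc whether it came from get_flag_from_image or from ksba_cert_set_user_data, and if the former returns a bare error code while the latter returns a full error value, the second case has its error source replaced — worth checking which each returns before settling on one conversion. keybox_get_cert's body begins outside the hunk.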
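Review bot: The new quick check in the loop over ci queries the user data of `cert`, the function's target certificate, rather than the chain item it is deciding about, so every item is skipped or kept according to the target's flags instead of its own; with a permanent target and an ephemeral intermediate the intermediate is never cleared, and with an ephemeral target every item takes the slow path. The call should read `if (!ksba_cert_get_user_data (ci->cert, "keydb.blobflags",`, which presumably matches the per-item call on ci->cert that follows outside the hunk. Because the cached flags are a snapshot from read time, the short-circuit is only safe in the direction it is written (skipping when the cached value says "not ephemeral"); a comment noting that the fallthrough re-reads the live record would make that dependency explicit. The mix of `sizeof (blobflags)` and `sizeof blobflags` inside one expression is a small style inconsistency. do_validate_chain and the loop body continue outside the hunk.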