From cb6c506e4e41e174411669c880eedc8a8790430c Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 27 Sep 2024 15:50:46 +0200
Subject: [PATCH] sm: Optmize clearing of the ephemeral flag.

* kbx/keybox-search.c (keybox_get_cert): Store the blob clags in the cert object.
* sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral flag if we know that it is not set.
--
GnuPG-bug-id: 7308
---
 kbx/keybox-search.c | 12 ++++++++++++
 sm/certchain.c | 13 +++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c
index 303c19b79..ed982cee7 100644
--- a/kbx/keybox-search.c
+++ b/kbx/keybox-search.c
@@ -1363,6 +1363,7 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
 size_t cert_off, cert_len;
 ksba_reader_t reader = NULL;
 ksba_cert_t cert = NULL;
+ unsigned int blobflags;
 int rc;
 
 if (!hd)
@@ -1408,6 +1409,17 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
 return gpg_error (GPG_ERR_GENERAL);
 }
 
+ rc = get_flag_from_image (buffer, length, KEYBOX_FLAG_BLOB, &blobflags);
+ if (!rc)
+ rc = ksba_cert_set_user_data (cert, "keydb.blobflags",
+ &blobflags, sizeof blobflags);
+ if (rc)
+ {
+ ksba_cert_release (cert);
+ ksba_reader_release (reader);
+ return gpg_error (rc);
+ }
+
 *r_cert = cert;
 ksba_reader_release (reader);
 return 0;
diff --git a/sm/certchain.c b/sm/certchain.c
index 539280ed1..f115eb96c 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
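Review bot: In the second keybox-search.c hunk the status of `get_flag_from_image` and the gpg_error_t returned by `ksba_cert_set_user_data` are funnelled through the same `rc` and both wrapped with `gpg_error (rc)`; if the flag helper reports "not found" as a plain non-zero status rather than a gpg error code (its convention is not visible in the hunk), that turns into an unrelated error code and a blob that merely lacks the flag word now makes keybox_get_cert fail where it previously returned the certificate. Since the consumer in sm/certchain.c already falls back to the full keybox lookup when the "keydb.blobflags" user data is absent, a lookup failure could simply skip the caching instead, e.g. `rc = 0;` / `if (!get_flag_from_image (buffer, length, KEYBOX_FLAG_BLOB, &blobflags))` / `rc = ksba_cert_set_user_data (cert, "keydb.blobflags", &blobflags, sizeof blobflags);` so that only the set_user_data error remains fatal. If a missing flag word can only mean a malformed blob and failing the lookup is intended, a one-line comment above the call saying so would make the new failure path self-explanatory. The cleanup itself is complete: both cert and reader are released on the new error path, and the blobflags size stored here matches the `userdatalen == sizeof blobflags` check on the reading side.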
@@ -2085,9 +2085,22 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
 {
 gpg_error_t err;
 chain_item_t ci;
+ unsigned int blobflags;
+ size_t userdatalen;
 
 for (ci = chain; ci; ci = ci->next)
 {
+ /* First do a quick check by looking at the blob flags to
+ * see whether the certificate is flagged ephemeral. This
+ * avoids the overhead of looking up the certificate again
+ * just to decide that there is no need to clear it. */
+ if (!ksba_cert_get_user_data (cert, "keydb.blobflags",
+ &blobflags, sizeof (blobflags),
+ &userdatalen)
+ && userdatalen == sizeof blobflags
+ && !(blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
+ continue;
+
 /* Note that it is possible for the last certificate in the chain (i.e. our target certificate) that it has not yet been stored in the keybox and thus the flag can't be set.
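Review bot: The quick check added inside the `for (ci = chain; ci; ci = ci->next)` loop reads the blob flags of `cert`, the target certificate passed to do_validate_chain, rather than of the chain item being iterated, so the same answer is computed on every pass and the skip decision is made for the wrong certificate: when the target is not flagged ephemeral every issuer in the chain is skipped, including ones whose ephemeral flag still needs clearing, and when it is flagged nothing is ever skipped. Assuming the loop body below the hunk clears the flag on the chain item's certificate (it is outside the hunk), the lookup should be `if (!ksba_cert_get_user_data (ci->cert, "keydb.blobflags",` with the remaining lines unchanged. Certificates that did not come through keybox_get_cert carry no "keydb.blobflags" user data and fall through to the existing slow path, which preserves the not-yet-stored target case the comment below describes. do_validate_chain starts and ends outside the hunk.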