sm: Optmize clearing of the ephemeral flag.

* kbx/keybox-search.c (keybox_get_cert): Store the blob clags in the cert object. * sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral flag if we know that it is not set. -- GnuPG-bug-id: 7308
2024-12-21 10:09:57 +01:00 · 2024-09-27 15:50:46 +02:00 · 2024-09-27 15:50:46 +02:00 · cb6c506e4e
commit cb6c506e4e
parent ca953ae5f7
2 changed files with 25 additions and 0 deletions
--- a/kbx/keybox-search.c
+++ b/kbx/keybox-search.c
@ -1363,6 +1363,7 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
  size_t cert_off, cert_len;
  ksba_reader_t reader = NULL;
  ksba_cert_t cert = NULL;
+  unsigned int blobflags;
  int rc;

  if (!hd)
@ -1408,6 +1409,17 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
      return gpg_error (GPG_ERR_GENERAL);
    }

+  rc = get_flag_from_image (buffer, length, KEYBOX_FLAG_BLOB, &blobflags);
+  if (!rc)
+    rc = ksba_cert_set_user_data (cert, "keydb.blobflags",
+                                  &blobflags, sizeof blobflags);
+  if (rc)
+    {
+      ksba_cert_release (cert);
+      ksba_reader_release (reader);
+      return gpg_error (rc);
+    }
+
  *r_cert = cert;
  ksba_reader_release (reader);
  return 0;
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -2085,9 +2085,22 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
    {
      gpg_error_t err;
      chain_item_t ci;
+      unsigned int blobflags;
+      size_t userdatalen;

      for (ci = chain; ci; ci = ci->next)
        {
+          /* First do a quick check by looking at the blob flags to
+           * see whether the certificate is flagged ephemeral.  This
+           * avoids the overhead of looking up the certificate again
+           * just to decide that there is no need to clear it.  */
+          if (!ksba_cert_get_user_data (cert, "keydb.blobflags",
+                                        &blobflags, sizeof (blobflags),
+                                        &userdatalen)
+              && userdatalen == sizeof blobflags
+              && !(blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
+            continue;
+
          /* Note that it is possible for the last certificate in the
             chain (i.e. our target certificate) that it has not yet
             been stored in the keybox and thus the flag can't be set.