mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-17 14:07:03 +01:00
(compare_certs): New.
(gpgsm_validate_chain): Fixed infinite certificate checks after bad signatures.
This commit is contained in:
parent
bfd5ed026c
commit
cd8531210b
@ -1,3 +1,9 @@
|
||||
2004-02-26 Werner Koch <wk@gnupg.org>
|
||||
|
||||
* certchain.c (compare_certs): New.
|
||||
(gpgsm_validate_chain): Fixed infinite certificate checks after
|
||||
bad signatures.
|
||||
|
||||
2004-02-24 Werner Koch <wk@gnupg.org>
|
||||
|
||||
* keylist.c (list_cert_colon): Print the fingerprint as the
|
||||
|
@ -65,6 +65,22 @@ do_list (int is_error, int listmode, FILE *fp, const char *format, ...)
|
||||
va_end (arg_ptr);
|
||||
}
|
||||
|
||||
/* Return 0 if A and B are equal. */
|
||||
static int
|
||||
compare_certs (ksba_cert_t a, ksba_cert_t b)
|
||||
{
|
||||
const unsigned char *img_a, *img_b;
|
||||
size_t len_a, len_b;
|
||||
|
||||
img_a = ksba_cert_get_image (a, &len_a);
|
||||
if (!img_a)
|
||||
return 1;
|
||||
img_b = ksba_cert_get_image (b, &len_b);
|
||||
if (!img_b)
|
||||
return 1;
|
||||
return !(len_a == len_b && !memcmp (img_a, img_b, len_a));
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
unknown_criticals (ksba_cert_t cert, int listmode, FILE *fp)
|
||||
@ -700,7 +716,6 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
|
||||
goto leave;
|
||||
}
|
||||
|
||||
try_another_cert:
|
||||
ksba_cert_release (issuer_cert); issuer_cert = NULL;
|
||||
rc = keydb_get_cert (kh, &issuer_cert);
|
||||
if (rc)
|
||||
@ -710,6 +725,7 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
|
||||
goto leave;
|
||||
}
|
||||
|
||||
try_another_cert:
|
||||
if (DBG_X509)
|
||||
{
|
||||
log_debug ("got issuer's certificate:\n");
|
||||
@ -722,14 +738,34 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
|
||||
do_list (0, lm, fp, _("certificate has a BAD signature"));
|
||||
if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
|
||||
{
|
||||
/* We now try to find other issuer certificates which
|
||||
might have been used. This is rquired because some
|
||||
CAs are reusing the issuer and subject DN for new
|
||||
root certificates. */
|
||||
rc = find_up (kh, subject_cert, issuer, 1);
|
||||
if (!rc)
|
||||
{
|
||||
ksba_cert_t tmp_cert;
|
||||
|
||||
rc = keydb_get_cert (kh, &tmp_cert);
|
||||
if (rc || !compare_certs (issuer_cert, tmp_cert))
|
||||
{
|
||||
/* The find next did not work or returned an
|
||||
identical certificate. We better stop here
|
||||
to avoid infinite checks. */
|
||||
rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
|
||||
ksba_cert_release (tmp_cert);
|
||||
}
|
||||
else
|
||||
{
|
||||
do_list (0, lm, fp, _("found another possible matching "
|
||||
"CA certificate - trying again"));
|
||||
ksba_cert_release (issuer_cert);
|
||||
issuer_cert = tmp_cert;
|
||||
goto try_another_cert;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* We give a more descriptive error code than the one
|
||||
returned from the signature checking. */
|
||||
|
Loading…
x
Reference in New Issue
Block a user