1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

Fixed aegypten bug 299

This commit is contained in:
Werner Koch 2006-10-16 17:33:03 +00:00
parent 694dcf5d35
commit d7160c2e34
2 changed files with 78 additions and 4 deletions

View File

@ -1,3 +1,10 @@
2006-10-16 Werner Koch <wk@g10code.com>
* certchain.c (already_asked_marktrusted)
(set_already_asked_marktrusted): New.
(gpgsm_validate_chain) <not trusted>: Keep track of certificates
we already asked for.
2006-10-11 Werner Koch <wk@g10code.com> 2006-10-11 Werner Koch <wk@g10code.com>
* certreqgen.c (proc_parameters, create_request): Allow for * certreqgen.c (proc_parameters, create_request): Allow for

View File

@ -41,9 +41,53 @@
#include "i18n.h" #include "i18n.h"
/* Object to keep track of certain root certificates. */
struct marktrusted_info_s
{
struct marktrusted_info_s *next;
unsigned char fpr[20];
};
static struct marktrusted_info_s *marktrusted_info;
static int get_regtp_ca_info (ksba_cert_t cert, int *chainlen); static int get_regtp_ca_info (ksba_cert_t cert, int *chainlen);
/* This function returns true if we already asked during this session
whether the root certificate CERT shall be marked as trusted. */
static int
already_asked_marktrusted (ksba_cert_t cert)
{
unsigned char fpr[20];
struct marktrusted_info_s *r;
gpgsm_get_fingerprint (cert, GCRY_MD_SHA1, fpr, NULL);
/* No context switches in the loop! */
for (r=marktrusted_info; r; r= r->next)
if (!memcmp (r->fpr, fpr, 20))
return 1;
return 0;
}
/* Flag certificate CERT as already asked whether it shall be marked
as trusted. */
static void
set_already_asked_marktrusted (ksba_cert_t cert)
{
unsigned char fpr[20];
struct marktrusted_info_s *r;
gpgsm_get_fingerprint (cert, GCRY_MD_SHA1, fpr, NULL);
for (r=marktrusted_info; r; r= r->next)
if (!memcmp (r->fpr, fpr, 20))
return; /* Already marked. */
r = xtrycalloc (1, sizeof *r);
if (!r)
return;
memcpy (r->fpr, fpr, 20);
r->next = marktrusted_info;
marktrusted_info = r;
}
/* If LISTMODE is true, print FORMAT using LISTMODE to FP. If /* If LISTMODE is true, print FORMAT using LISTMODE to FP. If
LISTMODE is false, use the string to print an log_info or, if LISTMODE is false, use the string to print an log_info or, if
@ -883,14 +927,21 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
expired it does not make much sense to ask the user expired it does not make much sense to ask the user
whether we wants to trust the root certificate. He whether we wants to trust the root certificate. He
should do this only if the certificate under question should do this only if the certificate under question
will then be usable. */ will then be usable. We also check whether the agent
if (!lm && !any_expired) is at all enabled to allo marktrusted and don't call
it in this session again if it is not. */
if ( !any_expired
&& (!lm || !already_asked_marktrusted (subject_cert)))
{ {
static int no_more_questions; /* during this session. */
int rc2; int rc2;
char *fpr = gpgsm_get_fingerprint_string (subject_cert, char *fpr = gpgsm_get_fingerprint_string (subject_cert,
GCRY_MD_SHA1); GCRY_MD_SHA1);
log_info (_("fingerprint=%s\n"), fpr? fpr : "?"); log_info (_("fingerprint=%s\n"), fpr? fpr : "?");
xfree (fpr); xfree (fpr);
if (no_more_questions)
rc2 = gpg_error (GPG_ERR_NOT_SUPPORTED);
else
rc2 = gpgsm_agent_marktrusted (ctrl, subject_cert); rc2 = gpgsm_agent_marktrusted (ctrl, subject_cert);
if (!rc2) if (!rc2)
{ {
@ -898,13 +949,29 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
" been marked as trusted\n")); " been marked as trusted\n"));
rc = 0; rc = 0;
} }
else else if (!lm)
{ {
gpgsm_dump_cert ("issuer", subject_cert); gpgsm_dump_cert ("issuer", subject_cert);
log_info ("after checking the fingerprint, you may want " log_info ("after checking the fingerprint, you may want "
"to add it manually to the list of trusted " "to add it manually to the list of trusted "
"certificates.\n"); "certificates.\n");
} }
if (gpg_err_code (rc2) == GPG_ERR_NOT_SUPPORTED)
{
if (!no_more_questions)
log_info (_("interactive marking as trusted "
"not enabled in gpg-agent\n"));
no_more_questions = 1;
}
else if (gpg_err_code (rc2) == GPG_ERR_CANCELED)
{
log_info (_("interactive marking as trusted "
"disabled for this session\n"));
no_more_questions = 1;
}
else
set_already_asked_marktrusted (subject_cert);
} }
} }
else else