mirror of git://git.gnupg.org/gnupg.git
Fixed aegypten bug 299
This commit is contained in:
Werner Koch
parent
694dcf5d35
commit
d7160c2e34
|
|
@ -1,3 +1,10 @@
|
||||||
|
2006-10-16 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* certchain.c (already_asked_marktrusted)
|
||||||
|
(set_already_asked_marktrusted): New.
|
||||||
|
(gpgsm_validate_chain) <not trusted>: Keep track of certificates
|
||||||
|
we already asked for.
|
||||||
|
|
||||||
2006-10-11 Werner Koch <wk@g10code.com>
|
2006-10-11 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
* certreqgen.c (proc_parameters, create_request): Allow for
|
* certreqgen.c (proc_parameters, create_request): Allow for
|
||||||
|
|
|
||||||
|
|
@ -41,9 +41,53 @@
|
||||||
#include "i18n.h"
|
#include "i18n.h"
|
||||||
|
|
||||||
|
|
||||||
|
/* Object to keep track of certain root certificates. */
|
||||||
|
struct marktrusted_info_s
|
||||||
|
{
|
||||||
|
struct marktrusted_info_s *next;
|
||||||
|
unsigned char fpr[20];
|
||||||
|
};
|
||||||
|
static struct marktrusted_info_s *marktrusted_info;
|
||||||
|
|
||||||
|
|
||||||
static int get_regtp_ca_info (ksba_cert_t cert, int *chainlen);
|
static int get_regtp_ca_info (ksba_cert_t cert, int *chainlen);
|
||||||
|
|
||||||
|
|
||||||
|
/* This function returns true if we already asked during this session
|
||||||
|
whether the root certificate CERT shall be marked as trusted. */
|
||||||
|
static int
|
||||||
|
already_asked_marktrusted (ksba_cert_t cert)
|
||||||
|
{
|
||||||
|
unsigned char fpr[20];
|
||||||
|
struct marktrusted_info_s *r;
|
||||||
|
|
||||||
|
gpgsm_get_fingerprint (cert, GCRY_MD_SHA1, fpr, NULL);
|
||||||
|
/* No context switches in the loop! */
|
||||||
|
for (r=marktrusted_info; r; r= r->next)
|
||||||
|
if (!memcmp (r->fpr, fpr, 20))
|
||||||
|
return 1;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Flag certificate CERT as already asked whether it shall be marked
|
||||||
|
as trusted. */
|
||||||
|
static void
|
||||||
|
set_already_asked_marktrusted (ksba_cert_t cert)
|
||||||
|
{
|
||||||
|
unsigned char fpr[20];
|
||||||
|
struct marktrusted_info_s *r;
|
||||||
|
|
||||||
|
gpgsm_get_fingerprint (cert, GCRY_MD_SHA1, fpr, NULL);
|
||||||
|
for (r=marktrusted_info; r; r= r->next)
|
||||||
|
if (!memcmp (r->fpr, fpr, 20))
|
||||||
|
return; /* Already marked. */
|
||||||
|
r = xtrycalloc (1, sizeof *r);
|
||||||
|
if (!r)
|
||||||
|
return;
|
||||||
|
memcpy (r->fpr, fpr, 20);
|
||||||
|
r->next = marktrusted_info;
|
||||||
|
marktrusted_info = r;
|
||||||
|
}
|
||||||
|
|
||||||
/* If LISTMODE is true, print FORMAT using LISTMODE to FP. If
|
/* If LISTMODE is true, print FORMAT using LISTMODE to FP. If
|
||||||
LISTMODE is false, use the string to print an log_info or, if
|
LISTMODE is false, use the string to print an log_info or, if
|
||||||
|
|
@ -883,28 +927,51 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
|
||||||
expired it does not make much sense to ask the user
|
expired it does not make much sense to ask the user
|
||||||
whether we wants to trust the root certificate. He
|
whether we wants to trust the root certificate. He
|
||||||
should do this only if the certificate under question
|
should do this only if the certificate under question
|
||||||
will then be usable. */
|
will then be usable. We also check whether the agent
|
||||||
if (!lm && !any_expired)
|
is at all enabled to allo marktrusted and don't call
|
||||||
|
it in this session again if it is not. */
|
||||||
|
if ( !any_expired
|
||||||
|
&& (!lm || !already_asked_marktrusted (subject_cert)))
|
||||||
{
|
{
|
||||||
|
static int no_more_questions; /* during this session. */
|
||||||
int rc2;
|
int rc2;
|
||||||
char *fpr = gpgsm_get_fingerprint_string (subject_cert,
|
char *fpr = gpgsm_get_fingerprint_string (subject_cert,
|
||||||
GCRY_MD_SHA1);
|
GCRY_MD_SHA1);
|
||||||
log_info (_("fingerprint=%s\n"), fpr? fpr : "?");
|
log_info (_("fingerprint=%s\n"), fpr? fpr : "?");
|
||||||
xfree (fpr);
|
xfree (fpr);
|
||||||
rc2 = gpgsm_agent_marktrusted (ctrl, subject_cert);
|
if (no_more_questions)
|
||||||
|
rc2 = gpg_error (GPG_ERR_NOT_SUPPORTED);
|
||||||
|
else
|
||||||
|
rc2 = gpgsm_agent_marktrusted (ctrl, subject_cert);
|
||||||
if (!rc2)
|
if (!rc2)
|
||||||
{
|
{
|
||||||
log_info (_("root certificate has now"
|
log_info (_("root certificate has now"
|
||||||
" been marked as trusted\n"));
|
" been marked as trusted\n"));
|
||||||
rc = 0;
|
rc = 0;
|
||||||
}
|
}
|
||||||
else
|
else if (!lm)
|
||||||
{
|
{
|
||||||
gpgsm_dump_cert ("issuer", subject_cert);
|
gpgsm_dump_cert ("issuer", subject_cert);
|
||||||
log_info ("after checking the fingerprint, you may want "
|
log_info ("after checking the fingerprint, you may want "
|
||||||
"to add it manually to the list of trusted "
|
"to add it manually to the list of trusted "
|
||||||
"certificates.\n");
|
"certificates.\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (gpg_err_code (rc2) == GPG_ERR_NOT_SUPPORTED)
|
||||||
|
{
|
||||||
|
if (!no_more_questions)
|
||||||
|
log_info (_("interactive marking as trusted "
|
||||||
|
"not enabled in gpg-agent\n"));
|
||||||
|
no_more_questions = 1;
|
||||||
|
}
|
||||||
|
else if (gpg_err_code (rc2) == GPG_ERR_CANCELED)
|
||||||
|
{
|
||||||
|
log_info (_("interactive marking as trusted "
|
||||||
|
"disabled for this session\n"));
|
||||||
|
no_more_questions = 1;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
set_already_asked_marktrusted (subject_cert);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue