New "relax" option for trustlist.txt

2025-07-02 22:46:30 +02:00 · 2006-09-25 18:29:20 +00:00 · 2006-09-25 18:29:20 +00:00 · d94faf4a3d
commit d94faf4a3d
parent f9ff194bc2
42 changed files with 952 additions and 740 deletions
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -117,12 +117,21 @@ unknown_criticals (ksba_cert_t cert, int listmode, FILE *fp)
          rc = gpg_error (GPG_ERR_UNSUPPORTED_CERT);
        }
    }
-  if (err && gpg_err_code (err) != GPG_ERR_EOF)
+  /* We ignore the error codes EOF as well as no-value. The later will
+     occur for certificates with no extensions at all. */
+  if (err
+      && gpg_err_code (err) != GPG_ERR_EOF
+      && gpg_err_code (err) != GPG_ERR_NO_VALUE)
    rc = err;

  return rc;
 }

+
+/* Check whether CERT is an allowed certificate.  This requires that
+   CERT matches all requirements for such a CA, i.e. the
+   BasicConstraints extension.  The function returns 0 on success and
+   the awlloed length of the chain at CHAINLEN. */
 static int
 allowed_ca (ksba_cert_t cert, int *chainlen, int listmode, FILE *fp)
 {
@ -773,6 +782,19 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
      /* Is this a self-issued certificate? */
      if (subject && !strcmp (issuer, subject))
        {  /* Yes. */
+          gpg_error_t istrusted_rc;
+          struct rootca_flags_s rootca_flags;
+
+          /* Check early whether the certificate is listed as trusted.
+             We used to do this only later but changed it to call the
+             check right here so that we can access special flags
+             associated with that specific root certificate.  */
+          istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert,
+                                                &rootca_flags);
+
+          /* Note, that we could save the following signature check
+             because nobody would be so dump to set up a faked chain
+             and fail in creating a valid self-signed certificate. */
          if (gpgsm_check_cert_sig (subject_cert, subject_cert) )
            {
              do_list (1, lm, fp,
@ -785,10 +807,13 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
                                   : GPG_ERR_BAD_CERT);
              goto leave;
            }
-          rc = allowed_ca (subject_cert, NULL, listmode, fp);
-          if (rc)
-            goto leave;
-
+          if (!rootca_flags.relax)
+            {
+              rc = allowed_ca (subject_cert, NULL, listmode, fp);
+              if (rc)
+                goto leave;
+            }
+              
          
          /* Set the flag for qualified signatures.  This flag is
             deduced from a list of root certificates allowed for
@ -835,8 +860,8 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
            }


-          /* Check whether we really trust this root certificate. */
-          rc = gpgsm_agent_istrusted (ctrl, subject_cert);
+          /* Act on the check for a trusted root certificates. */
+          rc = istrusted_rc;
          if (!rc)
            ;
          else if (gpg_err_code (rc) == GPG_ERR_NOT_TRUSTED)
@ -882,7 +907,7 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
          /* Check for revocations etc. */
          if ((flags & 1))
            ;
-          else if (opt.no_trusted_cert_crl_check)
+          else if (opt.no_trusted_cert_crl_check || rootca_flags.relax)
            ; 
          else
            rc = is_cert_still_valid (ctrl, lm, fp,