[PATCH gnupg 3/4] Avoid increasing error count when enumerating an expired certificate.
Ramón García
ramon.garcia.f at gmail.com
Sun Feb 16 23:07:48 CET 2025
* sm/gpgsh.h sm/certchain.c: Add a parameter to check_validity_period_cm
to prevent generation of errors that cause the program to abort later.
* sm/certlist.c: Request check_validity_period_cm not to generate an
error when a certificate expiration is checked.
---
sm/certchain.c | 96 ++++++++++++++++++++++++++++----------------------
sm/certlist.c | 4 +--
sm/gpgsm.h | 2 +-
3 files changed, 57 insertions(+), 45 deletions(-)
diff --git a/sm/certchain.c b/sm/certchain.c
index 01ccac907..f755b9997 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1438,7 +1438,7 @@ check_validity_period_cm (ksba_isotime_t current_time,
ksba_isotime_t check_time,
ksba_cert_t subject_cert,
ksba_isotime_t exptime,
- int listmode, estream_t listfp, int depth)
+ int listmode, estream_t listfp, int depth,
int dont_log_expired)
{
gpg_error_t err;
ksba_isotime_t not_before, not_after;
@@ -1454,22 +1454,28 @@ check_validity_period_cm (ksba_isotime_t current_time,
}
if (!*not_before || !*not_after)
{
- do_list (1, listmode, listfp,
- _("required certificate attributes missing: %s%s%s"),
- !*not_before? "notBefore":"",
- (!*not_before && !*not_after)? ", ":"",
- !*not_before? "notAfter":"");
+ if (!dont_log_expired)
+ {
+ do_list (1, listmode, listfp,
+ _("required certificate attributes missing: %s%s%s"),
+ !*not_before? "notBefore":"",
+ (!*not_before && !*not_after)? ", ":"",
+ !*not_before? "notAfter":"");
+ }
return gpg_error (GPG_ERR_BAD_CERT);
}
if (strcmp (not_before, not_after) > 0 )
{
- do_list (1, listmode, listfp,
- _("certificate with invalid validity"));
- log_info (" (valid from ");
- dump_isotime (not_before);
- log_printf (" expired at ");
- dump_isotime (not_after);
- log_printf (")\n");
+ if (!dont_log_expired)
+ {
+ do_list (1, listmode, listfp,
+ _("certificate with invalid validity"));
+ log_info (" (valid from ");
+ dump_isotime (not_before);
+ log_printf (" expired at ");
+ dump_isotime (not_after);
+ log_printf (")\n");
+ }
return gpg_error (GPG_ERR_BAD_CERT);
}
@@ -1480,15 +1486,18 @@ check_validity_period_cm (ksba_isotime_t current_time,
if (strcmp (current_time, not_before) < 0 )
{
- do_list (1, listmode, listfp,
- depth == 0 ? _("certificate not yet valid") :
- depth == -1 ? _("root certificate not yet valid") :
- /* other */ _("intermediate certificate not yet valid"));
- if (!listmode)
+ if (!dont_log_expired)
{
- log_info (" (valid from ");
- dump_isotime (not_before);
- log_printf (")\n");
+ do_list (1, listmode, listfp,
+ depth == 0 ? _("certificate not yet valid") :
+ depth == -1 ? _("root certificate not yet valid") :
+ /* other */ _("intermediate certificate not yet valid"));
+ if (!listmode)
+ {
+ log_info (" (valid from ");
+ dump_isotime (not_before);
+ log_printf (")\n");
+ }
}
return gpg_error (GPG_ERR_CERT_TOO_YOUNG);
}
@@ -1497,27 +1506,30 @@ check_validity_period_cm (ksba_isotime_t current_time,
&& (strcmp (check_time, not_before) < 0
|| strcmp (check_time, not_after) > 0))
{
- /* Note that we don't need a case for the root certificate
- because its own consistency has already been checked. */
- do_list(opt.ignore_expiration?0:1, listmode, listfp,
- depth == 0 ?
- _("signature not created during lifetime of certificate") :
- depth == 1 ?
- _("certificate not created during lifetime of issuer") :
- _("intermediate certificate not created during lifetime "
- "of issuer"));
- if (!listmode)
+ if (!dont_log_expired)
{
- log_info (depth== 0? _(" ( signature created at ") :
- /* */ _(" (certificate created at ") );
- dump_isotime (check_time);
- log_printf (")\n");
- log_info (depth==0? _(" (certificate valid from ") :
- /* */ _(" ( issuer valid from ") );
- dump_isotime (not_before);
- log_info (" to ");
- dump_isotime (not_after);
- log_printf (")\n");
+ /* Note that we don't need a case for the root certificate
+ because its own consistency has already been checked. */
+ do_list(opt.ignore_expiration?0:1, listmode, listfp,
+ depth == 0 ?
+ _("signature not created during lifetime of certificate") :
+ depth == 1 ?
+ _("certificate not created during lifetime of issuer") :
+ _("intermediate certificate not created during lifetime "
+ "of issuer"));
+ if (!listmode)
+ {
+ log_info (depth== 0? _(" ( signature created at ") :
+ /* */ _(" (certificate created at ") );
+ dump_isotime (check_time);
+ log_printf (")\n");
+ log_info (depth==0? _(" (certificate valid from ") :
+ /* */ _(" ( issuer valid from ") );
+ dump_isotime (not_before);
+ log_info (" to ");
+ dump_isotime (not_after);
+ log_printf (")\n");
+ }
}
if (opt.ignore_expiration)
log_info ("WARNING: ignoring expiration\n");
@@ -1737,7 +1749,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t
cert, ksba_isotime_t checktime_arg,
if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) )
rc = check_validity_period_cm (current_time, check_time, subject_cert,
exptime, listmode, listfp,
- (depth && is_root)? -1: depth);
+ (depth && is_root)? -1: depth, 0);
else
rc = check_validity_period (current_time, subject_cert,
exptime, listmode, listfp,
diff --git a/sm/certlist.c b/sm/certlist.c
index a343efe64..c868d378b 100644
--- a/sm/certlist.c
+++ b/sm/certlist.c
@@ -377,7 +377,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char
*name, int secret,
current_time_loaded = 1;
}
rc = check_validity_period_cm (current_time, current_time,
- cert, exp_time, 0, NULL, 0);
+ cert, exp_time, 0,
NULL, 0, 1);
}
if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
{
@@ -454,7 +454,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char
*name, int secret,
check_validity_period_cm (current_time,
current_time, cert,
exp_time, 0, NULL,
- 0))
+ 0, 1))
== GPG_ERR_CERT_EXPIRED));
if (tmp)
gpgsm_add_cert_to_certlist (ctrl, cert2,
&dup_certs, 0);
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 36d5b99e7..cb5269c74 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -445,7 +445,7 @@ gpg_error_t check_validity_period_cm
(ksba_isotime_t current_time,
ksba_isotime_t check_time,
ksba_cert_t subject_cert,
ksba_isotime_t exptime,
- int listmode, estream_t listfp, int depth);
+ int listmode, estream_t listfp, int depth,
int dont_log_expired);
int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);
/*-- certlist.c --*/
--
2.43.0
More information about the Gnupg-devel
mailing list