50
50
static struct marktrusted_info_s *marktrusted_info;
53
/* While running the validation function we want to keep track of the
54
certificates in the chain. This type is used for that. */
57
struct chain_item_s *next;
58
ksba_cert_t cert; /* The certificate. */
59
int is_root; /* The certificate is the root certificate. */
61
typedef struct chain_item_s *chain_item_t;
53
64
static int get_regtp_ca_info (ksba_cert_t cert, int *chainlen);
93
104
LISTMODE is false, use the string to print an log_info or, if
94
105
IS_ERROR is true, and log_error. */
96
do_list (int is_error, int listmode, FILE *fp, const char *format, ...)
107
do_list (int is_error, int listmode, estream_t fp, const char *format, ...)
136
unknown_criticals (ksba_cert_t cert, int listmode, FILE *fp)
147
unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
138
149
static const char *known[] = {
139
150
"2.5.29.15", /* keyUsage */
183
194
BasicConstraints extension. The function returns 0 on success and
184
195
the awlloed length of the chain at CHAINLEN. */
186
allowed_ca (ksba_cert_t cert, int *chainlen, int listmode, FILE *fp)
197
allowed_ca (ksba_cert_t cert, int *chainlen, int listmode, estream_t fp)
225
/* STRING is a line delimited list of certifiate policies as stored
236
/* STRING is a line delimited list of certificate policies as stored
226
237
in the certificate. The line itself is colon delimited where the
227
238
first field is the OID of the policy and the second field either
228
239
N or C for normal or critical extension */
490
501
if (rc == -1 && keyid && !find_next)
492
/* Not found by AIK.issuer_sn. Lets try the AIY.ki
503
/* Not found by AIK.issuer_sn. Lets try the AIK.ki
493
504
instead. Loop over all certificates with that issuer as
494
505
subject and stop for the one with a matching
495
506
subjectKeyIdentifier. */
542
553
rc = keydb_search_subject (kh, issuer);
543
554
if (rc == -1 && !find_next)
545
/* Not found, lets see whether we have one in the ephemeral key DB. */
556
/* Not found, let us see whether we have one in the ephemeral key DB. */
546
557
int old = keydb_set_ephemeral (kh, 1);
602
613
rc = find_up (kh, start, issuer, 0);
605
/* it is quite common not to have a certificate, so better don't
606
print an error here */
616
/* It is quite common not to have a certificate, so better don't
617
print an error here. */
607
618
if (rc != -1 && opt.verbose > 1)
608
619
log_error ("failed to find issuer's certificate: rc=%d\n", rc);
609
620
rc = gpg_error (GPG_ERR_MISSING_CERT);
646
657
/* This is a helper for gpgsm_validate_chain. */
647
658
static gpg_error_t
648
is_cert_still_valid (ctrl_t ctrl, int lm, FILE *fp,
659
is_cert_still_valid (ctrl_t ctrl, int lm, estream_t fp,
649
660
ksba_cert_t subject_cert, ksba_cert_t issuer_cert,
650
661
int *any_revoked, int *any_no_crl, int *any_crl_too_old)
669
680
/* Store that in the keybox so that key listings are
670
681
able to return the revoked flag. We don't care
671
682
about error, though. */
672
keydb_set_cert_flags (subject_cert, KEYBOX_FLAG_VALIDITY, 0,
683
keydb_set_cert_flags (subject_cert, 1, KEYBOX_FLAG_VALIDITY, 0,
684
~0, VALIDITY_REVOKED);
675
686
case GPG_ERR_NO_CRL_KNOWN:
676
687
do_list (1, lm, fp, _("no CRL found for certificate"));
706
717
gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
707
int listmode, FILE *fp, unsigned int flags)
718
int listmode, estream_t fp, unsigned int flags)
709
720
int rc = 0, depth = 0, maxdepth;
710
721
char *issuer = NULL;
722
733
from a qualified root certificate.
723
734
-1 = unknown, 0 = no, 1 = yes. */
724
735
int lm = listmode;
736
chain_item_t chain = NULL; /* A list of all certificates in the chain. */
726
739
gnupg_get_isotime (current_time);
755
768
gpg_error_t istrusted_rc = -1;
756
769
struct rootca_flags_s rootca_flags;
771
/* Put the certificate on our list. */
775
ci = xtrycalloc (1, sizeof *ci);
778
rc = gpg_error_from_syserror ();
781
ksba_cert_ref (subject_cert);
782
ci->cert = subject_cert;
760
789
issuer = ksba_cert_get_issuer (subject_cert, 0);
770
800
/* Is this a self-issued certificate (i.e. the root certificate)? */
771
801
is_root = (subject && !strcmp (issuer, subject));
774
805
/* Check early whether the certificate is listed as trusted.
775
806
We used to do this only later but changed it to call the
776
807
check right here so that we can access special flags
1243
/* If we have traversed a complete chain up to the root we will
1244
reset the ephemeral flag for all these certificates. his is done
1245
regardless of any error because those errors may only be
1247
if (chain && chain->is_root)
1252
for (ci = chain; ci; ci = ci->next)
1254
/* Note that it is possible for the last certificate in the
1255
chain (i.e. our target certificate) that it has not yet
1256
been stored in the keybox and thus the flag can't be set.
1257
We ignore this error becuase it will later be stored
1259
err = keydb_set_cert_flags (ci->cert, 1, KEYBOX_FLAG_BLOB, 0,
1260
KEYBOX_FLAG_BLOB_EPHEMERAL, 0);
1261
if (!ci->next && gpg_err_code (err) == GPG_ERR_NOT_FOUND)
1264
log_error ("clearing ephemeral flag failed: %s\n",
1265
gpg_strerror (err));
1269
/* If we have figured something about the qualified signature
1270
capability of the certificate under question, store the result as
1271
user data in all certificates of the chain. We do this even if the
1272
validation itself failed. */
1212
1273
if (is_qualified != -1)
1214
/* We figured something about the qualified signature capability
1215
of the certificate under question. Store the result as user
1216
data in the certificate object. We do this even if the
1217
validation itself failed. */
1218
/* Fixme: We should set this flag for all certificates in the
1219
chain for optimizing reasons. */
1223
1279
buf[0] = !!is_qualified;
1224
err = ksba_cert_set_user_data (cert, "is_qualified", buf, 1);
1281
for (ci = chain; ci; ci = ci->next)
1227
log_error ("set_user_data(is_qualified) failed: %s\n",
1228
gpg_strerror (err));
1283
err = ksba_cert_set_user_data (ci->cert, "is_qualified", buf, 1);
1286
log_error ("set_user_data(is_qualified) failed: %s\n",
1287
gpg_strerror (err));
1234
1295
gnupg_copy_time (r_exptime, exptime);
1235
1296
xfree (issuer);
1236
1297
xfree (subject);
1237
1298
keydb_release (kh);
1301
chain_item_t ci_next = chain->next;
1302
ksba_cert_release (chain->cert);
1238
1306
ksba_cert_release (issuer_cert);
1239
1307
ksba_cert_release (subject_cert);