38
38
#include "../kbx/keybox.h" /* for KEYBOX_FLAG_* */
43
/* Object to keep track of certain root certificates. */
44
struct marktrusted_info_s
46
struct marktrusted_info_s *next;
47
unsigned char fpr[20];
49
static struct marktrusted_info_s *marktrusted_info;
52
/* While running the validation function we want to keep track of the
53
certificates in the chain. This type is used for that. */
56
struct chain_item_s *next;
57
ksba_cert_t cert; /* The certificate. */
58
int is_root; /* The certificate is the root certificate. */
60
typedef struct chain_item_s *chain_item_t;
63
static int is_root_cert (ksba_cert_t cert,
64
const char *issuerdn, const char *subjectdn);
65
static int get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen);
68
/* This function returns true if we already asked during this session
69
whether the root certificate CERT shall be marked as trusted. */
71
already_asked_marktrusted (ksba_cert_t cert)
73
unsigned char fpr[20];
74
struct marktrusted_info_s *r;
76
gpgsm_get_fingerprint (cert, GCRY_MD_SHA1, fpr, NULL);
77
/* No context switches in the loop! */
78
for (r=marktrusted_info; r; r= r->next)
79
if (!memcmp (r->fpr, fpr, 20))
84
/* Flag certificate CERT as already asked whether it shall be marked
87
set_already_asked_marktrusted (ksba_cert_t cert)
89
unsigned char fpr[20];
90
struct marktrusted_info_s *r;
92
gpgsm_get_fingerprint (cert, GCRY_MD_SHA1, fpr, NULL);
93
for (r=marktrusted_info; r; r= r->next)
94
if (!memcmp (r->fpr, fpr, 20))
95
return; /* Already marked. */
96
r = xtrycalloc (1, sizeof *r);
99
memcpy (r->fpr, fpr, 20);
100
r->next = marktrusted_info;
101
marktrusted_info = r;
42
104
/* If LISTMODE is true, print FORMAT using LISTMODE to FP. If
43
105
LISTMODE is false, use the string to print an log_info or, if
44
106
IS_ERROR is true, and log_error. */
46
do_list (int is_error, int listmode, FILE *fp, const char *format, ...)
108
do_list (int is_error, int listmode, estream_t fp, const char *format, ...)
86
unknown_criticals (ksba_cert_t cert, int listmode, FILE *fp)
147
/* Return true if CERT has the validityModel extensions and defines
148
the use of the chain model. */
150
has_validation_model_chain (ksba_cert_t cert, int listmode, estream_t listfp)
155
size_t off, derlen, objlen, hdrlen;
156
const unsigned char *der;
157
int class, tag, constructed, ndef;
160
for (idx=0; !(err=ksba_cert_get_extension (cert, idx,
161
&oid, NULL, &off, &derlen));idx++)
162
if (!strcmp (oid, "1.3.6.1.4.1.8301.3.5") )
165
return 0; /* Not found. */
166
der = ksba_cert_get_image (cert, NULL);
169
err = gpg_error (GPG_ERR_INV_OBJ); /* Oops */
174
err = parse_ber_header (&der, &derlen, &class, &tag, &constructed,
175
&ndef, &objlen, &hdrlen);
176
if (!err && (objlen > derlen || tag != TAG_SEQUENCE))
177
err = gpg_error (GPG_ERR_INV_OBJ);
181
err = parse_ber_header (&der, &derlen, &class, &tag, &constructed,
182
&ndef, &objlen, &hdrlen);
183
if (!err && (objlen > derlen || tag != TAG_OBJECT_ID))
184
err = gpg_error (GPG_ERR_INV_OBJ);
187
oidbuf = ksba_oid_to_str (der, objlen);
190
err = gpg_error_from_syserror ();
195
do_list (0, listmode, listfp,
196
_("validation model requested by certificate: %s"),
197
!strcmp (oidbuf, "1.3.6.1.4.1.8301.3.5.1")? _("chain") :
198
!strcmp (oidbuf, "1.3.6.1.4.1.8301.3.5.2")? _("shell") :
200
yes = !strcmp (oidbuf, "1.3.6.1.4.1.8301.3.5.1");
206
log_error ("error parsing validityModel: %s\n", gpg_strerror (err));
213
unknown_criticals (ksba_cert_t cert, int listmode, estream_t fp)
88
215
static const char *known[] = {
89
216
"2.5.29.15", /* keyUsage */
217
"2.5.29.17", /* subjectAltName
218
Japanese DoCoMo certs mark them as critical. PKIX
219
only requires them as critical if subjectName is
220
empty. I don't know whether our code gracefully
221
handles such empry subjectNames but that is
90
223
"2.5.29.19", /* basic Constraints */
91
224
"2.5.29.32", /* certificatePolicies */
92
225
"2.5.29.37", /* extendedKeyUsage - handled by certlist.c */
226
"1.3.6.1.4.1.8301.3.5", /* validityModel - handled here. */
95
229
int rc = 0, i, idx, crit;
573
879
/* This is a helper for gpgsm_validate_chain. */
574
880
static gpg_error_t
575
is_cert_still_valid (ctrl_t ctrl, int lm, FILE *fp,
881
is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
576
882
ksba_cert_t subject_cert, ksba_cert_t issuer_cert,
577
883
int *any_revoked, int *any_no_crl, int *any_crl_too_old)
579
if (!opt.no_crl_check || ctrl->use_ocsp)
583
err = gpgsm_dirmngr_isvalid (ctrl,
584
subject_cert, issuer_cert, ctrl->use_ocsp);
587
/* Fixme: We should change the wording because we may
589
switch (gpg_err_code (err))
591
case GPG_ERR_CERT_REVOKED:
592
do_list (1, lm, fp, _("certificate has been revoked"));
594
/* Store that in the keybox so that key listings are
595
able to return the revoked flag. We don't care
596
about error, though. */
597
keydb_set_cert_flags (subject_cert, KEYBOX_FLAG_VALIDITY, 0,
600
case GPG_ERR_NO_CRL_KNOWN:
601
do_list (1, lm, fp, _("no CRL found for certificate"));
604
case GPG_ERR_CRL_TOO_OLD:
605
do_list (1, lm, fp, _("the available CRL is too old"));
607
log_info (_("please make sure that the "
608
"\"dirmngr\" is properly installed\n"));
609
*any_crl_too_old = 1;
612
do_list (1, lm, fp, _("checking the CRL failed: %s"),
887
if (opt.no_crl_check && !ctrl->use_ocsp)
890
err = gpgsm_dirmngr_isvalid (ctrl,
891
subject_cert, issuer_cert,
892
force_ocsp? 2 : !!ctrl->use_ocsp);
896
gpgsm_cert_log_name (NULL, subject_cert);
897
switch (gpg_err_code (err))
899
case GPG_ERR_CERT_REVOKED:
900
do_list (1, lm, fp, _("certificate has been revoked"));
902
/* Store that in the keybox so that key listings are able to
903
return the revoked flag. We don't care about error,
905
keydb_set_cert_flags (subject_cert, 1, KEYBOX_FLAG_VALIDITY, 0,
906
~0, VALIDITY_REVOKED);
909
case GPG_ERR_NO_CRL_KNOWN:
910
do_list (1, lm, fp, _("no CRL found for certificate"));
914
case GPG_ERR_NO_DATA:
915
do_list (1, lm, fp, _("the status of the certificate is unknown"));
919
case GPG_ERR_CRL_TOO_OLD:
920
do_list (1, lm, fp, _("the available CRL is too old"));
922
log_info (_("please make sure that the "
923
"\"dirmngr\" is properly installed\n"));
924
*any_crl_too_old = 1;
928
do_list (1, lm, fp, _("checking the CRL failed: %s"),
937
/* Helper for gpgsm_validate_chain to check the validity period of
938
SUBJECT_CERT. The caller needs to pass EXPTIME which will be
939
updated to the nearest expiration time seen. A DEPTH of 0 indicates
940
the target certifciate, -1 the final root certificate and other
941
values intermediate certificates. */
943
check_validity_period (ksba_isotime_t current_time,
944
ksba_cert_t subject_cert,
945
ksba_isotime_t exptime,
946
int listmode, estream_t listfp, int depth)
949
ksba_isotime_t not_before, not_after;
951
err = ksba_cert_get_validity (subject_cert, 0, not_before);
953
err = ksba_cert_get_validity (subject_cert, 1, not_after);
956
do_list (1, listmode, listfp,
957
_("certificate with invalid validity: %s"), gpg_strerror (err));
958
return gpg_error (GPG_ERR_BAD_CERT);
964
gnupg_copy_time (exptime, not_after);
965
else if (strcmp (not_after, exptime) < 0 )
966
gnupg_copy_time (exptime, not_after);
969
if (*not_before && strcmp (current_time, not_before) < 0 )
971
do_list (1, listmode, listfp,
972
depth == 0 ? _("certificate not yet valid") :
973
depth == -1 ? _("root certificate not yet valid") :
974
/* other */ _("intermediate certificate not yet valid"));
977
log_info (" (valid from ");
978
gpgsm_dump_time (not_before);
981
return gpg_error (GPG_ERR_CERT_TOO_YOUNG);
984
if (*not_after && strcmp (current_time, not_after) > 0 )
986
do_list (opt.ignore_expiration?0:1, listmode, listfp,
987
depth == 0 ? _("certificate has expired") :
988
depth == -1 ? _("root certificate has expired") :
989
/* other */ _("intermediate certificate has expired"));
992
log_info (" (expired at ");
993
gpgsm_dump_time (not_after);
996
if (opt.ignore_expiration)
997
log_info ("WARNING: ignoring expiration\n");
999
return gpg_error (GPG_ERR_CERT_EXPIRED);
1005
/* This is a variant of check_validity_period used with the chain
1006
model. The dextra contraint here is that notBefore and notAfter
1007
must exists and if the additional argument CHECK_TIME is given this
1008
time is used to check the validity period of SUBJECT_CERT. */
1010
check_validity_period_cm (ksba_isotime_t current_time,
1011
ksba_isotime_t check_time,
1012
ksba_cert_t subject_cert,
1013
ksba_isotime_t exptime,
1014
int listmode, estream_t listfp, int depth)
1017
ksba_isotime_t not_before, not_after;
1019
err = ksba_cert_get_validity (subject_cert, 0, not_before);
1021
err = ksba_cert_get_validity (subject_cert, 1, not_after);
1024
do_list (1, listmode, listfp,
1025
_("certificate with invalid validity: %s"), gpg_strerror (err));
1026
return gpg_error (GPG_ERR_BAD_CERT);
1028
if (!*not_before || !*not_after)
1030
do_list (1, listmode, listfp,
1031
_("required certificate attributes missing: %s%s%s"),
1032
!*not_before? "notBefore":"",
1033
(!*not_before && !*not_after)? ", ":"",
1034
!*not_before? "notAfter":"");
1035
return gpg_error (GPG_ERR_BAD_CERT);
1037
if (strcmp (not_before, not_after) > 0 )
1039
do_list (1, listmode, listfp,
1040
_("certificate with invalid validity"));
1041
log_info (" (valid from ");
1042
gpgsm_dump_time (not_before);
1043
log_printf (" expired at ");
1044
gpgsm_dump_time (not_after);
1046
return gpg_error (GPG_ERR_BAD_CERT);
1050
gnupg_copy_time (exptime, not_after);
1051
else if (strcmp (not_after, exptime) < 0 )
1052
gnupg_copy_time (exptime, not_after);
1054
if (strcmp (current_time, not_before) < 0 )
1056
do_list (1, listmode, listfp,
1057
depth == 0 ? _("certificate not yet valid") :
1058
depth == -1 ? _("root certificate not yet valid") :
1059
/* other */ _("intermediate certificate not yet valid"));
1062
log_info (" (valid from ");
1063
gpgsm_dump_time (not_before);
1066
return gpg_error (GPG_ERR_CERT_TOO_YOUNG);
1070
&& (strcmp (check_time, not_before) < 0
1071
|| strcmp (check_time, not_after) > 0))
1073
/* Note that we don't need a case for the root certificate
1074
because its own consitency has already been checked. */
1075
do_list(opt.ignore_expiration?0:1, listmode, listfp,
1077
_("signature not created during lifetime of certificate") :
1079
_("certificate not created during lifetime of issuer") :
1080
_("intermediate certificate not created during lifetime "
1084
log_info (depth== 0? _(" ( signature created at ") :
1085
/* */ _(" (certificate created at ") );
1086
gpgsm_dump_time (check_time);
1088
log_info (depth==0? _(" (certificate valid from ") :
1089
/* */ _(" ( issuer valid from ") );
1090
gpgsm_dump_time (not_before);
1092
gpgsm_dump_time (not_after);
1095
if (opt.ignore_expiration)
1096
log_info ("WARNING: ignoring expiration\n");
1098
return gpg_error (GPG_ERR_CERT_EXPIRED);
1106
/* Ask the user whether he wants to mark the certificate CERT trusted.
1107
Returns true if the CERT is the trusted. We also check whether the
1108
agent is at all enabled to allow marktrusted and don't call it in
1109
this session again if it is not. */
1111
ask_marktrusted (ctrl_t ctrl, ksba_cert_t cert, int listmode)
1113
static int no_more_questions;
1118
fpr = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA1);
1119
log_info (_("fingerprint=%s\n"), fpr? fpr : "?");
1122
if (no_more_questions)
1123
rc = gpg_error (GPG_ERR_NOT_SUPPORTED);
1125
rc = gpgsm_agent_marktrusted (ctrl, cert);
1128
log_info (_("root certificate has now been marked as trusted\n"));
1133
gpgsm_dump_cert ("issuer", cert);
1134
log_info ("after checking the fingerprint, you may want "
1135
"to add it manually to the list of trusted certificates.\n");
1138
if (gpg_err_code (rc) == GPG_ERR_NOT_SUPPORTED)
1140
if (!no_more_questions)
1141
log_info (_("interactive marking as trusted "
1142
"not enabled in gpg-agent\n"));
1143
no_more_questions = 1;
1145
else if (gpg_err_code (rc) == GPG_ERR_CANCELED)
1147
log_info (_("interactive marking as trusted "
1148
"disabled for this session\n"));
1149
no_more_questions = 1;
1152
set_already_asked_marktrusted (cert);
623
1160
/* Validate a chain and optionally return the nearest expiration time
624
1161
in R_EXPTIME. With LISTMODE set to 1 a special listmode is
625
1162
activated where only information about the certificate is printed
626
to FP and no output is send to the usual log stream.
628
Defined flag bits: 0 - do not do any dirmngr isvalid checks.
1163
to LISTFP and no output is send to the usual log stream. If
1164
CHECKTIME_ARG is set, it is used only in the chain model instead of the
1169
VALIDATE_FLAG_NO_DIRMNGR - Do not do any dirmngr isvalid checks.
1170
VALIDATE_FLAG_CHAIN_MODEL - Check according to chain model.
631
gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
632
int listmode, FILE *fp, unsigned int flags)
1173
do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
1174
ksba_isotime_t r_exptime,
1175
int listmode, estream_t listfp, unsigned int flags,
1176
struct rootca_flags_s *rootca_flags)
634
int rc = 0, depth = 0, maxdepth;
1178
int rc = 0, depth, maxdepth;
635
1179
char *issuer = NULL;
636
1180
char *subject = NULL;
637
1181
KEYDB_HANDLE kh = NULL;
638
1182
ksba_cert_t subject_cert = NULL, issuer_cert = NULL;
639
1183
ksba_isotime_t current_time;
1184
ksba_isotime_t check_time;
640
1185
ksba_isotime_t exptime;
641
1186
int any_expired = 0;
642
1187
int any_revoked = 0;
685
do_list (1, lm, fp, _("no issuer found in certificate"));
1268
do_list (1, listmode, listfp, _("no issuer found in certificate"));
686
1269
rc = gpg_error (GPG_ERR_BAD_CERT);
691
ksba_isotime_t not_before, not_after;
693
rc = ksba_cert_get_validity (subject_cert, 0, not_before);
695
rc = ksba_cert_get_validity (subject_cert, 1, not_after);
698
do_list (1, lm, fp, _("certificate with invalid validity: %s"),
700
rc = gpg_error (GPG_ERR_BAD_CERT);
707
gnupg_copy_time (exptime, not_after);
708
else if (strcmp (not_after, exptime) < 0 )
709
gnupg_copy_time (exptime, not_after);
712
if (*not_before && strcmp (current_time, not_before) < 0 )
714
do_list (1, lm, fp, _("certificate not yet valid"));
717
log_info ("(valid from ");
718
gpgsm_dump_time (not_before);
721
rc = gpg_error (GPG_ERR_CERT_TOO_YOUNG);
724
if (*not_after && strcmp (current_time, not_after) > 0 )
726
do_list (opt.ignore_expiration?0:1, lm, fp,
727
_("certificate has expired"));
730
log_info ("(expired at ");
731
gpgsm_dump_time (not_after);
734
if (opt.ignore_expiration)
735
log_info ("WARNING: ignoring expiration\n");
741
rc = unknown_criticals (subject_cert, listmode, fp);
1274
/* Is this a self-issued certificate (i.e. the root certificate)? */
1275
is_root = is_root_cert (subject_cert, issuer, subject);
1279
/* Check early whether the certificate is listed as trusted.
1280
We used to do this only later but changed it to call the
1281
check right here so that we can access special flags
1282
associated with that specific root certificate. */
1283
istrusted_rc = gpgsm_agent_istrusted (ctrl, subject_cert,
1285
audit_log_cert (ctrl->audit, AUDIT_ROOT_TRUSTED,
1286
subject_cert, istrusted_rc);
1287
/* If the chain model extended attribute is used, make sure
1288
that our chain model flag is set. */
1289
if (has_validation_model_chain (subject_cert, listmode, listfp))
1290
rootca_flags->chain_model = 1;
1294
/* Check the validity period. */
1295
if ( (flags & VALIDATE_FLAG_CHAIN_MODEL) )
1296
rc = check_validity_period_cm (current_time, check_time, subject_cert,
1297
exptime, listmode, listfp,
1298
(depth && is_root)? -1: depth);
1300
rc = check_validity_period (current_time, subject_cert,
1301
exptime, listmode, listfp,
1302
(depth && is_root)? -1: depth);
1303
if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
1312
/* Assert that we understand all critical extensions. */
1313
rc = unknown_criticals (subject_cert, listmode, listfp);
1317
/* Do a policy check. */
745
1318
if (!opt.no_policy_check)
747
rc = check_cert_policy (subject_cert, listmode, fp);
1320
rc = check_cert_policy (subject_cert, listmode, listfp);
748
1321
if (gpg_err_code (rc) == GPG_ERR_NO_POLICY_MATCH)
750
1323
any_no_policy_match = 1;
1670
/* If we have traversed a complete chain up to the root we will
1671
reset the ephemeral flag for all these certificates. This is done
1672
regardless of any error because those errors may only be
1674
if (chain && chain->is_root)
1679
for (ci = chain; ci; ci = ci->next)
1681
/* Note that it is possible for the last certificate in the
1682
chain (i.e. our target certificate) that it has not yet
1683
been stored in the keybox and thus the flag can't be set.
1684
We ignore this error becuase it will later be stored
1686
err = keydb_set_cert_flags (ci->cert, 1, KEYBOX_FLAG_BLOB, 0,
1687
KEYBOX_FLAG_BLOB_EPHEMERAL, 0);
1688
if (!ci->next && gpg_err_code (err) == GPG_ERR_NOT_FOUND)
1691
log_error ("clearing ephemeral flag failed: %s\n",
1692
gpg_strerror (err));
1696
/* If we have figured something about the qualified signature
1697
capability of the certificate under question, store the result as
1698
user data in all certificates of the chain. We do this even if the
1699
validation itself failed. */
1049
1700
if (is_qualified != -1)
1051
/* We figured something about the qualified signature capability
1052
of the certificate under question. Store the result as user
1053
data in the certificate object. We do this even if the
1054
validation itself failed. */
1055
/* Fixme: We should set this flag for all certificates in the
1056
chain for optimizing reasons. */
1060
1706
buf[0] = !!is_qualified;
1061
err = ksba_cert_set_user_data (cert, "is_qualified", buf, 1);
1064
log_error ("set_user_data(is_qualified) failed: %s\n",
1065
gpg_strerror (err));
1708
for (ci = chain; ci; ci = ci->next)
1710
err = ksba_cert_set_user_data (ci->cert, "is_qualified", buf, 1);
1713
log_error ("set_user_data(is_qualified) failed: %s\n",
1714
gpg_strerror (err));
1721
/* If auditing has been enabled, record what is in the chain. */
1726
audit_log (ctrl->audit, AUDIT_CHAIN_BEGIN);
1727
for (ci = chain; ci; ci = ci->next)
1729
audit_log_cert (ctrl->audit,
1730
ci->is_root? AUDIT_CHAIN_ROOTCERT : AUDIT_CHAIN_CERT,
1733
audit_log (ctrl->audit, AUDIT_CHAIN_END);
1071
1737
gnupg_copy_time (r_exptime, exptime);
1072
1738
xfree (issuer);
1073
1740
keydb_release (kh);
1743
chain_item_t ci_next = chain->next;
1744
ksba_cert_release (chain->cert);
1074
1748
ksba_cert_release (issuer_cert);
1075
if (subject_cert != cert)
1076
ksba_cert_release (subject_cert);
1749
ksba_cert_release (subject_cert);
1754
/* Validate a certificate chain. For a description see
1755
do_validate_chain. This function is a wrapper to handle a root
1756
certificate with the chain_model flag set. If RETFLAGS is not
1757
NULL, flags indicating now the verification was done are stored
1758
there. The only defined flag for RETFLAGS is
1759
VALIDATE_FLAG_CHAIN_MODEL.
1761
If you are verifying a signature you should set CHECKTIME to the
1762
creation time of the signature. If your are verifying a
1763
certificate, set it nil (i.e. the empty string). If the creation
1764
date of the signature is not known use the special date
1765
"19700101T000000" which is treated in a special way here. */
1767
gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime,
1768
ksba_isotime_t r_exptime,
1769
int listmode, estream_t listfp, unsigned int flags,
1770
unsigned int *retflags)
1773
struct rootca_flags_s rootca_flags;
1774
unsigned int dummy_retflags;
1777
retflags = &dummy_retflags;
1779
if (ctrl->validation_model == 1)
1780
flags |= VALIDATE_FLAG_CHAIN_MODEL;
1782
*retflags = (flags & VALIDATE_FLAG_CHAIN_MODEL);
1783
memset (&rootca_flags, 0, sizeof rootca_flags);
1785
rc = do_validate_chain (ctrl, cert, checktime,
1786
r_exptime, listmode, listfp, flags,
1788
if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED
1789
&& !(flags & VALIDATE_FLAG_CHAIN_MODEL)
1790
&& (rootca_flags.valid && rootca_flags.chain_model))
1792
do_list (0, listmode, listfp, _("switching to chain model"));
1793
rc = do_validate_chain (ctrl, cert, checktime,
1794
r_exptime, listmode, listfp,
1795
(flags |= VALIDATE_FLAG_CHAIN_MODEL),
1797
*retflags |= VALIDATE_FLAG_CHAIN_MODEL;
1801
do_list (0, listmode, listfp, _("validation model used: %s"),
1802
(*retflags & VALIDATE_FLAG_CHAIN_MODEL)?
1803
_("chain"):_("shell"));
1173
1901
if (opt.verbose)
1174
log_info ("certificate is good\n");
1902
log_info (_("certificate is good\n"));
1178
1906
xfree (issuer);
1179
1908
keydb_release (kh);
1180
1909
ksba_cert_release (issuer_cert);
1915
/* Check whether the certificate CERT has been issued by the German
1916
authority for qualified signature. They do not set the
1917
basicConstraints and thus we need this workaround. It works by
1918
looking up the root certificate and checking whether that one is
1919
listed as a qualified certificate for Germany.
1921
We also try to cache this data but as long as don't keep a
1922
reference to the certificate this won't be used.
1924
Returns: True if CERT is a RegTP issued CA cert (i.e. the root
1925
certificate itself or one of the CAs). In that case CHAINLEN will
1926
receive the length of the chain which is either 0 or 1.
1929
get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen)
1936
ksba_cert_t array[4];
1942
chainlen = &dummy_chainlen;
1945
err = ksba_cert_get_user_data (cert, "regtp_ca_chainlen",
1946
&buf, sizeof (buf), &buflen);
1950
if (buflen < 2 || !*buf)
1951
return 0; /* Nothing found. */
1953
return 1; /* This is a regtp CA. */
1955
else if (gpg_err_code (err) != GPG_ERR_NOT_FOUND)
1957
log_error ("ksba_cert_get_user_data(%s) failed: %s\n",
1958
"regtp_ca_chainlen", gpg_strerror (err));
1959
return 0; /* Nothing found. */
1962
/* Need to gather the info. This requires to walk up the chain
1963
until we have found the root. Because we are only interested in
1964
German Bundesnetzagentur (former RegTP) derived certificates 3
1965
levels are enough. (The German signature law demands a 3 tier
1966
hierachy; thus there is only one CA between the EE and the Root
1968
memset (&array, 0, sizeof array);
1971
ksba_cert_ref (cert);
1972
array[depth++] = cert;
1973
ksba_cert_ref (cert);
1974
while (depth < DIM(array) && !(rc=gpgsm_walk_cert_chain (ctrl, cert, &next)))
1976
ksba_cert_release (cert);
1977
ksba_cert_ref (next);
1978
array[depth++] = next;
1981
ksba_cert_release (cert);
1982
if (rc != -1 || !depth || depth == DIM(array) )
1984
/* We did not reached the root. */
1988
/* If this is a German signature law issued certificate, we store
1989
additional additional information. */
1990
if (!gpgsm_is_in_qualified_list (NULL, array[depth-1], country)
1991
&& !strcmp (country, "de"))
1993
/* Setting the pathlen for the root CA and the CA flag for the
1994
next one is all what we need to do. */
1995
err = ksba_cert_set_user_data (array[depth-1], "regtp_ca_chainlen",
1997
if (!err && depth > 1)
1998
err = ksba_cert_set_user_data (array[depth-2], "regtp_ca_chainlen",
2001
log_error ("ksba_set_user_data(%s) failed: %s\n",
2002
"regtp_ca_chainlen", gpg_strerror (err));
2003
for (i=0; i < depth; i++)
2004
ksba_cert_release (array[i]);
2005
*chainlen = (depth>1? 0:1);
2010
/* Nothing special with this certificate. Mark the target
2011
certificate anyway to avoid duplicate lookups. */
2012
err = ksba_cert_set_user_data (cert, "regtp_ca_chainlen", "", 1);
2014
log_error ("ksba_set_user_data(%s) failed: %s\n",
2015
"regtp_ca_chainlen", gpg_strerror (err));
2016
for (i=0; i < depth; i++)
2017
ksba_cert_release (array[i]);