1
1
/* certlist.c - build list of certificates
2
* Copyright (C) 2001, 2003, 2004, 2005 Free Software Foundation, Inc.
2
* Copyright (C) 2001, 2003, 2004, 2005, 2007,
3
* 2008 Free Software Foundation, Inc.
4
5
* This file is part of GnuPG.
6
7
* GnuPG is free software; you can redistribute it and/or modify
7
8
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* the Free Software Foundation; either version 3 of the License, or
9
10
* (at your option) any later version.
11
12
* GnuPG is distributed in the hope that it will be useful,
14
15
* GNU General Public License for more details.
16
17
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
18
* along with this program; if not, see <http://www.gnu.org/licenses/>.
21
21
#include <config.h>
214
214
same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert)
216
216
char *subject2 = ksba_cert_get_subject (cert, 0);
217
char *issuer2 = ksba_cert_get_subject (cert, 0);
217
char *issuer2 = ksba_cert_get_issuer (cert, 0);
220
220
tmp = (subject && subject2
230
/* Return true if CERT_A is the same as CERT_B. */
232
gpgsm_certs_identical_p (ksba_cert_t cert_a, ksba_cert_t cert_b)
234
const unsigned char *img_a, *img_b;
237
img_a = ksba_cert_get_image (cert_a, &len_a);
240
img_b = ksba_cert_get_image (cert_b, &len_b);
241
if (img_b && len_a == len_b && !memcmp (img_a, img_b, len_a))
242
return 1; /* Identical. */
229
248
/* Return true if CERT is already contained in CERTLIST. */
231
250
is_cert_in_certlist (ksba_cert_t cert, certlist_t certlist)
273
292
flag in the new create LISTADDR item. */
275
294
gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
276
CERTLIST *listaddr, int is_encrypt_to)
295
certlist_t *listaddr, int is_encrypt_to)
279
298
KEYDB_SEARCH_DESC desc;
298
317
rc = keydb_get_cert (kh, &cert);
322
/* Save the the subject and the issuer for key usage
323
and ambiguous name tests. */
324
first_subject = ksba_cert_get_subject (cert, 0);
325
first_issuer = ksba_cert_get_issuer (cert, 0);
301
327
rc = secret? gpgsm_cert_use_sign_p (cert)
302
328
: gpgsm_cert_use_encrypt_p (cert);
303
329
if (gpg_err_code (rc) == GPG_ERR_WRONG_KEY_USAGE)
307
333
if (!wrong_usage)
308
334
{ /* save the first match */
309
335
wrong_usage = rc;
310
subject = ksba_cert_get_subject (cert, 0);
311
issuer = ksba_cert_get_subject (cert, 0);
312
336
ksba_cert_release (cert);
316
else if (same_subject_issuer (subject, issuer, cert))
340
else if (same_subject_issuer (first_subject, first_issuer,
318
343
wrong_usage = rc;
319
344
ksba_cert_release (cert);
340
367
ksba_cert_t cert2 = NULL;
369
/* If this is the first possible duplicate, add the original
370
certificate to our list of duplicates. */
372
gpgsm_add_cert_to_certlist (ctrl, cert, &dup_certs, 0);
342
374
/* We have to ignore ambigious names as long as
343
there only fault is a bad key usage */
375
there only fault is a bad key usage. This is
376
required to support encryption and signing
377
certificates of the same subject.
379
Further we ignore them if they are due to an
380
identical certificate (which may happen if a
381
certificate is accidential duplicated in the
344
383
if (!keydb_get_cert (kh, &cert2))
346
int tmp = (same_subject_issuer (subject, issuer, cert2)
385
int tmp = (same_subject_issuer (first_subject,
347
388
&& ((gpg_err_code (
348
389
secret? gpgsm_cert_use_sign_p (cert2)
349
: gpgsm_cert_use_encrypt_p (cert2)
390
: gpgsm_cert_use_encrypt_p (cert2)
351
392
) == GPG_ERR_WRONG_KEY_USAGE));
394
gpgsm_add_cert_to_certlist (ctrl, cert2,
398
if (is_cert_in_certlist (cert2, dup_certs))
352
402
ksba_cert_release (cert2);
354
404
goto next_ambigious;
356
406
rc = gpg_error (GPG_ERR_AMBIGUOUS_NAME);
408
gpgsm_release_certlist (dup_certs);
410
xfree (first_subject);
411
xfree (first_issuer);
412
first_subject = NULL;
362
415
if (!rc && !is_cert_in_certlist (cert, *listaddr))
378
rc = gpgsm_validate_chain (ctrl, cert, NULL, 0, NULL, 0);
431
rc = gpgsm_validate_chain (ctrl, cert, "", NULL,
381
CERTLIST cl = xtrycalloc (1, sizeof *cl);
435
certlist_t cl = xtrycalloc (1, sizeof *cl);
383
rc = OUT_OF_CORE (errno);
386
440
cl->cert = cert; cert = NULL;
398
452
return rc == -1? gpg_error (GPG_ERR_NO_PUBKEY): rc;
402
gpgsm_release_certlist (CERTLIST list)
457
gpgsm_release_certlist (certlist_t list)
406
CERTLIST cl = list->next;
461
certlist_t cl = list->next;
407
462
ksba_cert_release (list->cert);
414
469
/* Like gpgsm_add_to_certlist, but look only for one certificate. No
415
chain validation is done. If KEYID is not NULL it is take as an
470
chain validation is done. If KEYID is not NULL it is taken as an
416
471
additional filter value which must match the
417
472
subjectKeyIdentifier. */
464
519
won't lead to ambiguous names. */
465
520
if (!rc && !keyid)
467
523
rc = keydb_search (kh, &desc, 1);
473
rc = gpg_error (GPG_ERR_AMBIGUOUS_NAME);
530
ksba_cert_t cert2 = NULL;
532
if (!keydb_get_cert (kh, &cert2))
534
if (gpgsm_certs_identical_p (*r_cert, cert2))
536
ksba_cert_release (cert2);
539
ksba_cert_release (cert2);
541
rc = gpg_error (GPG_ERR_AMBIGUOUS_NAME);
474
543
ksba_cert_release (*r_cert);