gpgsm: not checking root certificate

Werner Koch wk at gnupg.org
Tue Jul 27 08:57:01 CEST 2010


On Mon, 26 Jul 2010 09:26, smueller at chronox.de said:

> Do you think of something like the attached patches (they are not tested yet)?

Yes, that was my idea.  However, while looking at the code I realized
that we don't check the root certificate if it is already trusted
(i.e. listed in trustlist.txt).  The check is only done for
not-yet-trusted certificates, so that the user can get some info on the
certificate.

The problem you encounter is due to the import function which calls
gpgsm_basic_cert_check() for each certificate.  There are two ways to
avoid this:

  gpgsm --import --debug-no-chain-validation ROOTCERT

or change the code in gpgsm_basic_cert_check to look at the
trustlist.txt first.  Thus if you put the fingerprint of the root
certificate into trustlist.txt before importing the certificate, it
should work fine.

Given the required changes I think that adding MD2 to libgcrypt would be
easier.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




More information about the Gnupg-devel mailing list