gpgsm: not checking root certificate
Stephan Mueller
smueller at chronox.de
Tue Jul 27 09:15:34 CEST 2010
Am Dienstag, 27. Juli 2010, um 08:57:01 schrieb Werner Koch:
Hi Werner,
> On Mon, 26 Jul 2010 09:26, smueller at chronox.de said:
> > Do you think of something like the attached patches (they are not tested
> > yet)?
>
> Yes, that was my idea. However, while looking at the code I realized
> that we don't check the root certificate if it is already trusted
> (i.e. listed in trustlist.txt). The check is only done for
> not-yet-trusted certificates, so that the user can get some info on the
> certificate.
I see.
>
> The problem you encounter is due to the import function which calls
> gpgsm_basic_cert_check() for each certificate. There are two ways to
> avoid this:
>
> gpgsm --import --debug-no-chain-validation ROOTCERT
>
> or change the code in gpgsm_basic_cert_check to look at the
> trustlist.txt first. Thus if you put the fingerprint of the root
> certificate into trustlist.txt before importing the certificate, it
> should work fine.
>
> Given the required changes I think that adding MD2 to libgcrypt would be
> easier.
I am unsure about your last statement. When we consider --debug-no-chain-
validation and add the fingerprint to trustlist.txt, then we neither need a
code change to gpgsm nor the MD2 hash.
Which change do you think of that are harder than the MD2 addition?
All I currently see is adding some information to the gpgsm man page about how
to handle root certificates based on MD2.
Ciao
Stephan
--
| Cui bono? |
More information about the Gnupg-devel
mailing list