diff options
| author | Werner Koch <wk@gnupg.org> | 2021-11-15 17:51:01 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2021-11-15 17:51:38 +0100 |
| commit | 74c5b350624b5636706bc39605857f10762371b1 (patch) | |
| tree | 0f8c0f0f0a62f1d76da22e7a66b96da067b96a9b /sm | |
| parent | scd:openpgp: Support longer data for INTERNAL_AUTHENTICATE. (diff) | |
| download | gnupg2-74c5b350624b5636706bc39605857f10762371b1.tar.xz gnupg2-74c5b350624b5636706bc39605857f10762371b1.zip | |
sm: Detect circular chains in --list-chain.
* sm/keylist.c (list_cert_chain): Break loop for a too long chain.
--
This avoids endless loops in case of circular chain definitions. We
use such a limit at other palces as well. Example for such a chain is
# ------------------------ >8 ------------------------
ID: 0xBE231B05
S/N: 51260A931CE27F9CC3A55F79E072AE82
(dec): 107864989418777835411218143713715990146
Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
sha2_fpr: 92:5E:4B:37:2B:A3:2E:5E:87:30:22:84:B2:D7:C9:DF:BF:82:00:FF:CB:A0:D1:66:03:A1:A0:6F:F7:6C:D3:53
sha1_fpr: 31:93:78:6A:48:BD:F2:D4:D2:0B:8F:C6:50:1F:4D:E8:BE:23:1B:05
md5_fpr: AC:F3:10:0D:1A:96:A9:2E:B8:8B:9B:F8:7E:09:FA:E6
pgp_fpr: E8D2CA1449A80D784FB1532C06B1611DB06A1678
certid: 610C27E9D37835A8962EA5B8368D3FBED1A8A15D.51260A931CE27F9CC3A55F79E072AE82
keygrip: CFCA58448222ECAAF77EEF8CC45F0D6DB4E412C9
notBefore: 2005-06-07 08:09:10
notAfter: 2019-06-24 19:06:30
hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
keyType: rsa2048
subjKeyId: ADBD987A34B426F7FAC42654EF03BDE024CB541A
authKeyId: [none]
authKeyId.ki: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
[...]
Certified by
ID: 0xCE2E4C63
S/N: 46EAF096054CC5E3FA65EA6E9F42C664
(dec): 94265836834010752231943569188608722532
Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
sha2_fpr: 21:3F:AD:03:B1:C5:23:47:E9:A8:0F:29:9A:F0:89:9B:CA:FF:3F:62:B3:4E:B0:60:66:F4:D7:EE:A5:EE:1A:73
sha1_fpr: 9E:99:81:7D:12:28:0C:96:77:67:44:30:49:2E:DA:1D:CE:2E:4C:63
md5_fpr: 55:07:0F:1F:9A:E5:EA:21:61:F3:72:2B:8B:41:7F:27
pgp_fpr: 922A6D0A1C0027E75038F8A1503DA72CF2C53840
certid: 14673DA5792E145E9FA1425F9EF3BFC1C4B4957C.46EAF096054CC5E3FA65EA6E9F42C664
keygrip: 10678FB5A458D99B7692851E49849F507688B847
notBefore: 2005-06-07 08:09:10
notAfter: 2020-05-30 10:48:38
hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
keyType: rsa2048
subjKeyId: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
authKeyId: [none]
authKeyId.ki: ADBD987A34B426F7FAC42654EF03BDE024CB541A
keyUsage: certSign crlSign
[...]
Which has a circular dependency on subKeyId/authkeyId.ki.
Diffstat (limited to 'sm')
| -rw-r--r-- | sm/keylist.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sm/keylist.c b/sm/keylist.c index 08b2dc816..8907628f8 100644 --- a/sm/keylist.c +++ b/sm/keylist.c @@ -1460,6 +1460,7 @@ list_cert_chain (ctrl_t ctrl, KEYDB_HANDLE hd, estream_t fp, int with_validation) { ksba_cert_t next = NULL; + int depth = 0; if (raw_mode) list_cert_raw (ctrl, hd, cert, fp, 0, with_validation); @@ -1468,8 +1469,13 @@ list_cert_chain (ctrl_t ctrl, KEYDB_HANDLE hd, ksba_cert_ref (cert); while (!gpgsm_walk_cert_chain (ctrl, cert, &next)) { - ksba_cert_release (cert); es_fputs ("Certified by\n", fp); + if (++depth > 50) + { + es_fputs (_("certificate chain too long\n"), fp); + break; + } + ksba_cert_release (cert); if (raw_mode) list_cert_raw (ctrl, hd, next, fp, 0, with_validation); else |