On Mon, 19 Feb 2024 16:33, Mario Haustein said:

> your solution sounds much simpler than mine and should solve the problem
> with record files as well. Maybe it's a good idea to separate the counter
> from the ID by an additional '.', isn't it?

Much more work and code unfortunately.

> At least it shifts the problem from getting the root certificate to just
> verifying the fingerprint of the root certificate. The latter approach is
> more robust for end-users IMHO.

Right.

> It seems the counter is application-global, but collision detection is just 
> scoped to the object directory.

Good catch.  Please add the attached patch.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From 412d3e3f4d16a08f5d1fac54757d8f0c8dec1833 Mon Sep 17 00:00:00 2001
From: Werner Koch <[email protected]>
Date: Mon, 19 Feb 2024 16:50:22 +0100
Subject: [PATCH GnuPG] scd:p15: Check all cert stores for dups.

--
---
 scd/app-p15.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/scd/app-p15.c b/scd/app-p15.c
index 9ed51ae04..8a869279d 100644
--- a/scd/app-p15.c
+++ b/scd/app-p15.c
@@ -2611,7 +2611,14 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result)
       /* Card's have been found in the wild which do not have unique
        * IDs for their certificate objects.  If we detect this we
        * append a counter to the ID.  */
-      objidextralen = !!objid_in_cdflist_p (cdflist, objid, objidlen);
+      objidextralen =
+        (objid_in_cdflist_p (cdflist, objid, objidlen)
+         || objid_in_cdflist_p (app->app_local->certificate_info,
+                                objid, objidlen)
+         || objid_in_cdflist_p (app->app_local->trusted_certificate_info,
+                                objid, objidlen)
+         || objid_in_cdflist_p (app->app_local->useful_certificate_info,
+                                objid, objidlen));
       cdf->objidlen = objidlen + objidextralen;
       cdf->objid = xtrymalloc (objidlen + objidextralen);
       if (!cdf->objid)
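
Review bot: The comment above the changed `objidextralen` assignment still only says that a counter is appended when non-unique IDs are detected; it does not mention that the duplicate check now covers the list being built plus `certificate_info`, `trusted_certificate_info` and `useful_certificate_info`. Suggest extending the comment to state that all certificate stores are checked and why (the thread notes that the counter is application-global while collision detection was scoped to one object directory), and putting the same rationale in the commit message body, which is empty. The four `objid_in_cdflist_p` calls take identical `objid, objidlen` arguments, so a small helper that walks all stores would keep a store added later from being missed.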
-- 
2.39.2

_______________________________________________
Gnupg-devel mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-devel