gpgsm: Handle re-issued CA certificates in a better way.
author Werner Koch <wk@gnupg.org>
Mon, 2 Jun 2014 14:02:30 +0000 (16:02 +0200)
committer Werner Koch <wk@gnupg.org>
Mon, 2 Jun 2014 14:07:26 +0000 (16:07 +0200)
commit 684b0bd4bfb846d03a531385e2d1251391dee1f5
tree 00a9542d84faf911d3dc79b56fd0f19c8636449d
parent 3121c4b6c17b19cbf2119d2658d69ce4cca908c6
gpgsm: Handle re-issued CA certificates in a better way.

* sm/certchain.c (find_up_search_by_keyid): Consider all matching
certificates.
(find_up): Add some debug messages.
--

The DFN-Verein recently re-issued its CA certificates without
generating new keys.  Thus looking up the chain using the authority
keyids works but may use still existing old certificates.  This may
break the CRL lookup in the Dirmngr.  The hack to fix this is by using
the latest issued certificate with the same subject key identifier.

As usual Peter Gutmann's X.509 style guide has some comments on that
re-issuing.

GnuPG-bug-id: 1644

Resolved conflicts:
sm/certchain.c  - whitespace fixes.
sm/certchain.c
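
The selection rule described in the commit message (use the latest issued certificate among those with the same subject key identifier), as an added example that is not taken from sm/certchain.c or from GnuPG. The struct, the function name find_latest_issuer, the sample data and the use of notBefore as the "latest issued" criterion are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified record; not a GnuPG or libksba type. */
struct cert {
    const char *subject;      /* subject DN */
    unsigned char ski[4];     /* subject key identifier, shortened here */
    const char *not_before;   /* ISO time string, sorts chronologically */
};

/* Constructed sample store: "Example CA" was re-issued with the same key. */
static const struct cert sample_store[] = {
    { "CN=Example CA", {0xde, 0xad, 0xbe, 0xef}, "20070101T000000" },
    { "CN=Other CA",   {0x01, 0x02, 0x03, 0x04}, "20150101T000000" },
    { "CN=Example CA", {0xde, 0xad, 0xbe, 0xef}, "20140211T000000" },
};
/* Authority key identifier taken from the certificate being verified. */
static const unsigned char sample_akid[4] = {0xde, 0xad, 0xbe, 0xef};

/* Return the index of the newest certificate whose subject equals
   issuer_dn and whose SKI equals akid, or -1 if none matches. */
int find_latest_issuer(const struct cert *store, size_t n,
                       const char *issuer_dn,
                       const unsigned char *akid, size_t akid_len)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(store[i].subject, issuer_dn) != 0)
            continue;               /* different CA name */
        if (akid_len != sizeof store[i].ski
            || memcmp(store[i].ski, akid, akid_len) != 0)
            continue;               /* different key */
        /* Do not stop at the first hit: an older certificate for the
           same key may come first. Keep the latest notBefore. */
        if (best < 0
            || strcmp(store[i].not_before, store[best].not_before) > 0)
            best = (int)i;
    }
    return best;
}

int main(void)
{
    int idx = find_latest_issuer(sample_store, 3, "CN=Example CA",
                                 sample_akid, sizeof sample_akid);
    printf("selected issuer index: %d\n", idx);
    return 0;
}
```

A lookup that returned the first match would pick index 0 here, the 2007 certificate, whose CRL distribution point may no longer be the one the CA serves.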