sm: Consider certificates w/o CRL DP as valid.

* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP. * common/audit.c (proc_type_verify): Print "n/a" if a cert has no distribution point. * sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check. * sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New. (opts): Add option --enable-issuer-based-crl-check. (main): Set option. -- If the issuer does not provide a DP and the user wants such an issuer, we expect that a certificate does not need revocation checks. The new option --enable-issuer-based-crl-check can be used to revert to the old behaviour which requires that a suitable LDAP server has been configured to lookup a CRL by issuer. Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-27 21:11:25 +01:00 · 2020-03-27 21:11:25 +01:00 · 0b583a555e
parent 4c4999b818
commit 0b583a555e
5 changed files with 34 additions and 0 deletions
--- a/common/audit.c
+++ b/common/audit.c
@ -1105,6 +1105,7 @@ proc_type_verify (audit_ctx_t ctx)
          switch (gpg_err_code (item->err))
            {
            case 0:                    ok = "good"; break;
+            case GPG_ERR_TRUE:         ok = "n/a";  break;
            case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
            case GPG_ERR_NOT_ENABLED:  ok = "disabled"; break;
            case GPG_ERR_NO_CRL_KNOWN:
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@ -469,6 +469,14 @@ hold in the keybox.  The suggested way of doing this is by using it
 along with the option @option{--with-validation} for a key listing
 command.  This option should not be used in a configuration file.

+@item --enable-issuer-based-crl-check
+@opindex enable-issuer-based-crl-check
+Run a CRL check even for certificates which do not have any CRL
+distribution point.  This requires that a suitable LDAP server has
+been configured in Dirmngr and that the CRL can be found using the
+issuer.  This option reverts to what GnuPG did up to version 2.2.20.
+This option is in general not useful.
+
@item  --enable-ocsp
@itemx --disable-ocsp
@opindex enable-ocsp
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -1055,6 +1055,24 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
      return 0;
    }

+
+  if (!(force_ocsp || ctrl->use_ocsp)
+      && !opt.enable_issuer_based_crl_check)
+    {
+      err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL);
+      if (gpg_err_code (err) == GPG_ERR_EOF)
+        {
+          /* No DP specified in the certificate.  Thus the CA does not
+           * consider a CRL useful and the user of the certificate
+           * also does not consider this to be a critical thing.  In
+           * this case we can conclude that the certificate shall not
+           * be revocable.  Note that we reach this point here only if
+           * no OCSP responder shall be used.  */
+          audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_TRUE));
+          return 0;
+        }
+    }
+
  err = gpgsm_dirmngr_isvalid (ctrl,
                               subject_cert, issuer_cert,
                               force_ocsp? 2 : !!ctrl->use_ocsp);
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@ -146,6 +146,7 @@ enum cmd_and_opt_values {
  oDisableTrustedCertCRLCheck,
  oEnableTrustedCertCRLCheck,
  oForceCRLRefresh,
+  oEnableIssuerBasedCRLCheck,

  oDisableOCSP,
  oEnableOCSP,
@ -412,6 +413,8 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_n (oDryRun, "dry-run", N_("do not make any changes")),
  ARGPARSE_s_s (oRequestOrigin,   "request-origin", "@"),
  ARGPARSE_s_n (oForceCRLRefresh, "force-crl-refresh", "@"),
+  ARGPARSE_s_n (oEnableIssuerBasedCRLCheck, "enable-issuer-based-crl-check",
+                "@"),
  ARGPARSE_s_s (oAuditLog, "audit-log",
                N_("|FILE|write an audit log to FILE")),
  ARGPARSE_s_s (oHtmlAuditLog, "html-audit-log", "@"),
@ -1268,6 +1271,9 @@ main ( int argc, char **argv)
        case oForceCRLRefresh:
          opt.force_crl_refresh = 1;
          break;
+        case oEnableIssuerBasedCRLCheck:
+          opt.enable_issuer_based_crl_check = 1;
+          break;

        case oDisableOCSP:
          ctrl.use_ocsp = opt.enable_ocsp = 0;
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -127,6 +127,7 @@ struct
  int no_crl_check;         /* Don't do a CRL check */
  int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
  int force_crl_refresh;    /* Force refreshing the CRL. */
+  int enable_issuer_based_crl_check; /* Backward compatibility hack.  */
  int enable_ocsp;          /* Default to use OCSP checks. */

  char *policy_file;        /* full pathname of policy file */