sm: Consider certificates w/o CRL DP as valid.

* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP. * common/audit.c (proc_type_verify): Print "n/a" if a cert has no distribution point. * sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check. * sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New. (opts): Add option --enable-issuer-based-crl-check. (main): Set option. -- If the issuer does not provide a DP and the user wants such an issuer, we expect that a certificate does not need revocation checks. The new option --enable-issuer-based-crl-check can be used to revert to the old behaviour which requires that a suitable LDAP server has been configured to lookup a CRL by issuer. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2020-03-27 21:11:25 +01:00 · 2020-03-27 21:11:25 +01:00 · 0b583a555e
commit 0b583a555e
parent 4c4999b818
5 changed files with 34 additions and 0 deletions
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@ -146,6 +146,7 @@ enum cmd_and_opt_values {
  oDisableTrustedCertCRLCheck,
  oEnableTrustedCertCRLCheck,
  oForceCRLRefresh,
+  oEnableIssuerBasedCRLCheck,

  oDisableOCSP,
  oEnableOCSP,
@ -412,6 +413,8 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_n (oDryRun, "dry-run", N_("do not make any changes")),
  ARGPARSE_s_s (oRequestOrigin,   "request-origin", "@"),
  ARGPARSE_s_n (oForceCRLRefresh, "force-crl-refresh", "@"),
+  ARGPARSE_s_n (oEnableIssuerBasedCRLCheck, "enable-issuer-based-crl-check",
+                "@"),
  ARGPARSE_s_s (oAuditLog, "audit-log",
                N_("|FILE|write an audit log to FILE")),
  ARGPARSE_s_s (oHtmlAuditLog, "html-audit-log", "@"),
@ -1268,6 +1271,9 @@ main ( int argc, char **argv)
        case oForceCRLRefresh:
          opt.force_crl_refresh = 1;
          break;
+        case oEnableIssuerBasedCRLCheck:
+          opt.enable_issuer_based_crl_check = 1;
+          break;

        case oDisableOCSP:
          ctrl.use_ocsp = opt.enable_ocsp = 0;