security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

sm: Consider certificates w/o CRL DP as valid.

Browse Source 
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP.
* common/audit.c (proc_type_verify): Print "n/a" if a cert has no
distribution point.
* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
(opts): Add option --enable-issuer-based-crl-check.
(main): Set option.
--

If the issuer does not provide a DP and the user wants such an issuer,
we expect that a certificate does not need revocation checks.  The new
option --enable-issuer-based-crl-check can be used to revert to the
old behaviour which requires that a suitable LDAP server has been
configured to lookup a CRL by issuer.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2020-03-27 21:11:25 +01:00
parent 4c4999b818
commit 0b583a555e
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
5 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
common/audit.c
View File

@ -1105,6 +1105,7 @@ proc_type_verify (audit_ctx_t ctx)
switch (gpg_err_code (item->err)) switch (gpg_err_code (item->err))
{ {
case 0: ok = "good"; break; case 0: ok = "good"; break;
case GPG_ERR_TRUE: ok = "n/a"; break;
case GPG_ERR_CERT_REVOKED: ok = "bad"; break; case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
case GPG_ERR_NOT_ENABLED: ok = "disabled"; break; case GPG_ERR_NOT_ENABLED: ok = "disabled"; break;
case GPG_ERR_NO_CRL_KNOWN: case GPG_ERR_NO_CRL_KNOWN:

8
doc/gpgsm.texi
View File

@ -469,6 +469,14 @@ hold in the keybox. The suggested way of doing this is by using it
along with the option @option{--with-validation} for a key listing along with the option @option{--with-validation} for a key listing
command. This option should not be used in a configuration file. command. This option should not be used in a configuration file.
@item --enable-issuer-based-crl-check
@opindex enable-issuer-based-crl-check
Run a CRL check even for certificates which do not have any CRL
distribution point. This requires that a suitable LDAP server has
been configured in Dirmngr and that the CRL can be found using the
issuer. This option reverts to what GnuPG did up to version 2.2.20.
This option is in general not useful.
@item --enable-ocsp @item --enable-ocsp
@itemx --disable-ocsp @itemx --disable-ocsp
@opindex enable-ocsp @opindex enable-ocsp

18
sm/certchain.c
View File

@ -1055,6 +1055,24 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
return 0; return 0;
} }
if (!(force_ocsp || ctrl->use_ocsp)
&& !opt.enable_issuer_based_crl_check)
{
err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL);
if (gpg_err_code (err) == GPG_ERR_EOF)
{
/* No DP specified in the certificate. Thus the CA does not
* consider a CRL useful and the user of the certificate
* also does not consider this to be a critical thing. In
* this case we can conclude that the certificate shall not
* be revocable. Note that we reach this point here only if
* no OCSP responder shall be used. */
audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_TRUE));
return 0;
}
}
err = gpgsm_dirmngr_isvalid (ctrl, err = gpgsm_dirmngr_isvalid (ctrl,
subject_cert, issuer_cert, subject_cert, issuer_cert,
force_ocsp? 2 : !!ctrl->use_ocsp); force_ocsp? 2 : !!ctrl->use_ocsp);

6
sm/gpgsm.c
View File

@ -146,6 +146,7 @@ enum cmd_and_opt_values {
oDisableTrustedCertCRLCheck, oDisableTrustedCertCRLCheck,
oEnableTrustedCertCRLCheck, oEnableTrustedCertCRLCheck,
oForceCRLRefresh, oForceCRLRefresh,
oEnableIssuerBasedCRLCheck,
oDisableOCSP, oDisableOCSP,
oEnableOCSP, oEnableOCSP,
@ -412,6 +413,8 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_n (oDryRun, "dry-run", N_("do not make any changes")), ARGPARSE_s_n (oDryRun, "dry-run", N_("do not make any changes")),
ARGPARSE_s_s (oRequestOrigin, "request-origin", "@"), ARGPARSE_s_s (oRequestOrigin, "request-origin", "@"),
ARGPARSE_s_n (oForceCRLRefresh, "force-crl-refresh", "@"), ARGPARSE_s_n (oForceCRLRefresh, "force-crl-refresh", "@"),
ARGPARSE_s_n (oEnableIssuerBasedCRLCheck, "enable-issuer-based-crl-check",
"@"),
ARGPARSE_s_s (oAuditLog, "audit-log", ARGPARSE_s_s (oAuditLog, "audit-log",
N_("|FILE|write an audit log to FILE")), N_("|FILE|write an audit log to FILE")),
ARGPARSE_s_s (oHtmlAuditLog, "html-audit-log", "@"), ARGPARSE_s_s (oHtmlAuditLog, "html-audit-log", "@"),
@ -1268,6 +1271,9 @@ main ( int argc, char **argv)
case oForceCRLRefresh: case oForceCRLRefresh:
opt.force_crl_refresh = 1; opt.force_crl_refresh = 1;
break; break;
case oEnableIssuerBasedCRLCheck:
opt.enable_issuer_based_crl_check = 1;
break;
case oDisableOCSP: case oDisableOCSP:
ctrl.use_ocsp = opt.enable_ocsp = 0; ctrl.use_ocsp = opt.enable_ocsp = 0;

1
sm/gpgsm.h
View File

@ -127,6 +127,7 @@ struct
int no_crl_check; /* Don't do a CRL check */ int no_crl_check; /* Don't do a CRL check */
int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */ int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
int force_crl_refresh; /* Force refreshing the CRL. */ int force_crl_refresh; /* Force refreshing the CRL. */
int enable_issuer_based_crl_check; /* Backward compatibility hack. */
int enable_ocsp; /* Default to use OCSP checks. */ int enable_ocsp; /* Default to use OCSP checks. */
char *policy_file; /* full pathname of policy file */ char *policy_file; /* full pathname of policy file */