diff --git a/common/audit.c b/common/audit.c index 179bf72fe..718f7292e 100644 --- a/common/audit.c +++ b/common/audit.c @@ -1105,6 +1105,7 @@ proc_type_verify (audit_ctx_t ctx) switch (gpg_err_code (item->err)) { case 0: ok = "good"; break; + case GPG_ERR_TRUE: ok = "n/a"; break; case GPG_ERR_CERT_REVOKED: ok = "bad"; break; case GPG_ERR_NOT_ENABLED: ok = "disabled"; break; case GPG_ERR_NO_CRL_KNOWN: diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index eb3036881..5e9a1b181 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -438,6 +438,14 @@ hold in the keybox. The suggested way of doing this is by using it along with the option @option{--with-validation} for a key listing command. This option should not be used in a configuration file. +@item --enable-issuer-based-crl-check +@opindex enable-issuer-based-crl-check +Run a CRL check even for certificates which do not have any CRL +distribution point. This requires that a suitable LDAP server has +been configured in Dirmngr and that the CRL can be found using the +issuer. This option reverts to what GnuPG did up to version 2.2.20. +This option is in general not useful. + @item --enable-ocsp @itemx --disable-ocsp @opindex enable-ocsp diff --git a/sm/certchain.c b/sm/certchain.c index f59dc7573..c71397b4d 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -1054,6 +1054,24 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, return 0; } + + if (!(force_ocsp || ctrl->use_ocsp) + && !opt.enable_issuer_based_crl_check) + { + err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL); + if (gpg_err_code (err) == GPG_ERR_EOF) + { + /* No DP specified in the certificate. Thus the CA does not + * consider a CRL useful and the user of the certificate + * also does not consider this to be a critical thing. In + * this case we can conclude that the certificate shall not + * be revocable. Note that we reach this point here only if + * no OCSP responder shall be used. */ + audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_TRUE)); + return 0; + } + } + err = gpgsm_dirmngr_isvalid (ctrl, subject_cert, issuer_cert, force_ocsp? 2 : !!ctrl->use_ocsp); diff --git a/sm/gpgsm.c b/sm/gpgsm.c index 387e4d2e4..bb2767283 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -144,6 +144,7 @@ enum cmd_and_opt_values { oDisableTrustedCertCRLCheck, oEnableTrustedCertCRLCheck, oForceCRLRefresh, + oEnableIssuerBasedCRLCheck, oDisableOCSP, oEnableOCSP, @@ -402,6 +403,8 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"), ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"), ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"), + ARGPARSE_s_n (oEnableIssuerBasedCRLCheck, "enable-issuer-based-crl-check", + "@"), /* Command aliases. */ ARGPARSE_c (aListKeys, "list-key", "@"), @@ -1202,6 +1205,9 @@ main ( int argc, char **argv) case oForceCRLRefresh: opt.force_crl_refresh = 1; break; + case oEnableIssuerBasedCRLCheck: + opt.enable_issuer_based_crl_check = 1; + break; case oDisableOCSP: ctrl.use_ocsp = opt.enable_ocsp = 0; diff --git a/sm/gpgsm.h b/sm/gpgsm.h index a9fb4c89b..d81e39230 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -124,6 +124,7 @@ struct int no_crl_check; /* Don't do a CRL check */ int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */ int force_crl_refresh; /* Force refreshing the CRL. */ + int enable_issuer_based_crl_check; /* Backward compatibility hack. */ int enable_ocsp; /* Default to use OCSP checks. */ char *policy_file; /* full pathname of policy file */