security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

sm: Consider certificates w/o CRL DP as valid.

Browse source 
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP.
* common/audit.c (proc_type_verify): Print "n/a" if a cert has no
distribution point.
* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
(opts): Add option --enable-issuer-based-crl-check.
(main): Set option.
--

If the issuer does not provide a DP and the user wants such an issuer,
we expect that a certificate does not need revocation checks.  The new
option --enable-issuer-based-crl-check can be used to revert to the
old behaviour which requires that a suitable LDAP server has been
configured to lookup a CRL by issuer.

Signed-off-by: Werner Koch <wk@gnupg.org>

(cherry picked from master)
This commit is contained in:
Werner Koch 2020-03-27 21:11:25 +01:00
parent bc7e56d9dc
commit 1424c12e4c
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
5 changed files with 34 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
common/audit.c
View file

@ -1105,6 +1105,7 @@ proc_type_verify (audit_ctx_t ctx)
switch (gpg_err_code (item->err))
{
case 0: ok = "good"; break;
case GPG_ERR_TRUE: ok = "n/a"; break;
case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
case GPG_ERR_NOT_ENABLED: ok = "disabled"; break;
case GPG_ERR_NO_CRL_KNOWN: