mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
sm: Consider certificates w/o CRL DP as valid.
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP. * common/audit.c (proc_type_verify): Print "n/a" if a cert has no distribution point. * sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check. * sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New. (opts): Add option --enable-issuer-based-crl-check. (main): Set option. -- If the issuer does not provide a DP and the user wants such an issuer, we expect that a certificate does not need revocation checks. The new option --enable-issuer-based-crl-check can be used to revert to the old behaviour which requires that a suitable LDAP server has been configured to lookup a CRL by issuer. Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from master)
This commit is contained in:
parent
bc7e56d9dc
commit
1424c12e4c
@ -1105,6 +1105,7 @@ proc_type_verify (audit_ctx_t ctx)
|
||||
switch (gpg_err_code (item->err))
|
||||
{
|
||||
case 0: ok = "good"; break;
|
||||
case GPG_ERR_TRUE: ok = "n/a"; break;
|
||||
case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
|
||||
case GPG_ERR_NOT_ENABLED: ok = "disabled"; break;
|
||||
case GPG_ERR_NO_CRL_KNOWN:
|
||||
|
@ -438,6 +438,14 @@ hold in the keybox. The suggested way of doing this is by using it
|
||||
along with the option @option{--with-validation} for a key listing
|
||||
command. This option should not be used in a configuration file.
|
||||
|
||||
@item --enable-issuer-based-crl-check
|
||||
@opindex enable-issuer-based-crl-check
|
||||
Run a CRL check even for certificates which do not have any CRL
|
||||
distribution point. This requires that a suitable LDAP server has
|
||||
been configured in Dirmngr and that the CRL can be found using the
|
||||
issuer. This option reverts to what GnuPG did up to version 2.2.20.
|
||||
This option is in general not useful.
|
||||
|
||||
@item --enable-ocsp
|
||||
@itemx --disable-ocsp
|
||||
@opindex enable-ocsp
|
||||
|
@ -1054,6 +1054,24 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
if (!(force_ocsp || ctrl->use_ocsp)
|
||||
&& !opt.enable_issuer_based_crl_check)
|
||||
{
|
||||
err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL);
|
||||
if (gpg_err_code (err) == GPG_ERR_EOF)
|
||||
{
|
||||
/* No DP specified in the certificate. Thus the CA does not
|
||||
* consider a CRL useful and the user of the certificate
|
||||
* also does not consider this to be a critical thing. In
|
||||
* this case we can conclude that the certificate shall not
|
||||
* be revocable. Note that we reach this point here only if
|
||||
* no OCSP responder shall be used. */
|
||||
audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_TRUE));
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
err = gpgsm_dirmngr_isvalid (ctrl,
|
||||
subject_cert, issuer_cert,
|
||||
force_ocsp? 2 : !!ctrl->use_ocsp);
|
||||
|
@ -144,6 +144,7 @@ enum cmd_and_opt_values {
|
||||
oDisableTrustedCertCRLCheck,
|
||||
oEnableTrustedCertCRLCheck,
|
||||
oForceCRLRefresh,
|
||||
oEnableIssuerBasedCRLCheck,
|
||||
|
||||
oDisableOCSP,
|
||||
oEnableOCSP,
|
||||
@ -402,6 +403,8 @@ static ARGPARSE_OPTS opts[] = {
|
||||
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
|
||||
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
|
||||
ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
|
||||
ARGPARSE_s_n (oEnableIssuerBasedCRLCheck, "enable-issuer-based-crl-check",
|
||||
"@"),
|
||||
|
||||
/* Command aliases. */
|
||||
ARGPARSE_c (aListKeys, "list-key", "@"),
|
||||
@ -1202,6 +1205,9 @@ main ( int argc, char **argv)
|
||||
case oForceCRLRefresh:
|
||||
opt.force_crl_refresh = 1;
|
||||
break;
|
||||
case oEnableIssuerBasedCRLCheck:
|
||||
opt.enable_issuer_based_crl_check = 1;
|
||||
break;
|
||||
|
||||
case oDisableOCSP:
|
||||
ctrl.use_ocsp = opt.enable_ocsp = 0;
|
||||
|
@ -124,6 +124,7 @@ struct
|
||||
int no_crl_check; /* Don't do a CRL check */
|
||||
int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
|
||||
int force_crl_refresh; /* Force refreshing the CRL. */
|
||||
int enable_issuer_based_crl_check; /* Backward compatibility hack. */
|
||||
int enable_ocsp; /* Default to use OCSP checks. */
|
||||
|
||||
char *policy_file; /* full pathname of policy file */
|
||||
|
Loading…
x
Reference in New Issue
Block a user