(gpgsm_validate_chain): Check revocations even for

expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not.
2024-12-22 10:19:57 +01:00 · 2005-04-21 07:16:41 +00:00 · 2005-04-21 07:16:41 +00:00 · 314c234e7d
commit 314c234e7d
parent 526ed521a7
3 changed files with 21 additions and 7 deletions
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@ -1,3 +1,19 @@
+2005-04-21  Werner Koch  <wk@g10code.com>
+
+	* certchain.c (gpgsm_validate_chain): Check revocations even for
+	expired certificates.  This is required because on signature
+	verification an expired key is fine whereas a revoked one is not.
+
+2005-04-20  Werner Koch  <wk@g10code.com>
+
+	* Makefile.am (AM_CFLAGS): Add PTH_CFLAGS as noted by several folks.
+
+2005-04-19  Werner Koch  <wk@g10code.com>
+
+	* certchain.c (check_cert_policy): Print the diagnostic for a open
+	failure of policies.txt only in verbose mode or when it is not
+	ENOENT.
+
 2005-04-17  Werner Koch  <wk@g10code.com>

 	* call-dirmngr.c (inq_certificate): Add new inquire SENDCERT_SKI.
--- a/sm/Makefile.am
+++ b/sm/Makefile.am
@ -21,7 +21,8 @@

 bin_PROGRAMS = gpgsm

-AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(LIBASSUAN_CFLAGS) $(KSBA_CFLAGS)
+AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(LIBASSUAN_CFLAGS) $(KSBA_CFLAGS) \
+            $(PTH_CFLAGS)

 AM_CPPFLAGS = -I$(top_srcdir)/common -I$(top_srcdir)/intl 
 include $(top_srcdir)/am/cmacros.am
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -175,8 +175,9 @@ check_cert_policy (ksba_cert_t cert, int listmode, FILE *fplist)
  fp = fopen (opt.policy_file, "r");
  if (!fp)
    {
-      log_error ("failed to open `%s': %s\n",
-                 opt.policy_file, strerror (errno));
+      if (opt.verbose || errno != ENOENT)
+        log_info (_("failed to open `%s': %s\n"),
+                  opt.policy_file, strerror (errno));
      xfree (policies);
      /* With no critical policies this is only a warning */
      if (!any_critical)
@ -816,8 +817,6 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
          /* Check for revocations etc. */
          if ((flags & 1))
            rc = 0;
-          else if (any_expired)
-            ; /* Don't bother to run the expensive CRL check then. */
          else
            rc = is_cert_still_valid (ctrl, lm, fp,
                                      subject_cert, subject_cert,
@ -953,8 +952,6 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
      /* Check for revocations etc. */
      if ((flags & 1))
        rc = 0;
-      else if (any_expired)
-        ; /* Don't bother to run the expensive CRL check then. */
      else
        rc = is_cert_still_valid (ctrl, lm, fp,
                                  subject_cert, issuer_cert,