security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

* configure.ac: Do not build gpg by default.

Browse source 
* gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check.
* certchain.c (gpgsm_validate_chain): Make use of it.

* certchain.c (gpgsm_validate_chain): Check revocations even for
expired certificates.  This is required because on signature
verification an expired key is fine whereas a revoked one is not.

* gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check.
This commit is contained in:
Werner Koch 2005-04-21 09:33:07 +00:00
parent 314c234e7d
commit 3ff9a743bf
15 changed files with 97 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

3
sm/ChangeLog
View file

@ -1,5 +1,8 @@
2005-04-21 Werner Koch <wk@g10code.com>
* gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check.
* certchain.c (gpgsm_validate_chain): Make use of it.
* certchain.c (gpgsm_validate_chain): Check revocations even for
expired certificates. This is required because on signature
verification an expired key is fine whereas a revoked one is not.

10
sm/certchain.c
View file

@ -752,13 +752,13 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
}
/* Is this a self-signed certificate? */
/* Is this a self-issued certificate? */
if (subject && !strcmp (issuer, subject))
{ /* Yes. */
if (gpgsm_check_cert_sig (subject_cert, subject_cert) )
{
do_list (1, lm, fp,
_("selfsigned certificate has a BAD signature"));
_("self-signed certificate has a BAD signature"));
if (DBG_X509)
{
gpgsm_dump_cert ("self-signing cert", subject_cert);
@ -816,7 +816,9 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
/* Check for revocations etc. */
if ((flags & 1))
rc = 0;
;
else if (opt.no_trusted_cert_crl_check)
;
else
rc = is_cert_still_valid (ctrl, lm, fp,
subject_cert, subject_cert,
@ -1045,7 +1047,7 @@ gpgsm_basic_cert_check (ksba_cert_t cert)
rc = gpgsm_check_cert_sig (cert, cert);
if (rc)
{
log_error ("selfsigned certificate has a BAD signature: %s\n",
log_error ("self-signed certificate has a BAD signature: %s\n",
gpg_strerror (rc));
if (DBG_X509)
{

12
sm/gpgsm.c
View file

@ -130,6 +130,8 @@ enum cmd_and_opt_values {
oDisableCRLChecks,
oEnableCRLChecks,
oDisableTrustedCertCRLCheck,
oEnableTrustedCertCRLCheck,
oForceCRLRefresh,
oDisableOCSP,
@ -285,6 +287,8 @@ static ARGPARSE_OPTS opts[] = {
N_("use system's dirmngr if available")},
{ oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
{ oEnableCRLChecks, "enable-crl-checks", 0, "@"},
{ oDisableTrustedCertCRLCheck, "disable-trusted-cert-crl-check", 0, "@"},
{ oEnableTrustedCertCRLCheck, "enable-trusted-cert-crl-check", 0, "@"},
{ oForceCRLRefresh, "force-crl-refresh", 0, "@"},
{ oDisableOCSP, "disable-ocsp", 0, "@" },
@ -973,6 +977,12 @@ main ( int argc, char **argv)
case oEnableCRLChecks:
opt.no_crl_check = 0;
break;
case oDisableTrustedCertCRLCheck:
opt.no_trusted_cert_crl_check = 1;
break;
case oEnableTrustedCertCRLCheck:
opt.no_trusted_cert_crl_check = 0;
break;
case oForceCRLRefresh:
opt.force_crl_refresh = 1;
break;
@ -1352,6 +1362,8 @@ main ( int argc, char **argv)
GC_OPT_FLAG_NONE );
printf ("disable-crl-checks:%lu:\n",
GC_OPT_FLAG_NONE );
printf ("disable-trusted-cert-crl-check:%lu:\n",
GC_OPT_FLAG_NONE );
printf ("enable-ocsp:%lu:\n",
GC_OPT_FLAG_NONE );
printf ("include-certs:%lu:1:\n",

1
sm/gpgsm.h
View file

@ -97,6 +97,7 @@ struct {
int ignore_time_conflict; /* Ignore certain time conflicts */
int no_crl_check; /* Don't do a CRL check */
int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
int force_crl_refresh; /* Force refreshing the CRL. */
int enable_ocsp; /* Default to use OCSP checks. */