* configure.ac: Do not build gpg by default.
* gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check. * certchain.c (gpgsm_validate_chain): Make use of it. * certchain.c (gpgsm_validate_chain): Check revocations even for expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not. * gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check.
This commit is contained in:
parent
314c234e7d
commit
3ff9a743bf
@ -1,3 +1,12 @@
|
|||||||
|
2005-04-21 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* configure.ac: Do not build gpg by default.
|
||||||
|
|
||||||
|
2005-04-20 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* configure.ac: Test whether GPG_ERR_LOCKED is declared and
|
||||||
|
provide a replacement if not.
|
||||||
|
|
||||||
2005-04-15 Werner Koch <wk@g10code.com>
|
2005-04-15 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
* configure.ac: Require libksba 0.9.11.
|
* configure.ac: Require libksba 0.9.11.
|
||||||
|
5
README
5
README
@ -11,7 +11,8 @@ available in 1.9.
|
|||||||
|
|
||||||
You should use this GnuPG version if you want to use the gpg-agent or
|
You should use this GnuPG version if you want to use the gpg-agent or
|
||||||
gpgsm (the S/MIME variant of gpg). Note that the gpg-agent is also
|
gpgsm (the S/MIME variant of gpg). Note that the gpg-agent is also
|
||||||
helpful when using the standard gpg versions (1.2.x or 1.3.x).
|
helpful when using the standard gpg versions (1.3.x as well as some of
|
||||||
|
the old 1.2.x).
|
||||||
|
|
||||||
|
|
||||||
BUILD INSTRUCTIONS
|
BUILD INSTRUCTIONS
|
||||||
@ -51,7 +52,7 @@ If everything succeeds, you have a working GnuPG with support for
|
|||||||
S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so
|
S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so
|
||||||
that this package won't confict with a GnuPG 1.2 or 1.3
|
that this package won't confict with a GnuPG 1.2 or 1.3
|
||||||
installation. gpg2 behaves just like gpg; it is however suggested to
|
installation. gpg2 behaves just like gpg; it is however suggested to
|
||||||
keep using gpg 1.2.x or 1.3.x.
|
keep using gpg 1.2.x or 1.3.x. gpg2 is not even build by default.
|
||||||
|
|
||||||
In case of problem please ask on gpa-dev@gnupg.org for advise. Note
|
In case of problem please ask on gpa-dev@gnupg.org for advise. Note
|
||||||
that this release is only expected to build on GNU and *BSD systems.
|
that this release is only expected to build on GNU and *BSD systems.
|
||||||
|
29
TODO
29
TODO
@ -1,10 +1,5 @@
|
|||||||
-*- outline -*-
|
-*- outline -*-
|
||||||
|
|
||||||
* IMPORTANT
|
|
||||||
Check that openpty and pty.h are available and build symcryptrun only
|
|
||||||
then. Run shred on the temporary files.
|
|
||||||
|
|
||||||
|
|
||||||
* src/base64
|
* src/base64
|
||||||
** Make parsing more robust
|
** Make parsing more robust
|
||||||
Currently we don't cope with overlong lines in the best way.
|
Currently we don't cope with overlong lines in the best way.
|
||||||
@ -23,14 +18,7 @@ might want to have an agent context for each service request
|
|||||||
|
|
||||||
* sm/certchain.c
|
* sm/certchain.c
|
||||||
** When a certificate chain was sucessfully verified, make ephemeral certs used in this chain permanent.
|
** When a certificate chain was sucessfully verified, make ephemeral certs used in this chain permanent.
|
||||||
** figure out how to auto retrieve a key by serialno+issuer.
|
|
||||||
Dirmngr is currently not able to parse more than the CN.
|
|
||||||
|
|
||||||
* sm/certlist.c
|
|
||||||
** ocspSigning usage is not fully implemented
|
|
||||||
We should review the entire CRL and OCSP validation system.
|
|
||||||
Okay. This has been fixed in dirmngr when running it in system
|
|
||||||
daemon mode.
|
|
||||||
|
|
||||||
* sm/decrypt.c
|
* sm/decrypt.c
|
||||||
** replace leading zero in integer hack by a cleaner solution
|
** replace leading zero in integer hack by a cleaner solution
|
||||||
@ -58,8 +46,6 @@ might want to have an agent context for each service request
|
|||||||
** A SIGHUP should also restart the scdaemon
|
** A SIGHUP should also restart the scdaemon
|
||||||
But do this only after all connections terminated. As of now we
|
But do this only after all connections terminated. As of now we
|
||||||
only send a RESET.
|
only send a RESET.
|
||||||
** Watch the child process if not invoked as a daemon
|
|
||||||
and terminate after the child has terminated
|
|
||||||
|
|
||||||
* agent/command.c
|
* agent/command.c
|
||||||
** Make sure that secure memory is used where appropriate
|
** Make sure that secure memory is used where appropriate
|
||||||
@ -69,7 +55,8 @@ might want to have an agent context for each service request
|
|||||||
** Support DSA
|
** Support DSA
|
||||||
|
|
||||||
* agent/divert-scd.c
|
* agent/divert-scd.c
|
||||||
Remove the agent_reset_scd kludge.
|
Remove the agent_reset_scd kludge. We will do this after Scdaemon
|
||||||
|
has been changed to allow multiple sessions. Currently in progress.
|
||||||
|
|
||||||
* Move pkcs-1 encoding into libgcrypt.
|
* Move pkcs-1 encoding into libgcrypt.
|
||||||
|
|
||||||
@ -93,11 +80,7 @@ might want to have an agent context for each service request
|
|||||||
** Explain how to setup a root CA key as trusted
|
** Explain how to setup a root CA key as trusted
|
||||||
** Explain how trustlist.txt might be managed.
|
** Explain how trustlist.txt might be managed.
|
||||||
** Write a script to generate man pages from texi.
|
** Write a script to generate man pages from texi.
|
||||||
|
In progress (yatm)
|
||||||
* Requirements by the BSI
|
|
||||||
** Support authorityKeyIdentifier.keyIdentifier
|
|
||||||
This needs support in libksba/src/cert.c as well as in sm/*.c.
|
|
||||||
Need test certs as well. Same goes for CRL authorityKeyIdentifier.
|
|
||||||
|
|
||||||
|
|
||||||
* Windows port
|
* Windows port
|
||||||
@ -108,5 +91,9 @@ might want to have an agent context for each service request
|
|||||||
** No card status notifications.
|
** No card status notifications.
|
||||||
|
|
||||||
|
|
||||||
* [scdaemon] release the card after use so that gpg 1.4 is abale to access it
|
* scd/
|
||||||
|
** Release the card after use so that gpg 1.4 is able to access it
|
||||||
|
This won't be a sufficient change. we need to change gpg 1.4 to make
|
||||||
|
use of the agent. Work is underway.
|
||||||
|
|
||||||
|
|
||||||
|
11
configure.ac
11
configure.ac
@ -62,7 +62,7 @@ have_ksba=no
|
|||||||
have_opensc=no
|
have_opensc=no
|
||||||
have_pth=no
|
have_pth=no
|
||||||
|
|
||||||
GNUPG_BUILD_PROGRAM(gpg, yes)
|
GNUPG_BUILD_PROGRAM(gpg, no)
|
||||||
GNUPG_BUILD_PROGRAM(gpgsm, yes)
|
GNUPG_BUILD_PROGRAM(gpgsm, yes)
|
||||||
GNUPG_BUILD_PROGRAM(agent, yes)
|
GNUPG_BUILD_PROGRAM(agent, yes)
|
||||||
GNUPG_BUILD_PROGRAM(scdaemon, yes)
|
GNUPG_BUILD_PROGRAM(scdaemon, yes)
|
||||||
@ -313,6 +313,11 @@ AH_BOTTOM([
|
|||||||
#define EXEC_TEMPFILE_ONLY
|
#define EXEC_TEMPFILE_ONLY
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Temporary hacks to avoid requring a libgpg-error update. */
|
||||||
|
#if !HAVE_DECL_GPG_ERR_LOCKED
|
||||||
|
#define GPG_ERR_LOCKED 173
|
||||||
|
#endif
|
||||||
|
|
||||||
])
|
])
|
||||||
|
|
||||||
AM_MAINTAINER_MODE
|
AM_MAINTAINER_MODE
|
||||||
@ -437,6 +442,10 @@ AM_CONDITIONAL(HAVE_W32_SYSTEM, test "$have_w32_system" = yes)
|
|||||||
#
|
#
|
||||||
AM_PATH_GPG_ERROR("$NEED_GPG_ERROR_VERSION",
|
AM_PATH_GPG_ERROR("$NEED_GPG_ERROR_VERSION",
|
||||||
have_gpg_error=yes,have_gpg_error=no)
|
have_gpg_error=yes,have_gpg_error=no)
|
||||||
|
_tmp_gpg_error_save_cflags="$CFLAGS"
|
||||||
|
CFLAGS="$CFLAGS $GPG_ERROR_CFLAGS"
|
||||||
|
AC_CHECK_DECLS(GPG_ERR_LOCKED,,,[#include <gpg-error.h>])
|
||||||
|
CFLAGS="${_tmp_gpg_error_save_cflags}"
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
|
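Review bot: The fallback `#define GPG_ERR_LOCKED 173` in the AH_BOTTOM block pins a numeric error code that is owned by libgpg-error; a gpgsm or scdaemon built against an older header will emit that number regardless of what a later libgpg-error assigns to the symbol, so the two must stay in step. The block is already labelled a temporary hack, but it does not say when it may go; I would extend the comment to `/* Temporary hack: drop once NEED_GPG_ERROR_VERSION requires a libgpg-error that declares GPG_ERR_LOCKED. */`. Note that the AC_CHECK_DECLS test runs even when AM_PATH_GPG_ERROR reports have_gpg_error=no, in which case the declaration check presumably fails and the fallback is used silently; that is acceptable only because the build is expected to abort later on the missing library.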
@ -315,6 +315,18 @@ By default the @acronym{CRL} checks are enabled and the DirMngr is used
|
|||||||
to check for revoked certificates. The disable option is most useful
|
to check for revoked certificates. The disable option is most useful
|
||||||
with an off-line network connection to suppress this check.
|
with an off-line network connection to suppress this check.
|
||||||
|
|
||||||
|
@item --enable-trusted-cert-crl-check
|
||||||
|
@itemx --disable-trusted-cert-crl-check
|
||||||
|
@opindex enable-trusted-cert-crl-check
|
||||||
|
@opindex disable-trusted-cert-crl-check
|
||||||
|
By default the @acronym{CRL} for trusted root certificates are checked
|
||||||
|
like for any other certificates. This allows a CA to revoke its own
|
||||||
|
certificates voluntary without the need of putting all ever issued
|
||||||
|
certificates into a CRL. The disable option may be used to switch this
|
||||||
|
extra check off. Due to the caching done by the Dirmngr, there won't be
|
||||||
|
any noticeable performance gain. Note, that this also disables possible
|
||||||
|
OCSP checks for trusted root certificates.
|
||||||
|
|
||||||
@item --force-crl-refresh
|
@item --force-crl-refresh
|
||||||
@opindex force-crl-refresh
|
@opindex force-crl-refresh
|
||||||
Tell the dirmngr to reload the CRL for each request. For better
|
Tell the dirmngr to reload the CRL for each request. For better
|
||||||
|
@ -1,3 +1,7 @@
|
|||||||
|
2005-04-20 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* command.c: Use GPG_ERR_LOCKED instead of EBUSY.
|
||||||
|
|
||||||
2005-04-14 Werner Koch <wk@g10code.com>
|
2005-04-14 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
* app-openpgp.c (retrieve_key_material): Rewritten. Return a
|
* app-openpgp.c (retrieve_key_material): Rewritten. Return a
|
||||||
|
@ -1274,7 +1274,7 @@ ccid_poll (ccid_driver_t handle)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Note that this fucntion won't return the error codes NO_CARD or
|
/* Note that this function won't return the error codes NO_CARD or
|
||||||
CARD_INACTIVE */
|
CARD_INACTIVE */
|
||||||
int
|
int
|
||||||
ccid_slot_status (ccid_driver_t handle, int *statusbits)
|
ccid_slot_status (ccid_driver_t handle, int *statusbits)
|
||||||
|
@ -263,7 +263,7 @@ open_card (ctrl_t ctrl, const char *apptype)
|
|||||||
return 0; /* Already initialized using a card context. */
|
return 0; /* Already initialized using a card context. */
|
||||||
|
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
if (ctrl->reader_slot != -1)
|
if (ctrl->reader_slot != -1)
|
||||||
slot = ctrl->reader_slot;
|
slot = ctrl->reader_slot;
|
||||||
@ -360,7 +360,7 @@ cmd_serialno (assuan_context_t ctx, char *line)
|
|||||||
if (ctrl->server_local->card_removed)
|
if (ctrl->server_local->card_removed)
|
||||||
{
|
{
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
do_reset (ctrl, 0);
|
do_reset (ctrl, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -745,7 +745,7 @@ cmd_setdata (assuan_context_t ctx, char *line)
|
|||||||
unsigned char *buf;
|
unsigned char *buf;
|
||||||
|
|
||||||
if (locked_session && locked_session != ctrl->server_local)
|
if (locked_session && locked_session != ctrl->server_local)
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
/* Parse the hexstring. */
|
/* Parse the hexstring. */
|
||||||
for (p=line,n=0; hexdigitp (p); p++, n++)
|
for (p=line,n=0; hexdigitp (p); p++, n++)
|
||||||
@ -817,7 +817,7 @@ cmd_pksign (assuan_context_t ctx, char *line)
|
|||||||
char *keyidstr;
|
char *keyidstr;
|
||||||
|
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
if ((rc = open_card (ctrl, NULL)))
|
if ((rc = open_card (ctrl, NULL)))
|
||||||
return rc;
|
return rc;
|
||||||
@ -871,7 +871,7 @@ cmd_pkauth (assuan_context_t ctx, char *line)
|
|||||||
char *keyidstr;
|
char *keyidstr;
|
||||||
|
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
if ((rc = open_card (ctrl, NULL)))
|
if ((rc = open_card (ctrl, NULL)))
|
||||||
return rc;
|
return rc;
|
||||||
@ -921,7 +921,7 @@ cmd_pkdecrypt (assuan_context_t ctx, char *line)
|
|||||||
char *keyidstr;
|
char *keyidstr;
|
||||||
|
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
if ((rc = open_card (ctrl, NULL)))
|
if ((rc = open_card (ctrl, NULL)))
|
||||||
return rc;
|
return rc;
|
||||||
@ -1021,7 +1021,7 @@ cmd_setattr (assuan_context_t ctx, char *orig_line)
|
|||||||
char *line, *linebuf;
|
char *line, *linebuf;
|
||||||
|
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
if ((rc = open_card (ctrl, NULL)))
|
if ((rc = open_card (ctrl, NULL)))
|
||||||
return rc;
|
return rc;
|
||||||
@ -1076,7 +1076,7 @@ cmd_genkey (assuan_context_t ctx, char *line)
|
|||||||
int force = has_option (line, "--force");
|
int force = has_option (line, "--force");
|
||||||
|
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
/* Skip over options. */
|
/* Skip over options. */
|
||||||
while ( *line == '-' && line[1] == '-' )
|
while ( *line == '-' && line[1] == '-' )
|
||||||
@ -1165,7 +1165,7 @@ cmd_passwd (assuan_context_t ctx, char *line)
|
|||||||
int reset_mode = has_option (line, "--reset");
|
int reset_mode = has_option (line, "--reset");
|
||||||
|
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
/* Skip over options. */
|
/* Skip over options. */
|
||||||
while (*line == '-' && line[1] == '-')
|
while (*line == '-' && line[1] == '-')
|
||||||
@ -1212,7 +1212,7 @@ cmd_checkpin (assuan_context_t ctx, char *line)
|
|||||||
char *keyidstr;
|
char *keyidstr;
|
||||||
|
|
||||||
if ( IS_LOCKED (ctrl) )
|
if ( IS_LOCKED (ctrl) )
|
||||||
return gpg_error (GPG_ERR_EBUSY);
|
return gpg_error (GPG_ERR_LOCKED);
|
||||||
|
|
||||||
if ((rc = open_card (ctrl, NULL)))
|
if ((rc = open_card (ctrl, NULL)))
|
||||||
return rc;
|
return rc;
|
||||||
@ -1244,7 +1244,7 @@ cmd_checkpin (assuan_context_t ctx, char *line)
|
|||||||
Grant exclusive card access to this session. Note that there is
|
Grant exclusive card access to this session. Note that there is
|
||||||
no lock counter used and a second lock from the same session will
|
no lock counter used and a second lock from the same session will
|
||||||
get ignore. A single unlock (or RESET) unlocks the session.
|
get ignore. A single unlock (or RESET) unlocks the session.
|
||||||
Return GPG_ERR_EBUSY if another session has locked the reader.
|
Return GPG_ERR_LOCKED if another session has locked the reader.
|
||||||
|
|
||||||
If the option --wait is given the command will wait until a
|
If the option --wait is given the command will wait until a
|
||||||
lock has been released.
|
lock has been released.
|
||||||
@ -1259,7 +1259,7 @@ cmd_lock (assuan_context_t ctx, char *line)
|
|||||||
if (locked_session)
|
if (locked_session)
|
||||||
{
|
{
|
||||||
if (locked_session != ctrl->server_local)
|
if (locked_session != ctrl->server_local)
|
||||||
rc = gpg_error (GPG_ERR_EBUSY);
|
rc = gpg_error (GPG_ERR_LOCKED);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
locked_session = ctrl->server_local;
|
locked_session = ctrl->server_local;
|
||||||
@ -1293,7 +1293,7 @@ cmd_unlock (assuan_context_t ctx, char *line)
|
|||||||
if (locked_session)
|
if (locked_session)
|
||||||
{
|
{
|
||||||
if (locked_session != ctrl->server_local)
|
if (locked_session != ctrl->server_local)
|
||||||
rc = gpg_error (GPG_ERR_EBUSY);
|
rc = gpg_error (GPG_ERR_LOCKED);
|
||||||
else
|
else
|
||||||
locked_session = NULL;
|
locked_session = NULL;
|
||||||
}
|
}
|
||||||
|
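Review bot: cmd_setdata (hunk `@ -745`) still spells the lock test out as `if (locked_session && locked_session != ctrl->server_local)` in front of the new `return gpg_error (GPG_ERR_LOCKED);`, while open_card, cmd_serialno, cmd_pksign, cmd_pkauth, cmd_pkdecrypt, cmd_setattr, cmd_genkey, cmd_passwd and cmd_checkpin all use `IS_LOCKED (ctrl)` for the same decision. If IS_LOCKED expands to that condition, changing the line to `if ( IS_LOCKED (ctrl) )` keeps the exclusive-access policy in one place and makes a future change to the lock rule a single edit. None of these hunks shows its enclosing function in full. The EBUSY→LOCKED substitution itself is consistent across all hunks, including the cmd_lock help text.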
@ -1,5 +1,8 @@
|
|||||||
2005-04-21 Werner Koch <wk@g10code.com>
|
2005-04-21 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check.
|
||||||
|
* certchain.c (gpgsm_validate_chain): Make use of it.
|
||||||
|
|
||||||
* certchain.c (gpgsm_validate_chain): Check revocations even for
|
* certchain.c (gpgsm_validate_chain): Check revocations even for
|
||||||
expired certificates. This is required because on signature
|
expired certificates. This is required because on signature
|
||||||
verification an expired key is fine whereas a revoked one is not.
|
verification an expired key is fine whereas a revoked one is not.
|
||||||
|
@ -752,13 +752,13 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Is this a self-signed certificate? */
|
/* Is this a self-issued certificate? */
|
||||||
if (subject && !strcmp (issuer, subject))
|
if (subject && !strcmp (issuer, subject))
|
||||||
{ /* Yes. */
|
{ /* Yes. */
|
||||||
if (gpgsm_check_cert_sig (subject_cert, subject_cert) )
|
if (gpgsm_check_cert_sig (subject_cert, subject_cert) )
|
||||||
{
|
{
|
||||||
do_list (1, lm, fp,
|
do_list (1, lm, fp,
|
||||||
_("selfsigned certificate has a BAD signature"));
|
_("self-signed certificate has a BAD signature"));
|
||||||
if (DBG_X509)
|
if (DBG_X509)
|
||||||
{
|
{
|
||||||
gpgsm_dump_cert ("self-signing cert", subject_cert);
|
gpgsm_dump_cert ("self-signing cert", subject_cert);
|
||||||
@ -816,7 +816,9 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
|
|||||||
|
|
||||||
/* Check for revocations etc. */
|
/* Check for revocations etc. */
|
||||||
if ((flags & 1))
|
if ((flags & 1))
|
||||||
rc = 0;
|
;
|
||||||
|
else if (opt.no_trusted_cert_crl_check)
|
||||||
|
;
|
||||||
else
|
else
|
||||||
rc = is_cert_still_valid (ctrl, lm, fp,
|
rc = is_cert_still_valid (ctrl, lm, fp,
|
||||||
subject_cert, subject_cert,
|
subject_cert, subject_cert,
|
||||||
@ -1045,7 +1047,7 @@ gpgsm_basic_cert_check (ksba_cert_t cert)
|
|||||||
rc = gpgsm_check_cert_sig (cert, cert);
|
rc = gpgsm_check_cert_sig (cert, cert);
|
||||||
if (rc)
|
if (rc)
|
||||||
{
|
{
|
||||||
log_error ("selfsigned certificate has a BAD signature: %s\n",
|
log_error ("self-signed certificate has a BAD signature: %s\n",
|
||||||
gpg_strerror (rc));
|
gpg_strerror (rc));
|
||||||
if (DBG_X509)
|
if (DBG_X509)
|
||||||
{
|
{
|
||||||
|
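Review bot: In hunk `@ -816` the `(flags & 1)` branch went from `rc = 0;` to an empty statement and the new `opt.no_trusted_cert_crl_check` branch is empty too, so on both paths rc now keeps whatever the preceding code left in it; given the ChangeLog entry about checking revocations even for expired certificates this looks intentional, but nothing in the hunk says so. I would write it down: `/* Keep any error RC already holds; skipping the revocation check must not clear it. */`. The two empty branches could also collapse into one guard, `if (!(flags & 1) && !opt.no_trusted_cert_crl_check) rc = is_cert_still_valid (ctrl, lm, fp, subject_cert, subject_cert, ...);`. gpgsm_validate_chain starts and ends outside the hunk; this code appears to sit in the self-issued branch shown in hunk `@ -752`, which would mean the option exempts only the chain's root from CRL/OCSP checking, as the texinfo text states, but that should be confirmed against the full function.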
12
sm/gpgsm.c
12
sm/gpgsm.c
@ -130,6 +130,8 @@ enum cmd_and_opt_values {
|
|||||||
|
|
||||||
oDisableCRLChecks,
|
oDisableCRLChecks,
|
||||||
oEnableCRLChecks,
|
oEnableCRLChecks,
|
||||||
|
oDisableTrustedCertCRLCheck,
|
||||||
|
oEnableTrustedCertCRLCheck,
|
||||||
oForceCRLRefresh,
|
oForceCRLRefresh,
|
||||||
|
|
||||||
oDisableOCSP,
|
oDisableOCSP,
|
||||||
@ -285,6 +287,8 @@ static ARGPARSE_OPTS opts[] = {
|
|||||||
N_("use system's dirmngr if available")},
|
N_("use system's dirmngr if available")},
|
||||||
{ oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
|
{ oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
|
||||||
{ oEnableCRLChecks, "enable-crl-checks", 0, "@"},
|
{ oEnableCRLChecks, "enable-crl-checks", 0, "@"},
|
||||||
|
{ oDisableTrustedCertCRLCheck, "disable-trusted-cert-crl-check", 0, "@"},
|
||||||
|
{ oEnableTrustedCertCRLCheck, "enable-trusted-cert-crl-check", 0, "@"},
|
||||||
{ oForceCRLRefresh, "force-crl-refresh", 0, "@"},
|
{ oForceCRLRefresh, "force-crl-refresh", 0, "@"},
|
||||||
|
|
||||||
{ oDisableOCSP, "disable-ocsp", 0, "@" },
|
{ oDisableOCSP, "disable-ocsp", 0, "@" },
|
||||||
@ -973,6 +977,12 @@ main ( int argc, char **argv)
|
|||||||
case oEnableCRLChecks:
|
case oEnableCRLChecks:
|
||||||
opt.no_crl_check = 0;
|
opt.no_crl_check = 0;
|
||||||
break;
|
break;
|
||||||
|
case oDisableTrustedCertCRLCheck:
|
||||||
|
opt.no_trusted_cert_crl_check = 1;
|
||||||
|
break;
|
||||||
|
case oEnableTrustedCertCRLCheck:
|
||||||
|
opt.no_trusted_cert_crl_check = 0;
|
||||||
|
break;
|
||||||
case oForceCRLRefresh:
|
case oForceCRLRefresh:
|
||||||
opt.force_crl_refresh = 1;
|
opt.force_crl_refresh = 1;
|
||||||
break;
|
break;
|
||||||
@ -1352,6 +1362,8 @@ main ( int argc, char **argv)
|
|||||||
GC_OPT_FLAG_NONE );
|
GC_OPT_FLAG_NONE );
|
||||||
printf ("disable-crl-checks:%lu:\n",
|
printf ("disable-crl-checks:%lu:\n",
|
||||||
GC_OPT_FLAG_NONE );
|
GC_OPT_FLAG_NONE );
|
||||||
|
printf ("disable-trusted-cert-crl-check:%lu:\n",
|
||||||
|
GC_OPT_FLAG_NONE );
|
||||||
printf ("enable-ocsp:%lu:\n",
|
printf ("enable-ocsp:%lu:\n",
|
||||||
GC_OPT_FLAG_NONE );
|
GC_OPT_FLAG_NONE );
|
||||||
printf ("include-certs:%lu:1:\n",
|
printf ("include-certs:%lu:1:\n",
|
||||||
|
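Review bot: Both new opts[] entries in hunk `@ -285` use the hidden help string "@", so `--disable-trusted-cert-crl-check` is absent from --help even though it weakens revocation checking and even though gpgconf-comp.c gives it a description in this same commit; the sibling `disable-crl-checks` is visible. I would reuse that description here, `{ oDisableTrustedCertCRLCheck, "disable-trusted-cert-crl-check", 0, N_("do not check CRLs for root certificates")},`, and leave the enable variant hidden like `enable-crl-checks`. The enum, option-parsing and gpgconf-list hunks agree with each other, and the `no_trusted_cert_crl_check` field is declared in gpgsm.h in this commit.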
@ -97,6 +97,7 @@ struct {
|
|||||||
int ignore_time_conflict; /* Ignore certain time conflicts */
|
int ignore_time_conflict; /* Ignore certain time conflicts */
|
||||||
|
|
||||||
int no_crl_check; /* Don't do a CRL check */
|
int no_crl_check; /* Don't do a CRL check */
|
||||||
|
int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
|
||||||
int force_crl_refresh; /* Force refreshing the CRL. */
|
int force_crl_refresh; /* Force refreshing the CRL. */
|
||||||
int enable_ocsp; /* Default to use OCSP checks. */
|
int enable_ocsp; /* Default to use OCSP checks. */
|
||||||
|
|
||||||
|
@ -1,3 +1,11 @@
|
|||||||
|
2005-04-21 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check.
|
||||||
|
|
||||||
|
2005-04-20 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* gpgconf-comp.c: Add gpg-agent:disable-scdaemon.
|
||||||
|
|
||||||
2005-04-19 Marcus Brinkmann <marcus@g10code.de>
|
2005-04-19 Marcus Brinkmann <marcus@g10code.de>
|
||||||
|
|
||||||
* symcryptrun.c: Add --input option.
|
* symcryptrun.c: Add --input option.
|
||||||
|
@ -449,6 +449,9 @@ static gc_option_t gc_options_gpg_agent[] =
|
|||||||
{ "options", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT,
|
{ "options", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT,
|
||||||
"gnupg", "|FILE|read options from FILE",
|
"gnupg", "|FILE|read options from FILE",
|
||||||
GC_ARG_TYPE_PATHNAME, GC_BACKEND_GPG_AGENT },
|
GC_ARG_TYPE_PATHNAME, GC_BACKEND_GPG_AGENT },
|
||||||
|
{ "disable-scdaemon", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
|
||||||
|
"gnupg", "do not use the SCdaemon",
|
||||||
|
GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
|
||||||
|
|
||||||
{ "Debug",
|
{ "Debug",
|
||||||
GC_OPT_FLAG_GROUP, GC_LEVEL_ADVANCED,
|
GC_OPT_FLAG_GROUP, GC_LEVEL_ADVANCED,
|
||||||
@ -651,6 +654,9 @@ static gc_option_t gc_options_gpgsm[] =
|
|||||||
{ "disable-crl-checks", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC,
|
{ "disable-crl-checks", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC,
|
||||||
"gnupg", "never consult a CRL",
|
"gnupg", "never consult a CRL",
|
||||||
GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
|
GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
|
||||||
|
{ "disable-trusted-cert-crl-check", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT,
|
||||||
|
"gnupg", N_("do not check CRLs for root certificates"),
|
||||||
|
GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
|
||||||
{ "enable-ocsp", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
|
{ "enable-ocsp", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
|
||||||
"gnupg", "check validity using OCSP",
|
"gnupg", "check validity using OCSP",
|
||||||
GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
|
GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
|
||||||
|
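Review bot: The new gpgsm entry wraps its description in `N_("do not check CRLs for root certificates")`, whereas the neighbouring gpgsm entries and the new gpg-agent entry `"do not use the SCdaemon"` pass plain strings; if the table's "gnupg" domain is translated at runtime, N_() is only an extraction marker and harmless, but mixing both forms in one table leaves the convention unclear, so pick one style for both additions. The gpgsm entry is at GC_LEVEL_EXPERT while the gpg-agent one is GC_LEVEL_ADVANCED; that ordering fits the impact of skipping revocation checks for root certificates, and a short comment on the entry, e.g. `/* Weakens revocation checking, hence expert level. */`, would record the reason.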
@ -124,7 +124,7 @@ enum cmd_and_opt_values
|
|||||||
oKeyfile,
|
oKeyfile,
|
||||||
oDecrypt,
|
oDecrypt,
|
||||||
oEncrypt,
|
oEncrypt,
|
||||||
oInput,
|
oInput
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|