sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.
* sm/certchain.c (find_up): Disable external lookups in offline mode. Always allow AKI lookup if CRLs are also enabled. -- GnuPG-bug-id: 4898 Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
d57209553d
commit
aec7d136e4
@ -409,9 +409,14 @@ change it.
|
||||
@itemx --disable-crl-checks
|
||||
@opindex enable-crl-checks
|
||||
@opindex disable-crl-checks
|
||||
By default the @acronym{CRL} checks are enabled and the DirMngr is used
|
||||
to check for revoked certificates. The disable option is most useful
|
||||
with an off-line network connection to suppress this check.
|
||||
By default the @acronym{CRL} checks are enabled and the DirMngr is
|
||||
used to check for revoked certificates. The disable option is most
|
||||
useful with an off-line network connection to suppress this check and
|
||||
also to avoid that new certificates introduce a web bug by including a
|
||||
certificate specific CRL DP. The disable option also disables an
|
||||
issuer certificate lookup via the authorityInfoAccess property of the
|
||||
certificate; the @option{--enable-issuer-key-retrieve} can be used
|
||||
to make use of that property anyway.
|
||||
|
||||
@item --enable-trusted-cert-crl-check
|
||||
@itemx --disable-trusted-cert-crl-check
|
||||
|
@ -928,15 +928,19 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
|
||||
}
|
||||
|
||||
/* If we still didn't found it, try an external lookup. */
|
||||
if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
|
||||
if (rc == -1 && !find_next && !ctrl->offline)
|
||||
{
|
||||
if (!find_up_via_auth_info_access (ctrl, kh, cert))
|
||||
/* We allow AIA also if CRLs are enabled; both can be used
|
||||
* as a web bug so it does not make sense to not use AIA if
|
||||
* CRL checks are enabled. */
|
||||
if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
|
||||
&& !find_up_via_auth_info_access (ctrl, kh, cert))
|
||||
{
|
||||
if (DBG_X509)
|
||||
log_debug (" found via authorityInfoAccess.caIssuers\n");
|
||||
rc = 0;
|
||||
}
|
||||
else
|
||||
else if (opt.auto_issuer_key_retrieve)
|
||||
{
|
||||
rc = find_up_external (ctrl, kh, issuer, keyid);
|
||||
if (!rc && DBG_X509)
|
||||
@ -1000,15 +1004,16 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
|
||||
}
|
||||
|
||||
/* Still not found. If enabled, try an external lookup. */
|
||||
if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
|
||||
if (rc == -1 && !find_next && !ctrl->offline)
|
||||
{
|
||||
if (!find_up_via_auth_info_access (ctrl, kh, cert))
|
||||
if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
|
||||
&& !find_up_via_auth_info_access (ctrl, kh, cert))
|
||||
{
|
||||
if (DBG_X509)
|
||||
log_debug (" found via authorityInfoAccess.caIssuers\n");
|
||||
rc = 0;
|
||||
}
|
||||
else
|
||||
else if (opt.auto_issuer_key_retrieve)
|
||||
{
|
||||
rc = find_up_external (ctrl, kh, issuer, NULL);
|
||||
if (!rc && DBG_X509)
|
||||
|
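Review bot: The predicate `(opt.auto_issuer_key_retrieve || !opt.no_crl_check)` that now gates the AIA lookup is written out twice inside find_up, once in the +928 hunk and again in the +1004 hunk, and only the first copy carries the comment explaining why enabled CRL checks also unlock AIA. Factoring it into a small static helper next to find_up keeps the two sites from drifting apart and gives the second one the rationale for free; each call site then reads `if (aia_lookup_allowed () && !find_up_via_auth_info_access (ctrl, kh, cert))`. It would also aid diagnosis to emit a DBG_X509 log_debug when the whole block is skipped because `ctrl->offline` is set, since an offline session now silently stops retrieving issuers that it previously tried to fetch; I cannot tell from these hunks whether such a message already exists further up. find_up starts before the first hunk and continues past both.
```c
/* Return true if the issuer certificate may be fetched via the
 * certificate's authorityInfoAccess (AIA) extension.  AIA is allowed
 * whenever CRL checks are enabled as well: both are fetches driven by
 * URLs carried in the certificate itself, so permitting one while
 * refusing the other gains nothing.  */
static int
aia_lookup_allowed (void)
{
  return opt.auto_issuer_key_retrieve || !opt.no_crl_check;
}

/* … unchanged: find_up up to the external-lookup block … */
  if (rc == -1 && !find_next && !ctrl->offline)
    {
      if (aia_lookup_allowed ()
          && !find_up_via_auth_info_access (ctrl, kh, cert))
/* … unchanged: debug output, rc = 0, else-if fallback to find_up_external … */
```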