sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.

* sm/certchain.c (find_up): Disable external lookups in offline mode.
Always allow AKI lookup if CRLs are also enabled.
--

GnuPG-bug-id: 4898
Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2020-04-16 19:05:49 +02:00
parent d57209553d
commit aec7d136e4
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 19 additions and 9 deletions


@ -409,9 +409,14 @@ change it.
@itemx --disable-crl-checks @itemx --disable-crl-checks
@opindex enable-crl-checks @opindex enable-crl-checks
@opindex disable-crl-checks @opindex disable-crl-checks
By default the @acronym{CRL} checks are enabled and the DirMngr is used By default the @acronym{CRL} checks are enabled and the DirMngr is
to check for revoked certificates. The disable option is most useful used to check for revoked certificates. The disable option is most
with an off-line network connection to suppress this check. useful with an off-line network connection to suppress this check and
also to avoid that new certificates introduce a web bug by including a
certificate specific CRL DP. The disable option also disables an
issuer certificate lookup via the authorityInfoAccess property of the
certificate; the @option{--enable-issuer-key-retrieve} can be used
to make use of that property anyway.
@item --enable-trusted-cert-crl-check @item --enable-trusted-cert-crl-check
@itemx --disable-trusted-cert-crl-check @itemx --disable-trusted-cert-crl-check
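Review bot: the new paragraph explains that the disable option also turns off the authorityInfoAccess issuer lookup and that @option{--enable-issuer-key-retrieve} overrides this, but it does not say that both lookups are skipped entirely in offline mode (the code change gates the whole block on !ctrl->offline). Since this text already recommends the disable option for "an off-line network connection", add one sentence stating that offline mode suppresses the AIA lookup regardless of these options, so readers do not expect @option{--enable-issuer-key-retrieve} to force a fetch while offline. Minor wording: "to avoid that new certificates introduce a web bug" reads better as "to avoid new certificates introducing a web bug by including a certificate specific CRL DP".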


@ -928,15 +928,19 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
} }
/* If we still didn't found it, try an external lookup. */ /* If we still didn't found it, try an external lookup. */
if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next) if (rc == -1 && !find_next && !ctrl->offline)
{ {
if (!find_up_via_auth_info_access (ctrl, kh, cert)) /* We allow AIA also if CRLs are enabled; both can be used
* as a web bug so it does not make sense to not use AIA if
* CRL checks are enabled. */
if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
&& !find_up_via_auth_info_access (ctrl, kh, cert))
{ {
if (DBG_X509) if (DBG_X509)
log_debug (" found via authorityInfoAccess.caIssuers\n"); log_debug (" found via authorityInfoAccess.caIssuers\n");
rc = 0; rc = 0;
} }
else else if (opt.auto_issuer_key_retrieve)
{ {
rc = find_up_external (ctrl, kh, issuer, keyid); rc = find_up_external (ctrl, kh, issuer, keyid);
if (!rc && DBG_X509) if (!rc && DBG_X509)
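Review bot: the combined test `if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)` encodes the policy that an AIA fetch is acceptable whenever a CRL fetch would be, which matches the commit message, but the identical three-line expression is repeated in the second hunk of find_up without the explanatory comment; hoist it into one local near the top of the function, for example `int allow_aia = opt.auto_issuer_key_retrieve || !opt.no_crl_check;`, so both branches cannot drift apart. When neither option is set the AIA lookup is now silently skipped and rc stays -1, so a DBG_X509 trace cannot distinguish "lookup failed" from "lookup never attempted"; a log_debug in that fall-through case would help when diagnosing chain-building failures. Minor: the retained comment "If we still didn't found it" should read "didn't find it".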
@ -1000,15 +1004,16 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
} }
/* Still not found. If enabled, try an external lookup. */ /* Still not found. If enabled, try an external lookup. */
if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next) if (rc == -1 && !find_next && !ctrl->offline)
{ {
if (!find_up_via_auth_info_access (ctrl, kh, cert)) if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
&& !find_up_via_auth_info_access (ctrl, kh, cert))
{ {
if (DBG_X509) if (DBG_X509)
log_debug (" found via authorityInfoAccess.caIssuers\n"); log_debug (" found via authorityInfoAccess.caIssuers\n");
rc = 0; rc = 0;
} }
else else if (opt.auto_issuer_key_retrieve)
{ {
rc = find_up_external (ctrl, kh, issuer, NULL); rc = find_up_external (ctrl, kh, issuer, NULL);
if (!rc && DBG_X509) if (!rc && DBG_X509)
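Review bot: the context comment "Still not found. If enabled, try an external lookup." no longer describes the condition beneath it, which now checks !ctrl->offline rather than an enable option; update it to say that external lookups are skipped in offline mode and that AIA is tried whenever CRL checks or issuer-key retrieval are enabled, since this branch does not carry the rationale comment the first hunk added. With the change to `else if (opt.auto_issuer_key_retrieve)`, a failed AIA lookup without that option leaves rc at -1 and the caller reports the issuer as not found, the same outcome as before the patch when the block was not entered at all; a short comment making that fall-through explicit would spare the next reader from re-deriving it.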