sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.

* sm/certchain.c (find_up): Disable external lookups in offline mode. Always allow AKI lookup if CRLs are also enabled. -- GnuPG-bug-id: 4898 Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 19:05:49 +02:00 · 2020-04-16 19:05:49 +02:00 · bbb7edb880
parent f5efbd5a11
commit bbb7edb880
2 changed files with 19 additions and 9 deletions
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@ -440,9 +440,14 @@ change it.
@itemx --disable-crl-checks
@opindex enable-crl-checks
@opindex disable-crl-checks
-By default the @acronym{CRL} checks are enabled and the DirMngr is used
-to check for revoked certificates.  The disable option is most useful
-with an off-line network connection to suppress this check.
+By default the @acronym{CRL} checks are enabled and the DirMngr is
+used to check for revoked certificates.  The disable option is most
+useful with an off-line network connection to suppress this check and
+also to avoid that new certificates introduce a web bug by including a
+certificate specific CRL DP.  The disable option also disables an
+issuer certificate lookup via the authorityInfoAccess property of the
+certificate; the @option{--enable-issuer-key-retrieve} can be used
+to make use of that property anyway.

@item  --enable-trusted-cert-crl-check
@itemx --disable-trusted-cert-crl-check
--- a/sm/certchain.c
+++ b/sm/certchain.c
@ -929,15 +929,19 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
        }

      /* If we still didn't found it, try an external lookup.  */
-      if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
+      if (rc == -1 && !find_next && !ctrl->offline)
        {
-          if (!find_up_via_auth_info_access (ctrl, kh, cert))
+          /* We allow AIA also if CRLs are enabled; both can be used
+           * as a web bug so it does not make sense to not use AIA if
+           * CRL checks are enabled.  */
+          if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
+              && !find_up_via_auth_info_access (ctrl, kh, cert))
            {
              if (DBG_X509)
                log_debug ("  found via authorityInfoAccess.caIssuers\n");
              rc = 0;
            }
-          else
+          else if (opt.auto_issuer_key_retrieve)
            {
              rc = find_up_external (ctrl, kh, issuer, keyid);
              if (!rc && DBG_X509)
@ -1001,15 +1005,16 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
    }

  /* Still not found.  If enabled, try an external lookup.  */
-  if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
+  if (rc == -1 && !find_next && !ctrl->offline)
    {
-      if (!find_up_via_auth_info_access (ctrl, kh, cert))
+      if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
+          && !find_up_via_auth_info_access (ctrl, kh, cert))
        {
          if (DBG_X509)
            log_debug ("  found via authorityInfoAccess.caIssuers\n");
          rc = 0;
        }
-      else
+      else if (opt.auto_issuer_key_retrieve)
        {
          rc = find_up_external (ctrl, kh, issuer, NULL);
          if (!rc && DBG_X509)