mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
dirmngr: Add framework to implement a fake CRL feature.
* dirmngr/fakecrl.c: New. * dirmngr/dirmngr.h (opt): Add fake_crl. * dirmngr/dirmngr.c (enum cmd_and_opt_values): Add oFakeCRL. (opts): Add "fake-crl" (parse_rereadable_options): Set opt.fake_crl. * dirmngr/server.c (cmd_isvalid): Take care of fakce CRLs.
This commit is contained in:
parent
e4ac3e7dec
commit
f5347fbc25
@ -58,6 +58,7 @@ endif
|
||||
noinst_HEADERS = dirmngr.h crlcache.h crlfetch.h misc.h
|
||||
|
||||
dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \
|
||||
fakecrl.c \
|
||||
certcache.c certcache.h \
|
||||
domaininfo.c \
|
||||
workqueue.c \
|
||||
|
@ -45,6 +45,7 @@ crl_sig_result_t;
|
||||
struct crl_cache_entry_s;
|
||||
typedef struct crl_cache_entry_s *crl_cache_entry_t;
|
||||
|
||||
/*-- crlcache.c --*/
|
||||
|
||||
void crl_cache_init (void);
|
||||
void crl_cache_deinit (void);
|
||||
@ -68,4 +69,11 @@ gpg_error_t crl_cache_load (ctrl_t ctrl, const char *filename);
|
||||
gpg_error_t crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert);
|
||||
|
||||
|
||||
/*-- fakecrl.c --*/
|
||||
crl_cache_result_t fakecrl_isvalid (ctrl_t ctrl,
|
||||
const char *issuer_hash,
|
||||
const char *cert_id);
|
||||
|
||||
|
||||
|
||||
#endif /* CRLCACHE_H */
|
||||
|
@ -158,6 +158,7 @@ enum cmd_and_opt_values {
|
||||
oConnectTimeout,
|
||||
oConnectQuickTimeout,
|
||||
oListenBacklog,
|
||||
oFakeCRL,
|
||||
aTest
|
||||
};
|
||||
|
||||
@ -274,7 +275,7 @@ static gpgrt_opt_t opts[] = {
|
||||
" points to serverlist")),
|
||||
ARGPARSE_s_i (oLDAPTimeout, "ldaptimeout",
|
||||
N_("|N|set LDAP timeout to N seconds")),
|
||||
|
||||
ARGPARSE_s_s (oFakeCRL, "fake-crl", "@"),
|
||||
|
||||
ARGPARSE_header ("OCSP", N_("Configuration for OCSP")),
|
||||
|
||||
@ -709,6 +710,8 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
|
||||
opt.ldaptimeout = DEFAULT_LDAP_TIMEOUT;
|
||||
ldapserver_list_needs_reset = 1;
|
||||
opt.debug_cache_expired_certs = 0;
|
||||
xfree (opt.fake_crl);
|
||||
opt.fake_crl = NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -871,6 +874,11 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
|
||||
opt.debug_cache_expired_certs = 0;
|
||||
break;
|
||||
|
||||
case oFakeCRL:
|
||||
xfree (opt.fake_crl);
|
||||
opt.fake_crl = *pargs->r.ret_str? xstrdup (pargs->r.ret_str) : NULL;
|
||||
break;
|
||||
|
||||
default:
|
||||
return 0; /* Not handled. */
|
||||
}
|
||||
|
@ -104,6 +104,7 @@ struct
|
||||
|
||||
int force; /* Force loading outdated CRLs. */
|
||||
|
||||
char *fake_crl; /* Name of a file with faked CRL entries. */
|
||||
|
||||
unsigned int connect_timeout; /* Timeout for connect. */
|
||||
unsigned int connect_quick_timeout; /* Shorter timeout for connect. */
|
||||
|
63
dirmngr/fakecrl.c
Normal file
63
dirmngr/fakecrl.c
Normal file
@ -0,0 +1,63 @@
|
||||
/* fakecrl.c - Debug code to test revocations.
|
||||
* Copyright (C) 2023 g10 Code GmbH
|
||||
*
|
||||
* This file is part of GnuPG.
|
||||
*
|
||||
* GnuPG is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* GnuPG is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
||||
* SPDX-License-Identifier: GPL-3.0-or-later
|
||||
*/
|
||||
|
||||
/*
|
||||
* For regression testing it is useful to have a way to claim that
|
||||
* certain certificates are revoked. We achieve this with the
|
||||
* --fake-crl option which takes a file name as argument. The format
|
||||
* of the file is: empty lines and lines starting with a hash sign are
|
||||
* ignored. A line with the issuer DN in brackets starts entries for
|
||||
* this issuer. All following lines up to the next line with a
|
||||
* bracket list revoked certificates. For each revoked certificate
|
||||
* the hexadecimal encoded serial number is listed, followed by the
|
||||
* revocation date in ISO 14 byte notation, optionally followed by a
|
||||
* reason keyword. Example:
|
||||
*---------------------
|
||||
* # Sample Fake CRL
|
||||
* [CN=Bayern-Softtoken-Issuing-CA-2019,OU=IT-DLZ,O=Freistaat Bayern,C=DE]
|
||||
* 7FD62B1A9EA5BBC84971183080717004 20221125T074346
|
||||
* 11223344556677 20230101T000000 key_compromise
|
||||
* 0000000000000042 20221206T121200 certificate_hold
|
||||
*
|
||||
* [CN=CA IVBB Deutsche Telekom AG 18,OU=Bund,O=PKI-1-Verwaltung,C=DE]
|
||||
* 735D1B97389F 20230210T083947
|
||||
*---------------------
|
||||
*/
|
||||
#include <config.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "dirmngr.h"
|
||||
#include "crlcache.h"
|
||||
|
||||
|
||||
|
||||
/* Returns 0 if the given certificate is not listed in the faked CRL
|
||||
* or no fake CRL is configured. It is expected that the caller then
|
||||
* consults the real CRL. */
|
||||
gpg_error_t
|
||||
fakecrl_isvalid (ctrl_t ctrl, const char *issuer_hash, const char *cert_id)
|
||||
{
|
||||
(void)ctrl;
|
||||
(void)issuer_hash;
|
||||
(void)cert_id;
|
||||
return 0;
|
||||
}
|
@ -1339,6 +1339,10 @@ cmd_isvalid (assuan_context_t ctx, char *line)
|
||||
}
|
||||
else if (only_ocsp)
|
||||
err = gpg_error (GPG_ERR_NO_CRL_KNOWN);
|
||||
else if (opt.fake_crl && (err = fakecrl_isvalid (ctrl, issuerhash, serialno)))
|
||||
{
|
||||
/* We already got the error code. */
|
||||
}
|
||||
else
|
||||
{
|
||||
switch (crl_cache_isvalid (ctrl,
|
||||
@ -1377,7 +1381,7 @@ cmd_isvalid (assuan_context_t ctx, char *line)
|
||||
|
||||
|
||||
/* If the line contains a SHA-1 fingerprint as the first argument,
|
||||
return the FPR vuffer on success. The function checks that the
|
||||
return the FPR buffer on success. The function checks that the
|
||||
fingerprint consists of valid characters and prints and error
|
||||
message if it does not and returns NULL. Fingerprints are
|
||||
considered optional and thus no explicit error is returned. NULL is
|
||||
|
Loading…
x
Reference in New Issue
Block a user