mirror of git://git.gnupg.org/gnupg.git synced 2024-11-10 21:38:50 +01:00
gnupg/doc
Werner Koch 7fa1d3cc82
gpgsm: Always use the chain model if the root-CA requests this.
* sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Do not use
option --force-default-responder.
* sm/certchain.c (is_cert_still_valid): Rename arg for clarity.
(gpgsm_validate_chain): Always switch to chain model.
--

The trustlist.txt may indicate that a root CA issues certificates
which shall be validated using the chain model.  This is for example
the case for qualified signatures.  Before this change we did this
only if the default shell model indicated that a certificate has
expired.  This optimization is technically okay but has one problem:
The chain model requires the use of OCSP but we switch to this only
when running the chain model validation.  To catch revoked
certificates using OCSP we need to always switch to the chain model
unless OCSP has been enabled anyway.

Note that the old --force-default-responder option is not anymore
used.

Test cases are certificates issued by

  # CN=TeleSec qualified Root CA 1
  # O=Deutsche Telekom AG
  # C=DE
  # 2.5.4.97=USt-IdNr. DE 123475223
  90:C6:13:6C:7D:EF:EF:E9:7C:C7:64:F9:D2:67:8E:AD:03:E5:52:96 \
    S cm qual relax

A sample revoked certificate is

2022-12-05 14:25:04 +01:00
examples gpgconf: Add config file for Windows Registry dumps. 2022-08-03 09:31:44 +02:00
ldap doc: Minor update of the AD schema. 2021-09-09 13:30:22 +02:00
a-decade-of-gnupg.txt doc: Typo fixes. 2014-12-14 12:15:21 +01:00
announce-2.0.txt sm/ 2006-11-14 10:23:21 +00:00
announce-2.1.txt doc: Revert the bug reporting address to bugs.gnupg.org 2017-07-24 10:43:27 +02:00
ChangeLog-2011 Generate the ChangeLog from commit logs. 2011-12-01 11:09:02 +01:00
com-certs.pem Remove all expired common CA certificates. 2014-11-04 21:47:03 +01:00
contrib.texi doc: Fix Martin Hellman's name. 2016-09-20 09:32:25 +09:00
DCO Add missing file. 2013-04-17 11:26:27 +02:00
debugging.texi doc: Fix a debug hint on the keybox format. 2019-07-18 14:11:55 +02:00
DETAILS gpg: New export option "mode1003". 2022-12-02 10:09:58 +01:00
dirmngr.texi dirmngr: New server flag "areconly" (A-record-only) 2022-09-28 09:55:15 +02:00
FAQ doc: Fix FAQ stub and remove faq build rules. 2015-03-04 15:10:52 +01:00
faq.org doc: Always use --edit-key and not just the --edit abbreviation. 2021-03-11 12:38:51 +01:00
fdl.texi Taken from NewPG 2003-01-09 13:24:01 +00:00
glossary.texi doc: Fix typos. 2016-09-20 09:56:22 +09:00
gnupg7.texi Include dirmngr manual 2010-06-10 10:39:44 +00:00
gnupg-badge-openpgp.eps * preset-passphrase.c (preset_passphrase): Handle --passphrase. 2004-12-21 19:05:15 +00:00
gnupg-badge-openpgp.jpg * preset-passphrase.c (preset_passphrase): Handle --passphrase. 2004-12-21 19:05:15 +00:00
gnupg-badge-openpgp.pdf Made make distcheck work again 2006-06-20 17:47:10 +00:00
gnupg-card-architecture.fig Changed to GPLv3. 2007-07-04 19:49:40 +00:00
gnupg-logo-tr.png Beautified the online html manual 2011-08-12 14:40:47 +02:00
gnupg-logo.eps Add new logo. 2007-03-08 18:31:56 +00:00
gnupg-logo.pdf doc: Add gnupg-logo.pdf 2014-07-03 11:03:22 +02:00
gnupg-logo.png doc: Improve the rendering of the manual 2014-06-25 11:15:45 +02:00
gnupg-module-overview.svg doc: Update and extend module overview 2020-09-10 13:58:47 +02:00
gnupg.texi card: Rename gpg-card-tool to gpg-card. 2019-02-25 09:34:30 +01:00
gpg-agent.texi agent: Don't start in --supervised mode if no-autostart is enabled. 2022-09-07 11:54:23 +02:00
gpg-card.texi doc: Improve the gpg-card man page. 2021-02-11 12:15:49 +01:00
gpg.texi gpgsm: Always use the chain model if the root-CA requests this. 2022-12-05 14:25:04 +01:00
gpgsm.texi gpgsm: New option --compatibility-flags. 2022-06-13 17:50:26 +02:00
gpgv.texi gpgv: Improve documentation for keyring choices 2019-03-07 07:54:29 +01:00
gpl.texi Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
HACKING doc: Keep list of RFCs only in DETAILS 2022-09-16 16:49:54 +02:00
help.be.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.ca.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.cs.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.da.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.de.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.el.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.eo.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.es.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.et.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.fi.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.fr.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.gl.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.hu.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.id.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.it.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.ja.txt doc: Update Japanese doc/help.ja.txt. 2020-12-23 11:25:03 +09:00
help.nb.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.pl.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.pt_BR.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.pt.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.ro.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.ru.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.sk.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.sv.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.tr.txt Change all http://www.gnu.org in license notices to https:// 2016-11-05 12:02:19 +01:00
help.txt doc: Minor typo fixes 2022-01-24 22:22:34 +01:00
help.zh_CN.txt doc: Update Simplified Chinese doc/help.zh_CN.txt. 2020-12-23 11:38:50 +09:00
help.zh_TW.txt Update Traditional Chinese doc/help.zh_TW.txt 2020-12-28 17:16:11 +09:00
howto-create-a-server-cert.texi gpgsm: default to 3072-bit keys. 2017-09-08 11:37:42 -04:00
howtos.texi Add a howto section. 2007-05-08 13:59:41 +00:00
instguide.texi doc: Do not end section names with "." 2016-09-20 16:15:19 +09:00
KEYSERVER Migrated more stuff to doc/ 2006-08-21 20:20:23 +00:00
Makefile.am gpgconf: Add config file for Windows Registry dumps. 2022-08-03 09:31:44 +02:00
mkdefsinc.c doc: Escape file names in generated macros. 2016-07-06 19:35:15 +02:00
mksamplekeys Adjust awk to not add trailing whitespace. 2012-11-30 12:43:34 -05:00
Notes Spelling cleanup. 2020-02-18 18:07:46 -05:00
OpenPGP gpg: Remove all support for v3 keys and always create v4-signatures. 2014-10-17 13:32:16 +02:00
opt-homedir.texi doc: Fix typos. 2016-09-20 09:56:22 +09:00
samplekeys.asc Refresh sample keys 2012-11-30 12:47:49 -05:00
scdaemon.texi doc: Deprecate scd-event option of scdaemon. 2022-11-30 11:47:01 +09:00
see-also-note.texi More man pages. Added include files for 2 common paragraphs. 2006-08-18 13:05:39 +00:00
specify-user-id.texi gpg: Implement searching keys via keygrip. 2019-01-29 20:10:11 +01:00
sysnotes.texi doc: Do not end section names with "." 2016-09-20 16:15:19 +09:00
texi.css Beautified the online html manual 2011-08-12 14:40:47 +02:00
tools.texi tools: Minor fix to gpg-connect-agent options. 2022-06-02 15:56:59 +02:00
TRANSLATE Clean up word replication. 2017-02-21 13:11:46 -05:00
trust-values.texi doc: Update description of displayed trust values. 2018-05-07 08:07:07 +02:00
vuln-announce-2007-multiple-message.txt Clean up word replication. 2017-02-21 13:11:46 -05:00
vuln-announce-2010-kbx-realloc.txt Some work on the dirmngr 2010-07-23 16:16:14 +00:00
vuln-announce-cve-2006-6235.txt 2006-12-06 16:38:34 +00:00
whats-new-in-2.1.txt Spelling cleanup. 2020-02-18 18:07:46 -05:00
wks.texi wkd: New option --add-revocs and some fixes. 2022-11-29 17:17:50 +01:00
yat2m.c dirmngr:dns,doc,gpg: Fix for noreturn for C11. 2022-09-16 14:33:50 +09:00