sm: Consider certificates w/o CRL DP as valid.

* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP. * common/audit.c (proc_type_verify): Print "n/a" if a cert has no distribution point. * sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check. * sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New. (opts): Add option --enable-issuer-based-crl-check. (main): Set option. -- If the issuer does not provide a DP and the user wants such an issuer, we expect that a certificate does not need revocation checks. The new option --enable-issuer-based-crl-check can be used to revert to the old behaviour which requires that a suitable LDAP server has been configured to lookup a CRL by issuer. Signed-off-by: Werner Koch <[email protected]>
author: Werner Koch <[email protected]> 2020-03-27 20:11:25 +0000
committer: Werner Koch <[email protected]> 2020-03-27 20:16:07 +0000
commit: 0b583a555e75fbb9140310390a267febd3329a12 (patch)
tree: ff1ac042ea3b436a44d945b5e1ea8cde4330b7f5
parent: scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3. (diff)
download: gnupg-0b583a555e75fbb9140310390a267febd3329a12.tar.gz
gnupg-0b583a555e75fbb9140310390a267febd3329a12.zip
5 files changed, 34 insertions, 0 deletions
diff --git a/common/audit.c b/common/audit.c
index 6185df37c..803523c94 100644
--- a/common/audit.c
+++ b/common/audit.c
@@ -1105,6 +1105,7 @@ proc_type_verify (audit_ctx_t ctx)
           switch (gpg_err_code (item->err))
             {
             case 0:                    ok = "good"; break;
+            case GPG_ERR_TRUE:         ok = "n/a";  break;
             case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
             case GPG_ERR_NOT_ENABLED:  ok = "disabled"; break;
             case GPG_ERR_NO_CRL_KNOWN:
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 130b217a5..8b34085e4 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -469,6 +469,14 @@ hold in the keybox.  The suggested way of doing this is by using it
 along with the option @option{--with-validation} for a key listing
 command.  This option should not be used in a configuration file.
 
+@item --enable-issuer-based-crl-check
+@opindex enable-issuer-based-crl-check
+Run a CRL check even for certificates which do not have any CRL
+distribution point.  This requires that a suitable LDAP server has
+been configured in Dirmngr and that the CRL can be found using the
+issuer.  This option reverts to what GnuPG did up to version 2.2.20.
+This option is in general not useful.
+
 @item  --enable-ocsp
 @itemx --disable-ocsp
 @opindex enable-ocsp
diff --git a/sm/certchain.c b/sm/certchain.c
index 77e91f003..c30be324e 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1055,6 +1055,24 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
       return 0;
     }
 
+
+  if (!(force_ocsp || ctrl->use_ocsp)
+      && !opt.enable_issuer_based_crl_check)
+    {
+      err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL);
+      if (gpg_err_code (err) == GPG_ERR_EOF)
+        {
+          /* No DP specified in the certificate.  Thus the CA does not
+           * consider a CRL useful and the user of the certificate
+           * also does not consider this to be a critical thing.  In
+           * this case we can conclude that the certificate shall not
+           * be revocable.  Note that we reach this point here only if
+           * no OCSP responder shall be used.  */
+          audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_TRUE));
+          return 0;
+        }
+    }
+
   err = gpgsm_dirmngr_isvalid (ctrl,
                                subject_cert, issuer_cert,
                                force_ocsp? 2 : !!ctrl->use_ocsp);
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index b4a81e368..ef3fe91b8 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -146,6 +146,7 @@ enum cmd_and_opt_values {
   oDisableTrustedCertCRLCheck,
   oEnableTrustedCertCRLCheck,
   oForceCRLRefresh,
+  oEnableIssuerBasedCRLCheck,
 
   oDisableOCSP,
   oEnableOCSP,
@@ -412,6 +413,8 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_n (oDryRun, "dry-run", N_("do not make any changes")),
   ARGPARSE_s_s (oRequestOrigin,   "request-origin", "@"),
   ARGPARSE_s_n (oForceCRLRefresh, "force-crl-refresh", "@"),
+  ARGPARSE_s_n (oEnableIssuerBasedCRLCheck, "enable-issuer-based-crl-check",
+                "@"),
   ARGPARSE_s_s (oAuditLog, "audit-log",
                 N_("|FILE|write an audit log to FILE")),
   ARGPARSE_s_s (oHtmlAuditLog, "html-audit-log", "@"),
@@ -1268,6 +1271,9 @@ main ( int argc, char **argv)
         case oForceCRLRefresh:
           opt.force_crl_refresh = 1;
           break;
+        case oEnableIssuerBasedCRLCheck:
+          opt.enable_issuer_based_crl_check = 1;
+          break;
 
         case oDisableOCSP:
           ctrl.use_ocsp = opt.enable_ocsp = 0;
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 15b49782b..6c68cdab3 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -127,6 +127,7 @@ struct
   int no_crl_check;         /* Don't do a CRL check */
   int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
   int force_crl_refresh;    /* Force refreshing the CRL. */
+  int enable_issuer_based_crl_check; /* Backward compatibility hack.  */
   int enable_ocsp;          /* Default to use OCSP checks. */
 
   char *policy_file;        /* full pathname of policy file */
author	Werner Koch <[email protected]>	2020-03-27 20:11:25 +0000
committer	Werner Koch <[email protected]>	2020-03-27 20:16:07 +0000
commit	0b583a555e75fbb9140310390a267febd3329a12 (patch)
tree	ff1ac042ea3b436a44d945b5e1ea8cde4330b7f5
parent	scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3. (diff)
download	gnupg-0b583a555e75fbb9140310390a267febd3329a12.tar.gz gnupg-0b583a555e75fbb9140310390a267febd3329a12.zip