diff options
| author | Werner Koch <[email protected]> | 2023-03-09 17:28:39 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2023-03-09 17:28:39 +0000 |
| commit | b52a0e244ae18aec4b9c93f90432a551fac95a40 (patch) | |
| tree | db5677d70b5d85de0def204d88d43b4f15a597a0 /dirmngr/validate.c | |
| parent | keyboxd: Allow import of v0 certificates. (diff) | |
| download | gnupg-b52a0e244ae18aec4b9c93f90432a551fac95a40.tar.gz gnupg-b52a0e244ae18aec4b9c93f90432a551fac95a40.zip | |
dirmngr: Distinguish between "no crl" and "crl not trusted".
* dirmngr/crlcache.h (CRL_CACHE_NOTTRUSTED): New.
* dirmngr/crlcache.c (cache_isvalid): Set this status.
(crl_cache_cert_isvalid): Map it to GPG_ERR_NOT_TRUSTED.
(crl_cache_reload_crl): Move diagnostic to ...
* dirmngr/crlfetch.c (crl_fetch): here.
* dirmngr/server.c (cmd_isvalid): Map it to GPG_ERR_NOT_TRUSTED.
* dirmngr/validate.c (check_revocations): Handle new status. Improve
diagnostics.
* common/status.c (get_inv_recpsgnr_code): Map INV_CRL_OBJ.
* common/audit.c (proc_type_verify): Ditto.
--
This avoids repeated loading of CRLs in case of untrusted root
certificates.
Diffstat (limited to 'dirmngr/validate.c')
| -rw-r--r-- | dirmngr/validate.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/dirmngr/validate.c b/dirmngr/validate.c index 399cca3a4..02db3c270 100644 --- a/dirmngr/validate.c +++ b/dirmngr/validate.c @@ -255,6 +255,7 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) int any_revoked = 0; int any_no_crl = 0; int any_crl_too_old = 0; + int any_not_trusted = 0; chain_item_t ci; log_assert (ctrl->check_revocations_nest_level >= 0); @@ -266,7 +267,8 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) return gpg_error(GPG_ERR_BAD_CERT_CHAIN); } ctrl->check_revocations_nest_level++; - + if (opt.verbose) + log_info ("[%d] start checking CRLs\n", ctrl->check_revocations_nest_level); for (ci=chain; ci; ci = ci->next) { @@ -293,17 +295,19 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) if (!err) err = crl_cache_cert_isvalid (ctrl, ci->cert, 0); } + if (opt.verbose) + log_info ("[%d] result of checking this CRL: %s\n", + ctrl->check_revocations_nest_level, gpg_strerror (err)); switch (gpg_err_code (err)) { case 0: err = 0; break; case GPG_ERR_CERT_REVOKED: any_revoked = 1; err = 0; break; case GPG_ERR_NO_CRL_KNOWN: any_no_crl = 1; err = 0; break; + case GPG_ERR_NOT_TRUSTED: any_not_trusted = 1; err = 0; break; case GPG_ERR_CRL_TOO_OLD: any_crl_too_old = 1; err = 0; break; default: break; } } - ctrl->check_revocations_nest_level--; - if (err) ; @@ -311,10 +315,16 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) err = gpg_error (GPG_ERR_CERT_REVOKED); else if (any_no_crl) err = gpg_error (GPG_ERR_NO_CRL_KNOWN); + else if (any_not_trusted) + err = gpg_error (GPG_ERR_NOT_TRUSTED); else if (any_crl_too_old) err = gpg_error (GPG_ERR_CRL_TOO_OLD); else err = 0; + if (opt.verbose) + log_info ("[%d] result of checking all CRLs: %s\n", + ctrl->check_revocations_nest_level, gpg_strerror (err)); + ctrl->check_revocations_nest_level--; return err; } |