diff options
Diffstat (limited to 'sm')
| -rw-r--r-- | sm/certchain.c | 18 | ||||
| -rw-r--r-- | sm/gpgsm.c | 6 | ||||
| -rw-r--r-- | sm/gpgsm.h | 1 |
3 files changed, 25 insertions, 0 deletions
diff --git a/sm/certchain.c b/sm/certchain.c index 77e91f003..c30be324e 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -1055,6 +1055,24 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, return 0; } + + if (!(force_ocsp || ctrl->use_ocsp) + && !opt.enable_issuer_based_crl_check) + { + err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL); + if (gpg_err_code (err) == GPG_ERR_EOF) + { + /* No DP specified in the certificate. Thus the CA does not + * consider a CRL useful and the user of the certificate + * also does not consider this to be a critical thing. In + * this case we can conclude that the certificate shall not + * be revocable. Note that we reach this point here only if + * no OCSP responder shall be used. */ + audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_TRUE)); + return 0; + } + } + err = gpgsm_dirmngr_isvalid (ctrl, subject_cert, issuer_cert, force_ocsp? 2 : !!ctrl->use_ocsp); diff --git a/sm/gpgsm.c b/sm/gpgsm.c index b4a81e368..ef3fe91b8 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -146,6 +146,7 @@ enum cmd_and_opt_values { oDisableTrustedCertCRLCheck, oEnableTrustedCertCRLCheck, oForceCRLRefresh, + oEnableIssuerBasedCRLCheck, oDisableOCSP, oEnableOCSP, @@ -412,6 +413,8 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oDryRun, "dry-run", N_("do not make any changes")), ARGPARSE_s_s (oRequestOrigin, "request-origin", "@"), ARGPARSE_s_n (oForceCRLRefresh, "force-crl-refresh", "@"), + ARGPARSE_s_n (oEnableIssuerBasedCRLCheck, "enable-issuer-based-crl-check", + "@"), ARGPARSE_s_s (oAuditLog, "audit-log", N_("|FILE|write an audit log to FILE")), ARGPARSE_s_s (oHtmlAuditLog, "html-audit-log", "@"), @@ -1268,6 +1271,9 @@ main ( int argc, char **argv) case oForceCRLRefresh: opt.force_crl_refresh = 1; break; + case oEnableIssuerBasedCRLCheck: + opt.enable_issuer_based_crl_check = 1; + break; case oDisableOCSP: ctrl.use_ocsp = opt.enable_ocsp = 0; diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 15b49782b..6c68cdab3 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -127,6 +127,7 @@ struct int no_crl_check; /* Don't do a CRL check */ int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */ int force_crl_refresh; /* Force refreshing the CRL. */ + int enable_issuer_based_crl_check; /* Backward compatibility hack. */ int enable_ocsp; /* Default to use OCSP checks. */ char *policy_file; /* full pathname of policy file */ |