diff options
Diffstat (limited to 'sm')
| -rw-r--r-- | sm/certchain.c | 18 | ||||
| -rw-r--r-- | sm/gpgsm.c | 6 | ||||
| -rw-r--r-- | sm/gpgsm.h | 1 |
3 files changed, 25 insertions, 0 deletions
diff --git a/sm/certchain.c b/sm/certchain.c index f59dc7573..c71397b4d 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -1054,6 +1054,24 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp, return 0; } + + if (!(force_ocsp || ctrl->use_ocsp) + && !opt.enable_issuer_based_crl_check) + { + err = ksba_cert_get_crl_dist_point (subject_cert, 0, NULL, NULL, NULL); + if (gpg_err_code (err) == GPG_ERR_EOF) + { + /* No DP specified in the certificate. Thus the CA does not + * consider a CRL useful and the user of the certificate + * also does not consider this to be a critical thing. In + * this case we can conclude that the certificate shall not + * be revocable. Note that we reach this point here only if + * no OCSP responder shall be used. */ + audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, gpg_error (GPG_ERR_TRUE)); + return 0; + } + } + err = gpgsm_dirmngr_isvalid (ctrl, subject_cert, issuer_cert, force_ocsp? 2 : !!ctrl->use_ocsp); diff --git a/sm/gpgsm.c b/sm/gpgsm.c index 387e4d2e4..bb2767283 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -144,6 +144,7 @@ enum cmd_and_opt_values { oDisableTrustedCertCRLCheck, oEnableTrustedCertCRLCheck, oForceCRLRefresh, + oEnableIssuerBasedCRLCheck, oDisableOCSP, oEnableOCSP, @@ -402,6 +403,8 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"), ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"), ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"), + ARGPARSE_s_n (oEnableIssuerBasedCRLCheck, "enable-issuer-based-crl-check", + "@"), /* Command aliases. */ ARGPARSE_c (aListKeys, "list-key", "@"), @@ -1202,6 +1205,9 @@ main ( int argc, char **argv) case oForceCRLRefresh: opt.force_crl_refresh = 1; break; + case oEnableIssuerBasedCRLCheck: + opt.enable_issuer_based_crl_check = 1; + break; case oDisableOCSP: ctrl.use_ocsp = opt.enable_ocsp = 0; diff --git a/sm/gpgsm.h b/sm/gpgsm.h index a9fb4c89b..d81e39230 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -124,6 +124,7 @@ struct int no_crl_check; /* Don't do a CRL check */ int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */ int force_crl_refresh; /* Force refreshing the CRL. */ + int enable_issuer_based_crl_check; /* Backward compatibility hack. */ int enable_ocsp; /* Default to use OCSP checks. */ char *policy_file; /* full pathname of policy file */ |