aboutsummaryrefslogtreecommitdiffstats
path: root/sm (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* sm: New options to prepare the use of keyboxd.Werner Koch2020-09-036-81/+423
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/Makefile.am (AM_CFLAGS): Add npth flags. (common_libs): Use npth version of the lib. (gpgsm_LDADD): Add npth libs. * sm/gpgsm.c (oUseKeyboxd, oKeyboxdProgram): New. (opts): New options --use-keyboxd and --keyboxd-program. (main): Set them. (gpgsm_deinit_default_ctrl): New. (main): Call it. * sm/server.c (gpgsm_server): Ditto. * sm/gpgsm.h (opt): Add fields use_keyboxd and keyboxd_program. (keydb_local_s): New type. (struct server_control_s): Add field keybd_local. * sm/keydb.c: Include assuan.h, asshelp.h, and kbx-client-util.h. (struct keydb_local_s): New. (struct keydb_handle): Add fields for keyboxd use. (gpgsm_keydb_deinit_session_data): New. (warn_version_mismatch): New. (create_new_context): New. (open_context): New. (keydb_new): Implement keyboxd mode. (keydb_release): Ditto. (keydb_get_resource_name): Ditto. * sm/keydb.c: Add stub support for all other functions. Signed-off-by: Werner Koch <[email protected]>
* sm: Add arg ctrl to keydb_new.Werner Koch2020-09-0313-22/+24
| | | | | | | * sm/keydb.c (keydb_new): Add arg and change all callers. -- This will be used later.
* Use only one copy of the warn_server_mismatch function.Werner Koch2020-09-012-67/+6
| | | | | | | | | | | | | | | | | * common/asshelp.c (warn_server_version_mismatch): New. Actually a slightly modified version of warn_version_mismatch found in other modules. * common/status.c (gnupg_status_strings): New. * g10/cpr.c (write_status_strings2): New. * g10/call-agent.c (warn_version_mismatch): Use the new unified warn_server_version_mismatch function. * g10/call-dirmngr.c (warn_version_mismatch): Ditto. * g10/call-keyboxd.c (warn_version_mismatch): Ditto. * sm/call-agent.c (warn_version_mismatch): Ditto. * sm/call-dirmngr.c (warn_version_mismatch): Ditto. * tools/card-call-scd.c (warn_version_mismatch): Ditto. Signed-off-by: Werner Koch <[email protected]>
* sm: Fix a bug in the rfc2253 parserWerner Koch2020-08-281-1/+1
| | | | | | | | | | | | | * sm/certdump.c (parse_dn_part): Fix parser flaw. -- This could in theory result in reading bytes after a after Nul in a string and thus possible segv on unallocated memory or reading other parts of the memory. However, it is harmless because the rfc2253 strings have been constructed by libksba. GnuPG-bug-id: 5037 Signed-off-by: Werner Koch <[email protected]>
* sm: Do not require a default keyring for --gpgconf-list.Werner Koch2020-08-251-0/+1
| | | | | | | | * sm/gpgsm.c (main): No default keyring for gpgconf mode. -- GnuPG-bug-id: 4867 Signed-off-by: Werner Koch <[email protected]>
* build: New configure option --disable-testsWerner Koch2020-08-201-0/+4
| | | | | | | | * configure.ac: Add option --disable-tests. Print warnings in the summary. (DISABLE_TESTS): New am_conditional. -- GnuPG-bug-id: 4960
* gpg,gpgsm: Record the creation time of a private key.Werner Koch2020-08-191-3/+11
| | | | | | | | | | | | | | | | | * sm/call-agent.c (gpgsm_agent_genkey): Pass --timestamp option. (gpgsm_agent_import_key): Ditto. * g10/call-agent.c (agent_genkey): Add arg timestamp and pass it on. (agent_import_key): Ditto. * g10/import.c (transfer_secret_keys): Pass the creation date to the agent. * g10/keygen.c (common_gen): Ditto. -- Having the creation time in the private key file makes it a lot easier to re-create an OpenPGP public keyblock in case it was accidentally lost. Signed-off-by: Werner Koch <[email protected]>
* Silence compiler warnings.NIIBE Yutaka2020-08-191-1/+1
| | | | | | | | | | * common/openpgp-oid.c (map_openpgp_pk_to_gcry): Use cast for enum conversion. * dirmngr/dns-stuff.c (get_dns_srv): Use explicit conversion from int to float. * sm/gpgsm.c (parse_keyserver_line): Initialize ERR. Signed-off-by: NIIBE Yutaka <[email protected]>
* Add --chuid to gpg, gpg-card, and gpg-connect-agent.Werner Koch2020-08-141-6/+10
| | | | | | | | | | | | | | | | | | | * g10/gpg.c (oChUid): New. (opts): Add --chuid. (main): Implement --chuid. Delay setting of homedir until the new chuid is done. * sm/gpgsm.c (main): Delay setting of homedir until the new chuid is done. * tools/gpg-card.c (oChUid): New. (opts): Add --chuid. (changeuser): New helper var. (main): Implement --chuid. * tools/gpg-connect-agent.c (oChUid): New. (opts): Add --chuid. (main): Implement --chuid. -- Signed-off-by: Werner Koch <[email protected]>
* gpgsm: New option --chuid.Werner Koch2020-08-061-1/+12
| | | | | | | | | | * sm/gpgsm.c (oChUid, opts): New option --chuid. (main): Implement option. -- This option will at least be useful for Scute. Signed-off-by: Werner Koch <[email protected]>
* sm: Also show the SHA-256 fingerprint.Werner Koch2020-08-041-1/+13
| | | | | | | | * sm/keylist.c (list_cert_colon): Emit a new "fp2" record. (list_cert_raw): Print the SHA2 fingerprint. (list_cert_std): Ditto. Signed-off-by: Werner Koch <[email protected]>
* w32: Add NETLIBS for sm/t-minip12.NIIBE Yutaka2020-07-301-1/+1
| | | | | | | | | * sm/Makefile.am (t_minip12_LDADD): Add NETLIBS. -- GnuPG-bug-id: 4944 Signed-off-by: NIIBE Yutaka <[email protected]>
* w32: Add link to $(NETLIB) for -lws2_32.NIIBE Yutaka2020-07-301-1/+1
| | | | | | | | | | | * dirmngr/Makefile.am (dirmngr_LDADD): Add $(NETLIBS). * sm/Makefile.am (gpgsm_LDADD): Ditto. * tools/Makefile.am (gpg_wks_client_LDADD): Ditto. -- GnuPG-bug-id: 4994 Signed-off-by: NIIBE Yutaka <[email protected]>
* Do not use the pinentry's qualitybarWerner Koch2020-07-081-1/+1
| | | | | | | | | | | | | | | | * agent/genkey.c (agent_ask_new_passphrase): No qualitybar. * g10/call-agent.c (agent_get_passphrase): Ditto. * sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto. -- The concept of a passphrase quality indicator is anyway questionable because user are smart enough to trick them out and they also tend to limit the actually used entropy. Except for the red/green switching (to show whether constraints are fulfilled) our qualitybar is pretty bad and thus worse than none. Signed-off-by: Werner Koch <[email protected]>
* gpgsm: Replace all assert calls by log_assert.Werner Koch2020-07-0819-44/+29
| | | | | | -- Signed-off-by: Werner Koch <[email protected]>
* sm: Exclude rsaPSS from de-vs compliance mode.Werner Koch2020-07-038-76/+145
| | | | | | | | | | | | | | | * common/compliance.h (PK_ALGO_FLAG_RSAPSS): New. * common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and test rsaPSS. Adjust all callers. (gnupg_pk_is_allowed): Ditto. * sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function. (gpgsm_get_hash_algo_from_sigval): New. * sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS. * sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to also get the algo flags. Pass algo flags along. Signed-off-by: Werner Koch <[email protected]>
* sm: Fix regression in Friday's commitWerner Koch2020-06-291-2/+2
| | | | | | | | * sm/gpgsm.c (main): Set ERR also for encrypt. -- Fixes-commit: ccbb0cfeefed096a9841b6557d10eef12d55b721 Signed-off-by: Werner Koch <[email protected]>
* sm: Try not to output a partial new message after an error.Werner Koch2020-06-261-2/+19
| | | | | | | | | | | | | | | | | * sm/gpgsm.c (main) <aSign,aEncr>: Uses gpgrt_fcancel on error. -- When creating a signature or encrypting and the respective key is not available or the user canceled the PIN entry gpgsm prints the initial part of the message due to internal buffering in gpgrt. By using gpgrt_fcancel we can avoid this at least as long as the data is less than the standard buffer size (which is currently 8k). If is not a complete solution but the best we can do easily. Outputting to the tty is anyway more of a testing aid than for real use. This makes use of the new gpgrt_fcancel API. Signed-off-by: Werner Koch <[email protected]>
* sm: Print the serial number of a cert also in decimal.Werner Koch2020-06-263-3/+89
| | | | | | | | | | | | * sm/certdump.c: Include membuf.h. (gpgsm_print_serial_decimal): New. * sm/keylist.c (list_cert_raw): Print s/n also in decimal (list_cert_std): Ditto. -- Many CA's print the serial number in decimal on their cards. Signed-off-by: Werner Koch <[email protected]>
* sm: Fix support verification of nistp521 signatures.Werner Koch2020-06-251-1/+1
| | | | | | | | * sm/certcheck.c (do_encode_md): Fix obvious bug. -- Fixes-commit: 596212e71abf33b30608348b782c093dace83110 Signed-off-by: Werner Koch <[email protected]>
* sm: Support verification of nistp521 signatures.Werner Koch2020-06-171-5/+8
| | | | | | | | | | | * sm/certcheck.c (do_encode_md): Take care of nistp521. -- That curve is a bit odd in that it does not match a common hash digest length. We fix that here for just this case instead of writing more general code to support all allowed cases (i.e. hash shorter than Q). Signed-off-by: Werner Koch <[email protected]>
* sm: Fix recently introduced regression in CSR creation.Werner Koch2020-06-031-1/+5
| | | | | | | | * sm/certreqgen.c (create_request): Also set SIGKEYLEN. -- Fixes-commit: 44676819f2873705b78849e7b2fd22214b691642 Signed-off-by: Werner Koch <[email protected]>
* sm: Create ECC certificates with AKI and SKI by default.Werner Koch2020-05-191-31/+127
| | | | | | | | * sm/certreqgen.c (create_request): Create AKI and SKI by default. -- GnuPG-bug-id: 4098 Signed-off-by: Werner Koch <[email protected]>
* sm: Support creation of EdDSA certificates.Werner Koch2020-05-184-63/+183
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/misc.c (transform_sigval): Support EdDSA. * sm/certreqgen.c (create_request): Support EdDSA cert creation. * sm/certcheck.c (gpgsm_check_cert_sig): Map some ECC algo OIDs to hash algos. * sm/call-agent.c (struct sethash_inq_parm_s): New. (sethash_inq_cb): New. (gpgsm_agent_pksign): Add mode to pass plain data for EdDSA. -- Tested using a parameter file Key-Type: EdDSA Key-Length: 1024 Key-Grip: 09D9AE3D494F7888C93BE5106AD8A734A87617F0 Key-Usage: sign Serial: random Name-DN: CN=dummy test ed25519 where the keygrip is from a gpg generated Ed25519 key. ECDSA was tested using Key-Type: ECDSA Key-Length: 1024 Key-Grip: 8E06A180EFFE4C65B812150CAF19BF30C0689A4C Key-Usage: sign Serial: random Name-DN: CN=dummy test nistp256 and RSA using Key-Type: RSA Key-Length: 2048 Key-Grip: C6A6390E9388CDBAD71EAEA698233FE5E04F001E Key-Usage: sign Serial: random Name-DN: CN=dummy test rsa The command used in all cases is gpgsm -v --gen-key --batch a.parm >a.crt gpgsm -v --import <a.crt More support, in particular in the user interface, is required and will follow soon. GnuPG-bug-id: 4888 Signed-off-by: Werner Koch <[email protected]>
* sm: Support import and verification of EdDSA certificates.Werner Koch2020-05-133-17/+143
| | | | | | | | | | | | | | * sm/certdump.c (gpgsm_get_serial): New. * sm/certcheck.c (gpgsm_check_cert_sig): Support EdDSA signatures. -- Note that this does not work with the self-signed RFC-8410 sample certificate; see the code for comments. The Ed488 case has not been tested due to a lack of support in Libgcrypt. Signed-off-by: Werner Koch <[email protected]>
* sm: Support signing using ECDSA.Werner Koch2020-05-112-32/+54
| | | | | | | | | | * sm/gpgsm.h (struct certlist_s): Add helper field pk_algo. * sm/sign.c (gpgsm_sign): Store the public key algo. Take the hash algo from the curve. Improve diagnostic output in verbose mode. -- GnuPG-bug-id: 4098 Signed-off-by: Werner Koch <[email protected]>
* sm: Allow decryption using dhSinglePass-stdDH-sha1kdf-scheme.Werner Koch2020-05-084-67/+92
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/decrypt.c (ecdh_decrypt): Support dhSinglePass-stdDH-sha1kdf-scheme. Factor key derive code out to ... (ecdh_derive_kek): new global function. Allow for hashs shorter than the key. (hash_ecc_cms_shared_info): Make file-only. * sm/encrypt.c (ecdh_encrypt): Replace derive code by a call to the new ecdh_derive_kek. Add test code to create data using dhSinglePass-stdDH-sha1kdf-scheme. * sm/gpgsm.h (opt): Add member force_ecdh_sha1kdf. * sm/gpgsm.c: Add option --debug-force-ecdh-sha1kdf. -- I did some test against Governikus_Signer: 2.9.2.0 MCard security Provider: 2.4.0 Algorithm catalog from: 05.12.2019 using a Signature Card v2.0 and a nistp256 certificate. Encrypting with Governikus used the stdDH-sha1kdf scheme which we can now decrypt. Encrypting with GPGSM uses for that curve the recommended scheme sha256kdf but Governikus was not able to decrypt this (no usable error message). Encrypting using stdDH-sha1kdf with GPGSM by using the new --debug-force-ecdh-sha1kdf option showed that Governikus was able to decrypt this. FWIW: RFC5753 (Use of Elliptic Curve Cryptography (ECC) Algorithms) has this requirement: Implementations that support EnvelopedData with the ephemeral-static ECDH standard primitive: - MUST support the dhSinglePass-stdDH-sha256kdf-scheme key agreement algorithm, the id-aes128-wrap key wrap algorithm, and the id-aes128-cbc content encryption algorithm; and which Governikus seems not to fulfill. GnuPG-bug-id: 4098 Signed-off-by: Werner Koch <[email protected]>
* sm: Print algorithm infos in data decryption mode.Werner Koch2020-05-081-0/+13
| | | | | | | | * common/sexputil.c (cipher_mode_to_string): New. * sm/decrypt.c (prepare_decryption): Show cipher algo and mode. (gpgsm_decrypt): Show key algo and fingerprint Signed-off-by: Werner Koch <[email protected]>
* sm: Cleanup the use of GCRY_PK_ECC and GCRY_PK_ECDSA.Werner Koch2020-05-084-8/+13
| | | | | | | | | | | * common/sexputil.c (pubkey_algo_to_string): New. * sm/certcheck.c (do_encode_md): Replace GCRY_PK_ECDSA by GCRY_PK_ECC. * sm/certreqgen-ui.c (check_keygrip): Add all ECC algorithms. * sm/gpgsm.c (our_pk_test_algo): Also allow EdDSA. * sm/verify.c (gpgsm_verify): Map ECC algo to ECDSA. Use new pubkey algo name function Signed-off-by: Werner Koch <[email protected]>
* sm: Improve readability of the data verification output.Werner Koch2020-05-081-35/+66
| | | | | | | | | | * sm/verify.c (gpgsm_verify): Print the used algorithms. -- Note that we now use the full fingerprint instead of the certificate id. This better aligns with what we do in gpg. Signed-off-by: Werner Koch <[email protected]>
* sm: Fix annoying warning about not yet implemented --attribute.Werner Koch2020-05-071-1/+2
| | | | | | -- Signed-off-by: Werner Koch <[email protected]>
* sm: Print the key types as standard key algorithm strings.Werner Koch2020-05-073-14/+84
| | | | | | | | | | | | | | | | * sm/fingerprint.c (gpgsm_get_key_algo_info): Factor code out to ... (gpgsm_get_key_algo_info2): new. (gpgsm_pubkey_algo_string): New. * sm/keylist.c (list_cert_colon): Put curve into field 17 (list_cert_raw): Print the unified key algotithm string instead of the algo and size. (list_cert_std): Ditto. -- It is important to known whether a 256 bit ECC uses a NIST or a Brainpool curve. Signed-off-by: Werner Koch <[email protected]>
* sm: Support decryption of ECDH data using a smartcard.Werner Koch2020-05-071-8/+11
| | | | | | | | | | * sm/decrypt.c (ecdh_decrypt): Add arg nbits and detect bare secret. (prepare_decryption): Add arg nbits and pass on. (gpgsm_decrypt): Pass size of curve to prepare_decryption. -- GnuPG-bug-id: 4098 Signed-off-by: Werner Koch <[email protected]>
* sm: Support encryption using ECDH keys.Werner Koch2020-05-043-13/+313
| | | | | | | | | | | | | | * sm/decrypt.c (hash_ecc_cms_shared_info): Make global. * sm/encrypt.c (ecdh_encrypt): New. (encrypt_dek): Add arg PK_ALGO and support ECDH. (gpgsm_encrypt): Pass PK_ALGO. -- Note: This has only been tested with a messages created and decrypted by GnuPG. GnuPG-bug-id: 4098 Signed-off-by: Werner Koch <[email protected]>
* doc: Typo fixes in code commentsWerner Koch2020-05-041-1/+1
| | | | | | -- Signed-off-by: Werner Koch <[email protected]>
* sm: Add support to export ECC private keys.Werner Koch2020-04-274-211/+559
| | | | | | | | | | | | | | | | | | | * sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and openpgpdefs.h. Remove the class and tag constants and replace them by those from tlv.h. (builder_add_oid, builder_add_mpi): New. (build_key_sequence): Rename to ... (build_rsa_key_sequence): this. (build_ecc_key_sequence): New. (p12_build): Call RSA or ECC builder. (p12_raw_build): Ditto. * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC. (sexp_to_kparms): Support ECC. * sm/t-minip12.c: New to replace the former TEST code in minip12.h. -- GnuPG-bug-id: 4921
* sm: Minor debug output format changes.Werner Koch2020-04-233-3/+3
| | | | --
* sm: Support decryption of ECDH data.Werner Koch2020-04-231-37/+365
| | | | | | | | | | | | | | | | | * sm/decrypt.c: Include tlv.h. (string_from_gcry_buffer): New. (hash_ecc_cms_shared_info): New. (ecdh_decrypt): New. (prepare_decryption): Support ECDH. Add arg pk_algo. (gpgsm_decrypt): Lift some variables from an inner code block. -- Note: This has only been tested with a single messages created by OpenSSL and taken from the Mozilla bug tracker. In particular the code to included UserKeyingMaterial (ukm) has not been tested. GnuPG-bug-id: 4098 Signed-off-by: Werner Koch <[email protected]>
* sm: Support import of PKCS#12 encoded ECC private keys.Werner Koch2020-04-213-62/+198
| | | | | | | | | | | | | * sm/minip12.c: Include ksba.h. (oid_pcPublicKey): New const. (parse_bag_data): Add arg 'r-curve'. Support parsing of ECC private keys. (p12_parse): Add arg 'r_curve'. * sm/import.c (parse_p12): Support ECC import. -- GnuPG-bug-id: 4921 Signed-off-by: Werner Koch <[email protected]>
* sm: Replace some debug message by log_error or log_infoWerner Koch2020-04-212-8/+10
| | | | | | -- Signed-off-by: Werner Koch <[email protected]>
* sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.Werner Koch2020-04-161-6/+11
| | | | | | | | | * sm/certchain.c (find_up): Disable external lookups in offline mode. Always allow AKI lookup if CRLs are also enabled. -- GnuPG-bug-id: 4898 Signed-off-by: Werner Koch <[email protected]>
* sm: Lookup missing issuers first using authorityInfoAccess.Werner Koch2020-04-164-26/+180
| | | | | | | | | | | | | | | | * sm/call-dirmngr.c (gpgsm_dirmngr_lookup): Add optional arg URL and adjust all callers. * sm/certchain.c (oidstr_caIssuers): New. (struct find_up_store_certs_s): Add additional fields. (find_up_store_certs_cb): Store the fingerprint. (find_up_via_auth_info_access): New. (find_up): Try the AIA URI first. -- Note that --auto-issuer-key-retrieve is required to use that. GnuPG-bug-id: 4898 Signed-off-by: Werner Koch <[email protected]>
* sm,dirmngr: Restrict allowed parameters used with rsaPSS.Werner Koch2020-04-151-1/+39
| | | | | | | | | | | | | | | * sm/certcheck.c (extract_pss_params): Check the used PSS params. * dirmngr/crlcache.c (finish_sig_check): Ditto. * dirmngr/validate.c (check_cert_sig): Ditto. -- GnuPG-bug-id: 4538 # ------------------------ >8 ------------------------ See https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html Signed-off-by: Werner Koch <[email protected]>
* sm: Support rsaPSS verification also for CMS signatures.Werner Koch2020-04-142-40/+112
| | | | | | | | | * sm/certcheck.c (gpgsm_check_cert_sig): Factor PSS parsing out to ... (extract_pss_params): new. (gpgsm_check_cms_signature): Implement PSS. -- GnuPG-bug-id: 4538
* dirmngr: Support rsaPSS also in the general validate module.Werner Koch2020-04-091-1/+5
| | | | | | | | | | | | | | | | | | * dirmngr/validate.c (hash_algo_from_buffer): New. (uint_from_buffer): New. (check_cert_sig): Support rsaPSS. * sm/certcheck.c (gpgsm_check_cert_sig): Fix small memory leak on error. -- Yes, I know that there is a lot of code duplication. In fact some of the code is ugly and it would be better if we enhance Libgcrypt to guarantee that returned memory buffers via gcry_sexp_extract_param are allways Nul terminated and we should also enhance that function to directly extract into an unsigned int or char *. GnuPG-bug-id: 4538 Signed-off-by: Werner Koch <[email protected]>
* sm,dirmngr: Support rsaPSS signature verification.Werner Koch2020-04-091-45/+145
| | | | | | | | | | | | | | | | * sm/certcheck.c (hash_algo_from_buffer): New. (uint_from_buffer): New. (gpgsm_check_cert_sig): Handle PSS. * dirmngr/crlcache.c (hash_algo_from_buffer): New. (uint_from_buffer): New. (start_sig_check): Detect PSS and extract hash algo. New arg to return a PSS flag. (finish_sig_check): New arg use_pss. Extract PSS args and use them. (crl_parse_insert): Pass use_pss flag along. -- GnuPG-bug-id: 4538 Signed-off-by: Werner Koch <[email protected]>
* sm: Fix a warning in an es_fopencooie function.Werner Koch2020-04-011-0/+4
| | | | | | | | | | | | | | * sm/certdump.c (format_name_writer): Take care of a flush request. -- We won't see a flush here so that fix does not solve a real bug but we want to be correct. Note that this function seems to predate the es_fopenmem function and thus in master (2.3) we should replace it entirely. GnuPG-bug-id: 4495 Signed-off-by: Werner Koch <[email protected]> (cherry picked from 2.2 commit 8d0d61aca3d2713df8a33444af3658b859d72be8)
* sm: Fix possible NULL deref in error messages of --gen-key.Werner Koch2020-03-301-20/+20
| | | | | | | | * sm/certreqgen.c: Protect printing the liniernur in case of !R. -- GnuPG-bug-id: 4895 Signed-off-by: Werner Koch <[email protected]>
* sm: Consider certificates w/o CRL DP as valid.Werner Koch2020-03-273-0/+25
| | | | | | | | | | | | | | | | | | | * sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP. * common/audit.c (proc_type_verify): Print "n/a" if a cert has no distribution point. * sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check. * sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New. (opts): Add option --enable-issuer-based-crl-check. (main): Set option. -- If the issuer does not provide a DP and the user wants such an issuer, we expect that a certificate does not need revocation checks. The new option --enable-issuer-based-crl-check can be used to revert to the old behaviour which requires that a suitable LDAP server has been configured to lookup a CRL by issuer. Signed-off-by: Werner Koch <[email protected]>
* gpgsm: Fix the previous commit.NIIBE Yutaka2020-03-271-5/+5
| | | | Signed-off-by: NIIBE Yutaka <[email protected]>
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-21 13:27:27 +0000