From 0b583a555e75fbb9140310390a267febd3329a12 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 27 Mar 2020 21:11:25 +0100
Subject: sm: Consider certificates w/o CRL DP as valid.

* sm/certchain.c (is_cert_still_valid): Shortcut if there is no DP.
* common/audit.c (proc_type_verify): Print "n/a" if a cert has no distribution point.
* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
(opts): Add option --enable-issuer-based-crl-check.
(main): Set option.
--

If the issuer does not provide a DP and the user wants such an issuer, we expect that a certificate does not need revocation checks. The new option --enable-issuer-based-crl-check can be used to revert to the old behaviour which requires that a suitable LDAP server has been configured to look up a CRL by issuer.

Signed-off-by: Werner Koch
--- common/audit.c | 1 + 1 file changed, 1 insertion(+) (limited to 'common/audit.c') diff --git a/common/audit.c b/common/audit.c index 6185df37c..803523c94 100644 --- a/common/audit.c +++ b/common/audit.c @@ -1105,6 +1105,7 @@ proc_type_verify (audit_ctx_t ctx) switch (gpg_err_code (item->err)) { case 0: ok = "good"; break; + case GPG_ERR_TRUE: ok = "n/a"; break; case GPG_ERR_CERT_REVOKED: ok = "bad"; break; case GPG_ERR_NOT_ENABLED: ok = "disabled"; break; case GPG_ERR_NO_CRL_KNOWN: -- cgit v1.2.3
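Review bot: the new `case GPG_ERR_TRUE: ok = "n/a"; break;` in the `switch (gpg_err_code (item->err))` of `proc_type_verify` has no comment saying what GPG_ERR_TRUE stands for here, and unlike its neighbours GPG_ERR_CERT_REVOKED and GPG_ERR_NO_CRL_KNOWN the name carries no CRL meaning of its own. A one-line comment such as `/* Cert has no CRL DP: revocation check skipped. */` would tie the case to the behaviour the commit message describes. Because this view is limited to common/audit.c, the sm/certchain.c side that is expected to set this code is not visible; it is worth confirming that no other path can store GPG_ERR_TRUE in this audit item, since the audit log would then print "n/a" for a certificate whose revocation status went unchecked for a different reason.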