From b52a0e244ae18aec4b9c93f90432a551fac95a40 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 9 Mar 2023 18:28:39 +0100 Subject: dirmngr: Distinguish between "no crl" and "crl not trusted". * dirmngr/crlcache.h (CRL_CACHE_NOTTRUSTED): New. * dirmngr/crlcache.c (cache_isvalid): Set this status. (crl_cache_cert_isvalid): Map it to GPG_ERR_NOT_TRUSTED. (crl_cache_reload_crl): Move diagnostic to ... * dirmngr/crlfetch.c (crl_fetch): here. * dirmngr/server.c (cmd_isvalid): Map it to GPG_ERR_NOT_TRUSTED. * dirmngr/validate.c (check_revocations): Handle new status. Improve diagnostics. * common/status.c (get_inv_recpsgnr_code): Map INV_CRL_OBJ. * common/audit.c (proc_type_verify): Ditto. -- This avoids repeated loading of CRLs in case of untrusted root certificates. --- dirmngr/crlcache.h | 1 + 1 file changed, 1 insertion(+) (limited to 'dirmngr/crlcache.h') diff --git a/dirmngr/crlcache.h b/dirmngr/crlcache.h index 0e60def8f..7db8f01cc 100644 --- a/dirmngr/crlcache.h +++ b/dirmngr/crlcache.h @@ -27,6 +27,7 @@ typedef enum CRL_CACHE_VALID = 0, CRL_CACHE_INVALID, CRL_CACHE_DONTKNOW, + CRL_CACHE_NOTTRUSTED, CRL_CACHE_CANTUSE } crl_cache_result_t; -- cgit v1.2.3