From f07811ee2c0a8044551e2ec063eda61cff7f6e39 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 17 Feb 2017 21:31:33 +0100
Subject: dirmngr: Add option --no-crl to the VALIDATE cmd.
* dirmngr/validate.h: Remove enums VALIDATE_MODE_*. (VALIDATE_FLAG_SYSTRUST, VALIDATE_FLAG_EXTRATRUST) (VALIDATE_FLAG_CRL, VALIDATE_FLAG_RECURSIVE) (VALIDATE_FLAG_OCSP, VALIDATE_FLAG_TLS) (VALIDATE_FLAG_NOCRLCHECK): New constants.
* dirmngr/validate.c (validate_cert_chain): Change arg 'mode' to 'flags'. Change code accordingly. Remove NO-CRL in TLS mode kludge.
* dirmngr/crlcache.c (crl_parse_insert): Change to use flag values for the validate_cert_chain call.
* dirmngr/server.c (cmd_validate): Ditto. Add new option --no-crl.
Signed-off-by: Werner Koch
---
 dirmngr/server.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
(limited to 'dirmngr/server.c')
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 05ef439a1..1134ac081 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1733,7 +1733,7 @@ cmd_cachecert (assuan_context_t ctx, char *line)
 static const char hlp_validate[] =
- "VALIDATE [--systrust] [--tls]\n"
+ "VALIDATE [--systrust] [--tls] [--no-crl]\n"
 "\n"
 "Validate a certificate using the certificate validation function\n"
 "used internally by dirmngr. This command is only useful for\n"
@@ -1753,7 +1753,8 @@ static const char hlp_validate[] =
 "need to be PEM encoded.\n"
 "\n"
 "The option --systrust changes the behaviour to include the system\n"
- "provided root certificates as trust anchors.";
+ "provided root certificates as trust anchors. The option --no-crl\n"
+ "skips CRL checks";
 static gpg_error_t
 cmd_validate (assuan_context_t ctx, char *line)
 {
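Review bot: The sentence added to hlp_validate ends at `"skips CRL checks";` with no full stop and without saying what that means for the result, namely that the chain's revocation status is not checked against CRLs. I would end the string with `"skips CRL checks; a revoked certificate may then validate."`. The commit message also says the NO-CRL-in-TLS-mode kludge was removed from validate.c, which is not part of this page; if that means `--tls` alone now runs CRL checks where it previously did not, the help text is the place to say so, since the visible part of hlp_validate does not mention it.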
@@ -1763,10 +1764,11 @@ cmd_validate (assuan_context_t ctx, char *line)
 certlist_t certlist = NULL;
 unsigned char *value = NULL;
 size_t valuelen;
- int systrust_mode, tls_mode;
+ int systrust_mode, tls_mode, no_crl;
 systrust_mode = has_option (line, "--systrust");
 tls_mode = has_option (line, "--tls");
+ no_crl = has_option (line, "--no-crl");
 line = skip_options (line);
 if (tls_mode)
@@ -1843,14 +1845,11 @@ cmd_validate (assuan_context_t ctx, char *line)
 cache_cert (cl->cert);
 }
-
- err = validate_cert_chain
- (ctrl, cert, NULL,
- tls_mode && systrust_mode ? VALIDATE_MODE_TLS_SYSTRUST :
- tls_mode ? VALIDATE_MODE_TLS :
- /**/ systrust_mode ? VALIDATE_MODE_CERT_SYSTRUST :
- /**/ VALIDATE_MODE_CERT,
- NULL);
+ err = validate_cert_chain (ctrl, cert, NULL,
+ ((tls_mode ? VALIDATE_FLAG_TLS : 0)
+ | (systrust_mode ? VALIDATE_FLAG_SYSTRUST : 0)
+ | (no_crl ? VALIDATE_FLAG_NOCRLCHECK : 0)),
+ NULL);
 leave:
 ksba_cert_release (cert);
-- cgit v1.2.3
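Review bot: A success from `VALIDATE --no-crl` is indistinguishable at this call site from a fully checked one, because the rewritten validate_cert_chain call passes VALIDATE_FLAG_NOCRLCHECK and the visible code then falls through to `leave:` without recording that revocation checking was switched off. I would add `if (no_crl) log_info ("VALIDATE: CRL checks skipped on request\n");` just before the call, and a one-line comment on the flag expression stating that the three options are independent bits and that VALIDATE_FLAG_NOCRLCHECK disables CRL-based revocation checks. Whether validate_cert_chain already logs this cannot be told from here, since validate.c is not on this page. cmd_validate's body starts and ends outside the hunk.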