author | Werner Koch <[email protected]> | 2017-02-17 20:31:33 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2017-02-17 20:31:33 +0000 |
commit | f07811ee2c0a8044551e2ec063eda61cff7f6e39 (patch) | |
tree | 36f07a12fc3c897a4ef2a4bd9d39cc8e01045021 /dirmngr/validate.c | |
parent | dirmngr: Add options --tls and --systrust to the VALIDATE cmd. (diff) | |
dirmngr: Add option --no-crl to the VALIDATE cmd.
* dirmngr/validate.h: Remove enums VALIDATE_MODE_*.
(VALIDATE_FLAG_SYSTRUST, VALIDATE_FLAG_EXTRATRUST)
(VALIDATE_FLAG_CRL, VALIDATE_FLAG_RECURSIVE)
(VALIDATE_FLAG_OCSP, VALIDATE_FLAG_TLS)
(VALIDATE_FLAG_NOCRLCHECK): New constants.
* dirmngr/validate.c (validate_cert_chain): Change arg 'mode' to
'flags'. Change code accordingly. Remove NO-CRL in TLS mode kludge.
* dirmngr/crlcache.c (crl_parse_insert): Change to use flag values for
the validate_cert_chain call.
* dirmngr/server.c (cmd_validate): Ditto. Add new option --no-crl.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to '')
-rw-r--r-- | dirmngr/validate.c | 33 |
1 files changed, 12 insertions, 21 deletions
diff --git a/dirmngr/validate.c b/dirmngr/validate.c index 8fb2df2c3..1599a8d5a 100644 --- a/dirmngr/validate.c +++ b/dirmngr/validate.c @@ -379,7 +379,7 @@ is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn) R_TRUST_ANCHOR; in all other cases NULL is stored there. */ gpg_error_t validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, - int mode, char **r_trust_anchor) + unsigned int flags, char **r_trust_anchor) { gpg_error_t err = 0; int depth, maxdepth; @@ -405,20 +405,9 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, dump_cert ("subject", cert); /* May the target certificate be used for this purpose? */ - switch (mode) - { - case VALIDATE_MODE_OCSP: - err = check_cert_use_ocsp (cert); - break; - case VALIDATE_MODE_CRL: - case VALIDATE_MODE_CRL_RECURSIVE: - err = check_cert_use_crl (cert); - break; - default: - err = 0; - break; - } - if (err) + if ((flags & VALIDATE_FLAG_OCSP) && (err = check_cert_use_ocsp (cert))) + return err; + if ((flags & VALIDATE_FLAG_CRL) && (err = check_cert_use_crl (cert))) return err; /* If we already validated the certificate not too long ago, we can @@ -552,8 +541,7 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, goto leave; /* No. */ err = is_trusted_cert (subject_cert, - (mode == VALIDATE_MODE_CERT_SYSTRUST - || mode == VALIDATE_MODE_TLS_SYSTRUST)); + !!(flags & VALIDATE_FLAG_SYSTRUST)); if (!err) ; /* Yes we trust this cert. */ else if (gpg_err_code (err) == GPG_ERR_NOT_TRUSTED) 
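Review bot: Both new guards in the `-405,20 +405,9` hunk bury the assignment to `err` inside the `if` condition, which makes a certificate-usage check easy to misread as a comparison; writing each as `if (flags & VALIDATE_FLAG_OCSP)` with `err = check_cert_use_ocsp (cert);` and a separate `if (err) return err;` keeps the early return explicit. Because the bits can now be combined, a certificate must pass both usage checks when OCSP and CRL are set together and none when neither is set, which the removed switch could not express. A one-line comment such as `/* Flags may be combined; every selected usage check must pass. */` would record that. The body of validate_cert_chain continues outside the hunk.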
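Review bot: In the `-552,8 +541,7` hunk the system trust store is now honoured for any caller that sets VALIDATE_FLAG_SYSTRUST, whereas the removed expression allowed it only for the two `*_SYSTRUST` modes, which never ran the OCSP or CRL usage checks. That makes it possible to validate an OCSP or CRL signer against system roots; whether any caller does so is not visible here. If that widening is not intended, validate_cert_chain could reject it at entry, e.g. `if ((flags & VALIDATE_FLAG_SYSTRUST) && (flags & (VALIDATE_FLAG_OCSP|VALIDATE_FLAG_CRL))) return gpg_error (GPG_ERR_INV_FLAG);`. Otherwise the function comment, which starts outside the hunk, should state which combinations are supported.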
@@ -759,7 +747,12 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, cert_log_name (" certificate", citem->cert); } - if (!err && mode != VALIDATE_MODE_CRL) + /* Now check for revocations unless CRL checks are disabled or we + * are non-recursive CRL mode. */ + if (!err + && !(flags & VALIDATE_FLAG_NOCRLCHECK) + && !((flags & VALIDATE_FLAG_CRL) + && !(flags & VALIDATE_FLAG_RECURSIVE))) { /* Now that everything is fine, walk the chain and check each * certificate for revocations. * @@ -774,9 +767,7 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, * our validity results to avoid double work. Far worse a * catch-22 may happen for an improper setup hierarchy and we * need a way to break up such a deadlock. */ - if (mode != VALIDATE_MODE_TLS_SYSTRUST) - err = check_revocations (ctrl, chain); -#warning fix the above + err = check_revocations (ctrl, chain); } if (!err && opt.verbose) |
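Review bot: The guard added in the `-759,7 +747,12` hunk decides whether a chain is accepted without a revocation check, yet it is written as a double negation and skips silently. A named local, `skip_revocation = (flags & VALIDATE_FLAG_NOCRLCHECK) || ((flags & VALIDATE_FLAG_CRL) && !(flags & VALIDATE_FLAG_RECURSIVE));`, would make the rule easier to audit, and a `log_info` line under `opt.verbose` when it is true would leave a trace that revocation was not checked. VALIDATE_FLAG_RECURSIVE without VALIDATE_FLAG_CRL has no effect in this condition, which deserves a word in the comment; the comment also reads better as `unless CRL checks are disabled or we are in non-recursive CRL mode`. The enclosing block closes in the following hunk.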
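Review bot: With the `mode != VALIDATE_MODE_TLS_SYSTRUST` exemption removed in the `-774,9 +767,7` hunk, check_revocations now runs for TLS validations unless the caller passes VALIDATE_FLAG_NOCRLCHECK, while the comment kept above it still warns of a possible catch-22. The callers are in other files not shown here, so it should be confirmed that every path which validates a TLS peer in order to fetch revocation data sets that flag. Extending the comment with `* Callers that must break such a deadlock pass VALIDATE_FLAG_NOCRLCHECK.` would tie the warning to the mechanism that replaces the removed kludge.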