author | Werner Koch <[email protected]> | 2020-04-16 17:05:49 +0000 |
committer | Werner Koch <[email protected]> | 2020-04-16 17:05:49 +0000 |
commit | bbb7edb8807b7d3c8bb5284d8fdf21adb67cd87d (patch) | |
tree | 8abadf3829ddb244f1ed5d0a014d61cf006c8a99 /sm/certchain.c | |
parent | sm: Lookup missing issuers first using authorityInfoAccess. (diff) | |
sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.
* sm/certchain.c (find_up): Disable external lookups in offline mode.
Always allow AKI lookup if CRLs are also enabled.
--
GnuPG-bug-id: 4898
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'sm/certchain.c')
-rw-r--r-- | sm/certchain.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/sm/certchain.c b/sm/certchain.c
index 2d2aec338..1555a84a7 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -929,15 +929,19 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
     }
   /* If we still didn't found it, try an external lookup. */
-  if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
+  if (rc == -1 && !find_next && !ctrl->offline)
     {
-      if (!find_up_via_auth_info_access (ctrl, kh, cert))
+      /* We allow AIA also if CRLs are enabled; both can be used
+       * as a web bug so it does not make sense to not use AIA if
+       * CRL checks are enabled. */
+      if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
+          && !find_up_via_auth_info_access (ctrl, kh, cert))
         {
           if (DBG_X509)
             log_debug ("  found via authorityInfoAccess.caIssuers\n");
           rc = 0;
         }
-      else
+      else if (opt.auto_issuer_key_retrieve)
         {
           rc = find_up_external (ctrl, kh, issuer, keyid);
           if (!rc && DBG_X509)
@@ -1001,15 +1005,16 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
     }
   /* Still not found.  If enabled, try an external lookup. */
-  if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
+  if (rc == -1 && !find_next && !ctrl->offline)
     {
-      if (!find_up_via_auth_info_access (ctrl, kh, cert))
+      if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
+          && !find_up_via_auth_info_access (ctrl, kh, cert))
         {
           if (DBG_X509)
             log_debug ("  found via authorityInfoAccess.caIssuers\n");
           rc = 0;
         }
-      else
+      else if (opt.auto_issuer_key_retrieve)
         {
           rc = find_up_external (ctrl, kh, issuer, NULL);
           if (!rc && DBG_X509)
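Review bot: The policy test `(opt.auto_issuer_key_retrieve || !opt.no_crl_check)` is written out twice, once in each hunk, and only the first copy carries the comment explaining why enabled CRL checks imply that AIA fetching is acceptable; the second site will drift silently the next time a knob is added to this decision. Factor the test into a small `static` helper placed before find_up that owns the rationale, and call it from both lookup sites, so the network-egress policy is stated in exactly one place. Note for the record that this commit widens outbound network access: a configuration with issuer retrieval off but CRL checking on now contacts caIssuers URLs found in the certificate being verified, which the new `!ctrl->offline` guard correctly suppresses in offline mode but which the user-facing option descriptions presumably still describe as disabled, so they should be updated alongside. find_up begins before the first hunk and continues past the second.
```c
/* Return true if a missing issuer may be fetched via the
 * authorityInfoAccess.caIssuers URL.  This is allowed also when CRL
 * checks are enabled: both are external lookups usable as a web bug,
 * so refusing AIA while fetching CRLs gains nothing.  */
static int
aia_lookup_allowed (void)
{
  return opt.auto_issuer_key_retrieve || !opt.no_crl_check;
}

/* … unchanged: find_up up to the first external lookup … */
  if (rc == -1 && !find_next && !ctrl->offline)
    {
      if (aia_lookup_allowed ()
          && !find_up_via_auth_info_access (ctrl, kh, cert))
/* … unchanged: debug output, rc = 0, else-if branch … */
/* … unchanged: the second lookup site uses the same two lines … */
```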