diff options
| author | Werner Koch <[email protected]> | 2020-03-27 20:11:25 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2020-03-27 20:16:07 +0000 |
| commit | 0b583a555e75fbb9140310390a267febd3329a12 (patch) | |
| tree | ff1ac042ea3b436a44d945b5e1ea8cde4330b7f5 /sm/gpgsm.h | |
| parent | scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3. (diff) | |
| download | gnupg-0b583a555e75fbb9140310390a267febd3329a12.tar.gz gnupg-0b583a555e75fbb9140310390a267febd3329a12.zip | |
sm: Consider certificates w/o CRL DP as valid.
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP.
* common/audit.c (proc_type_verify): Print "n/a" if a cert has no
distribution point.
* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
(opts): Add option --enable-issuer-based-crl-check.
(main): Set option.
--
If the issuer does not provide a DP and the user wants such an issuer,
we expect that a certificate does not need revocation checks. The new
option --enable-issuer-based-crl-check can be used to revert to the
old behaviour which requires that a suitable LDAP server has been
configured to lookup a CRL by issuer.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'sm/gpgsm.h')
| -rw-r--r-- | sm/gpgsm.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 15b49782b..6c68cdab3 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -127,6 +127,7 @@ struct int no_crl_check; /* Don't do a CRL check */ int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */ int force_crl_refresh; /* Force refreshing the CRL. */ + int enable_issuer_based_crl_check; /* Backward compatibility hack. */ int enable_ocsp; /* Default to use OCSP checks. */ char *policy_file; /* full pathname of policy file */ |