[git] GnuPG - branch, master, updated. gnupg-2.1.18-99-gf07811e
by Werner Koch
cvs at cvs.gnupg.org
Fri Feb 17 21:34:29 CET 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via f07811ee2c0a8044551e2ec063eda61cff7f6e39 (commit)
from 070211eb990f5ea41271eba432b6a6b485cef7c7 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit f07811ee2c0a8044551e2ec063eda61cff7f6e39
Author: Werner Koch <wk at gnupg.org>
Date: Fri Feb 17 21:31:33 2017 +0100
dirmngr: Add option --no-crl to the VALIDATE cmd.
* dirmngr/validate.h: Remove enums VALIDATE_MODE_*.
(VALIDATE_FLAG_SYSTRUST, VALIDATE_FLAG_EXTRATRUST)
(VALIDATE_FLAG_CRL, VALIDATE_FLAG_RECURSIVE)
(VALIDATE_FLAG_OCSP, VALIDATE_FLAG_TLS)
(VALIDATE_FLAG_NOCRLCHECK): New constants.
* dirmngr/validate.c (validate_cert_chain): Change arg 'mode' to
'flags'. Change code accordingly. Remove NO-CRL in TLS mode kludge.
* dirmngr/crlcache.c (crl_parse_insert): Change to use flag values for
the validate_cert_chain call.
* dirmngr/server.c (cmd_validate): Ditto. Add new option --no-crl.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
index 2e471cb..3cd8cf4 100644
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@@ -1851,7 +1851,8 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
md = NULL;
err = validate_cert_chain (ctrl, crlissuer_cert, NULL,
- VALIDATE_MODE_CRL_RECURSIVE,
+ (VALIDATE_FLAG_CRL
+ | VALIDATE_FLAG_RECURSIVE),
r_trust_anchor);
if (err)
{
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 05ef439..1134ac0 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1733,7 +1733,7 @@ cmd_cachecert (assuan_context_t ctx, char *line)
static const char hlp_validate[] =
- "VALIDATE [--systrust] [--tls]\n"
+ "VALIDATE [--systrust] [--tls] [--no-crl]\n"
"\n"
"Validate a certificate using the certificate validation function\n"
"used internally by dirmngr. This command is only useful for\n"
@@ -1753,7 +1753,8 @@ static const char hlp_validate[] =
"need to be PEM encoded.\n"
"\n"
"The option --systrust changes the behaviour to include the system\n"
- "provided root certificates as trust anchors.";
+ "provided root certificates as trust anchors. The option --no-crl\n"
+ "skips CRL checks";
static gpg_error_t
cmd_validate (assuan_context_t ctx, char *line)
{
@@ -1763,10 +1764,11 @@ cmd_validate (assuan_context_t ctx, char *line)
certlist_t certlist = NULL;
unsigned char *value = NULL;
size_t valuelen;
- int systrust_mode, tls_mode;
+ int systrust_mode, tls_mode, no_crl;
systrust_mode = has_option (line, "--systrust");
tls_mode = has_option (line, "--tls");
+ no_crl = has_option (line, "--no-crl");
line = skip_options (line);
if (tls_mode)
@@ -1843,14 +1845,11 @@ cmd_validate (assuan_context_t ctx, char *line)
cache_cert (cl->cert);
}
-
- err = validate_cert_chain
- (ctrl, cert, NULL,
- tls_mode && systrust_mode ? VALIDATE_MODE_TLS_SYSTRUST :
- tls_mode ? VALIDATE_MODE_TLS :
- /**/ systrust_mode ? VALIDATE_MODE_CERT_SYSTRUST :
- /**/ VALIDATE_MODE_CERT,
- NULL);
+ err = validate_cert_chain (ctrl, cert, NULL,
+ ((tls_mode ? VALIDATE_FLAG_TLS : 0)
+ | (systrust_mode ? VALIDATE_FLAG_SYSTRUST : 0)
+ | (no_crl ? VALIDATE_FLAG_NOCRLCHECK : 0)),
+ NULL);
leave:
ksba_cert_release (cert);
diff --git a/dirmngr/validate.c b/dirmngr/validate.c
index 8fb2df2..1599a8d 100644
--- a/dirmngr/validate.c
+++ b/dirmngr/validate.c
@@ -379,7 +379,7 @@ is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn)
R_TRUST_ANCHOR; in all other cases NULL is stored there. */
gpg_error_t
validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
- int mode, char **r_trust_anchor)
+ unsigned int flags, char **r_trust_anchor)
{
gpg_error_t err = 0;
int depth, maxdepth;
@@ -405,20 +405,9 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
dump_cert ("subject", cert);
/* May the target certificate be used for this purpose? */
- switch (mode)
- {
- case VALIDATE_MODE_OCSP:
- err = check_cert_use_ocsp (cert);
- break;
- case VALIDATE_MODE_CRL:
- case VALIDATE_MODE_CRL_RECURSIVE:
- err = check_cert_use_crl (cert);
- break;
- default:
- err = 0;
- break;
- }
- if (err)
+ if ((flags & VALIDATE_FLAG_OCSP) && (err = check_cert_use_ocsp (cert)))
+ return err;
+ if ((flags & VALIDATE_FLAG_CRL) && (err = check_cert_use_crl (cert)))
return err;
/* If we already validated the certificate not too long ago, we can
@@ -552,8 +541,7 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
goto leave; /* No. */
err = is_trusted_cert (subject_cert,
- (mode == VALIDATE_MODE_CERT_SYSTRUST
- || mode == VALIDATE_MODE_TLS_SYSTRUST));
+ !!(flags & VALIDATE_FLAG_SYSTRUST));
if (!err)
; /* Yes we trust this cert. */
else if (gpg_err_code (err) == GPG_ERR_NOT_TRUSTED)
@@ -759,7 +747,12 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
cert_log_name (" certificate", citem->cert);
}
- if (!err && mode != VALIDATE_MODE_CRL)
+ /* Now check for revocations unless CRL checks are disabled or we
+ * are non-recursive CRL mode. */
+ if (!err
+ && !(flags & VALIDATE_FLAG_NOCRLCHECK)
+ && !((flags & VALIDATE_FLAG_CRL)
+ && !(flags & VALIDATE_FLAG_RECURSIVE)))
{ /* Now that everything is fine, walk the chain and check each
* certificate for revocations.
*
@@ -774,9 +767,7 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
* our validity results to avoid double work. Far worse a
* catch-22 may happen for an improper setup hierarchy and we
* need a way to break up such a deadlock. */
- if (mode != VALIDATE_MODE_TLS_SYSTRUST)
- err = check_revocations (ctrl, chain);
-#warning fix the above
+ err = check_revocations (ctrl, chain);
}
if (!err && opt.verbose)
diff --git a/dirmngr/validate.h b/dirmngr/validate.h
index 376d99d..b6222b5 100644
--- a/dirmngr/validate.h
+++ b/dirmngr/validate.h
@@ -22,38 +22,35 @@
#define VALIDATE_H
-enum {
- /* Simple certificate validation mode. */
- VALIDATE_MODE_CERT = 0,
+/* Make use of the system provided root certificates. */
+#define VALIDATE_FLAG_SYSTRUST 1
- /* Same as MODE_CERT but using the system provided root
- * certificates. */
- VALIDATE_MODE_CERT_SYSTRUST,
+/* Make use of extra provided root certificates. */
+#define VALIDATE_FLAG_EXTRATRUST 2
- /* Same as MODE_CERT but uses a provided list of certificates. */
- VALIDATE_MODE_TLS,
+/* Standard CRL issuer certificate validation; i.e. CRLs are not
+ * considered for CRL issuer certificates. */
+#define VALIDATE_FLAG_CRL 4
- /* Same as MODE_TLS but using the system provided root
- * certificates. */
- VALIDATE_MODE_TLS_SYSTRUST,
+/* If this flag is set along with VALIDATE_FLAG_CRL a full CRL
+ * verification is done. */
+#define VALIDATE_FLAG_RECURSIVE 8
- /* Standard CRL issuer certificate validation; i.e. CRLs are not
- considered for CRL issuer certificates. */
- VALIDATE_MODE_CRL,
+/* Validation mode as used for OCSP. */
+#define VALIDATE_FLAG_OCSP 16
- /* Full CRL validation. */
- VALIDATE_MODE_CRL_RECURSIVE,
+/* Validation mode as used with TLS. */
+#define VALIDATE_FLAG_TLS 32
- /* Validation as used for OCSP. */
- VALIDATE_MODE_OCSP
-};
+/* Don't do CRL checks. */
+#define VALIDATE_FLAG_NOCRLCHECK 64
/* Validate the certificate CHAIN up to the trust anchor. Optionally
return the closest expiration time in R_EXPTIME. */
gpg_error_t validate_cert_chain (ctrl_t ctrl,
ksba_cert_t cert, ksba_isotime_t r_exptime,
- int mode, char **r_trust_anchor);
+ unsigned int flags, char **r_trust_anchor);
/* Return 0 if the certificate CERT is usable for certification. */
gpg_error_t check_cert_use_cert (ksba_cert_t cert);
-----------------------------------------------------------------------
Summary of changes:
dirmngr/crlcache.c | 3 ++-
dirmngr/server.c | 21 ++++++++++-----------
dirmngr/validate.c | 33 ++++++++++++---------------------
dirmngr/validate.h | 37 +++++++++++++++++--------------------
4 files changed, 41 insertions(+), 53 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list