authorWerner Koch <wk@gnupg.org>2005-04-21 09:16:41 +0200
committerWerner Koch <wk@gnupg.org>2005-04-21 09:16:41 +0200
commit314c234e7d1320bcd13e5130c3d7074b19979e46 (patch)
tree7362abce81e9b5c3477bb1d8d7a7e264ca93ff2c
parent. (diff)
downloadgnupg2-314c234e7d1320bcd13e5130c3d7074b19979e46.tar.xz
gnupg2-314c234e7d1320bcd13e5130c3d7074b19979e46.zip
(gpgsm_validate_chain): Check revocations even for
expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not.
-rw-r--r--sm/ChangeLog16
-rw-r--r--sm/Makefile.am3
-rw-r--r--sm/certchain.c9
3 files changed, 21 insertions, 7 deletions
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 7b67407ad..b209b9d4b 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,19 @@
+2005-04-21 Werner Koch <wk@g10code.com>
+
+ * certchain.c (gpgsm_validate_chain): Check revocations even for
+ expired certificates. This is required because on signature
+ verification an expired key is fine whereas a revoked one is not.
+
+2005-04-20 Werner Koch <wk@g10code.com>
+
+ * Makefile.am (AM_CFLAGS): Add PTH_CFLAGS as noted by several folks.
+
+2005-04-19 Werner Koch <wk@g10code.com>
+
+ * certchain.c (check_cert_policy): Print the diagnostic for a open
+ failure of policies.txt only in verbose mode or when it is not
+ ENOENT.
+
2005-04-17 Werner Koch <wk@g10code.com>
* call-dirmngr.c (inq_certificate): Add new inquire SENDCERT_SKI.
diff --git a/sm/Makefile.am b/sm/Makefile.am
index d4f972527..f1a116ab5 100644
--- a/sm/Makefile.am
+++ b/sm/Makefile.am
@@ -21,7 +21,8 @@
bin_PROGRAMS = gpgsm
-AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(LIBASSUAN_CFLAGS) $(KSBA_CFLAGS)
+AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(LIBASSUAN_CFLAGS) $(KSBA_CFLAGS) \
+ $(PTH_CFLAGS)
AM_CPPFLAGS = -I$(top_srcdir)/common -I$(top_srcdir)/intl
include $(top_srcdir)/am/cmacros.am
diff --git a/sm/certchain.c b/sm/certchain.c
index a5fdbc622..2e491f590 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -175,8 +175,9 @@ check_cert_policy (ksba_cert_t cert, int listmode, FILE *fplist)
fp = fopen (opt.policy_file, "r");
if (!fp)
{
- log_error ("failed to open `%s': %s\n",
- opt.policy_file, strerror (errno));
+ if (opt.verbose || errno != ENOENT)
+ log_info (_("failed to open `%s': %s\n"),
+ opt.policy_file, strerror (errno));
xfree (policies);
/* With no critical policies this is only a warning */
if (!any_critical)
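Review bot: The open-failure diagnostic for `opt.policy_file` is now downgraded to `log_info` and hidden entirely for ENOENT outside verbose mode, and this applies even when `any_critical` is set. On that path the code after this hunk presumably rejects the certificate, so the operator would see a policy failure without learning that the policy file could not be read. Consider keeping the message visible in that case, e.g. `if (opt.verbose || any_critical || errno != ENOENT)`. The body of check_cert_policy continues outside the hunk, so whether a later diagnostic already covers this cannot be confirmed from here.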
@@ -816,8 +817,6 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
/* Check for revocations etc. */
if ((flags & 1))
rc = 0;
- else if (any_expired)
- ; /* Don't bother to run the expensive CRL check then. */
else
rc = is_cert_still_valid (ctrl, lm, fp,
subject_cert, subject_cert,
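Review bot: With the `any_expired` branch and its comment removed, nothing in the code says why the expensive CRL check now runs for expired chains, which invites someone to restore the shortcut later. A comment on the `else` branch, here and in the identical hunk at -953, would keep the reasoning next to the code: `/* Check revocation even if expired: for signature verification an expired key is fine, a revoked one is not. */`. The bare `flags & 1` test is the one remaining way to skip revocation checking, so it would also benefit from a named constant or a short comment. How the result in `rc` is combined with the expired state is decided outside both hunks.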
@@ -953,8 +952,6 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
/* Check for revocations etc. */
if ((flags & 1))
rc = 0;
- else if (any_expired)
- ; /* Don't bother to run the expensive CRL check then. */
else
rc = is_cert_still_valid (ctrl, lm, fp,
subject_cert, issuer_cert,