diff options
author | Werner Koch <wk@gnupg.org> | 2023-03-09 18:28:39 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2023-03-09 18:28:39 +0100 |
commit | b52a0e244ae18aec4b9c93f90432a551fac95a40 (patch) | |
tree | db5677d70b5d85de0def204d88d43b4f15a597a0 | |
parent | keyboxd: Allow import of v0 certificates. (diff) | |
download | gnupg2-b52a0e244ae18aec4b9c93f90432a551fac95a40.tar.xz gnupg2-b52a0e244ae18aec4b9c93f90432a551fac95a40.zip |
dirmngr: Distinguish between "no crl" and "crl not trusted".
* dirmngr/crlcache.h (CRL_CACHE_NOTTRUSTED): New.
* dirmngr/crlcache.c (cache_isvalid): Set this status.
(crl_cache_cert_isvalid): Map it to GPG_ERR_NOT_TRUSTED.
(crl_cache_reload_crl): Move diagnostic to ...
* dirmngr/crlfetch.c (crl_fetch): here.
* dirmngr/server.c (cmd_isvalid): Map it to GPG_ERR_NOT_TRUSTED.
* dirmngr/validate.c (check_revocations): Handle new status. Improve
diagnostics.
* common/status.c (get_inv_recpsgnr_code): Map INV_CRL_OBJ.
* common/audit.c (proc_type_verify): Ditto.
--
This avoids repeated loading of CRLs in case of untrusted root
certificates.
-rw-r--r-- | common/audit.c | 1 | ||||
-rw-r--r-- | common/status.c | 3 | ||||
-rw-r--r-- | dirmngr/crlcache.c | 13 | ||||
-rw-r--r-- | dirmngr/crlcache.h | 1 | ||||
-rw-r--r-- | dirmngr/crlfetch.c | 3 | ||||
-rw-r--r-- | dirmngr/server.c | 7 | ||||
-rw-r--r-- | dirmngr/validate.c | 16 | ||||
-rw-r--r-- | sm/call-dirmngr.c | 1 |
8 files changed, 33 insertions, 12 deletions
diff --git a/common/audit.c b/common/audit.c index 803523c94..ae0d45216 100644 --- a/common/audit.c +++ b/common/audit.c @@ -1109,6 +1109,7 @@ proc_type_verify (audit_ctx_t ctx) case GPG_ERR_CERT_REVOKED: ok = "bad"; break; case GPG_ERR_NOT_ENABLED: ok = "disabled"; break; case GPG_ERR_NO_CRL_KNOWN: + case GPG_ERR_INV_CRL_OBJ: ok = _("no CRL found for certificate"); break; case GPG_ERR_CRL_TOO_OLD: diff --git a/common/status.c b/common/status.c index b752c12c6..b7dc1de39 100644 --- a/common/status.c +++ b/common/status.c @@ -158,7 +158,8 @@ get_inv_recpsgnr_code (gpg_error_t err) case GPG_ERR_WRONG_KEY_USAGE: errstr = "3"; break; case GPG_ERR_CERT_REVOKED: errstr = "4"; break; case GPG_ERR_CERT_EXPIRED: errstr = "5"; break; - case GPG_ERR_NO_CRL_KNOWN: errstr = "6"; break; + case GPG_ERR_NO_CRL_KNOWN: + case GPG_ERR_INV_CRL_OBJ: errstr = "6"; break; case GPG_ERR_CRL_TOO_OLD: errstr = "7"; break; case GPG_ERR_NO_POLICY_MATCH: errstr = "8"; break; diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c index 5d793494e..9f0b910f3 100644 --- a/dirmngr/crlcache.c +++ b/dirmngr/crlcache.c @@ -164,7 +164,7 @@ struct crl_cache_entry_s unsigned int cdb_use_count; /* Current use count. */ unsigned int cdb_lru_count; /* Used for LRU purposes. */ int dbfile_checked; /* Set to true if the dbfile_hash value has - been checked one. */ + been checked once. */ }; @@ -1402,7 +1402,7 @@ cache_isvalid (ctrl_t ctrl, const char *issuer_hash, { if (opt.verbose) log_info ("no system trust and client does not trust either\n"); - retval = CRL_CACHE_CANTUSE; + retval = CRL_CACHE_NOTTRUSTED; } else { @@ -1522,8 +1522,11 @@ crl_cache_cert_isvalid (ctrl_t ctrl, ksba_cert_t cert, case CRL_CACHE_DONTKNOW: err = gpg_error (GPG_ERR_NO_CRL_KNOWN); break; + case CRL_CACHE_NOTTRUSTED: + err = gpg_error (GPG_ERR_NOT_TRUSTED); + break; case CRL_CACHE_CANTUSE: - err = gpg_error (GPG_ERR_NO_CRL_KNOWN); + err = gpg_error (GPG_ERR_INV_CRL_OBJ); break; default: log_fatal ("cache_isvalid returned invalid status code %d\n", result); @@ -2104,7 +2107,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl, } } while (stopreason != KSBA_SR_READY); - assert (!err); + log_assert (!err); failure: @@ -2729,8 +2732,6 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert) any_dist_point = 1; - if (opt.verbose) - log_info ("fetching CRL from '%s'\n", distpoint_uri); crl_close_reader (reader); err = crl_fetch (ctrl, distpoint_uri, &reader); if (err) diff --git a/dirmngr/crlcache.h b/dirmngr/crlcache.h index 0e60def8f..7db8f01cc 100644 --- a/dirmngr/crlcache.h +++ b/dirmngr/crlcache.h @@ -27,6 +27,7 @@ typedef enum CRL_CACHE_VALID = 0, CRL_CACHE_INVALID, CRL_CACHE_DONTKNOW, + CRL_CACHE_NOTTRUSTED, CRL_CACHE_CANTUSE } crl_cache_result_t; diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c index a591a2b5a..5b6b648e2 100644 --- a/dirmngr/crlfetch.c +++ b/dirmngr/crlfetch.c @@ -175,6 +175,9 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) if (!url) return gpg_error (GPG_ERR_INV_ARG); + if (opt.verbose) + log_info ("fetching CRL from '%s'\n", url); + err = http_parse_uri (&uri, url, 0); http_release_parsed_uri (uri); if (!err) /* Yes, our HTTP code groks that. */ diff --git a/dirmngr/server.c b/dirmngr/server.c index fba2233d4..da7e707f9 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -1360,8 +1360,11 @@ cmd_isvalid (assuan_context_t ctx, char *line) goto again; } break; + case CRL_CACHE_NOTTRUSTED: + err = gpg_error (GPG_ERR_NOT_TRUSTED); + break; case CRL_CACHE_CANTUSE: - err = gpg_error (GPG_ERR_NO_CRL_KNOWN); + err = gpg_error (GPG_ERR_INV_CRL_OBJ); break; default: log_fatal ("crl_cache_isvalid returned invalid code\n"); @@ -1469,7 +1472,7 @@ cmd_checkcrl (assuan_context_t ctx, char *line) goto leave; } - assert (cert); + log_assert (cert); err = crl_cache_cert_isvalid (ctrl, cert, ctrl->force_crl_refresh); if (gpg_err_code (err) == GPG_ERR_NO_CRL_KNOWN) diff --git a/dirmngr/validate.c b/dirmngr/validate.c index 399cca3a4..02db3c270 100644 --- a/dirmngr/validate.c +++ b/dirmngr/validate.c @@ -255,6 +255,7 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) int any_revoked = 0; int any_no_crl = 0; int any_crl_too_old = 0; + int any_not_trusted = 0; chain_item_t ci; log_assert (ctrl->check_revocations_nest_level >= 0); @@ -266,7 +267,8 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) return gpg_error(GPG_ERR_BAD_CERT_CHAIN); } ctrl->check_revocations_nest_level++; - + if (opt.verbose) + log_info ("[%d] start checking CRLs\n", ctrl->check_revocations_nest_level); for (ci=chain; ci; ci = ci->next) { @@ -293,17 +295,19 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) if (!err) err = crl_cache_cert_isvalid (ctrl, ci->cert, 0); } + if (opt.verbose) + log_info ("[%d] result of checking this CRL: %s\n", + ctrl->check_revocations_nest_level, gpg_strerror (err)); switch (gpg_err_code (err)) { case 0: err = 0; break; case GPG_ERR_CERT_REVOKED: any_revoked = 1; err = 0; break; case GPG_ERR_NO_CRL_KNOWN: any_no_crl = 1; err = 0; break; + case GPG_ERR_NOT_TRUSTED: any_not_trusted = 1; err = 0; break; case GPG_ERR_CRL_TOO_OLD: any_crl_too_old = 1; err = 0; break; default: break; } } - ctrl->check_revocations_nest_level--; - if (err) ; @@ -311,10 +315,16 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) err = gpg_error (GPG_ERR_CERT_REVOKED); else if (any_no_crl) err = gpg_error (GPG_ERR_NO_CRL_KNOWN); + else if (any_not_trusted) + err = gpg_error (GPG_ERR_NOT_TRUSTED); else if (any_crl_too_old) err = gpg_error (GPG_ERR_CRL_TOO_OLD); else err = 0; + if (opt.verbose) + log_info ("[%d] result of checking all CRLs: %s\n", + ctrl->check_revocations_nest_level, gpg_strerror (err)); + ctrl->check_revocations_nest_level--; return err; } diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c index 8e2761b1e..86beeedc1 100644 --- a/sm/call-dirmngr.c +++ b/sm/call-dirmngr.c @@ -521,6 +521,7 @@ isvalid_status_cb (void *opaque, const char *line) GPG_ERR_CERTIFICATE_REVOKED GPG_ERR_NO_CRL_KNOWN + GPG_ERR_INV_CRL_OBJ GPG_ERR_CRL_TOO_OLD Values for USE_OCSP: |