summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2023-03-09 18:28:39 +0100
committerWerner Koch <wk@gnupg.org>2023-03-09 18:28:39 +0100
commitb52a0e244ae18aec4b9c93f90432a551fac95a40 (patch)
treedb5677d70b5d85de0def204d88d43b4f15a597a0
parentkeyboxd: Allow import of v0 certificates. (diff)
downloadgnupg2-b52a0e244ae18aec4b9c93f90432a551fac95a40.tar.xz
gnupg2-b52a0e244ae18aec4b9c93f90432a551fac95a40.zip
dirmngr: Distinguish between "no crl" and "crl not trusted".
* dirmngr/crlcache.h (CRL_CACHE_NOTTRUSTED): New. * dirmngr/crlcache.c (cache_isvalid): Set this status. (crl_cache_cert_isvalid): Map it to GPG_ERR_NOT_TRUSTED. (crl_cache_reload_crl): Move diagnostic to ... * dirmngr/crlfetch.c (crl_fetch): here. * dirmngr/server.c (cmd_isvalid): Map it to GPG_ERR_NOT_TRUSTED. * dirmngr/validate.c (check_revocations): Handle new status. Improve diagnostics. * common/status.c (get_inv_recpsgnr_code): Map INV_CRL_OBJ. * common/audit.c (proc_type_verify): Ditto. -- This avoids repeated loading of CRLs in case of untrusted root certificates.
-rw-r--r--common/audit.c1
-rw-r--r--common/status.c3
-rw-r--r--dirmngr/crlcache.c13
-rw-r--r--dirmngr/crlcache.h1
-rw-r--r--dirmngr/crlfetch.c3
-rw-r--r--dirmngr/server.c7
-rw-r--r--dirmngr/validate.c16
-rw-r--r--sm/call-dirmngr.c1
8 files changed, 33 insertions, 12 deletions
diff --git a/common/audit.c b/common/audit.c
index 803523c94..ae0d45216 100644
--- a/common/audit.c
+++ b/common/audit.c
@@ -1109,6 +1109,7 @@ proc_type_verify (audit_ctx_t ctx)
case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
case GPG_ERR_NOT_ENABLED: ok = "disabled"; break;
case GPG_ERR_NO_CRL_KNOWN:
+ case GPG_ERR_INV_CRL_OBJ:
ok = _("no CRL found for certificate");
break;
case GPG_ERR_CRL_TOO_OLD:
diff --git a/common/status.c b/common/status.c
index b752c12c6..b7dc1de39 100644
--- a/common/status.c
+++ b/common/status.c
@@ -158,7 +158,8 @@ get_inv_recpsgnr_code (gpg_error_t err)
case GPG_ERR_WRONG_KEY_USAGE: errstr = "3"; break;
case GPG_ERR_CERT_REVOKED: errstr = "4"; break;
case GPG_ERR_CERT_EXPIRED: errstr = "5"; break;
- case GPG_ERR_NO_CRL_KNOWN: errstr = "6"; break;
+ case GPG_ERR_NO_CRL_KNOWN:
+ case GPG_ERR_INV_CRL_OBJ: errstr = "6"; break;
case GPG_ERR_CRL_TOO_OLD: errstr = "7"; break;
case GPG_ERR_NO_POLICY_MATCH: errstr = "8"; break;
diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
index 5d793494e..9f0b910f3 100644
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@@ -164,7 +164,7 @@ struct crl_cache_entry_s
unsigned int cdb_use_count; /* Current use count. */
unsigned int cdb_lru_count; /* Used for LRU purposes. */
int dbfile_checked; /* Set to true if the dbfile_hash value has
- been checked one. */
+ been checked once. */
};
@@ -1402,7 +1402,7 @@ cache_isvalid (ctrl_t ctrl, const char *issuer_hash,
{
if (opt.verbose)
log_info ("no system trust and client does not trust either\n");
- retval = CRL_CACHE_CANTUSE;
+ retval = CRL_CACHE_NOTTRUSTED;
}
else
{
@@ -1522,8 +1522,11 @@ crl_cache_cert_isvalid (ctrl_t ctrl, ksba_cert_t cert,
case CRL_CACHE_DONTKNOW:
err = gpg_error (GPG_ERR_NO_CRL_KNOWN);
break;
+ case CRL_CACHE_NOTTRUSTED:
+ err = gpg_error (GPG_ERR_NOT_TRUSTED);
+ break;
case CRL_CACHE_CANTUSE:
- err = gpg_error (GPG_ERR_NO_CRL_KNOWN);
+ err = gpg_error (GPG_ERR_INV_CRL_OBJ);
break;
default:
log_fatal ("cache_isvalid returned invalid status code %d\n", result);
@@ -2104,7 +2107,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
}
}
while (stopreason != KSBA_SR_READY);
- assert (!err);
+ log_assert (!err);
failure:
@@ -2729,8 +2732,6 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
any_dist_point = 1;
- if (opt.verbose)
- log_info ("fetching CRL from '%s'\n", distpoint_uri);
crl_close_reader (reader);
err = crl_fetch (ctrl, distpoint_uri, &reader);
if (err)
diff --git a/dirmngr/crlcache.h b/dirmngr/crlcache.h
index 0e60def8f..7db8f01cc 100644
--- a/dirmngr/crlcache.h
+++ b/dirmngr/crlcache.h
@@ -27,6 +27,7 @@ typedef enum
CRL_CACHE_VALID = 0,
CRL_CACHE_INVALID,
CRL_CACHE_DONTKNOW,
+ CRL_CACHE_NOTTRUSTED,
CRL_CACHE_CANTUSE
}
crl_cache_result_t;
diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c
index a591a2b5a..5b6b648e2 100644
--- a/dirmngr/crlfetch.c
+++ b/dirmngr/crlfetch.c
@@ -175,6 +175,9 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
if (!url)
return gpg_error (GPG_ERR_INV_ARG);
+ if (opt.verbose)
+ log_info ("fetching CRL from '%s'\n", url);
+
err = http_parse_uri (&uri, url, 0);
http_release_parsed_uri (uri);
if (!err) /* Yes, our HTTP code groks that. */
diff --git a/dirmngr/server.c b/dirmngr/server.c
index fba2233d4..da7e707f9 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1360,8 +1360,11 @@ cmd_isvalid (assuan_context_t ctx, char *line)
goto again;
}
break;
+ case CRL_CACHE_NOTTRUSTED:
+ err = gpg_error (GPG_ERR_NOT_TRUSTED);
+ break;
case CRL_CACHE_CANTUSE:
- err = gpg_error (GPG_ERR_NO_CRL_KNOWN);
+ err = gpg_error (GPG_ERR_INV_CRL_OBJ);
break;
default:
log_fatal ("crl_cache_isvalid returned invalid code\n");
@@ -1469,7 +1472,7 @@ cmd_checkcrl (assuan_context_t ctx, char *line)
goto leave;
}
- assert (cert);
+ log_assert (cert);
err = crl_cache_cert_isvalid (ctrl, cert, ctrl->force_crl_refresh);
if (gpg_err_code (err) == GPG_ERR_NO_CRL_KNOWN)
diff --git a/dirmngr/validate.c b/dirmngr/validate.c
index 399cca3a4..02db3c270 100644
--- a/dirmngr/validate.c
+++ b/dirmngr/validate.c
@@ -255,6 +255,7 @@ check_revocations (ctrl_t ctrl, chain_item_t chain)
int any_revoked = 0;
int any_no_crl = 0;
int any_crl_too_old = 0;
+ int any_not_trusted = 0;
chain_item_t ci;
log_assert (ctrl->check_revocations_nest_level >= 0);
@@ -266,7 +267,8 @@ check_revocations (ctrl_t ctrl, chain_item_t chain)
return gpg_error(GPG_ERR_BAD_CERT_CHAIN);
}
ctrl->check_revocations_nest_level++;
-
+ if (opt.verbose)
+ log_info ("[%d] start checking CRLs\n", ctrl->check_revocations_nest_level);
for (ci=chain; ci; ci = ci->next)
{
@@ -293,17 +295,19 @@ check_revocations (ctrl_t ctrl, chain_item_t chain)
if (!err)
err = crl_cache_cert_isvalid (ctrl, ci->cert, 0);
}
+ if (opt.verbose)
+ log_info ("[%d] result of checking this CRL: %s\n",
+ ctrl->check_revocations_nest_level, gpg_strerror (err));
switch (gpg_err_code (err))
{
case 0: err = 0; break;
case GPG_ERR_CERT_REVOKED: any_revoked = 1; err = 0; break;
case GPG_ERR_NO_CRL_KNOWN: any_no_crl = 1; err = 0; break;
+ case GPG_ERR_NOT_TRUSTED: any_not_trusted = 1; err = 0; break;
case GPG_ERR_CRL_TOO_OLD: any_crl_too_old = 1; err = 0; break;
default: break;
}
}
- ctrl->check_revocations_nest_level--;
-
if (err)
;
@@ -311,10 +315,16 @@ check_revocations (ctrl_t ctrl, chain_item_t chain)
err = gpg_error (GPG_ERR_CERT_REVOKED);
else if (any_no_crl)
err = gpg_error (GPG_ERR_NO_CRL_KNOWN);
+ else if (any_not_trusted)
+ err = gpg_error (GPG_ERR_NOT_TRUSTED);
else if (any_crl_too_old)
err = gpg_error (GPG_ERR_CRL_TOO_OLD);
else
err = 0;
+ if (opt.verbose)
+ log_info ("[%d] result of checking all CRLs: %s\n",
+ ctrl->check_revocations_nest_level, gpg_strerror (err));
+ ctrl->check_revocations_nest_level--;
return err;
}
diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c
index 8e2761b1e..86beeedc1 100644
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@@ -521,6 +521,7 @@ isvalid_status_cb (void *opaque, const char *line)
GPG_ERR_CERTIFICATE_REVOKED
GPG_ERR_NO_CRL_KNOWN
+ GPG_ERR_INV_CRL_OBJ
GPG_ERR_CRL_TOO_OLD
Values for USE_OCSP: