authorWerner Koch <wk@gnupg.org>2023-03-09 18:28:39 +0100
committerWerner Koch <wk@gnupg.org>2023-03-09 18:28:39 +0100
commitb52a0e244ae18aec4b9c93f90432a551fac95a40 (patch)
treedb5677d70b5d85de0def204d88d43b4f15a597a0 /common
parentkeyboxd: Allow import of v0 certificates. (diff)
dirmngr: Distinguish between "no crl" and "crl not trusted".
* dirmngr/crlcache.h (CRL_CACHE_NOTTRUSTED): New. * dirmngr/crlcache.c (cache_isvalid): Set this status. (crl_cache_cert_isvalid): Map it to GPG_ERR_NOT_TRUSTED. (crl_cache_reload_crl): Move diagnostic to ... * dirmngr/crlfetch.c (crl_fetch): here. * dirmngr/server.c (cmd_isvalid): Map it to GPG_ERR_NOT_TRUSTED. * dirmngr/validate.c (check_revocations): Handle new status. Improve diagnostics. * common/status.c (get_inv_recpsgnr_code): Map INV_CRL_OBJ. * common/audit.c (proc_type_verify): Ditto. -- This avoids repeated loading of CRLs in case of untrusted root certificates.
Diffstat (limited to 'common')
-rw-r--r--common/audit.c1
-rw-r--r--common/status.c3
2 files changed, 3 insertions, 1 deletions
diff --git a/common/audit.c b/common/audit.c
index 803523c94..ae0d45216 100644
--- a/common/audit.c
+++ b/common/audit.c
@@ -1109,6 +1109,7 @@ proc_type_verify (audit_ctx_t ctx)
case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
case GPG_ERR_NOT_ENABLED: ok = "disabled"; break;
case GPG_ERR_NO_CRL_KNOWN:
+ case GPG_ERR_INV_CRL_OBJ:
ok = _("no CRL found for certificate");
break;
case GPG_ERR_CRL_TOO_OLD:
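Review bot: The added `case GPG_ERR_INV_CRL_OBJ:` in proc_type_verify falls through to the text "no CRL found for certificate", so the audit log describes an invalid CRL object in the same words as a CRL that is simply absent. Someone reading the audit output cannot tell the two conditions apart, which seems at odds with the commit's aim of separating "no crl" from a CRL that exists but is not accepted. If the shared wording is intended, record that with a comment above the case such as `/* An invalid CRL object is deliberately reported like a missing CRL. */`; otherwise give it its own translatable string, for example `case GPG_ERR_INV_CRL_OBJ: ok = _("CRL not usable for certificate"); break;`. The same merge happens in get_inv_recpsgnr_code in common/status.c, where both error codes yield "6", and a comment there should say whether status consumers are meant to see them as one reason. The switch starts and ends outside this hunk.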
diff --git a/common/status.c b/common/status.c
index b752c12c6..b7dc1de39 100644
--- a/common/status.c
+++ b/common/status.c
@@ -158,7 +158,8 @@ get_inv_recpsgnr_code (gpg_error_t err)
case GPG_ERR_WRONG_KEY_USAGE: errstr = "3"; break;
case GPG_ERR_CERT_REVOKED: errstr = "4"; break;
case GPG_ERR_CERT_EXPIRED: errstr = "5"; break;
- case GPG_ERR_NO_CRL_KNOWN: errstr = "6"; break;
+ case GPG_ERR_NO_CRL_KNOWN:
+ case GPG_ERR_INV_CRL_OBJ: errstr = "6"; break;
case GPG_ERR_CRL_TOO_OLD: errstr = "7"; break;
case GPG_ERR_NO_POLICY_MATCH: errstr = "8"; break;