From 314c234e7d1320bcd13e5130c3d7074b19979e46 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 21 Apr 2005 07:16:41 +0000
Subject: (gpgsm_validate_chain): Check revocations even for expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not.
---
 sm/certchain.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
(limited to 'sm/certchain.c')
diff --git a/sm/certchain.c b/sm/certchain.c
index a5fdbc622..2e491f590 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -175,8 +175,9 @@ check_cert_policy (ksba_cert_t cert, int listmode, FILE *fplist)
 fp = fopen (opt.policy_file, "r");
 if (!fp)
 {
- log_error ("failed to open `%s': %s\n",
- opt.policy_file, strerror (errno));
+ if (opt.verbose || errno != ENOENT)
+ log_info (_("failed to open `%s': %s\n"),
+ opt.policy_file, strerror (errno));
 xfree (policies);
 /* With no critical policies this is only a warning */
 if (!any_critical)
@@ -816,8 +817,6 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
 /* Check for revocations etc. */
 if ((flags & 1))
 rc = 0;
- else if (any_expired)
- ; /* Don't bother to run the expensive CRL check then. */
 else
 rc = is_cert_still_valid (ctrl, lm, fp,
 subject_cert, subject_cert,
@@ -953,8 +952,6 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
 /* Check for revocations etc. */
 if ((flags & 1))
 rc = 0;
- else if (any_expired)
- ; /* Don't bother to run the expensive CRL check then. */
 else
 rc = is_cert_still_valid (ctrl, lm, fp,
 subject_cert, issuer_cert,
-- cgit v1.2.3
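Review bot: In the check_cert_policy hunk (@@ -175,8 +175,9), a missing policy file is now silent at default verbosity even when `any_critical` is set, so a certificate can be refused on policy grounds with nothing in the log pointing at the absent `opt.policy_file`. The code after `if (!any_critical)` lies outside the hunk, so this assumes the critical case goes on to fail the check. Keeping the diagnostic for that case costs one term: `if (opt.verbose || errno != ENOENT || any_critical)`. A short comment above the condition, e.g. `/* ENOENT is reported only in verbose mode; other open errors always. */`, would record why ENOENT is special-cased.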