From a03fbc2d4f42972ba2ba2520a691f27b949a6ec6 Mon Sep 17 00:00:00 2001
From: Andre Heinecke <email@example.com>
Date: Fri, 6 May 2016 18:25:12 +0200
Subject: [PATCH] Dirmngr: Treat multiple crlDPs as redundancies
- dirmngr/crlcache.c (crl_cache_reload_crl): Check all crlDPs to
try to fetch one complete revocation list. Only download one.
From RFC 5280 Section 126.96.36.199:
If the DistributionPoint omits the reasons field, the CRL MUST
include revocation information for all reasons. This profile
RECOMMENDS against segmenting CRLs by reason code. When a conforming
CA includes a cRLDistributionPoints extension in a certificate, it
MUST include at least one DistributionPoint that points to a CRL that
covers the certificate for all reasons.
If we have such a list we can safely assume that we have all
revocations and do not need to check other crlDPs. This enables
us to error out if a crlDP is provided and no CRL can be fetched
but allows CA's to provide reduntant crlDPs in case one is
unreachable. Previously Dirmngr would have errored out when
the first crlDP checked was unreachable.
Signed-off-by: Andre Heinecke <firstname.lastname@example.org>
dirmngr/crlcache.c | 40 ++++++++++++++++++++++++++++++++--------
1 file changed, 32 insertions(+), 8 deletions(-)