b/src/crlcache.c
char *issuer = NULL; | char *issuer = NULL; | ||||
ksba_name_t distpoint = NULL; | ksba_name_t distpoint = NULL; | ||||
ksba_name_t issuername = NULL; | ksba_name_t issuername = NULL; | ||||
ksba_crl_reason_t reasons = 0; | |||||
char *distpoint_uri = NULL; | char *distpoint_uri = NULL; | ||||
char *issuername_uri = NULL; | char *issuername_uri = NULL; | ||||
int any_dist_point = 0; | int any_dist_point = 0; | ||||
seq = 0; | seq = 0; | ||||
while ( !(err = ksba_cert_get_crl_dist_point (cert, seq++, | while ( !(err = ksba_cert_get_crl_dist_point (cert, seq++, | ||||
&distpoint, | &distpoint, | ||||
&issuername, NULL ))) | &issuername, &reasons ))) | ||||
{ | { | ||||
int name_seq; | int name_seq; | ||||
gpg_error_t last_err = 0; | gpg_error_t last_err = 0; | ||||
xfree (issuername_uri); issuername_uri = NULL; | xfree (issuername_uri); issuername_uri = NULL; | ||||
/* Get the URIs. We do this in a loop to iterate over all names | if (reasons != 0 && reasons != (KSBA_CRLREASON_UNSPECIFIED | | ||||
in the crlDP. */ | KSBA_CRLREASON_KEY_COMPROMISE | KSBA_CRLREASON_CA_COMPROMISE | | ||||
for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++) | KSBA_CRLREASON_AFFILIATION_CHANGED | KSBA_CRLREASON_SUPERSEDED | | ||||
KSBA_CRLREASON_CESSATION_OF_OPERATION | | |||||
KSBA_CRLREASON_CERTIFICATE_HOLD | | |||||
KSBA_CRLREASON_PRIVILEGE_WITHDRAWN | | |||||
KSBA_CRLREASON_AA_COMPROMISE) ) | |||||
{ | { | ||||
xfree (distpoint_uri); distpoint_uri = NULL; | |||||
distpoint_uri = ksba_name_get_uri (distpoint, name_seq); | |||||
if (!distpoint_uri) | |||||
continue; | |||||
if (!strncmp (distpoint_uri, "ldap:", 5) | |||||
|| !strncmp (distpoint_uri, "ldaps:", 6)) | |||||
{ | |||||
if (opt.ignore_ldap_dp) | |||||
continue; | |||||
} | |||||
else if (!strncmp (distpoint_uri, "http:", 5) | |||||
|| !strncmp (distpoint_uri, "https:", 6)) | |||||
{ | |||||
if (opt.ignore_http_dp) | |||||
continue; | |||||
} | |||||
else | |||||
continue; /* Skip unknown schemes. */ | |||||
any_dist_point = 1; | |||||
if (opt.verbose) | |||||
log_info ("fetching CRL from `%s'\n", distpoint_uri); | |||||
err = crl_fetch (ctrl, distpoint_uri, &reader); | |||||
if (err) | |||||
{ | |||||
log_error (_("crl_fetch via DP failed: %s\n"), | |||||
gpg_strerror (err)); | |||||
last_err = err; | |||||
continue; /* with the next name. */ | |||||
} | |||||
if (opt.verbose) | if (opt.verbose) | ||||
log_info ("inserting CRL (reader %p)\n", reader); | log_info ("incomplete distribution point not supported\n"); | ||||
err = crl_cache_insert (ctrl, distpoint_uri, reader); | /* Not supported; CRLs paritioned by reasons would require | ||||
if (err) | database change and addressing of cached CRL by issuer AND | ||||
{ | reasons or duplicate issuer keys. */ | ||||
log_error (_("crl_cache_insert via DP failed: %s\n"), | |||||
gpg_strerror (err)); | |||||
last_err = err; | |||||
continue; /* with the next name. */ | |||||
} | |||||
last_err = 0; | |||||
break; /* Ready. */ | |||||
} | } | ||||
if (last_err) | else | ||||
{ | { | ||||
err = last_err; | /* Get the URIs. We do this in a loop to iterate over all names | ||||
goto leave; | in the crlDP. */ | ||||
} | for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++) | ||||
{ | |||||
xfree (distpoint_uri); distpoint_uri = NULL; | |||||
distpoint_uri = ksba_name_get_uri (distpoint, name_seq); | |||||
if (!distpoint_uri) | |||||
continue; | |||||
if (!strncmp (distpoint_uri, "ldap:", 5) | |||||
|| !strncmp (distpoint_uri, "ldaps:", 6)) | |||||
{ | |||||
if (opt.ignore_ldap_dp) | |||||
continue; | |||||
} | |||||
else if (!strncmp (distpoint_uri, "http:", 5) | |||||
|| !strncmp (distpoint_uri, "https:", 6)) | |||||
{ | |||||
if (opt.ignore_http_dp) | |||||
continue; | |||||
} | |||||
else | |||||
continue; /* Skip unknown schemes. */ | |||||
any_dist_point = 1; | |||||
if (opt.verbose) | |||||
log_info ("fetching CRL from `%s'\n", distpoint_uri); | |||||
err = crl_fetch (ctrl, distpoint_uri, &reader); | |||||
if (err) | |||||
{ | |||||
log_error (_("crl_fetch via DP failed: %s\n"), | |||||
gpg_strerror (err)); | |||||
last_err = err; | |||||
continue; /* with the next name. */ | |||||
} | |||||
if (opt.verbose) | |||||
log_info ("inserting CRL (reader %p)\n", reader); | |||||
err = crl_cache_insert (ctrl, distpoint_uri, reader); | |||||
if (err) | |||||
{ | |||||
log_error (_("crl_cache_insert via DP failed: %s\n"), | |||||
gpg_strerror (err)); | |||||
last_err = err; | |||||
continue; /* with the next name. */ | |||||
} | |||||
last_err = 0; | |||||
break; /* Ready. */ | |||||
} | |||||
} /* This was complete DP */ | |||||
err = last_err; | |||||
ksba_name_release (distpoint); distpoint = NULL; | ksba_name_release (distpoint); distpoint = NULL; | ||||
/* We don't do anything with issuername_uri yet but we keep the | /* We don't do anything with issuername_uri yet but we keep the | ||||
issuername_uri = ksba_name_get_uri (issuername, 0); | issuername_uri = ksba_name_get_uri (issuername, 0); | ||||
ksba_name_release (issuername); issuername = NULL; | ksba_name_release (issuername); issuername = NULL; | ||||
if (!last_err && any_dist_point) | |||||
break; /* We have inserted new complete CRL sucessfully. Thats enough, | |||||
other DPs can't contain more comprehensive CRL. */ | |||||
} | } | ||||
if (gpg_err_code (err) == GPG_ERR_EOF) | if (gpg_err_code (err) == GPG_ERR_EOF) | ||||
err = 0; | err = 0; | ||||
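Review bot: A fetch or insert failure is no longer reported once the loop moves on to the next distribution point: the new `err = last_err;` is overwritten by the next ksba_cert_get_crl_dist_point call in the while condition, and when that call returns EOF the `err = 0` after the loop discards it, so a certificate whose every DP failed (any_dist_point set, nothing inserted) leaves err == 0 where the removed `goto leave` used to propagate last_err. Keep the last failure in a variable declared before the loop, clear it only when an insert succeeds, and substitute it for EOF after the loop. Separately, `reasons` is initialised once before the loop and never reset per iteration; unless ksba_cert_get_crl_dist_point is documented to write *r_reason on every call, add `reasons = 0;` at the top of the loop body so a previous DP's reasons cannot make a later complete DP look partitioned. Minor: `paritioned` in the new comment should read `partitioned`. The enclosing function starts and ends outside this hunk.
```c
  gpg_error_t dp_err = 0;  /* Last fetch/insert failure seen across DPs. */
  /* … unchanged: remaining declarations, while loop head, reasons check, name loop … */
      err = last_err;
      if (last_err)
        dp_err = last_err;
      /* … unchanged: distpoint / issuername release and issuername_uri … */
      if (!last_err && any_dist_point)
        {
          dp_err = 0;
          break; /* We have inserted new complete CRL sucessfully. Thats enough,
                    other DPs can't contain more comprehensive CRL. */
        }
    }
  if (gpg_err_code (err) == GPG_ERR_EOF)
    err = dp_err;  /* No DP succeeded: report the last failure, else 0. */
```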