b/dirmngr/crlcache.c
Context not available. | |||||
char *issuer = NULL; | char *issuer = NULL; | ||||
ksba_name_t distpoint = NULL; | ksba_name_t distpoint = NULL; | ||||
ksba_name_t issuername = NULL; | ksba_name_t issuername = NULL; | ||||
ksba_crl_reason_t reason = KSBA_CRLREASON_UNSPECIFIED; | |||||
char *distpoint_uri = NULL; | char *distpoint_uri = NULL; | ||||
char *issuername_uri = NULL; | char *issuername_uri = NULL; | ||||
int any_dist_point = 0; | int any_dist_point = 0; | ||||
int any_full_list_obtained = 0; | |||||
int seq; | int seq; | ||||
gpg_error_t last_err = 0; | |||||
/* Loop over all distribution points, get the CRLs and put them into | /* Loop over all distribution points, get the CRLs and put them into | ||||
the cache. */ | the cache. */ | ||||
Context not available. | |||||
seq = 0; | seq = 0; | ||||
while ( !(err = ksba_cert_get_crl_dist_point (cert, seq++, | while ( !(err = ksba_cert_get_crl_dist_point (cert, seq++, | ||||
&distpoint, | &distpoint, | ||||
&issuername, NULL ))) | &issuername, &reason)) ) | ||||
{ | { | ||||
int name_seq; | int name_seq; | ||||
gpg_error_t last_err = 0; | |||||
if (!distpoint && !issuername) | if (!distpoint && !issuername) | ||||
{ | { | ||||
Context not available. | |||||
continue; /* with the next name. */ | continue; /* with the next name. */ | ||||
} | } | ||||
last_err = 0; | last_err = 0; | ||||
if (reason == KSBA_CRLREASON_UNSPECIFIED) | |||||
{ | |||||
/* We now have obtained a CRL for this certificate that includes | |||||
recovcations for all reasons. No need to check the other | |||||
crlDPs. | |||||
From RFC 5280 Section 4.2.1.13: | |||||
If the DistributionPoint omits the reasons field, the CRL MUST | |||||
include revocation information for all reasons. This profile | |||||
RECOMMENDS against segmenting CRLs by reason code. When a conforming | |||||
CA includes a cRLDistributionPoints extension in a certificate, it | |||||
MUST include at least one DistributionPoint that points to a CRL that | |||||
covers the certificate for all reasons. */ | |||||
any_full_list_obtained = 1; | |||||
} | |||||
break; /* Ready. */ | break; /* Ready. */ | ||||
} | } | ||||
if (last_err) | |||||
{ | |||||
err = last_err; | |||||
goto leave; | |||||
} | |||||
ksba_name_release (distpoint); distpoint = NULL; | ksba_name_release (distpoint); distpoint = NULL; | ||||
/* We don't do anything with issuername_uri yet but we keep the | /* We don't do anything with issuername_uri yet but we keep the | ||||
Context not available. | |||||
/* Close the reader. */ | /* Close the reader. */ | ||||
crl_close_reader (reader); | crl_close_reader (reader); | ||||
reader = NULL; | reader = NULL; | ||||
/* We have fetched a CRL that should contain all certificates. No | |||||
reason to look at any more crlDP's. */ | |||||
if (any_full_list_obtained) | |||||
break; | |||||
} | |||||
/* Hard failure in case a crlDP was provided but we were unable | |||||
to obtain a full CRL for this. */ | |||||
if (any_dist_point && !any_full_list_obtained) | |||||
{ | |||||
err = last_err; | |||||
goto leave; | |||||
} | } | ||||
if (gpg_err_code (err) == GPG_ERR_EOF) | if (gpg_err_code (err) == GPG_ERR_EOF) | ||||
err = 0; | err = 0; | ||||
Context not available. |
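Review bot: The hard-failure branch added after the outer loop, `err = last_err; goto leave;`, still leaves with err == 0 (reported as success) whenever last_err happens to be zero at that point, so the "hard failure" is not actually enforced in every case. That case looks reachable from the visible lines: last_err is reset to 0 at the top of each name iteration, and a distribution point whose CRL is fetched without error but carries a reasons field leaves any_full_list_obtained at 0 while storing no error in last_err; how last_err is assigned on a failed fetch lies in the context not shown, so this is inferred rather than certain. A fallback error would make the rejection unconditional, e.g. `err = last_err ? last_err : gpg_error (GPG_ERR_NO_CRL_KNOWN);`. Minor: the added RFC 5280 comment spells "revocations" as "recovcations". The enclosing function begins and ends outside this section.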