D110.id938.diff
Index: b/src/crlcache.c
===================================================================
--- b/src/crlcache.c
+++ b/src/crlcache.c
@@ -2432,6 +2432,7 @@
char *issuer = NULL;
ksba_name_t distpoint = NULL;
ksba_name_t issuername = NULL;
+ ksba_crl_reason_t reasons = 0;
char *distpoint_uri = NULL;
char *issuername_uri = NULL;
int any_dist_point = 0;
@@ -2444,7 +2445,7 @@
seq = 0;
while ( !(err = ksba_cert_get_crl_dist_point (cert, seq++,
&distpoint,
- &issuername, NULL )))
+ &issuername, &reasons )))
{
int name_seq;
gpg_error_t last_err = 0;
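Review bot: `reasons` is zeroed only at its declaration outside the while loop, so whether a distribution point without a reasons field is seen as 0 here depends on `ksba_cert_get_crl_dist_point` writing `*r_reason` on every call; if the library leaves the output untouched for such a DP, the previous DP's flags would carry over and a complete DP could be misclassified as incomplete. If libksba does not guarantee the write, reset it at the top of the loop body with `reasons = 0;` before the classification check. The while body continues into the next hunk.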
@@ -2460,62 +2461,75 @@
xfree (issuername_uri); issuername_uri = NULL;
- /* Get the URIs. We do this in a loop to iterate over all names
- in the crlDP. */
- for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++)
+ if (reasons != 0 && reasons != (KSBA_CRLREASON_UNSPECIFIED |
+ KSBA_CRLREASON_KEY_COMPROMISE | KSBA_CRLREASON_CA_COMPROMISE |
+ KSBA_CRLREASON_AFFILIATION_CHANGED | KSBA_CRLREASON_SUPERSEDED |
+ KSBA_CRLREASON_CESSATION_OF_OPERATION |
+ KSBA_CRLREASON_CERTIFICATE_HOLD |
+ KSBA_CRLREASON_PRIVILEGE_WITHDRAWN |
+ KSBA_CRLREASON_AA_COMPROMISE) )
{
- xfree (distpoint_uri); distpoint_uri = NULL;
- distpoint_uri = ksba_name_get_uri (distpoint, name_seq);
- if (!distpoint_uri)
- continue;
-
- if (!strncmp (distpoint_uri, "ldap:", 5)
- || !strncmp (distpoint_uri, "ldaps:", 6))
- {
- if (opt.ignore_ldap_dp)
- continue;
- }
- else if (!strncmp (distpoint_uri, "http:", 5)
- || !strncmp (distpoint_uri, "https:", 6))
- {
- if (opt.ignore_http_dp)
- continue;
- }
- else
- continue; /* Skip unknown schemes. */
-
- any_dist_point = 1;
-
- if (opt.verbose)
- log_info ("fetching CRL from `%s'\n", distpoint_uri);
- err = crl_fetch (ctrl, distpoint_uri, &reader);
- if (err)
- {
- log_error (_("crl_fetch via DP failed: %s\n"),
- gpg_strerror (err));
- last_err = err;
- continue; /* with the next name. */
- }
-
if (opt.verbose)
- log_info ("inserting CRL (reader %p)\n", reader);
- err = crl_cache_insert (ctrl, distpoint_uri, reader);
- if (err)
- {
- log_error (_("crl_cache_insert via DP failed: %s\n"),
- gpg_strerror (err));
- last_err = err;
- continue; /* with the next name. */
- }
- last_err = 0;
- break; /* Ready. */
+ log_info ("incomplete distribution point not supported\n");
+ /* Not supported; CRLs paritioned by reasons would require
+ database change and addressing of cached CRL by issuer AND
+ reasons or duplicate issuer keys. */
}
- if (last_err)
+ else
{
- err = last_err;
- goto leave;
- }
-
+ /* Get the URIs. We do this in a loop to iterate over all names
+ in the crlDP. */
+ for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++)
+ {
+ xfree (distpoint_uri); distpoint_uri = NULL;
+ distpoint_uri = ksba_name_get_uri (distpoint, name_seq);
+ if (!distpoint_uri)
+ continue;
+
+ if (!strncmp (distpoint_uri, "ldap:", 5)
+ || !strncmp (distpoint_uri, "ldaps:", 6))
+ {
+ if (opt.ignore_ldap_dp)
+ continue;
+ }
+ else if (!strncmp (distpoint_uri, "http:", 5)
+ || !strncmp (distpoint_uri, "https:", 6))
+ {
+ if (opt.ignore_http_dp)
+ continue;
+ }
+ else
+ continue; /* Skip unknown schemes. */
+
+ any_dist_point = 1;
+
+ if (opt.verbose)
+ log_info ("fetching CRL from `%s'\n", distpoint_uri);
+ err = crl_fetch (ctrl, distpoint_uri, &reader);
+ if (err)
+ {
+ log_error (_("crl_fetch via DP failed: %s\n"),
+ gpg_strerror (err));
+ last_err = err;
+ continue; /* with the next name. */
+ }
+
+ if (opt.verbose)
+ log_info ("inserting CRL (reader %p)\n", reader);
+ err = crl_cache_insert (ctrl, distpoint_uri, reader);
+ if (err)
+ {
+ log_error (_("crl_cache_insert via DP failed: %s\n"),
+ gpg_strerror (err));
+ last_err = err;
+ continue; /* with the next name. */
+ }
+ last_err = 0;
+ break; /* Ready. */
+ }
+ } /* This was complete DP */
+ err = last_err;
+
ksba_name_release (distpoint); distpoint = NULL;
/* We don't do anything with issuername_uri yet but we keep the
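Review bot: A fetch or insert failure on a complete DP no longer reaches the caller: the trailing `err = last_err;` is overwritten by the next `ksba_cert_get_crl_dist_point` call in the while condition, and once that returns EOF the post-loop code in the following hunk resets `err` to 0, whereas the removed `goto leave` propagated the failure (`last_err` itself is re-declared as 0 on every iteration). Keep a loop-external accumulator, `gpg_error_t dp_err = 0;`, next to the `reasons` declaration, record it after `} /* This was complete DP */` with `if (last_err) dp_err = last_err;`, and change the post-loop reset to `err = dp_err;` so that exhausting every DP without a successful insert still reports the last failure while the no-DP case keeps returning 0. The enclosing function, including its `leave` label, continues outside the hunk; the comment in the incomplete-DP branch also misspells "partitioned".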
@@ -2523,6 +2537,9 @@
issuername_uri = ksba_name_get_uri (issuername, 0);
ksba_name_release (issuername); issuername = NULL;
+ if (!last_err && any_dist_point)
+ break; /* We have inserted new complete CRL sucessfully. Thats enough,
+ other DPs can't contain more comprehensive CRL. */
}
if (gpg_err_code (err) == GPG_ERR_EOF)
err = 0;
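Review bot: The new break condition `if (!last_err && any_dist_point)` also fires on an incomplete DP that follows a failed complete one: `any_dist_point` stays set from the earlier iteration while `last_err` is re-initialised to 0 on every pass through the while body, so the loop exits with `err` equal to 0 although nothing was inserted, contrary to what the comment claims. Track the success explicitly instead: declare `int inserted = 0;` with the other locals, set `inserted = 1;` immediately before `break; /* Ready. */` in the name loop, and make this condition `if (inserted)`. The while loop begins in the earlier hunks and the function continues past this one.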
D110: 264_dirmngr-1.0.3-allow_only_complete_dps.diff