commit 4de6db2f49115a899879bb25b20e49032e315490
Author: Petr Písař
Date: Tue Oct 6 18:40:17 2009 +0200
Allow only complete DPs in crl_cache_reload_crl()
This one allows to fail some DP without impact to CRL validation. The code contains just minimal changes to allow future reason-partitioned CRLs.
diff --git a/src/crlcache.c b/src/crlcache.c
index c7fe43a..a083578 100644
--- a/src/crlcache.c
+++ b/src/crlcache.c
@@ -2432,6 +2432,7 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
 char *issuer = NULL;
 ksba_name_t distpoint = NULL;
 ksba_name_t issuername = NULL;
+ ksba_crl_reason_t reasons = 0;
 char *distpoint_uri = NULL;
 char *issuername_uri = NULL;
 int any_dist_point = 0;
@@ -2444,7 +2445,7 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
 seq = 0;
 while ( !(err = ksba_cert_get_crl_dist_point (cert, seq++, &distpoint,
- &issuername, NULL )))
+ &issuername, &reasons )))
 {
 int name_seq;
 gpg_error_t last_err = 0;
@@ -2460,62 +2461,75 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
 xfree (issuername_uri); issuername_uri = NULL;
- /* Get the URIs. We do this in a loop to iterate over all names
- in the crlDP. */
- for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++)
+ if (reasons != 0 && reasons != (KSBA_CRLREASON_UNSPECIFIED |
+ KSBA_CRLREASON_KEY_COMPROMISE | KSBA_CRLREASON_CA_COMPROMISE |
+ KSBA_CRLREASON_AFFILIATION_CHANGED | KSBA_CRLREASON_SUPERSEDED |
+ KSBA_CRLREASON_CESSATION_OF_OPERATION |
+ KSBA_CRLREASON_CERTIFICATE_HOLD |
+ KSBA_CRLREASON_PRIVILEGE_WITHDRAWN |
+ KSBA_CRLREASON_AA_COMPROMISE) )
 {
- xfree (distpoint_uri); distpoint_uri = NULL;
- distpoint_uri = ksba_name_get_uri (distpoint, name_seq);
- if (!distpoint_uri)
- continue;
-
- if (!strncmp (distpoint_uri, "ldap:", 5)
- || !strncmp (distpoint_uri, "ldaps:", 6))
- {
- if (opt.ignore_ldap_dp)
- continue;
- }
- else if (!strncmp (distpoint_uri, "http:", 5)
- || !strncmp (distpoint_uri, "https:", 6))
- {
- if (opt.ignore_http_dp)
- continue;
- }
- else
- continue; /* Skip unknown schemes. */
-
- any_dist_point = 1;
-
- if (opt.verbose)
- log_info ("fetching CRL from `%s'\n", distpoint_uri);
- err = crl_fetch (ctrl, distpoint_uri, &reader);
- if (err)
- {
- log_error (_("crl_fetch via DP failed: %s\n"),
- gpg_strerror (err));
- last_err = err;
- continue; /* with the next name. */
- }
- if (opt.verbose)
- log_info ("inserting CRL (reader %p)\n", reader);
- err = crl_cache_insert (ctrl, distpoint_uri, reader);
- if (err)
- {
- log_error (_("crl_cache_insert via DP failed: %s\n"),
- gpg_strerror (err));
- last_err = err;
- continue; /* with the next name. */
- }
- last_err = 0;
- break; /* Ready. */
+ log_info ("incomplete distribution point not supported\n");
+ /* Not supported; CRLs paritioned by reasons would require
+ database change and addressing of cached CRL by issuer AND
+ reasons or duplicate issuer keys. */
 }
- if (last_err)
+ else
 {
- err = last_err;
- goto leave;
- }
-
+ /* Get the URIs. We do this in a loop to iterate over all names
+ in the crlDP. */
+ for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++)
+ {
+ xfree (distpoint_uri); distpoint_uri = NULL;
+ distpoint_uri = ksba_name_get_uri (distpoint, name_seq);
+ if (!distpoint_uri)
+ continue;
+
+ if (!strncmp (distpoint_uri, "ldap:", 5)
+ || !strncmp (distpoint_uri, "ldaps:", 6))
+ {
+ if (opt.ignore_ldap_dp)
+ continue;
+ }
+ else if (!strncmp (distpoint_uri, "http:", 5)
+ || !strncmp (distpoint_uri, "https:", 6))
+ {
+ if (opt.ignore_http_dp)
+ continue;
+ }
+ else
+ continue; /* Skip unknown schemes. */
+
+ any_dist_point = 1;
+
+ if (opt.verbose)
+ log_info ("fetching CRL from `%s'\n", distpoint_uri);
+ err = crl_fetch (ctrl, distpoint_uri, &reader);
+ if (err)
+ {
+ log_error (_("crl_fetch via DP failed: %s\n"),
+ gpg_strerror (err));
+ last_err = err;
+ continue; /* with the next name. */
+ }
+
+ if (opt.verbose)
+ log_info ("inserting CRL (reader %p)\n", reader);
+ err = crl_cache_insert (ctrl, distpoint_uri, reader);
+ if (err)
+ {
+ log_error (_("crl_cache_insert via DP failed: %s\n"),
+ gpg_strerror (err));
+ last_err = err;
+ continue; /* with the next name. */
+ }
+ last_err = 0;
+ break; /* Ready. */
+ }
+ } /* This was complete DP */
+ err = last_err;
+
 ksba_name_release (distpoint); distpoint = NULL;
 /* We don't do anything with issuername_uri yet but we keep the
@@ -2523,6 +2537,9 @@ crl_cache_reload_crl (ctrl_t ctrl, ksba_cert_t cert)
 issuername_uri = ksba_name_get_uri (issuername, 0);
 ksba_name_release (issuername); issuername = NULL;
+ if (!last_err && any_dist_point)
+ break; /* We have inserted new complete CRL sucessfully. Thats enough,
+ other DPs can't contain more comprehensive CRL. */
 }
 if (gpg_err_code (err) == GPG_ERR_EOF)
 err = 0;
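Review bot: The new `err = last_err;` after the else block never survives the loop, because the `while` condition reassigns `err` from `ksba_cert_get_crl_dist_point` on the next pass and the `break` added in the last hunk is only taken when `last_err` is zero. When every complete DP fails in `crl_fetch` or `crl_cache_insert`, the loop ends on GPG_ERR_EOF, which the line after the loop maps to 0, so the failure that the removed `goto leave` used to return is dropped and a reload that loaded no CRL may look successful to the code after the loop (not visible in this hunk). Keep the most recent DP failure in a function-scope variable, e.g. `if (last_err) dp_err = last_err;` in place of the assignment (`dp_err` being a new `gpg_error_t` initialised to 0), and restore it after the loop when no DP succeeded, `if (!err && dp_err) err = dp_err;`. The incomplete-DP branch also reports only through `log_info`, so a certificate whose DPs are all reason-partitioned is skipped without any error value; consider `log_error` or at least a `/* Deliberately not an error: fall through to the next DP. */` comment stating that this is intended.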
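Review bot: The added `if (!last_err && any_dist_point) break;` can leave the loop although no CRL was inserted. `any_dist_point` is function-scope and is set as soon as a name with a supported scheme is seen, before `crl_fetch` runs, while `last_err` starts at 0 for every DP; a first DP whose fetch failed, followed by a DP that is skipped as incomplete or whose names are all filtered out, therefore satisfies the test with `err` already set to 0. For revocation checking that is a fail-open path, since the caller may see success while the cache was not refreshed. Track the success explicitly: declare `int inserted = 0;` next to `last_err`, set `inserted = 1;` beside `last_err = 0; break; /* Ready. */`, and test `if (inserted) break;` here.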