Gnus development mailing list
From: "Arne Jørgensen" <arne@arnested.dk>
Subject: Patch to enable CRL check when verifying S/MIME signed articles
Date: Thu, 04 Dec 2003 22:28:43 +0100
Message-ID: <87fzg0s25w.fsf@seamus.arnested.dk>

Hi,

This patch will have Gnus/OpenSSL check the revocation status of a
signer's certificate when verifying a signed article (it passes
the -crl_check option on to openssl).

At least OpenSSL version 0.9.7 is required (the -crl_check option
was not present prior to this).


[-- Attachment #2: Enable CRL check when verifying S/MIME signed articles --]
[-- Type: text/x-patch, Size: 1786 bytes --]

Index: smime.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v
retrieving revision 6.31
diff -c -r6.31 smime.el
*** smime.el	25 Jul 2003 00:53:09 -0000	6.31
--- smime.el	4 Dec 2003 21:19:07 -0000
***************
*** 184,189 ****
--- 184,210 ----
  		 (const :tag "RC2 128 bits" "-rc2-128"))
    :group 'smime)
  
+ (defcustom smime-crl-check nil
+   "*Check revocation status of signers certificate using CRLs.
+ Enabling this will have OpenSSL check the signers certificate
+ against a certificate revocation list (CRL).
+ 
+ For this to work you the CRL must be up-to-date and since they
+ are normally updated quite often (ie. several times a day) you
+ probably need some tool to keep them up-to-date. Unfortunately
+ Gnus cannot do this for you.
+ 
+ The CRL should either be appended (in PEM format) to your
+ `smime-CA-file' or be located in a file (also in PEM format) in
+ your `smime-certificate-directory' named to the X.509 hash of the
+ certificate with .r0 as file name extension.
+ 
+ At least OpenSSL version 0.9.7 is required for this to work."
+   :type '(choice (const :tag "No check" nil)
+ 		 (const :tag "Check certificate" "-crl_check")
+ 		 (const :tag "Check certificate chain" "-crl_check_all"))
+   :group 'smime)
+ 
  (defcustom smime-dns-server nil
    "*DNS server to query certificates from.
  If nil, use system defaults."
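
Review bot: The `smime-crl-check` docstring tells users to put the hash-named `.r0` file in `smime-certificate-directory`, but the verify call in the next hunk builds its CA arguments from `smime-CA-directory`; please confirm which directory OpenSSL is actually handed and name that one. In the same docstring, "For this to work you the CRL must be up-to-date" has a stray "you", "signers certificate" needs an apostrophe, and "named to the X.509 hash of the certificate" should say which certificate the hash is taken from.
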
***************
*** 348,353 ****
--- 369,376 ----
  			       (expand-file-name smime-CA-directory))))))
      (unless CAs
        (error "No CA configured"))
+     (if smime-crl-check
+ 	(add-to-list 'CAs  smime-crl-check))
      (if (apply 'smime-call-openssl-region b e (list smime-details-buffer t)
  	       "smime" "-verify" "-out" "/dev/null" CAs)
  	t
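
Review bot: `(add-to-list 'CAs  smime-crl-check)` forwards whatever non-nil value the variable holds into the `apply` call on `smime-call-openssl-region`, so a value set outside Customize (for example `t`) reaches OpenSSL as a non-string argument. Guarding on `(stringp smime-crl-check)` and using `push` on what appears to be a local argument list would be safer than `add-to-list`, and the one-armed `if` reads better as `when`. Nothing here handles an OpenSSL older than 0.9.7, which the docstring says is required; it would help if the failure shown in `smime-details-buffer` made clear that the option, not the signature, was rejected.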


Kind regards,
-- 
Arne Jørgensen
Valby Langgade 272, 1. tv., DK-2500 Valby, Denmark
phone: +45 36 44 18 03, mobile: +45 21 65 01 13
email: arne@arnested.dk, <http://arnested.dk/>
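
What `-crl_check` changes in a verification can be reproduced with the openssl command line alone. The following is an added example, not part of the original message or of Gnus; the CA, signer and all file names are constructed, and it covers only the variant where the CRL is appended to the CA file.

```sh
#!/bin/sh
# Added example. The CA, signer and all file names are constructed for the demo.

verify() {  # $1: file given as -CAfile (CA cert, optionally with a CRL appended)
  if openssl smime -verify -crl_check -CAfile "$1" -in msg.eml \
       -out /dev/null 2>/dev/null
  then echo OK; else echo FAIL; fi
}

crl_demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  mkdir certs; : > index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = certs
default_md = sha256
default_days = 30
default_crl_days = 1
policy = pol
[pol]
commonName = supplied
EOF
  ca() { openssl ca -batch -notext -config ca.cnf -cert ca.pem -keyfile ca.key "$@" 2>/dev/null; }
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
    -keyout user.key -out user.csr 2>/dev/null
  ca -in user.csr -out user.pem
  echo hello | openssl smime -sign -text -signer user.pem -inkey user.key -out msg.eml

  echo "no CRL available: $(verify ca.pem)"   # CRL lookup fails, so does the verify
  ca -gencrl -out crl.pem
  cat ca.pem crl.pem > ca-and-crl.pem         # CRL appended to the CA file
  echo "CRL present, signer good: $(verify ca-and-crl.pem)"
  ca -revoke user.pem
  ca -gencrl -out crl.pem                     # the CRL must be refreshed to see it
  cat ca.pem crl.pem > ca-and-crl.pem
  echo "CRL present, signer revoked: $(verify ca-and-crl.pem)"
)

crl_demo
```

The first line of output is the case to plan for when enabling the option: with `-crl_check` set and no CRL reachable, a valid signature is reported as a failure.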
