Disable CRL Distribution Points online verification

2025-04-04 17:00:11 -05:00 · 2024-02-15 12:12:24 +01:00 · 2024-02-15 12:12:24 +01:00 · dac68a3a4d
commit dac68a3a4d
parent bd1ab77f44
3 changed files with 22 additions and 6 deletions
--- a/NEWS.md
+++ b/NEWS.md
@ -11,6 +11,8 @@
  by using the "-verbose" option
 - added new command "extract-data" to extract a PKCS#7 data content to be signed
 - PKCS9_SEQUENCE_NUMBER authenticated attribute support
+- added the "-ignore-cdp" option to disable CRL Distribution Points
+  online verification

 ### 2.7 (2023.09.19)

--- a/osslsigncode.c
+++ b/osslsigncode.c
@ -1773,9 +1773,13 @@ static int verify_timestamp(FILE_FORMAT_CTX *ctx, PKCS7 *p7, CMS_ContentInfo *ti
    url = clrdp_url_get_x509(signer);
 #ifdef ENABLE_CURL
    if (url) {
-        printf("TSA's CRL distribution point: %s\n", url);
-        crl = x509_crl_get(url);
-        OPENSSL_free(url);
+        if (ctx->options->ignore_cdp) {
+            printf("Ignored TSA's CRL distribution point: %s\n", url);
+        } else {
+            printf("TSA's CRL distribution point: %s\n", url);
+            crl = x509_crl_get(url);
+            OPENSSL_free(url);
+        }
        if (!crl && !ctx->options->tsa_crlfile) {
            printf("Use the \"-TSA-CRLfile\" option to add one or more Time-Stamp Authority CRLs in PEM format.\n");
        }
@ -1892,9 +1896,13 @@ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X50
    url = clrdp_url_get_x509(signer);
 #ifdef ENABLE_CURL
    if (url) {
-        printf("CRL distribution point: %s\n", url);
-        crl = x509_crl_get(url);
-        OPENSSL_free(url);
+        if (ctx->options->ignore_cdp) {
+            printf("Ignored CRL distribution point: %s\n", url);
+        } else {
+            printf("CRL distribution point: %s\n", url);
+            crl = x509_crl_get(url);
+            OPENSSL_free(url);
+        }
        if (!crl && !ctx->options->crlfile) {
            printf("Use the \"-CRLfile\" option to add one or more CRLs in PEM format.\n");
            goto out;
@ -3072,6 +3080,7 @@ static void help_for(const char *argv0, const char *cmd)
    const char *cmds_sigin[] = {"attach-signature", NULL};
    const char *cmds_time[] = {"attach-signature", "sign", "verify", NULL};
    const char *cmds_ignore_timestamp[] = {"verify", NULL};
+    const char *cmds_ignore_cdp[] = {"verify", NULL};
 #ifdef ENABLE_CURL
    const char *cmds_t[] = {"add", "sign", NULL};
    const char *cmds_ts[] = {"add", "sign", NULL};
@ -3218,6 +3227,8 @@ static void help_for(const char *argv0, const char *cmd)
        printf("%-24s= a file containing the signature to be attached\n", "-sigin");
    if (on_list(cmd, cmds_ignore_timestamp))
        printf("%-24s= disable verification of the Timestamp Server signature\n", "-ignore-timestamp");
+    if (on_list(cmd, cmds_ignore_cdp))
+        printf("%-24s= disable CRL Distribution Points online verification\n", "-ignore-cdp");
 #ifdef ENABLE_CURL
    if (on_list(cmd, cmds_t)) {
        printf("%-24s= specifies that the digital signature will be timestamped\n", "-t");
@ -4120,6 +4131,8 @@ static int main_configure(int argc, char **argv, GLOBAL_OPTIONS *options)
            }
        } else if ((cmd == CMD_VERIFY) && !strcmp(*argv, "-ignore-timestamp")) {
            options->ignore_timestamp = 1;
+        } else if ((cmd == CMD_VERIFY) && !strcmp(*argv, "-ignore-cdp")) {
+            options->ignore_cdp = 1;
        } else if ((cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_VERIFY) && !strcmp(*argv, "-verbose")) {
            options->verbose = 1;
        } else if ((cmd == CMD_SIGN || cmd == CMD_EXTRACT_DATA || cmd == CMD_ADD || cmd == CMD_ATTACH)
--- a/osslsigncode.h
+++ b/osslsigncode.h
@ -273,6 +273,7 @@ typedef struct {
    int nest;
    int index;
    int ignore_timestamp;
+    int ignore_cdp;
    int verbose;
    int add_msi_dse;
    char *catalog;