authorJack Lloyd <[email protected]>2016-11-28 05:30:29 -0500
committerJack Lloyd <[email protected]>2016-11-28 05:30:29 -0500
commitea3cb1e12822bbdbe99938ef47ac739f9c891ff4 (patch)
tree973fb402dfb30b66fd209cbf9b55b6ef7dab3828
parent89e37bc7a265f26b1dddd90ec3a94b43d81e48e3 (diff)
Add TLS::Policy::require_cert_revocation_info
-rw-r--r--src/lib/tls/tls_callbacks.cpp3
-rw-r--r--src/lib/tls/tls_policy.cpp5
-rw-r--r--src/lib/tls/tls_policy.h7
3 files changed, 14 insertions, 1 deletions
diff --git a/src/lib/tls/tls_callbacks.cpp b/src/lib/tls/tls_callbacks.cpp
index 7afb3f17f..f25f392b3 100644
--- a/src/lib/tls/tls_callbacks.cpp
+++ b/src/lib/tls/tls_callbacks.cpp
@@ -36,7 +36,8 @@ void TLS::Callbacks::tls_verify_cert_chain(
if(cert_chain.empty())
throw Invalid_Argument("Certificate chain was empty");
- Path_Validation_Restrictions restrictions(true, policy.minimum_signature_strength());
+ Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),
+ policy.minimum_signature_strength());
Path_Validation_Result result =
x509_path_validate(cert_chain,
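Review bot: The first argument to `Path_Validation_Restrictions` is an unnamed positional bool whose effect (whether a chain lacking CRL/OCSP data fails validation) is only documented on `Policy::require_cert_revocation_info` in tls_policy.h, so a one-line comment at the call site would help readers: `// policy decides whether missing CRL/OCSP data is fatal (fail-closed by default)`. Whether the requirement actually bites also depends on the OCSP responses and trust roots handed to `x509_path_validate`, which are outside this hunk. `tls_verify_cert_chain` starts before the hunk and continues past it.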
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index e9caa8bb3..84ba5e4bf 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -161,6 +161,11 @@ size_t Policy::minimum_signature_strength() const
return 110;
}
+bool Policy::require_cert_revocation_info() const
+ {
+ return true;
+ }
+
size_t Policy::minimum_rsa_bits() const
{
/* Default assumption is all end-entity certificates should
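Review bot: The new `Policy::require_cert_revocation_info` definition carries no comment explaining why the default is `true`, unlike the neighbouring `minimum_rsa_bits` which justifies its default inline; a short why-comment would record the fail-closed choice: `// Fail closed: without examined CRL/OCSP data a revoked certificate cannot be detected`. Keeping the default at `true` preserves the previously hard-coded behaviour in tls_callbacks.cpp, so this is documentation only.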
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index f992949fe..b577eb265 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -66,6 +66,13 @@ class BOTAN_DLL Policy
*/
virtual size_t minimum_signature_strength() const;
+ /**
+ * Return if cert revocation info (CRL/OCSP) is required
+ * If true, validation will fail unless a valid CRL or OCSP response
+ * was examined.
+ */
+ virtual bool require_cert_revocation_info() const;
+
bool allowed_signature_method(const std::string& sig_method) const;
/**
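Review bot: The doc comment on `require_cert_revocation_info` states what happens when it returns true but neither the default nor the consequence of overriding it to false, which is the security-relevant case: with false, a chain for which no CRL or OCSP response was examined still validates, so a revoked certificate would not be detected. Suggest extending the comment with `* Default: true. Overriding this to return false disables the check, so revoked certificates may be accepted when no revocation data is supplied.` If this header also declares a text-configurable policy subclass (outside the hunk), it would presumably need a matching override for the setting to be adjustable without subclassing — verify.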