fix(crl): derive missing CDP status from admin toggle in handler

vitormattos · backportbot-libresign[bot] · commit 0ea77a2074e9 · 2026-04-04T17:51:49.000Z
When a certificate has no crlDistributionPoints extension, the handler now
maps the status to DISABLED when external CRL validation is turned off,
instead of always setting MISSING. This makes the source status align with
the configured policy before signature validation runs.

Signed-off-by: Vitor Mattos &lt;1079143+vitormattos@users.noreply.github.com&gt;
diff --git a/lib/Handler/CertificateEngine/AEngineHandler.php b/lib/Handler/CertificateEngine/AEngineHandler.php
@@ -193,7 +193,10 @@ private function addCrlValidationInfo(array &$certData, string $certPem): void {
 				$certData['crl_revoked_at'] = $crlDetails['revoked_at'];
 			}
 		} else {
-			$certData['crl_validation'] = CrlValidationStatus::MISSING;
+			$externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);
+			$certData['crl_validation'] = $externalValidationEnabled
+				? CrlValidationStatus::MISSING
+				: CrlValidationStatus::DISABLED;
 			$certData['crl_urls'] = [];
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,10 @@ private function addCrlValidationInfo(array &$certData, string $certPem): void {`
`193`	`193`	`$certData['crl_revoked_at'] = $crlDetails['revoked_at'];`
`194`	`194`	`}`
`195`	`195`	`} else {`
`196`		`- $certData['crl_validation'] = CrlValidationStatus::MISSING;`
	`196`	`+ $externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);`
	`197`	`+ $certData['crl_validation'] = $externalValidationEnabled`
	`198`	`+ ? CrlValidationStatus::MISSING`
	`199`	`+ : CrlValidationStatus::DISABLED;`
`197`	`200`	`$certData['crl_urls'] = [];`
`198`	`201`	`}`
`199`	`202`	`}`