From 17073c9abcfb0546e40f3fa6af655c87305f71b5 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 31 Aug 2022 18:11:36 +0200
Subject: [PATCH] dirmngr: New option --debug-cache-expired-certs.

* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs:
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
---
 dirmngr/certcache.c | 5 +++--
 dirmngr/dirmngr.c | 9 ++++++++-
 dirmngr/dirmngr.h | 3 +++
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 30d4d89fa..1e73d6f85 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -271,8 +271,9 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
 cert_item_t ci;
 fingerprint_list_t ignored;
- if (permanent)
- { /* Do a little validation. */
+ /* Do not keep expired certificates in the permanent cache. */
+ if (permanent && !opt.debug_cache_expired_certs)
+ {
 ksba_isotime_t not_after;
 ksba_isotime_t current_time;
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index dbe971963..977e7dd04 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -108,6 +108,7 @@ enum cmd_and_opt_values {
 oDebugWait,
 oDebugLevel,
 oGnutlsDebug,
+ oDebugCacheExpiredCerts,
 oNoGreeting,
 oNoOptions,
 oHomedir,
@@ -292,8 +293,9 @@ static gpgrt_opt_t opts[] = {
 ARGPARSE_header (NULL, N_("Other options")),
 ARGPARSE_s_n (oForce, "force", N_("force loading of outdated CRLs")),
- ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */
+ ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */
+ ARGPARSE_s_n (oDebugCacheExpiredCerts, "debug-cache-expired-certs", "@"),
 ARGPARSE_header (NULL, ""), /* Stop the header group. */
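Review bot: The new comment above the `if` in put_cert states that expired certificates are never kept in the permanent cache, but the condition on the next line makes that conditional on a hidden debug option, and a reader of the cache code will not find that caveat anywhere. Suggest `/* Do not keep expired certificates in the permanent cache, unless the debugging option --debug-cache-expired-certs overrides this.  */`. Since the option is parsed in parse_rereadable_options, it can presumably be toggled on a config reread; if nothing evicts already-cached entries on reread (not visible here), a note that disabling it later does not purge expired certificates already in the cache would also be worth adding. The body of put_cert continues outside the hunk.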
@@ -705,6 +707,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
 opt.connect_quick_timeout = 0;
 opt.ldaptimeout = DEFAULT_LDAP_TIMEOUT;
 ldapserver_list_needs_reset = 1;
+ opt.debug_cache_expired_certs = 0;
 return 1;
 }
@@ -863,6 +866,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
 opt.ldaptimeout = pargs->r.ret_int;
 break;
+ case oDebugCacheExpiredCerts:
+ opt.debug_cache_expired_certs = 0;
+ break;
+
 default:
 return 0; /* Not handled. */
 }
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 8dc39f12c..d916cce5f 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -129,6 +129,9 @@ struct
 OID per string. */
 strlist_t ignored_cert_extensions;
+ /* Allow expired certificates in the cache. */
+ int debug_cache_expired_certs;
+
 int allow_ocsp; /* Allow using OCSP. */
 int max_replies;
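Review bot: The new `case oDebugCacheExpiredCerts:` arm assigns `opt.debug_cache_expired_certs = 0;`, which is the same value the reset branch earlier in parse_rereadable_options already stores, so giving --debug-cache-expired-certs on the command line or in the config file never enables the behaviour that put_cert in certcache.c tests for; the option is a no-op as committed. It should read `opt.debug_cache_expired_certs = 1;`. The commit message says the option is "set" here, which hides the inversion, so a comment such as `/* Debugging aid: keep expired certs in the permanent cache.  */` on the case would make the intent visible. parse_rereadable_options starts and ends outside the hunk.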