dirmngr: New option --debug-cache-expired-certs.

* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs: * dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New. (opts): Add option. (parse_rereadable_options): Set option. * dirmngr/certcache.c (put_cert): Handle the option.
2024-12-22 10:19:57 +01:00 · 2022-08-31 18:11:36 +02:00 · 2022-08-31 18:11:36 +02:00 · 17073c9abc
commit 17073c9abc
parent 0662b9444b
3 changed files with 14 additions and 3 deletions
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@ -271,8 +271,9 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
  cert_item_t ci;
  fingerprint_list_t ignored;

-  if (permanent)
-    {                           /* Do a little validation.  */
+  /* Do not keep expired certificates in the permanent cache.  */
+  if (permanent && !opt.debug_cache_expired_certs)
+    {
      ksba_isotime_t not_after;
      ksba_isotime_t current_time;

--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@ -108,6 +108,7 @@ enum cmd_and_opt_values {
  oDebugWait,
  oDebugLevel,
  oGnutlsDebug,
+  oDebugCacheExpiredCerts,
  oNoGreeting,
  oNoOptions,
  oHomedir,
@ -292,8 +293,9 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_header (NULL, N_("Other options")),

  ARGPARSE_s_n (oForce,    "force",    N_("force loading of outdated CRLs")),
-  ARGPARSE_s_s (oSocketName, "socket-name", "@"),  /* Only for debugging.  */

+  ARGPARSE_s_s (oSocketName, "socket-name", "@"),  /* Only for debugging.  */
+  ARGPARSE_s_n (oDebugCacheExpiredCerts, "debug-cache-expired-certs", "@"),

  ARGPARSE_header (NULL, ""),  /* Stop the header group.  */

@ -705,6 +707,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
      opt.connect_quick_timeout = 0;
      opt.ldaptimeout = DEFAULT_LDAP_TIMEOUT;
      ldapserver_list_needs_reset = 1;
+      opt.debug_cache_expired_certs = 0;
      return 1;
    }

@ -863,6 +866,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
      opt.ldaptimeout = pargs->r.ret_int;
      break;

+    case oDebugCacheExpiredCerts:
+      opt.debug_cache_expired_certs = 0;
+      break;
+
    default:
      return 0; /* Not handled. */
    }
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@ -129,6 +129,9 @@ struct
     OID per string.  */
  strlist_t ignored_cert_extensions;

+  /* Allow expired certificates in the cache.  */
+  int debug_cache_expired_certs;
+
  int allow_ocsp;     /* Allow using OCSP. */

  int max_replies;