dirmngr: Improve finding OCSP cert.
* dirmngr/certcache.c (find_cert_bysubject): Add better debug output
and try to locate by keyid.
--
This change was suggested in T4536
but we do not have any test cases for this.
GnuPG-bug-id: 4536
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4699e294cc
)
The bug report meanwhile has a test description, but I have not done
the testing yet. I am porting this back to 2.2 anyway, given that no
regressions have been reported for master in nearly a year.
parent
b6d89d1944
commit
25dc0e5b1e
|
@ -1471,6 +1471,9 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
|
||||||
{
|
{
|
||||||
ksba_cert_ref (ci->cert);
|
ksba_cert_ref (ci->cert);
|
||||||
release_cache_lock ();
|
release_cache_lock ();
|
||||||
|
if (DBG_LOOKUP)
|
||||||
|
log_debug ("%s: certificate found in the cache"
|
||||||
|
" via ocsp_certs\n", __func__);
|
||||||
return ci->cert; /* We use this certificate. */
|
return ci->cert; /* We use this certificate. */
|
||||||
}
|
}
|
||||||
release_cache_lock ();
|
release_cache_lock ();
|
||||||
|
@ -1478,7 +1481,7 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
|
||||||
log_debug ("find_cert_bysubject: certificate not in ocsp_certs\n");
|
log_debug ("find_cert_bysubject: certificate not in ocsp_certs\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
/* No check whether the certificate is cached. */
|
/* Now check whether the certificate is cached. */
|
||||||
for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++)
|
for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++)
|
||||||
{
|
{
|
||||||
if (!keyid)
|
if (!keyid)
|
||||||
|
@ -1487,6 +1490,9 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
|
||||||
&& !cmp_simple_canon_sexp (keyid, subj))
|
&& !cmp_simple_canon_sexp (keyid, subj))
|
||||||
{
|
{
|
||||||
xfree (subj);
|
xfree (subj);
|
||||||
|
if (DBG_LOOKUP)
|
||||||
|
log_debug ("%s: certificate found in the cache"
|
||||||
|
" via subject DN\n", __func__);
|
||||||
break; /* Found matching cert. */
|
break; /* Found matching cert. */
|
||||||
}
|
}
|
||||||
xfree (subj);
|
xfree (subj);
|
||||||
|
@ -1495,6 +1501,34 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
|
||||||
if (cert)
|
if (cert)
|
||||||
return cert; /* Done. */
|
return cert; /* Done. */
|
||||||
|
|
||||||
|
/* If we do not have a subject DN but have a keyid, try to locate it
|
||||||
|
* by keyid. */
|
||||||
|
if (!subject_dn && keyid)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
cert_item_t ci;
|
||||||
|
ksba_sexp_t ski;
|
||||||
|
|
||||||
|
acquire_cache_read_lock ();
|
||||||
|
for (i=0; i < 256; i++)
|
||||||
|
for (ci=cert_cache[i]; ci; ci = ci->next)
|
||||||
|
if (ci->cert && !ksba_cert_get_subj_key_id (ci->cert, NULL, &ski))
|
||||||
|
{
|
||||||
|
if (!cmp_simple_canon_sexp (keyid, ski))
|
||||||
|
{
|
||||||
|
ksba_free (ski);
|
||||||
|
ksba_cert_ref (ci->cert);
|
||||||
|
release_cache_lock ();
|
||||||
|
if (DBG_LOOKUP)
|
||||||
|
log_debug ("%s: certificate found in the cache"
|
||||||
|
" via ski\n", __func__);
|
||||||
|
return ci->cert;
|
||||||
|
}
|
||||||
|
ksba_free (ski);
|
||||||
|
}
|
||||||
|
release_cache_lock ();
|
||||||
|
}
|
||||||
|
|
||||||
if (DBG_LOOKUP)
|
if (DBG_LOOKUP)
|
||||||
log_debug ("find_cert_bysubject: certificate not in cache\n");
|
log_debug ("find_cert_bysubject: certificate not in cache\n");
|
||||||
|
|
||||||
|
|
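Review bot: In the new keyid branch of the last hunk, `return ci->cert;` reads the cache item after `release_cache_lock ()`, so if another thread can modify the item in between, the pointer returned may not be the object that `ksba_cert_ref` pinned; the ocsp_certs branch in the first hunk has the same shape. Taking the pointer while the lock is still held avoids this: `cert = ci->cert; ksba_cert_ref (cert); release_cache_lock ();` followed by `return cert;`. The lookup also returns the first cache entry whose subjectKeyIdentifier compares equal, and that extension is a value the certificate carries itself, so an unrelated cached certificate with the same SKI could shadow the real responder certificate. A comment such as `/* The SKI is neither unique nor authenticated; the caller must still verify the OCSP signature and the responder's authorization. */` would record that assumption, since the caller is not visible here. The function starts and ends outside the hunks shown.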