mirror of
git://git.gnupg.org/gnupg.git
synced 2024-06-09 23:39:51 +02:00
dirmngr: Improve finding OCSP cert.
* dirmngr/certcache.c (find_cert_bysubject): Add better debug output
and try to locate by keyid.
--
This change was suggested in T4536
but we do not have any test cases for this.
GnuPG-bug-id: 4536
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4699e294cc
)
The bug report meanwhile has a test description but I have not done
the testing yet. I port this back to 2.2 anyway given that no
regressions have been reported for master in nearly a year.
parent
b6d89d1944
commit
25dc0e5b1e
|
@ -1471,6 +1471,9 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
|
|||
{
|
||||
ksba_cert_ref (ci->cert);
|
||||
release_cache_lock ();
|
||||
if (DBG_LOOKUP)
|
||||
log_debug ("%s: certificate found in the cache"
|
||||
" via ocsp_certs\n", __func__);
|
||||
return ci->cert; /* We use this certificate. */
|
||||
}
|
||||
release_cache_lock ();
|
||||
|
@ -1478,7 +1481,7 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
|
|||
log_debug ("find_cert_bysubject: certificate not in ocsp_certs\n");
|
||||
}
|
||||
|
||||
/* No check whether the certificate is cached. */
|
||||
/* Now check whether the certificate is cached. */
|
||||
for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++)
|
||||
{
|
||||
if (!keyid)
|
||||
|
@ -1487,6 +1490,9 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
|
|||
&& !cmp_simple_canon_sexp (keyid, subj))
|
||||
{
|
||||
xfree (subj);
|
||||
if (DBG_LOOKUP)
|
||||
log_debug ("%s: certificate found in the cache"
|
||||
" via subject DN\n", __func__);
|
||||
break; /* Found matching cert. */
|
||||
}
|
||||
xfree (subj);
|
||||
|
@ -1495,6 +1501,34 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
|
|||
if (cert)
|
||||
return cert; /* Done. */
|
||||
|
||||
/* If we do not have a subject DN but have a keyid, try to locate it
|
||||
* by keyid. */
|
||||
if (!subject_dn && keyid)
|
||||
{
|
||||
int i;
|
||||
cert_item_t ci;
|
||||
ksba_sexp_t ski;
|
||||
|
||||
acquire_cache_read_lock ();
|
||||
for (i=0; i < 256; i++)
|
||||
for (ci=cert_cache[i]; ci; ci = ci->next)
|
||||
if (ci->cert && !ksba_cert_get_subj_key_id (ci->cert, NULL, &ski))
|
||||
{
|
||||
if (!cmp_simple_canon_sexp (keyid, ski))
|
||||
{
|
||||
ksba_free (ski);
|
||||
ksba_cert_ref (ci->cert);
|
||||
release_cache_lock ();
|
||||
if (DBG_LOOKUP)
|
||||
log_debug ("%s: certificate found in the cache"
|
||||
" via ski\n", __func__);
|
||||
return ci->cert;
|
||||
}
|
||||
ksba_free (ski);
|
||||
}
|
||||
release_cache_lock ();
|
||||
}
|
||||
|
||||
if (DBG_LOOKUP)
|
||||
log_debug ("find_cert_bysubject: certificate not in cache\n");
|
||||
|
||||
|
|
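Review bot: In the new keyid fallback of the last hunk, `return ci->cert;` reads the cache item after `release_cache_lock ()`, so the pointer is fetched outside the lock that guards the slot; the existing ocsp_certs path in the first hunk has the same shape. Copying the pointer while the lock is still held removes that dependency: `cert = ci->cert; ksba_cert_ref (cert);` before the unlock and `return cert;` after it (`cert` is NULL at this point because of the preceding `if (cert) return cert;`). Whether another thread can actually recycle the slot in that window depends on the locking and threading model, which is not visible in these hunks. Separately, the loop returns the first cached certificate whose subjectKeyIdentifier equals `keyid`, and that extension is a value carried in the certificate rather than something bound to the key, so a comment such as `/* Candidate only: the caller must still verify the OCSP response signature against this cert. */` would make the presumed contract explicit. The body of find_cert_bysubject starts and ends outside the hunks shown.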