
dirmngr: Improve finding OCSP cert.

* dirmngr/certcache.c (find_cert_bysubject): Add better debug output
and try to locate by keyid.
--

This change was suggested in
GnuPG-bug-id: 4536
but we do not have any test cases for this.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2019-05-28 12:22:39 +02:00
parent a2a9071746
commit 4699e294cc
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B


@ -1471,6 +1471,9 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
{ {
ksba_cert_ref (ci->cert); ksba_cert_ref (ci->cert);
release_cache_lock (); release_cache_lock ();
if (DBG_LOOKUP)
log_debug ("%s: certificate found in the cache"
" via ocsp_certs\n", __func__);
return ci->cert; /* We use this certificate. */ return ci->cert; /* We use this certificate. */
} }
release_cache_lock (); release_cache_lock ();
@ -1478,7 +1481,7 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
log_debug ("find_cert_bysubject: certificate not in ocsp_certs\n"); log_debug ("find_cert_bysubject: certificate not in ocsp_certs\n");
} }
/* No check whether the certificate is cached. */ /* Now check whether the certificate is cached. */
for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++) for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++)
{ {
if (!keyid) if (!keyid)
@ -1487,6 +1490,9 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
&& !cmp_simple_canon_sexp (keyid, subj)) && !cmp_simple_canon_sexp (keyid, subj))
{ {
xfree (subj); xfree (subj);
if (DBG_LOOKUP)
log_debug ("%s: certificate found in the cache"
" via subject DN\n", __func__);
break; /* Found matching cert. */ break; /* Found matching cert. */
} }
xfree (subj); xfree (subj);
@ -1495,6 +1501,34 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
if (cert) if (cert)
return cert; /* Done. */ return cert; /* Done. */
/* If we do not have a subject DN but have a keyid, try to locate it
* by keyid. */
if (!subject_dn && keyid)
{
int i;
cert_item_t ci;
ksba_sexp_t ski;
acquire_cache_read_lock ();
for (i=0; i < 256; i++)
for (ci=cert_cache[i]; ci; ci = ci->next)
if (ci->cert && !ksba_cert_get_subj_key_id (ci->cert, NULL, &ski))
{
if (!cmp_simple_canon_sexp (keyid, ski))
{
ksba_free (ski);
ksba_cert_ref (ci->cert);
release_cache_lock ();
if (DBG_LOOKUP)
log_debug ("%s: certificate found in the cache"
" via ski\n", __func__);
return ci->cert;
}
ksba_free (ski);
}
release_cache_lock ();
}
if (DBG_LOOKUP) if (DBG_LOOKUP)
log_debug ("find_cert_bysubject: certificate not in cache\n"); log_debug ("find_cert_bysubject: certificate not in cache\n");