Print status of CRL checks in the audit log.

common/ChangeLog

@@ -1,3 +1,9 @@
+2009-07-23  Werner Koch  <wk@g10code.com>
+
+	* util.h (GPG_ERR_NOT_ENABLED): New.
+	* audit.h (enum): Add AUDIT_CRL_CHECK.
+	* audit.c (proc_type_verify): Show CRL check result.
+
 2009-07-06  Werner Koch  <wk@g10code.com>
 
 	* get-passphrase.c (struct agentargs): Add SESSION_ENV and remove

common/audit.c

@@ -251,8 +251,8 @@ audit_log (audit_ctx_t ctx, audit_event_t event)
 }
 
 /* Add a new event to the audit log.  If CTX is NULL, this function
-   does nothing.  This version also adds the result of the oepration
-   to the log.. */
+   does nothing.  This version also adds the result of the operation
+   to the log.  */
 void
 audit_log_ok (audit_ctx_t ctx, audit_event_t event, gpg_error_t err)
 {
@@ -479,6 +479,8 @@ writeout_li (audit_ctx_t ctx, const char *oktext, const char *format, ...)
         oktext = _("|audit-log-result|Not supported");
       else if (!strcmp (oktext, "no-cert"))
         oktext = _("|audit-log-result|No certificate");
+      else if (!strcmp (oktext, "disabled"))
+        oktext = _("|audit-log-result|Not enabled");
       else if (!strcmp (oktext, "error"))
         oktext = _("|audit-log-result|Error");
       else
@@ -923,9 +925,31 @@ proc_type_verify (audit_ctx_t ctx)
         }
 
       /* Show result of the CRL/OCSP check.  */
-      writeout_li (ctx, "-", "%s", _("CRL/OCSP check of certificates"));
- /*      add_helptag (ctx, "gpgsm.ocsp-problem"); */
-
+      item = find_next_log_item (ctx, loopitem,
+                                 AUDIT_CRL_CHECK, AUDIT_NEW_SIG);
+      if (item)
+        {
+          const char *ok;
+          switch (gpg_err_code (item->err))
+            {
+            case 0:                    ok = "good"; break;
+            case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
+            case GPG_ERR_NOT_ENABLED:  ok = "disabled"; break;
+            case GPG_ERR_NO_CRL_KNOWN:
+              ok = _("no CRL found for certificate");
+              break;
+            case GPG_ERR_CRL_TOO_OLD:
+              ok = _("the available CRL is too old");
+              break;
+            default: ok = gpg_strerror (item->err); break;
+            }
+            
+          writeout_li (ctx, ok, "%s", _("CRL/OCSP check of certificates"));
+          if (item->err 
+              && gpg_err_code (item->err) != GPG_ERR_CERT_REVOKED
+              && gpg_err_code (item->err) != GPG_ERR_NOT_ENABLED)
+            add_helptag (ctx, "gpgsm.crl-problem");
+        }
 
       leave_li (ctx);
     }

common/audit.h

@@ -139,6 +139,9 @@ typedef enum
     /* Tells whether the root certificate is trusted.  This event is
        emmited durcing chain validation.  */
 
+    AUDIT_CRL_CHECK, /* err */
+    /* Tells the status of a CRL or OCSP check.  */
+
     AUDIT_GOT_RECIPIENTS,  /* int */
     /* Records the number of recipients to be used for encryption.
        This includes the recipients set by --encrypt-to but records 0

common/util.h

@@ -25,6 +25,11 @@
 #include <errno.h>  /* We need errno.  */
 #include <gpg-error.h> /* We need gpg_error_t. */
 
+/* Add error codes available only in newer versions of libgpg-error.  */
+#ifndef GPG_ERR_NOT_ENABLED
+#define GPG_ERR_NOT_ENABLED 179
+#endif
+
 /* Hash function used with libksba. */
 #define HASH_FNC ((void (*)(void *, const void*,size_t))gcry_md_write)
 

doc/ChangeLog

@@ -1,3 +1,7 @@
+2009-07-23  Werner Koch  <wk@g10code.com>
+
+	* help.txt (gpgsm.crl-problem): New.
+
 2009-07-22  Werner Koch  <wk@g10code.com>
 
 	* scdaemon.texi, instguide.texi, gpgsm.texi, sysnotes.texi

doc/DETAILS

@@ -628,12 +628,12 @@ more arguments in future versions.
         This is used to control smartcard operations.
         Defined values for WHAT are:
            1 = Request insertion of a card.  Serialnumber may be given
-               to request a specific card.
-           2 = Request removal of a card.
+               to request a specific card.  Used by gpg 1.4 w/o scdaemon.
+           2 = Request removal of a card.  Used by gpg 1.4 w/o scdaemon.
            3 = Card with serialnumber detected
            4 = No card available.
            5 = No card reader available
-
+           6 = No card support available                      
 
     PLAINTEXT <format> <timestamp> <filename>
         This indicates the format of the plaintext that is about to be

doc/help.txt

@@ -357,7 +357,13 @@ trustlist.txt in GnuPG's home directory.  If you are in doubt, ask
 your system administrator whether you should trust this certificate.
 
 
-
+.gpgsm.crl-problem
+# This tex is displayed by the audit log for problems with
+# the CRL or OCSP checking.
+Depending on your configuration a problem retrieving the CRL or
+performing an OCSP check occurred.  There are a great variety of
+reasons why this did not work.  Check the manual for possible
+solutions.
 
 
 # Local variables:

g10/keygen.c

@@ -1759,7 +1759,7 @@ ask_algo (int addmode, int *r_subkey_algo, unsigned int *r_usage)
 }
 
 
-/* Ask for the key size.  ALGO is the algorithjm.  If PRIMARY_KEYSIZE
+/* Ask for the key size.  ALGO is the algorithm.  If PRIMARY_KEYSIZE
    is not 0, the function asks for the size of the encryption
    subkey. */
 static unsigned

sm/ChangeLog

@@ -1,3 +1,7 @@
+2009-07-23  Werner Koch  <wk@g10code.com>
+
+	* certchain.c (is_cert_still_valid): Emit AUDIT_CRL_CHECK.
+
 2009-07-07  Werner Koch  <wk@g10code.com>
 
 	* server.c (command_has_option): New.

sm/certchain.c

@@ -889,11 +889,17 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
   gpg_error_t err;
 
   if (opt.no_crl_check && !ctrl->use_ocsp)
-    return 0;
+    {
+      audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, 
+                    gpg_error (GPG_ERR_NOT_ENABLED));
+      return 0;
+    }
 
   err = gpgsm_dirmngr_isvalid (ctrl,
                                subject_cert, issuer_cert, 
                                force_ocsp? 2 : !!ctrl->use_ocsp);
+  audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, err);
+
   if (err)
     {
       if (!lm)