Print status of CRL checks in the audit log.

common/ChangeLog

@@ -1,3 +1,9 @@
+2009-07-23  Werner Koch  <wk@g10code.com>
+
+	* util.h (GPG_ERR_NOT_ENABLED): New.
+	* audit.h (enum): Add AUDIT_CRL_CHECK.
+	* audit.c (proc_type_verify): Show CRL check result.
+
 2009-07-06  Werner Koch  <wk@g10code.com>
 
 	* get-passphrase.c (struct agentargs): Add SESSION_ENV and remove

common/audit.c

@@ -251,8 +251,8 @@ audit_log (audit_ctx_t ctx, audit_event_t event)
 }
 
 /* Add a new event to the audit log.  If CTX is NULL, this function
-   does nothing.  This version also adds the result of the oepration
-   to the log.. */
+   does nothing.  This version also adds the result of the operation
+   to the log.  */
 void
 audit_log_ok (audit_ctx_t ctx, audit_event_t event, gpg_error_t err)
 {
@@ -479,6 +479,8 @@ writeout_li (audit_ctx_t ctx, const char *oktext, const char *format, ...)
         oktext = _("|audit-log-result|Not supported");
       else if (!strcmp (oktext, "no-cert"))
         oktext = _("|audit-log-result|No certificate");
+      else if (!strcmp (oktext, "disabled"))
+        oktext = _("|audit-log-result|Not enabled");
       else if (!strcmp (oktext, "error"))
         oktext = _("|audit-log-result|Error");
       else
@@ -923,9 +925,31 @@ proc_type_verify (audit_ctx_t ctx)
         }
 
       /* Show result of the CRL/OCSP check.  */
-      writeout_li (ctx, "-", "%s", _("CRL/OCSP check of certificates"));
- /*      add_helptag (ctx, "gpgsm.ocsp-problem"); */
-
+      item = find_next_log_item (ctx, loopitem,
+                                 AUDIT_CRL_CHECK, AUDIT_NEW_SIG);
+      if (item)
+        {
+          const char *ok;
+          switch (gpg_err_code (item->err))
+            {
+            case 0:                    ok = "good"; break;
+            case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
+            case GPG_ERR_NOT_ENABLED:  ok = "disabled"; break;
+            case GPG_ERR_NO_CRL_KNOWN:
+              ok = _("no CRL found for certificate");
+              break;
+            case GPG_ERR_CRL_TOO_OLD:
+              ok = _("the available CRL is too old");
+              break;
+            default: ok = gpg_strerror (item->err); break;
+            }
+            
+          writeout_li (ctx, ok, "%s", _("CRL/OCSP check of certificates"));
+          if (item->err 
+              && gpg_err_code (item->err) != GPG_ERR_CERT_REVOKED
+              && gpg_err_code (item->err) != GPG_ERR_NOT_ENABLED)
+            add_helptag (ctx, "gpgsm.crl-problem");
+        }
 
       leave_li (ctx);
     }

common/audit.h

@@ -139,6 +139,9 @@ typedef enum
     /* Tells whether the root certificate is trusted.  This event is
        emmited durcing chain validation.  */
 
+    AUDIT_CRL_CHECK, /* err */
+    /* Tells the status of a CRL or OCSP check.  */
+
     AUDIT_GOT_RECIPIENTS,  /* int */
     /* Records the number of recipients to be used for encryption.
        This includes the recipients set by --encrypt-to but records 0

common/util.h

@@ -25,6 +25,11 @@
 #include <errno.h>  /* We need errno.  */
 #include <gpg-error.h> /* We need gpg_error_t. */
 
+/* Add error codes available only in newer versions of libgpg-error.  */
+#ifndef GPG_ERR_NOT_ENABLED
+#define GPG_ERR_NOT_ENABLED 179
+#endif
+
 /* Hash function used with libksba. */
 #define HASH_FNC ((void (*)(void *, const void*,size_t))gcry_md_write)