gpgsm: Print revocation date and reason in cert listings.

* dirmngr/ocsp.c (ocsp_isvalid): Add args r_revoked_at and r_revocation_reason. * dirmngr/server.c (cmd_isvalid): Emit a new REVOCATIONINFO status. (cmd_checkocsp): Ditto. * sm/call-dirmngr.c (struct isvalid_status_parm_s): Add new fields. (isvalid_status_cb): Parse REVOCATIONINFO. (gpgsm_dirmngr_isvalid): Add args r_revoked_at and r_revocation_reason. * sm/gpgsm.h (struct server_control_s): Add fields revoked_art and revocation_reason. * sm/keylist.c (list_cert_raw): Print revocation date. (list_cert_std): Ditto. -- Note that for now we do this only for OCSP because it is an important piece of information when using the chain model. For a sample key see commit 7fa1d3cc82.
2025-07-02 22:46:30 +02:00 · 2022-12-05 16:42:08 +01:00 · 2022-12-05 16:42:08 +01:00 · b6abaed2b5
commit b6abaed2b5
parent 4f1b9e3abb
8 changed files with 158 additions and 28 deletions
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@ -650,10 +650,13 @@ check_signature (ctrl_t ctrl,
 /* Check whether the certificate either given by fingerprint CERT_FPR
   or directly through the CERT object is valid by running an OCSP
   transaction.  With FORCE_DEFAULT_RESPONDER set only the configured
-   default responder is used. */
+   default responder is used.  If R_REVOKED_AT or R_REASON are not
+   NULL and the certificat has been revoked the revocation time and
+   the reasons are stored there. */
 gpg_error_t
 ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
-              int force_default_responder)
+              int force_default_responder, ksba_isotime_t r_revoked_at,
+              const char **r_reason)
 {
  gpg_error_t err;
  ksba_ocsp_t ocsp = NULL;
@ -672,6 +675,12 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
  char *oid;
  ksba_name_t name;
  fingerprint_list_t default_signer = NULL;
+  const char *sreason;
+
+  if (r_revoked_at)
+    *r_revoked_at = 0;
+  if (r_reason)
+    *r_reason = NULL;

  /* Get the certificate.  */
  if (cert)
@ -842,8 +851,36 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
                      more important message than the failure of our
                      cache. */
        }
-    }

+      switch (reason)
+        {
+        case KSBA_CRLREASON_UNSPECIFIED:
+          sreason = "unspecified"; break;
+        case KSBA_CRLREASON_KEY_COMPROMISE:
+          sreason = "key compromise"; break;
+        case KSBA_CRLREASON_CA_COMPROMISE:
+          sreason = "CA compromise"; break;
+        case KSBA_CRLREASON_AFFILIATION_CHANGED:
+          sreason = "affiliation changed"; break;
+        case KSBA_CRLREASON_SUPERSEDED:
+          sreason = "superseded"; break;
+        case KSBA_CRLREASON_CESSATION_OF_OPERATION:
+          sreason = "cessation of operation"; break;
+        case KSBA_CRLREASON_CERTIFICATE_HOLD:
+          sreason = "certificate on hold"; break;
+        case KSBA_CRLREASON_REMOVE_FROM_CRL:
+          sreason = "removed from CRL"; break;
+        case KSBA_CRLREASON_PRIVILEGE_WITHDRAWN:
+          sreason = "privilege withdrawn"; break;
+        case KSBA_CRLREASON_AA_COMPROMISE:
+          sreason = "AA compromise"; break;
+        case KSBA_CRLREASON_OTHER:
+          sreason = "other"; break;
+        default: sreason = "?"; break;
+        }
+    }
+  else
+    sreason = "";

  if (opt.verbose)
    {
@ -855,29 +892,19 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
                this_update, next_update);
      if (status == KSBA_STATUS_REVOKED)
        log_info (_("certificate has been revoked at: %s due to: %s\n"),
-                  revocation_time,
-                  reason == KSBA_CRLREASON_UNSPECIFIED?   "unspecified":
-                  reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise":
-                  reason == KSBA_CRLREASON_CA_COMPROMISE?   "CA compromise":
-                  reason == KSBA_CRLREASON_AFFILIATION_CHANGED?
-                                                      "affiliation changed":
-                  reason == KSBA_CRLREASON_SUPERSEDED?   "superseded":
-                  reason == KSBA_CRLREASON_CESSATION_OF_OPERATION?
-                                                  "cessation of operation":
-                  reason == KSBA_CRLREASON_CERTIFICATE_HOLD?
-                                                  "certificate on hold":
-                  reason == KSBA_CRLREASON_REMOVE_FROM_CRL?
-                                                  "removed from CRL":
-                  reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN?
-                                                  "privilege withdrawn":
-                  reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise":
-                  reason == KSBA_CRLREASON_OTHER?   "other":"?");
+                  revocation_time, sreason);

    }


  if (status == KSBA_STATUS_REVOKED)
-    err = gpg_error (GPG_ERR_CERT_REVOKED);
+    {
+      err = gpg_error (GPG_ERR_CERT_REVOKED);
+      if (r_revoked_at)
+        gnupg_copy_time (r_revoked_at, revocation_time);
+      if (r_reason)
+        *r_reason = sreason;
+    }
  else if (status == KSBA_STATUS_UNKNOWN)
    err = gpg_error (GPG_ERR_NO_DATA);
  else if (status != KSBA_STATUS_GOOD)
--- a/dirmngr/ocsp.h
+++ b/dirmngr/ocsp.h
@ -23,7 +23,9 @@
 #define OCSP_H

 gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
-                          int force_default_responder);
+                          int force_default_responder,
+                          gnupg_isotime_t r_revoked_at,
+                          const char **r_reason);

 /* Release the list of OCSP certificates hold in the CTRL object. */
 void release_ctrl_ocsp_certs (ctrl_t ctrl);
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@ -1310,6 +1310,9 @@ cmd_isvalid (assuan_context_t ctx, char *line)
 again:
  if (ocsp_mode)
    {
+      gnupg_isotime_t revoked_at;
+      const char *reason;
+
      /* Note, that we currently ignore the supplied fingerprint FPR;
       * instead ocsp_isvalid does an inquire to ask for the cert.
       * The fingerprint may eventually be used to lookup the
@ -1317,7 +1320,12 @@ cmd_isvalid (assuan_context_t ctx, char *line)
      if (!opt.allow_ocsp)
        err = gpg_error (GPG_ERR_NOT_SUPPORTED);
      else
-        err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder);
+        err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder,
+                            revoked_at, &reason);
+
+      if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED)
+        dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s",
+                               revoked_at, reason);

      if (gpg_err_code (err) == GPG_ERR_CONFIGURATION
          && gpg_err_source (err) == GPG_ERR_SOURCE_DIRMNGR)
@ -1512,6 +1520,8 @@ cmd_checkocsp (assuan_context_t ctx, char *line)
  unsigned char fprbuffer[20], *fpr;
  ksba_cert_t cert;
  int force_default_responder;
+  gnupg_isotime_t revoked_at;
+  const char *reason;

  force_default_responder = has_option (line, "--force-default-responder");
  line = skip_options (line);
@ -1547,12 +1557,18 @@ cmd_checkocsp (assuan_context_t ctx, char *line)
        goto leave;
    }

-  assert (cert);
+  log_assert (cert);

  if (!opt.allow_ocsp)
    err = gpg_error (GPG_ERR_NOT_SUPPORTED);
  else
-    err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder);
+    err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder,
+                        revoked_at, &reason);
+
+  if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED)
+    dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s",
+                           revoked_at, reason);
+

 leave:
  ksba_cert_release (cert);