gpgsm: Print revocation date and reason in cert listings.

* dirmngr/ocsp.c (ocsp_isvalid): Add args r_revoked_at and r_revocation_reason. * dirmngr/server.c (cmd_isvalid): Emit a new REVOCATIONINFO status. (cmd_checkocsp): Ditto. * sm/call-dirmngr.c (struct isvalid_status_parm_s): Add new fields. (isvalid_status_cb): Parse REVOCATIONINFO. (gpgsm_dirmngr_isvalid): Add args r_revoked_at and r_revocation_reason. * sm/gpgsm.h (struct server_control_s): Add fields revoked_art and revocation_reason. * sm/keylist.c (list_cert_raw): Print revocation date. (list_cert_std): Ditto. -- Note that for now we do this only for OCSP because it is an important piece of information when using the chain model. For a sample key see commit 7fa1d3cc82.
2025-07-03 22:56:33 +02:00 · 2022-12-05 16:42:08 +01:00 · 2022-12-05 16:42:08 +01:00 · b6abaed2b5
commit b6abaed2b5
parent 4f1b9e3abb
8 changed files with 158 additions and 28 deletions
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@ -650,10 +650,13 @@ check_signature (ctrl_t ctrl,
 /* Check whether the certificate either given by fingerprint CERT_FPR
   or directly through the CERT object is valid by running an OCSP
   transaction.  With FORCE_DEFAULT_RESPONDER set only the configured
-   default responder is used. */
+   default responder is used.  If R_REVOKED_AT or R_REASON are not
+   NULL and the certificat has been revoked the revocation time and
+   the reasons are stored there. */
 gpg_error_t
 ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
-              int force_default_responder)
+              int force_default_responder, ksba_isotime_t r_revoked_at,
+              const char **r_reason)
 {
  gpg_error_t err;
  ksba_ocsp_t ocsp = NULL;
@ -672,6 +675,12 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
  char *oid;
  ksba_name_t name;
  fingerprint_list_t default_signer = NULL;
+  const char *sreason;
+
+  if (r_revoked_at)
+    *r_revoked_at = 0;
+  if (r_reason)
+    *r_reason = NULL;

  /* Get the certificate.  */
  if (cert)
@ -842,8 +851,36 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
                      more important message than the failure of our
                      cache. */
        }
-    }

+      switch (reason)
+        {
+        case KSBA_CRLREASON_UNSPECIFIED:
+          sreason = "unspecified"; break;
+        case KSBA_CRLREASON_KEY_COMPROMISE:
+          sreason = "key compromise"; break;
+        case KSBA_CRLREASON_CA_COMPROMISE:
+          sreason = "CA compromise"; break;
+        case KSBA_CRLREASON_AFFILIATION_CHANGED:
+          sreason = "affiliation changed"; break;
+        case KSBA_CRLREASON_SUPERSEDED:
+          sreason = "superseded"; break;
+        case KSBA_CRLREASON_CESSATION_OF_OPERATION:
+          sreason = "cessation of operation"; break;
+        case KSBA_CRLREASON_CERTIFICATE_HOLD:
+          sreason = "certificate on hold"; break;
+        case KSBA_CRLREASON_REMOVE_FROM_CRL:
+          sreason = "removed from CRL"; break;
+        case KSBA_CRLREASON_PRIVILEGE_WITHDRAWN:
+          sreason = "privilege withdrawn"; break;
+        case KSBA_CRLREASON_AA_COMPROMISE:
+          sreason = "AA compromise"; break;
+        case KSBA_CRLREASON_OTHER:
+          sreason = "other"; break;
+        default: sreason = "?"; break;
+        }
+    }
+  else
+    sreason = "";

  if (opt.verbose)
    {
@ -855,29 +892,19 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
                this_update, next_update);
      if (status == KSBA_STATUS_REVOKED)
        log_info (_("certificate has been revoked at: %s due to: %s\n"),
-                  revocation_time,
-                  reason == KSBA_CRLREASON_UNSPECIFIED?   "unspecified":
-                  reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise":
-                  reason == KSBA_CRLREASON_CA_COMPROMISE?   "CA compromise":
-                  reason == KSBA_CRLREASON_AFFILIATION_CHANGED?
-                                                      "affiliation changed":
-                  reason == KSBA_CRLREASON_SUPERSEDED?   "superseded":
-                  reason == KSBA_CRLREASON_CESSATION_OF_OPERATION?
-                                                  "cessation of operation":
-                  reason == KSBA_CRLREASON_CERTIFICATE_HOLD?
-                                                  "certificate on hold":
-                  reason == KSBA_CRLREASON_REMOVE_FROM_CRL?
-                                                  "removed from CRL":
-                  reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN?
-                                                  "privilege withdrawn":
-                  reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise":
-                  reason == KSBA_CRLREASON_OTHER?   "other":"?");
+                  revocation_time, sreason);

    }


  if (status == KSBA_STATUS_REVOKED)
-    err = gpg_error (GPG_ERR_CERT_REVOKED);
+    {
+      err = gpg_error (GPG_ERR_CERT_REVOKED);
+      if (r_revoked_at)
+        gnupg_copy_time (r_revoked_at, revocation_time);
+      if (r_reason)
+        *r_reason = sreason;
+    }
  else if (status == KSBA_STATUS_UNKNOWN)
    err = gpg_error (GPG_ERR_NO_DATA);
  else if (status != KSBA_STATUS_GOOD)