gpgsm: Print revocation date and reason in cert listings.

* dirmngr/ocsp.c (ocsp_isvalid): Add args r_revoked_at and r_revocation_reason. * dirmngr/server.c (cmd_isvalid): Emit a new REVOCATIONINFO status. (cmd_checkocsp): Ditto. * sm/call-dirmngr.c (struct isvalid_status_parm_s): Add new fields. (isvalid_status_cb): Parse REVOCATIONINFO. (gpgsm_dirmngr_isvalid): Add args r_revoked_at and r_revocation_reason. * sm/gpgsm.h (struct server_control_s): Add fields revoked_art and revocation_reason. * sm/keylist.c (list_cert_raw): Print revocation date. (list_cert_std): Ditto. -- Note that for now we do this only for OCSP because it is an important piece of information when using the chain model. For a sample key see commit 7fa1d3cc82.
2025-07-02 22:46:30 +02:00 · 2022-12-05 16:42:08 +01:00 · 2022-12-05 16:42:08 +01:00 · b6abaed2b5
commit b6abaed2b5
parent 4f1b9e3abb
8 changed files with 158 additions and 28 deletions
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@ -64,6 +64,8 @@ struct isvalid_status_parm_s {
  ctrl_t ctrl;
  int seen;
  unsigned char fpr[20];
+  gnupg_isotime_t revoked_at;
+  char *revocation_reason;  /* malloced or NULL */
 };


@ -491,6 +493,19 @@ isvalid_status_cb (void *opaque, const char *line)
      if (!*s || !unhexify_fpr (s, parm->fpr))
        parm->seen++; /* Bump it to indicate an error. */
    }
+  else if ((s = has_leading_keyword (line, "REVOCATIONINFO")))
+    {
+      if (*s && strlen (s) >= 15)
+        {
+          memcpy (parm->revoked_at, s, 15);
+          parm->revoked_at[15] = 0;
+        }
+      s += 15;
+      while (*s && spacep (s))
+        s++;
+      xfree (parm->revocation_reason);
+      parm->revocation_reason = *s? xtrystrdup (s) : NULL;
+    }
  else if (warning_and_note_printer (line))
    {
    }
@ -512,10 +527,15 @@ isvalid_status_cb (void *opaque, const char *line)
     0 = Do CRL check.
     1 = Do an OCSP check but fallback to CRL unless CRLs are disabled.
     2 = Do only an OCSP check (used for the chain model).
+
+   If R_REVOKED_AT pr R_REASON are not NULL and the certificate has
+   been revoked the revocation time and the reason are copied to there.
+   The caller needs to free R_REASON.
 */
 gpg_error_t
 gpgsm_dirmngr_isvalid (ctrl_t ctrl,
-                       ksba_cert_t cert, ksba_cert_t issuer_cert, int use_ocsp)
+                       ksba_cert_t cert, ksba_cert_t issuer_cert, int use_ocsp,
+                       gnupg_isotime_t r_revoked_at, char **r_reason)
 {
  static int did_options;
  int rc;
@ -524,6 +544,11 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
  struct inq_certificate_parm_s parm;
  struct isvalid_status_parm_s stparm;

+  if (r_revoked_at)
+    *r_revoked_at = 0;
+  if (r_reason)
+    *r_reason = NULL;
+
  rc = start_dirmngr (ctrl);
  if (rc)
    return rc;
@ -553,6 +578,8 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
  stparm.ctrl = ctrl;
  stparm.seen = 0;
  memset (stparm.fpr, 0, 20);
+  stparm.revoked_at[0] = 0;
+  stparm.revocation_reason = NULL;

  /* It is sufficient to send the options only once because we have
   * one connection per process only.  */
@ -577,6 +604,19 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
  if (opt.verbose > 1)
    log_info ("response of dirmngr: %s\n", rc? gpg_strerror (rc): "okay");

+  if (gpg_err_code (rc) == GPG_ERR_CERT_REVOKED
+      && !check_isotime (stparm.revoked_at))
+    {
+      if (r_revoked_at)
+        gnupg_copy_time (r_revoked_at, stparm.revoked_at);
+      if (r_reason)
+        {
+          *r_reason = stparm.revocation_reason;
+          stparm.revocation_reason = NULL;
+        }
+
+    }
+
  if (!rc && stparm.seen)
    {
      /* Need to also check the certificate validity. */
@ -634,7 +674,9 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
          ksba_cert_release (rspcert);
        }
    }
+
  release_dirmngr (ctrl);
+  xfree (stparm.revocation_reason);
  return rc;
 }