diff --git a/sm/ChangeLog b/sm/ChangeLog
index 25f72915f..c2627d3d2 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,8 @@
+2004-04-07 Werner Koch
+
+ * gpgsm.c: New option --force-crl-refresh.
+ * call-dirmngr.c (gpgsm_dirmngr_isvalid): Pass option to dirmngr.
+
 2004-04-05 Werner Koch
 
 * server.c (get_status_string): Add STATUS_NEWSIG.
diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c
index 0e8f67f28..15160dc41 100644
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@@ -149,6 +149,8 @@ start_dirmngr (void)
 if (dirmngr_ctx)
 return 0; /* fixme: We need a context for each thread or serialize
 the access to the dirmngr */
+ /* Note: if you change this to multiple connections, you also need
+ to take care of the implicit option sending caching. */
 
 infostr = force_pipe_server? NULL : getenv ("DIRMNGR_INFO");
 if (!infostr || !*infostr)
@@ -359,12 +361,14 @@ int
 gpgsm_dirmngr_isvalid (ctrl_t ctrl,
 ksba_cert_t cert, ksba_cert_t issuer_cert, int use_ocsp)
 {
+ static int did_options;
 int rc;
 char *certid;
 char line[ASSUAN_LINELENGTH];
 struct inq_certificate_parm_s parm;
 struct isvalid_status_parm_s stparm;
 
+
 rc = start_dirmngr ();
 if (rc)
 return rc;
@@ -402,6 +406,15 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
 option to dirmngr, so that no fallback CRL check is done after an
 ocsp check. */
 
+ /* It is sufficient to send the options only once because we have
+ one connection per process only. */
+ if (!did_options)
+ {
+ if (opt.force_crl_refresh)
+ assuan_transact (dirmngr_ctx, "OPTION force-crl-refresh=1",
+ NULL, NULL, NULL, NULL, NULL, NULL);
+ did_options = 1;
+ }
 snprintf (line, DIM(line)-1, "ISVALID %s", certid);
 line[DIM(line)-1] = 0;
 xfree (certid);
diff --git a/sm/fingerprint.c b/sm/fingerprint.c
index 26d147f41..6755f8eb7 100644
--- a/sm/fingerprint.c
+++ b/sm/fingerprint.c
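Review bot: `static int did_options` in gpgsm_dirmngr_isvalid latches for the whole process, but the state it tracks belongs to the dirmngr connection; if dirmngr_ctx is ever released and re-established by start_dirmngr, the OPTION line is never resent and --force-crl-refresh silently stops being honoured for the rest of the run. I cannot see a reconnect path in this diff, so this may be theoretical today, but the comment added in the start_dirmngr hunk already anticipates it. Keeping the flag as a file-scope static next to dirmngr_ctx and clearing it wherever that context is reset, or simply resending the one OPTION line on every ISVALID, removes the hidden coupling. The function body continues beyond this hunk.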
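Review bot: The return value of assuan_transact for `OPTION force-crl-refresh=1` is discarded, so if dirmngr rejects or does not know the option the ISVALID query below still runs and the caller never learns that the refresh the user explicitly asked for was not applied; did_options is then set, so it is never retried either. Because this option only ever makes the validity check stricter, a rejected OPTION should fail closed rather than degrade silently: `rc = assuan_transact (dirmngr_ctx, "OPTION force-crl-refresh=1", NULL, NULL, NULL, NULL, NULL, NULL);` then `if (rc) return rc; /* map as the ISVALID result is mapped below */` and set `did_options = 1;` only after success. I cannot see how the ISVALID result is converted to the function's error code, so mirror whatever that code does; it lies outside the hunk, as does the rest of the function body.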
@@ -153,7 +153,7 @@ gpgsm_get_keygrip (ksba_cert_t cert, char *array)
 return NULL; /* oops */
 
 if (DBG_X509)
- log_debug ("get_keygrip for public key: %s\n", p);
+ log_debug ("get_keygrip for public key\n");
 n = gcry_sexp_canon_len (p, 0, NULL, NULL);
 if (!n)
 {
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 047b356dd..7140e34ac 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -115,10 +115,11 @@ enum cmd_and_opt_values {
 
 oDisableCRLChecks,
 oEnableCRLChecks,
+ oForceCRLRefresh,
+
 oDisableOCSP,
 oEnableOCSP,
 
-
 oIncludeCerts,
 oPolicyFile,
 oDisablePolicyChecks,
@@ -262,6 +263,7 @@ static ARGPARSE_OPTS opts[] = {
 
 { oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
 { oEnableCRLChecks, "enable-crl-checks", 0, "@"},
+ { oForceCRLRefresh, "force-crl-refresh", 0, "@"},
 { oDisableOCSP, "disable-ocsp", 0, "@" },
 { oEnableOCSP, "enable-ocsp", 0, N_("check validity using OCSP")},
 
@@ -931,6 +933,9 @@ main ( int argc, char **argv)
 case oEnableCRLChecks:
 opt.no_crl_check = 0;
 break;
+ case oForceCRLRefresh:
+ opt.force_crl_refresh = 1;
+ break;
 case oDisableOCSP:
 ctrl.use_ocsp = opt.enable_ocsp = 0;
 
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 93487f002..d3fbc03ef 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -89,6 +89,7 @@ struct {
 
 int ignore_time_conflict; /* Ignore certain time conflicts */
 int no_crl_check; /* Don't do a CRL check */
+ int force_crl_refresh; /* Force refreshing the CRL. */
 int enable_ocsp; /* Default to use OCSP checks. */
 char *policy_file; /* full pathname of policy file */
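Review bot: The new `force-crl-refresh` entry in opts[] is registered with "@", which hides it from --help, even though it changes how certificate validity is established just as the documented `disable-crl-checks` entry beside it does. A help string such as `N_("always fetch a fresh CRL before checking")` would let a user discover the stricter mode instead of having to read the source. The matching case in main() only ever sets `opt.force_crl_refresh = 1` and this diff adds no way to clear it again from a later option or a config line, which the option's documentation should state; the opts[] array and main() both continue outside these hunks.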