* gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp.

(gpgsm_init_default_ctrl): Set USE_OCSP to the default value.
* certchain.c (gpgsm_validate_chain): Handle USE_OCSP.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and
proceed accordingly.
Werner Koch 2003-12-01 10:54:30 +00:00
parent 7134af9fdb
commit c68eaa4b6b
6 changed files with 59 additions and 12 deletions


@ -1,3 +1,16 @@
2003-12-01 Werner Koch <wk@gnupg.org>
* gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp.
(gpgsm_init_default_ctrl): Set USE_OCSP to the default value.
* certchain.c (gpgsm_validate_chain): Handle USE_OCSP.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and
proceed accordingly.
2003-11-19 Werner Koch <wk@gnupg.org>
* verify.c (gpgsm_verify): Use "0" instead of an empty string for
the VALIDSIG status.
2003-11-18 Werner Koch <wk@gnupg.org>
* verify.c (gpgsm_verify): Fixed for changes API of gcry_md_info.


@ -288,9 +288,12 @@ inq_certificate (void *opaque, const char *line)
GPG_ERR_CERTIFICATE_REVOKED
GPG_ERR_NO_CRL_KNOWN
GPG_ERR_CRL_TOO_OLD
With USE_OCSP set to true, the dirmngr is asked to do an OCSP
request first.
*/
int
gpgsm_dirmngr_isvalid (KsbaCert cert)
gpgsm_dirmngr_isvalid (ksba_cert_t cert, int use_ocsp)
{
int rc;
char *certid;
@ -301,23 +304,35 @@ gpgsm_dirmngr_isvalid (KsbaCert cert)
if (rc)
return rc;
certid = gpgsm_get_certid (cert);
if (!certid)
if (use_ocsp)
{
log_error ("error getting the certificate ID\n");
return gpg_error (GPG_ERR_GENERAL);
certid = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
}
else
{
certid = gpgsm_get_certid (cert);
if (!certid)
{
log_error ("error getting the certificate ID\n");
return gpg_error (GPG_ERR_GENERAL);
}
}
if (opt.verbose > 1)
{
char *fpr = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA1);
log_info ("asking dirmngr about %s\n", fpr);
log_info ("asking dirmngr about %s%s\n", fpr,
use_ocsp? " (using OCSP)":"");
xfree (fpr);
}
parm.ctx = dirmngr_ctx;
parm.cert = cert;
/* FIXME: If --disable-crl-checks has been set, we should pass an
option to dirmngr, so that no fallback CRL check is done after an
ocsp check. */
snprintf (line, DIM(line)-1, "ISVALID %s", certid);
line[DIM(line)-1] = 0;
xfree (certid);
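Review bot: The new OCSP branch assigns `certid = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);` without checking the result, while the CRL branch directly below it rejects a NULL certid; if that helper can fail (it presumably allocates, since certid is xfree'd at the end of the hunk), the later `snprintf (line, DIM(line)-1, "ISVALID %s", certid)` formats a null pointer, which is undefined behaviour. Move the check out of the else branch so it covers both paths: after the if/else add `if (!certid) { log_error ("error getting the certificate ID\n"); return gpg_error (GPG_ERR_GENERAL); }` and drop the duplicate inside the else. gpgsm_dirmngr_isvalid continues past the end of this hunk.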


@ -517,11 +517,13 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
goto leave;
}
if (!opt.no_crl_check)
if (!opt.no_crl_check || ctrl->use_ocsp)
{
rc = gpgsm_dirmngr_isvalid (subject_cert);
rc = gpgsm_dirmngr_isvalid (subject_cert, ctrl->use_ocsp);
if (rc)
{
/* Fixme: We should change the wording because we may
have used OCSP. */
switch (gpg_err_code (rc))
{
case GPG_ERR_CERT_REVOKED:
@ -677,7 +679,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
if (opt.no_policy_check)
log_info ("policies not checked due to --disable-policy-checks option\n");
if (opt.no_crl_check)
if (opt.no_crl_check && !ctrl->use_ocsp)
log_info ("CRLs not checked due to --disable-crl-checks option\n");
if (!rc)
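Review bot: The new condition `if (!opt.no_crl_check || ctrl->use_ocsp)` changes what `--disable-crl-checks` means without saying so: once OCSP is enabled the dirmngr query runs regardless, and the FIXME added to call-dirmngr.c in this same commit notes that dirmngr may still fall back to a CRL check, so a user who disabled CRL checks can still get one. A comment above the condition should make that explicit, e.g. `/* OCSP is a revocation check in its own right, so --enable-ocsp overrides --disable-crl-checks here; dirmngr may still fall back to a CRL. */`. The second hunk is consistent with this (the "CRLs not checked" notice is only printed when OCSP is off), but in the OCSP-plus-disabled-CRL case nothing is logged at all, so the user is not told which mechanism decided validity; a `log_info` for that combination would help diagnosis. gpgsm_validate_chain starts before this hunk.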


@ -111,6 +111,9 @@ enum cmd_and_opt_values {
oDisableCRLChecks,
oEnableCRLChecks,
oDisableOCSP,
oEnableOCSP,
oIncludeCerts,
oPolicyFile,
@ -253,6 +256,9 @@ static ARGPARSE_OPTS opts[] = {
{ oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
{ oEnableCRLChecks, "enable-crl-checks", 0, "@"},
{ oDisableOCSP, "disable-ocsp", 0, "@" },
{ oEnableOCSP, "enable-ocsp", 0, N_("check validity using OCSP")},
{ oIncludeCerts, "include-certs", 1,
N_("|N|number of certificates to include") },
@ -825,6 +831,13 @@ main ( int argc, char **argv)
opt.no_crl_check = 0;
break;
case oDisableOCSP:
opt.enable_ocsp = 0;
break;
case oEnableOCSP:
opt.enable_ocsp = 1;
break;
case oIncludeCerts: ctrl.include_certs = pargs.r.ret_int; break;
case oPolicyFile:
@ -1360,6 +1373,7 @@ void
gpgsm_init_default_ctrl (struct server_control_s *ctrl)
{
ctrl->include_certs = 1; /* only include the signer's cert */
ctrl->use_ocsp = opt.enable_ocsp;
}
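Review bot: `gpgsm_init_default_ctrl` now copies `opt.enable_ocsp` into `ctrl->use_ocsp`, so the new default is only correct for control structures initialized after the `oEnableOCSP`/`oDisableOCSP` cases in main have run; any ctrl set up earlier, or by a server-mode path with its own initialization, would keep use_ocsp at 0 — the call sites are not in this hunk, so this is worth confirming. A comment would make the ordering contract visible: `/* Must run after option parsing: use_ocsp is copied from opt.enable_ocsp. */`. Note also that no explicit default for `opt.enable_ocsp` appears in this hunk, so the off-by-default behaviour presumably relies on zero initialization of the file-scope opt struct; a one-line comment at the option table saying OCSP is off unless `--enable-ocsp` is given would document that.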


@ -35,7 +35,7 @@
#define MAX_DIGEST_LEN 24
/* A large struct name "opt" to keep global flags */
/* A large struct named "opt" to keep global flags */
struct {
unsigned int debug; /* debug flags (DBG_foo_VALUE) */
int verbose; /* verbosity level */
@ -83,6 +83,7 @@ struct {
int ignore_time_conflict; /* Ignore certain time conflicts */
int no_crl_check; /* Don't do a CRL check */
int enable_ocsp; /* Default to use OCSP checks. */
char *policy_file; /* full pathname of policy file */
int no_policy_check; /* ignore certificate policies */
@ -131,6 +132,7 @@ struct server_control_s {
along with a signature or the number of
certificates up the chain (0 = none, 1 = only
signer) */
int use_ocsp; /* Set to true if OCSP should be used. */
};
typedef struct server_control_s *CTRL;
@ -261,7 +263,7 @@ int gpgsm_agent_learn (void);
int gpgsm_agent_passwd (const char *hexkeygrip);
/*-- call-dirmngr.c --*/
int gpgsm_dirmngr_isvalid (KsbaCert cert);
int gpgsm_dirmngr_isvalid (ksba_cert_t cert, int use_ocsp);
int gpgsm_dirmngr_lookup (CTRL ctrl, STRLIST names,
void (*cb)(void*, KsbaCert), void *cb_value);
int gpgsm_dirmngr_run_command (CTRL ctrl, const char *command,
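Review bot: The updated prototype `int gpgsm_dirmngr_isvalid (ksba_cert_t cert, int use_ocsp);` switches to the `ksba_cert_t` spelling while the `gpgsm_dirmngr_lookup` declaration two lines below still uses `KsbaCert`; if these name the same type, the header now mixes both spellings and the remaining `KsbaCert` uses should be converted so a reader does not wonder whether two certificate types are in play. The new `use_ocsp` field comment is clear, but `/* Default to use OCSP checks. */` on `enable_ocsp` reads awkwardly; `/* Default for ctrl->use_ocsp, set by --enable-ocsp / --disable-ocsp. */` would state the relationship the other hunks establish.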


@ -474,7 +474,8 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
tstr = strtimestamp_r (sigtime);
buf = xmalloc ( strlen(fpr) + strlen (tstr) + 120);
sprintf (buf, "%s %s %s %s", fpr, tstr,
sigtime, keyexptime );
*sigtime? sigtime : "0",
*keyexptime? keyexptime : "0" );
xfree (tstr);
xfree (fpr);
gpgsm_status (ctrl, STATUS_VALIDSIG, buf);
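Review bot: The `sprintf` on the new side still writes into a buffer sized by the hand-computed `strlen(fpr) + strlen (tstr) + 120`, and nothing checks that bound against the two timestamp fields now substituted with "0"; the margin is probably adequate for fixed-size ISO timestamps, but an unbounded `sprintf` into a hand-sized heap buffer is exactly where a later field addition becomes an overrun. Keep the size in a variable and bound the write: `size_t buflen = strlen(fpr) + strlen (tstr) + 120;`, `buf = xmalloc (buflen);`, `snprintf (buf, buflen, "%s %s %s %s", fpr, tstr, *sigtime? sigtime : "0", *keyexptime? keyexptime : "0");`. The rest of gpgsm_verify lies outside this hunk.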