* gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp.
(gpgsm_init_default_ctrl): Set USE_OCSP to the default value. * certchain.c (gpgsm_validate_chain): Handle USE_OCSP. * call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and proceed accordingly.
This commit is contained in:
parent
7134af9fdb
commit
c68eaa4b6b
13
sm/ChangeLog
13
sm/ChangeLog
@ -1,3 +1,16 @@
|
||||
2003-12-01 Werner Koch <wk@gnupg.org>
|
||||
|
||||
* gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp.
|
||||
(gpgsm_init_default_ctrl): Set USE_OCSP to the default value.
|
||||
* certchain.c (gpgsm_validate_chain): Handle USE_OCSP.
|
||||
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and
|
||||
proceed accordingly.
|
||||
|
||||
2003-11-19 Werner Koch <wk@gnupg.org>
|
||||
|
||||
* verify.c (gpgsm_verify): Use "0" instead of an empty string for
|
||||
the VALIDSIG status.
|
||||
|
||||
2003-11-18 Werner Koch <wk@gnupg.org>
|
||||
|
||||
* verify.c (gpgsm_verify): Fixed for changes API of gcry_md_info.
|
||||
|
@ -288,9 +288,12 @@ inq_certificate (void *opaque, const char *line)
|
||||
GPG_ERR_CERTIFICATE_REVOKED
|
||||
GPG_ERR_NO_CRL_KNOWN
|
||||
GPG_ERR_CRL_TOO_OLD
|
||||
|
||||
With USE_OCSP set to true, the dirmngr is asked to do an OCSP
|
||||
request first.
|
||||
*/
|
||||
int
|
||||
gpgsm_dirmngr_isvalid (KsbaCert cert)
|
||||
gpgsm_dirmngr_isvalid (ksba_cert_t cert, int use_ocsp)
|
||||
{
|
||||
int rc;
|
||||
char *certid;
|
||||
@ -301,23 +304,35 @@ gpgsm_dirmngr_isvalid (KsbaCert cert)
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (use_ocsp)
|
||||
{
|
||||
certid = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
|
||||
}
|
||||
else
|
||||
{
|
||||
certid = gpgsm_get_certid (cert);
|
||||
if (!certid)
|
||||
{
|
||||
log_error ("error getting the certificate ID\n");
|
||||
return gpg_error (GPG_ERR_GENERAL);
|
||||
}
|
||||
}
|
||||
|
||||
if (opt.verbose > 1)
|
||||
{
|
||||
char *fpr = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA1);
|
||||
log_info ("asking dirmngr about %s\n", fpr);
|
||||
log_info ("asking dirmngr about %s%s\n", fpr,
|
||||
use_ocsp? " (using OCSP)":"");
|
||||
xfree (fpr);
|
||||
}
|
||||
|
||||
parm.ctx = dirmngr_ctx;
|
||||
parm.cert = cert;
|
||||
|
||||
/* FIXME: If --disable-crl-checks has been set, we should pass an
|
||||
option to dirmngr, so that no fallback CRL check is done after an
|
||||
ocsp check. */
|
||||
|
||||
snprintf (line, DIM(line)-1, "ISVALID %s", certid);
|
||||
line[DIM(line)-1] = 0;
|
||||
xfree (certid);
|
||||
|
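Review bot: In the `if (use_ocsp)` branch the result of `gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1)` is used without a NULL check, whereas the CRL branch directly below guards `gpgsm_get_certid` with `if (!certid)` and returns `GPG_ERR_GENERAL`. If the fingerprint helper can fail (it may be xmalloc-based and abort instead — worth confirming), `snprintf (line, DIM(line)-1, "ISVALID %s", certid)` would format a NULL pointer; mirroring the existing check keeps both paths consistent: `if (!certid) { log_error ("error getting the certificate fingerprint\n"); return gpg_error (GPG_ERR_GENERAL); }`. Both branches send the same `ISVALID` command, so dirmngr presumably tells an OCSP request from a CRL lookup only by the shape of the argument; a comment at the top of the branch such as `/* A hex fingerprint instead of a cert ID tells dirmngr to do an OCSP request.  */` would make that contract explicit. gpgsm_dirmngr_isvalid starts in the previous hunk and its body continues past the end of this one.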
@ -517,11 +517,13 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
|
||||
goto leave;
|
||||
}
|
||||
|
||||
if (!opt.no_crl_check)
|
||||
if (!opt.no_crl_check || ctrl->use_ocsp)
|
||||
{
|
||||
rc = gpgsm_dirmngr_isvalid (subject_cert);
|
||||
rc = gpgsm_dirmngr_isvalid (subject_cert, ctrl->use_ocsp);
|
||||
if (rc)
|
||||
{
|
||||
/* Fixme: We should change the wording because we may
|
||||
have used OCSP. */
|
||||
switch (gpg_err_code (rc))
|
||||
{
|
||||
case GPG_ERR_CERT_REVOKED:
|
||||
@ -677,7 +679,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
|
||||
|
||||
if (opt.no_policy_check)
|
||||
log_info ("policies not checked due to --disable-policy-checks option\n");
|
||||
if (opt.no_crl_check)
|
||||
if (opt.no_crl_check && !ctrl->use_ocsp)
|
||||
log_info ("CRLs not checked due to --disable-crl-checks option\n");
|
||||
|
||||
if (!rc)
|
||||
|
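Review bot: The new condition `if (!opt.no_crl_check || ctrl->use_ocsp)` means `--disable-crl-checks` no longer skips the dirmngr round-trip when OCSP is enabled, and the later `if (opt.no_crl_check && !ctrl->use_ocsp)` suppresses the "CRLs not checked" notice in that case, while the inline `Fixme` leaves the `switch` cases reporting CRL-specific wording for a result that may come from OCSP. A one-line comment on the condition would stop the next reader from taking it for a typo: `/* --disable-crl-checks only skips the CRL lookup; an explicit OCSP request is still sent to dirmngr.  */`. Whether dirmngr itself falls back to a CRL after OCSP when CRL checks are disabled is not visible here (the FIXME in call-dirmngr.c suggests it may), so suppressing the notice may currently claim more than the check guarantees — worth a follow-up. gpgsm_validate_chain starts and ends outside these hunks.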
14
sm/gpgsm.c
14
sm/gpgsm.c
@ -111,6 +111,9 @@ enum cmd_and_opt_values {
|
||||
|
||||
oDisableCRLChecks,
|
||||
oEnableCRLChecks,
|
||||
oDisableOCSP,
|
||||
oEnableOCSP,
|
||||
|
||||
|
||||
oIncludeCerts,
|
||||
oPolicyFile,
|
||||
@ -253,6 +256,9 @@ static ARGPARSE_OPTS opts[] = {
|
||||
{ oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
|
||||
{ oEnableCRLChecks, "enable-crl-checks", 0, "@"},
|
||||
|
||||
{ oDisableOCSP, "disable-ocsp", 0, "@" },
|
||||
{ oEnableOCSP, "enable-ocsp", 0, N_("check validity using OCSP")},
|
||||
|
||||
{ oIncludeCerts, "include-certs", 1,
|
||||
N_("|N|number of certificates to include") },
|
||||
|
||||
@ -825,6 +831,13 @@ main ( int argc, char **argv)
|
||||
opt.no_crl_check = 0;
|
||||
break;
|
||||
|
||||
case oDisableOCSP:
|
||||
opt.enable_ocsp = 0;
|
||||
break;
|
||||
case oEnableOCSP:
|
||||
opt.enable_ocsp = 1;
|
||||
break;
|
||||
|
||||
case oIncludeCerts: ctrl.include_certs = pargs.r.ret_int; break;
|
||||
|
||||
case oPolicyFile:
|
||||
@ -1360,6 +1373,7 @@ void
|
||||
gpgsm_init_default_ctrl (struct server_control_s *ctrl)
|
||||
{
|
||||
ctrl->include_certs = 1; /* only include the signer's cert */
|
||||
ctrl->use_ocsp = opt.enable_ocsp;
|
||||
}
|
||||
|
||||
|
||||
|
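Review bot: `ctrl->use_ocsp = opt.enable_ocsp;` in `gpgsm_init_default_ctrl` only reflects the command line if that function runs after the option loop that sets `opt.enable_ocsp`; the ordering is not visible in this hunk, and it contrasts with `oIncludeCerts`, which writes `ctrl.include_certs` directly during parsing — worth confirming for every caller of gpgsm_init_default_ctrl (server mode presumably creates its own ctrl). A short comment on the assignment, e.g. `/* Inherit --enable-ocsp/--disable-ocsp; opt must already be parsed.  */`, would pin that assumption. `--disable-ocsp` is registered with the hidden help string `"@"`, mirroring `--enable-crl-checks`, so the default (OCSP off, assuming `opt` is zero-initialized like any file-scope object) is only discoverable from the `--enable-ocsp` entry; consider saying "(default: off)" in its help text.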
@ -35,7 +35,7 @@
|
||||
|
||||
#define MAX_DIGEST_LEN 24
|
||||
|
||||
/* A large struct name "opt" to keep global flags */
|
||||
/* A large struct named "opt" to keep global flags */
|
||||
struct {
|
||||
unsigned int debug; /* debug flags (DBG_foo_VALUE) */
|
||||
int verbose; /* verbosity level */
|
||||
@ -83,6 +83,7 @@ struct {
|
||||
int ignore_time_conflict; /* Ignore certain time conflicts */
|
||||
|
||||
int no_crl_check; /* Don't do a CRL check */
|
||||
int enable_ocsp; /* Default to use OCSP checks. */
|
||||
|
||||
char *policy_file; /* full pathname of policy file */
|
||||
int no_policy_check; /* ignore certificate policies */
|
||||
@ -131,6 +132,7 @@ struct server_control_s {
|
||||
along with a signature or the number of
|
||||
certificates up the chain (0 = none, 1 = only
|
||||
signer) */
|
||||
int use_ocsp; /* Set to true if OCSP should be used. */
|
||||
};
|
||||
typedef struct server_control_s *CTRL;
|
||||
|
||||
@ -261,7 +263,7 @@ int gpgsm_agent_learn (void);
|
||||
int gpgsm_agent_passwd (const char *hexkeygrip);
|
||||
|
||||
/*-- call-dirmngr.c --*/
|
||||
int gpgsm_dirmngr_isvalid (KsbaCert cert);
|
||||
int gpgsm_dirmngr_isvalid (ksba_cert_t cert, int use_ocsp);
|
||||
int gpgsm_dirmngr_lookup (CTRL ctrl, STRLIST names,
|
||||
void (*cb)(void*, KsbaCert), void *cb_value);
|
||||
int gpgsm_dirmngr_run_command (CTRL ctrl, const char *command,
|
||||
|
@ -474,7 +474,8 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
|
||||
tstr = strtimestamp_r (sigtime);
|
||||
buf = xmalloc ( strlen(fpr) + strlen (tstr) + 120);
|
||||
sprintf (buf, "%s %s %s %s", fpr, tstr,
|
||||
sigtime, keyexptime );
|
||||
*sigtime? sigtime : "0",
|
||||
*keyexptime? keyexptime : "0" );
|
||||
xfree (tstr);
|
||||
xfree (fpr);
|
||||
gpgsm_status (ctrl, STATUS_VALIDSIG, buf);
|
||||
|
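Review bot: `sprintf (buf, "%s %s %s %s", ...)` writes into a buffer sized as `strlen(fpr) + strlen(tstr) + 120`, so the bound relies on `sigtime` and `keyexptime` being short fixed-width strings (presumably ksba_isotime_t, 15 characters) — true today, but nothing in the hunk enforces it. Since the size is already computed, prefer a bounded write: `size_t buflen = strlen (fpr) + strlen (tstr) + 120;` `buf = xmalloc (buflen);` `snprintf (buf, buflen, "%s %s %s %s", fpr, tstr, *sigtime? sigtime : "0", *keyexptime? keyexptime : "0");`. The `"0"` substitution is the right fix for the status line, since an empty field would shift the space-separated VALIDSIG columns for parsers; a comment such as `/* Use "0" for unknown times so the VALIDSIG field count stays fixed.  */` would put the ChangeLog rationale in the code. gpgsm_verify starts and ends outside this hunk.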