* certlist.c (gpgsm_cert_use_ocsp_p): New.

(cert_usage_p): Support it here.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here.

sm/ChangeLog

@@ -1,3 +1,9 @@
+2004-08-18  Werner Koch  <wk@g10code.de>
+
+	* certlist.c (gpgsm_cert_use_ocsp_p): New.
+	(cert_usage_p): Support it here.
+	* call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it here.
+
 2004-08-17  Marcus Brinkmann  <marcus@g10code.de>
 
 	* import.c: Fix typo in last change.

sm/call-dirmngr.c

@@ -458,9 +458,7 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
 
           if (!rc)
             {
-              /* fixme: We should refine the check to check for
-                 certificates allowed for CRL/OCPS. */
-              rc = gpgsm_cert_use_verify_p (rspcert);
+              rc = gpgsm_cert_use_ocsp_p (rspcert);
               if (rc)
                 rc = gpg_error (GPG_ERR_INV_CRL);
               else

sm/certlist.c

@@ -45,13 +45,15 @@ static const char oid_kp_ocspSigning[]    = "1.3.6.1.5.6.7.3.9";
 /* Return 0 if the cert is usable for encryption.  A MODE of 0 checks
    for signing a MODE of 1 checks for encryption, a MODE of 2 checks
    for verification and a MODE of 3 for decryption (just for
-   debugging) */
+   debugging).  MODE 4 is for certificate signing, MODE for COSP
+   response signing. */
 static int
 cert_usage_p (ksba_cert_t cert, int mode)
 {
   gpg_error_t err;
   unsigned int use;
   char *extkeyusages;
+  int have_ocsp_signing = 0;
 
   err = ksba_cert_get_ext_key_usages (cert, &extkeyusages);
   if (gpg_err_code (err) == GPG_ERR_NO_DATA)
@@ -94,6 +96,13 @@ cert_usage_p (ksba_cert_t cert, int mode)
                                    | KSBA_KEYUSAGE_NON_REPUDIATION);
                 }
               
+              /* This is a hack to cope with OCSP.  Note that we do
+                 not yet fully comply with the requirements and that
+                 the entire CRL/OCSP checking thing should undergo a
+                 thorough review and probably redesign. */
+              if ( !strcmp (p, oid_kp_ocspSigning))
+                have_ocsp_signing = 1;
+
               if ((p = strchr (pend, '\n')))
                 p++;
             }
@@ -135,6 +144,18 @@ cert_usage_p (ksba_cert_t cert, int mode)
       return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
     }
 
+  if (mode == 5)
+    {
+      if (use != ~0 
+          && (have_ocsp_signing
+              || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
+                         |KSBA_KEYUSAGE_CRL_SIGN))))
+        return 0;
+      log_info (_("certificate should have not "
+                  "been used for OCSP response signing\n"));
+      return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
+    }
+
   if ((use & ((mode&1)?
               (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT):
               (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION)))
@@ -182,6 +203,12 @@ gpgsm_cert_use_cert_p (ksba_cert_t cert)
   return cert_usage_p (cert, 4);
 }
 
+int
+gpgsm_cert_use_ocsp_p (ksba_cert_t cert)
+{
+  return cert_usage_p (cert, 5);
+}
+
 
 static int
 same_subject_issuer (const char *subject, const char *issuer, ksba_cert_t cert)

sm/gpgsm.h

@@ -240,6 +240,7 @@ int gpgsm_cert_use_encrypt_p (ksba_cert_t cert);
 int gpgsm_cert_use_verify_p (ksba_cert_t cert);
 int gpgsm_cert_use_decrypt_p (ksba_cert_t cert);
 int gpgsm_cert_use_cert_p (ksba_cert_t cert);
+int gpgsm_cert_use_ocsp_p (ksba_cert_t cert);
 int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert,
                                 certlist_t *listaddr, int is_encrypt_to);
 int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,