dirmngr: Improve finding OCSP cert.

* dirmngr/certcache.c (find_cert_bysubject): Add better debug output and try to locate by keyid. -- This change was suggested in T4536 but we do not have any test cases for this. GnuPG-bug-id: 4536 Signed-off-by: Werner Koch <[email protected]> (cherry picked from commit 4699e294cc9e59f35262adca26ca291927acca9e) The bug report meanwhile has a test description but I have not done the testing yet. I port this back to 2.2 anyway given that no regression have been reported for master in nearly a year.
author: Werner Koch <[email protected]> 2019-05-28 10:22:39 +0000
committer: Werner Koch <[email protected]> 2020-03-18 13:14:00 +0000
commit: 25dc0e5b1eb02f79946a86c799c7720001a296bc (patch)
tree: ae21d1bc71843b87452d2a81633f587b78ca94a2
parent: gpg: Update --trusted-key to accept fingerprint as well as long key id. (diff)
download: gnupg-25dc0e5b1eb02f79946a86c799c7720001a296bc.tar.gz
gnupg-25dc0e5b1eb02f79946a86c799c7720001a296bc.zip
1 files changed, 35 insertions, 1 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index adb005ec8..5486997b6 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -1471,6 +1471,9 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
                 {
                   ksba_cert_ref (ci->cert);
                   release_cache_lock ();
+                  if (DBG_LOOKUP)
+                    log_debug ("%s: certificate found in the cache"
+                               " via ocsp_certs\n", __func__);
                   return ci->cert; /* We use this certificate. */
                 }
       release_cache_lock ();
@@ -1478,7 +1481,7 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
         log_debug ("find_cert_bysubject: certificate not in ocsp_certs\n");
     }
 
-  /* No check whether the certificate is cached.  */
+  /* Now check whether the certificate is cached.  */
   for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++)
     {
       if (!keyid)
@@ -1487,6 +1490,9 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
           && !cmp_simple_canon_sexp (keyid, subj))
         {
           xfree (subj);
+          if (DBG_LOOKUP)
+            log_debug ("%s: certificate found in the cache"
+                       " via subject DN\n", __func__);
           break; /* Found matching cert. */
         }
       xfree (subj);
@@ -1495,6 +1501,34 @@ find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid)
   if (cert)
     return cert; /* Done.  */
 
+  /* If we do not have a subject DN but have a keyid, try to locate it
+   * by keyid.  */
+  if (!subject_dn && keyid)
+    {
+      int i;
+      cert_item_t ci;
+      ksba_sexp_t ski;
+
+      acquire_cache_read_lock ();
+      for (i=0; i < 256; i++)
+        for (ci=cert_cache[i]; ci; ci = ci->next)
+          if (ci->cert && !ksba_cert_get_subj_key_id (ci->cert, NULL, &ski))
+            {
+              if (!cmp_simple_canon_sexp (keyid, ski))
+                {
+                  ksba_free (ski);
+                  ksba_cert_ref (ci->cert);
+                  release_cache_lock ();
+                  if (DBG_LOOKUP)
+                    log_debug ("%s: certificate found in the cache"
+                               " via ski\n", __func__);
+                  return ci->cert;
+                }
+              ksba_free (ski);
+            }
+      release_cache_lock ();
+    }
+
   if (DBG_LOOKUP)
     log_debug ("find_cert_bysubject: certificate not in cache\n");
author	Werner Koch <[email protected]>	2019-05-28 10:22:39 +0000
committer	Werner Koch <[email protected]>	2020-03-18 13:14:00 +0000
commit	25dc0e5b1eb02f79946a86c799c7720001a296bc (patch)
tree	ae21d1bc71843b87452d2a81633f587b78ca94a2
parent	gpg: Update --trusted-key to accept fingerprint as well as long key id. (diff)
download	gnupg-25dc0e5b1eb02f79946a86c799c7720001a296bc.tar.gz gnupg-25dc0e5b1eb02f79946a86c799c7720001a296bc.zip