Diffstat (limited to 'dirmngr')
-rw-r--r--dirmngr/Makefile.am4
-rw-r--r--dirmngr/dirmngr.c23
-rw-r--r--dirmngr/ocsp.c69
-rw-r--r--dirmngr/ocsp.h4
-rw-r--r--dirmngr/server.c22
5 files changed, 87 insertions, 35 deletions
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index 35fb1cf33..1c8065dbb 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -93,7 +93,7 @@ dirmngr_LDADD = $(libcommonpth) \
if USE_LDAP
dirmngr_LDADD += $(ldaplibs) $(LBER_LIBS)
endif
-dirmngr_LDFLAGS = $(extra_bin_ldflags)
+dirmngr_LDFLAGS =
if USE_LDAP
dirmngr_ldap_SOURCES = dirmngr_ldap.c ldap-misc.c ldap-misc.h $(ldap_url)
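Review bot: `dirmngr_LDFLAGS =` (and `dirmngr_client_LDFLAGS =` in the next hunk) are left as empty assignments with no comment on why `$(extra_bin_ldflags)` no longer applies to these two binaries. If that variable carries platform or hardening link options elsewhere in the build (not visible here), this silently links dirmngr without them, so the reason belongs next to the assignment. A one-line comment such as `# extra_bin_ldflags deliberately not used for dirmngr; see <commit placeholder>` would make the intent reviewable later.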
@@ -108,7 +108,7 @@ dirmngr_client_SOURCES = dirmngr-client.c
dirmngr_client_LDADD = $(libcommon) \
$(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \
$(LIBGCRYPT_LIBS) $(NETLIBS) $(LIBINTL) $(LIBICONV)
-dirmngr_client_LDFLAGS = $(extra_bin_ldflags)
+dirmngr_client_LDFLAGS =
t_common_src = t-support.h t-support.c
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 977e7dd04..cbc693bd8 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -886,7 +886,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
/* This function is called after option parsing to adjust some values
* and call option setup functions. */
static void
-post_option_parsing (void)
+post_option_parsing (enum cmd_and_opt_values cmd)
{
/* It would be too surpirsing if the quick timeout is larger than
* the standard value. */
@@ -894,6 +894,18 @@ post_option_parsing (void)
opt.connect_quick_timeout = opt.connect_timeout;
set_debug ();
+ /* For certain commands we do not want to set/test for Tor mode
+ * because that is somewhat expensive. */
+ switch (cmd)
+ {
+ case aGPGConfList:
+ case aGPGConfTest:
+ case aGPGConfVersions:
+ break;
+ default:
+ set_tor_mode ();
+ break;
+ }
}
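Review bot: The new comment at the top of the switch says only that Tor mode is "somewhat expensive", whereas the comment removed from main in the next hunk explained the actual cost: set_tor_mode attempts to connect to the tor client, which can take a long time. That concrete reason is what a maintainer needs when deciding whether another command belongs in the skip list, so keep it: `/* For the gpgconf commands we do not call set_tor_mode because it attempts to connect to the tor client, which can be time consuming. */`. post_option_parsing's signature and the start of its body are in the preceding hunk.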
@@ -1214,12 +1226,7 @@ main (int argc, char **argv)
log_printf ("\n");
}
- /* Note that we do not run set_tor_mode in --gpgconf-list mode
- * because it will attempt to connect to the tor client and that can
- * be time consuming. */
- post_option_parsing ();
- if (cmd != aGPGConfTest && cmd != aGPGConfList && cmd != aGPGConfVersions)
- set_tor_mode ();
+ post_option_parsing (cmd);
/* Get LDAP server list from file unless --ldapserver has been used. */
#if USE_LDAP
@@ -1965,7 +1972,7 @@ reread_configuration (void)
}
gpgrt_argparse (NULL, &pargs, NULL); /* Release internal state. */
xfree (twopart);
- post_option_parsing ();
+ post_option_parsing (0);
finish:
/* Get a default log file from common.conf. */
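Review bot: `post_option_parsing (0)` changes what a configuration reread does: before this commit reread_configuration called `post_option_parsing ()` and never `set_tor_mode ()` (that call lived only in main, see the removed lines in the previous hunk), but a `0` argument now falls into the `default:` branch of the new switch and runs `set_tor_mode ()` on every reread. If re-evaluating Tor mode on SIGHUP is intended, say so at the call site, e.g. `post_option_parsing (0);  /* Not a gpgconf command: Tor mode is re-applied.  */`; if it is not, the call should pass one of the skipped commands or the switch should gain an explicit case. Passing a bare `0` for an `enum cmd_and_opt_values` is also less clear than the enum's named zero constant, assuming one exists. reread_configuration begins outside this hunk.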
diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
index 7267d623e..483b6f32d 100644
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@@ -650,10 +650,13 @@ check_signature (ctrl_t ctrl,
/* Check whether the certificate either given by fingerprint CERT_FPR
or directly through the CERT object is valid by running an OCSP
transaction. With FORCE_DEFAULT_RESPONDER set only the configured
- default responder is used. */
+ default responder is used. If R_REVOKED_AT or R_REASON are not
+ NULL and the certificat has been revoked the revocation time and
+ the reasons are stored there. */
gpg_error_t
ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
- int force_default_responder)
+ int force_default_responder, ksba_isotime_t r_revoked_at,
+ const char **r_reason)
{
gpg_error_t err;
ksba_ocsp_t ocsp = NULL;
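Review bot: The definition declares the new output as `ksba_isotime_t r_revoked_at` while the prototype in ocsp.h (the ocsp.h hunk below) and both callers in server.c use `gnupg_isotime_t`; even if the two typedefs happen to have the same layout, the definition and declaration should spell the same type, `int force_default_responder, gnupg_isotime_t r_revoked_at,`. The header comment should also state what the callers rely on: `*r_reason` is set to a static string that must not be freed, and both outputs are only filled in when the function returns GPG_ERR_CERT_REVOKED (they are reset to empty/NULL on entry otherwise), which is what the later hunk implements. While touching that comment, "certificat" should read "certificate". The body of ocsp_isvalid continues past this hunk.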
@@ -672,6 +675,12 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
char *oid;
ksba_name_t name;
fingerprint_list_t default_signer = NULL;
+ const char *sreason;
+
+ if (r_revoked_at)
+ *r_revoked_at = 0;
+ if (r_reason)
+ *r_reason = NULL;
/* Get the certificate. */
if (cert)
@@ -842,8 +851,36 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
more important message than the failure of our
cache. */
}
- }
+ switch (reason)
+ {
+ case KSBA_CRLREASON_UNSPECIFIED:
+ sreason = "unspecified"; break;
+ case KSBA_CRLREASON_KEY_COMPROMISE:
+ sreason = "key compromise"; break;
+ case KSBA_CRLREASON_CA_COMPROMISE:
+ sreason = "CA compromise"; break;
+ case KSBA_CRLREASON_AFFILIATION_CHANGED:
+ sreason = "affiliation changed"; break;
+ case KSBA_CRLREASON_SUPERSEDED:
+ sreason = "superseded"; break;
+ case KSBA_CRLREASON_CESSATION_OF_OPERATION:
+ sreason = "cessation of operation"; break;
+ case KSBA_CRLREASON_CERTIFICATE_HOLD:
+ sreason = "certificate on hold"; break;
+ case KSBA_CRLREASON_REMOVE_FROM_CRL:
+ sreason = "removed from CRL"; break;
+ case KSBA_CRLREASON_PRIVILEGE_WITHDRAWN:
+ sreason = "privilege withdrawn"; break;
+ case KSBA_CRLREASON_AA_COMPROMISE:
+ sreason = "AA compromise"; break;
+ case KSBA_CRLREASON_OTHER:
+ sreason = "other"; break;
+ default: sreason = "?"; break;
+ }
+ }
+ else
+ sreason = "";
if (opt.verbose)
{
@@ -855,29 +892,19 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
this_update, next_update);
if (status == KSBA_STATUS_REVOKED)
log_info (_("certificate has been revoked at: %s due to: %s\n"),
- revocation_time,
- reason == KSBA_CRLREASON_UNSPECIFIED? "unspecified":
- reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise":
- reason == KSBA_CRLREASON_CA_COMPROMISE? "CA compromise":
- reason == KSBA_CRLREASON_AFFILIATION_CHANGED?
- "affiliation changed":
- reason == KSBA_CRLREASON_SUPERSEDED? "superseded":
- reason == KSBA_CRLREASON_CESSATION_OF_OPERATION?
- "cessation of operation":
- reason == KSBA_CRLREASON_CERTIFICATE_HOLD?
- "certificate on hold":
- reason == KSBA_CRLREASON_REMOVE_FROM_CRL?
- "removed from CRL":
- reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN?
- "privilege withdrawn":
- reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise":
- reason == KSBA_CRLREASON_OTHER? "other":"?");
+ revocation_time, sreason);
}
if (status == KSBA_STATUS_REVOKED)
- err = gpg_error (GPG_ERR_CERT_REVOKED);
+ {
+ err = gpg_error (GPG_ERR_CERT_REVOKED);
+ if (r_revoked_at)
+ gnupg_copy_time (r_revoked_at, revocation_time);
+ if (r_reason)
+ *r_reason = sreason;
+ }
else if (status == KSBA_STATUS_UNKNOWN)
err = gpg_error (GPG_ERR_NO_DATA);
else if (status != KSBA_STATUS_GOOD)
diff --git a/dirmngr/ocsp.h b/dirmngr/ocsp.h
index cfab7dd6f..b3deeac93 100644
--- a/dirmngr/ocsp.h
+++ b/dirmngr/ocsp.h
@@ -23,7 +23,9 @@
#define OCSP_H
gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
- int force_default_responder);
+ int force_default_responder,
+ gnupg_isotime_t r_revoked_at,
+ const char **r_reason);
/* Release the list of OCSP certificates hold in the CTRL object. */
void release_ctrl_ocsp_certs (ctrl_t ctrl);
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 98f354300..fba2233d4 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1310,6 +1310,9 @@ cmd_isvalid (assuan_context_t ctx, char *line)
again:
if (ocsp_mode)
{
+ gnupg_isotime_t revoked_at;
+ const char *reason;
+
/* Note, that we currently ignore the supplied fingerprint FPR;
* instead ocsp_isvalid does an inquire to ask for the cert.
* The fingerprint may eventually be used to lookup the
@@ -1317,7 +1320,12 @@ cmd_isvalid (assuan_context_t ctx, char *line)
if (!opt.allow_ocsp)
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
else
- err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder);
+ err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder,
+ revoked_at, &reason);
+
+ if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED)
+ dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s",
+ revoked_at, reason);
if (gpg_err_code (err) == GPG_ERR_CONFIGURATION
&& gpg_err_source (err) == GPG_ERR_SOURCE_DIRMNGR)
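Review bot: The new REVOCATIONINFO status line is built as `"%s %s"` from the time and a reason string, but several of the reason strings defined in ocsp.c contain spaces ("key compromise", "certificate on hold"), so the line format is really `REVOCATIONINFO <isotime> <reason-words...>` and a consumer must take the first token as the time and the rest of the line as the reason; that contract should be written down in a comment above the call, since nothing else on the page documents it. `revoked_at` and `reason` are declared uninitialized above and are only written by ocsp_isvalid; the print is safe today because only that call yields GPG_ERR_CERT_REVOKED here, but initializing them at declaration (`gnupg_isotime_t revoked_at = {0}; const char *reason = "";`) keeps it safe if another path ever returns that code. The same print block is duplicated verbatim in cmd_checkocsp (last hunk of this file); a small static helper taking ctrl, err, revoked_at and reason would keep the two in step. cmd_isvalid starts and ends outside this hunk.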
@@ -1512,6 +1520,8 @@ cmd_checkocsp (assuan_context_t ctx, char *line)
unsigned char fprbuffer[20], *fpr;
ksba_cert_t cert;
int force_default_responder;
+ gnupg_isotime_t revoked_at;
+ const char *reason;
force_default_responder = has_option (line, "--force-default-responder");
line = skip_options (line);
@@ -1547,12 +1557,18 @@ cmd_checkocsp (assuan_context_t ctx, char *line)
goto leave;
}
- assert (cert);
+ log_assert (cert);
if (!opt.allow_ocsp)
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
else
- err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder);
+ err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder,
+ revoked_at, &reason);
+
+ if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED)
+ dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s",
+ revoked_at, reason);
+
leave:
ksba_cert_release (cert);