diff options
Diffstat (limited to 'dirmngr')
| -rw-r--r-- | dirmngr/ocsp.c | 69 | ||||
| -rw-r--r-- | dirmngr/ocsp.h | 4 | ||||
| -rw-r--r-- | dirmngr/server.c | 22 |
3 files changed, 70 insertions, 25 deletions
diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c index 7267d623e..483b6f32d 100644 --- a/dirmngr/ocsp.c +++ b/dirmngr/ocsp.c @@ -650,10 +650,13 @@ check_signature (ctrl_t ctrl, /* Check whether the certificate either given by fingerprint CERT_FPR or directly through the CERT object is valid by running an OCSP transaction. With FORCE_DEFAULT_RESPONDER set only the configured - default responder is used. */ + default responder is used. If R_REVOKED_AT or R_REASON are not + NULL and the certificat has been revoked the revocation time and + the reasons are stored there. */ gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr, - int force_default_responder) + int force_default_responder, ksba_isotime_t r_revoked_at, + const char **r_reason) { gpg_error_t err; ksba_ocsp_t ocsp = NULL; @@ -672,6 +675,12 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr, char *oid; ksba_name_t name; fingerprint_list_t default_signer = NULL; + const char *sreason; + + if (r_revoked_at) + *r_revoked_at = 0; + if (r_reason) + *r_reason = NULL; /* Get the certificate. */ if (cert) @@ -842,8 +851,36 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr, more important message than the failure of our cache. */ } - } + switch (reason) + { + case KSBA_CRLREASON_UNSPECIFIED: + sreason = "unspecified"; break; + case KSBA_CRLREASON_KEY_COMPROMISE: + sreason = "key compromise"; break; + case KSBA_CRLREASON_CA_COMPROMISE: + sreason = "CA compromise"; break; + case KSBA_CRLREASON_AFFILIATION_CHANGED: + sreason = "affiliation changed"; break; + case KSBA_CRLREASON_SUPERSEDED: + sreason = "superseded"; break; + case KSBA_CRLREASON_CESSATION_OF_OPERATION: + sreason = "cessation of operation"; break; + case KSBA_CRLREASON_CERTIFICATE_HOLD: + sreason = "certificate on hold"; break; + case KSBA_CRLREASON_REMOVE_FROM_CRL: + sreason = "removed from CRL"; break; + case KSBA_CRLREASON_PRIVILEGE_WITHDRAWN: + sreason = "privilege withdrawn"; break; + case KSBA_CRLREASON_AA_COMPROMISE: + sreason = "AA compromise"; break; + case KSBA_CRLREASON_OTHER: + sreason = "other"; break; + default: sreason = "?"; break; + } + } + else + sreason = ""; if (opt.verbose) { @@ -855,29 +892,19 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr, this_update, next_update); if (status == KSBA_STATUS_REVOKED) log_info (_("certificate has been revoked at: %s due to: %s\n"), - revocation_time, - reason == KSBA_CRLREASON_UNSPECIFIED? "unspecified": - reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise": - reason == KSBA_CRLREASON_CA_COMPROMISE? "CA compromise": - reason == KSBA_CRLREASON_AFFILIATION_CHANGED? - "affiliation changed": - reason == KSBA_CRLREASON_SUPERSEDED? "superseded": - reason == KSBA_CRLREASON_CESSATION_OF_OPERATION? - "cessation of operation": - reason == KSBA_CRLREASON_CERTIFICATE_HOLD? - "certificate on hold": - reason == KSBA_CRLREASON_REMOVE_FROM_CRL? - "removed from CRL": - reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN? - "privilege withdrawn": - reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise": - reason == KSBA_CRLREASON_OTHER? "other":"?"); + revocation_time, sreason); } if (status == KSBA_STATUS_REVOKED) - err = gpg_error (GPG_ERR_CERT_REVOKED); + { + err = gpg_error (GPG_ERR_CERT_REVOKED); + if (r_revoked_at) + gnupg_copy_time (r_revoked_at, revocation_time); + if (r_reason) + *r_reason = sreason; + } else if (status == KSBA_STATUS_UNKNOWN) err = gpg_error (GPG_ERR_NO_DATA); else if (status != KSBA_STATUS_GOOD) diff --git a/dirmngr/ocsp.h b/dirmngr/ocsp.h index cfab7dd6f..b3deeac93 100644 --- a/dirmngr/ocsp.h +++ b/dirmngr/ocsp.h @@ -23,7 +23,9 @@ #define OCSP_H gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr, - int force_default_responder); + int force_default_responder, + gnupg_isotime_t r_revoked_at, + const char **r_reason); /* Release the list of OCSP certificates hold in the CTRL object. */ void release_ctrl_ocsp_certs (ctrl_t ctrl); diff --git a/dirmngr/server.c b/dirmngr/server.c index 98f354300..fba2233d4 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -1310,6 +1310,9 @@ cmd_isvalid (assuan_context_t ctx, char *line) again: if (ocsp_mode) { + gnupg_isotime_t revoked_at; + const char *reason; + /* Note, that we currently ignore the supplied fingerprint FPR; * instead ocsp_isvalid does an inquire to ask for the cert. * The fingerprint may eventually be used to lookup the @@ -1317,7 +1320,12 @@ cmd_isvalid (assuan_context_t ctx, char *line) if (!opt.allow_ocsp) err = gpg_error (GPG_ERR_NOT_SUPPORTED); else - err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder); + err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder, + revoked_at, &reason); + + if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED) + dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s", + revoked_at, reason); if (gpg_err_code (err) == GPG_ERR_CONFIGURATION && gpg_err_source (err) == GPG_ERR_SOURCE_DIRMNGR) @@ -1512,6 +1520,8 @@ cmd_checkocsp (assuan_context_t ctx, char *line) unsigned char fprbuffer[20], *fpr; ksba_cert_t cert; int force_default_responder; + gnupg_isotime_t revoked_at; + const char *reason; force_default_responder = has_option (line, "--force-default-responder"); line = skip_options (line); @@ -1547,12 +1557,18 @@ cmd_checkocsp (assuan_context_t ctx, char *line) goto leave; } - assert (cert); + log_assert (cert); if (!opt.allow_ocsp) err = gpg_error (GPG_ERR_NOT_SUPPORTED); else - err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder); + err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder, + revoked_at, &reason); + + if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED) + dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s", + revoked_at, reason); + leave: ksba_cert_release (cert); |