7 files changed, 77 insertions, 11 deletions

diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c
index cc958ccf8..86beeedc1 100644
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@@ -362,7 +362,7 @@ inq_certificate (void *opaque, const char *line)
     }
   else
     {
-      log_error ("unsupported inquiry '%s'\n", line);
+      log_error ("unsupported certificate inquiry '%s'\n", line);
       return gpg_error (GPG_ERR_ASS_UNKNOWN_INQUIRE);
     }
 
@@ -386,8 +386,8 @@ inq_certificate (void *opaque, const char *line)
       int err;
       ksba_cert_t cert;
 
-
-      err = gpgsm_find_cert (parm->ctrl, line, ski, &cert, 1);
+      err = gpgsm_find_cert (parm->ctrl, line, ski, &cert,
+                             FIND_CERT_ALLOW_AMBIG|FIND_CERT_WITH_EPHEM);
       if (err)
         {
           log_error ("certificate not found: %s\n", gpg_strerror (err));
@@ -521,6 +521,7 @@ isvalid_status_cb (void *opaque, const char *line)
 
   GPG_ERR_CERTIFICATE_REVOKED
   GPG_ERR_NO_CRL_KNOWN
+  GPG_ERR_INV_CRL_OBJ
   GPG_ERR_CRL_TOO_OLD
 
   Values for USE_OCSP:
@@ -1014,7 +1015,8 @@ run_command_inq_cb (void *opaque, const char *line)
       if (!*line)
         return gpg_error (GPG_ERR_ASS_PARAMETER);
 
-      err = gpgsm_find_cert (parm->ctrl, line, NULL, &cert, 1);
+      err = gpgsm_find_cert (parm->ctrl, line, NULL, &cert,
+                             FIND_CERT_ALLOW_AMBIG);
       if (err)
         {
           log_error ("certificate not found: %s\n", gpg_strerror (err));
@@ -1035,9 +1037,33 @@ run_command_inq_cb (void *opaque, const char *line)
       line = s;
       log_info ("dirmngr: %s\n", line);
     }
+  else if ((s = has_leading_keyword (line, "ISTRUSTED")))
+    {
+      /* The server is asking us whether the certificate is a trusted
+         root certificate.  */
+      char fpr[41];
+      struct rootca_flags_s rootca_flags;
+      int n;
+
+      line = s;
+
+      for (s=line,n=0; hexdigitp (s); s++, n++)
+        ;
+      if (*s || n != 40)
+        return gpg_error (GPG_ERR_ASS_PARAMETER);
+      for (s=line, n=0; n < 40; s++, n++)
+        fpr[n] = (*s >= 'a')? (*s & 0xdf): *s;
+      fpr[n] = 0;
+
+      if (!gpgsm_agent_istrusted (parm->ctrl, NULL, fpr, &rootca_flags))
+        rc = assuan_send_data (parm->ctx, "1", 1);
+      else
+        rc = 0;
+      return rc;
+    }
   else
     {
-      log_error ("unsupported inquiry '%s'\n", line);
+      log_error ("unsupported command inquiry '%s'\n", line);
       rc = gpg_error (GPG_ERR_ASS_UNKNOWN_INQUIRE);
     }
 
diff --git a/sm/certchain.c b/sm/certchain.c
index cbb6e1127..7b782190b 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -122,6 +122,7 @@ do_list (int is_error, int listmode, estream_t fp, const char *format, ...)
     }
   else
     {
+      es_fflush (es_stdout);
       log_logv (is_error? GPGRT_LOGLVL_ERROR: GPGRT_LOGLVL_INFO,
                 format, arg_ptr);
       log_printf ("\n");
@@ -1480,6 +1481,7 @@ ask_marktrusted (ctrl_t ctrl, ksba_cert_t cert, int listmode)
   int success = 0;
 
   fpr = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA1);
+  es_fflush (es_stdout);
   log_info (_("fingerprint=%s\n"), fpr? fpr : "?");
   xfree (fpr);
 
@@ -2277,6 +2279,7 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert)
             {
               if (!opt.quiet)
                 {
+                  es_fflush (es_stdout);
                   log_info ("issuer certificate (#/");
                   gpgsm_dump_string (issuer);
                   log_printf (") not found\n");
diff --git a/sm/certdump.c b/sm/certdump.c
index 3ad0edbe3..03bfd4106 100644
--- a/sm/certdump.c
+++ b/sm/certdump.c
@@ -728,7 +728,14 @@ gpgsm_es_print_name2 (estream_t fp, const char *name, int translate)
 void
 gpgsm_es_print_name (estream_t fp, const char *name)
 {
-  gpgsm_es_print_name2 (fp, name, 1);
+  if (opt.no_pretty_dn)
+    {
+      if (!name)
+        name = "[error]";
+      es_write_sanitized (fp, name, strlen (name), NULL, NULL);
+    }
+  else
+    gpgsm_es_print_name2 (fp, name, 1);
 }
 
 
diff --git a/sm/certlist.c b/sm/certlist.c
index b5f9f7874..fdf31a198 100644
--- a/sm/certlist.c
+++ b/sm/certlist.c
@@ -508,11 +508,12 @@ gpgsm_release_certlist (certlist_t list)
 int
 gpgsm_find_cert (ctrl_t ctrl,
                  const char *name, ksba_sexp_t keyid, ksba_cert_t *r_cert,
-                 int allow_ambiguous)
+                 unsigned int flags)
 {
   int rc;
   KEYDB_SEARCH_DESC desc;
   KEYDB_HANDLE kh = NULL;
+  int allow_ambiguous = (flags & FIND_CERT_ALLOW_AMBIG);
 
   *r_cert = NULL;
   rc = classify_user_id (name, &desc, 0);
@@ -523,6 +524,9 @@ gpgsm_find_cert (ctrl_t ctrl,
         rc = gpg_error (GPG_ERR_ENOMEM);
       else
         {
+          if ((flags & FIND_CERT_WITH_EPHEM))
+            keydb_set_ephemeral (kh, 1);
+
         nextone:
           rc = keydb_search (ctrl, kh, &desc, 1);
           if (!rc)
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index f8b3856c2..aeb6ad7a9 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -114,6 +114,7 @@ enum cmd_and_opt_values {
   oNoLogFile,
   oAuditLog,
   oHtmlAuditLog,
+  oLogTime,
 
   oEnableSpecialFilenames,
 
@@ -169,6 +170,7 @@ enum cmd_and_opt_values {
   oWithKeyScreening,
   oAnswerYes,
   oAnswerNo,
+  oNoPrettyDN,
   oKeyring,
   oDefaultKey,
   oDefRecipient,
@@ -288,6 +290,7 @@ static gpgrt_opt_t opts[] = {
                 N_("|FILE|write server mode logs to FILE")),
   ARGPARSE_s_n (oNoLogFile, "no-log-file", "@"),
   ARGPARSE_s_i (oLoggerFD, "logger-fd", "@"),
+  ARGPARSE_s_n (oLogTime, "log-time", "@"),
   ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"),
 
 
@@ -383,7 +386,7 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_n (oWithKeygrip,     "with-keygrip", "@"),
   ARGPARSE_s_n (oWithSecret,      "with-secret", "@"),
   ARGPARSE_s_n (oWithKeyScreening,"with-key-screening", "@"),
-
+  ARGPARSE_s_n (oNoPrettyDN, "no-pretty-dn", "@"),
 
 
   ARGPARSE_header ("Security", N_("Options controlling the security")),
@@ -499,6 +502,9 @@ static int maybe_setuid = 1;
 static const char *debug_level;
 static unsigned int debug_value;
 
+/* Helper for --log-time;  */
+static int opt_log_time;
+
 /* Default value for include-certs.  We need an extra macro for
    gpgconf-list because the variable will be changed by the command
    line option.
@@ -1247,6 +1253,7 @@ main ( int argc, char **argv)
 
         case oLogFile: logfile = pargs.r.ret_str; break;
         case oNoLogFile: logfile = NULL; break;
+        case oLogTime: opt_log_time = 1; break;
 
         case oAuditLog: auditlog = pargs.r.ret_str; break;
         case oHtmlAuditLog: htmlauditlog = pargs.r.ret_str; break;
@@ -1312,6 +1319,10 @@ main ( int argc, char **argv)
           opt.with_key_screening = 1;
           break;
 
+        case oNoPrettyDN:
+          opt.no_pretty_dn = 1;
+          break;
+
         case oHomedir: gnupg_set_homedir (pargs.r.ret_str); break;
         case oChUid: break;  /* Command line only (see above).  */
         case oAgentProgram: opt.agent_program = pargs.r.ret_str;  break;
@@ -1579,6 +1590,10 @@ main ( int argc, char **argv)
       log_set_file (logfile);
       log_set_prefix (NULL, GPGRT_LOG_WITH_PREFIX | GPGRT_LOG_WITH_TIME | GPGRT_LOG_WITH_PID);
     }
+  else if (opt_log_time)
+    log_set_prefix (NULL, (GPGRT_LOG_WITH_PREFIX|GPGRT_LOG_NO_REGISTRY
+                           |GPGRT_LOG_WITH_TIME));
+
 
   if (gnupg_faked_time_p ())
     {
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index ced2d679f..6149b8491 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -85,6 +85,8 @@ struct
 
   int with_key_screening; /* Option  --with-key-screening active.  */
 
+  int no_pretty_dn;       /* Option --no-pretty-dn */
+
   int pinentry_mode;
   int request_origin;
 
@@ -404,8 +406,11 @@ int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert,
 int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
                            certlist_t *listaddr, int is_encrypt_to);
 void gpgsm_release_certlist (certlist_t list);
+
+#define FIND_CERT_ALLOW_AMBIG 1
+#define FIND_CERT_WITH_EPHEM  2
 int gpgsm_find_cert (ctrl_t ctrl, const char *name, ksba_sexp_t keyid,
-                     ksba_cert_t *r_cert, int allow_ambiguous);
+                     ksba_cert_t *r_cert, unsigned int flags);
 
 /*-- keylist.c --*/
 gpg_error_t gpgsm_list_keys (ctrl_t ctrl, strlist_t names,
diff --git a/sm/verify.c b/sm/verify.c
index 9f1216f83..a07d1c9c7 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -105,12 +105,17 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
   int signer;
   const char *algoid;
   int algo;
-  int is_detached;
+  int is_detached, maybe_detached;
   estream_t in_fp = NULL;
   char *p;
 
   audit_set_type (ctrl->audit, AUDIT_TYPE_VERIFY);
 
+  /* Although we detect detached signatures during the parsing phase,
+   * we need to know it earlier and thus accept the caller idea of
+   * what to verify.  */
+  maybe_detached = (data_fd != -1);
+
   kh = keydb_new (ctrl);
   if (!kh)
     {
@@ -131,7 +136,8 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
   rc = gnupg_ksba_create_reader
     (&b64reader, ((ctrl->is_pem? GNUPG_KSBA_IO_PEM : 0)
                   | (ctrl->is_base64? GNUPG_KSBA_IO_BASE64 : 0)
-                  | (ctrl->autodetect_encoding? GNUPG_KSBA_IO_AUTODETECT : 0)),
+                  | (ctrl->autodetect_encoding? GNUPG_KSBA_IO_AUTODETECT : 0)
+                  | (maybe_detached? GNUPG_KSBA_IO_STRIP : 0)),
      in_fp, &reader);
   if (rc)
     {