authorWerner Koch <[email protected]>2003-12-01 10:54:30 +0000
committerWerner Koch <[email protected]>2003-12-01 10:54:30 +0000
commitc68eaa4b6b7fdbdcb2b03ca8ecd7194ddae4dab8 (patch)
tree6e4d942e582284e2689fd4ddbaf5a4c05316b84b
parent* scdaemon.c, scdaemon.h: New options --allow-admin and --deny-admin. (diff)
* gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp.
(gpgsm_init_default_ctrl): Set USE_OCSP to the default value. * certchain.c (gpgsm_validate_chain): Handle USE_OCSP. * call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and proceed accordingly.
Diffstat (limited to '')
-rw-r--r--sm/ChangeLog13
-rw-r--r--sm/call-dirmngr.c27
-rw-r--r--sm/certchain.c8
-rw-r--r--sm/gpgsm.c14
-rw-r--r--sm/gpgsm.h6
-rw-r--r--sm/verify.c3
6 files changed, 59 insertions, 12 deletions
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 4b6e579b6..fc4fcd07a 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,16 @@
+2003-12-01 Werner Koch <[email protected]>
+
+ * gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp.
+ (gpgsm_init_default_ctrl): Set USE_OCSP to the default value.
+ * certchain.c (gpgsm_validate_chain): Handle USE_OCSP.
+ * call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and
+ proceed accordingly.
+
+2003-11-19 Werner Koch <[email protected]>
+
+ * verify.c (gpgsm_verify): Use "0" instead of an empty string for
+ the VALIDSIG status.
+
2003-11-18 Werner Koch <[email protected]>
* verify.c (gpgsm_verify): Fixed for changes API of gcry_md_info.
diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c
index fa7f34f8b..8700145e3 100644
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@@ -288,9 +288,12 @@ inq_certificate (void *opaque, const char *line)
GPG_ERR_CERTIFICATE_REVOKED
GPG_ERR_NO_CRL_KNOWN
GPG_ERR_CRL_TOO_OLD
+
+ With USE_OCSP set to true, the dirmngr is asked to do an OCSP
+ request first.
*/
int
-gpgsm_dirmngr_isvalid (KsbaCert cert)
+gpgsm_dirmngr_isvalid (ksba_cert_t cert, int use_ocsp)
{
int rc;
char *certid;
@@ -301,23 +304,35 @@ gpgsm_dirmngr_isvalid (KsbaCert cert)
if (rc)
return rc;
- certid = gpgsm_get_certid (cert);
- if (!certid)
+ if (use_ocsp)
{
- log_error ("error getting the certificate ID\n");
- return gpg_error (GPG_ERR_GENERAL);
+ certid = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
+ }
+ else
+ {
+ certid = gpgsm_get_certid (cert);
+ if (!certid)
+ {
+ log_error ("error getting the certificate ID\n");
+ return gpg_error (GPG_ERR_GENERAL);
+ }
}
if (opt.verbose > 1)
{
char *fpr = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA1);
- log_info ("asking dirmngr about %s\n", fpr);
+ log_info ("asking dirmngr about %s%s\n", fpr,
+ use_ocsp? " (using OCSP)":"");
xfree (fpr);
}
parm.ctx = dirmngr_ctx;
parm.cert = cert;
+ /* FIXME: If --disable-crl-checks has been set, we should pass an
+ option to dirmngr, so that no fallback CRL check is done after an
+ ocsp check. */
+
snprintf (line, DIM(line)-1, "ISVALID %s", certid);
line[DIM(line)-1] = 0;
xfree (certid);
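Review bot: In the `use_ocsp` branch the result of `gpgsm_get_fingerprint_hexstring` is used without the NULL check that the `else` branch applies to `gpgsm_get_certid`. That helper's definition is not in this diff, but if it can fail, a NULL `certid` would reach `snprintf (line, DIM(line)-1, "ISVALID %s", certid)`. Moving the existing check below the if/else covers both paths: `if (!certid) { log_error ("error getting the certificate ID\n"); return gpg_error (GPG_ERR_GENERAL); }`. The body of gpgsm_dirmngr_isvalid starts and ends outside this hunk.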
diff --git a/sm/certchain.c b/sm/certchain.c
index 50e910240..28b098bf4 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -517,11 +517,13 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
goto leave;
}
- if (!opt.no_crl_check)
+ if (!opt.no_crl_check || ctrl->use_ocsp)
{
- rc = gpgsm_dirmngr_isvalid (subject_cert);
+ rc = gpgsm_dirmngr_isvalid (subject_cert, ctrl->use_ocsp);
if (rc)
{
+ /* Fixme: We should change the wording because we may
+ have used OCSP. */
switch (gpg_err_code (rc))
{
case GPG_ERR_CERT_REVOKED:
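Review bot: The new condition `!opt.no_crl_check || ctrl->use_ocsp` carries no comment saying that --enable-ocsp makes the dirmngr query run even when --disable-crl-checks is set. The FIXME added in call-dirmngr.c says dirmngr may then still do a fallback CRL check, so the user's explicit opt-out is not fully honoured yet. A comment here would keep that precedence visible, e.g. `/* OCSP overrides --disable-crl-checks; dirmngr may still fall back to a CRL (see FIXME in gpgsm_dirmngr_isvalid). */`. The same precedence applies in the later hunk at `if (opt.no_crl_check && !ctrl->use_ocsp)`, and the switch body continues outside this hunk.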
@@ -677,7 +679,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
if (opt.no_policy_check)
log_info ("policies not checked due to --disable-policy-checks option\n");
- if (opt.no_crl_check)
+ if (opt.no_crl_check && !ctrl->use_ocsp)
log_info ("CRLs not checked due to --disable-crl-checks option\n");
if (!rc)
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 3fab49731..161d185b1 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -111,6 +111,9 @@ enum cmd_and_opt_values {
oDisableCRLChecks,
oEnableCRLChecks,
+ oDisableOCSP,
+ oEnableOCSP,
+
oIncludeCerts,
oPolicyFile,
@@ -253,6 +256,9 @@ static ARGPARSE_OPTS opts[] = {
{ oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
{ oEnableCRLChecks, "enable-crl-checks", 0, "@"},
+ { oDisableOCSP, "disable-ocsp", 0, "@" },
+ { oEnableOCSP, "enable-ocsp", 0, N_("check validity using OCSP")},
+
{ oIncludeCerts, "include-certs", 1,
N_("|N|number of certificates to include") },
@@ -825,6 +831,13 @@ main ( int argc, char **argv)
opt.no_crl_check = 0;
break;
+ case oDisableOCSP:
+ opt.enable_ocsp = 0;
+ break;
+ case oEnableOCSP:
+ opt.enable_ocsp = 1;
+ break;
+
case oIncludeCerts: ctrl.include_certs = pargs.r.ret_int; break;
case oPolicyFile:
@@ -1360,6 +1373,7 @@ void
gpgsm_init_default_ctrl (struct server_control_s *ctrl)
{
ctrl->include_certs = 1; /* only include the signer's cert */
+ ctrl->use_ocsp = opt.enable_ocsp;
}
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index f0b10c8dc..680ba9503 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -35,7 +35,7 @@
#define MAX_DIGEST_LEN 24
-/* A large struct name "opt" to keep global flags */
+/* A large struct named "opt" to keep global flags */
struct {
unsigned int debug; /* debug flags (DBG_foo_VALUE) */
int verbose; /* verbosity level */
@@ -83,6 +83,7 @@ struct {
int ignore_time_conflict; /* Ignore certain time conflicts */
int no_crl_check; /* Don't do a CRL check */
+ int enable_ocsp; /* Default to use OCSP checks. */
char *policy_file; /* full pathname of policy file */
int no_policy_check; /* ignore certificate policies */
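Review bot: The comment on `enable_ocsp`, `/* Default to use OCSP checks. */`, can be read as saying OCSP is on by default. As far as this diff shows, the field only holds the --enable-ocsp/--disable-ocsp setting that gpgsm_init_default_ctrl copies into `ctrl->use_ocsp`. Suggested wording: `/* Default for ctrl->use_ocsp; set by --enable-ocsp. */`. The struct body starts and ends outside the hunk.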
@@ -131,6 +132,7 @@ struct server_control_s {
along with a signature or the number of
certificates up the chain (0 = none, 1 = only
signer) */
+ int use_ocsp; /* Set to true if OCSP should be used. */
};
typedef struct server_control_s *CTRL;
@@ -261,7 +263,7 @@ int gpgsm_agent_learn (void);
int gpgsm_agent_passwd (const char *hexkeygrip);
/*-- call-dirmngr.c --*/
-int gpgsm_dirmngr_isvalid (KsbaCert cert);
+int gpgsm_dirmngr_isvalid (ksba_cert_t cert, int use_ocsp);
int gpgsm_dirmngr_lookup (CTRL ctrl, STRLIST names,
void (*cb)(void*, KsbaCert), void *cb_value);
int gpgsm_dirmngr_run_command (CTRL ctrl, const char *command,
diff --git a/sm/verify.c b/sm/verify.c
index e6e08c06c..c58dd895e 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -474,7 +474,8 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp)
tstr = strtimestamp_r (sigtime);
buf = xmalloc ( strlen(fpr) + strlen (tstr) + 120);
sprintf (buf, "%s %s %s %s", fpr, tstr,
- sigtime, keyexptime );
+ *sigtime? sigtime : "0",
+ *keyexptime? keyexptime : "0" );
xfree (tstr);
xfree (fpr);
gpgsm_status (ctrl, STATUS_VALIDSIG, buf);
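Review bot: The `sprintf` into `buf` is bounded only by the `+ 120` slack in the `xmalloc` size, which has to cover `sigtime`, `keyexptime` (or the new "0" fallbacks), the separators and the terminator. The types of the two time values are not visible here, so the margin is presumably adequate but nothing in the hunk enforces it. Keeping the size in a variable and calling `snprintf (buf, buflen, "%s %s %s %s", ...)` would make the bound explicit. gpgsm_verify's body continues outside the hunk.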