gpgsm: Print revocation date and reason in cert listings.

* dirmngr/ocsp.c (ocsp_isvalid): Add args r_revoked_at and
r_revocation_reason.
* dirmngr/server.c (cmd_isvalid): Emit a new REVOCATIONINFO status.
(cmd_checkocsp): Ditto.

* sm/call-dirmngr.c (struct isvalid_status_parm_s): Add new fields.
(isvalid_status_cb): Parse REVOCATIONINFO.
(gpgsm_dirmngr_isvalid): Add args r_revoked_at and
r_revocation_reason.

* sm/gpgsm.h (struct server_control_s): Add fields revoked_art and
revocation_reason.
* sm/keylist.c (list_cert_raw): Print revocation date.
(list_cert_std): Ditto.
--

Note that for now we do this only for OCSP because it is an important
piece of information when using the chain model.  For a sample key see
commit 7fa1d3cc821dca1ea8e1c80a0bdd527177c185ee.

3 files changed, 70 insertions, 25 deletions

diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
index 7267d623e..483b6f32d 100644
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@@ -650,10 +650,13 @@ check_signature (ctrl_t ctrl,
 /* Check whether the certificate either given by fingerprint CERT_FPR
    or directly through the CERT object is valid by running an OCSP
    transaction.  With FORCE_DEFAULT_RESPONDER set only the configured
-   default responder is used. */
+   default responder is used.  If R_REVOKED_AT or R_REASON are not
+   NULL and the certificat has been revoked the revocation time and
+   the reasons are stored there. */
 gpg_error_t
 ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
-              int force_default_responder)
+              int force_default_responder, ksba_isotime_t r_revoked_at,
+              const char **r_reason)
 {
   gpg_error_t err;
   ksba_ocsp_t ocsp = NULL;
@@ -672,6 +675,12 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
   char *oid;
   ksba_name_t name;
   fingerprint_list_t default_signer = NULL;
+  const char *sreason;
+
+  if (r_revoked_at)
+    *r_revoked_at = 0;
+  if (r_reason)
+    *r_reason = NULL;
 
   /* Get the certificate.  */
   if (cert)
@@ -842,8 +851,36 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
                       more important message than the failure of our
                       cache. */
         }
-    }
 
+      switch (reason)
+        {
+        case KSBA_CRLREASON_UNSPECIFIED:
+          sreason = "unspecified"; break;
+        case KSBA_CRLREASON_KEY_COMPROMISE:
+          sreason = "key compromise"; break;
+        case KSBA_CRLREASON_CA_COMPROMISE:
+          sreason = "CA compromise"; break;
+        case KSBA_CRLREASON_AFFILIATION_CHANGED:
+          sreason = "affiliation changed"; break;
+        case KSBA_CRLREASON_SUPERSEDED:
+          sreason = "superseded"; break;
+        case KSBA_CRLREASON_CESSATION_OF_OPERATION:
+          sreason = "cessation of operation"; break;
+        case KSBA_CRLREASON_CERTIFICATE_HOLD:
+          sreason = "certificate on hold"; break;
+        case KSBA_CRLREASON_REMOVE_FROM_CRL:
+          sreason = "removed from CRL"; break;
+        case KSBA_CRLREASON_PRIVILEGE_WITHDRAWN:
+          sreason = "privilege withdrawn"; break;
+        case KSBA_CRLREASON_AA_COMPROMISE:
+          sreason = "AA compromise"; break;
+        case KSBA_CRLREASON_OTHER:
+          sreason = "other"; break;
+        default: sreason = "?"; break;
+        }
+    }
+  else
+    sreason = "";
 
   if (opt.verbose)
     {
@@ -855,29 +892,19 @@ ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
                 this_update, next_update);
       if (status == KSBA_STATUS_REVOKED)
         log_info (_("certificate has been revoked at: %s due to: %s\n"),
-                  revocation_time,
-                  reason == KSBA_CRLREASON_UNSPECIFIED?   "unspecified":
-                  reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise":
-                  reason == KSBA_CRLREASON_CA_COMPROMISE?   "CA compromise":
-                  reason == KSBA_CRLREASON_AFFILIATION_CHANGED?
-                                                      "affiliation changed":
-                  reason == KSBA_CRLREASON_SUPERSEDED?   "superseded":
-                  reason == KSBA_CRLREASON_CESSATION_OF_OPERATION?
-                                                  "cessation of operation":
-                  reason == KSBA_CRLREASON_CERTIFICATE_HOLD?
-                                                  "certificate on hold":
-                  reason == KSBA_CRLREASON_REMOVE_FROM_CRL?
-                                                  "removed from CRL":
-                  reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN?
-                                                  "privilege withdrawn":
-                  reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise":
-                  reason == KSBA_CRLREASON_OTHER?   "other":"?");
+                  revocation_time, sreason);
 
     }
 
 
   if (status == KSBA_STATUS_REVOKED)
-    err = gpg_error (GPG_ERR_CERT_REVOKED);
+    {
+      err = gpg_error (GPG_ERR_CERT_REVOKED);
+      if (r_revoked_at)
+        gnupg_copy_time (r_revoked_at, revocation_time);
+      if (r_reason)
+        *r_reason = sreason;
+    }
   else if (status == KSBA_STATUS_UNKNOWN)
     err = gpg_error (GPG_ERR_NO_DATA);
   else if (status != KSBA_STATUS_GOOD)
diff --git a/dirmngr/ocsp.h b/dirmngr/ocsp.h
index cfab7dd6f..b3deeac93 100644
--- a/dirmngr/ocsp.h
+++ b/dirmngr/ocsp.h
@@ -23,7 +23,9 @@
 #define OCSP_H
 
 gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
-                          int force_default_responder);
+                          int force_default_responder,
+                          gnupg_isotime_t r_revoked_at,
+                          const char **r_reason);
 
 /* Release the list of OCSP certificates hold in the CTRL object. */
 void release_ctrl_ocsp_certs (ctrl_t ctrl);
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 98f354300..fba2233d4 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -1310,6 +1310,9 @@ cmd_isvalid (assuan_context_t ctx, char *line)
  again:
   if (ocsp_mode)
     {
+      gnupg_isotime_t revoked_at;
+      const char *reason;
+
       /* Note, that we currently ignore the supplied fingerprint FPR;
        * instead ocsp_isvalid does an inquire to ask for the cert.
        * The fingerprint may eventually be used to lookup the
@@ -1317,7 +1320,12 @@ cmd_isvalid (assuan_context_t ctx, char *line)
       if (!opt.allow_ocsp)
         err = gpg_error (GPG_ERR_NOT_SUPPORTED);
       else
-        err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder);
+        err = ocsp_isvalid (ctrl, NULL, NULL, force_default_responder,
+                            revoked_at, &reason);
+
+      if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED)
+        dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s",
+                               revoked_at, reason);
 
       if (gpg_err_code (err) == GPG_ERR_CONFIGURATION
           && gpg_err_source (err) == GPG_ERR_SOURCE_DIRMNGR)
@@ -1512,6 +1520,8 @@ cmd_checkocsp (assuan_context_t ctx, char *line)
   unsigned char fprbuffer[20], *fpr;
   ksba_cert_t cert;
   int force_default_responder;
+  gnupg_isotime_t revoked_at;
+  const char *reason;
 
   force_default_responder = has_option (line, "--force-default-responder");
   line = skip_options (line);
@@ -1547,12 +1557,18 @@ cmd_checkocsp (assuan_context_t ctx, char *line)
         goto leave;
     }
 
-  assert (cert);
+  log_assert (cert);
 
   if (!opt.allow_ocsp)
     err = gpg_error (GPG_ERR_NOT_SUPPORTED);
   else
-    err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder);
+    err = ocsp_isvalid (ctrl, cert, NULL, force_default_responder,
+                        revoked_at, &reason);
+
+  if (gpg_err_code (err) == GPG_ERR_CERT_REVOKED)
+    dirmngr_status_printf (ctrl, "REVOCATIONINFO", "%s %s",
+                           revoked_at, reason);
+
 
  leave:
   ksba_cert_release (cert);