* gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp.

(gpgsm_init_default_ctrl): Set USE_OCSP to the default value.
* certchain.c (gpgsm_validate_chain): Handle USE_OCSP.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and
proceed accordingly.

1 files changed, 5 insertions, 3 deletions

diff --git a/sm/certchain.c b/sm/certchain.c
index 50e910240..28b098bf4 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -517,11 +517,13 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
             goto leave;
         }
 
-      if (!opt.no_crl_check)
+      if (!opt.no_crl_check || ctrl->use_ocsp)
         {
-          rc = gpgsm_dirmngr_isvalid (subject_cert);
+          rc = gpgsm_dirmngr_isvalid (subject_cert, ctrl->use_ocsp);
           if (rc)
             {
+              /* Fixme: We should change the wording because we may
+                 have used OCSP. */
               switch (gpg_err_code (rc))
                 {
                 case GPG_ERR_CERT_REVOKED:
@@ -677,7 +679,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, ksba_isotime_t r_exptime)
 
   if (opt.no_policy_check)
     log_info ("policies not checked due to --disable-policy-checks option\n");
-  if (opt.no_crl_check)
+  if (opt.no_crl_check && !ctrl->use_ocsp)
     log_info ("CRLs not checked due to --disable-crl-checks option\n");
 
   if (!rc)