From c68eaa4b6b7fdbdcb2b03ca8ecd7194ddae4dab8 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 1 Dec 2003 10:54:30 +0000
Subject: * gpgsm.c, gpgsm.h: New options --{enable,disable}-ocsp. (gpgsm_init_default_ctrl): Set USE_OCSP to the default value. * certchain.c (gpgsm_validate_chain): Handle USE_OCSP. * call-dirmngr.c (gpgsm_dirmngr_isvalid): Add arg USE_OCSP and proceed accordingly.
---
 sm/call-dirmngr.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
(limited to 'sm/call-dirmngr.c')

diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c
index fa7f34f8b..8700145e3 100644
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@@ -288,9 +288,12 @@ inq_certificate (void *opaque, const char *line)
      GPG_ERR_CERTIFICATE_REVOKED
      GPG_ERR_NO_CRL_KNOWN
      GPG_ERR_CRL_TOO_OLD
+
+   With USE_OCSP set to true, the dirmngr is asked to do an OCSP
+   request first.
  */
 int
-gpgsm_dirmngr_isvalid (KsbaCert cert)
+gpgsm_dirmngr_isvalid (ksba_cert_t cert, int use_ocsp)
 {
   int rc;
   char *certid;
@@ -301,23 +304,35 @@ gpgsm_dirmngr_isvalid (KsbaCert cert)
   if (rc)
     return rc;
 
-  certid = gpgsm_get_certid (cert);
-  if (!certid)
+  if (use_ocsp)
     {
-      log_error ("error getting the certificate ID\n");
-      return gpg_error (GPG_ERR_GENERAL);
+      certid = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
+    }
+  else
+    {
+      certid = gpgsm_get_certid (cert);
+      if (!certid)
+        {
+          log_error ("error getting the certificate ID\n");
+          return gpg_error (GPG_ERR_GENERAL);
+        }
     }
 
   if (opt.verbose > 1)
     {
       char *fpr = gpgsm_get_fingerprint_string (cert, GCRY_MD_SHA1);
-      log_info ("asking dirmngr about %s\n", fpr);
+      log_info ("asking dirmngr about %s%s\n", fpr,
+                use_ocsp? " (using OCSP)":"");
       xfree (fpr);
     }
 
   parm.ctx = dirmngr_ctx;
   parm.cert = cert;
 
+  /* FIXME: If --disable-crl-checks has been set, we should pass an
+     option to dirmngr, so that no fallback CRL check is done after an
+     ocsp check. */
+
   snprintf (line, DIM(line)-1, "ISVALID %s", certid);
   line[DIM(line)-1] = 0;
   xfree (certid);
-- cgit
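Review bot: The new OCSP branch assigns `certid = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);` without the NULL check that the CRL branch keeps for `gpgsm_get_certid`, so if that helper can return NULL (its contract is not visible in this hunk; presumably on allocation failure) the later `snprintf (line, DIM(line)-1, "ISVALID %s", certid);` formats a null pointer, which is undefined behaviour, and `xfree (certid)` follows. The two branches should fail the same way, returning `GPG_ERR_GENERAL` after logging, so that a failed identifier lookup can never reach dirmngr as a malformed ISVALID request. It would also help to add a one-line comment above `if (use_ocsp)` stating that the choice between an OCSP and a CRL check is expressed solely through the identifier form sent in the ISVALID line (fingerprint versus certid), since nothing else in the request carries `use_ocsp`; the caller side should confirm that this is indeed how dirmngr dispatches. gpgsm_dirmngr_isvalid continues past the end of this hunk.
```c
  if (use_ocsp)
    {
      certid = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
      if (!certid)
        {
          log_error ("error getting the certificate fingerprint\n");
          return gpg_error (GPG_ERR_GENERAL);
        }
    }
  /* … unchanged: else branch, verbose logging, parm setup, ISVALID line … */
```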