summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--common/ChangeLog6
-rw-r--r--common/audit.c34
-rw-r--r--common/audit.h3
-rw-r--r--common/util.h5
-rw-r--r--doc/ChangeLog4
-rw-r--r--doc/DETAILS6
-rw-r--r--doc/help.txt8
-rw-r--r--g10/keygen.c2
-rw-r--r--sm/ChangeLog4
-rw-r--r--sm/certchain.c8
10 files changed, 69 insertions, 11 deletions
diff --git a/common/ChangeLog b/common/ChangeLog
index 75c79c6f6..56e9712e2 100644
--- a/common/ChangeLog
+++ b/common/ChangeLog
@@ -1,3 +1,9 @@
+2009-07-23 Werner Koch <wk@g10code.com>
+
+ * util.h (GPG_ERR_NOT_ENABLED): New.
+ * audit.h (enum): Add AUDIT_CRL_CHECK.
+ * audit.c (proc_type_verify): Show CRL check result.
+
2009-07-06 Werner Koch <wk@g10code.com>
* get-passphrase.c (struct agentargs): Add SESSION_ENV and remove
diff --git a/common/audit.c b/common/audit.c
index a3c5b80d5..436f0d25d 100644
--- a/common/audit.c
+++ b/common/audit.c
@@ -251,8 +251,8 @@ audit_log (audit_ctx_t ctx, audit_event_t event)
}
/* Add a new event to the audit log. If CTX is NULL, this function
- does nothing. This version also adds the result of the oepration
- to the log.. */
+ does nothing. This version also adds the result of the operation
+ to the log. */
void
audit_log_ok (audit_ctx_t ctx, audit_event_t event, gpg_error_t err)
{
@@ -479,6 +479,8 @@ writeout_li (audit_ctx_t ctx, const char *oktext, const char *format, ...)
oktext = _("|audit-log-result|Not supported");
else if (!strcmp (oktext, "no-cert"))
oktext = _("|audit-log-result|No certificate");
+ else if (!strcmp (oktext, "disabled"))
+ oktext = _("|audit-log-result|Not enabled");
else if (!strcmp (oktext, "error"))
oktext = _("|audit-log-result|Error");
else
@@ -923,9 +925,31 @@ proc_type_verify (audit_ctx_t ctx)
}
/* Show result of the CRL/OCSP check. */
- writeout_li (ctx, "-", "%s", _("CRL/OCSP check of certificates"));
- /* add_helptag (ctx, "gpgsm.ocsp-problem"); */
-
+ item = find_next_log_item (ctx, loopitem,
+ AUDIT_CRL_CHECK, AUDIT_NEW_SIG);
+ if (item)
+ {
+ const char *ok;
+ switch (gpg_err_code (item->err))
+ {
+ case 0: ok = "good"; break;
+ case GPG_ERR_CERT_REVOKED: ok = "bad"; break;
+ case GPG_ERR_NOT_ENABLED: ok = "disabled"; break;
+ case GPG_ERR_NO_CRL_KNOWN:
+ ok = _("no CRL found for certificate");
+ break;
+ case GPG_ERR_CRL_TOO_OLD:
+ ok = _("the available CRL is too old");
+ break;
+ default: ok = gpg_strerror (item->err); break;
+ }
+
+ writeout_li (ctx, ok, "%s", _("CRL/OCSP check of certificates"));
+ if (item->err
+ && gpg_err_code (item->err) != GPG_ERR_CERT_REVOKED
+ && gpg_err_code (item->err) != GPG_ERR_NOT_ENABLED)
+ add_helptag (ctx, "gpgsm.crl-problem");
+ }
leave_li (ctx);
}
diff --git a/common/audit.h b/common/audit.h
index 85c2ffc25..491710706 100644
--- a/common/audit.h
+++ b/common/audit.h
@@ -139,6 +139,9 @@ typedef enum
/* Tells whether the root certificate is trusted. This event is
emmited durcing chain validation. */
+ AUDIT_CRL_CHECK, /* err */
+ /* Tells the status of a CRL or OCSP check. */
+
AUDIT_GOT_RECIPIENTS, /* int */
/* Records the number of recipients to be used for encryption.
This includes the recipients set by --encrypt-to but records 0
diff --git a/common/util.h b/common/util.h
index 61b26f1de..3eed4eba8 100644
--- a/common/util.h
+++ b/common/util.h
@@ -25,6 +25,11 @@
#include <errno.h> /* We need errno. */
#include <gpg-error.h> /* We need gpg_error_t. */
+/* Add error codes available only in newer versions of libgpg-error. */
+#ifndef GPG_ERR_NOT_ENABLED
+#define GPG_ERR_NOT_ENABLED 179
+#endif
+
/* Hash function used with libksba. */
#define HASH_FNC ((void (*)(void *, const void*,size_t))gcry_md_write)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 04a137d34..5b4c0d0dd 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,7 @@
+2009-07-23 Werner Koch <wk@g10code.com>
+
+ * help.txt (gpgsm.crl-problem): New.
+
2009-07-22 Werner Koch <wk@g10code.com>
* scdaemon.texi, instguide.texi, gpgsm.texi, sysnotes.texi
diff --git a/doc/DETAILS b/doc/DETAILS
index 39554a27c..cf940c0b3 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -628,12 +628,12 @@ more arguments in future versions.
This is used to control smartcard operations.
Defined values for WHAT are:
1 = Request insertion of a card. Serialnumber may be given
- to request a specific card.
- 2 = Request removal of a card.
+ to request a specific card. Used by gpg 1.4 w/o scdaemon.
+ 2 = Request removal of a card. Used by gpg 1.4 w/o scdaemon.
3 = Card with serialnumber detected
4 = No card available.
5 = No card reader available
-
+ 6 = No card support available
PLAINTEXT <format> <timestamp> <filename>
This indicates the format of the plaintext that is about to be
diff --git a/doc/help.txt b/doc/help.txt
index e186e27e8..36b993de5 100644
--- a/doc/help.txt
+++ b/doc/help.txt
@@ -357,7 +357,13 @@ trustlist.txt in GnuPG's home directory. If you are in doubt, ask
your system administrator whether you should trust this certificate.
-
+.gpgsm.crl-problem
+# This tex is displayed by the audit log for problems with
+# the CRL or OCSP checking.
+Depending on your configuration a problem retrieving the CRL or
+performing an OCSP check occurred. There are a great variety of
+reasons why this did not work. Check the manual for possible
+solutions.
# Local variables:
diff --git a/g10/keygen.c b/g10/keygen.c
index 91c990c08..38d78073f 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1759,7 +1759,7 @@ ask_algo (int addmode, int *r_subkey_algo, unsigned int *r_usage)
}
-/* Ask for the key size. ALGO is the algorithjm. If PRIMARY_KEYSIZE
+/* Ask for the key size. ALGO is the algorithm. If PRIMARY_KEYSIZE
is not 0, the function asks for the size of the encryption
subkey. */
static unsigned
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 954f88ea5..b50703e4b 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,7 @@
+2009-07-23 Werner Koch <wk@g10code.com>
+
+ * certchain.c (is_cert_still_valid): Emit AUDIT_CRL_CHECK.
+
2009-07-07 Werner Koch <wk@g10code.com>
* server.c (command_has_option): New.
diff --git a/sm/certchain.c b/sm/certchain.c
index ddf4ece8f..e9a1aadfa 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -889,11 +889,17 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
gpg_error_t err;
if (opt.no_crl_check && !ctrl->use_ocsp)
- return 0;
+ {
+ audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK,
+ gpg_error (GPG_ERR_NOT_ENABLED));
+ return 0;
+ }
err = gpgsm_dirmngr_isvalid (ctrl,
subject_cert, issuer_cert,
force_ocsp? 2 : !!ctrl->use_ocsp);
+ audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, err);
+
if (err)
{
if (!lm)