authorWerner Koch <wk@gnupg.org>2004-04-07 19:59:18 +0200
committerWerner Koch <wk@gnupg.org>2004-04-07 19:59:18 +0200
commitc61c77b1b2d68a91c409ca2a5a91368f4c84d220 (patch)
tree7143fea51bddf2532d774198e65b154e2a617b3c /sm
parent(my_dgettext): Switch the codeset once to utf-8. (diff)
* gpgsm.c: New option --force-crl-refresh.
* call-dirmngr.c (gpgsm_dirmngr_isvalid): Pass option to dirmngr.
Diffstat (limited to 'sm')
-rw-r--r--sm/ChangeLog5
-rw-r--r--sm/call-dirmngr.c13
-rw-r--r--sm/fingerprint.c2
-rw-r--r--sm/gpgsm.c7
-rw-r--r--sm/gpgsm.h1
5 files changed, 26 insertions, 2 deletions
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 25f72915f..c2627d3d2 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,8 @@
+2004-04-07 Werner Koch <wk@gnupg.org>
+
+ * gpgsm.c: New option --force-crl-refresh.
+ * call-dirmngr.c (gpgsm_dirmngr_isvalid): Pass option to dirmngr.
+
2004-04-05 Werner Koch <wk@gnupg.org>
* server.c (get_status_string): Add STATUS_NEWSIG.
diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c
index 0e8f67f28..15160dc41 100644
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@@ -149,6 +149,8 @@ start_dirmngr (void)
if (dirmngr_ctx)
return 0; /* fixme: We need a context for each thread or serialize
the access to the dirmngr */
+ /* Note: if you change this to multiple connections, you also need
+ to take care of the implicit option sending caching. */
infostr = force_pipe_server? NULL : getenv ("DIRMNGR_INFO");
if (!infostr || !*infostr)
@@ -359,12 +361,14 @@ int
gpgsm_dirmngr_isvalid (ctrl_t ctrl,
ksba_cert_t cert, ksba_cert_t issuer_cert, int use_ocsp)
{
+ static int did_options;
int rc;
char *certid;
char line[ASSUAN_LINELENGTH];
struct inq_certificate_parm_s parm;
struct isvalid_status_parm_s stparm;
+
rc = start_dirmngr ();
if (rc)
return rc;
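Review bot: `did_options` is declared as a function-local static in `gpgsm_dirmngr_isvalid`, so it lives as long as the process, not as long as `dirmngr_ctx`. If the context is ever released and re-created (not visible in this hunk), the new dirmngr session would never receive the option and revocation checks would quietly run without the forced refresh. Keeping the flag at file scope next to `dirmngr_ctx`, and clearing it wherever the context is torn down, would make that coupling explicit. A comment on the declaration such as `/* Set once the per-connection OPTIONs were sent; must be reset if dirmngr_ctx is re-created. */` would record the invariant. The function body continues beyond this hunk.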
@@ -402,6 +406,15 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
option to dirmngr, so that no fallback CRL check is done after an
ocsp check. */
+ /* It is sufficient to send the options only once because we have
+ one connection per process only. */
+ if (!did_options)
+ {
+ if (opt.force_crl_refresh)
+ assuan_transact (dirmngr_ctx, "OPTION force-crl-refresh=1",
+ NULL, NULL, NULL, NULL, NULL, NULL);
+ did_options = 1;
+ }
snprintf (line, DIM(line)-1, "ISVALID %s", certid);
line[DIM(line)-1] = 0;
xfree (certid);
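Review bot: The result of `assuan_transact (dirmngr_ctx, "OPTION force-crl-refresh=1", ...)` is discarded and `did_options` is set to 1 regardless. If dirmngr rejects or does not know the option, the following `ISVALID` presumably runs against whatever CRL is cached, and the user who asked for a forced refresh gets no indication. I would capture the result with `rc = assuan_transact (dirmngr_ctx, "OPTION force-crl-refresh=1", NULL, NULL, NULL, NULL, NULL, NULL);` and set `did_options = 1;` only when `rc` is zero. On failure, either log a warning or release `certid` with `xfree` and return `rc`; which of the two is a policy choice, but a silent fallback is the risky one for a revocation control. The enclosing function starts and ends outside this hunk.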
diff --git a/sm/fingerprint.c b/sm/fingerprint.c
index 26d147f41..6755f8eb7 100644
--- a/sm/fingerprint.c
+++ b/sm/fingerprint.c
@@ -153,7 +153,7 @@ gpgsm_get_keygrip (ksba_cert_t cert, char *array)
return NULL; /* oops */
if (DBG_X509)
- log_debug ("get_keygrip for public key: %s\n", p);
+ log_debug ("get_keygrip for public key\n");
n = gcry_sexp_canon_len (p, 0, NULL, NULL);
if (!n)
{
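Review bot: The new `log_debug ("get_keygrip for public key\n");` carries no comment saying why `p` is no longer printed, which makes it easy for someone to put the `%s` back later. Judging by the `gcry_sexp_canon_len (p, 0, NULL, NULL)` call just below, `p` appears to be a canonical-encoded S-expression of unknown length and not a NUL-terminated string, so formatting it with `%s` could read past the buffer. A one-line comment above the log call would record that, e.g. `/* P is a canonical S-expression, not a C string; do not print it with %s. */`. If the key material is useful when debugging, a bounded hex dump after `n` has been validated would be the safe form. The function continues outside this hunk.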
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 047b356dd..7140e34ac 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -115,10 +115,11 @@ enum cmd_and_opt_values {
oDisableCRLChecks,
oEnableCRLChecks,
+ oForceCRLRefresh,
+
oDisableOCSP,
oEnableOCSP,
-
oIncludeCerts,
oPolicyFile,
oDisablePolicyChecks,
@@ -262,6 +263,7 @@ static ARGPARSE_OPTS opts[] = {
{ oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
{ oEnableCRLChecks, "enable-crl-checks", 0, "@"},
+ { oForceCRLRefresh, "force-crl-refresh", 0, "@"},
{ oDisableOCSP, "disable-ocsp", 0, "@" },
{ oEnableOCSP, "enable-ocsp", 0, N_("check validity using OCSP")},
@@ -931,6 +933,9 @@ main ( int argc, char **argv)
case oEnableCRLChecks:
opt.no_crl_check = 0;
break;
+ case oForceCRLRefresh:
+ opt.force_crl_refresh = 1;
+ break;
case oDisableOCSP:
ctrl.use_ocsp = opt.enable_ocsp = 0;
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 93487f002..d3fbc03ef 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -89,6 +89,7 @@ struct {
int ignore_time_conflict; /* Ignore certain time conflicts */
int no_crl_check; /* Don't do a CRL check */
+ int force_crl_refresh; /* Force refreshing the CRL. */
int enable_ocsp; /* Default to use OCSP checks. */
char *policy_file; /* full pathname of policy file */