HashAlgorithm AlgorithmIdentifier,
certificateHash OCTET STRING }
*/
-static const char oidstr_certHash[] = "1.3.36.8.3.13";
+/* static const char oidstr_certHash[] = "1.3.36.8.3.13"; */
return err;
}
if ( !(nread == bufsize-nbytes && !es_feof (fp)))
- { /* Response succesfully received. */
+ { /* Response successfully received. */
nbytes += nread;
*r_buffer = buffer;
*r_buflen = nbytes;
/* Construct an OCSP request, send it to the configured OCSP responder
and parse the response. On success the OCSP context may be used to
- further process the reponse. */
+ further process the response. */
static gpg_error_t
do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
const char *url, ksba_cert_t cert, ksba_cert_t issuer_cert)
(void)ctrl;
+ if (dirmngr_use_tor ())
+ {
+ /* For now we do not allow OCSP via Tor due to possible privacy
+ concerns. Needs further research. */
+ log_error (_("OCSP request not possible due to Tor mode\n"));
+ return gpg_error (GPG_ERR_NOT_SUPPORTED);
+ }
+
if (opt.disable_http)
{
log_error (_("OCSP request not possible due to disabled HTTP\n"));
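Review bot: The Tor guard added at the top of `do_ocsp_request` returns `GPG_ERR_NOT_SUPPORTED` without contacting the responder, but the header comment above the function still describes only the success path. The callers are not visible here, so it should be confirmed that they treat this code as "revocation status unknown" and not as a passed check. I would extend the header comment with `In Tor mode no request is sent and GPG_ERR_NOT_SUPPORTED is returned; the certificate status is then unknown.` The function body continues outside the hunk.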
once_more:
err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL,
- (opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0),
- opt.http_proxy, NULL, NULL, NULL);
+ ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
+ | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0)
+ | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)),
+ ctrl->http_proxy, NULL, NULL, NULL);
if (err)
{
log_error (_("error connecting to '%s': %s\n"), url, gpg_strerror (err));
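Review bot: The `HTTP_FLAG_FORCE_TOR` term in the new flags expression looks unreachable. Assuming this `http_open` call sits in `do_ocsp_request` (the enclosing function is not shown in the hunk), the guard added earlier already returns when `dirmngr_use_tor ()` is true. If the flag is kept on purpose, so that lifting the guard later cannot send the OCSP query over a direct connection, say so with a comment such as `/* Keep FORCE_TOR even though Tor mode returns early above; the request must never bypass Tor. */`. The call now also reads `ctrl->http_proxy`, so the `(void)ctrl;` statement at the top of the function is stale and can be dropped.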
}
xfree (fpr);
}
- else if (opt.system_daemon)
- {
- err = validate_cert_chain (ctrl, cert, NULL, VALIDATE_MODE_OCSP, NULL);
- }
else
{
/* We avoid duplicating the entire certificate validation code
reason == KSBA_CRLREASON_CA_COMPROMISE? "CA compromise":
reason == KSBA_CRLREASON_AFFILIATION_CHANGED?
"affiliation changed":
- reason == KSBA_CRLREASON_SUPERSEDED? "superseeded":
+ reason == KSBA_CRLREASON_SUPERSEDED? "superseded":
reason == KSBA_CRLREASON_CESSATION_OF_OPERATION?
"cessation of operation":
reason == KSBA_CRLREASON_CERTIFICATE_HOLD?