author | Werner Koch <[email protected]> | 2017-02-21 12:57:24 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2017-02-21 12:57:24 +0000 |
commit | d1625a9a82b1e5d96bbbf2132c49c53108565ae1 (patch) | |
tree | 91ae85fb1eeda69b2e2b7b8ccde66529e7259c44 | |
parent | dirmngr: Load "sks-keyservers.netCA.pem" into the cache. (diff) | |
dirmngr: Load --hkp-cacert values into the certificate cache.
* dirmngr/dirmngr.c (hkp_cacert_filenames): New var.
(parse_rereadable_options): Store filenames from --hkp-cacert in the
new var.
(main, dirmngr_sighup_action): Pass that var to cert_cache_init.
* dirmngr/certcache.c (cert_cache_init): Add arg 'hkp_cacert' and load
those certs.
(load_certs_from_file): Use autodetect so that PEM and DER encodings
are possible.
Signed-off-by: Werner Koch <[email protected]>
-rw-r--r-- | dirmngr/certcache.c | 10 | ||||
-rw-r--r-- | dirmngr/certcache.h | 2 | ||||
-rw-r--r-- | dirmngr/dirmngr.c | 20 |
3 files changed, 23 insertions, 9 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 61be57efd..47eea25cc 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -471,7 +471,8 @@ load_certs_from_file (const char *fname, unsigned int trustclasses,
     }
   err = gnupg_ksba_create_reader (&ioctx,
-                                  (GNUPG_KSBA_IO_PEM | GNUPG_KSBA_IO_MULTIPEM),
+                                  (GNUPG_KSBA_IO_AUTODETECT
+                                   | GNUPG_KSBA_IO_MULTIPEM),
                                   fp, &reader);
   if (err)
     {
@@ -686,9 +687,10 @@ load_certs_from_system (void)
 
 /* Initialize the certificate cache if not yet done. */
 void
-cert_cache_init (void)
+cert_cache_init (strlist_t hkp_cacerts)
 {
   char *fname;
+  strlist_t sl;
 
   if (initialization_done)
     return;
@@ -707,6 +709,10 @@ cert_cache_init (void)
   load_certs_from_dir (fname, 0);
   xfree (fname);
 
+  for (sl = hkp_cacerts; sl; sl = sl->next)
+    load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0);
+
+
   fname = make_filename_try (gnupg_datadir (),
                              "sks-keyservers.netCA.pem", NULL);
   if (fname)
diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h
index fec2ff4fe..92529bf11 100644
--- a/dirmngr/certcache.h
+++ b/dirmngr/certcache.h
@@ -31,7 +31,7 @@ enum {
 
 
 /* First time initialization of the certificate cache. */
-void cert_cache_init (void);
+void cert_cache_init (strlist_t hkp_cacerts);
 
 /* Deinitialize the certificate cache. */
 void cert_cache_deinit (int full);
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index f04d0881f..6b4cbcf2d 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -319,6 +319,10 @@ static int active_connections;
  * thread to run background network tasks. */
 static int network_activity_seen;
 
+/* A list of filenames registred with --hkp-cacert. */
+static strlist_t hkp_cacert_filenames;
+
+
 /* The timer tick used for housekeeping stuff. */
 #define TIMERTICK_INTERVAL (60)
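Review bot: The result of `load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0)` in the new loop of cert_cache_init is dropped, so a --hkp-cacert file that is missing or unreadable leaves the cache without that CA and nothing at this call site reports it; since these certificates decide which keyserver TLS peers are trusted, the failure should be visible rather than silent. The function presumably returns an error code (its body assigns `err` from gnupg_ksba_create_reader), so unless it already logs on its own, something like `if (load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0)) log_error ("error loading --hkp-cacert file '%s'\n", sl->d);` would do. Note also that the loop sits behind the unchanged `if (initialization_done) return;`, so a list passed on a later call is ignored unless cert_cache_deinit ran first; a one-line comment above the loop stating that would help callers. cert_cache_init's body continues outside the hunk.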
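Review bot: The comment above the changed prototype still reads only "First time initialization of the certificate cache" and says nothing about the new `hkp_cacerts` argument: what its entries are, whether it may be NULL, or who owns the list. The certcache.c hunk shows the function merely walking the list (the loop tolerates a NULL head) and reading `sl->d` without freeing anything, so I would extend the comment to: `/* First time initialization of the certificate cache.  HKP_CACERTS is a list of file names (may be NULL) whose certificates are loaded with trust class HKP; the list is only read here and remains owned by the caller. */`.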
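Review bot: The comment on the new file-scope variable `hkp_cacert_filenames` has a typo ("registred") and, as the only documentation of the list, should also say where it is consumed and when it is rebuilt, which the later hunks show (FREE_STRLIST in parse_rereadable_options, then cert_cache_init). Suggested wording: `/* File names registered with --hkp-cacert.  Rebuilt whenever the options are (re)read and passed to cert_cache_init.  */`.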
@@ -586,6 +590,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
         }
       FREE_STRLIST (opt.ignored_cert_extensions);
       http_register_tls_ca (NULL);
+      FREE_STRLIST (hkp_cacert_filenames);
       FREE_STRLIST (opt.keyserver);
       /* Note: We do not allow resetting of TOR_MODE_FORCE at runtime. */
       if (tor_mode != TOR_MODE_FORCE)
@@ -653,11 +658,14 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
 
     case oHkpCaCert:
       {
+        /* We need to register the filenames with gnutls (http.c) and
+         * also for our own cert cache. */
         char *tmpname;
 
         /* Do tilde expansion and make path absolute. */
         tmpname = make_absfilename (pargs->r.ret_str, NULL);
         http_register_tls_ca (tmpname);
+        add_to_strlist (&hkp_cacert_filenames, pargs->r.ret_str);
         xfree (tmpname);
       }
       break;
@@ -1069,7 +1077,7 @@ main (int argc, char **argv)
 
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       http_register_netactivity_cb (netactivity_action);
       start_command_handler (ASSUAN_INVALID_FD);
@@ -1104,7 +1112,7 @@ main (int argc, char **argv)
       log_set_prefix (NULL, 0);
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       http_register_netactivity_cb (netactivity_action);
       handle_connections (3);
@@ -1311,7 +1319,7 @@ main (int argc, char **argv)
 #endif
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       http_register_netactivity_cb (netactivity_action);
       handle_connections (fd);
@@ -1333,7 +1341,7 @@ main (int argc, char **argv)
       dirmngr_init_default_ctrl (&ctrlbuf);
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       if (!argc)
         rc = crl_cache_load (&ctrlbuf, NULL);
@@ -1356,7 +1364,7 @@ main (int argc, char **argv)
       dirmngr_init_default_ctrl (&ctrlbuf);
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       rc = crl_fetch (&ctrlbuf, argv[0], &reader);
       if (rc)
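Review bot: In the oHkpCaCert case the two consumers of one --hkp-cacert value now receive different strings: http_register_tls_ca gets `tmpname`, the tilde-expanded absolute path from make_absfilename, while the new `add_to_strlist (&hkp_cacert_filenames, pargs->r.ret_str)` records the raw option text. A value such as `~/.gnupg/hkp-ca.pem`, or a path relative to the start directory, will therefore be found by the TLS layer but — unless load_certs_from_file performs its own expansion, which this hunk does not show — not by the certificate cache, and the two trust stores quietly diverge. Store the expanded name instead, `add_to_strlist (&hkp_cacert_filenames, tmpname);`, placed before the `xfree (tmpname)` since add_to_strlist takes a copy. parse_rereadable_options continues outside the hunk.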
@@ -1769,7 +1777,7 @@ dirmngr_sighup_action (void)
   reread_configuration ();
   cert_cache_deinit (0);
   crl_cache_deinit ();
-  cert_cache_init ();
+  cert_cache_init (hkp_cacert_filenames);
   crl_cache_init ();
   reload_dns_stuff (0);
   ks_hkp_reload ();