author | Werner Koch <[email protected]> | 2020-09-10 07:13:59 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2020-09-10 08:50:39 +0000 |
commit | faabc49797df43c4904b6230f83e8c6677e88b22 (patch) | |
tree | 906e753ef8d8878eeca2d8292dde734d1edba6e5 | |
parent | scd: Flush KDF DO (0x00F9) when it's being set. (diff) | |
dirmngr: Align the gnutls use of CAs with the ntbtls code.
* dirmngr/http.c (http_session_new) <gnutls>: Use only the special
pool certificate for the default keyserver.
--
The gnutls version uses a different strategy than the ntbtls version
on when to use the special SKS pool certificate. This patch aligns it
so that we don't need to wonder about different kinds of bug reports.
In short the special cert is now the only cert used with the default
keyserver.
Signed-off-by: Werner Koch <[email protected]>
-rw-r--r-- | dirmngr/certcache.c | 3 | ||||
-rw-r--r-- | dirmngr/http-ntbtls.c | 6 | ||||
-rw-r--r-- | dirmngr/http.c | 19 |
3 files changed, 18 insertions, 10 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 5486997b6..87f605eab 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -721,6 +721,9 @@ cert_cache_init (strlist_t hkp_cacerts)
       load_certs_from_dir (fname, 0);
       xfree (fname);
 
+      /* Put the special pool certificate into our store. This is
+       * currently only used with ntbtls. For GnuTLS http_session_new
+       * unfortunately loads that certificate directly from the file. */
       fname = make_filename_try (gnupg_datadir (),
                                  "sks-keyservers.netCA.pem", NULL);
       if (fname)
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 924b8b25f..ae5cf5519 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -77,8 +77,10 @@ gnupg_http_tls_verify_cb (void *opaque,
   validate_flags = VALIDATE_FLAG_TLS;
 
-  /* If we are using the standard hkps:// pool use the dedicated
-   * root certificate. */
+  /* If we are using the standard hkps:// pool use the dedicated root
+   * certificate. Note that this differes from the GnuTLS
+   * implementation which uses this special certificate only if no
+   * other certificates are configured. */
   hostname = ntbtls_get_hostname (tls);
   if (hostname && !ascii_strcasecmp (hostname, get_default_keyserver (1)))
diff --git a/dirmngr/http.c b/dirmngr/http.c
index f3d98e14b..bfbc30276 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -765,10 +765,9 @@ http_session_new (http_session_t *r_session,
                  && !ascii_strcasecmp (intended_hostname,
                                        get_default_keyserver (1)));
 
-  /* If the user has not specified a CA list, and they are looking
-   * for the hkps pool from sks-keyservers.net, then default to
-   * Kristian's certificate authority: */
-  if (!tls_ca_certlist && is_hkps_pool)
+  /* If we are looking for the hkps pool from sks-keyservers.net,
+   * then forcefully use its dedicated certificate authority. */
+  if (is_hkps_pool)
     {
       char *pemname = make_filename_try (gnupg_datadir (),
                                         "sks-keyservers.netCA.pem", NULL);
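Review bot: The rewritten comment in the http-ntbtls.c hunk describes the GnuTLS behaviour that this same commit removes: http.c now enters the `if (is_hkps_pool)` branch unconditionally, so the special certificate is no longer used "only if no other certificates are configured", and the note will mislead the next reader; it also misspells "differs". Suggested replacement for the last three comment lines: `* certificate.  This matches the GnuTLS code in http_session_new,` / `* which likewise uses only this certificate for the default keyserver` / `* and consults neither hkp-cacert entries nor the system CAs for it.  */`. gnupg_http_tls_verify_cb starts before the hunk and the body of the `if (hostname ...)` test continues after it.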
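Review bot: The new comment above `if (is_hkps_pool)` in the http.c hunk should spell out what dropping the `!tls_ca_certlist` test implies: for the default keyserver a user-configured hkp-cacert list and the system CAs are now deliberately not consulted (the later hunks exclude them with `&& !is_hkps_pool`), so someone who pinned their own CA for the pool will see verification fail with no hint in the code why. Suggested wording: `/* If we are looking for the hkps pool from sks-keyservers.net, forcefully use only its dedicated certificate authority; hkp-cacert entries and the system CAs are ignored for it (same policy as the ntbtls verify callback).  */`. If the bundled PEM cannot be loaded the pool session presumably ends up with no trust anchors at all, which fails closed, but that handling lies between this hunk and the next and is not visible here. http_session_new begins before the hunk and continues past it.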
@@ -788,11 +787,12 @@ http_session_new (http_session_t *r_session,
           xfree (pemname);
         }
-      add_system_cas = 0;
+      if (is_hkps_pool)
+        add_system_cas = 0;
     }
 
   /* Add configured certificates to the session. */
-  if ((flags & HTTP_FLAG_TRUST_DEF))
+  if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool)
     {
       for (sl = tls_ca_certlist; sl; sl = sl->next)
         {
@@ -803,7 +803,10 @@ http_session_new (http_session_t *r_session,
               log_info ("setting CA from file '%s' failed: %s\n",
                         sl->d, gnutls_strerror (rc));
         }
-      if (!tls_ca_certlist && !is_hkps_pool)
+
+      /* If HKP trust is requested and there are no HKP certificates
+       * configured, also try the standard system certificates. */
+      if (!tls_ca_certlist)
         add_system_cas = 1;
     }
 
@@ -825,7 +828,7 @@ http_session_new (http_session_t *r_session,
     }
 
   /* Add other configured certificates to the session. */
-  if ((flags & HTTP_FLAG_TRUST_CFG))
+  if ((flags & HTTP_FLAG_TRUST_CFG) && !is_hkps_pool)
     {
       for (sl = cfg_ca_certlist; sl; sl = sl->next)
         {
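Review bot: The added `if (is_hkps_pool)` guard around `add_system_cas = 0;` appears to sit inside the block that the previous hunk opens with `if (is_hkps_pool)`, in which case it is always true and only obscures the logic; if that reading holds, keep the plain `add_system_cas = 0;` and rely on the enclosing condition. The lines between the two hunks are not in the diff, so confirm the block nesting before removing it. The `&& !is_hkps_pool` exclusion added to the `HTTP_FLAG_TRUST_DEF` and `HTTP_FLAG_TRUST_CFG` tests in the following hunks is consistent with the commit's stated intent of making the bundled certificate the only trust anchor for the default keyserver. http_session_new starts before the hunk and continues after it.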