From 070211eb990f5ea41271eba432b6a6b485cef7c7 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 17 Feb 2017 16:39:48 +0100
Subject: dirmngr: Add options --tls and --systrust to the VALIDATE cmd.

* dirmngr/certcache.h (certlist_s, certlist_t): New.
* dirmngr/certcache.c (read_certlist_from_stream): New.
(release_certlist): New.
* dirmngr/server.c (MAX_CERTLIST_LENGTH): New.
(cmd_validate): Add options --tls and --systrust. Implement them using a kludge for now.
* dirmngr/validate.c (validate_cert_chain): Support systrust checking. Add kludge to disable the CRL checking for tls mode.
--
This can now be used to test a list of certificates as returned by TLS. Put the certs PEM encoded into a a file certlist.pem with the target certificate being the first. Then run
gpg-connect-agent --dirmngr \
'/definqfile CERTLIST wiki-gnupg-chain.pem' \
'validate --systrust --tls' /bye
CRLS check has been disabled becuase we can't yet pass the systrust flag to the CRL checking code.
Signed-off-by: Werner Koch
---
dirmngr/certcache.h | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'dirmngr/certcache.h')
diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h
index ac93ee699..1f8670673 100644
--- a/dirmngr/certcache.h
+++ b/dirmngr/certcache.h
@@ -46,7 +46,6 @@ gpg_error_t cache_cert_silent (ksba_cert_t cert, void *fpr_buffer);
 * provided certificates are considered trusted. */
 gpg_error_t is_trusted_cert (ksba_cert_t cert, int with_systrust);
-
 /* Return a certificate object for the given fingerprint. FPR is expected to be a 20 byte binary SHA-1 fingerprint. If no matching certificate is available in the cache NULL is returned. The caller
@@ -100,5 +99,18 @@ gpg_error_t find_issuing_cert (ctrl_t ctrl,
+/* A simple list of certificates. */
+struct certlist_s
+{
+ struct certlist_s *next;
+ ksba_cert_t cert;
+ unsigned char fpr[20]; /* of the certificate. */
+};
+typedef struct certlist_s *certlist_t;
+
+gpg_error_t read_certlist_from_stream (certlist_t *r_certlist, estream_t fp);
+void release_certlist (certlist_t cl);
+
+
 #endif /*CERTCACHE_H*/
-- cgit v1.2.3
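Review bot: The two new prototypes at the end of this hunk carry no comment, while the other declarations in this header (the `is_trusted_cert` comment in the previous hunk, for instance) spell out their contract; in particular neither the ownership of the returned list nor the error behaviour of `read_certlist_from_stream` is stated. I would add above it a comment saying that it reads every certificate from FP into a newly allocated list stored at R_CERTLIST in stream order, that the caller must free that list with `release_certlist`, and what `*r_certlist` holds when an error code is returned. The prototype also offers no way to bound how many certificates or bytes are consumed, so the limit the commit message names (MAX_CERTLIST_LENGTH in server.c) presumably has to be applied by the caller before the data reaches the stream; stating in the comment which side is responsible keeps a later caller from handing it an unbounded stream. A one-liner such as `/* Release the list CL and all certificates it holds. */` above `release_certlist`, and expanding the `fpr` comment to `/* SHA-1 fingerprint of CERT. */`, would complete the documentation.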