From 831d014550863026dfefa774c961a21bd20c1e48 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 21 Feb 2017 14:55:04 +0100 Subject: dirmngr: Add special treatment for the standard hkps pool to ntbtls. * dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove (VALIDATE_FLAG_EXTRATRUST): Remove (VALIDATE_FLAG_TRUST_SYSTEM): New. (VALIDATE_FLAG_TRUST_CONFIG): New. (VALIDATE_FLAG_TRUST_HKP): New. (VALIDATE_FLAG_TRUST_HKPSPOOL): New. (VALIDATE_FLAG_MASK_TRUST): New. * dirmngr/validate.c (check_header_constants): New. (validate_cert_chain): Call new function. Simplify call to is_trusted_cert. * dirmngr/crlcache.c (crl_parse_insert): Pass VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain * dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and VALIDATE_FLAG_TRUST_CONFIG. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS context. Set trustclass flags using the new VALIDATE_FLAG_TRUST values. * dirmngr/certcache.c (cert_cache_init): Load the standard pool certificate prior to the --hkp-cacerts. -- Note that this changes the way the standard cert is used: We require that it is installed at /usr/share/gnupg and we do not allow to change it. If this is not desired, the the standard cert can be removed or replaced by a newer one. Signed-off-by: Werner Koch --- dirmngr/server.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'dirmngr/server.c') diff --git a/dirmngr/server.c b/dirmngr/server.c index f726d1b35..961bba07d 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -1852,8 +1852,9 @@ cmd_validate (assuan_context_t ctx, char *line) } err = validate_cert_chain (ctrl, cert, NULL, - ((tls_mode ? VALIDATE_FLAG_TLS : 0) - | (systrust_mode ? VALIDATE_FLAG_SYSTRUST : 0) + (VALIDATE_FLAG_TRUST_CONFIG + | (tls_mode ? VALIDATE_FLAG_TLS : 0) + | (systrust_mode ? VALIDATE_FLAG_TRUST_SYSTEM : 0) | (no_crl ? VALIDATE_FLAG_NOCRLCHECK : 0)), NULL); -- cgit v1.2.3