From 070211eb990f5ea41271eba432b6a6b485cef7c7 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 17 Feb 2017 16:39:48 +0100 Subject: dirmngr: Add options --tls and --systrust to the VALIDATE cmd. * dirmngr/certcache.h (certlist_s, certlist_t): New. * dirmngr/certcache.c (read_certlist_from_stream): New. (release_certlist): New. * dirmngr/server.c (MAX_CERTLIST_LENGTH): New. (cmd_validate): Add options --tls and --systrust. Implement them using a kludge for now. * dirmngr/validate.c (validate_cert_chain): Support systrust checking. Add kludge to disable the CRL checking for tls mode. -- This can now be used to test a list of certificates as returned by TLS. Put the certs PEM encoded into a a file certlist.pem with the target certificate being the first. Then run gpg-connect-agent --dirmngr \ '/definqfile CERTLIST wiki-gnupg-chain.pem' \ 'validate --systrust --tls' /bye CRLS check has been disabled becuase we can't yet pass the systrust flag to the CRL checking code. Signed-off-by: Werner Koch --- dirmngr/validate.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'dirmngr/validate.c') diff --git a/dirmngr/validate.c b/dirmngr/validate.c index 5081ae0f7..8fb2df2c3 100644 --- a/dirmngr/validate.c +++ b/dirmngr/validate.c @@ -233,8 +233,8 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) int any_crl_too_old = 0; chain_item_t ci; - assert (ctrl->check_revocations_nest_level >= 0); - assert (chain); + log_assert (ctrl->check_revocations_nest_level >= 0); + log_assert (chain); if (ctrl->check_revocations_nest_level > 10) { @@ -551,7 +551,9 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, if (err) goto leave; /* No. */ - err = is_trusted_cert (subject_cert, 0); + err = is_trusted_cert (subject_cert, + (mode == VALIDATE_MODE_CERT_SYSTRUST + || mode == VALIDATE_MODE_TLS_SYSTRUST)); if (!err) ; /* Yes we trust this cert. */ else if (gpg_err_code (err) == GPG_ERR_NOT_TRUSTED) @@ -772,7 +774,9 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, * our validity results to avoid double work. Far worse a * catch-22 may happen for an improper setup hierarchy and we * need a way to break up such a deadlock. */ - err = check_revocations (ctrl, chain); + if (mode != VALIDATE_MODE_TLS_SYSTRUST) + err = check_revocations (ctrl, chain); +#warning fix the above } if (!err && opt.verbose) -- cgit v1.2.3