From 9a1a5ca0bc2cfb17ccf632de3e134b6d789c6855 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 16 Feb 2017 18:58:27 +0100
Subject: dirmngr: Load all system provided certificates.
* configure.ac: Add option --default-trust-store. (DEFAULT_TRUST_STORE_FILE): New ac_define. * dirmngr/certcache.c: Include ksba-io-support.h. (total_trusted_certificates, total_system_trusted_certificates): New. (put_cert): Manage the new counters. (cert_cache_deinit): Reset them. (cert_cache_print_stats): Print them. (is_trusted_cert): Add arg WITH_SYSTRUST. Change all callers to pass false. (load_certs_from_file): New. (load_certs_from_system): New. (cert_cache_init): Load system certificates. -- Note that this code does not yet allow to load the system certificates on Windows.
Signed-off-by: Werner Koch
---
 dirmngr/validate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'dirmngr/validate.c')
diff --git a/dirmngr/validate.c b/dirmngr/validate.c
index 68e1bb387..4139c2262 100644
--- a/dirmngr/validate.c
+++ b/dirmngr/validate.c
@@ -189,7 +189,7 @@ allowed_ca (ksba_cert_t cert, int *chainlen)
 return err;
 if (!flag)
 {
- if (!is_trusted_cert (cert))
+ if (!is_trusted_cert (cert, 0))
 {
 /* The German SigG Root CA's certificate does not flag itself as a CA; thus we relax this requirement if we
@@ -537,7 +537,7 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
 if (err)
 goto leave; /* No. */
- err = is_trusted_cert (subject_cert);
+ err = is_trusted_cert (subject_cert, 0);
 if (!err)
 ; /* Yes we trust this cert. */
 else if (gpg_err_code (err) == GPG_ERR_NOT_TRUSTED)
-- cgit v1.2.3
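Review bot: The bare `0` passed as the new second argument of is_trusted_cert() in allowed_ca, and again in validate_cert_chain, does not say what is being switched off, although both calls are trust decisions. Going by the commit message the argument is WITH_SYSTRUST, so these callers presumably keep excluding the system-provided certificates; in allowed_ca that matters because the visible comment says the CA-flag requirement is relaxed on this path. I would state the intent at the call, e.g. `if (!is_trusted_cert (cert, 0 /* with_systrust: no */))`, or put `/* System-provided certificates are deliberately not accepted here. */` above each call if that is the intent. Both functions start and end outside the hunks, and is_trusted_cert itself is not shown in this file-limited view, so the exact meaning of the flag should be confirmed against dirmngr/certcache.c.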