From 831d014550863026dfefa774c961a21bd20c1e48 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 21 Feb 2017 14:55:04 +0100 Subject: dirmngr: Add special treatment for the standard hkps pool to ntbtls. * dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove (VALIDATE_FLAG_EXTRATRUST): Remove (VALIDATE_FLAG_TRUST_SYSTEM): New. (VALIDATE_FLAG_TRUST_CONFIG): New. (VALIDATE_FLAG_TRUST_HKP): New. (VALIDATE_FLAG_TRUST_HKPSPOOL): New. (VALIDATE_FLAG_MASK_TRUST): New. * dirmngr/validate.c (check_header_constants): New. (validate_cert_chain): Call new function. Simplify call to is_trusted_cert. * dirmngr/crlcache.c (crl_parse_insert): Pass VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain * dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and VALIDATE_FLAG_TRUST_CONFIG. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS context. Set trustclass flags using the new VALIDATE_FLAG_TRUST values. * dirmngr/certcache.c (cert_cache_init): Load the standard pool certificate prior to the --hkp-cacerts. -- Note that this changes the way the standard cert is used: We require that it is installed at /usr/share/gnupg and we do not allow to change it. If this is not desired, the the standard cert can be removed or replaced by a newer one. Signed-off-by: Werner Koch --- dirmngr/validate.h | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'dirmngr/validate.h') diff --git a/dirmngr/validate.h b/dirmngr/validate.h index b6222b51f..c7082e3d1 100644 --- a/dirmngr/validate.h +++ b/dirmngr/validate.h @@ -22,28 +22,30 @@ #define VALIDATE_H -/* Make use of the system provided root certificates. */ -#define VALIDATE_FLAG_SYSTRUST 1 - -/* Make use of extra provided root certificates. */ -#define VALIDATE_FLAG_EXTRATRUST 2 +/* Flag values matching the CERTTRUST_CLASS values and a MASK for + * them. check_header_constants() checks their consistency. */ +#define VALIDATE_FLAG_TRUST_SYSTEM 1 +#define VALIDATE_FLAG_TRUST_CONFIG 2 +#define VALIDATE_FLAG_TRUST_HKP 4 +#define VALIDATE_FLAG_TRUST_HKPSPOOL 8 +#define VALIDATE_FLAG_MASK_TRUST 0x0f /* Standard CRL issuer certificate validation; i.e. CRLs are not * considered for CRL issuer certificates. */ -#define VALIDATE_FLAG_CRL 4 +#define VALIDATE_FLAG_CRL 64 /* If this flag is set along with VALIDATE_FLAG_CRL a full CRL * verification is done. */ -#define VALIDATE_FLAG_RECURSIVE 8 +#define VALIDATE_FLAG_RECURSIVE 128 /* Validation mode as used for OCSP. */ -#define VALIDATE_FLAG_OCSP 16 +#define VALIDATE_FLAG_OCSP 256 /* Validation mode as used with TLS. */ -#define VALIDATE_FLAG_TLS 32 +#define VALIDATE_FLAG_TLS 512 /* Don't do CRL checks. */ -#define VALIDATE_FLAG_NOCRLCHECK 64 +#define VALIDATE_FLAG_NOCRLCHECK 1024 /* Validate the certificate CHAIN up to the trust anchor. Optionally -- cgit v1.2.3