dirmngr: Add options --tls and --systrust to the VALIDATE cmd.

* dirmngr/certcache.h (certlist_s, certlist_t): New.
* dirmngr/certcache.c (read_certlist_from_stream): New.
(release_certlist): New.
* dirmngr/server.c (MAX_CERTLIST_LENGTH): New.
(cmd_validate): Add options --tls and --systrust.  Implement them
using a kludge for now.
* dirmngr/validate.c (validate_cert_chain): Support systrust
checking.  Add kludge to disable the CRL checking for tls mode.
--

This can now be used to test a list of certificates as returned by
TLS.  Put the certs PEM encoded into a a file certlist.pem with the
target certificate being the first.  Then run

  gpg-connect-agent --dirmngr \
    '/definqfile CERTLIST wiki-gnupg-chain.pem' \
    'validate --systrust --tls' /bye

CRLS check has been disabled becuase we can't yet pass the systrust
flag to the CRL checking code.

Signed-off-by: Werner Koch <[email protected]>

1 files changed, 13 insertions, 1 deletions

diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h
index ac93ee699..1f8670673 100644
--- a/dirmngr/certcache.h
+++ b/dirmngr/certcache.h
@@ -46,7 +46,6 @@ gpg_error_t cache_cert_silent (ksba_cert_t cert, void *fpr_buffer);
  * provided certificates are considered trusted.  */
 gpg_error_t is_trusted_cert (ksba_cert_t cert, int with_systrust);
 
-
 /* Return a certificate object for the given fingerprint.  FPR is
    expected to be a 20 byte binary SHA-1 fingerprint.  If no matching
    certificate is available in the cache NULL is returned.  The caller
@@ -100,5 +99,18 @@ gpg_error_t find_issuing_cert (ctrl_t ctrl,
 
 
 
+/* A simple list of certificates.  */
+struct certlist_s
+{
+  struct certlist_s *next;
+  ksba_cert_t cert;
+  unsigned char fpr[20];  /* of the certificate.  */
+};
+typedef struct certlist_s *certlist_t;
+
+gpg_error_t read_certlist_from_stream (certlist_t *r_certlist, estream_t fp);
+void release_certlist (certlist_t cl);
+
+
 
 #endif /*CERTCACHE_H*/