diff options
| author | Werner Koch <[email protected]> | 2017-02-17 15:39:48 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2017-02-17 15:41:02 +0000 |
| commit | 070211eb990f5ea41271eba432b6a6b485cef7c7 (patch) | |
| tree | df547fb8197e445666906f4a0ee5f37fda512e9d /dirmngr/validate.c | |
| parent | dirmngr: Remove use of hardcoded numbers in validate. (diff) | |
| download | gnupg-070211eb990f5ea41271eba432b6a6b485cef7c7.tar.gz gnupg-070211eb990f5ea41271eba432b6a6b485cef7c7.zip | |
dirmngr: Add options --tls and --systrust to the VALIDATE cmd.
* dirmngr/certcache.h (certlist_s, certlist_t): New.
* dirmngr/certcache.c (read_certlist_from_stream): New.
(release_certlist): New.
* dirmngr/server.c (MAX_CERTLIST_LENGTH): New.
(cmd_validate): Add options --tls and --systrust. Implement them
using a kludge for now.
* dirmngr/validate.c (validate_cert_chain): Support systrust
checking. Add kludge to disable the CRL checking for tls mode.
--
This can now be used to test a list of certificates as returned by
TLS. Put the certs PEM encoded into a a file certlist.pem with the
target certificate being the first. Then run
gpg-connect-agent --dirmngr \
'/definqfile CERTLIST wiki-gnupg-chain.pem' \
'validate --systrust --tls' /bye
CRLS check has been disabled becuase we can't yet pass the systrust
flag to the CRL checking code.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to '')
| -rw-r--r-- | dirmngr/validate.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/dirmngr/validate.c b/dirmngr/validate.c index 5081ae0f7..8fb2df2c3 100644 --- a/dirmngr/validate.c +++ b/dirmngr/validate.c @@ -233,8 +233,8 @@ check_revocations (ctrl_t ctrl, chain_item_t chain) int any_crl_too_old = 0; chain_item_t ci; - assert (ctrl->check_revocations_nest_level >= 0); - assert (chain); + log_assert (ctrl->check_revocations_nest_level >= 0); + log_assert (chain); if (ctrl->check_revocations_nest_level > 10) { @@ -551,7 +551,9 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, if (err) goto leave; /* No. */ - err = is_trusted_cert (subject_cert, 0); + err = is_trusted_cert (subject_cert, + (mode == VALIDATE_MODE_CERT_SYSTRUST + || mode == VALIDATE_MODE_TLS_SYSTRUST)); if (!err) ; /* Yes we trust this cert. */ else if (gpg_err_code (err) == GPG_ERR_NOT_TRUSTED) @@ -772,7 +774,9 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, * our validity results to avoid double work. Far worse a * catch-22 may happen for an improper setup hierarchy and we * need a way to break up such a deadlock. */ - err = check_revocations (ctrl, chain); + if (mode != VALIDATE_MODE_TLS_SYSTRUST) + err = check_revocations (ctrl, chain); +#warning fix the above } if (!err && opt.verbose) |