authorWerner Koch <[email protected]>2017-02-21 11:23:20 +0000
committerWerner Koch <[email protected]>2017-02-21 11:23:20 +0000
commit50b9828eacc39c1ca75cb8313db896e4bdc8b270 (patch)
treeef0134a5cd300e6687146b916c3e4e79adcfabe3 /dirmngr/validate.c
parentdirmngr: New Assuan option "http-crl". (diff)
dirmngr: Implement trust classes for the cert cache.
* dirmngr/certcache.h (CERTTRUST_CLASS_SYSTEM): New. (CERTTRUST_CLASS_CONFIG): New. (CERTTRUST_CLASS_HKP): New. (CERTTRUST_CLASS_HKPSPOOL): New. * dirmngr/certcache.c (MAX_EXTRA_CACHED_CERTS): Rename to ... (MAX_NONPERM_CACHED_CERTS): this. (total_extra_certificates): Rename to ... (total_nonperm_certificates): this. (total_config_certificates): Remove. (total_trusted_certificates): Remove. (total_system_trusted_certificates): Remove. (cert_item_s): Remove field 'flags'. Add fields 'permanent' and 'trustclasses'. (clean_cache_slot): Clear new fields. (put_cert): Change for new cert_item_t structure. (load_certs_from_dir): Rename arg 'are_trusted' to 'trustclass'. (load_certs_from_file): Use CERTTRUST_CLASS_ value for put_cert. (load_certs_from_w32_store): Ditto. (cert_cache_init): Ditto. (cert_cache_print_stats): Rewrite. (is_trusted_cert): Replace arg 'with_systrust' by 'trustclasses'. Change the test. * dirmngr/validate.c (allowed_ca): Pass CERTTRUST_CLASS_CONFIG to is_trusted_cert. (validate_cert_chain): Pass CERTTRUST_CLASS_ values to is_trusted_cert. -- These trust classes make it easier to select certain sets of root certificates. Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'dirmngr/validate.c')
-rw-r--r--dirmngr/validate.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/dirmngr/validate.c b/dirmngr/validate.c
index 1599a8d5a..5bd784fe1 100644
--- a/dirmngr/validate.c
+++ b/dirmngr/validate.c
@@ -203,7 +203,7 @@ allowed_ca (ksba_cert_t cert, int *chainlen)
return err;
if (!flag)
{
- if (!is_trusted_cert (cert, 0))
+ if (!is_trusted_cert (cert, CERTTRUST_CLASS_CONFIG))
{
/* The German SigG Root CA's certificate does not flag
itself as a CA; thus we relax this requirement if we
@@ -540,8 +540,10 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
if (err)
goto leave; /* No. */
- err = is_trusted_cert (subject_cert,
- !!(flags & VALIDATE_FLAG_SYSTRUST));
+ err = is_trusted_cert
+ (subject_cert,
+ (CERTTRUST_CLASS_CONFIG
+ | (flags & VALIDATE_FLAG_SYSTRUST)? CERTTRUST_CLASS_SYSTEM : 0));
if (!err)
; /* Yes we trust this cert. */
else if (gpg_err_code (err) == GPG_ERR_NOT_TRUSTED)
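Review bot: The trust-class argument of the new is_trusted_cert call in validate_cert_chain is mis-parenthesised: `|` binds tighter than `?:`, so it parses as `(CERTTRUST_CLASS_CONFIG | (flags & VALIDATE_FLAG_SYSTRUST)) ? CERTTRUST_CLASS_SYSTEM : 0`. Assuming CERTTRUST_CLASS_CONFIG is a non-zero bit (it is defined in certcache.h, which is not shown here), the condition is always true and the call always passes CERTTRUST_CLASS_SYSTEM alone. That would accept system roots even when VALIDATE_FLAG_SYSTRUST is not set, and the config class would never be requested. Parenthesise the conditional instead: `(CERTTRUST_CLASS_CONFIG | ((flags & VALIDATE_FLAG_SYSTRUST) ? CERTTRUST_CLASS_SYSTEM : 0))`. The body of validate_cert_chain starts and ends outside this hunk, so how the result is used further down should be checked against the full file.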