diff options
| author | Werner Koch <[email protected]> | 2017-02-21 13:55:04 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2017-02-21 13:55:04 +0000 |
| commit | 831d014550863026dfefa774c961a21bd20c1e48 (patch) | |
| tree | a7ab8eb014de4a48375a4f3242e61aa7bfcef9b2 /dirmngr/validate.c | |
| parent | dirmngr: Load --hkp-cacert values into the certificate cache. (diff) | |
| download | gnupg-831d014550863026dfefa774c961a21bd20c1e48.tar.gz gnupg-831d014550863026dfefa774c961a21bd20c1e48.zip | |
dirmngr: Add special treatment for the standard hkps pool to ntbtls.
* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove
(VALIDATE_FLAG_EXTRATRUST): Remove
(VALIDATE_FLAG_TRUST_SYSTEM): New.
(VALIDATE_FLAG_TRUST_CONFIG): New.
(VALIDATE_FLAG_TRUST_HKP): New.
(VALIDATE_FLAG_TRUST_HKPSPOOL): New.
(VALIDATE_FLAG_MASK_TRUST): New.
* dirmngr/validate.c (check_header_constants): New.
(validate_cert_chain): Call new function. Simplify call to
is_trusted_cert.
* dirmngr/crlcache.c (crl_parse_insert): Pass
VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain
* dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and
VALIDATE_FLAG_TRUST_CONFIG.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS
context. Set trustclass flags using the new VALIDATE_FLAG_TRUST
values.
* dirmngr/certcache.c (cert_cache_init): Load the standard pool
certificate prior to the --hkp-cacerts.
--
Note that this changes the way the standard cert is used: We require
that it is installed at /usr/share/gnupg and we do not allow to change
it. If this is not desired, the the standard cert can be removed or
replaced by a newer one.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'dirmngr/validate.c')
| -rw-r--r-- | dirmngr/validate.c | 30 |
1 files changed, 26 insertions, 4 deletions
diff --git a/dirmngr/validate.c b/dirmngr/validate.c index 5bd784fe1..3671a8b9e 100644 --- a/dirmngr/validate.c +++ b/dirmngr/validate.c @@ -74,6 +74,29 @@ static const char oid_kp_ocspSigning[] = "1.3.6.1.5.5.7.3.9"; static gpg_error_t check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert); +/* Make sure that the values defined in the headers are correct. We + * can't use the preprocessor due to the use of enums. */ +static void +check_header_constants (void) +{ + log_assert (CERTTRUST_CLASS_SYSTEM == VALIDATE_FLAG_TRUST_SYSTEM); + log_assert (CERTTRUST_CLASS_CONFIG == VALIDATE_FLAG_TRUST_CONFIG); + log_assert (CERTTRUST_CLASS_HKP == VALIDATE_FLAG_TRUST_HKP); + log_assert (CERTTRUST_CLASS_HKPSPOOL == VALIDATE_FLAG_TRUST_HKPSPOOL); + +#undef X +#define X (VALIDATE_FLAG_TRUST_SYSTEM | VALIDATE_FLAG_TRUST_CONFIG \ + | VALIDATE_FLAG_TRUST_HKP | VALIDATE_FLAG_TRUST_HKPSPOOL) + +#if ( X & VALIDATE_FLAG_MASK_TRUST ) != X +# error VALIDATE_FLAG_MASK_TRUST is bad +#endif +#if ( ~X & VALIDATE_FLAG_MASK_TRUST ) +# error VALIDATE_FLAG_MASK_TRUST is bad +#endif + +#undef X +} /* Check whether CERT contains critical extensions we don't know @@ -393,6 +416,7 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, int any_no_policy_match = 0; chain_item_t chain; + check_header_constants (); if (r_exptime) *r_exptime = 0; @@ -540,10 +564,8 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime, if (err) goto leave; /* No. */ - err = is_trusted_cert - (subject_cert, - (CERTTRUST_CLASS_CONFIG - | (flags & VALIDATE_FLAG_SYSTRUST)? CERTTRUST_CLASS_SYSTEM : 0)); + err = is_trusted_cert (subject_cert, + (flags & VALIDATE_FLAG_MASK_TRUST)); if (!err) ; /* Yes we trust this cert. */ else if (gpg_err_code (err) == GPG_ERR_NOT_TRUSTED) |