diff options
| author | Werner Koch <[email protected]> | 2017-02-21 13:55:04 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2017-02-21 13:55:04 +0000 |
| commit | 831d014550863026dfefa774c961a21bd20c1e48 (patch) | |
| tree | a7ab8eb014de4a48375a4f3242e61aa7bfcef9b2 /dirmngr/validate.h | |
| parent | dirmngr: Load --hkp-cacert values into the certificate cache. (diff) | |
| download | gnupg-831d014550863026dfefa774c961a21bd20c1e48.tar.gz gnupg-831d014550863026dfefa774c961a21bd20c1e48.zip | |
dirmngr: Add special treatment for the standard hkps pool to ntbtls.
* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove
(VALIDATE_FLAG_EXTRATRUST): Remove
(VALIDATE_FLAG_TRUST_SYSTEM): New.
(VALIDATE_FLAG_TRUST_CONFIG): New.
(VALIDATE_FLAG_TRUST_HKP): New.
(VALIDATE_FLAG_TRUST_HKPSPOOL): New.
(VALIDATE_FLAG_MASK_TRUST): New.
* dirmngr/validate.c (check_header_constants): New.
(validate_cert_chain): Call new function. Simplify call to
is_trusted_cert.
* dirmngr/crlcache.c (crl_parse_insert): Pass
VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain
* dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and
VALIDATE_FLAG_TRUST_CONFIG.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS
context. Set trustclass flags using the new VALIDATE_FLAG_TRUST
values.
* dirmngr/certcache.c (cert_cache_init): Load the standard pool
certificate prior to the --hkp-cacerts.
--
Note that this changes the way the standard cert is used: We require
that it is installed at /usr/share/gnupg and we do not allow to change
it. If this is not desired, the the standard cert can be removed or
replaced by a newer one.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'dirmngr/validate.h')
| -rw-r--r-- | dirmngr/validate.h | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/dirmngr/validate.h b/dirmngr/validate.h index b6222b51f..c7082e3d1 100644 --- a/dirmngr/validate.h +++ b/dirmngr/validate.h @@ -22,28 +22,30 @@ #define VALIDATE_H -/* Make use of the system provided root certificates. */ -#define VALIDATE_FLAG_SYSTRUST 1 - -/* Make use of extra provided root certificates. */ -#define VALIDATE_FLAG_EXTRATRUST 2 +/* Flag values matching the CERTTRUST_CLASS values and a MASK for + * them. check_header_constants() checks their consistency. */ +#define VALIDATE_FLAG_TRUST_SYSTEM 1 +#define VALIDATE_FLAG_TRUST_CONFIG 2 +#define VALIDATE_FLAG_TRUST_HKP 4 +#define VALIDATE_FLAG_TRUST_HKPSPOOL 8 +#define VALIDATE_FLAG_MASK_TRUST 0x0f /* Standard CRL issuer certificate validation; i.e. CRLs are not * considered for CRL issuer certificates. */ -#define VALIDATE_FLAG_CRL 4 +#define VALIDATE_FLAG_CRL 64 /* If this flag is set along with VALIDATE_FLAG_CRL a full CRL * verification is done. */ -#define VALIDATE_FLAG_RECURSIVE 8 +#define VALIDATE_FLAG_RECURSIVE 128 /* Validation mode as used for OCSP. */ -#define VALIDATE_FLAG_OCSP 16 +#define VALIDATE_FLAG_OCSP 256 /* Validation mode as used with TLS. */ -#define VALIDATE_FLAG_TLS 32 +#define VALIDATE_FLAG_TLS 512 /* Don't do CRL checks. */ -#define VALIDATE_FLAG_NOCRLCHECK 64 +#define VALIDATE_FLAG_NOCRLCHECK 1024 /* Validate the certificate CHAIN up to the trust anchor. Optionally |