From df692a6167be5486f9a29da003a00292fd895176 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 18 Sep 2017 22:49:05 +0200
Subject: dirmngr: Use system certs if --hkp-cacert is not used.

* dirmngr/certcache.c (any_cert_of_class): New var.
(put_cert): Set it.
(cert_cache_deinit): Clear it.
(cert_cache_any_in_class): New func.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Add hack to override empty list of HKP certs.
--
This patch carries the changes for GNUTLS from commit 7c1613d41566f7d8db116790087de323621205fe over to NTBTLS. NTBTLS works quite different and thus we need to do it this way.

Signed-off-by: Werner Koch
---
 dirmngr/http-ntbtls.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'dirmngr/http-ntbtls.c')

diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 250db556c..ea66a4d73 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -91,6 +91,12 @@ gnupg_http_tls_verify_cb (void *opaque,
 validate_flags |= VALIDATE_FLAG_TRUST_HKP;
 if ((http_flags & HTTP_FLAG_TRUST_SYS))
 validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
+
+ /* If HKP trust is requested and there are no HKP certificates
+ * configured, also try thye standard system certificates. */
+ if ((validate_flags & VALIDATE_FLAG_TRUST_HKP)
+ && !cert_cache_any_in_class (CERTTRUST_CLASS_HKP))
+ validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
 }
 
 if ((http_flags & HTTP_FLAG_NO_CRL))
-- cgit
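Review bot: The added comment has a typo, `thye` → `the`, and it should state why the fallback is acceptable, because setting VALIDATE_FLAG_TRUST_SYSTEM here widens the set of CAs a keyserver certificate may chain to beyond what the caller asked for through HTTP_FLAG_TRUST_SYS; e.g. `/* If HKP trust is requested but no HKP CA certificates are configured (no --hkp-cacert), fall back to the system CA store so that keyserver TLS still has a trust anchor to verify against. */`. Since the commit message itself calls this a hack, it would help operators to make the fallback observable, e.g. a verbose-level log line when the branch is taken, so a connection verified against the system store instead of a configured HKP CA can be told apart in the dirmngr log. The enclosing gnupg_http_tls_verify_cb body starts and ends outside the hunk, so the condition under which VALIDATE_FLAG_TRUST_HKP is set is not visible here.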