security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

dirmngr: Implement trust classes for the cert cache.

Browse source 
* dirmngr/certcache.h (CERTTRUST_CLASS_SYSTEM): New.
(CERTTRUST_CLASS_CONFIG): New.
(CERTTRUST_CLASS_HKP): New.
(CERTTRUST_CLASS_HKPSPOOL): New.
* dirmngr/certcache.c (MAX_EXTRA_CACHED_CERTS): Rename to ...
(MAX_NONPERM_CACHED_CERTS): this.
(total_extra_certificates): Rename to ...
(total_nonperm_certificates): this.
(total_config_certificates): Remove.
(total_trusted_certificates): Remove.
(total_system_trusted_certificates): Remove.
(cert_item_s): Remove field 'flags'.  Add fields 'permanent' and
'trustclasses'.
(clean_cache_slot): Clear new fields.
(put_cert): Change for new cert_item_t structure.
(load_certs_from_dir): Rename arg 'are_trusted' to 'trustclass'
(load_certs_from_file): Use CERTTRUST_CLASS_ value for put_cert.
(load_certs_from_w32_store): Ditto.
(cert_cache_init): Ditto.
(cert_cache_print_stats): Rewrite.
(is_trusted_cert): Replace arg 'with_systrust' by 'trustclasses'.
Chnage the test.
* dirmngr/validate.c (allowed_ca): Pass CERTTRUST_CLASS_CONFIG to
is_trusted_cert.
(validate_cert_chain): Pass CERTTRUST_CLASS_ values to
is_trusted_cert.
--

These trust classes make it easier to select certain sets of root
certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2017-02-21 12:23:20 +01:00
parent 493c142e58
commit 50b9828eac
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
3 changed files with 98 additions and 65 deletions
Download patch file Download diff file Expand all files Collapse all files

15
dirmngr/certcache.h
View file

@ -21,6 +21,15 @@
#ifndef CERTCACHE_H
#define CERTCACHE_H
/* The origin of the trusted root certificates. */
enum {
CERTTRUST_CLASS_SYSTEM = 1, /* From the system's list of trusted certs. */
CERTTRUST_CLASS_CONFIG = 2, /* From dirmngr's config files. */
CERTTRUST_CLASS_HKP = 4, /* From --hkp-cacert */
CERTTRUST_CLASS_HKPSPOOL= 8, /* The one and only from sks-keyservers */
};
/* First time initialization of the certificate cache. */
void cert_cache_init (void);
@ -42,9 +51,9 @@ gpg_error_t cache_cert_silent (ksba_cert_t cert, void *fpr_buffer);
/* Return 0 if the certificate is a trusted certificate. Returns
* GPG_ERR_NOT_TRUSTED if it is not trusted or other error codes in
* case of systems errors. If WITH_SYSTRUST is set also system
* provided certificates are considered trusted. */
gpg_error_t is_trusted_cert (ksba_cert_t cert, int with_systrust);
* case of systems errors. TRUSTCLASSES are the bitwise ORed
* CERTTRUST_CLASS values to use for the check. */
gpg_error_t is_trusted_cert (ksba_cert_t cert, unsigned trustclasses);
/* Return a certificate object for the given fingerprint. FPR is
expected to be a 20 byte binary SHA-1 fingerprint. If no matching