dirmngr: Add support for hkps keyservers.

* dirmngr/dirmngr.c: Include gnutls.h. (opts): Add --gnutls-debug and --hkp-cacert. (opt_gnutls_debug, my_gnutls_log): New. (set_debug): Set gnutls log level. (parse_rereadable_options): Register a CA file. (main): Init GNUTLS. * dirmngr/ks-engine-hkp.c (ks_hkp_help): Support hkps. (send_request): Ditto.
2025-07-01 22:37:57 +02:00 · 2014-05-05 16:09:45 +02:00 · 2014-05-05 16:09:45 +02:00 · 60e2fc7d38
commit 60e2fc7d38
parent ea0f5481f0
5 changed files with 194 additions and 70 deletions
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@ -40,6 +40,9 @@
 # include <signal.h>
 #endif
 #include <npth.h>
+#ifdef HTTP_USE_GNUTLS
+# include <gnutls/gnutls.h>
+#endif /*HTTP_USE_GNUTLS*/


 #define JNLIB_NEED_LOG_LOGV
@ -92,6 +95,7 @@ enum cmd_and_opt_values {
  oDebugAll,
  oDebugWait,
  oDebugLevel,
+  oGnutlsDebug,
  oNoGreeting,
  oNoOptions,
  oHomedir,
@ -116,6 +120,7 @@ enum cmd_and_opt_values {
  oOCSPMaxPeriod,
  oOCSPCurrentPeriod,
  oMaxReplies,
+  oHkpCaCert,
  oFakedSystemTime,
  oForce,
  oAllowOCSP,
@ -195,11 +200,16 @@ static ARGPARSE_OPTS opts[] = {
  ARGPARSE_s_i (oMaxReplies, "max-replies",
                N_("|N|do not return more than N items in one query")),

+  ARGPARSE_s_s (oHkpCaCert, "hkp-cacert",
+                N_("|FILE|use the CA certifciates in FILE for HKP over TLS")),
+
+
  ARGPARSE_s_s (oSocketName, "socket-name", "@"),  /* Only for debugging.  */

  ARGPARSE_s_u (oFakedSystemTime, "faked-system-time", "@"), /*(epoch time)*/
  ARGPARSE_p_u (oDebug,    "debug", "@"),
  ARGPARSE_s_n (oDebugAll, "debug-all", "@"),
+  ARGPARSE_s_i (oGnutlsDebug, "gnutls-debug", "@"),
  ARGPARSE_s_i (oDebugWait, "debug-wait", "@"),
  ARGPARSE_s_n (oNoGreeting, "no-greeting", "@"),
  ARGPARSE_s_s (oHomedir, "homedir", "@"),
@ -234,6 +244,9 @@ static char *current_logfile;
 /* Helper to implement --debug-level. */
 static const char *debug_level;

+/* Helper to set the GNUTLS log level.  */
+static int opt_gnutls_debug = -1;
+
 /* Flag indicating that a shutdown has been requested.  */
 static volatile int shutdown_pending;

@ -331,6 +344,20 @@ my_ksba_hash_buffer (void *arg, const char *oid,
 }


+/* GNUTLS log function callback.  */
+static void
+my_gnutls_log (int level, const char *text)
+{
+  int n;
+
+  n = strlen (text);
+  while (n && text[n-1] == '\n')
+    n--;
+
+  log_debug ("gnutls:L%d: %.*s\n", level, n, text);
+}
+
+
 /* Setup the debugging.  With a LEVEL of NULL only the active debug
   flags are propagated to the subsystems.  With LEVEL set, a specific
   set of debug flags is set; thus overriding all flags already
@ -382,6 +409,14 @@ set_debug (void)

  if (opt.debug & DBG_CRYPTO_VALUE )
    gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1);
+
+#ifdef HTTP_USE_GNUTLS
+  if (opt_gnutls_debug >= 0)
+    {
+      gnutls_global_set_log_function (my_gnutls_log);
+      gnutls_global_set_log_level (opt_gnutls_debug);
+    }
+#endif /*HTTP_USE_GNUTLS*/
 }


@ -439,6 +474,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
          opt.ocsp_signer = tmp;
        }
      FREE_STRLIST (opt.ignored_cert_extensions);
+      http_register_tls_ca (NULL);
      return 1;
    }

@ -449,6 +485,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
    case oDebug:   opt.debug |= pargs->r.ret_ulong; break;
    case oDebugAll: opt.debug = ~0; break;
    case oDebugLevel: debug_level = pargs->r.ret_str; break;
+    case oGnutlsDebug: opt_gnutls_debug = pargs->r.ret_int; break;

    case oLogFile:
      if (!reread)
@ -490,6 +527,10 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)

    case oMaxReplies: opt.max_replies = pargs->r.ret_int; break;

+    case oHkpCaCert:
+      http_register_tls_ca (pargs->r.ret_str);
+      break;
+
    case oIgnoreCertExtension:
      add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str);
      break;
@ -628,6 +669,12 @@ main (int argc, char **argv)
  ksba_set_malloc_hooks (gcry_malloc, gcry_realloc, gcry_free );
  ksba_set_hash_buffer_function (my_ksba_hash_buffer, NULL);

+  /* Init GNUTLS.  */
+#ifdef HTTP_USE_GNUTLS
+  rc = gnutls_global_init ();
+  if (rc)
+    log_fatal ("gnutls_global_init failed: %s\n", gnutls_strerror (rc));
+#endif /*HTTP_USE_GNUTLS*/

  /* Init Assuan. */
  malloc_hooks.malloc = gcry_malloc;
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@ -628,12 +628,14 @@ ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri)
  const char const data[] =
    "Handler for HKP URLs:\n"
    "  hkp://\n"
+    "  hkps://\n"
    "Supported methods: search, get, put\n";
  gpg_error_t err;

  if (!uri)
-    err = ks_print_help (ctrl, "  hkp");
-  else if (uri->is_http && !strcmp (uri->scheme, "hkp"))
+    err = ks_print_help (ctrl, "  hkp\n  hkps");
+  else if (uri->is_http && (!strcmp (uri->scheme, "hkp")
+                            || !strcmp (uri->scheme, "hkps")))
    err = ks_print_help (ctrl, data);
  else
    err = 0;
@ -747,6 +749,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
              estream_t *r_fp)
 {
  gpg_error_t err;
+  http_session_t session = NULL;
  http_t http = NULL;
  int redirects_left = MAX_REDIRECTS;
  estream_t fp = NULL;
@ -754,6 +757,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,

  *r_fp = NULL;

+  err = http_session_new (&session, NULL);
+  if (err)
+    goto leave;
+
 once_more:
  err = http_open (&http,
                   post_cb? HTTP_REQ_POST : HTTP_REQ_GET,
@ -761,7 +768,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
                   /* fixme: AUTH */ NULL,
                   httpflags,
                   /* fixme: proxy*/ NULL,
-                   NULL, NULL,
+                   session,
+                   NULL,
                   /*FIXME curl->srvtag*/NULL);
  if (!err)
    {
@ -798,6 +806,13 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
      goto leave;
    }

+  if (http_get_tls_info (http, NULL))
+    {
+      /* Update the httpflags so that a redirect won't fallback to an
+         unencrypted connection.  */
+      httpflags |= HTTP_FLAG_FORCE_TLS;
+    }
+
  switch (http_get_status_code (http))
    {
    case 200:
@ -806,6 +821,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,

    case 301:
    case 302:
+    case 307:
      {
        const char *s = http_get_header (http, "Location");

@ -837,6 +853,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
      goto leave;
    }

+  /* FIXME: We should register a permanent redirection and whether a
+     host has ever used TLS so that future calls will always use
+     TLS. */
+
  fp = http_get_read_ptr (http);
  if (!fp)
    {
@ -851,6 +871,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,

 leave:
  http_close (http, 0);
+  http_session_release (session);
  xfree (request_buffer);
  return err;
 }
--- a/dirmngr/sks-keyservers.netCA.pem
+++ b/dirmngr/sks-keyservers.netCA.pem
@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
+BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u
+ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw
+MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP
+c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr
+cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I
+6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj
+MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F
+45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS
+FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx
+Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4
+aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx
+MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y
+u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9
+p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP
+fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G
+A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY
+TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR
+OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u
+gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/
+X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5
+gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB
+UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04
+lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT
+BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB
+cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U
+f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G
+ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph
+WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg==
+-----END CERTIFICATE-----
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@ -18,7 +18,7 @@
@mansect synopsis
@ifset manverb
 .B  dirmngr
-.RI [ options ]  
+.RI [ options ]
 .I command
 .RI [ args ]
@end ifset
@ -32,7 +32,7 @@ system daemon through the @command{dirmngr-client} tool.

 If @command{dirmngr} is started in system daemon mode, it uses a
 directory layout as common for system daemons and does not make use of
-the default @file{~/.gnupg} directory.  
+the default @file{~/.gnupg} directory.


@manpause
@ -175,7 +175,7 @@ numeric value or by a keyword:
@item none
 No debugging at all.  A value of less than 1 may be used instead of
 the keyword.
-@item basic  
+@item basic
 Some basic debug messages.  A value between 1 and 2 may be used
 instead of the keyword.
@item advanced
@ -204,6 +204,10 @@ usual C-Syntax.
@opindex debug-all
 Same as @code{--debug=0xffffffff}

+@item --gnutls-debug @var{level}
+@opindex gnutls-debug
+Enable debugging of GNUTLS at @var{level}.
+
@item --debug-wait @var{n}
@opindex debug-wait
 When running in server mode, wait @var{n} seconds before entering the
@ -247,12 +251,12 @@ scheme are ignored when looking for a suitable DP.
@item --ignore-ldap-dp
@opindex ignore-ldap-dp
 This is similar to @option{--ignore-http-dp} but ignores entries using
-the @acronym{LDAP} scheme.  Both options may be combined resulting in 
+the @acronym{LDAP} scheme.  Both options may be combined resulting in
 ignoring DPs entirely.

@item --ignore-ocsp-service-url
@opindex ignore-ocsp-service-url
-Ignore all OCSP URLs contained in the certificate.  The effect is to 
+Ignore all OCSP URLs contained in the certificate.  The effect is to
 force the use of the default responder.

@item --honor-http-proxy
@ -284,7 +288,7 @@ configured LDAP server if the connection using the "proxy" failed.
@item --ldapserverlist-file @var{file}
@opindex ldapserverlist-file
 Read the list of LDAP servers to consult for CRLs and certificates from
-file instead of the default per-user ldap server list file. The default 
+file instead of the default per-user ldap server list file. The default
 value for @var{file} is @file{dirmngr_ldapservers.conf} or
@file{ldapservers.conf} when running in @option{--daemon} mode.

@ -328,7 +332,7 @@ Note: The current version of dirmngr has this option disabled by default.

@item --allow-ocsp
@opindex allow-ocsp
-This option enables OCSP support if requested by the client.  
+This option enables OCSP support if requested by the client.

 OCSP requests are rejected by default because they may violate the
 privacy of the user; for example it is possible to track the time when
@ -395,10 +399,17 @@ won't be rejected due to an unknown critical extension.  Use this
 option with care because extensions are usually flagged as critical
 for a reason.

+@item --hkp-cacert @var{file}
+Use the root certificates in @var{file} for verification of the TLS
+certificates used with @code{hkps} (keyserver access over TLS).  If
+the file is in PEM format a suffix of @code{.pem} is expected for
+@var{file}.  This option may be given multiple times to add more
+root certificates.
+
@end table


-@c 
+@c
@c Dirmngr Configuration
@c
@mansect files
@ -472,7 +483,7 @@ Please ignore the output; it is not needed anymore.  Check the log file
 to see whether all trusted root certificates have been loaded correctly.


-@c 
+@c
@c Dirmngr Signals
@c
@mansect signals
@ -480,7 +491,7 @@ to see whether all trusted root certificates have been loaded correctly.
@section Use of signals.

 A running @command{dirmngr} may be controlled by signals, i.e. using
-the @command{kill} command to send a signal to the process. 
+the @command{kill} command to send a signal to the process.

 Here is a list of supported signals:

@ -522,7 +533,7 @@ This prints some caching statistics to the log file.
 Dirmngr is supposed to be used as a system wide daemon, it should be
 started like:

-@example 
+@example
  dirmngr --daemon
@end example

@ -613,7 +624,7 @@ local lookup will be done in this case.

 Check whether the certificate described by the @var{certid} has been
 revoked.  Due to caching, the Dirmngr is able to answer immediately in
-most cases.  
+most cases.

 The @var{certid} is a hex encoded string consisting of two parts,
 delimited by a single dot.  The first part is the SHA-1 hash of the
@ -642,7 +653,7 @@ us that it has been revoked.

@item GPG_ERR_NO_CRL_KNOWN
 No CRL is known for this certificate or the CRL is not valid or out of
-date. 
+date.

@item GPG_ERR_NO_DATA
 The OCSP responder returned an ``unknown'' status.  This means that it
@ -690,7 +701,7 @@ given or the certificate is not know, the function inquires the
 certificate using:

@example
-  S: INQUIRE TARGETCERT 
+  S: INQUIRE TARGETCERT
  C: D <DER encoded certificate>
  C: END
@end example
@ -720,7 +731,7 @@ certificate is not known by Dirmngr, the function inquires the
 certificate using:

@example
-  S: INQUIRE TARGETCERT 
+  S: INQUIRE TARGETCERT
  C: D <DER encoded certificate>
  C: END
@end example
@ -751,13 +762,13 @@ helpful for debugging.  To get the actual certificate, this command
 immediately inquires it using

@example
-  S: INQUIRE TARGETCERT 
+  S: INQUIRE TARGETCERT
  C: D <DER encoded certificate>
  C: END
@end example

 Thus the caller is expected to return the certificate for the request
-as a binary blob. 
+as a binary blob.

@noindent
 The return code is 0 for success; i.e. the certificate has not been
@ -771,45 +782,45 @@ internally by dirmngr.  This command is only useful for debugging.  To
 get the actual certificate, this command immediately inquires it using

@example
-  S: INQUIRE TARGETCERT 
+  S: INQUIRE TARGETCERT
  C: D <DER encoded certificate>
  C: END
@end example

 Thus the caller is expected to return the certificate for the request
-as a binary blob. 
+as a binary blob.


@mansect see also
@ifset isman
-@command{gpgsm}(1), 
+@command{gpgsm}(1),
@command{dirmngr-client}(1)
@end ifset
@include see-also-note.texi

-@c 
+@c
@c !!! UNDER CONSTRUCTION !!!
-@c 
-@c 
+@c
+@c
@c @section Verifying a Certificate
-@c 
+@c
@c There are several ways to request services from Dirmngr.  Almost all of
@c them are done using the Assuan protocol.  What we describe here is the
@c Assuan command CHECKCRL as used for example by the dirmnr-client tool if
@c invoked as
-@c 
+@c
@c @example
@c   dirmngr-client foo.crt
@c @end example
-@c 
+@c
@c This command will send an Assuan request to an already running Dirmngr
@c instance.  foo.crt is expected to be a standard X.509 certificate and
@c dirmngr will receive the Assuan command
-@c 
+@c
@c @example
@c    CHECKCRL @var [{fingerprint}]
@c @end example
-@c 
+@c
@c @var{fingerprint} is optional and expected to be the SHA-1 has of the
@c DER encoding of the certificate under question.  It is to be HEX
@c encoded.  The rationale for sending the fingerprint is that it allows
@ -817,15 +828,15 @@ as a binary blob.
@c this is not the case and no certificate has been found in dirmngr's
@c internal certificate storage, dirmngr will request the certificate using
@c the Assuan inquiry
-@c 
+@c
@c @example
@c       INQUIRE TARGETCERT
@c @end example
-@c 
+@c
@c The caller (in our example dirmngr-client) is then expected to return
@c the certificate for the request (which should match @var{fingerprint})
@c as a binary blob.
-@c 
+@c
@c Dirmngr now passes control to @code{crl_cache_cert_isvalid}.  This
@c function checks whether a CRL item exists for target certificate.  These
@c CRL items are kept in a database of already loaded and verified CRLs.
@ -837,25 +848,25 @@ as a binary blob.
@c listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no
@c information is available.  The first two codes are immediatly returned to
@c the caller and the processing of this request has been done.
-@c 
+@c
@c Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now
@c calls @code{clr_cache_reload_crl} and if this succeeds calls
@c @code{crl_cache_cert_isvald) once more.  All further errors are
@c immediately returned to the caller.
-@c 
+@c
@c @code{crl_cache_reload_crl} is the actual heart of the CRL management.
@c It locates the corresponding CRL for the target certificate, reads and
@c verifies this CRL and stores it in the CRL cache.  It works like this:
-@c 
+@c
@c * Loop over all crlDPs in the target certificate.
@c     * If the crlDP is invalid immediately terminate the loop.
@c     * Loop over all names in the current crlDP.
-@c         * If the URL scheme is unknown or not enabled 
+@c         * If the URL scheme is unknown or not enabled
@c           (--ignore-http-dp, --ignore-ldap-dp) continues with
@c           the next name.
@c         * @code{crl_fetch} is called to actually retrieve the CRL.
@c           In case of problems this name is ignore and we continue with
-@c           the next name.  Note that @code{crl_fetch} does only return 
+@c           the next name.  Note that @code{crl_fetch} does only return
@c           a descriptor for the CRL for further reading so does the CRL
@c           does not yet end up in memory.
@c         * @code{crl_cache_insert} is called with that descriptor to
@ -873,16 +884,16 @@ as a binary blob.
@c     * @code(crl_cache_insert) is then used to actually insert the CRL
@c       into the cache.  If this failed we give up immediatley without
@c       checking the rest of the servers from the first step.
-@c * Ready. 
-@c 
-@c 
+@c * Ready.
+@c
+@c
@c The @code{crl_cache_insert} function takes care of reading the bulk of
@c the CRL, parsing it and checking the signature.  It works like this: A
@c new database file is created using a temporary file name.  The CRL
@c parsing machinery is started and all items of the CRL are put into
@c this database file.  At the end the issuer certificate of the CRL
@c needs to be retrieved.  Three cases are to be distinguished:
-@c 
+@c
@c  a) An authorityKeyIdentifier with an issuer and serialno exits: The
@c     certificate is retrieved using @code{find_cert_bysn}.  If
@c     the certificate is in the certificate cache, it is directly
@ -899,7 +910,7 @@ as a binary blob.
@c     certificate to match the requested issuer and seriano (This is
@c     needed because the LDAP layer may return several certificates as
@c     LDAP as no standard way to retrieve by serial number).
-@c 
+@c
@c  b) An authorityKeyIdentifier with a key ID exists: The certificate is
@c     retrieved using @code{find_cert_bysubject}.  If the certificate is
@c     in the certificate cache, it is directly returned.  Then the
@ -913,7 +924,7 @@ as a binary blob.
@c     external resources.  This is done using the @code{ca_cert_fetch}
@c     and @code{fetch_next_ksba_cert} and comparing the returned
@c     certificate to match the requested subject and key ID.
-@c 
+@c
@c  c) No authorityKeyIdentifier exits: The certificate is retrieved
@c     using @code{find_cert_bysubject} without the key ID argument.  If
@c     the certificate is in the certificate cache the first one with a
@ -930,12 +941,12 @@ as a binary blob.
@c     and @code{fetch_next_ksba_cert} and comparing the returned
@c     certificate to match the requested subject; the first certificate
@c     with a matching subject is then returned.
-@c 
+@c
@c If no certificate was found, the function returns with the error
@c GPG_ERR_MISSING_CERT.  Now the signature is verified.  If this fails,
@c the erro is returned.  On success the @code{validate_cert_chain} is
-@c used to verify that the certificate is actually valid. 
-@c 
+@c used to verify that the certificate is actually valid.
+@c
@c Here we may encounter a recursive situation:
@c @code{validate_cert_chain} needs to look at other certificates and
@c also at CRLs to check whether tehse other certificates and well, the
@ -944,7 +955,7 @@ as a binary blob.
@c are currently processing. This would be a catch-22 and may indicate a
@c broken PKI.  However, due to overlapping expiring times and imprecise
@c clocks thsi may actually happen.
-@c     
+@c
@c For historical reasons the Assuan command ISVALID is a bit different
@c to CHECKCRL but this is mainly due to different calling conventions.
@c In the end the same fucntionality is used, albeit hidden by a couple
@ -952,44 +963,44 @@ as a binary blob.
@c ingetrages OCSP checking depending on options are the way it is
@c called.  GPGSM still uses this command but might eventuall switch over
@c to CHECKCRL and CHECKOCSP so that ISVALID can be retired.
-@c   
-@c 
+@c
+@c
@c @section Validating a certificate
-@c 
+@c
@c We describe here how the internal function @code{validate_cert_chain}
@c works. Note that mainly testing purposes this functionality may be
@c called directly using @cmd{dirmngr-client --validate @file{foo.crt}}.
-@c 
+@c
@c For backward compatibility this function returns success if Dirmngr is
@c not used as a system daemon.  Thus not validating the certicates at
@c all. FIXME:  This is definitely not correct and should be fixed ASAP.
-@c 
+@c
@c The function takes the target certificate and a mode argument as
@c parameters and returns an error code and optionally the closes
@c expiration time of all certificates in the chain.
-@c 
+@c
@c We first check that the certificate may be used for the requested
@c purpose (i.e. OCSP or CRL signing).  If this is not the case
@c GPG_ERR_WRONG_KEY_USAGE is returned.
-@c 
+@c
@c The next step is to find the trust anchor (root certificate) and to
@c assemble the chain in memory: Starting with the target certificate,
@c the expiration time is checked against the current date, unknown
@c critical extensions are detected and certificate policies are matched
@c (We only allow 2.289.9.9 but I have no clue about that OID and from
@c where I got it - it does not even seem to be assigned - debug cruft?).
-@c 
+@c
@c Now if this certificate is a self-signed one, we have reached the
@c trust anchor.  In this case we check that the signature is good, the
@c certificate is allowed to act as a CA, that it is a trusted one (by
@c checking whether it is has been put into the trusted-certs
@c configuration directory) and finally prepend into to our list
@c representing the certificate chain.  This steps ends then.
-@c 
+@c
@c If it is not a self-signed certificate, we check that the chain won't
@c get too long (current limit is 100), if this is the case we terminate
@c with the error GPG_ERR_BAD_CERT_CHAIN.
-@c 
+@c
@c Now the issuer's certificate is looked up: If an
@c authorityKeyIdentifier is available, this one is used to locate the
@c certificate either using issuer and serialnumber or subject DN
@ -1002,7 +1013,7 @@ as a binary blob.
@c that a matching certificate has explicitly been put into the
@c certificate cache.  If the issuer's certificate could not be found,
@c the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}.
-@c 
+@c
@c If the issuer's certificate has been found, the signature of the
@c actual certificate is checked and in case this fails the error
@c #code{GPG_ERR_BAD_CERT_CHAIN} is returned.  If the signature checks out, the
@ -1011,13 +1022,13 @@ as a binary blob.
@c certificate signing).  Then the certificate is prepended to our list
@c representing the certificate chain.  Finally the loop is continued now
@c with the issuer's certificate as the current certificate.
-@c 
+@c
@c After the end of the loop and if no error as been encountered
@c (i.e. the certificate chain has been assempled correctly), a check is
@c done whether any certificate expired or a critical policy has not been
@c met.  In any of these cases the validation terminates with an
-@c appropriate error. 
-@c 
+@c appropriate error.
+@c
@c Finally the function @code{check_revocations} is called to verify no
@c certificate in the assempled chain has been revoked: This is an
@c recursive process because a CRL has to be checked for each certificate
@ -1025,16 +1036,16 @@ as a binary blob.
@c that it is trusted and we avoid checking a CRL here due to common
@c setup problems and the assumption that a revoked root certifcate has
@c been removed from the list of trusted certificates.
-@c 
-@c 
-@c 
-@c 
+@c
+@c
+@c
+@c
@c @section Looking up certificates through LDAP.
-@c 
+@c
@c This describes the LDAP layer to retrieve certificates.
@c the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are
@c used for this.  The first one starts a search and the second one is
@c used to retrieve certificate after certificate.
-@c 
+@c
+

-  
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -1630,16 +1630,29 @@ are available for all keyserver types, some common options are:
  program uses internally (libcurl, openldap, etc).

  @item check-cert
+@ifset gpgtwoone
+  This option has no more function since GnuPG 2.1.  Use the
+  @code{dirmngr} configuration options instead.
+@end ifset
+@ifclear gpgtwoone
  Enable certificate checking if the keyserver presents one (for hkps or
  ldaps).  Defaults to on.
+@end ifclear

  @item ca-cert-file
+@ifset gpgtwoone
+  This option has no more function since GnuPG 2.1.  Use the
+  @code{dirmngr} configuration options instead.
+@end ifset
+@ifclear gpgtwoone
  Provide a certificate store to override the system default.  Only
  necessary if check-cert is enabled, and the keyserver is using a
  certificate that is not present in a system default certificate list.

  Note that depending on the SSL library that the keyserver helper is
  built with, this may actually be a directory or a file.
+@end ifclear
+
@end table

@item --completes-needed @code{n}