Browse Source

dirmngr: Add support for hkps keyservers.

* dirmngr/dirmngr.c: Include gnutls.h.
(opts): Add --gnutls-debug and --hkp-cacert.
(opt_gnutls_debug, my_gnutls_log): New.
(set_debug): Set gnutls log level.
(parse_rereadable_options): Register a CA file.
(main): Init GNUTLS.
* dirmngr/ks-engine-hkp.c (ks_hkp_help): Support hkps.
(send_request): Ditto.
wk/test-master
Werner Koch 8 years ago
parent
commit
60e2fc7d38
  1. 47
      dirmngr/dirmngr.c
  2. 27
      dirmngr/ks-engine-hkp.c
  3. 32
      dirmngr/sks-keyservers.netCA.pem
  4. 145
      doc/dirmngr.texi
  5. 13
      doc/gpg.texi

47
dirmngr/dirmngr.c

@ -40,6 +40,9 @@
# include <signal.h>
#endif
#include <npth.h>
#ifdef HTTP_USE_GNUTLS
# include <gnutls/gnutls.h>
#endif /*HTTP_USE_GNUTLS*/
#define JNLIB_NEED_LOG_LOGV
@ -92,6 +95,7 @@ enum cmd_and_opt_values {
oDebugAll,
oDebugWait,
oDebugLevel,
oGnutlsDebug,
oNoGreeting,
oNoOptions,
oHomedir,
@ -116,6 +120,7 @@ enum cmd_and_opt_values {
oOCSPMaxPeriod,
oOCSPCurrentPeriod,
oMaxReplies,
oHkpCaCert,
oFakedSystemTime,
oForce,
oAllowOCSP,
@ -195,11 +200,16 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_i (oMaxReplies, "max-replies",
N_("|N|do not return more than N items in one query")),
ARGPARSE_s_s (oHkpCaCert, "hkp-cacert",
N_("|FILE|use the CA certifciates in FILE for HKP over TLS")),
ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */
ARGPARSE_s_u (oFakedSystemTime, "faked-system-time", "@"), /*(epoch time)*/
ARGPARSE_p_u (oDebug, "debug", "@"),
ARGPARSE_s_n (oDebugAll, "debug-all", "@"),
ARGPARSE_s_i (oGnutlsDebug, "gnutls-debug", "@"),
ARGPARSE_s_i (oDebugWait, "debug-wait", "@"),
ARGPARSE_s_n (oNoGreeting, "no-greeting", "@"),
ARGPARSE_s_s (oHomedir, "homedir", "@"),
@ -234,6 +244,9 @@ static char *current_logfile;
/* Helper to implement --debug-level. */
static const char *debug_level;
/* Helper to set the GNUTLS log level. */
static int opt_gnutls_debug = -1;
/* Flag indicating that a shutdown has been requested. */
static volatile int shutdown_pending;
@ -331,6 +344,20 @@ my_ksba_hash_buffer (void *arg, const char *oid,
}
/* GNUTLS log function callback. */
static void
my_gnutls_log (int level, const char *text)
{
int n;
n = strlen (text);
while (n && text[n-1] == '\n')
n--;
log_debug ("gnutls:L%d: %.*s\n", level, n, text);
}
/* Setup the debugging. With a LEVEL of NULL only the active debug
flags are propagated to the subsystems. With LEVEL set, a specific
set of debug flags is set; thus overriding all flags already
@ -382,6 +409,14 @@ set_debug (void)
if (opt.debug & DBG_CRYPTO_VALUE )
gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1);
#ifdef HTTP_USE_GNUTLS
if (opt_gnutls_debug >= 0)
{
gnutls_global_set_log_function (my_gnutls_log);
gnutls_global_set_log_level (opt_gnutls_debug);
}
#endif /*HTTP_USE_GNUTLS*/
}
@ -439,6 +474,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
opt.ocsp_signer = tmp;
}
FREE_STRLIST (opt.ignored_cert_extensions);
http_register_tls_ca (NULL);
return 1;
}
@ -449,6 +485,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
case oDebug: opt.debug |= pargs->r.ret_ulong; break;
case oDebugAll: opt.debug = ~0; break;
case oDebugLevel: debug_level = pargs->r.ret_str; break;
case oGnutlsDebug: opt_gnutls_debug = pargs->r.ret_int; break;
case oLogFile:
if (!reread)
@ -490,6 +527,10 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
case oMaxReplies: opt.max_replies = pargs->r.ret_int; break;
case oHkpCaCert:
http_register_tls_ca (pargs->r.ret_str);
break;
case oIgnoreCertExtension:
add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str);
break;
@ -628,6 +669,12 @@ main (int argc, char **argv)
ksba_set_malloc_hooks (gcry_malloc, gcry_realloc, gcry_free );
ksba_set_hash_buffer_function (my_ksba_hash_buffer, NULL);
/* Init GNUTLS. */
#ifdef HTTP_USE_GNUTLS
rc = gnutls_global_init ();
if (rc)
log_fatal ("gnutls_global_init failed: %s\n", gnutls_strerror (rc));
#endif /*HTTP_USE_GNUTLS*/
/* Init Assuan. */
malloc_hooks.malloc = gcry_malloc;

27
dirmngr/ks-engine-hkp.c

@ -628,12 +628,14 @@ ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri)
const char const data[] =
"Handler for HKP URLs:\n"
" hkp://\n"
" hkps://\n"
"Supported methods: search, get, put\n";
gpg_error_t err;
if (!uri)
err = ks_print_help (ctrl, " hkp");
else if (uri->is_http && !strcmp (uri->scheme, "hkp"))
err = ks_print_help (ctrl, " hkp\n hkps");
else if (uri->is_http && (!strcmp (uri->scheme, "hkp")
|| !strcmp (uri->scheme, "hkps")))
err = ks_print_help (ctrl, data);
else
err = 0;
@ -747,6 +749,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
estream_t *r_fp)
{
gpg_error_t err;
http_session_t session = NULL;
http_t http = NULL;
int redirects_left = MAX_REDIRECTS;
estream_t fp = NULL;
@ -754,6 +757,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL;
err = http_session_new (&session, NULL);
if (err)
goto leave;
once_more:
err = http_open (&http,
post_cb? HTTP_REQ_POST : HTTP_REQ_GET,
@ -761,7 +768,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
/* fixme: AUTH */ NULL,
httpflags,
/* fixme: proxy*/ NULL,
NULL, NULL,
session,
NULL,
/*FIXME curl->srvtag*/NULL);
if (!err)
{
@ -798,6 +806,13 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
goto leave;
}
if (http_get_tls_info (http, NULL))
{
/* Update the httpflags so that a redirect won't fallback to an
unencrypted connection. */
httpflags |= HTTP_FLAG_FORCE_TLS;
}
switch (http_get_status_code (http))
{
case 200:
@ -806,6 +821,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
case 301:
case 302:
case 307:
{
const char *s = http_get_header (http, "Location");
@ -837,6 +853,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
goto leave;
}
/* FIXME: We should register a permanent redirection and whether a
host has ever used TLS so that future calls will always use
TLS. */
fp = http_get_read_ptr (http);
if (!fp)
{
@ -851,6 +871,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
leave:
http_close (http, 0);
http_session_release (session);
xfree (request_buffer);
return err;
}

32
dirmngr/sks-keyservers.netCA.pem

@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----
MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u
ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw
MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP
c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr
cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I
6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj
MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F
45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS
FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx
Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4
aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx
MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y
u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9
p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP
fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G
A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY
TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR
OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u
gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/
X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5
gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB
UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04
lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT
BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB
cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U
f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G
ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph
WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg==
-----END CERTIFICATE-----

145
doc/dirmngr.texi

@ -18,7 +18,7 @@
@mansect synopsis
@ifset manverb
.B dirmngr
.RI [ options ]
.RI [ options ]
.I command
.RI [ args ]
@end ifset
@ -32,7 +32,7 @@ system daemon through the @command{dirmngr-client} tool.
If @command{dirmngr} is started in system daemon mode, it uses a
directory layout as common for system daemons and does not make use of
the default @file{~/.gnupg} directory.
the default @file{~/.gnupg} directory.
@manpause
@ -175,7 +175,7 @@ numeric value or by a keyword:
@item none
No debugging at all. A value of less than 1 may be used instead of
the keyword.
@item basic
@item basic
Some basic debug messages. A value between 1 and 2 may be used
instead of the keyword.
@item advanced
@ -204,6 +204,10 @@ usual C-Syntax.
@opindex debug-all
Same as @code{--debug=0xffffffff}
@item --gnutls-debug @var{level}
@opindex gnutls-debug
Enable debugging of GNUTLS at @var{level}.
@item --debug-wait @var{n}
@opindex debug-wait
When running in server mode, wait @var{n} seconds before entering the
@ -247,12 +251,12 @@ scheme are ignored when looking for a suitable DP.
@item --ignore-ldap-dp
@opindex ignore-ldap-dp
This is similar to @option{--ignore-http-dp} but ignores entries using
the @acronym{LDAP} scheme. Both options may be combined resulting in
the @acronym{LDAP} scheme. Both options may be combined resulting in
ignoring DPs entirely.
@item --ignore-ocsp-service-url
@opindex ignore-ocsp-service-url
Ignore all OCSP URLs contained in the certificate. The effect is to
Ignore all OCSP URLs contained in the certificate. The effect is to
force the use of the default responder.
@item --honor-http-proxy
@ -284,7 +288,7 @@ configured LDAP server if the connection using the "proxy" failed.
@item --ldapserverlist-file @var{file}
@opindex ldapserverlist-file
Read the list of LDAP servers to consult for CRLs and certificates from
file instead of the default per-user ldap server list file. The default
file instead of the default per-user ldap server list file. The default
value for @var{file} is @file{dirmngr_ldapservers.conf} or
@file{ldapservers.conf} when running in @option{--daemon} mode.
@ -328,7 +332,7 @@ Note: The current version of dirmngr has this option disabled by default.
@item --allow-ocsp
@opindex allow-ocsp
This option enables OCSP support if requested by the client.
This option enables OCSP support if requested by the client.
OCSP requests are rejected by default because they may violate the
privacy of the user; for example it is possible to track the time when
@ -395,10 +399,17 @@ won't be rejected due to an unknown critical extension. Use this
option with care because extensions are usually flagged as critical
for a reason.
@item --hkp-cacert @var{file}
Use the root certificates in @var{file} for verification of the TLS
certificates used with @code{hkps} (keyserver access over TLS). If
the file is in PEM format a suffix of @code{.pem} is expected for
@var{file}. This option may be given multiple times to add more
root certificates.
@end table
@c
@c
@c Dirmngr Configuration
@c
@mansect files
@ -472,7 +483,7 @@ Please ignore the output; it is not needed anymore. Check the log file
to see whether all trusted root certificates have been loaded correctly.
@c
@c
@c Dirmngr Signals
@c
@mansect signals
@ -480,7 +491,7 @@ to see whether all trusted root certificates have been loaded correctly.
@section Use of signals.
A running @command{dirmngr} may be controlled by signals, i.e. using
the @command{kill} command to send a signal to the process.
the @command{kill} command to send a signal to the process.
Here is a list of supported signals:
@ -522,7 +533,7 @@ This prints some caching statistics to the log file.
Dirmngr is supposed to be used as a system wide daemon, it should be
started like:
@example
@example
dirmngr --daemon
@end example
@ -613,7 +624,7 @@ local lookup will be done in this case.
Check whether the certificate described by the @var{certid} has been
revoked. Due to caching, the Dirmngr is able to answer immediately in
most cases.
most cases.
The @var{certid} is a hex encoded string consisting of two parts,
delimited by a single dot. The first part is the SHA-1 hash of the
@ -642,7 +653,7 @@ us that it has been revoked.
@item GPG_ERR_NO_CRL_KNOWN
No CRL is known for this certificate or the CRL is not valid or out of
date.
date.
@item GPG_ERR_NO_DATA
The OCSP responder returned an ``unknown'' status. This means that it
@ -690,7 +701,7 @@ given or the certificate is not know, the function inquires the
certificate using:
@example
S: INQUIRE TARGETCERT
S: INQUIRE TARGETCERT
C: D <DER encoded certificate>
C: END
@end example
@ -720,7 +731,7 @@ certificate is not known by Dirmngr, the function inquires the
certificate using:
@example
S: INQUIRE TARGETCERT
S: INQUIRE TARGETCERT
C: D <DER encoded certificate>
C: END
@end example
@ -751,13 +762,13 @@ helpful for debugging. To get the actual certificate, this command
immediately inquires it using
@example
S: INQUIRE TARGETCERT
S: INQUIRE TARGETCERT
C: D <DER encoded certificate>
C: END
@end example
Thus the caller is expected to return the certificate for the request
as a binary blob.
as a binary blob.
@noindent
The return code is 0 for success; i.e. the certificate has not been
@ -771,45 +782,45 @@ internally by dirmngr. This command is only useful for debugging. To
get the actual certificate, this command immediately inquires it using
@example
S: INQUIRE TARGETCERT
S: INQUIRE TARGETCERT
C: D <DER encoded certificate>
C: END
@end example
Thus the caller is expected to return the certificate for the request
as a binary blob.
as a binary blob.
@mansect see also
@ifset isman
@command{gpgsm}(1),
@command{gpgsm}(1),
@command{dirmngr-client}(1)
@end ifset
@include see-also-note.texi
@c
@c
@c !!! UNDER CONSTRUCTION !!!
@c
@c
@c
@c
@c @section Verifying a Certificate
@c
@c
@c There are several ways to request services from Dirmngr. Almost all of
@c them are done using the Assuan protocol. What we describe here is the
@c Assuan command CHECKCRL as used for example by the dirmnr-client tool if
@c invoked as
@c
@c
@c @example
@c dirmngr-client foo.crt
@c @end example
@c
@c
@c This command will send an Assuan request to an already running Dirmngr
@c instance. foo.crt is expected to be a standard X.509 certificate and
@c dirmngr will receive the Assuan command
@c
@c
@c @example
@c CHECKCRL @var [{fingerprint}]
@c @end example
@c
@c
@c @var{fingerprint} is optional and expected to be the SHA-1 has of the
@c DER encoding of the certificate under question. It is to be HEX
@c encoded. The rationale for sending the fingerprint is that it allows
@ -817,15 +828,15 @@ as a binary blob.
@c this is not the case and no certificate has been found in dirmngr's
@c internal certificate storage, dirmngr will request the certificate using
@c the Assuan inquiry
@c
@c
@c @example
@c INQUIRE TARGETCERT
@c @end example
@c
@c
@c The caller (in our example dirmngr-client) is then expected to return
@c the certificate for the request (which should match @var{fingerprint})
@c as a binary blob.
@c
@c
@c Dirmngr now passes control to @code{crl_cache_cert_isvalid}. This
@c function checks whether a CRL item exists for target certificate. These
@c CRL items are kept in a database of already loaded and verified CRLs.
@ -837,25 +848,25 @@ as a binary blob.
@c listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no
@c information is available. The first two codes are immediatly returned to
@c the caller and the processing of this request has been done.
@c
@c
@c Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now
@c calls @code{clr_cache_reload_crl} and if this succeeds calls
@c @code{crl_cache_cert_isvald) once more. All further errors are
@c immediately returned to the caller.
@c
@c
@c @code{crl_cache_reload_crl} is the actual heart of the CRL management.
@c It locates the corresponding CRL for the target certificate, reads and
@c verifies this CRL and stores it in the CRL cache. It works like this:
@c
@c
@c * Loop over all crlDPs in the target certificate.
@c * If the crlDP is invalid immediately terminate the loop.
@c * Loop over all names in the current crlDP.
@c * If the URL scheme is unknown or not enabled
@c * If the URL scheme is unknown or not enabled
@c (--ignore-http-dp, --ignore-ldap-dp) continues with
@c the next name.
@c * @code{crl_fetch} is called to actually retrieve the CRL.
@c In case of problems this name is ignore and we continue with
@c the next name. Note that @code{crl_fetch} does only return
@c the next name. Note that @code{crl_fetch} does only return
@c a descriptor for the CRL for further reading so does the CRL
@c does not yet end up in memory.
@c * @code{crl_cache_insert} is called with that descriptor to
@ -873,16 +884,16 @@ as a binary blob.
@c * @code(crl_cache_insert) is then used to actually insert the CRL
@c into the cache. If this failed we give up immediatley without
@c checking the rest of the servers from the first step.
@c * Ready.
@c
@c
@c * Ready.
@c
@c
@c The @code{crl_cache_insert} function takes care of reading the bulk of
@c the CRL, parsing it and checking the signature. It works like this: A
@c new database file is created using a temporary file name. The CRL
@c parsing machinery is started and all items of the CRL are put into
@c this database file. At the end the issuer certificate of the CRL
@c needs to be retrieved. Three cases are to be distinguished:
@c
@c
@c a) An authorityKeyIdentifier with an issuer and serialno exits: The
@c certificate is retrieved using @code{find_cert_bysn}. If
@c the certificate is in the certificate cache, it is directly
@ -899,7 +910,7 @@ as a binary blob.
@c certificate to match the requested issuer and seriano (This is
@c needed because the LDAP layer may return several certificates as
@c LDAP as no standard way to retrieve by serial number).
@c
@c
@c b) An authorityKeyIdentifier with a key ID exists: The certificate is
@c retrieved using @code{find_cert_bysubject}. If the certificate is
@c in the certificate cache, it is directly returned. Then the
@ -913,7 +924,7 @@ as a binary blob.
@c external resources. This is done using the @code{ca_cert_fetch}
@c and @code{fetch_next_ksba_cert} and comparing the returned
@c certificate to match the requested subject and key ID.
@c
@c
@c c) No authorityKeyIdentifier exits: The certificate is retrieved
@c using @code{find_cert_bysubject} without the key ID argument. If
@c the certificate is in the certificate cache the first one with a
@ -930,12 +941,12 @@ as a binary blob.
@c and @code{fetch_next_ksba_cert} and comparing the returned
@c certificate to match the requested subject; the first certificate
@c with a matching subject is then returned.
@c
@c
@c If no certificate was found, the function returns with the error
@c GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails,
@c the erro is returned. On success the @code{validate_cert_chain} is
@c used to verify that the certificate is actually valid.
@c
@c used to verify that the certificate is actually valid.
@c
@c Here we may encounter a recursive situation:
@c @code{validate_cert_chain} needs to look at other certificates and
@c also at CRLs to check whether tehse other certificates and well, the
@ -944,7 +955,7 @@ as a binary blob.
@c are currently processing. This would be a catch-22 and may indicate a
@c broken PKI. However, due to overlapping expiring times and imprecise
@c clocks thsi may actually happen.
@c
@c
@c For historical reasons the Assuan command ISVALID is a bit different
@c to CHECKCRL but this is mainly due to different calling conventions.
@c In the end the same fucntionality is used, albeit hidden by a couple
@ -952,44 +963,44 @@ as a binary blob.
@c ingetrages OCSP checking depending on options are the way it is
@c called. GPGSM still uses this command but might eventuall switch over
@c to CHECKCRL and CHECKOCSP so that ISVALID can be retired.
@c
@c
@c
@c
@c @section Validating a certificate
@c
@c
@c We describe here how the internal function @code{validate_cert_chain}
@c works. Note that mainly testing purposes this functionality may be
@c called directly using @cmd{dirmngr-client --validate @file{foo.crt}}.
@c
@c
@c For backward compatibility this function returns success if Dirmngr is
@c not used as a system daemon. Thus not validating the certicates at
@c all. FIXME: This is definitely not correct and should be fixed ASAP.
@c
@c
@c The function takes the target certificate and a mode argument as
@c parameters and returns an error code and optionally the closes
@c expiration time of all certificates in the chain.
@c
@c
@c We first check that the certificate may be used for the requested
@c purpose (i.e. OCSP or CRL signing). If this is not the case
@c GPG_ERR_WRONG_KEY_USAGE is returned.
@c
@c
@c The next step is to find the trust anchor (root certificate) and to
@c assemble the chain in memory: Starting with the target certificate,
@c the expiration time is checked against the current date, unknown
@c critical extensions are detected and certificate policies are matched
@c (We only allow 2.289.9.9 but I have no clue about that OID and from
@c where I got it - it does not even seem to be assigned - debug cruft?).
@c
@c
@c Now if this certificate is a self-signed one, we have reached the
@c trust anchor. In this case we check that the signature is good, the
@c certificate is allowed to act as a CA, that it is a trusted one (by
@c checking whether it is has been put into the trusted-certs
@c configuration directory) and finally prepend into to our list
@c representing the certificate chain. This steps ends then.
@c
@c
@c If it is not a self-signed certificate, we check that the chain won't
@c get too long (current limit is 100), if this is the case we terminate
@c with the error GPG_ERR_BAD_CERT_CHAIN.
@c
@c
@c Now the issuer's certificate is looked up: If an
@c authorityKeyIdentifier is available, this one is used to locate the
@c certificate either using issuer and serialnumber or subject DN
@ -1002,7 +1013,7 @@ as a binary blob.
@c that a matching certificate has explicitly been put into the
@c certificate cache. If the issuer's certificate could not be found,
@c the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}.
@c
@c
@c If the issuer's certificate has been found, the signature of the
@c actual certificate is checked and in case this fails the error
@c #code{GPG_ERR_BAD_CERT_CHAIN} is returned. If the signature checks out, the
@ -1011,13 +1022,13 @@ as a binary blob.
@c certificate signing). Then the certificate is prepended to our list
@c representing the certificate chain. Finally the loop is continued now
@c with the issuer's certificate as the current certificate.
@c
@c
@c After the end of the loop and if no error as been encountered
@c (i.e. the certificate chain has been assempled correctly), a check is
@c done whether any certificate expired or a critical policy has not been
@c met. In any of these cases the validation terminates with an
@c appropriate error.
@c
@c appropriate error.
@c
@c Finally the function @code{check_revocations} is called to verify no
@c certificate in the assempled chain has been revoked: This is an
@c recursive process because a CRL has to be checked for each certificate
@ -1025,16 +1036,16 @@ as a binary blob.
@c that it is trusted and we avoid checking a CRL here due to common
@c setup problems and the assumption that a revoked root certifcate has
@c been removed from the list of trusted certificates.
@c
@c
@c
@c
@c
@c
@c
@c
@c @section Looking up certificates through LDAP.
@c
@c
@c This describes the LDAP layer to retrieve certificates.
@c the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are
@c used for this. The first one starts a search and the second one is
@c used to retrieve certificate after certificate.
@c
@c

13
doc/gpg.texi

@ -1630,16 +1630,29 @@ are available for all keyserver types, some common options are:
program uses internally (libcurl, openldap, etc).
@item check-cert
@ifset gpgtwoone
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end ifset
@ifclear gpgtwoone
Enable certificate checking if the keyserver presents one (for hkps or
ldaps). Defaults to on.
@end ifclear
@item ca-cert-file
@ifset gpgtwoone
This option has no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end ifset
@ifclear gpgtwoone
Provide a certificate store to override the system default. Only
necessary if check-cert is enabled, and the keyserver is using a
certificate that is not present in a system default certificate list.
Note that depending on the SSL library that the keyserver helper is
built with, this may actually be a directory or a file.
@end ifclear
@end table
@item --completes-needed @code{n}

Loading…
Cancel
Save