diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index 81da029a3..8f85e4883 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -40,6 +40,9 @@ # include #endif #include +#ifdef HTTP_USE_GNUTLS +# include +#endif /*HTTP_USE_GNUTLS*/ #define JNLIB_NEED_LOG_LOGV @@ -92,6 +95,7 @@ enum cmd_and_opt_values { oDebugAll, oDebugWait, oDebugLevel, + oGnutlsDebug, oNoGreeting, oNoOptions, oHomedir, @@ -116,6 +120,7 @@ enum cmd_and_opt_values { oOCSPMaxPeriod, oOCSPCurrentPeriod, oMaxReplies, + oHkpCaCert, oFakedSystemTime, oForce, oAllowOCSP, @@ -195,11 +200,16 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_i (oMaxReplies, "max-replies", N_("|N|do not return more than N items in one query")), + ARGPARSE_s_s (oHkpCaCert, "hkp-cacert", + N_("|FILE|use the CA certifciates in FILE for HKP over TLS")), + + ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */ ARGPARSE_s_u (oFakedSystemTime, "faked-system-time", "@"), /*(epoch time)*/ ARGPARSE_p_u (oDebug, "debug", "@"), ARGPARSE_s_n (oDebugAll, "debug-all", "@"), + ARGPARSE_s_i (oGnutlsDebug, "gnutls-debug", "@"), ARGPARSE_s_i (oDebugWait, "debug-wait", "@"), ARGPARSE_s_n (oNoGreeting, "no-greeting", "@"), ARGPARSE_s_s (oHomedir, "homedir", "@"), @@ -234,6 +244,9 @@ static char *current_logfile; /* Helper to implement --debug-level. */ static const char *debug_level; +/* Helper to set the GNUTLS log level. */ +static int opt_gnutls_debug = -1; + /* Flag indicating that a shutdown has been requested. */ static volatile int shutdown_pending; @@ -331,6 +344,20 @@ my_ksba_hash_buffer (void *arg, const char *oid, } +/* GNUTLS log function callback. */ +static void +my_gnutls_log (int level, const char *text) +{ + int n; + + n = strlen (text); + while (n && text[n-1] == '\n') + n--; + + log_debug ("gnutls:L%d: %.*s\n", level, n, text); +} + + /* Setup the debugging. With a LEVEL of NULL only the active debug flags are propagated to the subsystems. With LEVEL set, a specific set of debug flags is set; thus overriding all flags already @@ -382,6 +409,14 @@ set_debug (void) if (opt.debug & DBG_CRYPTO_VALUE ) gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1); + +#ifdef HTTP_USE_GNUTLS + if (opt_gnutls_debug >= 0) + { + gnutls_global_set_log_function (my_gnutls_log); + gnutls_global_set_log_level (opt_gnutls_debug); + } +#endif /*HTTP_USE_GNUTLS*/ } @@ -439,6 +474,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) opt.ocsp_signer = tmp; } FREE_STRLIST (opt.ignored_cert_extensions); + http_register_tls_ca (NULL); return 1; } @@ -449,6 +485,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) case oDebug: opt.debug |= pargs->r.ret_ulong; break; case oDebugAll: opt.debug = ~0; break; case oDebugLevel: debug_level = pargs->r.ret_str; break; + case oGnutlsDebug: opt_gnutls_debug = pargs->r.ret_int; break; case oLogFile: if (!reread) @@ -490,6 +527,10 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) case oMaxReplies: opt.max_replies = pargs->r.ret_int; break; + case oHkpCaCert: + http_register_tls_ca (pargs->r.ret_str); + break; + case oIgnoreCertExtension: add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str); break; @@ -628,6 +669,12 @@ main (int argc, char **argv) ksba_set_malloc_hooks (gcry_malloc, gcry_realloc, gcry_free ); ksba_set_hash_buffer_function (my_ksba_hash_buffer, NULL); + /* Init GNUTLS. */ +#ifdef HTTP_USE_GNUTLS + rc = gnutls_global_init (); + if (rc) + log_fatal ("gnutls_global_init failed: %s\n", gnutls_strerror (rc)); +#endif /*HTTP_USE_GNUTLS*/ /* Init Assuan. */ malloc_hooks.malloc = gcry_malloc; diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c index fa616a0c0..c115cf562 100644 --- a/dirmngr/ks-engine-hkp.c +++ b/dirmngr/ks-engine-hkp.c @@ -628,12 +628,14 @@ ks_hkp_help (ctrl_t ctrl, parsed_uri_t uri) const char const data[] = "Handler for HKP URLs:\n" " hkp://\n" + " hkps://\n" "Supported methods: search, get, put\n"; gpg_error_t err; if (!uri) - err = ks_print_help (ctrl, " hkp"); - else if (uri->is_http && !strcmp (uri->scheme, "hkp")) + err = ks_print_help (ctrl, " hkp\n hkps"); + else if (uri->is_http && (!strcmp (uri->scheme, "hkp") + || !strcmp (uri->scheme, "hkps"))) err = ks_print_help (ctrl, data); else err = 0; @@ -747,6 +749,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, estream_t *r_fp) { gpg_error_t err; + http_session_t session = NULL; http_t http = NULL; int redirects_left = MAX_REDIRECTS; estream_t fp = NULL; @@ -754,6 +757,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, *r_fp = NULL; + err = http_session_new (&session, NULL); + if (err) + goto leave; + once_more: err = http_open (&http, post_cb? HTTP_REQ_POST : HTTP_REQ_GET, @@ -761,7 +768,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, /* fixme: AUTH */ NULL, httpflags, /* fixme: proxy*/ NULL, - NULL, NULL, + session, + NULL, /*FIXME curl->srvtag*/NULL); if (!err) { @@ -798,6 +806,13 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, goto leave; } + if (http_get_tls_info (http, NULL)) + { + /* Update the httpflags so that a redirect won't fallback to an + unencrypted connection. */ + httpflags |= HTTP_FLAG_FORCE_TLS; + } + switch (http_get_status_code (http)) { case 200: @@ -806,6 +821,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, case 301: case 302: + case 307: { const char *s = http_get_header (http, "Location"); @@ -837,6 +853,10 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, goto leave; } + /* FIXME: We should register a permanent redirection and whether a + host has ever used TLS so that future calls will always use + TLS. */ + fp = http_get_read_ptr (http); if (!fp) { @@ -851,6 +871,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, leave: http_close (http, 0); + http_session_release (session); xfree (request_buffer); return err; } diff --git a/dirmngr/sks-keyservers.netCA.pem b/dirmngr/sks-keyservers.netCA.pem new file mode 100644 index 000000000..24a2ad2e8 --- /dev/null +++ b/dirmngr/sks-keyservers.netCA.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV +BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u +ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw +MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP +c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr +cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I +6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj +MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F +45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS +FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx +Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4 +aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx +MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y +u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9 +p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP +fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G +A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY +TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR +OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u +gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/ +X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5 +gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB +UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04 +lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT +BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB +cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U +f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G +ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph +WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg== +-----END CERTIFICATE----- diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index e6264878a..7b2f92c0d 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi @@ -18,7 +18,7 @@ @mansect synopsis @ifset manverb .B dirmngr -.RI [ options ] +.RI [ options ] .I command .RI [ args ] @end ifset @@ -32,7 +32,7 @@ system daemon through the @command{dirmngr-client} tool. If @command{dirmngr} is started in system daemon mode, it uses a directory layout as common for system daemons and does not make use of -the default @file{~/.gnupg} directory. +the default @file{~/.gnupg} directory. @manpause @@ -175,7 +175,7 @@ numeric value or by a keyword: @item none No debugging at all. A value of less than 1 may be used instead of the keyword. -@item basic +@item basic Some basic debug messages. A value between 1 and 2 may be used instead of the keyword. @item advanced @@ -204,6 +204,10 @@ usual C-Syntax. @opindex debug-all Same as @code{--debug=0xffffffff} +@item --gnutls-debug @var{level} +@opindex gnutls-debug +Enable debugging of GNUTLS at @var{level}. + @item --debug-wait @var{n} @opindex debug-wait When running in server mode, wait @var{n} seconds before entering the @@ -247,12 +251,12 @@ scheme are ignored when looking for a suitable DP. @item --ignore-ldap-dp @opindex ignore-ldap-dp This is similar to @option{--ignore-http-dp} but ignores entries using -the @acronym{LDAP} scheme. Both options may be combined resulting in +the @acronym{LDAP} scheme. Both options may be combined resulting in ignoring DPs entirely. @item --ignore-ocsp-service-url @opindex ignore-ocsp-service-url -Ignore all OCSP URLs contained in the certificate. The effect is to +Ignore all OCSP URLs contained in the certificate. The effect is to force the use of the default responder. @item --honor-http-proxy @@ -284,7 +288,7 @@ configured LDAP server if the connection using the "proxy" failed. @item --ldapserverlist-file @var{file} @opindex ldapserverlist-file Read the list of LDAP servers to consult for CRLs and certificates from -file instead of the default per-user ldap server list file. The default +file instead of the default per-user ldap server list file. The default value for @var{file} is @file{dirmngr_ldapservers.conf} or @file{ldapservers.conf} when running in @option{--daemon} mode. @@ -328,7 +332,7 @@ Note: The current version of dirmngr has this option disabled by default. @item --allow-ocsp @opindex allow-ocsp -This option enables OCSP support if requested by the client. +This option enables OCSP support if requested by the client. OCSP requests are rejected by default because they may violate the privacy of the user; for example it is possible to track the time when @@ -395,10 +399,17 @@ won't be rejected due to an unknown critical extension. Use this option with care because extensions are usually flagged as critical for a reason. +@item --hkp-cacert @var{file} +Use the root certificates in @var{file} for verification of the TLS +certificates used with @code{hkps} (keyserver access over TLS). If +the file is in PEM format a suffix of @code{.pem} is expected for +@var{file}. This option may be given multiple times to add more +root certificates. + @end table -@c +@c @c Dirmngr Configuration @c @mansect files @@ -472,7 +483,7 @@ Please ignore the output; it is not needed anymore. Check the log file to see whether all trusted root certificates have been loaded correctly. -@c +@c @c Dirmngr Signals @c @mansect signals @@ -480,7 +491,7 @@ to see whether all trusted root certificates have been loaded correctly. @section Use of signals. A running @command{dirmngr} may be controlled by signals, i.e. using -the @command{kill} command to send a signal to the process. +the @command{kill} command to send a signal to the process. Here is a list of supported signals: @@ -522,7 +533,7 @@ This prints some caching statistics to the log file. Dirmngr is supposed to be used as a system wide daemon, it should be started like: -@example +@example dirmngr --daemon @end example @@ -613,7 +624,7 @@ local lookup will be done in this case. Check whether the certificate described by the @var{certid} has been revoked. Due to caching, the Dirmngr is able to answer immediately in -most cases. +most cases. The @var{certid} is a hex encoded string consisting of two parts, delimited by a single dot. The first part is the SHA-1 hash of the @@ -642,7 +653,7 @@ us that it has been revoked. @item GPG_ERR_NO_CRL_KNOWN No CRL is known for this certificate or the CRL is not valid or out of -date. +date. @item GPG_ERR_NO_DATA The OCSP responder returned an ``unknown'' status. This means that it @@ -690,7 +701,7 @@ given or the certificate is not know, the function inquires the certificate using: @example - S: INQUIRE TARGETCERT + S: INQUIRE TARGETCERT C: D C: END @end example @@ -720,7 +731,7 @@ certificate is not known by Dirmngr, the function inquires the certificate using: @example - S: INQUIRE TARGETCERT + S: INQUIRE TARGETCERT C: D C: END @end example @@ -751,13 +762,13 @@ helpful for debugging. To get the actual certificate, this command immediately inquires it using @example - S: INQUIRE TARGETCERT + S: INQUIRE TARGETCERT C: D C: END @end example Thus the caller is expected to return the certificate for the request -as a binary blob. +as a binary blob. @noindent The return code is 0 for success; i.e. the certificate has not been @@ -771,45 +782,45 @@ internally by dirmngr. This command is only useful for debugging. To get the actual certificate, this command immediately inquires it using @example - S: INQUIRE TARGETCERT + S: INQUIRE TARGETCERT C: D C: END @end example Thus the caller is expected to return the certificate for the request -as a binary blob. +as a binary blob. @mansect see also @ifset isman -@command{gpgsm}(1), +@command{gpgsm}(1), @command{dirmngr-client}(1) @end ifset @include see-also-note.texi -@c +@c @c !!! UNDER CONSTRUCTION !!! -@c -@c +@c +@c @c @section Verifying a Certificate -@c +@c @c There are several ways to request services from Dirmngr. Almost all of @c them are done using the Assuan protocol. What we describe here is the @c Assuan command CHECKCRL as used for example by the dirmnr-client tool if @c invoked as -@c +@c @c @example @c dirmngr-client foo.crt @c @end example -@c +@c @c This command will send an Assuan request to an already running Dirmngr @c instance. foo.crt is expected to be a standard X.509 certificate and @c dirmngr will receive the Assuan command -@c +@c @c @example @c CHECKCRL @var [{fingerprint}] @c @end example -@c +@c @c @var{fingerprint} is optional and expected to be the SHA-1 has of the @c DER encoding of the certificate under question. It is to be HEX @c encoded. The rationale for sending the fingerprint is that it allows @@ -817,15 +828,15 @@ as a binary blob. @c this is not the case and no certificate has been found in dirmngr's @c internal certificate storage, dirmngr will request the certificate using @c the Assuan inquiry -@c +@c @c @example @c INQUIRE TARGETCERT @c @end example -@c +@c @c The caller (in our example dirmngr-client) is then expected to return @c the certificate for the request (which should match @var{fingerprint}) @c as a binary blob. -@c +@c @c Dirmngr now passes control to @code{crl_cache_cert_isvalid}. This @c function checks whether a CRL item exists for target certificate. These @c CRL items are kept in a database of already loaded and verified CRLs. @@ -837,25 +848,25 @@ as a binary blob. @c listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no @c information is available. The first two codes are immediatly returned to @c the caller and the processing of this request has been done. -@c +@c @c Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now @c calls @code{clr_cache_reload_crl} and if this succeeds calls @c @code{crl_cache_cert_isvald) once more. All further errors are @c immediately returned to the caller. -@c +@c @c @code{crl_cache_reload_crl} is the actual heart of the CRL management. @c It locates the corresponding CRL for the target certificate, reads and @c verifies this CRL and stores it in the CRL cache. It works like this: -@c +@c @c * Loop over all crlDPs in the target certificate. @c * If the crlDP is invalid immediately terminate the loop. @c * Loop over all names in the current crlDP. -@c * If the URL scheme is unknown or not enabled +@c * If the URL scheme is unknown or not enabled @c (--ignore-http-dp, --ignore-ldap-dp) continues with @c the next name. @c * @code{crl_fetch} is called to actually retrieve the CRL. @c In case of problems this name is ignore and we continue with -@c the next name. Note that @code{crl_fetch} does only return +@c the next name. Note that @code{crl_fetch} does only return @c a descriptor for the CRL for further reading so does the CRL @c does not yet end up in memory. @c * @code{crl_cache_insert} is called with that descriptor to @@ -873,16 +884,16 @@ as a binary blob. @c * @code(crl_cache_insert) is then used to actually insert the CRL @c into the cache. If this failed we give up immediatley without @c checking the rest of the servers from the first step. -@c * Ready. -@c -@c +@c * Ready. +@c +@c @c The @code{crl_cache_insert} function takes care of reading the bulk of @c the CRL, parsing it and checking the signature. It works like this: A @c new database file is created using a temporary file name. The CRL @c parsing machinery is started and all items of the CRL are put into @c this database file. At the end the issuer certificate of the CRL @c needs to be retrieved. Three cases are to be distinguished: -@c +@c @c a) An authorityKeyIdentifier with an issuer and serialno exits: The @c certificate is retrieved using @code{find_cert_bysn}. If @c the certificate is in the certificate cache, it is directly @@ -899,7 +910,7 @@ as a binary blob. @c certificate to match the requested issuer and seriano (This is @c needed because the LDAP layer may return several certificates as @c LDAP as no standard way to retrieve by serial number). -@c +@c @c b) An authorityKeyIdentifier with a key ID exists: The certificate is @c retrieved using @code{find_cert_bysubject}. If the certificate is @c in the certificate cache, it is directly returned. Then the @@ -913,7 +924,7 @@ as a binary blob. @c external resources. This is done using the @code{ca_cert_fetch} @c and @code{fetch_next_ksba_cert} and comparing the returned @c certificate to match the requested subject and key ID. -@c +@c @c c) No authorityKeyIdentifier exits: The certificate is retrieved @c using @code{find_cert_bysubject} without the key ID argument. If @c the certificate is in the certificate cache the first one with a @@ -930,12 +941,12 @@ as a binary blob. @c and @code{fetch_next_ksba_cert} and comparing the returned @c certificate to match the requested subject; the first certificate @c with a matching subject is then returned. -@c +@c @c If no certificate was found, the function returns with the error @c GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails, @c the erro is returned. On success the @code{validate_cert_chain} is -@c used to verify that the certificate is actually valid. -@c +@c used to verify that the certificate is actually valid. +@c @c Here we may encounter a recursive situation: @c @code{validate_cert_chain} needs to look at other certificates and @c also at CRLs to check whether tehse other certificates and well, the @@ -944,7 +955,7 @@ as a binary blob. @c are currently processing. This would be a catch-22 and may indicate a @c broken PKI. However, due to overlapping expiring times and imprecise @c clocks thsi may actually happen. -@c +@c @c For historical reasons the Assuan command ISVALID is a bit different @c to CHECKCRL but this is mainly due to different calling conventions. @c In the end the same fucntionality is used, albeit hidden by a couple @@ -952,44 +963,44 @@ as a binary blob. @c ingetrages OCSP checking depending on options are the way it is @c called. GPGSM still uses this command but might eventuall switch over @c to CHECKCRL and CHECKOCSP so that ISVALID can be retired. -@c -@c +@c +@c @c @section Validating a certificate -@c +@c @c We describe here how the internal function @code{validate_cert_chain} @c works. Note that mainly testing purposes this functionality may be @c called directly using @cmd{dirmngr-client --validate @file{foo.crt}}. -@c +@c @c For backward compatibility this function returns success if Dirmngr is @c not used as a system daemon. Thus not validating the certicates at @c all. FIXME: This is definitely not correct and should be fixed ASAP. -@c +@c @c The function takes the target certificate and a mode argument as @c parameters and returns an error code and optionally the closes @c expiration time of all certificates in the chain. -@c +@c @c We first check that the certificate may be used for the requested @c purpose (i.e. OCSP or CRL signing). If this is not the case @c GPG_ERR_WRONG_KEY_USAGE is returned. -@c +@c @c The next step is to find the trust anchor (root certificate) and to @c assemble the chain in memory: Starting with the target certificate, @c the expiration time is checked against the current date, unknown @c critical extensions are detected and certificate policies are matched @c (We only allow 2.289.9.9 but I have no clue about that OID and from @c where I got it - it does not even seem to be assigned - debug cruft?). -@c +@c @c Now if this certificate is a self-signed one, we have reached the @c trust anchor. In this case we check that the signature is good, the @c certificate is allowed to act as a CA, that it is a trusted one (by @c checking whether it is has been put into the trusted-certs @c configuration directory) and finally prepend into to our list @c representing the certificate chain. This steps ends then. -@c +@c @c If it is not a self-signed certificate, we check that the chain won't @c get too long (current limit is 100), if this is the case we terminate @c with the error GPG_ERR_BAD_CERT_CHAIN. -@c +@c @c Now the issuer's certificate is looked up: If an @c authorityKeyIdentifier is available, this one is used to locate the @c certificate either using issuer and serialnumber or subject DN @@ -1002,7 +1013,7 @@ as a binary blob. @c that a matching certificate has explicitly been put into the @c certificate cache. If the issuer's certificate could not be found, @c the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}. -@c +@c @c If the issuer's certificate has been found, the signature of the @c actual certificate is checked and in case this fails the error @c #code{GPG_ERR_BAD_CERT_CHAIN} is returned. If the signature checks out, the @@ -1011,13 +1022,13 @@ as a binary blob. @c certificate signing). Then the certificate is prepended to our list @c representing the certificate chain. Finally the loop is continued now @c with the issuer's certificate as the current certificate. -@c +@c @c After the end of the loop and if no error as been encountered @c (i.e. the certificate chain has been assempled correctly), a check is @c done whether any certificate expired or a critical policy has not been @c met. In any of these cases the validation terminates with an -@c appropriate error. -@c +@c appropriate error. +@c @c Finally the function @code{check_revocations} is called to verify no @c certificate in the assempled chain has been revoked: This is an @c recursive process because a CRL has to be checked for each certificate @@ -1025,16 +1036,16 @@ as a binary blob. @c that it is trusted and we avoid checking a CRL here due to common @c setup problems and the assumption that a revoked root certifcate has @c been removed from the list of trusted certificates. -@c -@c -@c -@c +@c +@c +@c +@c @c @section Looking up certificates through LDAP. -@c +@c @c This describes the LDAP layer to retrieve certificates. @c the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are @c used for this. The first one starts a search and the second one is @c used to retrieve certificate after certificate. -@c +@c + - diff --git a/doc/gpg.texi b/doc/gpg.texi index 1a8101002..bc12cbccc 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1630,16 +1630,29 @@ are available for all keyserver types, some common options are: program uses internally (libcurl, openldap, etc). @item check-cert +@ifset gpgtwoone + This option has no more function since GnuPG 2.1. Use the + @code{dirmngr} configuration options instead. +@end ifset +@ifclear gpgtwoone Enable certificate checking if the keyserver presents one (for hkps or ldaps). Defaults to on. +@end ifclear @item ca-cert-file +@ifset gpgtwoone + This option has no more function since GnuPG 2.1. Use the + @code{dirmngr} configuration options instead. +@end ifset +@ifclear gpgtwoone Provide a certificate store to override the system default. Only necessary if check-cert is enabled, and the keyserver is using a certificate that is not present in a system default certificate list. Note that depending on the SSL library that the keyserver helper is built with, this may actually be a directory or a file. +@end ifclear + @end table @item --completes-needed @code{n}