dirmngr: Add system CAs if no hkp-cacert is given

* dirmngr/dirmngr.c (http_session_new): If the user isn't talking to the HKPS pool, and they have not specified any hkp-cacert, then we should default to the system CAs, rather than nothing. * doc/dirmngr.texi: Document choice of CAs. -- Consider three possible classes of dirmngr configuration: a) no hkps:// keyserver URLs at all (communication with keyservers is entirely in the clear) b) hkps:// keyserver URLs, but no hkp-cacert directives c) hkps:// keyserver URLs, and at least one hkp-cacert directive class (a) provides no confidentiality of requests. class (b) currently will never work because the server certificate cannot be validated. class (c) is currently supported as intended. This patch allows users with configurations in class (b) to work as most users expect (relying on the system certificate authorities), without affecting users in classes (a) or (c). Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> o minor indentation fix - wk
2016-10-27 18:30:58 -04:00 · 2016-10-27 18:30:58 -04:00 · 7c1613d415
parent c4e02a3b7a
commit 7c1613d415
2 changed files with 15 additions and 5 deletions
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@ -613,6 +613,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
    const char *errpos;
    int rc;
    strlist_t sl;
+    int add_system_cas = !!(flags & HTTP_FLAG_TRUST_SYS);
+    int is_hkps_pool;

    rc = gnutls_certificate_allocate_credentials (&sess->certcred);
    if (rc < 0)
@ -623,13 +625,14 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
        goto leave;
      }

+    is_hkps_pool = (intended_hostname
+                    && !ascii_strcasecmp (intended_hostname,
+                                          "hkps.pool.sks-keyservers.net"));
+
    /* If the user has not specified a CA list, and they are looking
     * for the hkps pool from sks-keyservers.net, then default to
     * Kristian's certificate authority:  */
-    if (!tls_ca_certlist
-        && intended_hostname
-        && !ascii_strcasecmp (intended_hostname,
-                              "hkps.pool.sks-keyservers.net"))
+    if (!tls_ca_certlist && is_hkps_pool)
      {
        char *pemname = make_filename_try (gnupg_datadir (),
                                           "sks-keyservers.netCA.pem", NULL);
@ -662,10 +665,12 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
              log_info ("setting CA from file '%s' failed: %s\n",
                        sl->d, gnutls_strerror (rc));
          }
+        if (!tls_ca_certlist && !is_hkps_pool)
+          add_system_cas = 1;
      }

    /* Add system certificates to the session.  */
-    if ((flags & HTTP_FLAG_TRUST_SYS))
+    if (add_system_cas)
      {
 #if GNUTLS_VERSION_NUMBER >= 0x030014
        static int shown;
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@ -461,6 +461,11 @@ the file is in PEM format a suffix of @code{.pem} is expected for
@var{file}.  This option may be given multiple times to add more
 root certificates.  Tilde expansion is supported.

+If no @code{hkp-cacert} directive is present, dirmngr will make a
+reasonable choice: if the keyserver in question is the special pool
+@code{hkps.pool.sks-keyservers.net}, it will use the bundled root
+certificate for that pool.  Otherwise, it will use the system CAs.
+
@end table