From 7c1613d41566f7d8db116790087de323621205fe Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 27 Oct 2016 18:30:58 -0400 Subject: [PATCH] dirmngr: Add system CAs if no hkp-cacert is given * dirmngr/dirmngr.c (http_session_new): If the user isn't talking to the HKPS pool, and they have not specified any hkp-cacert, then we should default to the system CAs, rather than nothing. * doc/dirmngr.texi: Document choice of CAs. -- Consider three possible classes of dirmngr configuration: a) no hkps:// keyserver URLs at all (communication with keyservers is entirely in the clear) b) hkps:// keyserver URLs, but no hkp-cacert directives c) hkps:// keyserver URLs, and at least one hkp-cacert directive class (a) provides no confidentiality of requests. class (b) currently will never work because the server certificate cannot be validated. class (c) is currently supported as intended. This patch allows users with configurations in class (b) to work as most users expect (relying on the system certificate authorities), without affecting users in classes (a) or (c). Signed-off-by: Daniel Kahn Gillmor o minor indentation fix - wk --- dirmngr/http.c | 15 ++++++++++----- doc/dirmngr.texi | 5 +++++ 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/dirmngr/http.c b/dirmngr/http.c index 90682fa46..bc62c820b 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -613,6 +613,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority, const char *errpos; int rc; strlist_t sl; + int add_system_cas = !!(flags & HTTP_FLAG_TRUST_SYS); + int is_hkps_pool; rc = gnutls_certificate_allocate_credentials (&sess->certcred); if (rc < 0) @@ -623,13 +625,14 @@ http_session_new (http_session_t *r_session, const char *tls_priority, goto leave; } + is_hkps_pool = (intended_hostname + && !ascii_strcasecmp (intended_hostname, + "hkps.pool.sks-keyservers.net")); + /* If the user has not specified a CA list, and they are looking * for the hkps pool from sks-keyservers.net, then default to * Kristian's certificate authority: */ - if (!tls_ca_certlist - && intended_hostname - && !ascii_strcasecmp (intended_hostname, - "hkps.pool.sks-keyservers.net")) + if (!tls_ca_certlist && is_hkps_pool) { char *pemname = make_filename_try (gnupg_datadir (), "sks-keyservers.netCA.pem", NULL); @@ -662,10 +665,12 @@ http_session_new (http_session_t *r_session, const char *tls_priority, log_info ("setting CA from file '%s' failed: %s\n", sl->d, gnutls_strerror (rc)); } + if (!tls_ca_certlist && !is_hkps_pool) + add_system_cas = 1; } /* Add system certificates to the session. */ - if ((flags & HTTP_FLAG_TRUST_SYS)) + if (add_system_cas) { #if GNUTLS_VERSION_NUMBER >= 0x030014 static int shown; diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index 73afbc318..bc3072ce8 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi @@ -461,6 +461,11 @@ the file is in PEM format a suffix of @code{.pem} is expected for @var{file}. This option may be given multiple times to add more root certificates. Tilde expansion is supported. +If no @code{hkp-cacert} directive is present, dirmngr will make a +reasonable choice: if the keyserver in question is the special pool +@code{hkps.pool.sks-keyservers.net}, it will use the bundled root +certificate for that pool. Otherwise, it will use the system CAs. + @end table