dirmngr: Add special treatment for the standard hkps pool to ntbtls.

* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove (VALIDATE_FLAG_EXTRATRUST): Remove (VALIDATE_FLAG_TRUST_SYSTEM): New. (VALIDATE_FLAG_TRUST_CONFIG): New. (VALIDATE_FLAG_TRUST_HKP): New. (VALIDATE_FLAG_TRUST_HKPSPOOL): New. (VALIDATE_FLAG_MASK_TRUST): New. * dirmngr/validate.c (check_header_constants): New. (validate_cert_chain): Call new function. Simplify call to is_trusted_cert. * dirmngr/crlcache.c (crl_parse_insert): Pass VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain * dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and VALIDATE_FLAG_TRUST_CONFIG. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS context. Set trustclass flags using the new VALIDATE_FLAG_TRUST values. * dirmngr/certcache.c (cert_cache_init): Load the standard pool certificate prior to the --hkp-cacerts. -- Note that this changes the way the standard cert is used: We require that it is installed at /usr/share/gnupg and we do not allow to change it. If this is not desired, the the standard cert can be removed or replaced by a newer one. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2017-02-21 14:55:04 +01:00 · 2017-02-21 14:55:04 +01:00 · 831d014550
commit 831d014550
parent d1625a9a82
7 changed files with 67 additions and 27 deletions
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@ -41,20 +41,23 @@ gnupg_http_tls_verify_cb (void *opaque,
                          void *tls_context)
 {
  ctrl_t ctrl = opaque;
+  ntbtls_t tls = tls_context;
  gpg_error_t err;
  int idx;
  ksba_cert_t cert;
  ksba_cert_t hostcert = NULL;
  unsigned int validate_flags;
+  const char *hostname;

  (void)http;
  (void)session;

  log_assert (ctrl && ctrl->magic == SERVER_CONTROL_MAGIC);
+  log_assert (!ntbtls_check_context (tls));

  /* Get the peer's certs fron ntbtls.  */
  for (idx = 0;
-       (cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
+       (cert = ntbtls_x509_get_peer_cert (tls, idx)); idx++)
    {
      if (!idx)
        hostcert = cert;
@ -73,10 +76,22 @@ gnupg_http_tls_verify_cb (void *opaque,
    }

  validate_flags = VALIDATE_FLAG_TLS;
-  /* if ((http_flags & HTTP_FLAG_TRUST_DEF)) */
-  /*   validate_flags |= VALIDATE_FLAG_??; */
-  if ((http_flags & HTTP_FLAG_TRUST_SYS))
-    validate_flags |= VALIDATE_FLAG_SYSTRUST;
+
+  /* Are we using the standard hkps:// pool use the dedicated
+   * root certificate.  */
+  hostname = ntbtls_get_hostname (tls);
+  if (hostname
+      && !ascii_strcasecmp (hostname, "hkps.pool.sks-keyservers.net"))
+    {
+      validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
+    }
+  else /* Use the certificates as requested from the HTTP module.  */
+    {
+      if ((http_flags & HTTP_FLAG_TRUST_DEF))
+        validate_flags |= VALIDATE_FLAG_TRUST_HKP;
+      if ((http_flags & HTTP_FLAG_TRUST_SYS))
+        validate_flags |= VALIDATE_FLAG_TRUST_SYSTEM;
+    }

  if ((http_flags & HTTP_FLAG_NO_CRL))
    validate_flags |= VALIDATE_FLAG_NOCRLCHECK;