dirmngr: Add special treatment for the standard hkps pool to ntbtls.

* dirmngr/validate.h (VALIDATE_FLAG_SYSTRUST): Remove (VALIDATE_FLAG_EXTRATRUST): Remove (VALIDATE_FLAG_TRUST_SYSTEM): New. (VALIDATE_FLAG_TRUST_CONFIG): New. (VALIDATE_FLAG_TRUST_HKP): New. (VALIDATE_FLAG_TRUST_HKPSPOOL): New. (VALIDATE_FLAG_MASK_TRUST): New. * dirmngr/validate.c (check_header_constants): New. (validate_cert_chain): Call new function. Simplify call to is_trusted_cert. * dirmngr/crlcache.c (crl_parse_insert): Pass VALIDATE_FLAG_TRUST_CONFIG to validate_cert_chain * dirmngr/server.c (cmd_validate): Use VALDIATE_FLAG_TRUST_SYSTEM and VALIDATE_FLAG_TRUST_CONFIG. * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Check provided TLS context. Set trustclass flags using the new VALIDATE_FLAG_TRUST values. * dirmngr/certcache.c (cert_cache_init): Load the standard pool certificate prior to the --hkp-cacerts. -- Note that this changes the way the standard cert is used: We require that it is installed at /usr/share/gnupg and we do not allow to change it. If this is not desired, the the standard cert can be removed or replaced by a newer one. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2017-02-21 14:55:04 +01:00 · 2017-02-21 14:55:04 +01:00 · 831d014550
commit 831d014550
parent d1625a9a82
7 changed files with 67 additions and 27 deletions
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@ -86,7 +86,7 @@ enum
    HTTP_FLAG_IGNORE_CL = 32,    /* Ignore content-length.  */
    HTTP_FLAG_IGNORE_IPv4 = 64,  /* Do not use IPv4.  */
    HTTP_FLAG_IGNORE_IPv6 = 128, /* Do not use IPv6.  */
-    HTTP_FLAG_TRUST_DEF   = 256, /* Use the default CAs.  */
+    HTTP_FLAG_TRUST_DEF   = 256, /* Use the CAs configured for HKP.  */
    HTTP_FLAG_TRUST_SYS   = 512, /* Also use the system defined CAs.  */
    HTTP_FLAG_NO_CRL     = 1024  /* Do not consult CRLs for https.  */
  };