
dirmngr: Load "sks-keyservers.netCA.pem" into the cache.

* dirmngr/certcache.c (load_certs_from_file): Always build this
function.  Add args 'trustclasses' and 'no_error'.  Pass TRUSTCLASSES
to put_cert.
(load_certs_from_system): Pass CERTTRUST_CLASS_SYSTEM to
load_certs_from_file.
(cert_cache_init): Try to load "sks-keyservers.netCA.pem".  Don't make
function fail in an out-of-core condition.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2017-02-21 12:41:43 +01:00
parent 50b9828eac
commit 9741aa24d9


@ -352,7 +352,7 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
/* Load certificates from the directory DIRNAME. All certificates /* Load certificates from the directory DIRNAME. All certificates
matching the pattern "*.crt" or "*.der" are loaded. We assume that matching the pattern "*.crt" or "*.der" are loaded. We assume that
certificates are DER encoded and not PEM encapsulated. The cache certificates are DER encoded and not PEM encapsulated. The cache
should be in a locked state when calling this function. */ should be in a locked state when calling this function. */
static gpg_error_t static gpg_error_t
load_certs_from_dir (const char *dirname, unsigned int trustclass) load_certs_from_dir (const char *dirname, unsigned int trustclass)
@ -443,14 +443,15 @@ load_certs_from_dir (const char *dirname, unsigned int trustclass)
} }
#ifndef HAVE_W32_SYSTEM /* Load certificates from FILE. The certificates are expected to be
/* Load certificates from FILE. The certifciates are expected to be
* PEM encoded so that it is possible to load several certificates. * PEM encoded so that it is possible to load several certificates.
* All certificates are considered to be system provided trusted * TRUSTCLASSES is used to mark the certificates as trusted. The
* certificates. The cache should be in a locked state when calling * cache should be in a locked state when calling this function.
* this function. */ * NO_ERROR repalces an error message when FNAME was not found by an
* information message. */
static gpg_error_t static gpg_error_t
load_certs_from_file (const char *fname) load_certs_from_file (const char *fname, unsigned int trustclasses,
int no_error)
{ {
gpg_error_t err; gpg_error_t err;
estream_t fp = NULL; estream_t fp = NULL;
@ -462,7 +463,10 @@ load_certs_from_file (const char *fname)
if (!fp) if (!fp)
{ {
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
log_error (_("can't open '%s': %s\n"), fname, gpg_strerror (err)); if (gpg_err_code (err) == GPG_ERR_ENONET && no_error)
log_info (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
else
log_error (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
goto leave; goto leave;
} }
@ -493,7 +497,7 @@ load_certs_from_file (const char *fname)
goto leave; goto leave;
} }
err = put_cert (cert, 1, CERTTRUST_CLASS_SYSTEM, NULL); err = put_cert (cert, 1, trustclasses, NULL);
if (gpg_err_code (err) == GPG_ERR_DUP_VALUE) if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
log_info (_("certificate '%s' already cached\n"), fname); log_info (_("certificate '%s' already cached\n"), fname);
else if (err) else if (err)
@ -523,7 +527,7 @@ load_certs_from_file (const char *fname)
return err; return err;
} }
#endif /*!HAVE_W32_SYSTEM*/
#ifdef HAVE_W32_SYSTEM #ifdef HAVE_W32_SYSTEM
/* Load all certificates from the Windows store named STORENAME. All /* Load all certificates from the Windows store named STORENAME. All
@ -671,7 +675,7 @@ load_certs_from_system (void)
if (!access (table[idx].name, F_OK)) if (!access (table[idx].name, F_OK))
{ {
/* Take the first available bundle. */ /* Take the first available bundle. */
err = load_certs_from_file (table[idx].name); err = load_certs_from_file (table[idx].name, CERTTRUST_CLASS_SYSTEM, 0);
break; break;
} }
@ -684,7 +688,7 @@ load_certs_from_system (void)
void void
cert_cache_init (void) cert_cache_init (void)
{ {
char *dname; char *fname;
if (initialization_done) if (initialization_done)
return; return;
@ -693,13 +697,21 @@ cert_cache_init (void)
load_certs_from_system (); load_certs_from_system ();
dname = make_filename (gnupg_sysconfdir (), "trusted-certs", NULL); fname = make_filename_try (gnupg_sysconfdir (), "trusted-certs", NULL);
load_certs_from_dir (dname, CERTTRUST_CLASS_CONFIG); if (fname)
xfree (dname); load_certs_from_dir (fname, CERTTRUST_CLASS_CONFIG);
xfree (fname);
dname = make_filename (gnupg_sysconfdir (), "extra-certs", NULL); fname = make_filename_try (gnupg_sysconfdir (), "extra-certs", NULL);
load_certs_from_dir (dname, 0); if (fname)
xfree (dname); load_certs_from_dir (fname, 0);
xfree (fname);
fname = make_filename_try (gnupg_datadir (),
"sks-keyservers.netCA.pem", NULL);
if (fname)
load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1);
xfree (fname);
initialization_done = 1; initialization_done = 1;
release_cache_lock (); release_cache_lock ();
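Review bot: The new `no_error` branch in load_certs_from_file (hunk `@ -462,7 +463,10`) tests `gpg_err_code (err) == GPG_ERR_ENONET`, which is the "machine is not on the network" errno and not the missing-file case the new header comment describes, so a deployment without sks-keyservers.netCA.pem will still get a log_error even though cert_cache_init passes no_error=1. The intended condition is `if (gpg_err_code (err) == GPG_ERR_ENOENT && no_error)`. Since cert_cache_init discards the return value of load_certs_from_file (hunk `@ -693,13 +697,21`), that log line is the only signal an operator gets that the HKPS pool CA was not cached, so the level it is logged at matters. The header comment in hunk `@ -443,14 +443,15` also has a typo, `repalces` for `replaces`. The body of load_certs_from_file continues outside the hunk.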