mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00

dirmngr: Load all system provided certificates.

* configure.ac: Add option --default-trust-store.
(DEFAULT_TRUST_STORE_FILE): New ac_define.
* dirmngr/certcache.c: Include ksba-io-support.h.
(total_trusted_certificates, total_system_trusted_certificates): New.
(put_cert): Manage the new counters.
(cert_cache_deinit): Reset them.
(cert_cache_print_stats): Print them.
(is_trusted_cert): Add arg WITH_SYSTRUST.  Change all callers to pass
false.
(load_certs_from_file): New.
(load_certs_from_system): New.
(cert_cache_init): Load system certificates.
--

Note that this code does not yet allow to load the system certificates
on Windows.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2017-02-16 18:58:27 +01:00
parent 09d71de4d4
commit 9a1a5ca0bc
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
4 changed files with 164 additions and 14 deletions


@ -189,7 +189,7 @@ allowed_ca (ksba_cert_t cert, int *chainlen)
return err;
if (!flag)
{
if (!is_trusted_cert (cert))
if (!is_trusted_cert (cert, 0))
{
/* The German SigG Root CA's certificate does not flag
itself as a CA; thus we relax this requirement if we
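Review bot: The bare 0 passed as the new second argument in is_trusted_cert (cert, 0) inside allowed_ca does not tell the reader that it is the WITH_SYSTRUST flag named in the commit message, or that system-provided certificates are deliberately excluded here. Since this branch relaxes the CA-flag requirement for trusted certificates (the SigG case in the comment that follows), a short comment at the call site saying the relaxation must not extend to the system trust store would keep a later change from flipping the value to 1 without noticing the consequence. A named constant or an argument comment in place of the literal would serve the same purpose.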
@ -537,7 +537,7 @@ validate_cert_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
if (err)
goto leave; /* No. */
err = is_trusted_cert (subject_cert);
err = is_trusted_cert (subject_cert, 0);
if (!err)
; /* Yes we trust this cert. */
else if (gpg_err_code (err) == GPG_ERR_NOT_TRUSTED)
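Review bot: In validate_cert_chain the call is_trusted_cert (subject_cert, 0) means a certificate that is only in the newly loaded system store still falls through to the GPG_ERR_NOT_TRUSTED path, so with every caller passing false the loaded system certificates do not change the outcome of chain validation in this commit. If that is intended as a preparatory step, it should be stated in the commit message or in a comment at this call, along with which caller is expected to pass true later; otherwise a reader of the subject line "Load all system provided certificates" will assume these roots are already accepted as trust anchors here.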