dirmngr: Use sks-keyservers CA by default for the hkps pool.

* dirmngr/Makefile.am (dist_pkgdata_DATA): Add sks-keyservers.netCA.pem. * dirmngr/http.c (http_session_new): Add optional arg intended_hostname and set a default cert. * dirmngr/ks-engine-hkp.c (send_request): Pass httphost to http_session_new. -- Ship the certificate for the sks-keyservers hkps pool. If the user has specified that they want to use hkps://hkps.pool.sks-keyservers.net, and they have not specified any hkp-cacert explicitly, then initialize the trust path with this specific trust anchor. Co-authored-by: wk@gnupg.org Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-19 23:48:30 -04:00 · 2015-10-19 23:48:30 -04:00 · afb8696126
parent 361820a3be
commit afb8696126
6 changed files with 36 additions and 5 deletions
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@ -20,6 +20,7 @@
 ## Process this file with automake to produce Makefile.in

 EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
+dist_pkgdata_DATA = sks-keyservers.netCA.pem

 bin_PROGRAMS = dirmngr dirmngr-client

--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@ -562,7 +562,8 @@ http_session_release (http_session_t sess)
 /* Create a new session object which is currently used to enable TLS
   support.  It may eventually allow reusing existing connections.  */
 gpg_error_t
-http_session_new (http_session_t *r_session, const char *tls_priority)
+http_session_new (http_session_t *r_session, const char *tls_priority,
+                  const char *intended_hostname)
 {
  gpg_error_t err;
  http_session_t sess;
@ -600,6 +601,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
        goto leave;
      }

+    /* If the user has not specified a CA list, and they are looking
+     * for the hkps pool from sks-keyservers.net, then default to
+     * Kristian's certificate authority:  */
+    if (!tls_ca_certlist
+        && intended_hostname
+        && !ascii_strcasecmp (intended_hostname,
+                              "hkps.pool.sks-keyservers.net"))
+      {
+        char *pemname = make_filename_try (gnupg_datadir (),
+                                           "sks-keyservers.netCA.pem", NULL);
+        if (!pemname)
+          {
+            err = gpg_error_from_syserror ();
+            log_error ("setting CA from file '%s' failed: %s\n",
+                       pemname, gpg_strerror (err));
+          }
+        else
+          {
+            rc = gnutls_certificate_set_x509_trust_file
+              (sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
+            if (rc < 0)
+              log_info ("setting CA from file '%s' failed: %s\n",
+                        pemname, gnutls_strerror (rc));
+            xfree (pemname);
+          }
+      }
+
+    /* Add configured certificates to the session.  */
    for (sl = tls_ca_certlist; sl; sl = sl->next)
      {
        rc = gnutls_certificate_set_x509_trust_file
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
 void http_register_tls_ca (const char *fname);

 gpg_error_t http_session_new (http_session_t *r_session,
-                              const char *tls_priority);
+                              const char *tls_priority,
+                              const char *intended_hostname);
 http_session_t http_session_ref (http_session_t sess);
 void http_session_release (http_session_t sess);

--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@ -991,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,

  *r_fp = NULL;

-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, httphost);
  if (err)
    goto leave;
  http_session_set_log_cb (session, cert_log_cb);
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
  estream_t fp = NULL;
  char *request_buffer = NULL;

-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, NULL);
  if (err)
    goto leave;
  http_session_set_log_cb (session, cert_log_cb);
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@ -262,7 +262,7 @@ main (int argc, char **argv)
  http_register_tls_callback (verify_callback);
  http_register_tls_ca (cafile);

-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, NULL);
  if (err)
    log_error ("http_session_new failed: %s\n", gpg_strerror (err));