1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

dirmngr: Use sks-keyservers CA by default for the hkps pool.

* dirmngr/Makefile.am (dist_pkgdata_DATA): Add sks-keyservers.netCA.pem.
* dirmngr/http.c (http_session_new): Add optional arg
intended_hostname and set a default cert.
* dirmngr/ks-engine-hkp.c (send_request): Pass httphost to
http_session_new.
--

Ship the certificate for the sks-keyservers hkps pool.  If the user
has specified that they want to use
hkps://hkps.pool.sks-keyservers.net, and they have not specified any
hkp-cacert explicitly, then initialize the trust path with this
specific trust anchor.

Co-authored-by: wk@gnupg.org
Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Daniel Kahn Gillmor 2015-10-19 23:48:30 -04:00 committed by Werner Koch
parent 361820a3be
commit afb8696126
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
6 changed files with 36 additions and 5 deletions

View File

@ -20,6 +20,7 @@
## Process this file with automake to produce Makefile.in ## Process this file with automake to produce Makefile.in
EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
dist_pkgdata_DATA = sks-keyservers.netCA.pem
bin_PROGRAMS = dirmngr dirmngr-client bin_PROGRAMS = dirmngr dirmngr-client

View File

@ -562,7 +562,8 @@ http_session_release (http_session_t sess)
/* Create a new session object which is currently used to enable TLS /* Create a new session object which is currently used to enable TLS
support. It may eventually allow reusing existing connections. */ support. It may eventually allow reusing existing connections. */
gpg_error_t gpg_error_t
http_session_new (http_session_t *r_session, const char *tls_priority) http_session_new (http_session_t *r_session, const char *tls_priority,
const char *intended_hostname)
{ {
gpg_error_t err; gpg_error_t err;
http_session_t sess; http_session_t sess;
@ -600,6 +601,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
goto leave; goto leave;
} }
/* If the user has not specified a CA list, and they are looking
* for the hkps pool from sks-keyservers.net, then default to
* Kristian's certificate authority: */
if (!tls_ca_certlist
&& intended_hostname
&& !ascii_strcasecmp (intended_hostname,
"hkps.pool.sks-keyservers.net"))
{
char *pemname = make_filename_try (gnupg_datadir (),
"sks-keyservers.netCA.pem", NULL);
if (!pemname)
{
err = gpg_error_from_syserror ();
log_error ("setting CA from file '%s' failed: %s\n",
pemname, gpg_strerror (err));
}
else
{
rc = gnutls_certificate_set_x509_trust_file
(sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
if (rc < 0)
log_info ("setting CA from file '%s' failed: %s\n",
pemname, gnutls_strerror (rc));
xfree (pemname);
}
}
/* Add configured certificates to the session. */
for (sl = tls_ca_certlist; sl; sl = sl->next) for (sl = tls_ca_certlist; sl; sl = sl->next)
{ {
rc = gnutls_certificate_set_x509_trust_file rc = gnutls_certificate_set_x509_trust_file

View File

@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
void http_register_tls_ca (const char *fname); void http_register_tls_ca (const char *fname);
gpg_error_t http_session_new (http_session_t *r_session, gpg_error_t http_session_new (http_session_t *r_session,
const char *tls_priority); const char *tls_priority,
const char *intended_hostname);
http_session_t http_session_ref (http_session_t sess); http_session_t http_session_ref (http_session_t sess);
void http_session_release (http_session_t sess); void http_session_release (http_session_t sess);

View File

@ -991,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL; *r_fp = NULL;
err = http_session_new (&session, NULL); err = http_session_new (&session, NULL, httphost);
if (err) if (err)
goto leave; goto leave;
http_session_set_log_cb (session, cert_log_cb); http_session_set_log_cb (session, cert_log_cb);

View File

@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
estream_t fp = NULL; estream_t fp = NULL;
char *request_buffer = NULL; char *request_buffer = NULL;
err = http_session_new (&session, NULL); err = http_session_new (&session, NULL, NULL);
if (err) if (err)
goto leave; goto leave;
http_session_set_log_cb (session, cert_log_cb); http_session_set_log_cb (session, cert_log_cb);

View File

@ -262,7 +262,7 @@ main (int argc, char **argv)
http_register_tls_callback (verify_callback); http_register_tls_callback (verify_callback);
http_register_tls_ca (cafile); http_register_tls_ca (cafile);
err = http_session_new (&session, NULL); err = http_session_new (&session, NULL, NULL);
if (err) if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err)); log_error ("http_session_new failed: %s\n", gpg_strerror (err));