mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
dirmngr: Use sks-keyservers CA by default for the hkps pool.
* dirmngr/Makefile.am (dist_pkgdata_DATA): Add sks-keyservers.netCA.pem. * dirmngr/http.c (http_session_new): Add optional arg intended_hostname and set a default cert. * dirmngr/ks-engine-hkp.c (send_request): Pass httphost to http_session_new. -- Ship the certificate for the sks-keyservers hkps pool. If the user has specified that they want to use hkps://hkps.pool.sks-keyservers.net, and they have not specified any hkp-cacert explicitly, then initialize the trust path with this specific trust anchor. Co-authored-by: wk@gnupg.org Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
361820a3be
commit
afb8696126
@ -20,6 +20,7 @@
|
|||||||
## Process this file with automake to produce Makefile.in
|
## Process this file with automake to produce Makefile.in
|
||||||
|
|
||||||
EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
|
EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
|
||||||
|
dist_pkgdata_DATA = sks-keyservers.netCA.pem
|
||||||
|
|
||||||
bin_PROGRAMS = dirmngr dirmngr-client
|
bin_PROGRAMS = dirmngr dirmngr-client
|
||||||
|
|
||||||
|
@ -562,7 +562,8 @@ http_session_release (http_session_t sess)
|
|||||||
/* Create a new session object which is currently used to enable TLS
|
/* Create a new session object which is currently used to enable TLS
|
||||||
support. It may eventually allow reusing existing connections. */
|
support. It may eventually allow reusing existing connections. */
|
||||||
gpg_error_t
|
gpg_error_t
|
||||||
http_session_new (http_session_t *r_session, const char *tls_priority)
|
http_session_new (http_session_t *r_session, const char *tls_priority,
|
||||||
|
const char *intended_hostname)
|
||||||
{
|
{
|
||||||
gpg_error_t err;
|
gpg_error_t err;
|
||||||
http_session_t sess;
|
http_session_t sess;
|
||||||
@ -600,6 +601,34 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
|
|||||||
goto leave;
|
goto leave;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* If the user has not specified a CA list, and they are looking
|
||||||
|
* for the hkps pool from sks-keyservers.net, then default to
|
||||||
|
* Kristian's certificate authority: */
|
||||||
|
if (!tls_ca_certlist
|
||||||
|
&& intended_hostname
|
||||||
|
&& !ascii_strcasecmp (intended_hostname,
|
||||||
|
"hkps.pool.sks-keyservers.net"))
|
||||||
|
{
|
||||||
|
char *pemname = make_filename_try (gnupg_datadir (),
|
||||||
|
"sks-keyservers.netCA.pem", NULL);
|
||||||
|
if (!pemname)
|
||||||
|
{
|
||||||
|
err = gpg_error_from_syserror ();
|
||||||
|
log_error ("setting CA from file '%s' failed: %s\n",
|
||||||
|
pemname, gpg_strerror (err));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
rc = gnutls_certificate_set_x509_trust_file
|
||||||
|
(sess->certcred, pemname, GNUTLS_X509_FMT_PEM);
|
||||||
|
if (rc < 0)
|
||||||
|
log_info ("setting CA from file '%s' failed: %s\n",
|
||||||
|
pemname, gnutls_strerror (rc));
|
||||||
|
xfree (pemname);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Add configured certificates to the session. */
|
||||||
for (sl = tls_ca_certlist; sl; sl = sl->next)
|
for (sl = tls_ca_certlist; sl; sl = sl->next)
|
||||||
{
|
{
|
||||||
rc = gnutls_certificate_set_x509_trust_file
|
rc = gnutls_certificate_set_x509_trust_file
|
||||||
|
@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
|
|||||||
void http_register_tls_ca (const char *fname);
|
void http_register_tls_ca (const char *fname);
|
||||||
|
|
||||||
gpg_error_t http_session_new (http_session_t *r_session,
|
gpg_error_t http_session_new (http_session_t *r_session,
|
||||||
const char *tls_priority);
|
const char *tls_priority,
|
||||||
|
const char *intended_hostname);
|
||||||
http_session_t http_session_ref (http_session_t sess);
|
http_session_t http_session_ref (http_session_t sess);
|
||||||
void http_session_release (http_session_t sess);
|
void http_session_release (http_session_t sess);
|
||||||
|
|
||||||
|
@ -991,7 +991,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
|
|||||||
|
|
||||||
*r_fp = NULL;
|
*r_fp = NULL;
|
||||||
|
|
||||||
err = http_session_new (&session, NULL);
|
err = http_session_new (&session, NULL, httphost);
|
||||||
if (err)
|
if (err)
|
||||||
goto leave;
|
goto leave;
|
||||||
http_session_set_log_cb (session, cert_log_cb);
|
http_session_set_log_cb (session, cert_log_cb);
|
||||||
|
@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
|
|||||||
estream_t fp = NULL;
|
estream_t fp = NULL;
|
||||||
char *request_buffer = NULL;
|
char *request_buffer = NULL;
|
||||||
|
|
||||||
err = http_session_new (&session, NULL);
|
err = http_session_new (&session, NULL, NULL);
|
||||||
if (err)
|
if (err)
|
||||||
goto leave;
|
goto leave;
|
||||||
http_session_set_log_cb (session, cert_log_cb);
|
http_session_set_log_cb (session, cert_log_cb);
|
||||||
|
@ -262,7 +262,7 @@ main (int argc, char **argv)
|
|||||||
http_register_tls_callback (verify_callback);
|
http_register_tls_callback (verify_callback);
|
||||||
http_register_tls_ca (cafile);
|
http_register_tls_ca (cafile);
|
||||||
|
|
||||||
err = http_session_new (&session, NULL);
|
err = http_session_new (&session, NULL, NULL);
|
||||||
if (err)
|
if (err)
|
||||||
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
|
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user