dirmngr: Load --hkp-cacert values into the certificate cache.

* dirmngr/dirmngr.c (hkp_cacert_filenames): New var. (parse_rereadable_options): Store filenames from --hkp-cacert in the new var. (main, dirmngr_sighup_action): Pass that var to cert_cache_init. * dirmngr/certcache.c (cert_cache_init): Add arg 'hkp_cacert' and load those certs. (load_certs_from_file): Use autodetect so that PEM and DER encodings are possible. Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-21 13:57:24 +01:00 · 2017-02-21 13:57:24 +01:00 · d1625a9a82
parent 9741aa24d9
commit d1625a9a82
3 changed files with 23 additions and 9 deletions
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@ -471,7 +471,8 @@ load_certs_from_file (const char *fname, unsigned int trustclasses,
    }

  err = gnupg_ksba_create_reader (&ioctx,
-                                  (GNUPG_KSBA_IO_PEM | GNUPG_KSBA_IO_MULTIPEM),
+                                  (GNUPG_KSBA_IO_AUTODETECT
+                                   | GNUPG_KSBA_IO_MULTIPEM),
                                  fp, &reader);
  if (err)
    {
@ -686,9 +687,10 @@ load_certs_from_system (void)

 /* Initialize the certificate cache if not yet done.  */
 void
-cert_cache_init (void)
+cert_cache_init (strlist_t hkp_cacerts)
 {
  char *fname;
+  strlist_t sl;

  if (initialization_done)
    return;
@ -707,6 +709,10 @@ cert_cache_init (void)
    load_certs_from_dir (fname, 0);
  xfree (fname);

+  for (sl = hkp_cacerts; sl; sl = sl->next)
+    load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0);
+
+
  fname = make_filename_try (gnupg_datadir (),
                             "sks-keyservers.netCA.pem", NULL);
  if (fname)
--- a/dirmngr/certcache.h
+++ b/dirmngr/certcache.h
@ -31,7 +31,7 @@ enum {


 /* First time initialization of the certificate cache.  */
-void cert_cache_init (void);
+void cert_cache_init (strlist_t hkp_cacerts);

 /* Deinitialize the certificate cache.  */
 void cert_cache_deinit (int full);
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@ -319,6 +319,10 @@ static int active_connections;
 * thread to run background network tasks.  */
 static int network_activity_seen;

+/* A list of filenames registred with --hkp-cacert.  */
+static strlist_t hkp_cacert_filenames;
+
+
 /* The timer tick used for housekeeping stuff.  */
 #define TIMERTICK_INTERVAL         (60)

@ -586,6 +590,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
        }
      FREE_STRLIST (opt.ignored_cert_extensions);
      http_register_tls_ca (NULL);
+      FREE_STRLIST (hkp_cacert_filenames);
      FREE_STRLIST (opt.keyserver);
      /* Note: We do not allow resetting of TOR_MODE_FORCE at runtime.  */
      if (tor_mode != TOR_MODE_FORCE)
@ -653,11 +658,14 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)

    case oHkpCaCert:
      {
+        /* We need to register the filenames with gnutls (http.c) and
+         * also for our own cert cache.  */
        char *tmpname;

        /* Do tilde expansion and make path absolute.  */
        tmpname = make_absfilename (pargs->r.ret_str, NULL);
        http_register_tls_ca (tmpname);
+        add_to_strlist (&hkp_cacert_filenames, pargs->r.ret_str);
        xfree (tmpname);
      }
      break;
@ -1069,7 +1077,7 @@ main (int argc, char **argv)


      thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
      crl_cache_init ();
      http_register_netactivity_cb (netactivity_action);
      start_command_handler (ASSUAN_INVALID_FD);
@ -1104,7 +1112,7 @@ main (int argc, char **argv)
        log_set_prefix (NULL, 0);

      thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
      crl_cache_init ();
      http_register_netactivity_cb (netactivity_action);
      handle_connections (3);
@ -1311,7 +1319,7 @@ main (int argc, char **argv)
 #endif

      thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
      crl_cache_init ();
      http_register_netactivity_cb (netactivity_action);
      handle_connections (fd);
@ -1333,7 +1341,7 @@ main (int argc, char **argv)
      dirmngr_init_default_ctrl (&ctrlbuf);

      thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
      crl_cache_init ();
      if (!argc)
        rc = crl_cache_load (&ctrlbuf, NULL);
@ -1356,7 +1364,7 @@ main (int argc, char **argv)
      dirmngr_init_default_ctrl (&ctrlbuf);

      thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
      crl_cache_init ();
      rc = crl_fetch (&ctrlbuf, argv[0], &reader);
      if (rc)
@ -1769,7 +1777,7 @@ dirmngr_sighup_action (void)
  reread_configuration ();
  cert_cache_deinit (0);
  crl_cache_deinit ();
-  cert_cache_init ();
+  cert_cache_init (hkp_cacert_filenames);
  crl_cache_init ();
  reload_dns_stuff (0);
  ks_hkp_reload ();