[Pkg-gnupg-commit] [gnupg2] 113/166: dirmngr: Load "sks-keyservers.netCA.pem" into the cache.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 16 22:33:11 UTC 2017 

This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch experimental
in repository gnupg2.

commit 9741aa24d9056b56cd5366ff5379bd8a3e6118df
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Feb 21 12:41:43 2017 +0100

    dirmngr: Load "sks-keyservers.netCA.pem" into the cache.
    
    * dirmngr/certcache.c (load_certs_from_file): Always build this
    function.  Add args 'trustclasses' and 'no_error'.  Pass TRUSTCLASSES
    to put_cert.
    (load_certs_from_system): Pass CERTTRUST_CLASS_SYSTEM to
    load_certs_from_file.
    (cert_cache_init): Try to load "sks-keyservers.netCA.pem".  Don't make
    function fail in an out-of-core condition.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>
---
 dirmngr/certcache.c | 48 ++++++++++++++++++++++++++++++------------------
 1 file changed, 30 insertions(+), 18 deletions(-)

diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 0e4071d..61be57e 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -352,7 +352,7 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
 
 /* Load certificates from the directory DIRNAME.  All certificates
    matching the pattern "*.crt" or "*.der"  are loaded.  We assume that
-   certificates are DER encoded and not PEM encapsulated. The cache
+   certificates are DER encoded and not PEM encapsulated.  The cache
    should be in a locked state when calling this function.  */
 static gpg_error_t
 load_certs_from_dir (const char *dirname, unsigned int trustclass)
@@ -443,14 +443,15 @@ load_certs_from_dir (const char *dirname, unsigned int trustclass)
 }
 
 
-#ifndef HAVE_W32_SYSTEM
-/* Load certificates from FILE.  The certifciates are expected to be
+/* Load certificates from FILE.  The certificates are expected to be
  * PEM encoded so that it is possible to load several certificates.
- * All certificates are considered to be system provided trusted
- * certificates.  The cache should be in a locked state when calling
- * this function.  */
+ * TRUSTCLASSES is used to mark the certificates as trusted.  The
+ * cache should be in a locked state when calling this function.
+ * NO_ERROR repalces an error message when FNAME was not found by an
+ * information message.  */
 static gpg_error_t
-load_certs_from_file (const char *fname)
+load_certs_from_file (const char *fname, unsigned int trustclasses,
+                      int no_error)
 {
   gpg_error_t err;
   estream_t fp = NULL;
@@ -462,7 +463,10 @@ load_certs_from_file (const char *fname)
   if (!fp)
     {
       err = gpg_error_from_syserror ();
-      log_error (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
+      if (gpg_err_code (err) == GPG_ERR_ENONET && no_error)
+        log_info (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
+      else
+        log_error (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
       goto leave;
     }
 
@@ -493,7 +497,7 @@ load_certs_from_file (const char *fname)
           goto leave;
         }
 
-      err = put_cert (cert, 1, CERTTRUST_CLASS_SYSTEM, NULL);
+      err = put_cert (cert, 1, trustclasses, NULL);
       if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
         log_info (_("certificate '%s' already cached\n"), fname);
       else if (err)
@@ -523,7 +527,7 @@ load_certs_from_file (const char *fname)
 
   return err;
 }
-#endif /*!HAVE_W32_SYSTEM*/
+
 
 #ifdef HAVE_W32_SYSTEM
 /* Load all certificates from the Windows store named STORENAME.  All
@@ -671,7 +675,7 @@ load_certs_from_system (void)
     if (!access (table[idx].name, F_OK))
       {
         /* Take the first available bundle.  */
-        err = load_certs_from_file (table[idx].name);
+        err = load_certs_from_file (table[idx].name, CERTTRUST_CLASS_SYSTEM, 0);
         break;
       }
 
@@ -684,7 +688,7 @@ load_certs_from_system (void)
 void
 cert_cache_init (void)
 {
-  char *dname;
+  char *fname;
 
   if (initialization_done)
     return;
@@ -693,13 +697,21 @@ cert_cache_init (void)
 
   load_certs_from_system ();
 
-  dname = make_filename (gnupg_sysconfdir (), "trusted-certs", NULL);
-  load_certs_from_dir (dname, CERTTRUST_CLASS_CONFIG);
-  xfree (dname);
+  fname = make_filename_try (gnupg_sysconfdir (), "trusted-certs", NULL);
+  if (fname)
+    load_certs_from_dir (fname, CERTTRUST_CLASS_CONFIG);
+  xfree (fname);
+
+  fname = make_filename_try (gnupg_sysconfdir (), "extra-certs", NULL);
+  if (fname)
+    load_certs_from_dir (fname, 0);
+  xfree (fname);
 
-  dname = make_filename (gnupg_sysconfdir (), "extra-certs", NULL);
-  load_certs_from_dir (dname, 0);
-  xfree (dname);
+  fname = make_filename_try (gnupg_datadir (),
+                             "sks-keyservers.netCA.pem", NULL);
+  if (fname)
+    load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1);
+  xfree (fname);
 
   initialization_done = 1;
   release_cache_lock ();

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git

More information about the Pkg-gnupg-commit mailing list