[Pkg-gnupg-commit] [gnupg2] 114/166: dirmngr: Load --hkp-cacert values into the certificate cache.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 16 22:33:11 UTC 2017



dkg pushed a commit to branch experimental
in repository gnupg2.

commit d1625a9a82b1e5d96bbbf2132c49c53108565ae1
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Feb 21 13:57:24 2017 +0100

    dirmngr: Load --hkp-cacert values into the certificate cache.
    
    * dirmngr/dirmngr.c (hkp_cacert_filenames): New var.
    (parse_rereadable_options): Store filenames from --hkp-cacert in the
    new var.
    (main, dirmngr_sighup_action): Pass that var to cert_cache_init.
    * dirmngr/certcache.c (cert_cache_init): Add arg 'hkp_cacert' and load
    those certs.
    (load_certs_from_file): Use autodetect so that PEM and DER encodings
    are possible.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>
---
 dirmngr/certcache.c | 10 ++++++++--
 dirmngr/certcache.h |  2 +-
 dirmngr/dirmngr.c   | 20 ++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 61be57e..47eea25 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -471,7 +471,8 @@ load_certs_from_file (const char *fname, unsigned int trustclasses,
     }
 
   err = gnupg_ksba_create_reader (&ioctx,
-                                  (GNUPG_KSBA_IO_PEM | GNUPG_KSBA_IO_MULTIPEM),
+                                  (GNUPG_KSBA_IO_AUTODETECT
+                                   | GNUPG_KSBA_IO_MULTIPEM),
                                   fp, &reader);
   if (err)
     {
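Review bot: The switch to GNUPG_KSBA_IO_AUTODETECT at the gnupg_ksba_create_reader call widens what load_certs_from_file accepts for every caller, not only the --hkp-cacert files this commit adds, yet the function's header comment (the function starts outside this hunk) is not updated. It should say that the file encoding is detected from the content, e.g. `/* FNAME may hold one or more PEM certificates or a single DER certificate; the encoding is autodetected.  */`. Whether GNUPG_KSBA_IO_MULTIPEM still has an effect once autodetection settles on DER is not visible here and is worth confirming against the reader implementation.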
@@ -686,9 +687,10 @@ load_certs_from_system (void)
 
 /* Initialize the certificate cache if not yet done.  */
 void
-cert_cache_init (void)
+cert_cache_init (strlist_t hkp_cacerts)
 {
   char *fname;
+  strlist_t sl;
 
   if (initialization_done)
     return;
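Review bot: The new hkp_cacerts parameter is not described in the comment above cert_cache_init, and the matching declaration hunk in certcache.h has the same gap. From what the hunks show the list is only iterated, so the comment should state the contract, e.g. `/* Initialize the certificate cache if not yet done.  HKP_CACERTS is a list of filenames whose certificates are loaded with trust class HKP; the list stays owned by the caller.  */`. If a later part of the function keeps a pointer into the list, that sentence needs adjusting; the body continues past the hunk.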
@@ -707,6 +709,10 @@ cert_cache_init (void)
     load_certs_from_dir (fname, 0);
   xfree (fname);
 
+  for (sl = hkp_cacerts; sl; sl = sl->next)
+    load_certs_from_file (sl->d, CERTTRUST_CLASS_HKP, 0);
+
+
   fname = make_filename_try (gnupg_datadir (),
                              "sks-keyservers.netCA.pem", NULL);
   if (fname)
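Review bot: The return value of load_certs_from_file in the new loop is discarded, so a --hkp-cacert file that cannot be read or parsed leaves the cache without that CA and nothing in this function says whether that is intended; the existing load_certs_from_dir call above does the same, so the style is consistent, but for an operator-supplied trust anchor a one-line comment on the loop stating the policy would help, e.g. `/* Failures are reported by load_certs_from_file; a bad file must not prevent startup.  */` provided load_certs_from_file does log them, which is not visible here. The two blank lines after the loop are one more than the surrounding code uses.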
diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h
index fec2ff4..92529bf 100644
--- a/dirmngr/certcache.h
+++ b/dirmngr/certcache.h
@@ -31,7 +31,7 @@ enum {
 
 
 /* First time initialization of the certificate cache.  */
-void cert_cache_init (void);
+void cert_cache_init (strlist_t hkp_cacerts);
 
 /* Deinitialize the certificate cache.  */
 void cert_cache_deinit (int full);
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index f04d088..6b4cbcf 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -319,6 +319,10 @@ static int active_connections;
  * thread to run background network tasks.  */
 static int network_activity_seen;
 
+/* A list of filenames registred with --hkp-cacert.  */
+static strlist_t hkp_cacert_filenames;
+
+
 /* The timer tick used for housekeeping stuff.  */
 #define TIMERTICK_INTERVAL         (60)
 
@@ -586,6 +590,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
         }
       FREE_STRLIST (opt.ignored_cert_extensions);
       http_register_tls_ca (NULL);
+      FREE_STRLIST (hkp_cacert_filenames);
       FREE_STRLIST (opt.keyserver);
       /* Note: We do not allow resetting of TOR_MODE_FORCE at runtime.  */
       if (tor_mode != TOR_MODE_FORCE)
@@ -653,11 +658,14 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
 
     case oHkpCaCert:
       {
+        /* We need to register the filenames with gnutls (http.c) and
+         * also for our own cert cache.  */
         char *tmpname;
 
         /* Do tilde expansion and make path absolute.  */
         tmpname = make_absfilename (pargs->r.ret_str, NULL);
         http_register_tls_ca (tmpname);
+        add_to_strlist (&hkp_cacert_filenames, pargs->r.ret_str);
         xfree (tmpname);
       }
       break;
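Review bot: The oHkpCaCert case registers the expanded absolute path (tmpname) with http_register_tls_ca but stores the raw option value (pargs->r.ret_str) in hkp_cacert_filenames, so the certificate cache and the TLS layer can end up trusting different files: a value such as `~/ca.pem` is passed to load_certs_from_file without tilde expansion, and a relative path is resolved against whatever the daemon's working directory is when cert_cache_init runs, which on the SIGHUP path may differ from the directory at option parsing. Both consumers should see the same name: `add_to_strlist (&hkp_cacert_filenames, tmpname);` on the line before `xfree (tmpname);` (add_to_strlist copies the string into its node, so the xfree remains correct). The new comment above tmpname then also matches the code, since it already says the filename is registered for both uses.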
@@ -1069,7 +1077,7 @@ main (int argc, char **argv)
 
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       http_register_netactivity_cb (netactivity_action);
       start_command_handler (ASSUAN_INVALID_FD);
@@ -1104,7 +1112,7 @@ main (int argc, char **argv)
         log_set_prefix (NULL, 0);
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       http_register_netactivity_cb (netactivity_action);
       handle_connections (3);
@@ -1311,7 +1319,7 @@ main (int argc, char **argv)
 #endif
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       http_register_netactivity_cb (netactivity_action);
       handle_connections (fd);
@@ -1333,7 +1341,7 @@ main (int argc, char **argv)
       dirmngr_init_default_ctrl (&ctrlbuf);
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       if (!argc)
         rc = crl_cache_load (&ctrlbuf, NULL);
@@ -1356,7 +1364,7 @@ main (int argc, char **argv)
       dirmngr_init_default_ctrl (&ctrlbuf);
 
       thread_init ();
-      cert_cache_init ();
+      cert_cache_init (hkp_cacert_filenames);
       crl_cache_init ();
       rc = crl_fetch (&ctrlbuf, argv[0], &reader);
       if (rc)
@@ -1769,7 +1777,7 @@ dirmngr_sighup_action (void)
   reread_configuration ();
   cert_cache_deinit (0);
   crl_cache_deinit ();
-  cert_cache_init ();
+  cert_cache_init (hkp_cacert_filenames);
   crl_cache_init ();
   reload_dns_stuff (0);
   ks_hkp_reload ();
