[PATCH v2] Use sks-keyservers CA by default for the hkps pool.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Dec 11 04:05:48 CET 2015
Ship the certificate for the sks-keyservers hkps pool. If the user
has specified that they want to use
hkps://hkps.pool.sks-keyservers.net, and they have not specified any
hkp-cacert explicitly, then initialize the trust path with this
specific trust anchor.
---
dirmngr/Makefile.am | 1 +
dirmngr/http.c | 22 +++++++++++++++++++++-
dirmngr/http.h | 3 ++-
dirmngr/ks-engine-hkp.c | 2 +-
dirmngr/ks-engine-http.c | 2 +-
dirmngr/t-http.c | 2 +-
6 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index c3bce0d..1c74d10 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -20,6 +20,7 @@
## Process this file with automake to produce Makefile.in
EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
+dist_pkgdata_DATA = sks-keyservers.netCA.pem
bin_PROGRAMS = dirmngr dirmngr-client
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 74b6911..c4f7cbc 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -130,6 +130,8 @@
"01234567890@" \
"!\"#$%&'()*+,-./:;<=>?[\\]^_{|}~"
+#define HKPS_POOL_CA_PEM GNUPG_DATADIR "/sks-keyservers.netCA.pem"
+
/* A long counter type. */
#ifdef HAVE_STRTOULL
typedef unsigned long long longcounter_t;
@@ -562,7 +564,8 @@ http_session_release (http_session_t sess)
/* Create a new session object which is currently used to enable TLS
support. It may eventually allow reusing existing connections. */
gpg_error_t
-http_session_new (http_session_t *r_session, const char *tls_priority)
+http_session_new (http_session_t *r_session, const char *tls_priority,
+ const char *intended_hostname)
{
gpg_error_t err;
http_session_t sess;
@@ -600,6 +603,23 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
goto leave;
}
+ /* if the user has not specified a CA list, and they are looking
+ * for the hkps pool from sks-keyservers.net, then default to
+ * Kristian's certificate authority:
+ */
+ if (!tls_ca_certlist)
+ {
+ if (intended_hostname &&
+ 0 == strcasecmp("hkps.pool.sks-keyservers.net", intended_hostname))
+ {
+ rc = gnutls_certificate_set_x509_trust_file
+ (sess->certcred, HKPS_POOL_CA_PEM, GNUTLS_X509_FMT_PEM);
+ if (rc < 0)
+ log_info ("setting CA from file '" HKPS_POOL_CA_PEM "' failed: %s\n",
+ gnutls_strerror (rc));
+
+ }
+ }
for (sl = tls_ca_certlist; sl; sl = sl->next)
{
rc = gnutls_certificate_set_x509_trust_file
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 64f55e1..58b8c1a 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
void http_register_tls_ca (const char *fname);
gpg_error_t http_session_new (http_session_t *r_session,
- const char *tls_priority);
+ const char *tls_priority,
+ const char *intended_hostname);
http_session_t http_session_ref (http_session_t sess);
void http_session_release (http_session_t sess);
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index e458899..f6af688 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -990,7 +990,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
*r_fp = NULL;
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, httphost);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index ae128ee..c51c0ce 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
estream_t fp = NULL;
char *request_buffer = NULL;
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, NULL);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 63662a2..9d5ea5f 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -262,7 +262,7 @@ main (int argc, char **argv)
http_register_tls_callback (verify_callback);
http_register_tls_ca (cafile);
- err = http_session_new (&session, NULL);
+ err = http_session_new (&session, NULL, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
--
2.6.2
More information about the Gnupg-devel
mailing list