[PATCH v2] Use sks-keyservers CA by default for the hkps pool.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Dec 11 04:05:48 CET 2015 

Ship the certificate for the sks-keyservers hkps pool.  If the user
has specified that they want to use
hkps://hkps.pool.sks-keyservers.net, and they have not specified any
hkp-cacert explicitly, then initialize the trust path with this
specific trust anchor.
---
 dirmngr/Makefile.am      |  1 +
 dirmngr/http.c           | 22 +++++++++++++++++++++-
 dirmngr/http.h           |  3 ++-
 dirmngr/ks-engine-hkp.c  |  2 +-
 dirmngr/ks-engine-http.c |  2 +-
 dirmngr/t-http.c         |  2 +-
 6 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index c3bce0d..1c74d10 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -20,6 +20,7 @@
 ## Process this file with automake to produce Makefile.in
 
 EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
+dist_pkgdata_DATA = sks-keyservers.netCA.pem
 
 bin_PROGRAMS = dirmngr dirmngr-client
 
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 74b6911..c4f7cbc 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -130,6 +130,8 @@
                         "01234567890@"                 \
                         "!\"#$%&'()*+,-./:;<=>?[\\]^_{|}~"
 
+#define HKPS_POOL_CA_PEM GNUPG_DATADIR "/sks-keyservers.netCA.pem"
+
 /* A long counter type.  */
 #ifdef HAVE_STRTOULL
 typedef unsigned long long longcounter_t;
@@ -562,7 +564,8 @@ http_session_release (http_session_t sess)
 /* Create a new session object which is currently used to enable TLS
    support.  It may eventually allow reusing existing connections.  */
 gpg_error_t
-http_session_new (http_session_t *r_session, const char *tls_priority)
+http_session_new (http_session_t *r_session, const char *tls_priority,
+                  const char *intended_hostname)
 {
   gpg_error_t err;
   http_session_t sess;
@@ -600,6 +603,23 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
         goto leave;
       }
 
+    /* if the user has not specified a CA list, and they are looking
+     * for the hkps pool from sks-keyservers.net, then default to
+     * Kristian's certificate authority:
+     */
+    if (!tls_ca_certlist)
+      {
+        if (intended_hostname &&
+            0 == strcasecmp("hkps.pool.sks-keyservers.net", intended_hostname))
+          {
+            rc = gnutls_certificate_set_x509_trust_file
+              (sess->certcred, HKPS_POOL_CA_PEM, GNUTLS_X509_FMT_PEM);
+            if (rc < 0)
+              log_info ("setting CA from file '" HKPS_POOL_CA_PEM "' failed: %s\n",
+                        gnutls_strerror (rc));
+
+          }
+      }
     for (sl = tls_ca_certlist; sl; sl = sl->next)
       {
         rc = gnutls_certificate_set_x509_trust_file
diff --git a/dirmngr/http.h b/dirmngr/http.h
index 64f55e1..58b8c1a 100644
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
 void http_register_tls_ca (const char *fname);
 
 gpg_error_t http_session_new (http_session_t *r_session,
-                              const char *tls_priority);
+                              const char *tls_priority,
+                              const char *intended_hostname);
 http_session_t http_session_ref (http_session_t sess);
 void http_session_release (http_session_t sess);
 
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index e458899..f6af688 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -990,7 +990,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
 
   *r_fp = NULL;
 
-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, httphost);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index ae128ee..c51c0ce 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
   estream_t fp = NULL;
   char *request_buffer = NULL;
 
-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, NULL);
   if (err)
     goto leave;
   http_session_set_log_cb (session, cert_log_cb);
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 63662a2..9d5ea5f 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -262,7 +262,7 @@ main (int argc, char **argv)
   http_register_tls_callback (verify_callback);
   http_register_tls_ca (cafile);
 
-  err = http_session_new (&session, NULL);
+  err = http_session_new (&session, NULL, NULL);
   if (err)
     log_error ("http_session_new failed: %s\n", gpg_strerror (err));
 
-- 
2.6.2

More information about the Gnupg-devel mailing list