[PATCH 2/3] dirmngr: add system CAs if no hkp-cacert is given

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 28 00:30:58 CEST 2016

* dirmngr/dirmngr.c (http_session_new): if the user isn't talking to
  the HKPS pool, and they have not specified any hkp-cacert, then we
  should default to the system CAs, rather than nothing.
* doc/dirmngr.texi: document choice of CAs.


Consider three possible classes of dirmngr configuration:

 a) no hkps:// keyserver URLs at all (communication with keyservers is
    entirely in the clear)

 b) hkps:// keyserver URLs, but no hkp-cacert directives

 c) hkps:// keyserver URLs, and at least one hkp-cacert directive

class (a) provides no confidentiality of requests.

class (b) currently will never work because the server certificate
cannot be validated.

class (c) is currently supported as intended.

This patch allows users with configurations in class (b) to work as
most users expect (relying on the system certificate authorities),
without affecting users in classes (a) or (c).

Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
 dirmngr/http.c   | 14 +++++++++-----
 doc/dirmngr.texi |  5 +++++
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/dirmngr/http.c b/dirmngr/http.c
index b767c15..18e3b72 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -591,6 +591,8 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
     const char *errpos;
     int rc;
     strlist_t sl;
+    int add_system_cas = !!(flags & HTTP_FLAG_TRUST_SYS);
+    int is_hkps_pool;
     rc = gnutls_certificate_allocate_credentials (&sess->certcred);
     if (rc < 0)
@@ -601,13 +603,13 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
         goto leave;
+    is_hkps_pool = intended_hostname &&
+      !ascii_strcasecmp (intended_hostname, "hkps.pool.sks-keyservers.net");
     /* If the user has not specified a CA list, and they are looking
      * for the hkps pool from sks-keyservers.net, then default to
      * Kristian's certificate authority:  */
-    if (!tls_ca_certlist
-        && intended_hostname
-        && !ascii_strcasecmp (intended_hostname,
-                              "hkps.pool.sks-keyservers.net"))
+    if (!tls_ca_certlist && is_hkps_pool)
         char *pemname = make_filename_try (gnupg_datadir (),
                                            "sks-keyservers.netCA.pem", NULL);
@@ -640,10 +642,12 @@ http_session_new (http_session_t *r_session, const char *tls_priority,
               log_info ("setting CA from file '%s' failed: %s\n",
                         sl->d, gnutls_strerror (rc));
+        if (!tls_ca_certlist && !is_hkps_pool)
+          add_system_cas = 1;
     /* Add system certificates to the session.  */
-    if ((flags & HTTP_FLAG_TRUST_SYS))
+    if (add_system_cas)
 #if GNUTLS_VERSION_NUMBER >= 0x030014
         static int shown;
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 6620a87..8a2e5ba 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -462,6 +462,11 @@ the file is in PEM format a suffix of @code{.pem} is expected for
 @var{file}.  This option may be given multiple times to add more
 root certificates.  Tilde expansion is supported.
+If no @code{hkp-cacert} directive is present, dirmngr will make a
+reasonable choice: if the keyserver in question is the special pool
+ at code{hkps.pool.sks-keyservers.net}, it will use the bundled root
+certificate for that pool.  Otherwise, it will use the system CAs.
 @end table

More information about the Gnupg-devel mailing list