authorWerner Koch <wk@gnupg.org>2017-02-21 12:41:43 +0100
committerWerner Koch <wk@gnupg.org>2017-02-21 12:42:34 +0100
commit9741aa24d9056b56cd5366ff5379bd8a3e6118df (patch)
tree4378ab388926b24b0314a7f7be74613b1a40d62e /dirmngr/certcache.c
parentdirmngr: Implement trust classes for the cert cache. (diff)
downloadgnupg2-9741aa24d9056b56cd5366ff5379bd8a3e6118df.tar.xz
gnupg2-9741aa24d9056b56cd5366ff5379bd8a3e6118df.zip
dirmngr: Load "sks-keyservers.netCA.pem" into the cache.
* dirmngr/certcache.c (load_certs_from_file): Always build this function. Add args 'trustclasses' and 'no_error'. Pass TRUSTCLASSES to put_cert. (load_certs_from_system): Pass CERTTRUST_CLASS_SYSTEM to load_certs_from_file. (cert_cache_init): Try to load "sks-keyservers.netCA.pem". Don't make function fail in an out-of-core condition. Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'dirmngr/certcache.c')
-rw-r--r--dirmngr/certcache.c48
1 files changed, 30 insertions, 18 deletions
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 0e4071d59..61be57efd 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -352,7 +352,7 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
/* Load certificates from the directory DIRNAME. All certificates
matching the pattern "*.crt" or "*.der" are loaded. We assume that
- certificates are DER encoded and not PEM encapsulated. The cache
+ certificates are DER encoded and not PEM encapsulated. The cache
should be in a locked state when calling this function. */
static gpg_error_t
load_certs_from_dir (const char *dirname, unsigned int trustclass)
@@ -443,14 +443,15 @@ load_certs_from_dir (const char *dirname, unsigned int trustclass)
}
-#ifndef HAVE_W32_SYSTEM
-/* Load certificates from FILE. The certifciates are expected to be
+/* Load certificates from FILE. The certificates are expected to be
* PEM encoded so that it is possible to load several certificates.
- * All certificates are considered to be system provided trusted
- * certificates. The cache should be in a locked state when calling
- * this function. */
+ * TRUSTCLASSES is used to mark the certificates as trusted. The
+ * cache should be in a locked state when calling this function.
+ * NO_ERROR repalces an error message when FNAME was not found by an
+ * information message. */
static gpg_error_t
-load_certs_from_file (const char *fname)
+load_certs_from_file (const char *fname, unsigned int trustclasses,
+ int no_error)
{
gpg_error_t err;
estream_t fp = NULL;
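Review bot: The rewritten header comment for load_certs_from_file has a typo and mixes names: "repalces" should be "replaces", and it opens with "FILE" but later says "FNAME", while the parameter is `fname`. The new parameter is named `trustclasses`, but put_cert's parameter (visible in the first hunk header) is the singular `trustclass`, so the comment should say whether a combination of class flags is accepted or exactly one class is expected. A possible last sentence is `NO_ERROR replaces the error message by an information message when FNAME was not found.` The function body continues outside this hunk.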
@@ -462,7 +463,10 @@ load_certs_from_file (const char *fname)
if (!fp)
{
err = gpg_error_from_syserror ();
- log_error (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
+ if (gpg_err_code (err) == GPG_ERR_ENONET && no_error)
+ log_info (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
+ else
+ log_error (_("can't open '%s': %s\n"), fname, gpg_strerror (err));
goto leave;
}
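Review bot: The added condition tests `GPG_ERR_ENONET`, the code for "machine is not on the network", which looks like a transposition of `GPG_ERR_ENOENT`. As written, a missing file would presumably never match, so the `no_error` argument has no effect and the absent optional CA file is still reported through `log_error`. The line should read `if (gpg_err_code (err) == GPG_ERR_ENOENT && no_error)`. The miscategorised message matters operationally, because a routine "optional file not installed" case then looks the same in the log as a real failure to read a trust-anchor file. load_certs_from_file starts and ends outside this hunk.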
@@ -493,7 +497,7 @@ load_certs_from_file (const char *fname)
goto leave;
}
- err = put_cert (cert, 1, CERTTRUST_CLASS_SYSTEM, NULL);
+ err = put_cert (cert, 1, trustclasses, NULL);
if (gpg_err_code (err) == GPG_ERR_DUP_VALUE)
log_info (_("certificate '%s' already cached\n"), fname);
else if (err)
@@ -523,7 +527,7 @@ load_certs_from_file (const char *fname)
return err;
}
-#endif /*!HAVE_W32_SYSTEM*/
+
#ifdef HAVE_W32_SYSTEM
/* Load all certificates from the Windows store named STORENAME. All
@@ -671,7 +675,7 @@ load_certs_from_system (void)
if (!access (table[idx].name, F_OK))
{
/* Take the first available bundle. */
- err = load_certs_from_file (table[idx].name);
+ err = load_certs_from_file (table[idx].name, CERTTRUST_CLASS_SYSTEM, 0);
break;
}
@@ -684,7 +688,7 @@ load_certs_from_system (void)
void
cert_cache_init (void)
{
- char *dname;
+ char *fname;
if (initialization_done)
return;
@@ -693,13 +697,21 @@ cert_cache_init (void)
load_certs_from_system ();
- dname = make_filename (gnupg_sysconfdir (), "trusted-certs", NULL);
- load_certs_from_dir (dname, CERTTRUST_CLASS_CONFIG);
- xfree (dname);
+ fname = make_filename_try (gnupg_sysconfdir (), "trusted-certs", NULL);
+ if (fname)
+ load_certs_from_dir (fname, CERTTRUST_CLASS_CONFIG);
+ xfree (fname);
+
+ fname = make_filename_try (gnupg_sysconfdir (), "extra-certs", NULL);
+ if (fname)
+ load_certs_from_dir (fname, 0);
+ xfree (fname);
- dname = make_filename (gnupg_sysconfdir (), "extra-certs", NULL);
- load_certs_from_dir (dname, 0);
- xfree (dname);
+ fname = make_filename_try (gnupg_datadir (),
+ "sks-keyservers.netCA.pem", NULL);
+ if (fname)
+ load_certs_from_file (fname, CERTTRUST_CLASS_HKPSPOOL, 1);
+ xfree (fname);
initialization_done = 1;
release_cache_lock ();
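Review bot: When `make_filename_try` returns NULL in any of the three new `if (fname)` guards, the load is skipped without a log line, and the return values of `load_certs_from_dir` and `load_certs_from_file` are discarded. The cache can therefore finish initialising without the configured trust anchors, and nothing records why. Not failing here is the commit's stated intent, but each guard could still report the condition, for example `else log_error ("make_filename_try failed: %s\n", gpg_strerror (gpg_error_from_syserror ()));` (message text constructed for illustration). A short comment above the last load would also help, such as `/* Certificates from this file are entered with CERTTRUST_CLASS_HKPSPOOL only. */`. `fname` now also holds directory names in the first two uses. cert_cache_init begins in the previous hunk.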