author | Werner Koch <wk@gnupg.org> | 2017-02-21 12:23:20 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2017-02-21 12:23:20 +0100 |
commit | 50b9828eacc39c1ca75cb8313db896e4bdc8b270 (patch) | |
tree | ef0134a5cd300e6687146b916c3e4e79adcfabe3 /dirmngr/certcache.h | |
parent | dirmngr: New Assuan option "http-crl". (diff) | |
dirmngr: Implement trust classes for the cert cache.
* dirmngr/certcache.h (CERTTRUST_CLASS_SYSTEM): New.
(CERTTRUST_CLASS_CONFIG): New.
(CERTTRUST_CLASS_HKP): New.
(CERTTRUST_CLASS_HKPSPOOL): New.
* dirmngr/certcache.c (MAX_EXTRA_CACHED_CERTS): Rename to ...
(MAX_NONPERM_CACHED_CERTS): this.
(total_extra_certificates): Rename to ...
(total_nonperm_certificates): this.
(total_config_certificates): Remove.
(total_trusted_certificates): Remove.
(total_system_trusted_certificates): Remove.
(cert_item_s): Remove field 'flags'. Add fields 'permanent' and
'trustclasses'.
(clean_cache_slot): Clear new fields.
(put_cert): Change for new cert_item_t structure.
(load_certs_from_dir): Rename arg 'are_trusted' to 'trustclass'
(load_certs_from_file): Use CERTTRUST_CLASS_ value for put_cert.
(load_certs_from_w32_store): Ditto.
(cert_cache_init): Ditto.
(cert_cache_print_stats): Rewrite.
(is_trusted_cert): Replace arg 'with_systrust' by 'trustclasses'.
Change the test.
* dirmngr/validate.c (allowed_ca): Pass CERTTRUST_CLASS_CONFIG to
is_trusted_cert.
(validate_cert_chain): Pass CERTTRUST_CLASS_ values to
is_trusted_cert.
--
These trust classes make it easier to select certain sets of root
certificates.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'dirmngr/certcache.h')
-rw-r--r-- | dirmngr/certcache.h | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/dirmngr/certcache.h b/dirmngr/certcache.h index 1f8670673..fec2ff4fe 100644 --- a/dirmngr/certcache.h +++ b/dirmngr/certcache.h @@ -21,6 +21,15 @@ #ifndef CERTCACHE_H #define CERTCACHE_H +/* The origin of the trusted root certificates. */ +enum { + CERTTRUST_CLASS_SYSTEM = 1, /* From the system's list of trusted certs. */ + CERTTRUST_CLASS_CONFIG = 2, /* From dirmngr's config files. */ + CERTTRUST_CLASS_HKP = 4, /* From --hkp-cacert */ + CERTTRUST_CLASS_HKPSPOOL= 8, /* The one and only from sks-keyservers */ +}; + + /* First time initialization of the certificate cache. */ void cert_cache_init (void); @@ -42,9 +51,9 @@ gpg_error_t cache_cert_silent (ksba_cert_t cert, void *fpr_buffer); /* Return 0 if the certificate is a trusted certificate. Returns * GPG_ERR_NOT_TRUSTED if it is not trusted or other error codes in - * case of systems errors. If WITH_SYSTRUST is set also system - * provided certificates are considered trusted. */ -gpg_error_t is_trusted_cert (ksba_cert_t cert, int with_systrust); + * case of systems errors. TRUSTCLASSES are the bitwise ORed + * CERTTRUST_CLASS values to use for the check. */ +gpg_error_t is_trusted_cert (ksba_cert_t cert, unsigned trustclasses); /* Return a certificate object for the given fingerprint. FPR is expected to be a 20 byte binary SHA-1 fingerprint. If no matching |
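Review bot: the comment on the new enum (first hunk) describes the values only as "the origin of the trusted root certificates" and does not say they are bit flags. That only becomes clear from the is_trusted_cert comment in the second hunk ("bitwise ORed CERTTRUST_CLASS values"). The enum is anonymous and the parameter is a plain `unsigned`, so nothing stops a later enumerator from being given a value such as 3. I would state in the enum's own comment that each class is a distinct bit and that values are combined with OR. Style: `CERTTRUST_CLASS_HKPSPOOL= 8` lacks the space before `=` that the other three enumerators have.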
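Review bot: in the is_trusted_cert hunk the second parameter changes from a boolean `int with_systrust` to a mask `unsigned trustclasses`, so a caller that still passes 0 or 1 compiles without a warning but now means something different. 1 is now CERTTRUST_CLASS_SYSTEM alone, and 0 names no class at all, whereas the removed comment said system certificates were "also" considered trusted, which implies the other trusted certificates were accepted with 0. Please document in the new comment what a TRUSTCLASSES of 0 returns, and check that every caller was converted, since this diff is limited to certcache.h and the callers are not visible here. The unchanged context line still reads "systems errors", which could be corrected while the comment is being edited.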