From d9c7935188483dae381c12e7eef19072bbade4b3 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 18 Nov 2019 18:23:04 +0100 Subject: dirmngr,gpg: Better diagnostic in case of bad TLS certificates. * doc/DETAILS: Specify new status code "NOTE". * dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a bad TLS certificate. * g10/call-dirmngr.c (ks_status_cb): Detect this status. -- For example a gpg -v --locate-external-keys dd9jn@posteo.net now yields gpg: Note: server uses an invalid certificate gpg: (further info: bad cert for 'posteo.net': \ Hostname does not match the certificate) gpg: error retrieving 'dd9jn@posteo.net' via WKD: Wrong name gpg: error reading key: Wrong name (without -v the "further info" line is not shown). Note that even after years Posteo is not able to provide a valid certificate for their .net addresses. Anyway, this help to show the feature. Signed-off-by: Werner Koch
---
 g10/call-dirmngr.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'g10')
diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
index 58829c764..88fd97eb1 100644
--- a/g10/call-dirmngr.c
+++ b/g10/call-dirmngr.c
@@ -395,6 +395,7 @@ ks_status_cb (void *opaque, const char *line)
   gpg_error_t err = 0;
   const char *s, *s2;
   const char *warn;
+  int is_note = 0;
 
   if ((s = has_leading_keyword (line, parm->keyword? parm->keyword : "SOURCE")))
     {
@@ -406,7 +407,8 @@ ks_status_cb (void *opaque, const char *line)
           err = gpg_error_from_syserror ();
         }
     }
-  else if ((s = has_leading_keyword (line, "WARNING")))
+  else if ((s = has_leading_keyword (line, "WARNING"))
+           || (is_note = !!(s = has_leading_keyword (line, "NOTE"))))
     {
       if ((s2 = has_leading_keyword (s, "tor_not_running")))
         warn = _("Tor is not running");
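Review bot: The new `is_note` flag and the `else if` condition that now performs three assignments in one expression (`s` twice, `is_note` once) carry no comment, and the reliance on `||` short-circuiting to keep `is_note` at 0 when "WARNING" matched is easy to misread. A comment on the declaration would help, e.g. `int is_note = 0;  /* 1 if the line is a NOTE status, 0 for WARNING.  */`, and one line above the condition such as `/* WARNING and NOTE share the sub-keywords below; only the log prefix differs.  */`. ks_status_cb starts before this hunk and continues past it.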
@@ -418,12 +420,17 @@ ks_status_cb (void *opaque, const char *line)
         warn = _("unacceptable HTTP redirect from server");
       else if ((s2 = has_leading_keyword (s, "http_redirect_cleanup")))
         warn = _("unacceptable HTTP redirect from server was cleaned up");
+      else if ((s2 = has_leading_keyword (s, "tls_cert_error")))
+        warn = _("server uses an invalid certificate");
       else
         warn = NULL;
 
       if (warn)
         {
-          log_info (_("WARNING: %s\n"), warn);
+          if (is_note)
+            log_info (_("Note: %s\n"), warn);
+          else
+            log_info (_("WARNING: %s\n"), warn);
           if (s2)
             {
               while (*s2 && !spacep (s2))
-- 
cgit v1.2.3
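Review bot: The `if (is_note)` branch does not say why a failed TLS certificate check is printed as a "Note" rather than a "WARNING", which a reader of this table is likely to question. Per the commit message the fetch still fails and the caller reports the error, so a comment above the branch would settle it, e.g. `/* NOTE: the condition is also reported as an error by the caller, so print it less prominently than a WARNING.  */`. It is also worth stating near the `tls_cert_error` entry that only this fixed, translated string is printed here; the server-derived detail after the sub-keyword is presumably handled by the `if (s2)` code that continues outside the hunk, so that should be confirmed against the rest of ks_status_cb.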