Commit 84419f42 authored by Werner Koch's avatar Werner Koch

dirmngr: Support https for KS_FETCH.

* dirmngr/ks-engine-hkp.c (cert_log_cb): Move to ...
* dirmngr/misc.c (cert_log_cb): here.
* dirmngr/ks-engine-http.c (ks_http_fetch): Support 307-redirection
and https.
--

Note that this requires that the root certificates are registered using
the --hkp-cacert option.  Eventually we may introduce a separate
option to allow using different CAs for KS_FETCH and keyserver based
requests.
parent 3b20cc21
......@@ -880,40 +880,6 @@ ks_hkp_housekeeping (time_t curtime)
}
/* Callback to print infos about the TLS certificates. */
static void
cert_log_cb (http_session_t sess, gpg_error_t err,
const char *hostname, const void **certs, size_t *certlens)
{
ksba_cert_t cert;
size_t n;
(void)sess;
if (!err)
return; /* No error - no need to log anything */
log_debug ("expected hostname: %s\n", hostname);
for (n=0; certs[n]; n++)
{
err = ksba_cert_new (&cert);
if (!err)
err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
if (err)
log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
else
{
char textbuf[20];
snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
dump_cert (textbuf, cert);
}
ksba_cert_release (cert);
}
}
/* Send an HTTP request. On success returns an estream object at
R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is
not NULL it will be used as HTTP "Host" header. If POST_CB is not
......
......@@ -38,6 +38,7 @@ ks_http_help (ctrl_t ctrl, parsed_uri_t uri)
const char const data[] =
"Handler for HTTP URLs:\n"
" http://\n"
" https://\n"
"Supported methods: fetch\n";
gpg_error_t err;
......@@ -58,11 +59,17 @@ gpg_error_t
ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
{
gpg_error_t err;
http_session_t session = NULL;
http_t http = NULL;
int redirects_left = MAX_REDIRECTS;
estream_t fp = NULL;
char *request_buffer = NULL;
err = http_session_new (&session, NULL);
if (err)
goto leave;
http_session_set_log_cb (session, cert_log_cb);
*r_fp = NULL;
once_more:
err = http_open (&http,
......@@ -72,7 +79,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
/* fixme: AUTH */ NULL,
0,
/* fixme: proxy*/ NULL,
NULL, NULL,
session,
NULL,
/*FIXME curl->srvtag*/NULL);
if (!err)
{
......@@ -112,6 +120,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
case 301:
case 302:
case 307:
{
const char *s = http_get_header (http, "Location");
......@@ -157,6 +166,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
leave:
http_close (http, 0);
http_session_release (session);
xfree (request_buffer);
return err;
}
......@@ -384,6 +384,39 @@ cert_log_subject (const char *text, ksba_cert_t cert)
}
/* Callback to print infos about the TLS certificates. */
void
cert_log_cb (http_session_t sess, gpg_error_t err,
const char *hostname, const void **certs, size_t *certlens)
{
ksba_cert_t cert;
size_t n;
(void)sess;
if (!err)
return; /* No error - no need to log anything */
log_debug ("expected hostname: %s\n", hostname);
for (n=0; certs[n]; n++)
{
err = ksba_cert_new (&cert);
if (!err)
err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
if (err)
log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
else
{
char textbuf[20];
snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
dump_cert (textbuf, cert);
}
ksba_cert_release (cert);
}
}
/****************
* Remove all %xx escapes; this is done inplace.
* Returns: New length of the string.
......
......@@ -68,6 +68,10 @@ void dump_string (const char *string);
TEXT. This is used for debugging. */
void dump_cert (const char *text, ksba_cert_t cert);
/* Callback to print infos about the TLS certificates. */
void cert_log_cb (http_session_t sess, gpg_error_t err,
const char *hostname, const void **certs, size_t *certlens);
/* Return the host name and the port (0 if none was given) from the
URL. Return NULL on error or if host is not included in the
URL. */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment