From 06442ab0da6c119fb18ee8a19984ebac89e1fc75 Mon Sep 17 00:00:00 2001 From: David Shaw Date: Sun, 20 Jul 2003 00:10:13 +0000 Subject: [PATCH] * packet.h, main.h, sig-check.c (signature_check2, check_key_signature2, do_check): If ret_pk is set, fill in the pk used to verify the signature. Change all callers in getkey.c, mainproc.c, and sig-check.c. * keylist.c (list_keyblock_colon): Use the ret_pk from above to put the fingerprint of the signing key in "sig" records during a --with-colons --check-sigs. This requires --no-sig-cache as well since we don't cache fingerprints. --- g10/ChangeLog | 12 ++++++++++++ g10/getkey.c | 2 +- g10/keylist.c | 41 ++++++++++++++++++++++++++++++++++++++--- g10/main.h | 3 ++- g10/mainproc.c | 4 ++-- g10/packet.h | 4 ++-- g10/sig-check.c | 41 ++++++++++++++++++++++++----------------- 7 files changed, 81 insertions(+), 26 deletions(-) diff --git a/g10/ChangeLog b/g10/ChangeLog index 2feda9a84..7c532dd56 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,15 @@ +2003-07-19 David Shaw + + * packet.h, main.h, sig-check.c (signature_check2, + check_key_signature2, do_check): If ret_pk is set, fill in the pk + used to verify the signature. Change all callers in getkey.c, + mainproc.c, and sig-check.c. + + * keylist.c (list_keyblock_colon): Use the ret_pk from above to + put the fingerprint of the signing key in "sig" records during a + --with-colons --check-sigs. This requires --no-sig-cache as well + since we don't cache fingerprints. + 2003-07-10 David Shaw * parse-packet.c (parse_signature): No need to reserve 8 bytes for diff --git a/g10/getkey.c b/g10/getkey.c index 4dd8085b8..f488eb04a 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1604,7 +1604,7 @@ merge_selfsigs_main( KBNODE keyblock, int *r_revoked ) ultimate trust flag. */ if(get_pubkey_fast(ultimate_pk,sig->keyid)==0 && check_key_signature2(keyblock,k,ultimate_pk, - NULL,&dummy,&dum2)==0 + NULL,NULL,&dummy,&dum2)==0 && get_ownertrust(ultimate_pk)==TRUST_ULTIMATE) { free_public_key(ultimate_pk); diff --git a/g10/keylist.c b/g10/keylist.c index 9d27404ff..181a622d2 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -1032,8 +1032,10 @@ list_keyblock_colon( KBNODE keyblock, int secret, int fpr ) } else if( opt.list_sigs && node->pkt->pkttype == PKT_SIGNATURE ) { PKT_signature *sig = node->pkt->pkt.signature; - int sigrc; + int sigrc,fprokay=0; char *sigstr; + size_t fplen; + byte fparray[MAX_FINGERPRINT_LEN]; if( !any ) { /* no user id, (maybe a revocation follows)*/ if( sig->sig_class == 0x20 ) @@ -1067,8 +1069,16 @@ list_keyblock_colon( KBNODE keyblock, int secret, int fpr ) continue; } if( opt.check_sigs ) { + PKT_public_key *signer_pk=NULL; + u32 dummy; + int dum2; + fflush(stdout); - rc = check_key_signature( keyblock, node, NULL ); + if(opt.no_sig_cache) + signer_pk=m_alloc_clear(sizeof(PKT_public_key)); + + rc = check_key_signature2( keyblock, node, NULL, signer_pk, + NULL, &dummy, &dum2); switch( rc ) { case 0: sigrc = '!'; break; case G10ERR_BAD_SIGN: sigrc = '-'; break; @@ -1076,6 +1086,16 @@ list_keyblock_colon( KBNODE keyblock, int secret, int fpr ) case G10ERR_UNU_PUBKEY: sigrc = '?'; break; default: sigrc = '%'; break; } + + if(opt.no_sig_cache) + { + if(rc==0) + { + fingerprint_from_pk (signer_pk, fparray, &fplen); + fprokay=1; + } + free_public_key(signer_pk); + } } else { rc = 0; @@ -1109,7 +1129,22 @@ list_keyblock_colon( KBNODE keyblock, int secret, int fpr ) print_string( stdout, p, n, ':' ); m_free(p); } - printf(":%02x%c:\n", sig->sig_class,sig->flags.exportable?'x':'l'); + printf(":%02x%c:", sig->sig_class,sig->flags.exportable?'x':'l'); + + if(opt.no_sig_cache && opt.check_sigs && fprokay) + { + size_t i; + + printf(":"); + + for (i=0; i < fplen ; i++ ) + printf ("%02X", fparray[i] ); + + printf(":"); + } + + printf("\n"); + /* fixme: check or list other sigs here */ } } diff --git a/g10/main.h b/g10/main.h index 8657bba60..285500ce4 100644 --- a/g10/main.h +++ b/g10/main.h @@ -129,7 +129,8 @@ int sign_symencrypt_file (const char *fname, STRLIST locusr); int check_revocation_keys (PKT_public_key *pk, PKT_signature *sig); int check_key_signature( KBNODE root, KBNODE node, int *is_selfsig ); int check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, - int *is_selfsig, u32 *r_expiredate, int *r_expired ); + PKT_public_key *ret_pk, int *is_selfsig, + u32 *r_expiredate, int *r_expired ); /*-- delkey.c --*/ int delete_keys( STRLIST names, int secret, int allow_both ); diff --git a/g10/mainproc.c b/g10/mainproc.c index 99cc4f11b..0bd1a56eb 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -722,9 +722,9 @@ do_check_sig( CTX c, KBNODE node, int *is_selfsig, int *is_expkey ) } else return G10ERR_SIG_CLASS; - rc = signature_check2( sig, md, &dummy, is_expkey ); + rc = signature_check2( sig, md, &dummy, is_expkey, NULL ); if( rc == G10ERR_BAD_SIGN && md2 ) - rc = signature_check2( sig, md2, &dummy, is_expkey ); + rc = signature_check2( sig, md2, &dummy, is_expkey, NULL ); md_close(md); md_close(md2); diff --git a/g10/packet.h b/g10/packet.h index c391c53a4..516c93a44 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -460,8 +460,8 @@ int cmp_user_ids( PKT_user_id *a, PKT_user_id *b ); /*-- sig-check.c --*/ int signature_check( PKT_signature *sig, MD_HANDLE digest ); -int signature_check2( PKT_signature *sig, MD_HANDLE digest, - u32 *r_expiredate, int *r_expired ); +int signature_check2( PKT_signature *sig, MD_HANDLE digest, u32 *r_expiredate, + int *r_expired, PKT_public_key *ret_pk ); /*-- seckey-cert.c --*/ int is_secret_key_protected( PKT_secret_key *sk ); diff --git a/g10/sig-check.c b/g10/sig-check.c index c99187928..53363f8f9 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -39,8 +39,8 @@ struct cmp_help_context_s { MD_HANDLE md; }; -static int do_check( PKT_public_key *pk, PKT_signature *sig, - MD_HANDLE digest, int *r_expired ); +static int do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest, + int *r_expired, PKT_public_key *ret_pk); /**************** * Check the signature which is contained in SIG. @@ -52,12 +52,12 @@ signature_check( PKT_signature *sig, MD_HANDLE digest ) { u32 dummy; int dum2; - return signature_check2( sig, digest, &dummy, &dum2 ); + return signature_check2( sig, digest, &dummy, &dum2, NULL ); } int -signature_check2( PKT_signature *sig, MD_HANDLE digest, - u32 *r_expiredate, int *r_expired ) +signature_check2( PKT_signature *sig, MD_HANDLE digest, u32 *r_expiredate, + int *r_expired, PKT_public_key *ret_pk ) { PKT_public_key *pk = m_alloc_clear( sizeof *pk ); int rc=0; @@ -80,7 +80,7 @@ signature_check2( PKT_signature *sig, MD_HANDLE digest, invalid subkey */ else { *r_expiredate = pk->expiredate; - rc = do_check( pk, sig, digest, r_expired ); + rc = do_check( pk, sig, digest, r_expired, ret_pk ); } free_public_key( pk ); @@ -260,7 +260,7 @@ do_check_messages( PKT_public_key *pk, PKT_signature *sig, int *r_expired ) static int do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest, - int *r_expired ) + int *r_expired, PKT_public_key *ret_pk ) { MPI result = NULL; int rc=0; @@ -347,6 +347,9 @@ do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest, rc = G10ERR_BAD_SIGN; } + if(!rc && ret_pk) + copy_public_key(ret_pk,pk); + return rc; } @@ -475,14 +478,18 @@ check_key_signature( KBNODE root, KBNODE node, int *is_selfsig ) { u32 dummy; int dum2; - return check_key_signature2(root, node, NULL, is_selfsig, &dummy, &dum2 ); + return check_key_signature2(root, node, NULL, NULL, + is_selfsig, &dummy, &dum2 ); } /* If check_pk is set, then use it to check the signature in node - rather than getting it from root or the keydb. */ + rather than getting it from root or the keydb. If ret_pk is set, + fill in the public key that was used to verify the signature. + ret_pk is only meaningful when the verification was successful. */ int check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, - int *is_selfsig, u32 *r_expiredate, int *r_expired ) + PKT_public_key *ret_pk, int *is_selfsig, + u32 *r_expiredate, int *r_expired ) { MD_HANDLE md; PKT_public_key *pk; @@ -531,7 +538,7 @@ check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, { md = md_open( algo, 0 ); hash_public_key( md, pk ); - rc = do_check( pk, sig, md, r_expired ); + rc = do_check( pk, sig, md, r_expired, ret_pk ); cache_sig_result ( sig, rc ); md_close(md); } @@ -543,7 +550,7 @@ check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, md = md_open( algo, 0 ); hash_public_key( md, pk ); hash_public_key( md, snode->pkt->pkt.public_key ); - rc = do_check( pk, sig, md, r_expired ); + rc = do_check( pk, sig, md, r_expired, ret_pk ); cache_sig_result ( sig, rc ); md_close(md); } @@ -569,7 +576,7 @@ check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, md = md_open( algo, 0 ); hash_public_key( md, pk ); hash_public_key( md, snode->pkt->pkt.public_key ); - rc = do_check( pk, sig, md, r_expired ); + rc = do_check( pk, sig, md, r_expired, ret_pk ); cache_sig_result ( sig, rc ); md_close(md); } @@ -584,7 +591,7 @@ check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, else if( sig->sig_class == 0x1f ) { /* direct key signature */ md = md_open( algo, 0 ); hash_public_key( md, pk ); - rc = do_check( pk, sig, md, r_expired ); + rc = do_check( pk, sig, md, r_expired, ret_pk ); cache_sig_result ( sig, rc ); md_close(md); } @@ -602,12 +609,12 @@ check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, { if( is_selfsig ) *is_selfsig = 1; - rc = do_check( pk, sig, md, r_expired ); + rc = do_check( pk, sig, md, r_expired, ret_pk ); } else if (check_pk) - rc=do_check(check_pk,sig,md,r_expired); + rc=do_check(check_pk,sig,md,r_expired, ret_pk); else - rc = signature_check2( sig, md, r_expiredate, r_expired ); + rc = signature_check2( sig, md, r_expiredate, r_expired, ret_pk); cache_sig_result ( sig, rc ); md_close(md);