security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-03 12:11:33 +01:00
Code Activity

agent: Introduce attribute "Remote-list" to KEYINFO.

Browse Source 
* agent/command.c (do_one_keyinfo): Add arg list_mode.  Check
attribute Remote-list.
(cmd_keyinfo): Change semantics to return nothing in restricted list
mode.
This commit is contained in:
Werner Koch 2022-10-12 10:19:14 +02:00
parent b0b4e24c4f
commit 1383aa4750
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 27 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
agent/command.c
View File

@ -1479,7 +1479,7 @@ static gpg_error_t
do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx, do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
int data, int with_ssh_fpr, int in_ssh, int data, int with_ssh_fpr, int in_ssh,
int ttl, int disabled, int confirm, int on_card, int ttl, int disabled, int confirm, int on_card,
const char *need_attr) const char *need_attr, int list_mode)
{ {
gpg_error_t err; gpg_error_t err;
char hexgrip[40+1]; char hexgrip[40+1];
@ -1507,11 +1507,12 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
goto leave; goto leave;
} }
if (need_attr) if (need_attr || (ctrl->restricted && list_mode))
{ {
gcry_sexp_t s_key = NULL; gcry_sexp_t s_key = NULL;
nvc_t keymeta = NULL; nvc_t keymeta = NULL;
int istrue; int istrue, has_rl;
if (missing_key) if (missing_key)
goto leave; /* No attribute available. */ goto leave; /* No attribute available. */
@ -1521,7 +1522,14 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
istrue = 0; istrue = 0;
else else
{ {
has_rl = 0;
if (ctrl->restricted && list_mode
&& !(has_rl = nvc_get_boolean (keymeta, "Remote-list:")))
istrue = 0;
else if (need_attr)
istrue = nvc_get_boolean (keymeta, need_attr); istrue = nvc_get_boolean (keymeta, need_attr);
else
istrue = has_rl;
nvc_release (keymeta); nvc_release (keymeta);
} }
gcry_sexp_release (s_key); gcry_sexp_release (s_key);
@ -1532,7 +1540,6 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
} }
} }
/* Reformat the grip so that we use uppercase as good style. */ /* Reformat the grip so that we use uppercase as good style. */
bin2hex (grip, 20, hexgrip); bin2hex (grip, 20, hexgrip);
@ -1722,12 +1729,6 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
if (list_mode == 2) if (list_mode == 2)
{ {
if (ctrl->restricted)
{
err = leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
goto leave;;
}
if (cf) if (cf)
{ {
while (!ssh_read_control_file (cf, hexgrip, while (!ssh_read_control_file (cf, hexgrip,
@ -1742,8 +1743,10 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
on_card = 1; on_card = 1;
err = do_one_keyinfo (ctrl, grip, ctx, opt_data, opt_ssh_fpr, 1, err = do_one_keyinfo (ctrl, grip, ctx, opt_data, opt_ssh_fpr, 1,
ttl, disabled, confirm, on_card, need_attr); ttl, disabled, confirm, on_card, need_attr,
if (need_attr && gpg_err_code (err) == GPG_ERR_NOT_FOUND) list_mode);
if ((need_attr || ctrl->restricted)
&& gpg_err_code (err) == GPG_ERR_NOT_FOUND)
; ;
else if (err) else if (err)
goto leave; goto leave;
@ -1756,12 +1759,6 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
char *dirname; char *dirname;
gnupg_dirent_t dir_entry; gnupg_dirent_t dir_entry;
if (ctrl->restricted)
{
err = leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
goto leave;
}
dirname = make_filename_try (gnupg_homedir (), dirname = make_filename_try (gnupg_homedir (),
GNUPG_PRIVATE_KEYS_DIR, NULL); GNUPG_PRIVATE_KEYS_DIR, NULL);
if (!dirname) if (!dirname)
@ -1806,8 +1803,10 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
on_card = 1; on_card = 1;
err = do_one_keyinfo (ctrl, grip, ctx, opt_data, opt_ssh_fpr, is_ssh, err = do_one_keyinfo (ctrl, grip, ctx, opt_data, opt_ssh_fpr, is_ssh,
ttl, disabled, confirm, on_card, need_attr); ttl, disabled, confirm, on_card, need_attr,
if (need_attr && gpg_err_code (err) == GPG_ERR_NOT_FOUND) list_mode);
if ((need_attr || ctrl->restricted)
&& gpg_err_code (err) == GPG_ERR_NOT_FOUND)
; ;
else if (err) else if (err)
goto leave; goto leave;
@ -1836,7 +1835,7 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
on_card = 1; on_card = 1;
err = do_one_keyinfo (ctrl, grip, ctx, opt_data, opt_ssh_fpr, is_ssh, err = do_one_keyinfo (ctrl, grip, ctx, opt_data, opt_ssh_fpr, is_ssh,
ttl, disabled, confirm, on_card, need_attr); ttl, disabled, confirm, on_card, need_attr, 0);
} }
leave: leave:

6
agent/keyformat.txt
View File

@ -129,6 +129,12 @@ If given and the value is "yes" or "1" the key is allowed for use by
GnuPG's PKCS#11 interface (Scute). Note that Scute needs to be GnuPG's PKCS#11 interface (Scute). Note that Scute needs to be
configured to use this optimization. configured to use this optimization.
*** Remote-list
Allow to list the key with the KEYINFO command from a remote machine
via the extra socket. A boolean value is expected; the default is
"no". Note that KEYINFO will anyway provide information if the
keygrip is specified.
*** Confirm *** Confirm
If given and the value is "yes", a user will be asked confirmation by If given and the value is "yes", a user will be asked confirmation by
a dialog window when the key is about to be used for a dialog window when the key is about to be used for