gpg: Prepare parser for the new attestation certificates.
* common/openpgpdefs.h (SIGSUBPKT_ATTST_SIGS): New. * g10/keydb.h (IS_ATTST_SIGS): New. (IS_CERT): Include the new one. * g10/sign.c (mk_notation_policy_etc): Do not put notations into attestation key signatures. * g10/parse-packet.c (dump_sig_subpkt): Add new arg digest_algo. Print the attestation sigs. (parse_one_sig_subpkt): Support SIGSUBPKT_ATTST_SIGS. (can_handle_critical): Ditto. (enum_sig_subpkt): Pass digest algo to dump_sig_subpkt. -- This change makes it possible to list the new subpacket with --list-packets. Example output: :signature packet: algo 22, keyid C694723A1370EAB1 version 4, created 1567097576, md5len 0, sigclass 0x16 digest algo 8, begin of digest ff 0c hashed subpkt 2 len 4 (sig created 2019-08-29) hashed subpkt 37 len 32 (attst-sigs: 1 A794C6E9CCFE2F34C67E07[...]) hashed subpkt 33 len 21 (issuer fpr v4 156A3872[...]) subpkt 16 len 8 (issuer key ID C694723A1370EAB1) data: [256 bits] data: [256 bits] GnuPG-bug-id: 4694 Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
e1d9be730c
commit
209caaff66
@ -119,6 +119,8 @@ typedef enum
|
|||||||
SIGSUBPKT_ISSUER_FPR = 33, /* Issuer fingerprint. */
|
SIGSUBPKT_ISSUER_FPR = 33, /* Issuer fingerprint. */
|
||||||
SIGSUBPKT_PREF_AEAD = 34, /* Preferred AEAD algorithms. */
|
SIGSUBPKT_PREF_AEAD = 34, /* Preferred AEAD algorithms. */
|
||||||
|
|
||||||
|
SIGSUBPKT_ATTST_SIGS = 37, /* Attested Certifications. */
|
||||||
|
|
||||||
SIGSUBPKT_FLAG_CRITICAL = 128
|
SIGSUBPKT_FLAG_CRITICAL = 128
|
||||||
}
|
}
|
||||||
sigsubpkttype_t;
|
sigsubpkttype_t;
|
||||||
|
10
g10/keydb.h
10
g10/keydb.h
@ -29,11 +29,17 @@
|
|||||||
/* What qualifies as a certification (key-signature in contrast to a
|
/* What qualifies as a certification (key-signature in contrast to a
|
||||||
* data signature)? Note that a back signature is special and can be
|
* data signature)? Note that a back signature is special and can be
|
||||||
* made by key and data signatures capable subkeys.) */
|
* made by key and data signatures capable subkeys.) */
|
||||||
#define IS_CERT(s) (IS_KEY_SIG(s) || IS_UID_SIG(s) || IS_SUBKEY_SIG(s) \
|
#define IS_CERT(s) (IS_KEY_SIG(s) \
|
||||||
|| IS_KEY_REV(s) || IS_UID_REV(s) || IS_SUBKEY_REV(s))
|
|| IS_UID_SIG(s) \
|
||||||
|
|| IS_SUBKEY_SIG(s) \
|
||||||
|
|| IS_KEY_REV(s) \
|
||||||
|
|| IS_UID_REV(s) \
|
||||||
|
|| IS_SUBKEY_REV(s) \
|
||||||
|
|| IS_ATTST_SIGS(s) )
|
||||||
#define IS_SIG(s) (!IS_CERT(s))
|
#define IS_SIG(s) (!IS_CERT(s))
|
||||||
#define IS_KEY_SIG(s) ((s)->sig_class == 0x1f)
|
#define IS_KEY_SIG(s) ((s)->sig_class == 0x1f)
|
||||||
#define IS_UID_SIG(s) (((s)->sig_class & ~3) == 0x10)
|
#define IS_UID_SIG(s) (((s)->sig_class & ~3) == 0x10)
|
||||||
|
#define IS_ATTST_SIGS(s) ((s)->sig_class == 0x16)
|
||||||
#define IS_SUBKEY_SIG(s) ((s)->sig_class == 0x18)
|
#define IS_SUBKEY_SIG(s) ((s)->sig_class == 0x18)
|
||||||
#define IS_BACK_SIG(s) ((s)->sig_class == 0x19)
|
#define IS_BACK_SIG(s) ((s)->sig_class == 0x19)
|
||||||
#define IS_KEY_REV(s) ((s)->sig_class == 0x20)
|
#define IS_KEY_REV(s) ((s)->sig_class == 0x20)
|
||||||
|
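Review bot: The comment above IS_CERT still describes only key, user-ID and subkey signatures plus revocations, although the macro now also classifies attestation key signatures as certifications; I would extend it with `* Attestation key signatures (class 0x16) are also certifications.` so the IS_SIG(s) = !IS_CERT(s) consequence is visible to readers. IS_ATTST_SIGS is used in IS_CERT before it is defined, which is fine for function-like macros because expansion happens at the use site, but a one-line note would spare the next reader that check. The sibling macros are singular (IS_KEY_SIG, IS_UID_SIG, IS_SUBKEY_SIG); the plural IS_ATTST_SIGS is a naming inconsistency better settled now than after callers accumulate. Whether the signature-verification path treats class 0x16 like the 0x10-0x13 classes when hashing the key and user ID is outside this diff.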
@ -1360,17 +1360,20 @@ parse_pubkeyenc (IOBUF inp, int pkttype, unsigned long pktlen,
|
|||||||
|
|
||||||
|
|
||||||
/* Dump a subpacket to LISTFP. BUFFER contains the subpacket in
|
/* Dump a subpacket to LISTFP. BUFFER contains the subpacket in
|
||||||
question and points to the type field in the subpacket header (not
|
* question and points to the type field in the subpacket header (not
|
||||||
the start of the header). TYPE is the subpacket's type with the
|
* the start of the header). TYPE is the subpacket's type with the
|
||||||
critical bit cleared. CRITICAL is the value of the CRITICAL bit.
|
* critical bit cleared. CRITICAL is the value of the CRITICAL bit.
|
||||||
BUFLEN is the length of the buffer and LENGTH is the length of the
|
* BUFLEN is the length of the buffer and LENGTH is the length of the
|
||||||
subpacket according to the subpacket's header. */
|
* subpacket according to the subpacket's header. DIGEST_ALGO is the
|
||||||
|
* digest algo of the signature. */
|
||||||
static void
|
static void
|
||||||
dump_sig_subpkt (int hashed, int type, int critical,
|
dump_sig_subpkt (int hashed, int type, int critical,
|
||||||
const byte * buffer, size_t buflen, size_t length)
|
const byte * buffer, size_t buflen, size_t length,
|
||||||
|
int digest_algo)
|
||||||
{
|
{
|
||||||
const char *p = NULL;
|
const char *p = NULL;
|
||||||
int i;
|
int i;
|
||||||
|
int nprinted;
|
||||||
|
|
||||||
/* The CERT has warning out with explains how to use GNUPG to detect
|
/* The CERT has warning out with explains how to use GNUPG to detect
|
||||||
* the ARRs - we print our old message here when it is a faked ARR
|
* the ARRs - we print our old message here when it is a faked ARR
|
||||||
@ -1388,9 +1391,11 @@ dump_sig_subpkt (int hashed, int type, int critical,
|
|||||||
buffer++;
|
buffer++;
|
||||||
length--;
|
length--;
|
||||||
|
|
||||||
es_fprintf (listfp, "\t%s%ssubpkt %d len %u (", /*) */
|
nprinted = es_fprintf (listfp, "\t%s%ssubpkt %d len %u (", /*) */
|
||||||
critical ? "critical " : "",
|
critical ? "critical " : "",
|
||||||
hashed ? "hashed " : "", type, (unsigned) length);
|
hashed ? "hashed " : "", type, (unsigned) length);
|
||||||
|
if (nprinted < 1)
|
||||||
|
nprinted = 1; /*(we use (nprinted-1) later.)*/
|
||||||
if (length > buflen)
|
if (length > buflen)
|
||||||
{
|
{
|
||||||
es_fprintf (listfp, "too short: buffer is only %u)\n", (unsigned) buflen);
|
es_fprintf (listfp, "too short: buffer is only %u)\n", (unsigned) buflen);
|
||||||
@ -1585,6 +1590,32 @@ dump_sig_subpkt (int hashed, int type, int critical,
|
|||||||
buffer[0] == 3 ? buffer[15] : buffer[2],
|
buffer[0] == 3 ? buffer[15] : buffer[2],
|
||||||
buffer[0] == 3 ? buffer[16] : buffer[3]);
|
buffer[0] == 3 ? buffer[16] : buffer[3]);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case SIGSUBPKT_ATTST_SIGS:
|
||||||
|
{
|
||||||
|
unsigned int hlen;
|
||||||
|
|
||||||
|
es_fputs ("attst-sigs: ", listfp);
|
||||||
|
hlen = gcry_md_get_algo_dlen (map_md_openpgp_to_gcry (digest_algo));
|
||||||
|
if (!hlen)
|
||||||
|
p = "[unknown digest algo]";
|
||||||
|
else if ((length % hlen))
|
||||||
|
p = "[invalid length]";
|
||||||
|
else
|
||||||
|
{
|
||||||
|
es_fprintf (listfp, "%d", length/hlen);
|
||||||
|
while (length)
|
||||||
|
{
|
||||||
|
es_fprintf (listfp, "\n\t%*s", nprinted-1, "");
|
||||||
|
es_write_hexstring (listfp, buffer, hlen, 0, NULL);
|
||||||
|
buffer += hlen;
|
||||||
|
length -= hlen;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
|
||||||
default:
|
default:
|
||||||
if (type >= 100 && type <= 110)
|
if (type >= 100 && type <= 110)
|
||||||
p = "experimental / private subpacket";
|
p = "experimental / private subpacket";
|
||||||
@ -1627,6 +1658,7 @@ parse_one_sig_subpkt (const byte * buffer, size_t n, int type)
|
|||||||
case SIGSUBPKT_PREF_KS:
|
case SIGSUBPKT_PREF_KS:
|
||||||
case SIGSUBPKT_FEATURES:
|
case SIGSUBPKT_FEATURES:
|
||||||
case SIGSUBPKT_REGEXP:
|
case SIGSUBPKT_REGEXP:
|
||||||
|
case SIGSUBPKT_ATTST_SIGS:
|
||||||
return 0;
|
return 0;
|
||||||
case SIGSUBPKT_SIGNATURE:
|
case SIGSUBPKT_SIGNATURE:
|
||||||
case SIGSUBPKT_EXPORTABLE:
|
case SIGSUBPKT_EXPORTABLE:
|
||||||
@ -1721,6 +1753,7 @@ can_handle_critical (const byte * buffer, size_t n, int type)
|
|||||||
case SIGSUBPKT_FEATURES:
|
case SIGSUBPKT_FEATURES:
|
||||||
case SIGSUBPKT_TRUST:
|
case SIGSUBPKT_TRUST:
|
||||||
case SIGSUBPKT_REGEXP:
|
case SIGSUBPKT_REGEXP:
|
||||||
|
case SIGSUBPKT_ATTST_SIGS:
|
||||||
/* Is it enough to show the policy or keyserver? */
|
/* Is it enough to show the policy or keyserver? */
|
||||||
case SIGSUBPKT_POLICY:
|
case SIGSUBPKT_POLICY:
|
||||||
case SIGSUBPKT_PREF_KS:
|
case SIGSUBPKT_PREF_KS:
|
||||||
@ -1812,7 +1845,7 @@ enum_sig_subpkt (PKT_signature *sig, int want_hashed, sigsubpkttype_t reqtype,
|
|||||||
}
|
}
|
||||||
else if (reqtype < 0) /* List packets. */
|
else if (reqtype < 0) /* List packets. */
|
||||||
dump_sig_subpkt (reqtype == SIGSUBPKT_LIST_HASHED,
|
dump_sig_subpkt (reqtype == SIGSUBPKT_LIST_HASHED,
|
||||||
type, *critical, buffer, buflen, n);
|
type, *critical, buffer, buflen, n, sig->digest_algo);
|
||||||
else if (type == reqtype) /* Found. */
|
else if (type == reqtype) /* Found. */
|
||||||
{
|
{
|
||||||
buffer++;
|
buffer++;
|
||||||
|
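Review bot: `es_fprintf (listfp, "%d", length/hlen)` in the new SIGSUBPKT_ATTST_SIGS case of dump_sig_subpkt passes a size_t (length is size_t, hlen unsigned int) where %d expects an int; the surrounding code casts explicitly, so this should be `es_fprintf (listfp, "%u", (unsigned) (length/hlen));`. Note also that parse_one_sig_subpkt now accepts subpacket 37 with any length, including zero, since it has no access to the digest algorithm, and the multiple-of-digest-length check lives only in the dump path; a comment at its `case SIGSUBPKT_ATTST_SIGS:` saying `/* Length is validated by the consumer against the digest size. */` would record that any future reader of this subpacket must revalidate. Listing the type in can_handle_critical means a signature carrying a critical attestation subpacket is no longer rejected as unhandled, even though this commit only lists the subpacket and does not yet act on its contents; if that is intended, a comment there should say so. dump_sig_subpkt, parse_one_sig_subpkt, can_handle_critical and enum_sig_subpkt all begin and end outside the hunks shown.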
@ -86,7 +86,9 @@ mk_notation_policy_etc (PKT_signature *sig,
|
|||||||
args.pksk = pksk;
|
args.pksk = pksk;
|
||||||
|
|
||||||
/* Notation data. */
|
/* Notation data. */
|
||||||
if (IS_SIG(sig) && opt.sig_notations)
|
if (IS_ATTST_SIGS(sig))
|
||||||
|
;
|
||||||
|
else if (IS_SIG(sig) && opt.sig_notations)
|
||||||
nd = opt.sig_notations;
|
nd = opt.sig_notations;
|
||||||
else if (IS_CERT(sig) && opt.cert_notations)
|
else if (IS_CERT(sig) && opt.cert_notations)
|
||||||
nd = opt.cert_notations;
|
nd = opt.cert_notations;
|
||||||
@ -113,7 +115,9 @@ mk_notation_policy_etc (PKT_signature *sig,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Set policy URL. */
|
/* Set policy URL. */
|
||||||
if (IS_SIG(sig) && opt.sig_policy_url)
|
if (IS_ATTST_SIGS(sig))
|
||||||
|
;
|
||||||
|
else if (IS_SIG(sig) && opt.sig_policy_url)
|
||||||
pu = opt.sig_policy_url;
|
pu = opt.sig_policy_url;
|
||||||
else if (IS_CERT(sig) && opt.cert_policy_url)
|
else if (IS_CERT(sig) && opt.cert_policy_url)
|
||||||
pu = opt.cert_policy_url;
|
pu = opt.cert_policy_url;
|
||||||
|
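Review bot: The two empty `if (IS_ATTST_SIGS(sig)) ;` branches in mk_notation_policy_etc carry their intent only in the commit message; a comment on each, e.g. `/* Attestation key signatures (class 0x16) never carry notations or a policy URL. */`, would make it explicit in the code. Because IS_ATTST_SIGS now implies IS_CERT (per the keydb.h change), it is the empty branch alone that keeps opt.cert_notations and opt.cert_policy_url out of these signatures, which is easy to miss when reading the chain. Alternatively, folding the condition into the cert branch as `else if (IS_CERT(sig) && !IS_ATTST_SIGS(sig) && opt.cert_notations)` removes the empty statement without changing behavior. mk_notation_policy_etc starts and ends outside the hunks shown.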