diff --git a/g10/getkey.c b/g10/getkey.c index 7c407dd0c..d76e7cc77 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -677,6 +677,24 @@ pk_from_block (PKT_public_key *pk, kbnode_t keyblock, kbnode_t found_key) } +/* Specialized version of get_pubkey which retrieves the key based on + * information in SIG. In contrast to get_pubkey PK is required. */ +gpg_error_t +get_pubkey_for_sig (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig) +{ + const byte *fpr; + size_t fprlen; + + /* First try the new ISSUER_FPR info. */ + fpr = issuer_fpr_raw (sig, &fprlen); + if (fpr && !get_pubkey_byfprint (ctrl, pk, NULL, fpr, fprlen)) + return 0; + + /* Fallback to use the ISSUER_KEYID. */ + return get_pubkey (ctrl, pk, sig->keyid); +} + + /* Return the public key with the key id KEYID and store it at PK. * The resources in *PK should be released using * release_public_key_parts(). This function also stores a copy of @@ -739,8 +757,9 @@ get_pubkey (ctrl_t ctrl, PKT_public_key * pk, u32 * keyid) /* Do a lookup. */ { struct getkey_ctx_s ctx; - KBNODE kb = NULL; - KBNODE found_key = NULL; + kbnode_t kb = NULL; + kbnode_t found_key = NULL; + memset (&ctx, 0, sizeof ctx); ctx.exact = 1; /* Use the key ID exactly as given. */ ctx.not_allocated = 1; @@ -863,6 +882,28 @@ get_pubkey_fast (PKT_public_key * pk, u32 * keyid) } +/* Return the entire keyblock used to create SIG. This is a + * specialized version of get_pubkeyblock. + * + * FIXME: This is a hack because get_pubkey_for_sig was already called + * and it could have used a cache to hold the key. */ +kbnode_t +get_pubkeyblock_for_sig (ctrl_t ctrl, PKT_signature *sig) +{ + const byte *fpr; + size_t fprlen; + kbnode_t keyblock; + + /* First try the new ISSUER_FPR info. */ + fpr = issuer_fpr_raw (sig, &fprlen); + if (fpr && !get_pubkey_byfprint (ctrl, NULL, &keyblock, fpr, fprlen)) + return keyblock; + + /* Fallback to use the ISSUER_KEYID. */ + return get_pubkeyblock (ctrl, sig->keyid); +} + + /* Return the key block for the key with key id KEYID or NULL, if an * error occurs. Use release_kbnode() to release the key block. * @@ -1802,6 +1843,8 @@ get_pubkey_byfprint (ctrl_t ctrl, PKT_public_key *pk, kbnode_t *r_keyblock, memset (&ctx, 0, sizeof ctx); ctx.exact = 1; ctx.not_allocated = 1; + /* FIXME: We should get the handle from the cache like we do in + * get_pubkey. */ ctx.kr_handle = keydb_new (); if (!ctx.kr_handle) return gpg_error_from_syserror (); diff --git a/g10/keydb.h b/g10/keydb.h index c5671d665..70949e447 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -282,6 +282,10 @@ void cache_public_key( PKT_public_key *pk ); /* Disable and drop the public key cache. */ void getkey_disable_caches(void); +/* Return the public key used for signature SIG and store it at PK. */ +gpg_error_t get_pubkey_for_sig (ctrl_t ctrl, + PKT_public_key *pk, PKT_signature *sig); + /* Return the public key with the key id KEYID and store it at PK. */ int get_pubkey (ctrl_t ctrl, PKT_public_key *pk, u32 *keyid); @@ -290,6 +294,10 @@ int get_pubkey (ctrl_t ctrl, PKT_public_key *pk, u32 *keyid); also only considers primary keys. */ int get_pubkey_fast (PKT_public_key *pk, u32 *keyid); +/* Return the entire keyblock used to create SIG. This is a + * specialized version of get_pubkeyblock. */ +kbnode_t get_pubkeyblock_for_sig (ctrl_t ctrl, PKT_signature *sig); + /* Return the key block for the key with KEYID. */ kbnode_t get_pubkeyblock (ctrl_t ctrl, u32 *keyid); diff --git a/g10/mainproc.c b/g10/mainproc.c index f5cc4532a..5fea86787 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -1657,7 +1657,7 @@ akl_has_wkd_method (void) /* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN. * Returns NULL if not available. The returned buffer is valid as * long as SIG is not modified. */ -static const byte * +const byte * issuer_fpr_raw (PKT_signature *sig, size_t *r_len) { const byte *p; @@ -1674,7 +1674,7 @@ issuer_fpr_raw (PKT_signature *sig, size_t *r_len) } -/* Return the ISSUER fingerprint string in human readbale format if +/* Return the ISSUER fingerprint string in human readable format if * available. Caller must release the string. */ /* FIXME: Move to another file. */ char * @@ -2042,7 +2042,7 @@ check_sig_and_print (CTX c, kbnode_t node) * keyblock has already been fetched. Thus we could use the * fingerprint or PK itself to lookup the entire keyblock. That * would best be done with a cache. */ - keyblock = get_pubkeyblock (c->ctrl, sig->keyid); + keyblock = get_pubkeyblock_for_sig (c->ctrl, sig); snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ", (ulong)sig->keyid[0], (ulong)sig->keyid[1]); diff --git a/g10/packet.h b/g10/packet.h index dc4ce5f88..e76e6af4e 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -605,6 +605,7 @@ int proc_signature_packets_by_fd (ctrl_t ctrl, int proc_encryption_packets (ctrl_t ctrl, void *ctx, iobuf_t a); int list_packets( iobuf_t a ); +const byte *issuer_fpr_raw (PKT_signature *sig, size_t *r_len); char *issuer_fpr_string (PKT_signature *sig); /*-- parse-packet.c --*/ diff --git a/g10/pkclist.c b/g10/pkclist.c index 03ad4c850..6f0424910 100644 --- a/g10/pkclist.c +++ b/g10/pkclist.c @@ -548,7 +548,7 @@ check_signatures_trust (ctrl_t ctrl, PKT_signature *sig) unsigned int trustlevel = TRUST_UNKNOWN; int rc=0; - rc = get_pubkey (ctrl, pk, sig->keyid ); + rc = get_pubkey_for_sig (ctrl, pk, sig); if (rc) { /* this should not happen */ log_error("Ooops; the key vanished - can't check the trust\n"); diff --git a/g10/sig-check.c b/g10/sig-check.c index 6b9feebfd..e59e0c900 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -156,7 +156,7 @@ check_signature2 (ctrl_t ctrl, log_info(_("WARNING: signature digest conflict in message\n")); rc = gpg_error (GPG_ERR_GENERAL); } - else if (get_pubkey (ctrl, pk, sig->keyid)) + else if (get_pubkey_for_sig (ctrl, pk, sig)) rc = gpg_error (GPG_ERR_NO_PUBKEY); else if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, pk->pubkey_algo, pk->pkey, @@ -923,7 +923,7 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer, if (IS_CERT (sig)) signer->req_usage = PUBKEY_USAGE_CERT; - rc = get_pubkey (ctrl, signer, sig->keyid); + rc = get_pubkey_for_sig (ctrl, signer, sig); if (rc) { xfree (signer);