security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-17 15:44:34 +02:00
Code Activity

gpg: Extend the ERRSIG status line with a fingerprint.

Browse Source 
* g10/mainproc.c (issuer_fpr_raw): New.
(issuer_fpr_string): Re-implement using issuer_fpr_rtaw.
(check_sig_and_print): Don't free ISSUER_FPR.  Use ISSUER_FPR_RAW.
Use write_status_printf.  Extend ERRSIG status.
--

Modern OpenPGP implementations put the ISSUER_FPR into the signature
to make it easier to discover the, public needed to check the
signature.  This is also useful in error messages and thus we add it.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2018-04-12 16:41:05 +02:00
parent e2bd152a92
commit 23a714598c
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
3 changed files with 50 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@ -4,6 +4,9 @@ Noteworthy changes in version 2.2.7 (unreleased)
* gpg: New option --no-symkey-cache to disable the passphrase cache * gpg: New option --no-symkey-cache to disable the passphrase cache
for symmetrical en- and decryption. for symmetrical en- and decryption.
* gpg: The ERRSIG status now prints the fingerprint if that is part
of the signature.
Noteworthy changes in version 2.2.6 (2018-04-09) Noteworthy changes in version 2.2.6 (2018-04-09)
------------------------------------------------ ------------------------------------------------

13
doc/DETAILS
View File

@ -435,14 +435,17 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
available. This is the case with CMS and might eventually also be available. This is the case with CMS and might eventually also be
available for OpenPGP. available for OpenPGP.
*** ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> *** ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> <fpr>
It was not possible to check the signature. This may be caused by It was not possible to check the signature. This may be caused by
a missing public key or an unsupported algorithm. A RC of 4 a missing public key or an unsupported algorithm. A RC of 4
indicates unknown algorithm, a 9 indicates a missing public indicates unknown algorithm, a 9 indicates a missing public
key. The other fields give more information about this signature. key. The other fields give more information about this signature.
sig_class is a 2 byte hex-value. The fingerprint may be used sig_class is a 2 byte hex-value. The fingerprint may be used
instead of the keyid if it is available. This is the case with instead of the long_keyid_or_fpr if it is available. This is the
gpgsm and might eventually also be available for OpenPGP. case with gpgsm and might eventually also be available for
OpenPGP. The ERRSIG line has FPR filed which is only available
since 2.2.7; that FPR may either be missing or - if the signature
has no fingerprint as meta data.
Note, that TIME may either be the number of seconds since Epoch or Note, that TIME may either be the number of seconds since Epoch or
an ISO 8601 string. The latter can be detected by the presence of an ISO 8601 string. The latter can be detected by the presence of
@ -717,7 +720,9 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
The used key has been revoked by its owner. No arguments yet. The used key has been revoked by its owner. No arguments yet.
*** NO_PUBKEY <long keyid> *** NO_PUBKEY <long keyid>
The public key is not available The public key is not available. Note the arg should in general
not be used because it is better to take it from the ERRSIG
status line which is printed right before this one.
*** NO_SECKEY <long keyid> *** NO_SECKEY <long keyid>
The secret key is not available The secret key is not available

57
g10/mainproc.c
View File

@ -1608,6 +1608,26 @@ akl_has_wkd_method (void)
} }
/* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN.
* Returns NULL if not available. The returned buffer is valid as
* long as SIG is not modified. */
static const byte *
issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
{
const byte *p;
size_t n;
p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
if (p && n == 21 && p[0] == 4)
{
*r_len = n - 1;
return p+1;
}
*r_len = 0;
return NULL;
}
/* Return the ISSUER fingerprint string in human readbale format if /* Return the ISSUER fingerprint string in human readbale format if
* available. Caller must release the string. */ * available. Caller must release the string. */
static char * static char *
@ -1616,10 +1636,8 @@ issuer_fpr_string (PKT_signature *sig)
const byte *p; const byte *p;
size_t n; size_t n;
p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n); p = issuer_fpr_raw (sig, &n);
if (p && n == 21 && p[0] == 4) return p? bin2hex (p, n, NULL) : NULL;
return bin2hex (p+1, n-1, NULL);
return NULL;
} }
@ -1659,7 +1677,7 @@ check_sig_and_print (CTX c, kbnode_t node)
int rc; int rc;
int is_expkey = 0; int is_expkey = 0;
int is_revkey = 0; int is_revkey = 0;
char *issuer_fpr; char *issuer_fpr = NULL;
PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */ PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
int tried_ks_by_fpr; int tried_ks_by_fpr;
@ -1786,13 +1804,14 @@ check_sig_and_print (CTX c, kbnode_t node)
write_status_text (STATUS_NEWSIG, NULL); write_status_text (STATUS_NEWSIG, NULL);
astr = openpgp_pk_algo_name ( sig->pubkey_algo ); astr = openpgp_pk_algo_name ( sig->pubkey_algo );
if ((issuer_fpr = issuer_fpr_string (sig))) issuer_fpr = issuer_fpr_string (sig);
if (issuer_fpr)
{ {
log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp)); log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
log_info (_(" using %s key %s\n"), log_info (_(" using %s key %s\n"),
astr? astr: "?", issuer_fpr); astr? astr: "?", issuer_fpr);
xfree (issuer_fpr);
} }
else if (!keystrlen () || keystrlen () > 8) else if (!keystrlen () || keystrlen () > 8)
{ {
@ -1899,14 +1918,14 @@ check_sig_and_print (CTX c, kbnode_t node)
const byte *p; const byte *p;
size_t n; size_t n;
p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n); p = issuer_fpr_raw (sig, &n);
if (p && n == 21 && p[0] == 4) if (p)
{ {
/* v4 packet with a SHA-1 fingerprint. */ /* v4 packet with a SHA-1 fingerprint. */
free_public_key (pk); free_public_key (pk);
pk = NULL; pk = NULL;
glo_ctrl.in_auto_key_retrieve++; glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1); res = keyserver_import_fprint (c->ctrl, p, n, opt.keyserver, 1);
tried_ks_by_fpr = 1; tried_ks_by_fpr = 1;
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
if (!res) if (!res)
@ -2273,22 +2292,22 @@ check_sig_and_print (CTX c, kbnode_t node)
} }
else else
{ {
char buf[50]; write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s",
(ulong)sig->keyid[0], (ulong)sig->keyid[1],
snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d", sig->pubkey_algo, sig->digest_algo,
(ulong)sig->keyid[0], (ulong)sig->keyid[1], sig->sig_class, (ulong)sig->timestamp,
sig->pubkey_algo, sig->digest_algo, gpg_err_code (rc),
sig->sig_class, (ulong)sig->timestamp, gpg_err_code (rc)); issuer_fpr? issuer_fpr:"-");
write_status_text (STATUS_ERRSIG, buf);
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY) if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
{ {
buf[16] = 0; write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX",
write_status_text (STATUS_NO_PUBKEY, buf); (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
} }
if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED) if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
log_error (_("Can't check signature: %s\n"), gpg_strerror (rc)); log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
} }
xfree (issuer_fpr);
return rc; return rc;
} }