mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
gpg: Switch to a hash and CERT record based PKA system.
* common/dns-cert.c (get_dns_cert): Make r_key optional. * common/pka.c: Rewrite for the new hash based lookup. * common/t-pka.c: New. * configure.ac: Remove option --disable-dns-pka. (USE_DNS_PKA): Remove ac_define. * g10/getkey.c (parse_auto_key_locate): Always include PKA. -- Note that although PKA is now always build, it will only work if support for looking up via DNS has not been disabled. The new PKA only works with the IPGP DNS certtype and shall be used only to retrieve the fingerprint and optional the key for the first time. Due to the security problems with DNSSEC the former assumption to validate the key using DNSSEC is not anymore justified. Instead an additional layer (e.g. Trust-On-First-Use) needs to be implemented to track change to the key. Having a solid way of getting a key matching a mail address is however a must have. More work needs to go into a redefinition of the --verify-options pka-lookups and pka-trust-increase. The auto-key-locate mechanism should also be able to continue key fetching with another methods once the fingerprint has been retrieved with PKA. Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
af60152a46
commit
2fc27c8696
@ -178,7 +178,7 @@ jnlib_tests += t-w32-reg
|
|||||||
endif
|
endif
|
||||||
module_tests = t-convert t-percent t-gettime t-sysutils t-sexputil \
|
module_tests = t-convert t-percent t-gettime t-sysutils t-sexputil \
|
||||||
t-session-env t-openpgp-oid t-ssh-utils t-dns-cert \
|
t-session-env t-openpgp-oid t-ssh-utils t-dns-cert \
|
||||||
t-mapstrings t-zb32 t-mbox-util
|
t-pka t-mapstrings t-zb32 t-mbox-util
|
||||||
if !HAVE_W32CE_SYSTEM
|
if !HAVE_W32CE_SYSTEM
|
||||||
module_tests += t-exechelp
|
module_tests += t-exechelp
|
||||||
endif
|
endif
|
||||||
@ -222,6 +222,7 @@ t_session_env_LDADD = $(t_common_ldadd)
|
|||||||
t_openpgp_oid_LDADD = $(t_common_ldadd)
|
t_openpgp_oid_LDADD = $(t_common_ldadd)
|
||||||
t_ssh_utils_LDADD = $(t_common_ldadd)
|
t_ssh_utils_LDADD = $(t_common_ldadd)
|
||||||
t_dns_cert_LDADD = $(t_common_ldadd) $(DNSLIBS)
|
t_dns_cert_LDADD = $(t_common_ldadd) $(DNSLIBS)
|
||||||
|
t_pka_LDADD = $(t_common_ldadd) $(DNSLIBS)
|
||||||
t_mapstrings_LDADD = $(t_common_ldadd)
|
t_mapstrings_LDADD = $(t_common_ldadd)
|
||||||
t_zb32_LDADD = $(t_common_ldadd)
|
t_zb32_LDADD = $(t_common_ldadd)
|
||||||
t_mbox_util_LDADD = $(t_common_ldadd)
|
t_mbox_util_LDADD = $(t_common_ldadd)
|
||||||
|
@ -70,7 +70,7 @@
|
|||||||
returns the first CERT found with a supported type; it is expected
|
returns the first CERT found with a supported type; it is expected
|
||||||
that only one CERT record is used. If WANT_CERTTYPE is one of the
|
that only one CERT record is used. If WANT_CERTTYPE is one of the
|
||||||
supported certtypes only records wih this certtype are considered
|
supported certtypes only records wih this certtype are considered
|
||||||
and the first found is returned. */
|
and the first found is returned. R_KEY is optional. */
|
||||||
gpg_error_t
|
gpg_error_t
|
||||||
get_dns_cert (const char *name, int want_certtype,
|
get_dns_cert (const char *name, int want_certtype,
|
||||||
estream_t *r_key,
|
estream_t *r_key,
|
||||||
@ -84,7 +84,8 @@ get_dns_cert (const char *name, int want_certtype,
|
|||||||
unsigned int ctype;
|
unsigned int ctype;
|
||||||
int count;
|
int count;
|
||||||
|
|
||||||
*r_key = NULL;
|
if (r_key)
|
||||||
|
*r_key = NULL;
|
||||||
*r_fpr = NULL;
|
*r_fpr = NULL;
|
||||||
*r_fprlen = 0;
|
*r_fprlen = 0;
|
||||||
*r_url = NULL;
|
*r_url = NULL;
|
||||||
@ -129,7 +130,7 @@ get_dns_cert (const char *name, int want_certtype,
|
|||||||
|
|
||||||
if (want_certtype && want_certtype != ctype)
|
if (want_certtype && want_certtype != ctype)
|
||||||
; /* Not of the requested certtype. */
|
; /* Not of the requested certtype. */
|
||||||
else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11)
|
else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key)
|
||||||
{
|
{
|
||||||
/* CERT type is PGP. Gpg checks for a minimum length of 11,
|
/* CERT type is PGP. Gpg checks for a minimum length of 11,
|
||||||
thus we do the same. */
|
thus we do the same. */
|
||||||
@ -197,7 +198,8 @@ get_dns_cert (const char *name, int want_certtype,
|
|||||||
int r;
|
int r;
|
||||||
u16 count;
|
u16 count;
|
||||||
|
|
||||||
*r_key = NULL;
|
if (r_key)
|
||||||
|
*r_key = NULL;
|
||||||
*r_fpr = NULL;
|
*r_fpr = NULL;
|
||||||
*r_fprlen = 0;
|
*r_fprlen = 0;
|
||||||
*r_url = NULL;
|
*r_url = NULL;
|
||||||
@ -292,7 +294,7 @@ get_dns_cert (const char *name, int want_certtype,
|
|||||||
/* 15 bytes takes us to here */
|
/* 15 bytes takes us to here */
|
||||||
if (want_certtype && want_certtype != ctype)
|
if (want_certtype && want_certtype != ctype)
|
||||||
; /* Not of the requested certtype. */
|
; /* Not of the requested certtype. */
|
||||||
else if (ctype == DNS_CERTTYPE_PGP && dlen)
|
else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key)
|
||||||
{
|
{
|
||||||
/* PGP type */
|
/* PGP type */
|
||||||
*r_key = es_fopenmem_init (0, "rwb", pt, dlen);
|
*r_key = es_fopenmem_init (0, "rwb", pt, dlen);
|
||||||
@ -355,7 +357,8 @@ get_dns_cert (const char *name, int want_certtype,
|
|||||||
#endif /*!USE_ADNS */
|
#endif /*!USE_ADNS */
|
||||||
#else /* !USE_DNS_CERT */
|
#else /* !USE_DNS_CERT */
|
||||||
(void)name;
|
(void)name;
|
||||||
*r_key = NULL;
|
if (r_key)
|
||||||
|
*r_key = NULL;
|
||||||
*r_fpr = NULL;
|
*r_fpr = NULL;
|
||||||
*r_fprlen = 0;
|
*r_fprlen = 0;
|
||||||
*r_url = NULL;
|
*r_url = NULL;
|
||||||
|
343
common/pka.c
343
common/pka.c
@ -33,307 +33,76 @@
|
|||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
#ifdef USE_DNS_PKA
|
|
||||||
#include <sys/types.h>
|
|
||||||
#ifdef _WIN32
|
|
||||||
# ifdef HAVE_WINSOCK2_H
|
|
||||||
# include <winsock2.h>
|
|
||||||
# endif
|
|
||||||
# include <windows.h>
|
|
||||||
#else
|
|
||||||
#include <netinet/in.h>
|
|
||||||
#include <arpa/nameser.h>
|
|
||||||
#include <resolv.h>
|
|
||||||
#endif
|
|
||||||
#endif /* USE_DNS_PKA */
|
|
||||||
#ifdef USE_ADNS
|
|
||||||
# include <adns.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "host2net.h"
|
#include "mbox-util.h"
|
||||||
|
#include "dns-cert.h"
|
||||||
#include "pka.h"
|
#include "pka.h"
|
||||||
|
|
||||||
#ifdef USE_DNS_PKA
|
|
||||||
/* Parse the TXT resource record. Format is:
|
|
||||||
|
|
||||||
v=pka1;fpr=a4d94e92b0986ab5ee9dcd755de249965b0358a2;uri=string
|
|
||||||
|
|
||||||
For simplicity white spaces are not allowed. Because we expect to
|
|
||||||
use a new RRTYPE for this in the future we define the TXT really
|
|
||||||
strict for simplicity: No white spaces, case sensitivity of the
|
|
||||||
names, order must be as given above. Only URI is optional.
|
|
||||||
|
|
||||||
This function modifies BUFFER. On success 0 is returned, the 20
|
|
||||||
byte fingerprint stored at FPR and BUFFER contains the URI or an
|
|
||||||
empty string.
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
parse_txt_record (char *buffer, unsigned char *fpr)
|
|
||||||
{
|
|
||||||
char *p, *pend;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
p = buffer;
|
|
||||||
pend = strchr (p, ';');
|
|
||||||
if (!pend)
|
|
||||||
return -1;
|
|
||||||
*pend++ = 0;
|
|
||||||
if (strcmp (p, "v=pka1"))
|
|
||||||
return -1; /* Wrong or missing version. */
|
|
||||||
|
|
||||||
p = pend;
|
|
||||||
pend = strchr (p, ';');
|
|
||||||
if (pend)
|
|
||||||
*pend++ = 0;
|
|
||||||
if (strncmp (p, "fpr=", 4))
|
|
||||||
return -1; /* Missing fingerprint part. */
|
|
||||||
p += 4;
|
|
||||||
for (i=0; i < 20 && hexdigitp (p) && hexdigitp (p+1); i++, p += 2)
|
|
||||||
fpr[i] = xtoi_2 (p);
|
|
||||||
if (i != 20)
|
|
||||||
return -1; /* Fingerprint consists not of exactly 40 hexbytes. */
|
|
||||||
|
|
||||||
p = pend;
|
|
||||||
if (!p || !*p)
|
|
||||||
{
|
|
||||||
*buffer = 0;
|
|
||||||
return 0; /* Success (no URI given). */
|
|
||||||
}
|
|
||||||
if (strncmp (p, "uri=", 4))
|
|
||||||
return -1; /* Unknown part. */
|
|
||||||
p += 4;
|
|
||||||
/* There is an URI, copy it to the start of the buffer. */
|
|
||||||
while (*p)
|
|
||||||
*buffer++ = *p++;
|
|
||||||
*buffer = 0;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/* For the given email ADDRESS lookup the PKA information in the DNS.
|
/* For the given email ADDRESS lookup the PKA information in the DNS.
|
||||||
|
|
||||||
On success the 20 byte SHA-1 fingerprint is stored at FPR and the
|
On success the fingerprint is stored at FPRBUF and the URI will be
|
||||||
URI will be returned in an allocated buffer. Note that the URI
|
returned in an allocated buffer. Note that the URI might be a zero
|
||||||
might be an zero length string as this information is optional.
|
length string as this information is optional. Caller must xfree
|
||||||
Caller must xfree the returned string.
|
the returned string. FPRBUFLEN gives the size of the expected
|
||||||
|
fingerprint (usually 20).
|
||||||
|
|
||||||
On error NULL is returned and the 20 bytes at FPR are not
|
On error NULL is returned and the FPRBUF is not defined. */
|
||||||
defined. */
|
|
||||||
char *
|
char *
|
||||||
get_pka_info (const char *address, unsigned char *fpr)
|
get_pka_info (const char *address, void *fprbuf, size_t fprbuflen)
|
||||||
{
|
{
|
||||||
#ifdef USE_ADNS
|
char *result = NULL;
|
||||||
int rc;
|
char *mbox;
|
||||||
adns_state state;
|
char *domain; /* Points to mbox. */
|
||||||
const char *domain;
|
char hashbuf[20];
|
||||||
char *name;
|
char *hash = NULL;
|
||||||
adns_answer *answer = NULL;
|
char *name = NULL;
|
||||||
char *buffer = NULL;
|
unsigned char *fpr = NULL;
|
||||||
|
size_t fpr_len;
|
||||||
|
char *url = NULL;
|
||||||
|
gpg_error_t err;
|
||||||
|
|
||||||
domain = strrchr (address, '@');
|
mbox = mailbox_from_userid (address);
|
||||||
if (!domain || domain == address || !domain[1])
|
if (!mbox)
|
||||||
return NULL; /* Invalid mail address given. */
|
goto leave;
|
||||||
name = xtrymalloc (strlen (address) + 5 + 1);
|
domain = strchr (mbox, '@');
|
||||||
|
if (!domain)
|
||||||
|
goto leave;
|
||||||
|
*domain++ = 0;
|
||||||
|
|
||||||
|
gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
|
||||||
|
hash = zb32_encode (hashbuf, 8*20);
|
||||||
|
if (!hash)
|
||||||
|
goto leave;
|
||||||
|
name = strconcat (hash, "._pka.", domain, NULL);
|
||||||
if (!name)
|
if (!name)
|
||||||
return NULL;
|
goto leave;
|
||||||
memcpy (name, address, domain - address);
|
|
||||||
strcpy (stpcpy (name + (domain-address), "._pka."), domain+1);
|
|
||||||
|
|
||||||
rc = adns_init (&state, adns_if_noerrprint, NULL);
|
if (get_dns_cert (name, DNS_CERTTYPE_IPGP, NULL, &fpr, &fpr_len, &url))
|
||||||
if (rc)
|
goto leave;
|
||||||
|
if (!fpr)
|
||||||
|
goto leave;
|
||||||
|
|
||||||
|
/* Return the fingerprint. */
|
||||||
|
if (fpr_len != fprbuflen)
|
||||||
{
|
{
|
||||||
log_error ("error initializing adns: %s\n", strerror (errno));
|
/* fprintf (stderr, "get_dns_cert failed: fprlen (%zu/%zu)\n", */
|
||||||
xfree (name);
|
/* fpr_len, fprbuflen); */
|
||||||
return NULL;
|
goto leave;
|
||||||
}
|
}
|
||||||
|
memcpy (fprbuf, fpr, fpr_len);
|
||||||
|
|
||||||
rc = adns_synchronous (state, name, adns_r_txt, adns_qf_quoteok_query,
|
/* We return the URL or an empty string. */
|
||||||
&answer);
|
if (!url)
|
||||||
|
url = xtrycalloc (1, 1);
|
||||||
|
result = url;
|
||||||
|
url = NULL;
|
||||||
|
|
||||||
|
leave:
|
||||||
|
xfree (fpr);
|
||||||
|
xfree (url);
|
||||||
xfree (name);
|
xfree (name);
|
||||||
if (rc)
|
xfree (hash);
|
||||||
{
|
xfree (mbox);
|
||||||
log_error ("DNS query failed: %s\n", strerror (errno));
|
return result;
|
||||||
adns_finish (state);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
if (answer->status != adns_s_ok
|
|
||||||
|| answer->type != adns_r_txt || !answer->nrrs)
|
|
||||||
{
|
|
||||||
log_error ("DNS query returned an error: %s (%s)\n",
|
|
||||||
adns_strerror (answer->status),
|
|
||||||
adns_errabbrev (answer->status));
|
|
||||||
adns_free (answer);
|
|
||||||
adns_finish (state);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* We use a PKA records iff there is exactly one record. */
|
|
||||||
if (answer->nrrs == 1 && answer->rrs.manyistr[0]->i != -1)
|
|
||||||
{
|
|
||||||
buffer = xtrystrdup (answer->rrs.manyistr[0]->str);
|
|
||||||
if (parse_txt_record (buffer, fpr))
|
|
||||||
{
|
|
||||||
xfree (buffer);
|
|
||||||
buffer = NULL; /* Not a valid gpg trustdns RR. */
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
adns_free (answer);
|
|
||||||
adns_finish (state);
|
|
||||||
return buffer;
|
|
||||||
|
|
||||||
#else /*!USE_ADNS*/
|
|
||||||
unsigned char answer[PACKETSZ];
|
|
||||||
int anslen;
|
|
||||||
int qdcount, ancount;
|
|
||||||
int rc;
|
|
||||||
unsigned char *p, *pend;
|
|
||||||
const char *domain;
|
|
||||||
char *name;
|
|
||||||
HEADER header;
|
|
||||||
|
|
||||||
domain = strrchr (address, '@');
|
|
||||||
if (!domain || domain == address || !domain[1])
|
|
||||||
return NULL; /* invalid mail address given. */
|
|
||||||
|
|
||||||
name = xtrymalloc (strlen (address) + 5 + 1);
|
|
||||||
if (!name)
|
|
||||||
return NULL;
|
|
||||||
memcpy (name, address, domain - address);
|
|
||||||
strcpy (stpcpy (name + (domain-address), "._pka."), domain+1);
|
|
||||||
|
|
||||||
anslen = res_query (name, C_IN, T_TXT, answer, PACKETSZ);
|
|
||||||
xfree (name);
|
|
||||||
if (anslen < sizeof(HEADER))
|
|
||||||
return NULL; /* DNS resolver returned a too short answer. */
|
|
||||||
|
|
||||||
/* Don't despair: A good compiler should optimize this away, as
|
|
||||||
header is just 32 byte and constant at compile time. It's
|
|
||||||
one way to comply with strict aliasing rules. */
|
|
||||||
memcpy (&header, answer, sizeof (header));
|
|
||||||
|
|
||||||
if ( (rc=header.rcode) != NOERROR )
|
|
||||||
return NULL; /* DNS resolver returned an error. */
|
|
||||||
|
|
||||||
/* We assume that PACKETSZ is large enough and don't do dynmically
|
|
||||||
expansion of the buffer. */
|
|
||||||
if (anslen > PACKETSZ)
|
|
||||||
return NULL; /* DNS resolver returned a too long answer */
|
|
||||||
|
|
||||||
qdcount = ntohs (header.qdcount);
|
|
||||||
ancount = ntohs (header.ancount);
|
|
||||||
|
|
||||||
if (!ancount)
|
|
||||||
return NULL; /* Got no answer. */
|
|
||||||
|
|
||||||
p = answer + sizeof (HEADER);
|
|
||||||
pend = answer + anslen; /* Actually points directly behind the buffer. */
|
|
||||||
|
|
||||||
while (qdcount-- && p < pend)
|
|
||||||
{
|
|
||||||
rc = dn_skipname (p, pend);
|
|
||||||
if (rc == -1)
|
|
||||||
return NULL;
|
|
||||||
p += rc + QFIXEDSZ;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ancount > 1)
|
|
||||||
return NULL; /* more than one possible gpg trustdns record - none used. */
|
|
||||||
|
|
||||||
while (ancount-- && p <= pend)
|
|
||||||
{
|
|
||||||
unsigned int type, class, txtlen, n;
|
|
||||||
char *buffer, *bufp;
|
|
||||||
|
|
||||||
rc = dn_skipname (p, pend);
|
|
||||||
if (rc == -1)
|
|
||||||
return NULL;
|
|
||||||
p += rc;
|
|
||||||
if (p >= pend - 10)
|
|
||||||
return NULL; /* RR too short. */
|
|
||||||
|
|
||||||
type = buf16_to_uint (p);
|
|
||||||
p += 2;
|
|
||||||
class = buf16_to_uint (p);
|
|
||||||
p += 2;
|
|
||||||
p += 4;
|
|
||||||
txtlen = buf16_to_uint (p);
|
|
||||||
p += 2;
|
|
||||||
|
|
||||||
if (type != T_TXT || class != C_IN)
|
|
||||||
return NULL; /* Answer does not match the query. */
|
|
||||||
|
|
||||||
buffer = bufp = xmalloc (txtlen + 1);
|
|
||||||
while (txtlen && p < pend)
|
|
||||||
{
|
|
||||||
for (n = *p++, txtlen--; txtlen && n && p < pend; txtlen--, n--)
|
|
||||||
*bufp++ = *p++;
|
|
||||||
}
|
|
||||||
*bufp = 0;
|
|
||||||
if (parse_txt_record (buffer, fpr))
|
|
||||||
{
|
|
||||||
xfree (buffer);
|
|
||||||
return NULL; /* Not a valid gpg trustdns RR. */
|
|
||||||
}
|
|
||||||
return buffer;
|
|
||||||
}
|
|
||||||
|
|
||||||
return NULL;
|
|
||||||
#endif /*!USE_ADNS*/
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#else /* !USE_DNS_PKA */
|
|
||||||
|
|
||||||
/* Dummy version of the function if we can't use the resolver
|
|
||||||
functions. */
|
|
||||||
char *
|
|
||||||
get_pka_info (const char *address, unsigned char *fpr)
|
|
||||||
{
|
|
||||||
(void)address;
|
|
||||||
(void)fpr;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
#endif /* !USE_DNS_PKA */
|
|
||||||
|
|
||||||
|
|
||||||
#ifdef TEST
|
|
||||||
int
|
|
||||||
main(int argc,char *argv[])
|
|
||||||
{
|
|
||||||
unsigned char fpr[20];
|
|
||||||
char *uri;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
if (argc < 2)
|
|
||||||
{
|
|
||||||
fprintf (stderr, "usage: pka mail-addresses\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
argc--;
|
|
||||||
argv++;
|
|
||||||
|
|
||||||
for (; argc; argc--, argv++)
|
|
||||||
{
|
|
||||||
uri = get_pka_info ( *argv, fpr );
|
|
||||||
printf ("%s", *argv);
|
|
||||||
if (uri)
|
|
||||||
{
|
|
||||||
putchar (' ');
|
|
||||||
for (i=0; i < 20; i++)
|
|
||||||
printf ("%02X", fpr[i]);
|
|
||||||
if (*uri)
|
|
||||||
printf (" %s", uri);
|
|
||||||
xfree (uri);
|
|
||||||
}
|
|
||||||
putchar ('\n');
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
#endif /* TEST */
|
|
||||||
|
|
||||||
/*
|
|
||||||
Local Variables:
|
|
||||||
compile-command: "cc -DUSE_DNS_PKA -DTEST -I.. -I../include -Wall -g -o pka pka.c -lresolv ../tools/no-libgcrypt.o ../jnlib/libjnlib.a"
|
|
||||||
End:
|
|
||||||
*/
|
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
#ifndef GNUPG_COMMON_PKA_H
|
#ifndef GNUPG_COMMON_PKA_H
|
||||||
#define GNUPG_COMMON_PKA_H
|
#define GNUPG_COMMON_PKA_H
|
||||||
|
|
||||||
char *get_pka_info (const char *address, unsigned char *fpr);
|
char *get_pka_info (const char *address, void *fprbuf, size_t fprbuflen);
|
||||||
|
|
||||||
|
|
||||||
#endif /*GNUPG_COMMON_PKA_H*/
|
#endif /*GNUPG_COMMON_PKA_H*/
|
||||||
|
72
common/t-pka.c
Normal file
72
common/t-pka.c
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
/* t-pak.c - Module test for pka.c
|
||||||
|
* Copyright (C) 2015 Werner Koch
|
||||||
|
*
|
||||||
|
* This file is part of GnuPG.
|
||||||
|
*
|
||||||
|
* GnuPG is free software; you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU General Public License as published by
|
||||||
|
* the Free Software Foundation; either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* GnuPG is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <config.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <assert.h>
|
||||||
|
|
||||||
|
#include "util.h"
|
||||||
|
#include "pka.h"
|
||||||
|
|
||||||
|
|
||||||
|
int
|
||||||
|
main (int argc, char **argv)
|
||||||
|
{
|
||||||
|
unsigned char fpr[20];
|
||||||
|
char *url;
|
||||||
|
char const *name;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
if (argc)
|
||||||
|
{
|
||||||
|
argc--;
|
||||||
|
argv++;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!argc)
|
||||||
|
name = "wk@gnupg.org";
|
||||||
|
else if (argc == 1)
|
||||||
|
name = *argv;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
fputs ("usage: t-pka [userid]\n", stderr);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
printf ("User id ...: %s\n", name);
|
||||||
|
|
||||||
|
url = get_pka_info (name, fpr, sizeof fpr);
|
||||||
|
printf ("Fingerprint: ");
|
||||||
|
if (url)
|
||||||
|
{
|
||||||
|
for (i = 0; i < sizeof fpr; i++)
|
||||||
|
printf ("%02X", fpr[i]);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
printf ("[not found]");
|
||||||
|
|
||||||
|
putchar ('\n');
|
||||||
|
|
||||||
|
printf ("URL .......: %s\n", (url && *url)? url : "[none]");
|
||||||
|
|
||||||
|
xfree (url);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
17
configure.ac
17
configure.ac
@ -920,18 +920,12 @@ AC_ARG_ENABLE(dns-srv,
|
|||||||
[disable the use of DNS SRV in HKP and HTTP]),
|
[disable the use of DNS SRV in HKP and HTTP]),
|
||||||
use_dns_srv=$enableval,use_dns_srv=yes)
|
use_dns_srv=$enableval,use_dns_srv=yes)
|
||||||
|
|
||||||
AC_ARG_ENABLE(dns-pka,
|
|
||||||
AC_HELP_STRING([--disable-dns-pka],
|
|
||||||
[disable the use of PKA records in DNS]),
|
|
||||||
use_dns_pka=$enableval,use_dns_pka=yes)
|
|
||||||
|
|
||||||
AC_ARG_ENABLE(dns-cert,
|
AC_ARG_ENABLE(dns-cert,
|
||||||
AC_HELP_STRING([--disable-dns-cert],
|
AC_HELP_STRING([--disable-dns-cert],
|
||||||
[disable the use of CERT records in DNS]),
|
[disable the use of CERT records in DNS]),
|
||||||
use_dns_cert=$enableval,use_dns_cert=yes)
|
use_dns_cert=$enableval,use_dns_cert=yes)
|
||||||
|
|
||||||
if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \
|
if test x"$use_dns_srv" = xyes || test x"$use_dns_cert" = xyes; then
|
||||||
|| test x"$use_dns_cert" = xyes; then
|
|
||||||
_dns_save_libs=$LIBS
|
_dns_save_libs=$LIBS
|
||||||
LIBS=""
|
LIBS=""
|
||||||
# the double underscore thing is a glibc-ism?
|
# the double underscore thing is a glibc-ism?
|
||||||
@ -988,10 +982,6 @@ if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \
|
|||||||
AC_DEFINE(USE_DNS_SRV,1,[define to use DNS SRV])
|
AC_DEFINE(USE_DNS_SRV,1,[define to use DNS SRV])
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test x"$use_dns_pka" = xyes ; then
|
|
||||||
AC_DEFINE(USE_DNS_PKA,1,[define to use our experimental DNS PKA])
|
|
||||||
fi
|
|
||||||
|
|
||||||
if test x"$use_dns_cert" = xyes ; then
|
if test x"$use_dns_cert" = xyes ; then
|
||||||
AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT])
|
AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT])
|
||||||
fi
|
fi
|
||||||
@ -1010,16 +1000,11 @@ if test x"$use_dns_pka" = xyes || test x"$use_dns_srv" = xyes \
|
|||||||
AC_DEFINE(USE_DNS_SRV,1)
|
AC_DEFINE(USE_DNS_SRV,1)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test x"$use_dns_pka" = xyes ; then
|
|
||||||
AC_DEFINE(USE_DNS_PKA,1)
|
|
||||||
fi
|
|
||||||
|
|
||||||
if test x"$use_dns_cert" = xyes ; then
|
if test x"$use_dns_cert" = xyes ; then
|
||||||
AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT])
|
AC_DEFINE(USE_DNS_CERT,1,[define to use DNS CERT])
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
use_dns_srv=no
|
use_dns_srv=no
|
||||||
use_dns_pka=no
|
|
||||||
use_dns_cert=no
|
use_dns_cert=no
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -2971,10 +2971,8 @@ parse_auto_key_locate (char *options)
|
|||||||
else if (ascii_strcasecmp (tok, "cert") == 0)
|
else if (ascii_strcasecmp (tok, "cert") == 0)
|
||||||
akl->type = AKL_CERT;
|
akl->type = AKL_CERT;
|
||||||
#endif
|
#endif
|
||||||
#ifdef USE_DNS_PKA
|
|
||||||
else if (ascii_strcasecmp (tok, "pka") == 0)
|
else if (ascii_strcasecmp (tok, "pka") == 0)
|
||||||
akl->type = AKL_PKA;
|
akl->type = AKL_PKA;
|
||||||
#endif
|
|
||||||
else if ((akl->spec = parse_keyserver_uri (tok, 1)))
|
else if ((akl->spec = parse_keyserver_uri (tok, 1)))
|
||||||
akl->type = AKL_SPEC;
|
akl->type = AKL_SPEC;
|
||||||
else
|
else
|
||||||
|
@ -1980,7 +1980,7 @@ keyserver_import_pka (ctrl_t ctrl,
|
|||||||
*fpr = xmalloc (20);
|
*fpr = xmalloc (20);
|
||||||
*fpr_len = 20;
|
*fpr_len = 20;
|
||||||
|
|
||||||
uri = get_pka_info (name, *fpr);
|
uri = get_pka_info (name, *fpr, 20);
|
||||||
if (uri && *uri)
|
if (uri && *uri)
|
||||||
{
|
{
|
||||||
/* An URI is available. Lookup the key. */
|
/* An URI is available. Lookup the key. */
|
||||||
|
@ -1498,7 +1498,8 @@ pka_uri_from_sig (PKT_signature *sig)
|
|||||||
{
|
{
|
||||||
char *uri;
|
char *uri;
|
||||||
|
|
||||||
uri = get_pka_info (sig->pka_info->email, sig->pka_info->fpr);
|
uri = get_pka_info (sig->pka_info->email,
|
||||||
|
sig->pka_info->fpr, sizeof sig->pka_info->fpr);
|
||||||
if (uri)
|
if (uri)
|
||||||
{
|
{
|
||||||
sig->pka_info->valid = 1;
|
sig->pka_info->valid = 1;
|
||||||
|
Loading…
x
Reference in New Issue
Block a user