security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-09-22 15:11:41 +02:00
Code Activity

gpg: Let --show-keys print revocation certificates.

Browse Source 
* g10/import.c (list_standalone_revocation): New.
(import_revoke_cert): Call new function.
--

GnuPG-bug-id: 4018
Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2018-06-21 15:06:30 +02:00
parent 7e9aa307f7
commit 386b9c4f25
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 122 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
doc/DETAILS
View File

@ -59,6 +59,7 @@ described here.
- uat :: User attribute (same as user id except for field 10). - uat :: User attribute (same as user id except for field 10).
- sig :: Signature - sig :: Signature
- rev :: Revocation signature - rev :: Revocation signature
- rvs :: Recocation signature (standalone) [since 2.2.9]
- fpr :: Fingerprint (fingerprint is in field 10) - fpr :: Fingerprint (fingerprint is in field 10)
- pkd :: Public key data [*] - pkd :: Public key data [*]
- grp :: Keygrip - grp :: Keygrip
@ -207,12 +208,13 @@ described here.
For "uid" records this field lists the preferences in the same way For "uid" records this field lists the preferences in the same way
gpg's --edit-key menu does. gpg's --edit-key menu does.
For "sig" records, this is the fingerprint of the key that issued For "sig", "rev" and "rvs" records, this is the fingerprint of the
the signature. Note that this may only be filled if the signature key that issued the signature. Note that this may only be filled
verified correctly. Note also that for various technical reasons, if the signature verified correctly. Note also that for various
this fingerprint is only available if --no-sig-cache is used. technical reasons, this fingerprint is only available if
Since 2.2.7 this field will also be set if the key is missing but --no-sig-cache is used. Since 2.2.7 this field will also be set
the signature carries an issuer fingerprint as meta data. if the key is missing but the signature carries an issuer
fingerprint as meta data.
*** Field 14 - Flag field *** Field 14 - Flag field

121
g10/import.c
View File

@ -2632,6 +2632,95 @@ import_secret_one (ctrl_t ctrl, kbnode_t keyblock,
} }
/* List the recocation signature as a "rvs" record. SIGRC shows the
* character from the signature verification or 0 if no public key was
* found. */
static void
list_standalone_revocation (ctrl_t ctrl, PKT_signature *sig, int sigrc)
{
char *siguid = NULL;
size_t siguidlen = 0;
char *issuer_fpr = NULL;
if (sigrc != '%' && sigrc != '?' && !opt.fast_list_mode)
{
int nouid;
siguid = get_user_id (ctrl, sig->keyid, &siguidlen, &nouid);
if (nouid)
sigrc = '?';
}
if (opt.with_colons)
{
es_fputs ("rvs:", es_stdout);
if (sigrc)
es_putc (sigrc, es_stdout);
es_fprintf (es_stdout, "::%d:%08lX%08lX:%s:%s:::",
sig->pubkey_algo,
(ulong) sig->keyid[0], (ulong) sig->keyid[1],
colon_datestr_from_sig (sig),
colon_expirestr_from_sig (sig));
if (siguid)
es_write_sanitized (es_stdout, siguid, siguidlen, ":", NULL);
es_fprintf (es_stdout, ":%02x%c::", sig->sig_class,
sig->flags.exportable ? 'x' : 'l');
if ((issuer_fpr = issuer_fpr_string (sig)))
es_fputs (issuer_fpr, es_stdout);
es_fprintf (es_stdout, ":::%d:\n", sig->digest_algo);
if (opt.show_subpackets)
print_subpackets_colon (sig);
}
else /* Human readable. */
{
es_fputs ("rvs", es_stdout);
es_fprintf (es_stdout, "%c%c %c%c%c%c%c%c %s %s",
sigrc, (sig->sig_class - 0x10 > 0 &&
sig->sig_class - 0x10 <
4) ? '0' + sig->sig_class - 0x10 : ' ',
sig->flags.exportable ? ' ' : 'L',
sig->flags.revocable ? ' ' : 'R',
sig->flags.policy_url ? 'P' : ' ',
sig->flags.notation ? 'N' : ' ',
sig->flags.expired ? 'X' : ' ',
(sig->trust_depth > 9) ? 'T' : (sig->trust_depth >
0) ? '0' +
sig->trust_depth : ' ', keystr (sig->keyid),
datestr_from_sig (sig));
if (siguid)
{
es_fprintf (es_stdout, " ");
print_utf8_buffer (es_stdout, siguid, siguidlen);
}
es_putc ('\n', es_stdout);
if (sig->flags.policy_url
&& (opt.list_options & LIST_SHOW_POLICY_URLS))
show_policy_url (sig, 3, 0);
if (sig->flags.notation && (opt.list_options & LIST_SHOW_NOTATIONS))
show_notation (sig, 3, 0,
((opt.list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0)
+
((opt.list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0));
if (sig->flags.pref_ks
&& (opt.list_options & LIST_SHOW_KEYSERVER_URLS))
show_keyserver_url (sig, 3, 0);
}
es_fflush (es_stdout);
xfree (siguid);
xfree (issuer_fpr);
}
/**************** /****************
* Import a revocation certificate; this is a single signature packet. * Import a revocation certificate; this is a single signature packet.
*/ */
@ -2645,6 +2734,11 @@ import_revoke_cert (ctrl_t ctrl, kbnode_t node, unsigned int options,
KEYDB_HANDLE hd = NULL; KEYDB_HANDLE hd = NULL;
u32 keyid[2]; u32 keyid[2];
int rc = 0; int rc = 0;
int sigrc = 0;
int silent;
/* No error output for --show-keys. */
silent = (options & (IMPORT_SHOW | IMPORT_DRY_RUN));
log_assert (!node->next ); log_assert (!node->next );
log_assert (node->pkt->pkttype == PKT_SIGNATURE ); log_assert (node->pkt->pkttype == PKT_SIGNATURE );
@ -2657,15 +2751,16 @@ import_revoke_cert (ctrl_t ctrl, kbnode_t node, unsigned int options,
rc = get_pubkey (ctrl, pk, keyid ); rc = get_pubkey (ctrl, pk, keyid );
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY ) if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY )
{ {
log_error(_("key %s: no public key -" if (!silent)
" can't apply revocation certificate\n"), keystr(keyid)); log_error (_("key %s: no public key -"
" can't apply revocation certificate\n"), keystr(keyid));
rc = 0; rc = 0;
goto leave; goto leave;
} }
else if (rc ) else if (rc )
{ {
log_error(_("key %s: public key not found: %s\n"), log_error (_("key %s: public key not found: %s\n"),
keystr(keyid), gpg_strerror (rc)); keystr(keyid), gpg_strerror (rc));
goto leave; goto leave;
} }
@ -2702,12 +2797,21 @@ import_revoke_cert (ctrl_t ctrl, kbnode_t node, unsigned int options,
/* it is okay, that node is not in keyblock because /* it is okay, that node is not in keyblock because
* check_key_signature works fine for sig_class 0x20 (KEY_REV) in * check_key_signature works fine for sig_class 0x20 (KEY_REV) in
* this special case. */ * this special case. SIGRC is only used for IMPORT_SHOW. */
rc = check_key_signature (ctrl, keyblock, node, NULL); rc = check_key_signature (ctrl, keyblock, node, NULL);
switch (gpg_err_code (rc))
{
case 0: sigrc = '!'; break;
case GPG_ERR_BAD_SIGNATURE: sigrc = '-'; break;
case GPG_ERR_NO_PUBKEY: sigrc = '?'; break;
case GPG_ERR_UNUSABLE_PUBKEY: sigrc = '?'; break;
default: sigrc = '%'; break;
}
if (rc ) if (rc )
{ {
log_error( _("key %s: invalid revocation certificate" if (!silent)
": %s - rejected\n"), keystr(keyid), gpg_strerror (rc)); log_error (_("key %s: invalid revocation certificate"
": %s - rejected\n"), keystr(keyid), gpg_strerror (rc));
goto leave; goto leave;
} }
@ -2757,6 +2861,9 @@ import_revoke_cert (ctrl_t ctrl, kbnode_t node, unsigned int options,
stats->n_revoc++; stats->n_revoc++;
leave: leave:
if ((options & IMPORT_SHOW))
list_standalone_revocation (ctrl, node->pkt->pkt.signature, sigrc);
keydb_release (hd); keydb_release (hd);
release_kbnode( keyblock ); release_kbnode( keyblock );
free_public_key( pk ); free_public_key( pk );