
gpg: Autoload designated revoker key and ADSK when needed.

* g10/options.h (opt): Move the definition of struct akl to global
scope.
* g10/keydb.h (enum get_pubkey_modes): Add GET_PUBKEY_TRY_LDAP.
* g10/getkey.c (get_pubkey_byname): Implement GET_PUBKEY_BYNAME.
* g10/keygen.c (prepare_desig_revoker): Use it here.
(prepare_adsk): and here.
--

The revoker key is required before we create it along with a new key.
This is because we need to know the algo and also to make sure
that the key really exists.

GnuPG-bug-id: 7133
Werner Koch 2024-06-05 10:00:38 +02:00
parent 068ebb6f1e
commit 465ea9116d
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
4 changed files with 42 additions and 27 deletions


@ -916,6 +916,7 @@ key_byname (ctrl_t ctrl, GETKEY_CTX *retctx, strlist_t namelist,
* auto-key-locate option list! * auto-key-locate option list!
* GET_PUBKEY_NO_LOCAL - Only the auto key locate functionality is * GET_PUBKEY_NO_LOCAL - Only the auto key locate functionality is
* used and no local search is done. * used and no local search is done.
* GET_PUBKEY_TRY_LDAP - If the key was not found locally try LDAP.
* *
* If RETCTX is not NULL, then the constructed context is returned in * If RETCTX is not NULL, then the constructed context is returned in
* *RETCTX so that getpubkey_next can be used to get subsequent * *RETCTX so that getpubkey_next can be used to get subsequent
@ -968,7 +969,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
int nodefault = 0; int nodefault = 0;
int anylocalfirst = 0; int anylocalfirst = 0;
int mechanism_type = AKL_NODEFAULT; int mechanism_type = AKL_NODEFAULT;
struct akl *used_akl = opt.auto_key_locate;
/* If RETCTX is not NULL, then RET_KDBHD must be NULL. */ /* If RETCTX is not NULL, then RET_KDBHD must be NULL. */
log_assert (retctx == NULL || ret_kdbhd == NULL); log_assert (retctx == NULL || ret_kdbhd == NULL);
@ -990,12 +991,12 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
is_mbox = 1; is_mbox = 1;
} }
/* If we are called due to --locate-external-key Check whether NAME /* If we are called due to --locate-external-key check whether NAME
* is a fingerprint and then try to lookup that key by configured * is a fingerprint and then try to lookup that key by configured
* method which support lookup by fingerprint. FPRBUF carries the * method which support lookup by fingerprint. FPRBUF carries the
* parsed fingerprint iff IS_FPR is true. */ * parsed fingerprint iff IS_FPR is true. */
is_fpr = 0; is_fpr = 0;
if (!is_mbox && mode == GET_PUBKEY_NO_LOCAL) if (!is_mbox && (mode == GET_PUBKEY_NO_LOCAL || mode == GET_PUBKEY_TRY_LDAP))
{ {
if (!classify_user_id (name, &fprbuf, 1) if (!classify_user_id (name, &fprbuf, 1)
&& fprbuf.mode == KEYDB_SEARCH_MODE_FPR) && fprbuf.mode == KEYDB_SEARCH_MODE_FPR)
@ -1021,12 +1022,20 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
* implicitly). */ * implicitly). */
if (mode == GET_PUBKEY_NO_LOCAL) if (mode == GET_PUBKEY_NO_LOCAL)
nodefault = 1; /* Auto-key-locate but ignore "local". */ nodefault = 1; /* Auto-key-locate but ignore "local". */
else if (mode != GET_PUBKEY_NO_AKL) else if (mode == GET_PUBKEY_NO_AKL)
;
else if (mode == GET_PUBKEY_TRY_LDAP)
{
static struct akl ldap_only_akl = { AKL_LDAP, NULL, NULL };
used_akl = &ldap_only_akl;
}
else
{ {
/* auto-key-locate is enabled. */ /* auto-key-locate is enabled. */
/* nodefault is true if "nodefault" or "local" appear. */ /* nodefault is true if "nodefault" or "local" appear. */
for (akl = opt.auto_key_locate; akl; akl = akl->next) for (akl = used_akl; akl; akl = akl->next)
if (akl->type == AKL_NODEFAULT || akl->type == AKL_LOCAL) if (akl->type == AKL_NODEFAULT || akl->type == AKL_LOCAL)
{ {
nodefault = 1; nodefault = 1;
@ -1034,7 +1043,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
} }
/* anylocalfirst is true if "local" appears before any other /* anylocalfirst is true if "local" appears before any other
search methods (except "nodefault"). */ search methods (except "nodefault"). */
for (akl = opt.auto_key_locate; akl; akl = akl->next) for (akl = used_akl; akl; akl = akl->next)
if (akl->type != AKL_NODEFAULT) if (akl->type != AKL_NODEFAULT)
{ {
if (akl->type == AKL_LOCAL) if (akl->type == AKL_LOCAL)
@ -1085,7 +1094,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
* the local keyring). Since the auto key locate feature is * the local keyring). Since the auto key locate feature is
* enabled and NAME appears to be an email address, try the auto * enabled and NAME appears to be an email address, try the auto
* locate feature. */ * locate feature. */
for (akl = opt.auto_key_locate; akl; akl = akl->next) for (akl = used_akl; akl; akl = akl->next)
{ {
unsigned char *fpr = NULL; unsigned char *fpr = NULL;
size_t fpr_len; size_t fpr_len;
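Review bot: In the hunk at 1022, `ldap_only_akl` is initialised positionally (`{ AKL_LDAP, NULL, NULL }`) although struct akl is now a public type in options.h; a designated initializer, `static struct akl ldap_only_akl = { .type = AKL_LDAP };`, stays correct if the member order ever changes and makes the NULL spec explicit. The object is never written, so it could also be `static const` if `used_akl` and `akl` become `const struct akl *` (akl is declared outside the hunk). The bare `;` on the GET_PUBKEY_NO_AKL arm would read better as `; /* No auto-key-locate at all. */`. The TRY_LDAP arm skips the nodefault/anylocalfirst scans, so the local search runs first as intended, but the auto-locate loop at 1094 appears to be reached only when NAME classified as a mailbox or fingerprint, so a key ID presumably never gets to LDAP — worth stating in the mode comment at 916, e.g. `* GET_PUBKEY_TRY_LDAP - If the key was not found locally try LDAP; NAME should be a fingerprint or a mail address.` get_pubkey_byname starts and ends outside the hunks shown.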


@ -372,7 +372,8 @@ enum get_pubkey_modes
{ {
GET_PUBKEY_NORMAL = 0, GET_PUBKEY_NORMAL = 0,
GET_PUBKEY_NO_AKL = 1, GET_PUBKEY_NO_AKL = 1,
GET_PUBKEY_NO_LOCAL = 2 GET_PUBKEY_NO_LOCAL = 2,
GET_PUBKEY_TRY_LDAP = 3
}; };
/* Find a public key identified by NAME. */ /* Find a public key identified by NAME. */
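Review bot: GET_PUBKEY_TRY_LDAP is added at 375 without a comment, while the meaning of the modes is only spelled out in the get_pubkey_byname header in getkey.c; a one-line comment on the enumerator, `GET_PUBKEY_TRY_LDAP = 3   /* Local keyring first, then LDAP only (the --auto-key-locate list is not used). */`, keeps the header self-explanatory. The "LDAP only" wording reflects the LDAP-only list substituted for opt.auto_key_locate in getkey.c.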


@ -4504,7 +4504,7 @@ prepare_desig_revoker (ctrl_t ctrl, const char *name)
revoker_pk = xcalloc (1, sizeof *revoker_pk); revoker_pk = xcalloc (1, sizeof *revoker_pk);
revoker_pk->req_usage = PUBKEY_USAGE_CERT; revoker_pk->req_usage = PUBKEY_USAGE_CERT;
err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL, err = get_pubkey_byname (ctrl, GET_PUBKEY_TRY_LDAP,
NULL, revoker_pk, name, NULL, NULL, 1); NULL, revoker_pk, name, NULL, NULL, 1);
if (err) if (err)
goto leave; goto leave;
@ -4565,7 +4565,7 @@ prepare_adsk (ctrl_t ctrl, const char *name)
adsk_pk = xcalloc (1, sizeof *adsk_pk); adsk_pk = xcalloc (1, sizeof *adsk_pk);
adsk_pk->req_usage = PUBKEY_USAGE_ENC; adsk_pk->req_usage = PUBKEY_USAGE_ENC;
err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL, err = get_pubkey_byname (ctrl, GET_PUBKEY_TRY_LDAP,
NULL, adsk_pk, name, NULL, NULL, 1); NULL, adsk_pk, name, NULL, NULL, 1);
if (err) if (err)
goto leave; goto leave;
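Review bot: Both hunks (prepare_desig_revoker at 4504 and prepare_adsk at 4565) now let a trust-critical key — the one entitled to revoke the new key, or the one added as ADSK — be fetched from an LDAP directory by NAME, and the returned key is used as-is once `err` is clear. If NAME can be anything other than a full fingerprint (the TRY_LDAP path in getkey.c also accepts a mail address), the directory effectively chooses which key becomes the revoker; a comment at each call site should state what the caller guarantees, e.g. `/* NAME is expected to be a fingerprint; with GET_PUBKEY_TRY_LDAP the key may come from a remote directory, so a bare mailbox would let the server pick the key. */`. If the option parser does not already restrict NAME to a fingerprint, compare the fingerprint of the returned key against the requested one before accepting it. Both functions start and end outside the hunks.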


@ -41,6 +41,26 @@ struct keyserver_spec
}; };
typedef struct keyserver_spec *keyserver_spec_t; typedef struct keyserver_spec *keyserver_spec_t;
/* The --auto-key-locate mechanisms object. */
struct akl
{
enum {
AKL_NODEFAULT,
AKL_LOCAL,
AKL_CERT,
AKL_PKA,
AKL_DANE,
AKL_WKD,
AKL_LDAP,
AKL_NTDS,
AKL_KEYSERVER,
AKL_SPEC
} type;
keyserver_spec_t spec;
struct akl *next;
};
/* Global options for GPG. */ /* Global options for GPG. */
EXTERN_UNLESS_MAIN_MODULE EXTERN_UNLESS_MAIN_MODULE
@ -290,23 +310,7 @@ struct
/* Linked list of ways to find a key if the key isn't on the local /* Linked list of ways to find a key if the key isn't on the local
keyring. */ keyring. */
struct akl struct akl *auto_key_locate;
{
enum {
AKL_NODEFAULT,
AKL_LOCAL,
AKL_CERT,
AKL_PKA,
AKL_DANE,
AKL_WKD,
AKL_LDAP,
AKL_NTDS,
AKL_KEYSERVER,
AKL_SPEC
} type;
keyserver_spec_t spec;
struct akl *next;
} *auto_key_locate;
/* The value of --key-origin. See parse_key_origin(). */ /* The value of --key-origin. See parse_key_origin(). */
int key_origin; int key_origin;
@ -327,6 +331,7 @@ struct
unsigned int compat_flags; unsigned int compat_flags;
} opt; } opt;
/* CTRL is used to keep some global variables we currently can't /* CTRL is used to keep some global variables we currently can't
avoid. Future concurrent versions of gpg will put it into a per avoid. Future concurrent versions of gpg will put it into a per
request structure CTRL. */ request structure CTRL. */