dirmngr: Return modifyTimestamp and add server option --newer.

* dirmngr/server.c (cmd_ks_get): Add option --newer. (cmd_ad_query): Ditto. * dirmngr/ldap-misc.c (isotime2rfc4517): New. (rfc4517toisotime): New. * dirmngr/ks-action.c (ks_action_get): Add arg newer and pass on. (ks_action_query): Ditto. * dirmngr/ks-engine-ldap.c (extract_keys): Print new "chg" record. (ks_ldap_get): Add arg newer. Modify filter with newer arg. (ks_ldap_search): Print the modifyTimestamp. (ks_ldap_query): Add arg newer. Modify filter with newer arg. -- Note that the modifyTimestamp is also available on Windows, where its value is more commonly known as whenChanged. Both are constructed attributes. Note that the --newer option is a bit of a misnomer because LDAP has only a greater-or-equal and no greater-than operator.
2025-07-03 22:56:33 +02:00 · 2023-04-04 08:49:55 +02:00 · 2023-04-04 08:49:55 +02:00 · 56d309133f
commit 56d309133f
parent a5360ae4c7
7 changed files with 195 additions and 27 deletions
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@ -1004,6 +1004,15 @@ extract_keys (estream_t output,
    }
  my_ldap_value_free (vals);

+  vals = ldap_get_values (ldap_conn, message, "modifyTimestamp");
+  if (vals && vals[0])
+    {
+      gnupg_isotime_t atime;
+      if (!rfc4517toisotime (atime, vals[0]))
+        es_fprintf (output, "chg:%s:\n", atime);
+    }
+  my_ldap_value_free (vals);
+
  es_fprintf (output, "INFO %s END\n", certid);
 }

@ -1368,7 +1377,7 @@ fetch_rootdse (ctrl_t ctrl, parsed_uri_t uri)
      || puri->parsed_uri->opaque)
    {
      err = ks_ldap_query (ctrl, puri->parsed_uri, KS_GET_FLAG_ROOTDSE,
-                           "^&base&(objectclass=*)", NULL, &infp);
+                           "^&base&(objectclass=*)", NULL, NULL, &infp);
      if (err)
        log_error ("ldap: reading the rootDES failed: %s\n",
                   gpg_strerror (err));
@ -1417,7 +1426,7 @@ basedn_from_rootdse (ctrl_t ctrl, parsed_uri_t uri)
 * data.  KS_GET_FLAGS conveys flags from the client.  */
 gpg_error_t
 ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
-	     unsigned int ks_get_flags, estream_t *r_fp)
+	     unsigned int ks_get_flags, gnupg_isotime_t newer, estream_t *r_fp)
 {
  gpg_error_t err;
  unsigned int serverinfo;
@ -1442,7 +1451,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
    {
     "dummy", /* (to be be replaced.)  */
     "pgpcertid", "pgpuserid", "pgpkeyid", "pgprevoked", "pgpdisabled",
-     "pgpkeycreatetime", "modifytimestamp", "pgpkeysize", "pgpkeytype",
+     "pgpkeycreatetime", "modifyTimestamp", "pgpkeysize", "pgpkeytype",
     "gpgfingerprint",
     NULL
    };
@ -1542,6 +1551,28 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
      if (err)
        goto leave;

+      if (*newer)
+        {
+          char *tstr, *fstr;
+
+          tstr = isotime2rfc4517 (newer);
+          if (!tstr)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+          fstr = strconcat ("(&", filter,
+                            "(modifyTimestamp>=", tstr, "))", NULL);
+          xfree (tstr);
+          if (!fstr)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+          xfree (filter);
+          filter = fstr;
+        }
+
      if (opt.debug)
        log_debug ("ks-ldap: using filter: %s\n", filter);

@ -1697,7 +1728,7 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
    char *attrs[] =
      {
 	"pgpcertid", "pgpuserid", "pgprevoked", "pgpdisabled",
-	"pgpkeycreatetime", "pgpkeyexpiretime", "modifytimestamp",
+	"pgpkeycreatetime", "pgpkeyexpiretime", "modifyTimestamp",
 	"pgpkeysize", "pgpkeytype", "gpgfingerprint",
        NULL
      };
@ -1851,19 +1882,17 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
 		  }
                my_ldap_value_free (vals);

-#if 0
-		/* This is not yet specified in the keyserver
-		   protocol, but may be someday. */
 		es_fputc (':', fp);

-		vals = ldap_get_values (ldap_conn, each, "modifytimestamp");
-		if(vals && vals[0] strlen (vals[0]) == 15)
+		vals = ldap_get_values (ldap_conn, each, "modifyTimestamp");
+		if(vals && vals[0])
 		  {
-		    es_fprintf (fp, "%u",
-				(unsigned int) ldap2epochtime (vals[0]));
+                    gnupg_isotime_t atime;
+                    if (rfc4517toisotime (atime, vals[0]))
+                      *atime = 0;
+                    es_fprintf (fp, "%s", atime);
 		  }
                my_ldap_value_free (vals);
-#endif

 		es_fprintf (fp, "\n");

@ -2785,7 +2814,8 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
 * return or NULL for all. */
 gpg_error_t
 ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
-               const char *filter_arg, char **attrs, estream_t *r_fp)
+               const char *filter_arg, char **attrs,
+               gnupg_isotime_t newer, estream_t *r_fp)
 {
  gpg_error_t err;
  unsigned int serverinfo;
@ -2823,6 +2853,30 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
      err = ldap_parse_extfilter (filter_arg, 0, &basedn, &scope, &filter);
      if (err)
        goto leave;
+      if (newer && *newer)
+        {
+          char *tstr, *fstr;
+
+          tstr = isotime2rfc4517 (newer);
+          if (!tstr)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+          if (filter && *filter)
+            fstr = strconcat ("(&", filter,
+                              "(modifyTimestamp>=", tstr, "))", NULL);
+          else
+            fstr = strconcat ("(modifyTimestamp>=", tstr, ")", NULL);
+          xfree (tstr);
+          if (!fstr)
+            {
+              err = gpg_error_from_syserror ();
+              goto leave;
+            }
+          xfree (filter);
+          filter = fstr;
+        }
    }