From 6b306f45f4fbe36b90cec4685aabb267a61e283f Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Sat, 14 Mar 2020 18:04:47 +0100 Subject: [PATCH] gpg: New option --auto-key-import * g10/gpg.c (opts): New options --auto-key-import, --no-auto-key-import, and --no-include-key-block. (gpgconf_list): Add them. * g10/options.h (opt): Add field flags.auto_key_import. * g10/mainproc.c (check_sig_and_print): Use flag to enable that feature. * tools/gpgconf-comp.c: Give the new options a Basic config level. -- Note that the --no variants of the options are intended for easy disabling at the command line. GnuPG-bug-id: 4856 Signed-off-by: Werner Koch --- doc/gpg.texi | 39 +++++++++++++++++++++++++++++++++++---- g10/gpg.c | 17 +++++++++++++++-- g10/mainproc.c | 11 ++++------- g10/options.h | 1 + tools/gpgconf-comp.c | 3 ++- 5 files changed, 57 insertions(+), 14 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index 105aaf9df..f2a046e5a 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1766,6 +1766,19 @@ Set what trust model GnuPG should follow. The models are: must be enabled explicitly. @end table +@item --include-key-block +@itemx --no-include-key-block +@opindex include-key-block +@opindex no-include-key-block +Include a minimized version of the public parts of the signing key as +a “Key Block subpacket” into data signatures. The Key Block contains +the signing key or subkey as well as an encryption subkey. This +allows the recipient of a signed message to reply encrypted to the +sender without using any online directories to lookup the key. The +default is @option{--no-innclude-key-block}. See also the option +@option{--auto-key-import}. + + @item --auto-key-locate @var{mechanisms} @itemx --no-auto-key-locate @opindex auto-key-locate 
@@ -1827,6 +1840,20 @@ list. The default is "local,wkd". @end table +@item --auto-key-import +@itemx --no-auto-key-import +@opindex auto-key-import +@opindex no-auto-key-import +This is an offline mechanism to get a missing key for signature +verification and for later encryption to this key. If this option is +enabled and a signature includes a “Key Block subpacket”, that key is +used to verify the signature and on verification success that key is +imported. The default is @option{--no-auto-key-import}. + +On the sender (signing) site the option @option{--include-key-block} +needs to be used to put the public part of the signing key as “Key +Block subpacket” into the signature. + @item --auto-key-retrieve @itemx --no-auto-key-retrieve @opindex auto-key-retrieve 
@@ -1837,22 +1864,26 @@ local keyring. The default is @option{--no-auto-key-retrieve}. The order of methods tried to lookup the key is: -1. If a preferred keyserver is specified in the signature and the +1. If the option @option{--auto-key-import} is set and the signatures +includes a “Key Block subpacket”, that key is used to verify the +signature and on verification success that key is imported. + +2. If a preferred keyserver is specified in the signature and the option @option{honor-keyserver-url} is active (which is not the default), that keyserver is tried. Note that the creator of the signature uses the option @option{--sig-keyserver-url} to specify the preferred keyserver for data signatures. -2. If the signature has the Signer's UID set (e.g. using +3. If the signature has the Signer's UID set (e.g. using @option{--sender} while creating the signature) a Web Key Directory (WKD) lookup is done. This is the default configuration but can be disabled by removing WKD from the auto-key-locate list or by using the option @option{--disable-signer-uid}. -3. If the option @option{honor-pka-record} is active, the legacy PKA +4. If the option @option{honor-pka-record} is active, the legacy PKA method is used. -4. If any keyserver is configured and the Issuer Fingerprint is part +5. If any keyserver is configured and the Issuer Fingerprint is part of the signature (since GnuPG 2.1.16), the configured keyservers are tried. diff --git a/g10/gpg.c b/g10/gpg.c index 05289880a..c5ba72fb3 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -360,6 +360,8 @@ enum cmd_and_opt_values oNoRandomSeedFile, oAutoKeyRetrieve, oNoAutoKeyRetrieve, + oAutoKeyImport, + oNoAutoKeyImport, oUseAgent, oNoUseAgent, oGpgAgentInfo, @@ -434,6 +436,7 @@ enum cmd_and_opt_values oUseOnlyOpenPGPCard, oFullTimestrings, oIncludeKeyBlock, + oNoIncludeKeyBlock, oNoop }; 
@@ -750,8 +753,6 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_i (oCompressLevel, "compress-level", "@"), ARGPARSE_s_i (oBZ2CompressLevel, "bzip2-compress-level", "@"), ARGPARSE_s_n (oDisableSignerUID, "disable-signer-uid", "@"), - ARGPARSE_s_n (oIncludeKeyBlock, "include-key-block", - N_("include the public key in the signature")), ARGPARSE_header ("ImportExport", N_("Options controlling key import and export")), @@ -759,8 +760,14 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oAutoKeyLocate, "auto-key-locate", N_("|MECHANISMS|use MECHANISMS to locate keys by mail address")), ARGPARSE_s_n (oNoAutoKeyLocate, "no-auto-key-locate", "@"), + ARGPARSE_s_n (oAutoKeyImport, "auto-key-import", + N_("import missing key from a signature")), + ARGPARSE_s_n (oNoAutoKeyImport, "no-auto-key-import", "@"), ARGPARSE_s_n (oAutoKeyRetrieve, "auto-key-retrieve", "@"), ARGPARSE_s_n (oNoAutoKeyRetrieve, "no-auto-key-retrieve", "@"), + ARGPARSE_s_n (oIncludeKeyBlock, "include-key-block", + N_("include the public key in signatures")), + ARGPARSE_s_n (oNoIncludeKeyBlock, "no-include-key-block", "@"), ARGPARSE_s_n (oDisableDirmngr, "disable-dirmngr", N_("disable all access to the dirmngr")), ARGPARSE_s_s (oKeyServer, "keyserver", "@"), /* Deprecated. */ @@ -1943,6 +1950,8 @@ gpgconf_list (const char *configfile) es_printf ("encrypt-to:%lu:\n", GC_OPT_FLAG_NONE); es_printf ("try-secret-key:%lu:\n", GC_OPT_FLAG_NONE); es_printf ("auto-key-locate:%lu:\n", GC_OPT_FLAG_NONE); + es_printf ("auto-key-import:%lu:\n", GC_OPT_FLAG_NONE); + es_printf ("include-key-block:%lu:\n", GC_OPT_FLAG_NONE); es_printf ("auto-key-retrieve:%lu:\n", GC_OPT_FLAG_NONE); es_printf ("log-file:%lu:\n", GC_OPT_FLAG_NONE); es_printf ("debug-level:%lu:\"none:\n", GC_OPT_FLAG_DEFAULT); 
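Review bot: The help string added for `auto-key-import`, `N_("import missing key from a signature")`, does not tell a `--help` reader where that key comes from: it is the key block the signer chose to embed, so enabling the option means any signed message gpg verifies can add a key to the keyring. I would make that visible in the one line a user sees, e.g. `N_("import a missing key from the key block embedded in a signature")`, and likewise say "signer's public key" rather than "the public key" for `include-key-block`. The gpgconf_list hunk registers only the positive forms, which matches the commit note that the `--no-` variants are for the command line. The gpg.texi hunk documenting this same default spells it `--no-innclude-key-block`; the name registered here is the correct one.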
@@ -3035,6 +3044,7 @@ main (int argc, char **argv) case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break; case oIncludeKeyBlock: opt.flags.include_key_block = 1; break; + case oNoIncludeKeyBlock: opt.flags.include_key_block = 0; break; case oS2KMode: opt.s2k_mode = pargs.r.ret_int; break; case oS2KDigest: s2k_digest_string = xstrdup(pargs.r.ret_str); break; @@ -3420,6 +3430,9 @@ main (int argc, char **argv) case oIgnoreMDCError: opt.ignore_mdc_error = 1; break; case oNoRandomSeedFile: use_random_seed = 0; break; + case oAutoKeyImport: opt.flags.auto_key_import = 1; break; + case oNoAutoKeyImport: opt.flags.auto_key_import = 0; break; + case oAutoKeyRetrieve: opt.keyserver_options.options |= KEYSERVER_AUTO_KEY_RETRIEVE; break; diff --git a/g10/mainproc.c b/g10/mainproc.c index ffde748c0..941ffaa76 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -2012,14 +2012,11 @@ check_sig_and_print (CTX c, kbnode_t node) rc = do_check_sig (c, node, extrahash, extrahashlen, NULL, NULL, &is_expkey, &is_revkey, &pk); - /* If the key is not found but the signaure includes a key bnlock we - * import that key block and trry again. We keep this key block - * only if the signature verifies. */ - /* FIXME: Shall we add an option to disable it or use it only if - * --auto-key-retriueve is set? */ + /* If the key is not found but the signature includes a key block we + * use that key block for verification and on success import it. */ if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY - && sig->flags.key_block) - /* && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)) */ + && sig->flags.key_block + && opt.flags.auto_key_import) { PKT_public_key *included_pk; const byte *kblock; diff --git a/g10/options.h b/g10/options.h index d05164eac..bf1bb8f50 100644 --- a/g10/options.h +++ b/g10/options.h 
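Review bot: The new `opt.flags.auto_key_import` guard makes the key-block path opt-in, but a successful check against `included_pk` remains self-referential: the key block is chosen by whoever produced the signature, so "verifies" here only shows the message was signed by the key it carries, and the import that follows should not be read as saying anything about who controls that key. I would extend the rewritten comment after "on success import it" to state that the key block is signer-supplied, that a good signature against it proves only internal consistency, and that the imported key gets no validity beyond what the trust model assigns later. It is also worth confirming that the status output for this case lets a front end distinguish "verified with a key taken from the message" from "verified with an already-known key", since that difference is what a user needs when deciding whether to act on the message. check_sig_and_print starts and ends outside this hunk, so how `included_pk` is matched against the signature's issuer and how the import result is reported are not visible here.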
@@ -242,6 +242,7 @@ struct
 unsigned int large_rsa:1;
 unsigned int disable_signer_uid:1;
 unsigned int include_key_block:1;
+ unsigned int auto_key_import:1;
 /* Flag to enable experimental features from RFC4880bis. */
 unsigned int rfc4880bis:1;
 /* Hack: --output is not given but OUTFILE was temporary set to "-". */
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index f6d9c10b1..0700bcf1b 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -404,8 +404,9 @@ static known_option_t known_options_gpg[] =
 { "log-file", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
 GC_ARG_TYPE_FILENAME },
 { "auto-key-locate", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
+ { "auto-key-import", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
 { "auto-key-retrieve", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT },
- { "no-auto-key-retrieve", GC_OPT_FLAG_NONE, GC_LEVEL_INVISIBLE },
+ { "include-key-block", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
 { "disable-dirmngr", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT },
 { "max-cert-depth", GC_OPT_FLAG_NONE, GC_LEVEL_INVISIBLE },
 { "completes-needed", GC_OPT_FLAG_NONE, GC_LEVEL_INVISIBLE },
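Review bot: `auto-key-import` is given `GC_LEVEL_BASIC` while `auto-key-retrieve`, two entries below, stays at `GC_LEVEL_EXPERT`, although both make gpg add a key to the keyring as a side effect of verifying someone else's signature — in the new option's case a key supplied inside the message itself. At the Basic level the simplest front-end configuration screens will offer it without that caveat; either align it with `GC_LEVEL_EXPERT` or make sure the gpgconf description text carries the "key comes from the signer" warning. The hunk also drops the `no-auto-key-retrieve` entry, which the commit message does not mention; if it was only ever `GC_LEVEL_INVISIBLE` the removal is harmless, but it deserves a line in the log. known_options_gpg continues outside this hunk.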