1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

gpg: Allow the use of an ADSK subkey as ADSK subkey.

* g10/packet.h (PKT_public_key): Increased size of req_usage to 16.
* g10/getkey.c (key_byname): Set allow_adsk in the context if ir was
requested via req_usage.
(finish_lookup): Allow RENC usage matching.
* g10/keyedit.c (append_adsk_to_key): Adjust the assert.
* g10/keygen.c (prepare_adsk): Also allow to find an RENC subkey.
--

If an ADSK is to be added it may happen that an ADSK subkey is found
first and this should then be used even that it does not have the E
usage.  However, it used to have that E usage when it was added.

While testing this I found another pecularity: If you do
  gpg -k ADSK_SUBKEY_FPR
without the '!' suffix and no corresponding encryption subkey is dound,
you will get an unusabe key error.  I hesitate to fix that due to
possible side-effects.

GnuPG-bug-id: 6882
Backported-from-master: d30e345692440b9c6677118c1d20b9d17d80f873

Note that we still use the NO_AKL and not the newer TRY_LDAP in 2.2.
We may want to backport that change as well.
This commit is contained in:
Werner Koch 2024-10-31 15:11:55 +01:00
parent 2ca38bee7a
commit 6c58694a88
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
4 changed files with 15 additions and 9 deletions

View File

@ -77,7 +77,8 @@ struct getkey_ctx_s
/* Part of the search criteria: The type of the requested key. A
mask of PUBKEY_USAGE_SIG, PUBKEY_USAGE_ENC and PUBKEY_USAGE_CERT.
If non-zero, then for a key to match, it must implement one of
the required uses. */
the required uses. FWIW: the req_usage field in PKT_public_key
used to be an u8 but meanwhile is an u16. */
int req_usage;
/* The database handle. */
@ -978,7 +979,12 @@ key_byname (ctrl_t ctrl, GETKEY_CTX *retctx, strlist_t namelist,
if (pk)
{
/* It is a bit tricky to allow returning an ADSK key: lookup
* masks the req_usage flags using the standard usage maps and
* only if ctx->allow_adsk is set, sets the RENC flag again. */
ctx->req_usage = pk->req_usage;
if ((pk->req_usage & PUBKEY_USAGE_RENC))
ctx->allow_adsk = 1;
}
rc = lookup (ctrl, ctx, want_secret, ret_kb, &found_key);
@ -3702,7 +3708,7 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
#define USAGE_MASK (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT)
req_usage &= USAGE_MASK;
/* In allow ADSK mode make sure both encryption bis are set. */
/* In allow ADSK mode make sure both encryption bits are set. */
if (allow_adsk && (req_usage & PUBKEY_USAGE_XENC_MASK))
req_usage |= PUBKEY_USAGE_XENC_MASK;
@ -3807,7 +3813,8 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
log_debug ("\tsubkey not valid\n");
continue;
}
if (!((pk->pubkey_usage & USAGE_MASK) & req_usage))
if (!((pk->pubkey_usage & (USAGE_MASK | PUBKEY_USAGE_RENC))
& req_usage))
{
if (DBG_LOOKUP)
log_debug ("\tusage does not match: want=%x have=%x\n",

View File

@ -4757,8 +4757,8 @@ append_adsk_to_key (ctrl_t ctrl, kbnode_t keyblock, PKT_public_key *adsk)
/* Prepare and append the adsk. */
keyid_from_pk (main_pk, adsk->main_keyid); /* Fixup main keyid. */
log_assert ((adsk->pubkey_usage & PUBKEY_USAGE_ENC));
adsk->pubkey_usage = PUBKEY_USAGE_RENC; /* 'e' -> 'r' */
log_assert ((adsk->pubkey_usage & PUBKEY_USAGE_XENC_MASK));
adsk->pubkey_usage = PUBKEY_USAGE_RENC; /* 'e' or 'r' -> 'r' */
pkt = xtrycalloc (1, sizeof *pkt);
if (!pkt)
{

View File

@ -4046,7 +4046,7 @@ prepare_adsk (ctrl_t ctrl, const char *name)
}
adsk_pk = xcalloc (1, sizeof *adsk_pk);
adsk_pk->req_usage = PUBKEY_USAGE_ENC;
adsk_pk->req_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_RENC;
err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
NULL, adsk_pk, name, NULL, NULL, 1);
if (err)

View File

@ -400,10 +400,9 @@ typedef struct
when serializing. (Serialized.) */
byte version;
byte selfsigversion; /* highest version of all of the self-sigs */
/* The public key algorithm. (Serialized.) */
byte pubkey_algo;
byte pubkey_algo; /* The public key algorithm. (PGP format) */
u16 pubkey_usage; /* carries the usage info. */
byte req_usage; /* hack to pass a request to getkey() */
u16 req_usage; /* hack to pass a request to getkey() */
u32 has_expired; /* set to the expiration date if expired */
/* keyid of the primary key. Never access this value directly.
Instead, use pk_main_keyid(). */