diff --git a/NEWS b/NEWS index cab323ac9..22f1fd053 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,12 @@ Noteworthy changes in version 2.3.0 (unreleased) ------------------------------------------------ + * The legacy key discovory method PKA is no longer supported. The + command --print-pka-records and the PKA related import and export + options have been removed. + + + Changes also found in 2.2.21: * gpg: Add option --no-include-key-block. [#4856] @@ -742,6 +748,7 @@ Noteworthy changes in version 2.3.0 (unreleased) certificates are configured. If build with GNUTLS, this was already the case. + Release-info: https://dev.gnupg.org/T4702 See-also: gnupg-announce/2017q3/000415.html Release dates of 2.2.x versions: diff --git a/doc/gpg.texi b/doc/gpg.texi index 23b0d9c19..d44a9a211 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1434,18 +1434,6 @@ the opposite meaning. The options are: all the AKA lines as well as photo Ids are not shown with the signature verification status. - @item pka-lookups - @opindex verify-options:pka-lookups - Enable PKA lookups to verify sender addresses. Note that PKA is based - on DNS, and so enabling this option may disclose information on when - and what signatures are verified or to whom data is encrypted. This - is similar to the "web bug" described for the @option{--auto-key-retrieve} - option. - - @item pka-trust-increase - @opindex verify-options:pka-trust-increase - Raise the trust in a signature to full if the signature passes PKA - validation. This option is only meaningful if pka-lookups is set. @end table @item --enable-large-rsa @@ -1810,9 +1798,6 @@ list. The default is "local,wkd". @item cert Locate a key using DNS CERT, as specified in RFC-4398. - @item pka - Locate a key using DNS PKA. - @item dane Locate a key using DANE, as specified in draft-ietf-dane-openpgpkey-05.txt. 
@@ -1896,10 +1881,7 @@ preferred keyserver for data signatures. disabled by removing WKD from the auto-key-locate list or by using the option @option{--disable-signer-uid}. -4. If the option @option{honor-pka-record} is active, the legacy PKA -method is used. - -5. If any keyserver is configured and the Issuer Fingerprint is part +4. If any keyserver is configured and the Issuer Fingerprint is part of the signature (since GnuPG 2.1.16), the configured keyservers are tried. @@ -1980,11 +1962,6 @@ are available for all keyserver types, some common options are: "web bug": The creator of the key can see when the keys is refreshed. Thus this option is not enabled by default. - @item honor-pka-record - If @option{--auto-key-retrieve} is used, and the signature being - verified has a PKA record, then use the PKA information to fetch - the key. Defaults to "yes". - @item include-subkeys When receiving a key, include subkeys as potential targets. Note that this option is not used with HKP keyservers, as they do not support @@ -2002,8 +1979,7 @@ are available for all keyserver types, some common options are: @end table The default list of options is: "self-sigs-only, import-clean, -repair-keys, repair-pks-subkey-bug, export-attributes, -honor-pka-record". +repair-keys, repair-pks-subkey-bug, export-attributes". @item --completes-needed @var{n} @@ -2434,9 +2410,9 @@ opposite meaning. The options are: @item import-export Run the entire import code but instead of storing the key to the - local keyring write it to the output. The export options - @option{export-pka} and @option{export-dane} affect the output. This - option can be used to remove all invalid parts from a key without the + local keyring write it to the output. The export option + @option{export-dane} affect the output. This option can for example + be used to remove all invalid parts from a key without the need to store it. @item merge-only 
@@ -2634,11 +2610,6 @@ opposite meaning. The options are: running the @option{--edit-key} command "minimize" before export except that the local copy of the key is not modified. Defaults to no. - @item export-pka - Instead of outputting the key material output PKA records suitable - to put into DNS zone files. An ORIGIN line is printed before each - record to allow diverting the records to the corresponding zone file. - @item export-dane Instead of outputting the key material output OpenPGP DANE records suitable to put into DNS zone files. An ORIGIN line is printed before diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c index 17f5fdcf3..21edab639 100644 --- a/g10/call-dirmngr.c +++ b/g10/call-dirmngr.c 
@@ -1249,72 +1249,6 @@ gpg_dirmngr_dns_cert (ctrl_t ctrl, const char *name, const char *certtype, } -/* Ask the dirmngr for PKA info. On success the retrieved fingerprint - is returned in a malloced buffer at R_FPR and its length is stored - at R_FPRLEN. If an URL is available it is stored as a malloced - string at R_URL. On error all return values are set to NULL/0. */ -gpg_error_t -gpg_dirmngr_get_pka (ctrl_t ctrl, const char *userid, - unsigned char **r_fpr, size_t *r_fprlen, - char **r_url) -{ - gpg_error_t err; - assuan_context_t ctx; - struct dns_cert_parm_s parm; - char *line = NULL; - - memset (&parm, 0, sizeof parm); - if (r_fpr) - *r_fpr = NULL; - if (r_fprlen) - *r_fprlen = 0; - if (r_url) - *r_url = NULL; - - err = open_context (ctrl, &ctx); - if (err) - return err; - - line = es_bsprintf ("DNS_CERT --pka -- %s", userid); - if (!line) - { - err = gpg_error_from_syserror (); - goto leave; - } - if (strlen (line) + 2 >= ASSUAN_LINELENGTH) - { - err = gpg_error (GPG_ERR_TOO_LARGE); - goto leave; - } - - err = assuan_transact (ctx, line, dns_cert_data_cb, &parm, - NULL, NULL, dns_cert_status_cb, &parm); - if (err) - goto leave; - - if (r_fpr && parm.fpr) - { - *r_fpr = parm.fpr; - parm.fpr = NULL; - } - if (r_fprlen) - *r_fprlen = parm.fprlen; - - if (r_url && parm.url) - { - *r_url = parm.url; - parm.url = NULL; - } - - leave: - xfree (parm.fpr); - xfree (parm.url); - xfree (line); - close_context (ctrl, ctx); - return err; -} - - /* Ask the dirmngr to retrieve a key via the Web Key Directory * protocol. If QUICK is set the dirmngr is advised to use a shorter diff --git a/g10/call-dirmngr.h b/g10/call-dirmngr.h index 285c4cb4d..8679777c2 100644 --- a/g10/call-dirmngr.h +++ b/g10/call-dirmngr.h 
@@ -37,9 +37,6 @@ gpg_error_t gpg_dirmngr_dns_cert (ctrl_t ctrl, estream_t *r_key, unsigned char **r_fpr, size_t *r_fprlen, char **r_url); -gpg_error_t gpg_dirmngr_get_pka (ctrl_t ctrl, const char *userid, - unsigned char **r_fpr, size_t *r_fprlen, - char **r_url); gpg_error_t gpg_dirmngr_wkd_get (ctrl_t ctrl, const char *name, int quick, estream_t *r_key, char **r_url); diff --git a/g10/export.c b/g10/export.c index 396bc2780..d24fd16a4 100644 --- a/g10/export.c +++ b/g10/export.c @@ -93,10 +93,9 @@ static int do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret, kbnode_t *keyblock_out, unsigned int options, export_stats_t stats, int *any); -static gpg_error_t print_pka_or_dane_records +static gpg_error_t print_dane_records /**/ (iobuf_t out, kbnode_t keyblock, PKT_public_key *pk, - const void *data, size_t datalen, - int print_pka, int print_dane); + const void *data, size_t datalen); static void @@ -127,7 +126,6 @@ parse_export_options(char *str,unsigned int *options,int noisy) {"export-minimal",EXPORT_MINIMAL|EXPORT_CLEAN,NULL, N_("remove as much as possible from key during export")}, - {"export-pka", EXPORT_PKA_FORMAT, NULL, NULL }, {"export-dane", EXPORT_DANE_FORMAT, NULL, NULL }, {"backup", EXPORT_BACKUP, NULL, @@ -157,7 +155,7 @@ parse_export_options(char *str,unsigned int *options,int noisy) *options |= (EXPORT_LOCAL_SIGS | EXPORT_ATTRIBUTES | EXPORT_SENSITIVE_REVKEYS); *options &= ~(EXPORT_CLEAN | EXPORT_MINIMAL - | EXPORT_PKA_FORMAT | EXPORT_DANE_FORMAT); + | EXPORT_DANE_FORMAT); } return rc; @@ -413,7 +411,7 @@ do_export (ctrl_t ctrl, strlist_t users, int secret, unsigned int options, if (rc) return rc; - if ( opt.armor && !(options & (EXPORT_PKA_FORMAT|EXPORT_DANE_FORMAT)) ) + if ( opt.armor && !(options & EXPORT_DANE_FORMAT) ) { afx = new_armor_context (); afx->what = secret? 5 : 1; 
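Review bot: Dropping the `export-pka` row from the parse_export_options table turns an existing `export-options export-pka` line in gpg.conf into a startup failure rather than a no-op, assuming the parse_options call for this table (outside the hunk) is still run in noisy mode and its failure is fatal as for the other option tables. For a removed feature a zero-valued dummy row is kinder to upgraders: `{"export-pka", 0, NULL, NULL}, /* Dummy for backward compatibility. */` keeps the keyword accepted and ignored, and the EXPORT_PKA_FORMAT bit can still go. The same consideration applies to the other option keywords removed elsewhere in this commit.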
@@ -1334,7 +1332,7 @@ write_keyblock_to_output (kbnode_t keyblock, int with_armor, if (opt.verbose) log_info (_("writing to '%s'\n"), iobuf_get_fname_nonnull (out)); - if ((options & (EXPORT_PKA_FORMAT|EXPORT_DANE_FORMAT))) + if ((options & EXPORT_DANE_FORMAT)) { with_armor = 0; out_help = iobuf_temp (); @@ -1371,7 +1369,7 @@ write_keyblock_to_output (kbnode_t keyblock, int with_armor, } err = 0; - if (out_help && pk) + if (out_help && pk && (options & EXPORT_DANE_FORMAT)) { const void *data; size_t datalen; @@ -1380,10 +1378,7 @@ write_keyblock_to_output (kbnode_t keyblock, int with_armor, data = iobuf_get_temp_buffer (out_help); datalen = iobuf_get_temp_length (out_help); - err = print_pka_or_dane_records (out, - keyblock, pk, data, datalen, - (options & EXPORT_PKA_FORMAT), - (options & EXPORT_DANE_FORMAT)); + err = print_dane_records (out, keyblock, pk, data, datalen); } leave: @@ -1474,13 +1469,12 @@ apply_drop_subkey_filter (ctrl_t ctrl, kbnode_t keyblock, } -/* Print DANE or PKA records for all user IDs in KEYBLOCK to OUT. The - * data for the record is taken from (DATA,DATELEN). PK is the public - * key packet with the primary key. */ +/* Print DANErecords for all user IDs in KEYBLOCK to OUT. The data + * for the record is taken from (DATA,DATELEN). PK is the public key + * packet with the primary key. */ static gpg_error_t -print_pka_or_dane_records (iobuf_t out, kbnode_t keyblock, PKT_public_key *pk, - const void *data, size_t datalen, - int print_pka, int print_dane) +print_dane_records (iobuf_t out, kbnode_t keyblock, PKT_public_key *pk, + const void *data, size_t datalen) { gpg_error_t err = 0; kbnode_t kbctx, node; 
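Review bot: The conjunct added in `if (out_help && pk && (options & EXPORT_DANE_FORMAT))` is redundant: in write_keyblock_to_output, out_help is only opened under that very flag (the hunk just above), so a non-NULL out_help already implies EXPORT_DANE_FORMAT. Either simplify to `if (out_help && pk)`, or, if the extra test is meant to guard a future second user of out_help, say so in a comment next to it so the next reader does not remove it as dead. write_keyblock_to_output starts and ends outside this hunk.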
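Review bot: The rewritten header comment of print_dane_records loses a space (`DANErecords`) and carries over the old `DATELEN` typo for the DATALEN parameter. Suggested wording: `/* Print DANE records for all user IDs in KEYBLOCK to OUT.  The data`, `* for the record is taken from (DATA,DATALEN).  PK is the public key`, `* packet with the primary key.  */`. The body of print_dane_records continues past the end of the hunk.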
@@ -1532,25 +1526,7 @@ print_pka_or_dane_records (iobuf_t out, kbnode_t keyblock, PKT_public_key *pk, domain = strchr (mbox, '@'); *domain++ = 0; - if (print_pka) - { - es_fprintf (fp, "$ORIGIN _pka.%s.\n; %s\n; ", domain, hexfpr); - print_utf8_buffer (fp, uid->name, uid->len); - es_putc ('\n', fp); - gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox)); - xfree (hash); - hash = zb32_encode (hashbuf, 8*20); - if (!hash) - { - err = gpg_error_from_syserror (); - goto leave; - } - len = strlen (hexfpr)/2; - es_fprintf (fp, "%s TYPE37 \\# %u 0006 0000 00 %02X %s\n\n", - hash, 6 + len, len, hexfpr); - } - - if (print_dane && hexdata) + if (1) { es_fprintf (fp, "$ORIGIN _openpgpkey.%s.\n; %s\n; ", domain, hexfpr); print_utf8_buffer (fp, uid->name, uid->len); @@ -1930,13 +1906,12 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret, if (!kdbhd) return gpg_error_from_syserror (); - /* For the PKA and DANE format open a helper iobuf and for DANE + /* For the DANE format open a helper iobuf and * enforce some options. */ - if ((options & (EXPORT_PKA_FORMAT | EXPORT_DANE_FORMAT))) + if ((options & EXPORT_DANE_FORMAT)) { out_help = iobuf_temp (); - if ((options & EXPORT_DANE_FORMAT)) - options |= EXPORT_MINIMAL | EXPORT_CLEAN; + options |= EXPORT_MINIMAL | EXPORT_CLEAN; } if (!users) @@ -2110,9 +2085,9 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret, break; } - if (out_help) + if (out_help && (options & EXPORT_DANE_FORMAT)) { - /* We want to write PKA or DANE records. OUT_HELP has the + /* We want to write DANE records. OUT_HELP has the * keyblock and we print a record for each uid to OUT. */ const void *data; size_t datalen; 
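Review bot: `if (1)` keeps the old block structure but silently drops the `hexdata` half of the former condition `print_dane && hexdata`; the DANE record lines that follow (outside the hunk) are formatted from hexdata, so if the hex conversion earlier in print_dane_records can still leave it NULL, that code now runs on a null pointer. Unless the earlier code now fails hard on a NULL hexdata, keep the guard as `if (hexdata)`; if NULL is genuinely impossible, remove the wrapper and re-indent the block instead of leaving a constant condition that reads like a debugging leftover. print_dane_records begins and ends outside this hunk.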
@@ -2121,10 +2096,7 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret, data = iobuf_get_temp_buffer (out_help); datalen = iobuf_get_temp_length (out_help); - err = print_pka_or_dane_records (out, - keyblock, pk, data, datalen, - (options & EXPORT_PKA_FORMAT), - (options & EXPORT_DANE_FORMAT)); + err = print_dane_records (out, keyblock, pk, data, datalen); if (err) goto leave; diff --git a/g10/free-packet.c b/g10/free-packet.c index 6bc534656..6d7b34961 100644 --- a/g10/free-packet.c +++ b/g10/free-packet.c @@ -104,11 +104,6 @@ free_seckey_enc( PKT_signature *sig ) xfree(sig->hashed); xfree(sig->unhashed); - if (sig->pka_info) - { - xfree (sig->pka_info->uri); - xfree (sig->pka_info); - } xfree (sig->signers_uid); xfree(sig); @@ -262,20 +257,6 @@ copy_public_key (PKT_public_key *d, PKT_public_key *s) -static pka_info_t * -cp_pka_info (const pka_info_t *s) -{ - pka_info_t *d = xmalloc (sizeof *s + strlen (s->email)); - - d->valid = s->valid; - d->checked = s->checked; - d->uri = s->uri? xstrdup (s->uri):NULL; - memcpy (d->fpr, s->fpr, sizeof s->fpr); - strcpy (d->email, s->email); - return d; -} - - PKT_signature * copy_signature( PKT_signature *d, PKT_signature *s ) { @@ -291,7 +272,6 @@ copy_signature( PKT_signature *d, PKT_signature *s ) for(i=0; i < n; i++ ) d->data[i] = my_mpi_copy( s->data[i] ); } - d->pka_info = s->pka_info? cp_pka_info (s->pka_info) : NULL; d->hashed = cp_subpktarea (s->hashed); d->unhashed = cp_subpktarea (s->unhashed); if (s->signers_uid) diff --git a/g10/getkey.c b/g10/getkey.c index 85c7d3fdd..d4c991f85 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1080,10 +1080,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode, break; case AKL_PKA: - mechanism_string = "PKA"; - glo_ctrl.in_auto_key_retrieve++; - rc = keyserver_import_pka (ctrl, name, &fpr, &fpr_len); - glo_ctrl.in_auto_key_retrieve--; + /* This is now obsolete. */ break; case AKL_DANE: 
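Review bot: The `case AKL_PKA:` arm now does nothing, so a `pka` keyword that the --auto-key-locate parser (not in this diff) presumably still accepts is skipped without any feedback, and this iteration leaves `mechanism_string` and `rc` at whatever the loop set before the switch, outside the hunk. A user whose config still lists pka gets no indication that the method is gone; emit a one-time note such as `log_info (_("Note: auto-key-locate method \"%s\" is obsolete and ignored\n"), "pka");` before the `break;`, or reject the keyword at option-parse time so this case and the AKL_PKA enum value can be removed outright. get_pubkey_byname starts and ends outside this hunk.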
@@ -1151,7 +1148,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode, /* Use the fingerprint of the key that we actually fetched. * This helps prevent problems where the key that we fetched * doesn't have the same name that we used to fetch it. In - * the case of CERT and PKA, this is an actual security + * the case of CERT, this is an actual security * requirement as the URL might point to a key put in by an * attacker. By forcing the use of the fingerprint, we * won't use the attacker's key here. */ diff --git a/g10/gpg.c b/g10/gpg.c index 79732abef..e795f744a 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -421,7 +421,6 @@ enum cmd_and_opt_values oAllowWeakKeySignatures, oFakedSystemTime, oNoAutostart, - oPrintPKARecords, oPrintDANERecords, oTOFUDefaultPolicy, oTOFUDBFormat, @@ -810,7 +809,6 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oFastListMode, "fast-list-mode", "@"), ARGPARSE_s_n (oFixedListMode, "fixed-list-mode", "@"), ARGPARSE_s_n (oLegacyListMode, "legacy-list-mode", "@"), - ARGPARSE_s_n (oPrintPKARecords, "print-pka-records", "@"), ARGPARSE_s_n (oPrintDANERecords, "print-dane-records", "@"), ARGPARSE_s_s (oKeyidFormat, "keyid-format", "@"), ARGPARSE_s_n (oShowKeyring, "show-keyring", "@"), @@ -2335,7 +2333,6 @@ main (int argc, char **argv) ctrl_t ctrl; static int print_dane_records; - static int print_pka_records; static int allow_large_chunks; static const char *homedirvalue; static const char *changeuser; @@ -2409,7 +2406,7 @@ main (int argc, char **argv) | IMPORT_COLLAPSE_SUBKEYS | IMPORT_CLEAN); opt.keyserver_options.export_options = EXPORT_ATTRIBUTES; - opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD; + opt.keyserver_options.options = 0; opt.verify_options = (LIST_SHOW_UID_VALIDITY | VERIFY_SHOW_POLICY_URLS | VERIFY_SHOW_STD_NOTATIONS 
@@ -3345,10 +3342,6 @@ main (int argc, char **argv) N_("show revoked and expired user IDs in signature verification")}, {"show-primary-uid-only",VERIFY_SHOW_PRIMARY_UID_ONLY,NULL, N_("show only the primary user ID in signature verification")}, - {"pka-lookups",VERIFY_PKA_LOOKUPS,NULL, - N_("validate signatures with PKA data")}, - {"pka-trust-increase",VERIFY_PKA_TRUST_INCREASE,NULL, - N_("elevate the trust of signatures with valid PKA data")}, {NULL,0,NULL,NULL} }; @@ -3416,7 +3409,6 @@ main (int argc, char **argv) case oFastListMode: opt.fast_list_mode = 1; break; case oFixedListMode: /* Dummy */ break; case oLegacyListMode: opt.legacy_list_mode = 1; break; - case oPrintPKARecords: print_pka_records = 1; break; case oPrintDANERecords: print_dane_records = 1; break; case oListOnly: opt.list_only=1; break; case oIgnoreTimeConflict: opt.ignore_time_conflict = 1; break; @@ -3684,10 +3676,6 @@ main (int argc, char **argv) log_error ("invalid option \"%s\"; use \"%s\" instead\n", "--print-dane-records", "--export-options export-dane"); - if (print_pka_records) - log_error ("invalid option \"%s\"; use \"%s\" instead\n", - "--print-pks-records", - "--export-options export-pka"); if (log_get_errorcount (0)) { write_status_failure ("option-checking", gpg_error(GPG_ERR_GENERAL)); diff --git a/g10/gpgv.c b/g10/gpgv.c index f80458db4..82fbf8fce 100644 --- a/g10/gpgv.c +++ b/g10/gpgv.c @@ -450,14 +450,6 @@ keyserver_import_cert (const char *name) return -1; } -int -keyserver_import_pka (const char *name,unsigned char *fpr) -{ - (void)name; - (void)fpr; - return -1; -} - gpg_error_t keyserver_import_wkd (ctrl_t ctrl, const char *name, int quick, unsigned char **fpr, size_t *fpr_len) 
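Review bot: Removing the `pka-lookups` and `pka-trust-increase` rows from the verify-options table means a gpg.conf that still carries `verify-options pka-lookups` is rejected as an invalid option at startup, if the parse_options call for this table (outside the hunk) remains noisy and fatal like the others. Since the VERIFY_PKA_* flags no longer exist, zero-valued dummy rows keep such configs working: `{"pka-lookups",0,NULL,NULL}, /* Dummy for backward compatibility. */` and likewise for pka-trust-increase, with the help strings dropped. If a hard failure is intended instead, the NEWS entry should say so; it currently mentions only the removed command and the import/export options.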
@@ -723,22 +715,6 @@ agent_get_keyinfo (ctrl_t ctrl, const char *hexkeygrip, return gpg_error (GPG_ERR_NO_SECKEY); } -gpg_error_t -gpg_dirmngr_get_pka (ctrl_t ctrl, const char *userid, - unsigned char **r_fpr, size_t *r_fprlen, - char **r_url) -{ - (void)ctrl; - (void)userid; - if (r_fpr) - *r_fpr = NULL; - if (r_fprlen) - *r_fprlen = 0; - if (r_url) - *r_url = NULL; - return gpg_error (GPG_ERR_NOT_FOUND); -} - gpg_error_t export_pubkey_buffer (ctrl_t ctrl, const char *keyspec, unsigned int options, const void *prefix, size_t prefixlen, diff --git a/g10/keyserver-internal.h b/g10/keyserver-internal.h index f5f7f3620..6d0e7f4ae 100644 --- a/g10/keyserver-internal.h +++ b/g10/keyserver-internal.h @@ -43,8 +43,6 @@ gpg_error_t keyserver_search (ctrl_t ctrl, strlist_t tokens); int keyserver_fetch (ctrl_t ctrl, strlist_t urilist, int origin); int keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, unsigned char **fpr,size_t *fpr_len); -gpg_error_t keyserver_import_pka (ctrl_t ctrl, const char *name, - unsigned char **fpr,size_t *fpr_len); gpg_error_t keyserver_import_wkd (ctrl_t ctrl, const char *name, int quick, unsigned char **fpr, size_t *fpr_len); int keyserver_import_ntds (ctrl_t ctrl, const char *name, diff --git a/g10/keyserver.c b/g10/keyserver.c index f42bca15c..0b3718050 100644 --- a/g10/keyserver.c +++ b/g10/keyserver.c @@ -99,8 +99,6 @@ static struct parse_options keyserver_opts[]= N_("automatically retrieve keys when verifying signatures")}, {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL, N_("honor the preferred keyserver URL set on the key")}, - {"honor-pka-record",KEYSERVER_HONOR_PKA_RECORD,NULL, - N_("honor the PKA record set on a key when retrieving keys")}, {NULL,0,NULL,NULL} }; 
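Review bot: Deleting the `honor-pka-record` row from keyserver_opts has the same upgrade hazard as the other removed keywords: the old documentation advertised it as a default-on option, so `keyserver-options honor-pka-record` is plausibly present in existing configs, and if parse_options for this table (outside the hunk) still reports unknown tokens and the caller treats that as fatal, gpg stops working for those users. A dummy row, `{"honor-pka-record",0,NULL,NULL}, /* Dummy for backward compatibility. */`, keeps the keyword accepted and ignored while KEYSERVER_HONOR_PKA_RECORD itself goes away.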
@@ -2021,39 +2019,6 @@ keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, return err; } -/* Import key pointed to by a PKA record. Return the requested - fingerprint in fpr. */ -gpg_error_t -keyserver_import_pka (ctrl_t ctrl, const char *name, - unsigned char **fpr, size_t *fpr_len) -{ - gpg_error_t err; - char *url; - - err = gpg_dirmngr_get_pka (ctrl, name, fpr, fpr_len, &url); - if (url && *url && fpr && fpr_len) - { - /* An URL is available. Lookup the key. */ - struct keyserver_spec *spec; - spec = parse_keyserver_uri (url, 1); - if (spec) - { - err = keyserver_import_fprint (ctrl, *fpr, *fpr_len, spec, 0); - free_keyserver_spec (spec); - } - } - xfree (url); - - if (err) - { - xfree(*fpr); - *fpr = NULL; - *fpr_len = 0; - } - - return err; -} - /* Import a key using the Web Key Directory protocol. */ gpg_error_t diff --git a/g10/mainproc.c b/g10/mainproc.c index ca6c24323..a75755ee3 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c 
@@ -1695,83 +1695,6 @@ do_proc_packets (CTX c, iobuf_t a) } -/* Helper for pka_uri_from_sig to parse the to-be-verified address out - of the notation data. */ -static pka_info_t * -get_pka_address (PKT_signature *sig) -{ - pka_info_t *pka = NULL; - struct notation *nd,*notation; - - notation=sig_to_notation(sig); - - for(nd=notation;nd;nd=nd->next) - { - if(strcmp(nd->name,"pka-address@gnupg.org")!=0) - continue; /* Not the notation we want. */ - - /* For now we only use the first valid PKA notation. In future - we might want to keep additional PKA notations in a linked - list. */ - if (is_valid_mailbox (nd->value)) - { - pka = xmalloc (sizeof *pka + strlen(nd->value)); - pka->valid = 0; - pka->checked = 0; - pka->uri = NULL; - strcpy (pka->email, nd->value); - break; - } - } - - free_notation(notation); - - return pka; -} - - -/* Return the URI from a DNS PKA record. If this record has already - be retrieved for the signature we merely return it; if not we go - out and try to get that DNS record. */ -static const char * -pka_uri_from_sig (CTX c, PKT_signature *sig) -{ - if (!sig->flags.pka_tried) - { - log_assert (!sig->pka_info); - sig->flags.pka_tried = 1; - sig->pka_info = get_pka_address (sig); - if (sig->pka_info) - { - char *url; - unsigned char *fpr; - size_t fprlen; - - if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email, - &fpr, &fprlen, &url)) - { - if (fpr && fprlen == sizeof sig->pka_info->fpr) - { - memcpy (sig->pka_info->fpr, fpr, fprlen); - if (url) - { - sig->pka_info->valid = 1; - if (!*url) - xfree (url); - else - sig->pka_info->uri = url; - url = NULL; - } - } - xfree (fpr); - xfree (url); - } - } - } - return sig->pka_info? sig->pka_info->uri : NULL; -} - - /* Return true if the AKL has the WKD method specified. */ static int akl_has_wkd_method (void) 
@@ -2138,44 +2061,6 @@ check_sig_and_print (CTX c, kbnode_t node) log_debug ("lookup via %s failed: %s\n", "WKD", gpg_strerror (res)); } - /* If the avove methods didn't work, our next try is to use the URI - * from a DNS PKA record. This is a legacy method which will - * eventually be removed. */ - if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY - && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE) - && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD)) - { - const char *uri = pka_uri_from_sig (c, sig); - - if (uri) - { - /* FIXME: We might want to locate the key using the - fingerprint instead of the keyid. */ - int res; - struct keyserver_spec *spec; - - spec = parse_keyserver_uri (uri, 1); - if (spec) - { - if (DBG_LOOKUP) - log_debug ("trying auto-key-retrieve method %s\n", "PKA"); - - free_public_key (pk); - pk = NULL; - glo_ctrl.in_auto_key_retrieve++; - res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1); - glo_ctrl.in_auto_key_retrieve--; - free_keyserver_spec (spec); - if (!res) - rc = do_check_sig (c, node, extrahash, extrahashlen, NULL, - NULL, &is_expkey, &is_revkey, &pk); - else if (DBG_LOOKUP) - log_debug ("lookup via %s failed: %s\n", "PKA", - gpg_strerror (res)); - } - } - } - /* If the above methods didn't work, our next try is to locate * the key via its fingerprint from a keyserver. This requires * that the signers fingerprint is encoded in the signature. */ @@ -2466,8 +2351,6 @@ check_sig_and_print (CTX c, kbnode_t node) how to resolve a conflict. */ if (!rc) { - if ((opt.verify_options & VERIFY_PKA_LOOKUPS)) - pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */ rc = check_signatures_trust (c->ctrl, keyblock, pk, sig); } diff --git a/g10/options.h b/g10/options.h index 9e4309671..5b0b12fd3 100644 --- a/g10/options.h +++ b/g10/options.h 
@@ -379,7 +379,6 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define EXPORT_RESET_SUBKEY_PASSWD (1<<3) #define EXPORT_MINIMAL (1<<4) #define EXPORT_CLEAN (1<<5) -#define EXPORT_PKA_FORMAT (1<<6) #define EXPORT_DANE_FORMAT (1<<7) #define EXPORT_BACKUP (1<<10) @@ -407,8 +406,6 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define VERIFY_SHOW_KEYSERVER_URLS (1<<4) #define VERIFY_SHOW_UID_VALIDITY (1<<5) #define VERIFY_SHOW_UNUSABLE_UIDS (1<<6) -#define VERIFY_PKA_LOOKUPS (1<<7) -#define VERIFY_PKA_TRUST_INCREASE (1<<8) #define VERIFY_SHOW_PRIMARY_UID_ONLY (1<<9) #define KEYSERVER_HTTP_PROXY (1<<0) @@ -416,7 +413,6 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define KEYSERVER_ADD_FAKE_V3 (1<<2) #define KEYSERVER_AUTO_KEY_RETRIEVE (1<<3) #define KEYSERVER_HONOR_KEYSERVER_URL (1<<4) -#define KEYSERVER_HONOR_PKA_RECORD (1<<5) #endif /*G10_OPTIONS_H*/ diff --git a/g10/packet.h b/g10/packet.h index eec3050e9..b27beccdd 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -193,19 +193,6 @@ struct revocation_key { }; -/* Object to keep information about a PKA DNS record. */ -typedef struct -{ - int valid; /* An actual PKA record exists for EMAIL. */ - int checked; /* Set to true if the FPR has been checked against the - actual key. */ - char *uri; /* Malloced string with the URI. NULL if the URI is - not available.*/ - unsigned char fpr[20]; /* The fingerprint as stored in the PKA RR. */ - char email[1];/* The email address from the notation data. */ -} pka_info_t; - - /* A signature packet (RFC 4880, Section 5.2). Only a subset of these fields are directly serialized (these are marked as such); the rest are read from the subpackets, which are not synthesized when 
@@ -226,7 +213,6 @@ typedef struct unsigned pref_ks:1; /* At least one preferred keyserver is present */ unsigned key_block:1; /* A key block subpacket is present. */ unsigned expired:1; - unsigned pka_tried:1; /* Set if we tried to retrieve the PKA record. */ } flags; /* The key that allegedly generated this signature. (Directly serialized in v3 sigs; for v4 sigs, this must be explicitly added @@ -254,8 +240,6 @@ typedef struct struct revocation_key *revkey; int numrevkeys; int help_counter; /* Used internally bu some functions. */ - pka_info_t *pka_info; /* Malloced PKA data or NULL if not - available. See also flags.pka_tried. */ char *signers_uid; /* Malloced value of the SIGNERS_UID * subpacket or NULL. This string has * already been sanitized. */ diff --git a/g10/parse-packet.c b/g10/parse-packet.c index c3f6b544d..bb05eabb7 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -268,9 +268,7 @@ register_known_notation (const char *string) { sl = add_to_strlist (&known_notations_list, "preferred-email-encoding@pgp.com"); - sl->flags = 32; - sl = add_to_strlist (&known_notations_list, "pka-address@gnupg.org"); - sl->flags = 21; + sl->flags = 32; /* Length of the string. */ } if (!string) return; /* Only initialized the default known notations. */ diff --git a/g10/pkclist.c b/g10/pkclist.c index 643a0fb03..d53af7223 100644 --- a/g10/pkclist.c +++ b/g10/pkclist.c 
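Review bot: Dropping `pka-address@gnupg.org` from the default known-notations list has a verification side effect beyond PKA lookups: if known_notations_list still backs the critical-notation check (outside the hunk), a signature that carries that notation flagged critical is now rejected as having an unsupported critical subpacket, whereas it verified before. Such signatures can exist from older versions using `--sig-notation !pka-address@gnupg.org=...`, so either keep the entry, `sl = add_to_strlist (&known_notations_list, "pka-address@gnupg.org"); sl->flags = 21;`, which costs nothing, or state in NEWS that verifying them now requires `--known-notation pka-address@gnupg.org`. The new `/* Length of the string. */` comment would also read better as `/* FLAGS holds strlen of the notation name. */` so the meaning of the magic 32 is explicit.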
@@ -710,57 +710,6 @@ check_signatures_trust (ctrl_t ctrl, kbnode_t keyblock, PKT_public_key *pk, if ((trustlevel & TRUST_FLAG_DISABLED)) log_info (_("Note: This key has been disabled.\n")); - /* If we have PKA information adjust the trustlevel. */ - if (sig->pka_info && sig->pka_info->valid && !(uidbased && !targetuid)) - { - unsigned char fpr[MAX_FINGERPRINT_LEN]; - PKT_public_key *primary_pk; - size_t fprlen; - int okay; - - primary_pk = xmalloc_clear (sizeof *primary_pk); - get_pubkey (ctrl, primary_pk, pk->main_keyid); - fingerprint_from_pk (primary_pk, fpr, &fprlen); - free_public_key (primary_pk); - - if ( fprlen == 20 && !memcmp (sig->pka_info->fpr, fpr, 20) ) - { - okay = 1; - write_status_text (STATUS_PKA_TRUST_GOOD, sig->pka_info->email); - log_info (_("Note: Verified signer's address is '%s'\n"), - sig->pka_info->email); - } - else - { - okay = 0; - write_status_text (STATUS_PKA_TRUST_BAD, sig->pka_info->email); - log_info (_("Note: Signer's address '%s' " - "does not match DNS entry\n"), sig->pka_info->email); - } - - switch ( (trustlevel & TRUST_MASK) ) - { - case TRUST_UNKNOWN: - case TRUST_UNDEFINED: - case TRUST_MARGINAL: - if (okay && opt.verify_options&VERIFY_PKA_TRUST_INCREASE) - { - trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_FULLY); - log_info (_("trustlevel adjusted to FULL" - " due to valid PKA info\n")); - } - /* fall through */ - case TRUST_FULLY: - if (!okay) - { - trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_NEVER); - log_info (_("trustlevel adjusted to NEVER" - " due to bad PKA info\n")); - } - break; - } - } - /* Now let the user know what up with the trustlevel. */ switch ( (trustlevel & TRUST_MASK) ) { diff --git a/g10/test-stubs.c b/g10/test-stubs.c index f7b6a22ad..913d49890 100644 --- a/g10/test-stubs.c +++ b/g10/test-stubs.c 
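Review bot: With this block gone nothing emits PKA_TRUST_GOOD or PKA_TRUST_BAD any more, yet as far as this diff shows the status-code definitions and their entries in doc/DETAILS are untouched, so frontends parsing status lines still see them documented as live output. Mark them obsolete where they are declared and documented, e.g. `/* Obsolete: not emitted since 2.3.0; kept so the numbering is stable. */`, or list them in NEWS alongside the removed options. check_signatures_trust starts and ends outside this hunk.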
@@ -208,14 +208,6 @@ keyserver_import_cert (const char *name) return -1; } -int -keyserver_import_pka (const char *name,unsigned char *fpr) -{ - (void)name; - (void)fpr; - return -1; -} - gpg_error_t keyserver_import_wkd (ctrl_t ctrl, const char *name, int quick, unsigned char **fpr, size_t *fpr_len) @@ -480,22 +472,6 @@ agent_get_keyinfo (ctrl_t ctrl, const char *hexkeygrip, return gpg_error (GPG_ERR_NO_SECKEY); } -gpg_error_t -gpg_dirmngr_get_pka (ctrl_t ctrl, const char *userid, - unsigned char **r_fpr, size_t *r_fprlen, - char **r_url) -{ - (void)ctrl; - (void)userid; - if (r_fpr) - *r_fpr = NULL; - if (r_fprlen) - *r_fprlen = 0; - if (r_url) - *r_url = NULL; - return gpg_error (GPG_ERR_NOT_FOUND); -} - gpg_error_t export_pubkey_buffer (ctrl_t ctrl, const char *keyspec, unsigned int options, const void *prefix, size_t prefixlen,