security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

kbx: Redefine the UBID which is now the primary fingerprint.

Browse source 
* common/util.h (UBID_LEN): New.  Use it at all places.
* kbx/keybox-blob.c (create_blob_finish): Do not write the UBID item.
* kbx/keybox-dump.c (print_ubib): Remove.
(_keybox_dump_blob): Do not print the now removed ubid flag.
* kbx/keybox-search-desc.h (struct keydb_search_desc): Use constants
for the size of the ubid and grip.
* kbx/keybox-search.c (blob_cmp_ubid): New.
(has_ubid): Make it a simple wrapper around blob_cmp_ubid.
(keybox_get_data): Add arg 'r_ubid'.

* kbx/frontend.h (enum kbxd_store_modes): New.
* kbx/kbxserver.c (cmd_store): Add new option --insert.

* kbx/backend-cache.c (be_cache_initialize): New.
(be_cache_add_resource): Call it here.
* kbx/backend-kbx.c (be_kbx_seek): Remove args 'fpr' and 'fprlen'.
(be_kbx_search): Get the UBID from keybox_get_data.
* kbx/backend-support.c (be_fingerprint_from_blob): Replace by ...
(be_ubid_from_blob): new.  Change all callers.

* kbx/frontend.c (kbxd_add_resource): Temporary disable the cache but
use the new cache init function.
(kbxd_store): Replace arg 'only_update' by 'mode'.  Seek using the
ubid.  Take care of the mode.
--

It turned out that using the hash of the entire blob was not helpful.
Thus we redefine the Unique-Blob-ID (UBID) as the primary fingerprint
of the blob.  In case this is a v5 OpenPGP key a left truncated
version of the SHA-256 hash is used; in all other cases the full SHA-1
hash.  Using a SHA-256 hash does not make sense because v4 keys are
and will for some time be the majority of keys and thus padding them
with zeroes won't make any difference.  Even if fingerprint collisions
can eventually be created we will assume that the keys are bogus and
that it does not make sense to store its twin also in our key storage.
We can also easily extend the update code to detect a collision and
reject the update.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2019-11-28 09:39:35 +01:00
parent f59455d054
commit 915297705a
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
18 changed files with 170 additions and 180 deletions
Download patch file Download diff file Expand all files Collapse all files

26
kbx/backend-support.c
View file

@ -155,9 +155,9 @@ be_return_pubkey (ctrl_t ctrl, const void *buffer, size_t buflen,
enum pubkey_types pubkey_type, const unsigned char *ubid)
{
gpg_error_t err;
char hexubid[41];
char hexubid[2*UBID_LEN+1];
bin2hex (ubid, 20, hexubid);
bin2hex (ubid, UBID_LEN, hexubid);
err = status_printf (ctrl, "PUBKEY_INFO", "%d %s", pubkey_type, hexubid);
if (err)
goto leave;
@ -228,14 +228,12 @@ is_x509_blob (const unsigned char *blob, size_t bloblen)
/* Return the public key type and the (primary) fingerprint for
* (BLOB,BLOBLEN). R_FPR must point to a buffer of at least 32 bytes,
* it received the fi gerprint on success with the length of that
* fingerprint stored at R_FPRLEN. R_PKTYPE receives the public key
* type. */
* (BLOB,BLOBLEN). r_UBID must point to a buffer of at least UBID_LEN
* bytes, on success it receives the UBID (primary fingerprint
* truncated 20 octets). R_PKTYPE receives the public key type. */
gpg_error_t
be_fingerprint_from_blob (const void *blob, size_t bloblen,
enum pubkey_types *r_pktype,
char *r_fpr, unsigned int *r_fprlen)
be_ubid_from_blob (const void *blob, size_t bloblen,
enum pubkey_types *r_pktype, char *r_ubid)
{
gpg_error_t err;
@ -246,9 +244,7 @@ be_fingerprint_from_blob (const void *blob, size_t bloblen,
* we have the entire certificate here (we checked the start of
* the blob and assume that the length is also okay). */
*r_pktype = PUBKEY_TYPE_X509;
gcry_md_hash_buffer (GCRY_MD_SHA1, r_fpr, blob, bloblen);
*r_fprlen = 20;
gcry_md_hash_buffer (GCRY_MD_SHA1, r_ubid, blob, bloblen);
err = 0;
}
else
@ -264,10 +260,8 @@ be_fingerprint_from_blob (const void *blob, size_t bloblen,
else
{
*r_pktype = PUBKEY_TYPE_OPGP;
log_assert (info.primary.fprlen <= 32);
memcpy (r_fpr, info.primary.fpr, info.primary.fprlen);
*r_fprlen = info.primary.fprlen;
log_assert (info.primary.fprlen >= 20);
memcpy (r_ubid, info.primary.fpr, UBID_LEN);
_keybox_destroy_openpgp_info (&info);
}
}