common: Allow requesting a specific certtype with get_dns_cert()

* common/dns-cert.c (get_dns_cert): Add arg want_certtype. Change all callers. (CERTTYPE_): Move constants to ... * common/dns-cert.h: here as DNS_CERTTYPE_. Signed-off-by: Werner Koch <wk@gnupg.org>
2024-12-22 10:19:57 +01:00 · 2015-02-25 12:03:21 +01:00 · 2015-02-25 12:03:21 +01:00 · af60152a46
commit af60152a46
parent 9913253610
4 changed files with 35 additions and 24 deletions
--- a/common/dns-cert.c
+++ b/common/dns-cert.c
@ -60,29 +60,20 @@
 #define my_adns_r_cert 37


-/* Certificate types according to RFC-4398.  */
-#define CERTTYPE_PKIX      1 /* X.509 as per PKIX. */
-#define CERTTYPE_SPKI      2 /* SPKI certificate.  */
-#define CERTTYPE_PGP       3 /* OpenPGP packet.  */
-#define CERTTYPE_IPKIX     4 /* The URL of an X.509 data object. */
-#define CERTTYPE_ISPKI     5 /* The URL of an SPKI certificate.  */
-#define CERTTYPE_IPGP      6 /* The fingerprint and URL of an OpenPGP packet.*/
-#define CERTTYPE_ACPKIX    7 /* Attribute Certificate.  */
-#define CERTTYPE_IACPKIX   8 /* The URL of an Attribute Certificate.  */
-#define CERTTYPE_URI     253 /* URI private.  */
-#define CERTTYPE_OID     254 /* OID private.  */
-

 /* Returns 0 on success or an error code.  If a PGP CERT record was
   found, a new estream with that key will be returned at R_KEY and
   the other return parameters are set to NULL/0.  If an IPGP CERT
   record was found the fingerprint is stored as an allocated block at
   R_FPR and its length at R_FPRLEN; an URL is is allocated as a
-   string and returned at R_URL.  Note that this function returns the
-   first CERT found with a supported type; it is expected that only
-   one CERT record is used. */
+   string and returned at R_URL.  If WANT_CERTTYPE is 0 this function
+   returns the first CERT found with a supported type; it is expected
+   that only one CERT record is used.  If WANT_CERTTYPE is one of the
+   supported certtypes only records wih this certtype are considered
+   and the first found is returned.  */
 gpg_error_t
-get_dns_cert (const char *name, estream_t *r_key,
+get_dns_cert (const char *name, int want_certtype,
+              estream_t *r_key,
              unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
 {
 #ifdef USE_DNS_CERT
@ -136,7 +127,9 @@ get_dns_cert (const char *name, estream_t *r_key,
      data += 5;
      datalen -= 5;

-      if (ctype == CERTTYPE_PGP && datalen >= 11)
+      if (want_certtype && want_certtype != ctype)
+        ; /* Not of the requested certtype.  */
+      else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11)
        {
          /* CERT type is PGP.  Gpg checks for a minimum length of 11,
             thus we do the same.  */
@ -148,7 +141,7 @@ get_dns_cert (const char *name, estream_t *r_key,
            err = 0;
          goto leave;
        }
-      else if (ctype == CERTTYPE_IPGP && datalen && datalen < 1023
+      else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023
               && datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url)
        {
          /* CERT type is IPGP.  We made sure that the data is
@ -297,8 +290,9 @@ get_dns_cert (const char *name, estream_t *r_key,
          dlen -= 5;

          /* 15 bytes takes us to here */
-
-          if (ctype == CERTTYPE_PGP && dlen)
+          if (want_certtype && want_certtype != ctype)
+            ; /* Not of the requested certtype.  */
+          else if (ctype == DNS_CERTTYPE_PGP && dlen)
            {
              /* PGP type */
              *r_key = es_fopenmem_init (0, "rwb", pt, dlen);
@ -309,7 +303,7 @@ get_dns_cert (const char *name, estream_t *r_key,
                err = 0;
              goto leave;
            }
-          else if (ctype == CERTTYPE_IPGP
+          else if (ctype == DNS_CERTTYPE_IPGP
                   && dlen && dlen < 1023 && dlen >= pt[0] + 1)
            {
              /* IPGP type */
--- a/common/dns-cert.h
+++ b/common/dns-cert.h
@ -29,7 +29,24 @@
 #ifndef GNUPG_COMMON_DNS_CERT_H
 #define GNUPG_COMMON_DNS_CERT_H

-gpg_error_t get_dns_cert (const char *name, estream_t *r_key,
+
+#define DNS_CERTTYPE_ANY       0 /* Internal catch all type. */
+/* Certificate types according to RFC-4398:  */
+#define DNS_CERTTYPE_PKIX      1 /* X.509 as per PKIX. */
+#define DNS_CERTTYPE_SPKI      2 /* SPKI certificate.  */
+#define DNS_CERTTYPE_PGP       3 /* OpenPGP packet.  */
+#define DNS_CERTTYPE_IPKIX     4 /* The URL of an X.509 data object. */
+#define DNS_CERTTYPE_ISPKI     5 /* The URL of an SPKI certificate.  */
+#define DNS_CERTTYPE_IPGP      6 /* The fingerprint
+                                    and URL of an OpenPGP packet.  */
+#define DNS_CERTTYPE_ACPKIX    7 /* Attribute Certificate.  */
+#define DNS_CERTTYPE_IACPKIX   8 /* The URL of an Attribute Certificate.  */
+#define DNS_CERTTYPE_URI     253 /* URI private.  */
+#define DNS_CERTTYPE_OID     254 /* OID private.  */
+
+
+gpg_error_t get_dns_cert (const char *name, int want_certtype,
+                          estream_t *r_key,
                          unsigned char **r_fpr, size_t *r_fprlen,
                          char **r_url);

--- a/common/t-dns-cert.c
+++ b/common/t-dns-cert.c
@ -54,7 +54,7 @@ main (int argc, char **argv)

  printf ("CERT lookup on '%s'\n", name);

-  err = get_dns_cert (name, &key, &fpr, &fpr_len, &url);
+  err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &fpr, &fpr_len, &url);
  if (err)
    printf ("get_dns_cert failed: %s <%s>\n",
            gpg_strerror (err), gpg_strsource (err));
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@ -1910,7 +1910,7 @@ keyserver_import_cert (ctrl_t ctrl,
  if(domain)
    *domain='.';

-  err = get_dns_cert (look, &key, fpr, fpr_len, &url);
+  err = get_dns_cert (look, DNS_CERTTYPE_ANY, &key, fpr, fpr_len, &url);
  if (err)
    ;
  else if (key)