From af60152a4632ef26ca950a424429b15b6c69038d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 25 Feb 2015 12:03:21 +0100 Subject: [PATCH] common: Allow requesting a specific certtype with get_dns_cert() * common/dns-cert.c (get_dns_cert): Add arg want_certtype. Change all callers. (CERTTYPE_): Move constants to ... * common/dns-cert.h: here as DNS_CERTTYPE_. Signed-off-by: Werner Koch --- common/dns-cert.c | 36 +++++++++++++++--------------------- common/dns-cert.h | 19 ++++++++++++++++++- common/t-dns-cert.c | 2 +- g10/keyserver.c | 2 +- 4 files changed, 35 insertions(+), 24 deletions(-) diff --git a/common/dns-cert.c b/common/dns-cert.c index e74330840..e7be2759b 100644 --- a/common/dns-cert.c +++ b/common/dns-cert.c @@ -60,29 +60,20 @@ #define my_adns_r_cert 37 -/* Certificate types according to RFC-4398. */ -#define CERTTYPE_PKIX 1 /* X.509 as per PKIX. */ -#define CERTTYPE_SPKI 2 /* SPKI certificate. */ -#define CERTTYPE_PGP 3 /* OpenPGP packet. */ -#define CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */ -#define CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */ -#define CERTTYPE_IPGP 6 /* The fingerprint and URL of an OpenPGP packet.*/ -#define CERTTYPE_ACPKIX 7 /* Attribute Certificate. */ -#define CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */ -#define CERTTYPE_URI 253 /* URI private. */ -#define CERTTYPE_OID 254 /* OID private. */ - /* Returns 0 on success or an error code. If a PGP CERT record was found, a new estream with that key will be returned at R_KEY and the other return parameters are set to NULL/0. If an IPGP CERT record was found the fingerprint is stored as an allocated block at R_FPR and its length at R_FPRLEN; an URL is is allocated as a - string and returned at R_URL. Note that this function returns the - first CERT found with a supported type; it is expected that only - one CERT record is used. */ + string and returned at R_URL. If WANT_CERTTYPE is 0 this function + returns the first CERT found with a supported type; it is expected + that only one CERT record is used. If WANT_CERTTYPE is one of the + supported certtypes only records wih this certtype are considered + and the first found is returned. */ gpg_error_t -get_dns_cert (const char *name, estream_t *r_key, +get_dns_cert (const char *name, int want_certtype, + estream_t *r_key, unsigned char **r_fpr, size_t *r_fprlen, char **r_url) { #ifdef USE_DNS_CERT @@ -136,7 +127,9 @@ get_dns_cert (const char *name, estream_t *r_key, data += 5; datalen -= 5; - if (ctype == CERTTYPE_PGP && datalen >= 11) + if (want_certtype && want_certtype != ctype) + ; /* Not of the requested certtype. */ + else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11) { /* CERT type is PGP. Gpg checks for a minimum length of 11, thus we do the same. */ @@ -148,7 +141,7 @@ get_dns_cert (const char *name, estream_t *r_key, err = 0; goto leave; } - else if (ctype == CERTTYPE_IPGP && datalen && datalen < 1023 + else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023 && datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url) { /* CERT type is IPGP. We made sure that the data is @@ -297,8 +290,9 @@ get_dns_cert (const char *name, estream_t *r_key, dlen -= 5; /* 15 bytes takes us to here */ - - if (ctype == CERTTYPE_PGP && dlen) + if (want_certtype && want_certtype != ctype) + ; /* Not of the requested certtype. */ + else if (ctype == DNS_CERTTYPE_PGP && dlen) { /* PGP type */ *r_key = es_fopenmem_init (0, "rwb", pt, dlen); @@ -309,7 +303,7 @@ get_dns_cert (const char *name, estream_t *r_key, err = 0; goto leave; } - else if (ctype == CERTTYPE_IPGP + else if (ctype == DNS_CERTTYPE_IPGP && dlen && dlen < 1023 && dlen >= pt[0] + 1) { /* IPGP type */ diff --git a/common/dns-cert.h b/common/dns-cert.h index ae38caa3b..4b49efc1c 100644 --- a/common/dns-cert.h +++ b/common/dns-cert.h @@ -29,7 +29,24 @@ #ifndef GNUPG_COMMON_DNS_CERT_H #define GNUPG_COMMON_DNS_CERT_H -gpg_error_t get_dns_cert (const char *name, estream_t *r_key, + +#define DNS_CERTTYPE_ANY 0 /* Internal catch all type. */ +/* Certificate types according to RFC-4398: */ +#define DNS_CERTTYPE_PKIX 1 /* X.509 as per PKIX. */ +#define DNS_CERTTYPE_SPKI 2 /* SPKI certificate. */ +#define DNS_CERTTYPE_PGP 3 /* OpenPGP packet. */ +#define DNS_CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */ +#define DNS_CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */ +#define DNS_CERTTYPE_IPGP 6 /* The fingerprint + and URL of an OpenPGP packet. */ +#define DNS_CERTTYPE_ACPKIX 7 /* Attribute Certificate. */ +#define DNS_CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */ +#define DNS_CERTTYPE_URI 253 /* URI private. */ +#define DNS_CERTTYPE_OID 254 /* OID private. */ + + +gpg_error_t get_dns_cert (const char *name, int want_certtype, + estream_t *r_key, unsigned char **r_fpr, size_t *r_fprlen, char **r_url); diff --git a/common/t-dns-cert.c b/common/t-dns-cert.c index 71c7a9cfe..a170ffb2d 100644 --- a/common/t-dns-cert.c +++ b/common/t-dns-cert.c @@ -54,7 +54,7 @@ main (int argc, char **argv) printf ("CERT lookup on '%s'\n", name); - err = get_dns_cert (name, &key, &fpr, &fpr_len, &url); + err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &fpr, &fpr_len, &url); if (err) printf ("get_dns_cert failed: %s <%s>\n", gpg_strerror (err), gpg_strsource (err)); diff --git a/g10/keyserver.c b/g10/keyserver.c index 8bcb82765..ffcc1bfe0 100644 --- a/g10/keyserver.c +++ b/g10/keyserver.c @@ -1910,7 +1910,7 @@ keyserver_import_cert (ctrl_t ctrl, if(domain) *domain='.'; - err = get_dns_cert (look, &key, fpr, fpr_len, &url); + err = get_dns_cert (look, DNS_CERTTYPE_ANY, &key, fpr, fpr_len, &url); if (err) ; else if (key)