security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-25 15:27:03 +01:00
Code Activity

Nonrevocable key signature support via "nrsign". These sigs can expire,

Browse Source 
but cannot be revoked.  Any revocation certificates for them are ignored.
This commit is contained in:
David Shaw 2001-12-21 21:02:05 +00:00
parent bcad2222c7
commit ca058399b0
10 changed files with 106 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
g10/ChangeLog
View File

@ -1,3 +1,27 @@
2001-12-21 David Shaw <dshaw@jabberwocky.com>
* parse-packet.c (can_handle_critical): Can handle critical
revocation subpackets now.
* trustdb.c (mark_usable_uid_certs): Disregard revocations for
nonrevocable sigs. Note that this allows a newer revocable
signature to override an older nonrevocable signature.
* sign.c (make_keysig_packet): add a duration field and change all
callers. This makes make_keysig_packet closer to
write_signature_packets and removes some duplicated expiration
code.
* keyedit.c (keyedit_menu, menu_revsig, sign_uids,
sign_mk_attrib): Add nrsign command, don't allow revoking a
nonrevocable signature,
* g10.c (main): Add --nrsign option to nonrevocably sign a key
from the command line.
* build-packet.c (build_sig_subpkt_from_sig): Comment to explain
the use of CRITICAL.
2001-12-21 Werner Koch <wk@gnupg.org> 2001-12-21 Werner Koch <wk@gnupg.org>
* g10.c. options.h : New option --show-keyring * g10.c. options.h : New option --show-keyring

5
g10/build-packet.c
View File

@ -900,6 +900,11 @@ build_sig_subpkt_from_sig( PKT_signature *sig )
buf[1] = (u >> 16) & 0xff; buf[1] = (u >> 16) & 0xff;
buf[2] = (u >> 8) & 0xff; buf[2] = (u >> 8) & 0xff;
buf[3] = u & 0xff; buf[3] = u & 0xff;
/* Mark this CRITICAL, so if any implementation doesn't
understand sigs that can expire, it'll just disregard this
sig altogether. */
build_sig_subpkt( sig, SIGSUBPKT_SIG_EXPIRE | SIGSUBPKT_FLAG_CRITICAL, build_sig_subpkt( sig, SIGSUBPKT_SIG_EXPIRE | SIGSUBPKT_FLAG_CRITICAL,
buf, 4 ); buf, 4 );
} }

11
g10/g10.c
View File

@ -78,6 +78,7 @@ enum cmd_and_opt_values { aNull = 0,
aSignSym, aSignSym,
aSignKey, aSignKey,
aLSignKey, aLSignKey,
aNRSignKey,
aListPackets, aListPackets,
aEditKey, aEditKey,
aDeleteKey, aDeleteKey,
@ -278,6 +279,7 @@ static ARGPARSE_OPTS opts[] = {
N_("remove key from the secret keyring")}, N_("remove key from the secret keyring")},
{ aSignKey, "sign-key" ,256, N_("sign a key")}, { aSignKey, "sign-key" ,256, N_("sign a key")},
{ aLSignKey, "lsign-key" ,256, N_("sign a key locally")}, { aLSignKey, "lsign-key" ,256, N_("sign a key locally")},
{ aNRSignKey, "nrsign-key" ,256, N_("sign a key non-revocably")},
{ aEditKey, "edit-key" ,256, N_("sign or edit a key")}, { aEditKey, "edit-key" ,256, N_("sign or edit a key")},
{ aGenRevoke, "gen-revoke",256, N_("generate a revocation certificate")}, { aGenRevoke, "gen-revoke",256, N_("generate a revocation certificate")},
{ aExport, "export" , 256, N_("export keys") }, { aExport, "export" , 256, N_("export keys") },
@ -889,6 +891,7 @@ main( int argc, char **argv )
case aKeygen: set_cmd( &cmd, aKeygen); greeting=1; break; case aKeygen: set_cmd( &cmd, aKeygen); greeting=1; break;
case aSignKey: set_cmd( &cmd, aSignKey); break; case aSignKey: set_cmd( &cmd, aSignKey); break;
case aLSignKey: set_cmd( &cmd, aLSignKey); break; case aLSignKey: set_cmd( &cmd, aLSignKey); break;
case aNRSignKey: set_cmd( &cmd, aNRSignKey); break;
case aStore: set_cmd( &cmd, aStore); break; case aStore: set_cmd( &cmd, aStore); break;
case aEditKey: set_cmd( &cmd, aEditKey); greeting=1; break; case aEditKey: set_cmd( &cmd, aEditKey); greeting=1; break;
case aClearsign: set_cmd( &cmd, aClearsign); break; case aClearsign: set_cmd( &cmd, aClearsign); break;
@ -1580,6 +1583,14 @@ main( int argc, char **argv )
m_free(username); m_free(username);
break; break;
case aNRSignKey:
if( argc != 1 )
wrong_args(_("--nrsign-key user-id"));
username = make_username( fname );
keyedit_menu(fname, locusr, NULL, 3 );
m_free(username);
break;
case aEditKey: /* Edit a key signature */ case aEditKey: /* Edit a key signature */
if( !argc ) if( !argc )
wrong_args(_("--edit-key user-id [commands]")); wrong_args(_("--edit-key user-id [commands]"));

71
g10/keyedit.c
View File

@ -75,16 +75,11 @@ static int enable_disable_key( KBNODE keyblock, int disable );
#define NODFLG_SELKEY (1<<9) /* indicate the selected key */ #define NODFLG_SELKEY (1<<9) /* indicate the selected key */
#define NODFLG_SELSIG (1<<10) /* indicate a selected signature */ #define NODFLG_SELSIG (1<<10) /* indicate a selected signature */
struct sign_attrib { struct sign_attrib {
int non_exportable; int non_exportable,non_revocable;
u32 duration;
struct revocation_reason_info *reason; struct revocation_reason_info *reason;
}; };
/**************** /****************
* Print information about a signature, check it and return true * Print information about a signature, check it and return true
* if the signature is okay. NODE must be a signature packet. * if the signature is okay. NODE must be a signature packet.
@ -241,20 +236,15 @@ sign_mk_attrib( PKT_signature *sig, void *opaque )
byte buf[8]; byte buf[8];
if( attrib->non_exportable ) { if( attrib->non_exportable ) {
sig->flags.exportable=0;
buf[0] = 0; /* not exportable */ buf[0] = 0; /* not exportable */
build_sig_subpkt( sig, SIGSUBPKT_EXPORTABLE, buf, 1 ); build_sig_subpkt( sig, SIGSUBPKT_EXPORTABLE, buf, 1 );
} }
if(attrib->duration>0) { if( attrib->non_revocable ) {
buf[0]=(attrib->duration >> 24) & 0xff; sig->flags.revocable=0;
buf[1]=(attrib->duration >> 16) & 0xff; buf[0] = 0; /* not revocable */
buf[2]=(attrib->duration >> 8) & 0xff; build_sig_subpkt( sig, SIGSUBPKT_REVOCABLE, buf, 1 );
buf[3]=attrib->duration & 0xff;
/* Mark this CRITICAL, so if any implementation doesn't
understand sigs that can expire, it'll just disregard this
sig altogether. */
build_sig_subpkt( sig, SIGSUBPKT_SIG_EXPIRE | SIGSUBPKT_FLAG_CRITICAL,
buf, 4 );
} }
if( attrib->reason ) if( attrib->reason )
@ -271,7 +261,8 @@ sign_mk_attrib( PKT_signature *sig, void *opaque )
* if some user_ids are marked those will be signed. * if some user_ids are marked those will be signed.
*/ */
static int static int
sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local ) sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified,
int local , int nonrevocable )
{ {
int rc = 0; int rc = 0;
int class=0; int class=0;
@ -500,6 +491,10 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local )
tty_printf( tty_printf(
_("\nThe signature will be marked as non-exportable.\n")); _("\nThe signature will be marked as non-exportable.\n"));
if( nonrevocable )
tty_printf(
_("\nThe signature will be marked as non-revocable.\n"));
switch(class) switch(class)
{ {
case 0x11: case 0x11:
@ -537,10 +532,10 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local )
assert( primary_pk ); assert( primary_pk );
memset( &attrib, 0, sizeof attrib ); memset( &attrib, 0, sizeof attrib );
attrib.non_exportable = local; attrib.non_exportable = local;
attrib.duration = duration; attrib.non_revocable = nonrevocable;
node->flag &= ~NODFLG_MARK_A; node->flag &= ~NODFLG_MARK_A;
/* we force createion of a v4 signature for local /* we force creation of a v4 signature for local
* signatures, otherwise we would not generate the * signatures, otherwise we would not generate the
* subpacket with v3 keys and the signature becomes * subpacket with v3 keys and the signature becomes
* exportable */ * exportable */
@ -549,8 +544,8 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local )
NULL, NULL,
sk, sk,
class, 0, force_v4?4:0, class, 0, force_v4?4:0,
timestamp, sign_mk_attrib, timestamp, duration,
&attrib ); sign_mk_attrib, &attrib );
if( rc ) { if( rc ) {
log_error(_("signing failed: %s\n"), g10_errstr(rc)); log_error(_("signing failed: %s\n"), g10_errstr(rc));
goto leave; goto leave;
@ -753,7 +748,7 @@ keyedit_menu( const char *username, STRLIST locusr, STRLIST commands,
{ {
enum cmdids { cmdNONE = 0, enum cmdids { cmdNONE = 0,
cmdQUIT, cmdHELP, cmdFPR, cmdLIST, cmdSELUID, cmdCHECK, cmdSIGN, cmdQUIT, cmdHELP, cmdFPR, cmdLIST, cmdSELUID, cmdCHECK, cmdSIGN,
cmdLSIGN, cmdREVSIG, cmdREVKEY, cmdDELSIG, cmdPRIMARY, cmdLSIGN, cmdNRSIGN, cmdREVSIG, cmdREVKEY, cmdDELSIG, cmdPRIMARY,
cmdDEBUG, cmdSAVE, cmdADDUID, cmdDELUID, cmdADDKEY, cmdDELKEY, cmdDEBUG, cmdSAVE, cmdADDUID, cmdDELUID, cmdADDKEY, cmdDELKEY,
cmdTOGGLE, cmdSELKEY, cmdPASSWD, cmdTRUST, cmdPREF, cmdEXPIRE, cmdTOGGLE, cmdSELKEY, cmdPASSWD, cmdTRUST, cmdPREF, cmdEXPIRE,
cmdENABLEKEY, cmdDISABLEKEY, cmdSHOWPREF, cmdSETPREF, cmdUPDPREF, cmdENABLEKEY, cmdDISABLEKEY, cmdSHOWPREF, cmdSETPREF, cmdUPDPREF,
@ -780,6 +775,7 @@ keyedit_menu( const char *username, STRLIST locusr, STRLIST commands,
{ N_("sign") , cmdSIGN , 0,1,1, N_("sign the key") }, { N_("sign") , cmdSIGN , 0,1,1, N_("sign the key") },
{ N_("s") , cmdSIGN , 0,1,1, NULL }, { N_("s") , cmdSIGN , 0,1,1, NULL },
{ N_("lsign") , cmdLSIGN , 0,1,1, N_("sign the key locally") }, { N_("lsign") , cmdLSIGN , 0,1,1, N_("sign the key locally") },
{ N_("nrsign") , cmdNRSIGN , 0,1,1, N_("sign the key non-revocably") },
{ N_("debug") , cmdDEBUG , 0,0,0, NULL }, { N_("debug") , cmdDEBUG , 0,0,0, NULL },
{ N_("adduid") , cmdADDUID , 1,1,0, N_("add a user ID") }, { N_("adduid") , cmdADDUID , 1,1,0, N_("add a user ID") },
{ N_("deluid") , cmdDELUID , 0,1,0, N_("delete user ID") }, { N_("deluid") , cmdDELUID , 0,1,0, N_("delete user ID") },
@ -826,7 +822,8 @@ keyedit_menu( const char *username, STRLIST locusr, STRLIST commands,
if( sign_mode ) { if( sign_mode ) {
commands = NULL; commands = NULL;
append_to_strlist( &commands, sign_mode == 1? "sign":"lsign" ); append_to_strlist( &commands, sign_mode == 1? "sign":
sign_mode == 2?"lsign":"nrsign" );
have_commands = 1; have_commands = 1;
} }
@ -984,6 +981,7 @@ keyedit_menu( const char *username, STRLIST locusr, STRLIST commands,
case cmdSIGN: /* sign (only the public key) */ case cmdSIGN: /* sign (only the public key) */
case cmdLSIGN: /* sign (only the public key) */ case cmdLSIGN: /* sign (only the public key) */
case cmdNRSIGN: /* sign (only the public key) */
if( pk->is_revoked ) if( pk->is_revoked )
{ {
tty_printf(_("Key is revoked.\n")); tty_printf(_("Key is revoked.\n"));
@ -1007,7 +1005,8 @@ keyedit_menu( const char *username, STRLIST locusr, STRLIST commands,
break; break;
} }
} }
if( !sign_uids( keyblock, locusr, &modified, cmd == cmdLSIGN ) if( !sign_uids( keyblock, locusr, &modified,
cmd == cmdLSIGN , cmd == cmdNRSIGN )
&& sign_mode ) && sign_mode )
goto do_cmd_save; goto do_cmd_save;
break; break;
@ -1526,7 +1525,7 @@ menu_adduid( KBNODE pub_keyblock, KBNODE sec_keyblock )
sec_where = NULL; sec_where = NULL;
assert(pk && sk ); assert(pk && sk );
rc = make_keysig_packet( &sig, pk, uid, NULL, sk, 0x13, 0, 0, 0, rc = make_keysig_packet( &sig, pk, uid, NULL, sk, 0x13, 0, 0, 0, 0,
keygen_add_std_prefs, pk ); keygen_add_std_prefs, pk );
free_secret_key( sk ); free_secret_key( sk );
if( rc ) { if( rc ) {
@ -1821,11 +1820,11 @@ menu_expire( KBNODE pub_keyblock, KBNODE sec_keyblock )
/* create new self signature */ /* create new self signature */
if( mainkey ) if( mainkey )
rc = make_keysig_packet( &newsig, main_pk, uid, NULL, rc = make_keysig_packet( &newsig, main_pk, uid, NULL,
sk, 0x13, 0, 0, 0, sk, 0x13, 0, 0, 0, 0,
keygen_add_std_prefs, main_pk ); keygen_add_std_prefs, main_pk );
else else
rc = make_keysig_packet( &newsig, main_pk, NULL, sub_pk, rc = make_keysig_packet( &newsig, main_pk, NULL, sub_pk,
sk, 0x18, 0, 0, 0, sk, 0x18, 0, 0, 0, 0,
keygen_add_key_expire, sub_pk ); keygen_add_key_expire, sub_pk );
if( rc ) { if( rc ) {
log_error("make_keysig_packet failed: %s\n", log_error("make_keysig_packet failed: %s\n",
@ -2225,9 +2224,9 @@ ask_revoke_sig( KBNODE keyblock, KBNODE node )
(ulong)sig->keyid[1], datestr_from_sig(sig) ); (ulong)sig->keyid[1], datestr_from_sig(sig) );
if( cpr_get_answer_is_yes("ask_revoke_sig.one", if( cpr_get_answer_is_yes("ask_revoke_sig.one",
_("Create a revocation certificate for this signature? (y/N)")) ) { _("Create a revocation certificate for this signature? (y/N)")) ) {
node->flag |= NODFLG_MARK_A; node->flag |= NODFLG_MARK_A;
unode->flag |= NODFLG_MARK_A; unode->flag |= NODFLG_MARK_A;
} }
} }
@ -2263,9 +2262,11 @@ menu_revsig( KBNODE keyblock )
&& ((sig = node->pkt->pkt.signature), && ((sig = node->pkt->pkt.signature),
!seckey_available(sig->keyid) ) ) { !seckey_available(sig->keyid) ) ) {
if( (sig->sig_class&~3) == 0x10 ) { if( (sig->sig_class&~3) == 0x10 ) {
tty_printf(_(" signed by %08lX at %s\n"), tty_printf(_(" signed by %08lX at %s%s\n"),
(ulong)sig->keyid[1], datestr_from_sig(sig) ); (ulong)sig->keyid[1], datestr_from_sig(sig),
node->flag |= NODFLG_SELSIG; sig->flags.revocable?"":" (not revocable)");
if(sig->flags.revocable)
node->flag |= NODFLG_SELSIG;
} }
else if( sig->sig_class == 0x30 ) { else if( sig->sig_class == 0x30 ) {
tty_printf(_(" revoked by %08lX at %s\n"), tty_printf(_(" revoked by %08lX at %s\n"),
@ -2342,7 +2343,7 @@ menu_revsig( KBNODE keyblock )
unode->pkt->pkt.user_id, unode->pkt->pkt.user_id,
NULL, NULL,
sk, sk,
0x30, 0, 0, 0, 0x30, 0, 0, 0, 0,
sign_mk_attrib, sign_mk_attrib,
&attrib ); &attrib );
free_secret_key(sk); free_secret_key(sk);
@ -2405,7 +2406,7 @@ menu_revkey( KBNODE pub_keyblock, KBNODE sec_keyblock )
node->flag &= ~NODFLG_SELKEY; node->flag &= ~NODFLG_SELKEY;
sk = copy_secret_key( NULL, sec_keyblock->pkt->pkt.secret_key ); sk = copy_secret_key( NULL, sec_keyblock->pkt->pkt.secret_key );
rc = make_keysig_packet( &sig, mainpk, NULL, subpk, sk, rc = make_keysig_packet( &sig, mainpk, NULL, subpk, sk,
0x28, 0, 0, 0, 0x28, 0, 0, 0, 0,
sign_mk_attrib, &attrib ); sign_mk_attrib, &attrib );
free_secret_key(sk); free_secret_key(sk);
if( rc ) { if( rc ) {

4
g10/keygen.c
View File

@ -389,7 +389,7 @@ write_selfsig( KBNODE root, KBNODE pub_root, PKT_secret_key *sk,
cache_public_key (pk); cache_public_key (pk);
/* and make the signature */ /* and make the signature */
rc = make_keysig_packet( &sig, pk, uid, NULL, sk, 0x13, 0, 0, 0, rc = make_keysig_packet( &sig, pk, uid, NULL, sk, 0x13, 0, 0, 0, 0,
keygen_add_std_prefs, pk ); keygen_add_std_prefs, pk );
if( rc ) { if( rc ) {
log_error("make_keysig_packet failed: %s\n", g10_errstr(rc) ); log_error("make_keysig_packet failed: %s\n", g10_errstr(rc) );
@ -438,7 +438,7 @@ write_keybinding( KBNODE root, KBNODE pub_root, PKT_secret_key *sk,
/* and make the signature */ /* and make the signature */
oduap.usage = use; oduap.usage = use;
oduap.pk = subpk; oduap.pk = subpk;
rc = make_keysig_packet( &sig, pk, NULL, subpk, sk, 0x18, 0, 0, 0, rc = make_keysig_packet( &sig, pk, NULL, subpk, sk, 0x18, 0, 0, 0, 0,
keygen_add_key_flags_and_expire, &oduap ); keygen_add_key_flags_and_expire, &oduap );
if( rc ) { if( rc ) {
log_error("make_keysig_packet failed: %s\n", g10_errstr(rc) ); log_error("make_keysig_packet failed: %s\n", g10_errstr(rc) );

2
g10/packet.h
View File

@ -437,7 +437,7 @@ int write_comment( IOBUF out, const char *s );
int make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, int make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk,
PKT_user_id *uid, PKT_public_key *subpk, PKT_user_id *uid, PKT_public_key *subpk,
PKT_secret_key *sk, int sigclass, int digest_algo, PKT_secret_key *sk, int sigclass, int digest_algo,
int sigversion, u32 timestamp, int sigversion, u32 timestamp, u32 duration,
int (*mksubpkt)(PKT_signature *, void *), int (*mksubpkt)(PKT_signature *, void *),
void *opaque ); void *opaque );
int update_keysig_packet( PKT_signature **ret_sig, int update_keysig_packet( PKT_signature **ret_sig,

1
g10/parse-packet.c
View File

@ -968,6 +968,7 @@ can_handle_critical( const byte *buffer, size_t n, int type )
case SIGSUBPKT_SIG_EXPIRE: case SIGSUBPKT_SIG_EXPIRE:
case SIGSUBPKT_KEY_EXPIRE: case SIGSUBPKT_KEY_EXPIRE:
case SIGSUBPKT_EXPORTABLE: case SIGSUBPKT_EXPORTABLE:
case SIGSUBPKT_REVOCABLE:
case SIGSUBPKT_ISSUER:/* issuer key ID */ case SIGSUBPKT_ISSUER:/* issuer key ID */
case SIGSUBPKT_PREF_SYM: case SIGSUBPKT_PREF_SYM:
case SIGSUBPKT_PREF_HASH: case SIGSUBPKT_PREF_HASH:

2
g10/revoke.c
View File

@ -193,7 +193,7 @@ gen_revoke( const char *uname )
iobuf_push_filter( out, armor_filter, &afx ); iobuf_push_filter( out, armor_filter, &afx );
/* create it */ /* create it */
rc = make_keysig_packet( &sig, pk, NULL, NULL, sk, 0x20, 0, 0, 0, rc = make_keysig_packet( &sig, pk, NULL, NULL, sk, 0x20, 0, 0, 0, 0,
revocation_reason_build_cb, revocation_reason_build_cb,
reason ); reason );
if( rc ) { if( rc ) {

6
g10/sign.c
View File

@ -1012,7 +1012,7 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk,
PKT_user_id *uid, PKT_public_key *subpk, PKT_user_id *uid, PKT_public_key *subpk,
PKT_secret_key *sk, PKT_secret_key *sk,
int sigclass, int digest_algo, int sigclass, int digest_algo,
int sigversion, u32 timestamp, int sigversion, u32 timestamp, u32 duration,
int (*mksubpkt)(PKT_signature *, void *), void *opaque int (*mksubpkt)(PKT_signature *, void *), void *opaque
) )
{ {
@ -1075,7 +1075,9 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk,
if(timestamp) if(timestamp)
sig->timestamp=timestamp; sig->timestamp=timestamp;
else else
sig->timestamp = make_timestamp(); sig->timestamp=make_timestamp();
if(duration)
sig->expiredate=sig->timestamp+duration;
sig->sig_class = sigclass; sig->sig_class = sigclass;
if( sig->version >= 4 ) if( sig->version >= 4 )
build_sig_subpkt_from_sig( sig ); build_sig_subpkt_from_sig( sig );

22
g10/trustdb.c
View File

@ -1056,7 +1056,27 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
if (kid[0] != sig->keyid[0] || kid[1] != sig->keyid[1]) if (kid[0] != sig->keyid[0] || kid[1] != sig->keyid[1])
continue; continue;
n->flag |= (1<<10); /* mark this node as processed */ n->flag |= (1<<10); /* mark this node as processed */
if (sig->timestamp >= sigdate)
/* If the current signode is a nonrevocable signature, and
we're checking a revocation, then skip. Note that this
will let more recent signatures replace the nonrevocable
signature. Is that the proper behavior? */
if(IS_UID_REV(n->pkt->pkt.signature) &&
IS_UID_SIG(signode->pkt->pkt.signature) &&
!signode->pkt->pkt.signature->flags.revocable)
continue;
/* A nonrevocable signature n should always replace a
revocation in signode. If n is newer, then there is no
question. If n is older, then it should still replace
signode as the revocation in signode is invalid because n
is nonrevocable. */
if ((sig->timestamp >= sigdate) ||
(IS_UID_REV(signode->pkt->pkt.signature) &&
IS_UID_SIG(n->pkt->pkt.signature) &&
!n->pkt->pkt.signature->flags.revocable))
{ {
signode = n; signode = n;
sigdate = sig->timestamp; sigdate = sig->timestamp;