From f6f0dd4d5ea85e0b16e96d7678b1d508182049a8 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 24 Jul 2017 19:35:45 +0200
Subject: [PATCH] gpg: Filter keys received via DANE
* g10/keyserver.c (keyserver_import_cert): Use an import filter in DANE mode.
--
We only want to see the user ids requested via DANE and not any additional ids. This filter enables this in the same way we do this in WKD.
Signed-off-by: Werner Koch
---
 g10/keyserver.c | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/g10/keyserver.c b/g10/keyserver.c
index bec30e37d..a84961e37 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1926,14 +1926,36 @@ keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode,
 else if (key)
 {
 int armor_status=opt.no_armor;
+ import_filter_t save_filt;
 /* CERTs and DANE records are always in binary format */
 opt.no_armor=1;
-
- err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len,
- (opt.keyserver_options.import_options
- | IMPORT_NO_SECKEY),
- NULL, NULL, KEYORG_DANE);
+ if (dane_mode)
+ {
+ save_filt = save_and_clear_import_filter ();
+ if (!save_filt)
+ err = gpg_error_from_syserror ();
+ else
+ {
+ char *filtstr = es_bsprintf ("keep-uid=mbox = %s", look);
+ err = filtstr? 0 : gpg_error_from_syserror ();
+ if (!err)
+ err = parse_and_set_import_filter (filtstr);
+ xfree (filtstr);
+ if (!err)
+ err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len,
+ IMPORT_NO_SECKEY,
+ NULL, NULL, KEYORG_DANE);
+ restore_import_filter (save_filt);
+ }
+ }
+ else
+ {
+ err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len,
+ (opt.keyserver_options.import_options
+ | IMPORT_NO_SECKEY),
+ NULL, NULL, 0);
+ }
 opt.no_armor=armor_status;
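Review bot: In the new DANE branch the import call passes only `IMPORT_NO_SECKEY`, while the non-DANE branch (and the call being removed) still OR in `opt.keyserver_options.import_options`, so any user-configured keyserver import options silently stop applying to DANE fetches. If that is deliberate so the keep-uid filter alone decides what is kept, it deserves a comment right above the call, e.g. `/* Keyserver import-options are intentionally not applied here: the mbox filter above must be authoritative for DANE.  */`; if not, the flags should be restored with `(opt.keyserver_options.import_options | IMPORT_NO_SECKEY)` as in the else branch. The filter is also built by formatting `look` straight into `"keep-uid=mbox = %s"`, which is only safe if `look` can never contain filter syntax such as `&&` or `||`; the hunk does not show where `look` is derived, so that invariant is worth a short note at its definition. keyserver_import_cert begins and ends outside this hunk.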