mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-10 13:04:23 +01:00
Some minor fixes for revocation keys: print a warning if a key is imported
that has been revoked by designated revoker, but the designated revoker is not present to verify the revocation (whew!). This applies to all ways to get a key into the system: --import --recv-keys, and --search-keys. If auto-key-retrieve is set, try and retrieve the revocation key. Also, auto-key-retrieve is now a keyserver-option.
This commit is contained in:
parent
c027e8610b
commit
f8f52d8ffe
@ -1,3 +1,27 @@
|
|||||||
|
2002-03-07 David Shaw <dshaw@jabberwocky.com>
|
||||||
|
|
||||||
|
* g10.c (main): make a few more strings translatable.
|
||||||
|
|
||||||
|
* options.h, options.skel, g10.c (main), gpgv.c, mainproc.c
|
||||||
|
(check_sig_and_print), keyserver.c (parse_keyserver_options):
|
||||||
|
--auto-key-retrieve should really be a keyserver-option variable.
|
||||||
|
|
||||||
|
* import.c (revocation_present): new function to print a warning
|
||||||
|
if a key is imported that has been revoked by designated revoker,
|
||||||
|
but the designated revoker is not present to verify the
|
||||||
|
revocation. If keyserver-options auto-key-retrieve is set, try
|
||||||
|
and fetch the designated revoker from the keyserver.
|
||||||
|
|
||||||
|
* import.c (import_one): call revocation_present after importing a
|
||||||
|
new key. Note that this applies to --import, --recv-keys, and
|
||||||
|
--search-keys.
|
||||||
|
|
||||||
|
* keyserver-internal.h, keyserver.c (keyserver_import_fprint):
|
||||||
|
import via fingerprint (for revocation keys).
|
||||||
|
|
||||||
|
* keyserver.c (keyserver_import_keyid): much simpler
|
||||||
|
implementation now that we're using KEYDB_SEARCH_DESC internally.
|
||||||
|
|
||||||
2002-03-04 David Shaw <dshaw@jabberwocky.com>
|
2002-03-04 David Shaw <dshaw@jabberwocky.com>
|
||||||
|
|
||||||
* revoke.c (gen_revoke): do not prompt for revocation reason for
|
* revoke.c (gen_revoke): do not prompt for revocation reason for
|
||||||
|
19
g10/g10.c
19
g10/g10.c
@ -1227,8 +1227,10 @@ main( int argc, char **argv )
|
|||||||
case oSetFilesize: opt.set_filesize = pargs.r.ret_ulong; break;
|
case oSetFilesize: opt.set_filesize = pargs.r.ret_ulong; break;
|
||||||
case oHonorHttpProxy:
|
case oHonorHttpProxy:
|
||||||
opt.honor_http_proxy = 1;
|
opt.honor_http_proxy = 1;
|
||||||
log_info("WARNING: --honor-http-proxy is deprecated.\n");
|
log_info(_("WARNING: %s is a deprecated option.\n"),
|
||||||
log_info("please use \"--keyserver-options honor-http-proxy\" instead\n");
|
"--honor-http-proxy");
|
||||||
|
log_info(_("please use \"--keyserver-options %s\" instead\n"),
|
||||||
|
"honor-http-proxy");
|
||||||
break;
|
break;
|
||||||
case oFastListMode: opt.fast_list_mode = 1; break;
|
case oFastListMode: opt.fast_list_mode = 1; break;
|
||||||
case oFixedListMode: opt.fixed_list_mode = 1; break;
|
case oFixedListMode: opt.fixed_list_mode = 1; break;
|
||||||
@ -1237,8 +1239,17 @@ main( int argc, char **argv )
|
|||||||
case oIgnoreValidFrom: opt.ignore_valid_from = 1; break;
|
case oIgnoreValidFrom: opt.ignore_valid_from = 1; break;
|
||||||
case oIgnoreCrcError: opt.ignore_crc_error = 1; break;
|
case oIgnoreCrcError: opt.ignore_crc_error = 1; break;
|
||||||
case oNoRandomSeedFile: use_random_seed = 0; break;
|
case oNoRandomSeedFile: use_random_seed = 0; break;
|
||||||
case oAutoKeyRetrieve: opt.auto_key_retrieve = 1; break;
|
case oAutoKeyRetrieve:
|
||||||
case oNoAutoKeyRetrieve: opt.auto_key_retrieve = 0; break;
|
case oNoAutoKeyRetrieve:
|
||||||
|
opt.keyserver_options.auto_key_retrieve=
|
||||||
|
(pargs.r_opt==oAutoKeyRetrieve);
|
||||||
|
log_info(_("WARNING: %s is a deprecated option.\n"),
|
||||||
|
pargs.r_opt==oAutoKeyRetrieve?
|
||||||
|
"--auto-key-retrieve":"--no-auto-key-retrieve");
|
||||||
|
log_info(_("please use \"--keyserver-options %s\" instead\n"),
|
||||||
|
pargs.r_opt==oAutoKeyRetrieve?
|
||||||
|
"auto-key-retrieve":"no-auto-key-retrieve");
|
||||||
|
break;
|
||||||
case oShowSessionKey: opt.show_session_key = 1; break;
|
case oShowSessionKey: opt.show_session_key = 1; break;
|
||||||
case oOverrideSessionKey:
|
case oOverrideSessionKey:
|
||||||
opt.override_session_key = pargs.r.ret_str;
|
opt.override_session_key = pargs.r.ret_str;
|
||||||
|
@ -147,7 +147,7 @@ main( int argc, char **argv )
|
|||||||
i18n_init();
|
i18n_init();
|
||||||
opt.command_fd = -1; /* no command fd */
|
opt.command_fd = -1; /* no command fd */
|
||||||
opt.pgp2_workarounds = 1;
|
opt.pgp2_workarounds = 1;
|
||||||
opt.auto_key_retrieve = 1;
|
opt.keyserver_options.auto_key_retrieve = 1;
|
||||||
opt.always_trust = 1;
|
opt.always_trust = 1;
|
||||||
opt.batch = 1;
|
opt.batch = 1;
|
||||||
|
|
||||||
|
84
g10/import.c
84
g10/import.c
@ -35,7 +35,7 @@
|
|||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "i18n.h"
|
#include "i18n.h"
|
||||||
#include "status.h"
|
#include "status.h"
|
||||||
|
#include "keyserver-internal.h"
|
||||||
|
|
||||||
struct stats_s {
|
struct stats_s {
|
||||||
ulong count;
|
ulong count;
|
||||||
@ -57,6 +57,7 @@ struct stats_s {
|
|||||||
static int import( IOBUF inp, int fast, const char* fname,
|
static int import( IOBUF inp, int fast, const char* fname,
|
||||||
struct stats_s *stats );
|
struct stats_s *stats );
|
||||||
static int read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root );
|
static int read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root );
|
||||||
|
static void revocation_present(KBNODE keyblock);
|
||||||
static void remove_bad_stuff (KBNODE keyblock);
|
static void remove_bad_stuff (KBNODE keyblock);
|
||||||
static int import_one( const char *fname, KBNODE keyblock, int fast,
|
static int import_one( const char *fname, KBNODE keyblock, int fast,
|
||||||
struct stats_s *stats);
|
struct stats_s *stats);
|
||||||
@ -597,6 +598,9 @@ import_one( const char *fname, KBNODE keyblock, int fast,
|
|||||||
leave:
|
leave:
|
||||||
release_kbnode( keyblock_orig );
|
release_kbnode( keyblock_orig );
|
||||||
free_public_key( pk_orig );
|
free_public_key( pk_orig );
|
||||||
|
|
||||||
|
revocation_present(keyblock);
|
||||||
|
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1073,7 +1077,84 @@ collapse_uids( KBNODE *keyblock )
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Check for a 0x20 revocation from a revocation key that is not
|
||||||
|
present. This gets called without the benefit of merge_xxxx so you
|
||||||
|
can't rely on pk->revkey and friends. */
|
||||||
|
static void
|
||||||
|
revocation_present(KBNODE keyblock)
|
||||||
|
{
|
||||||
|
KBNODE onode,inode;
|
||||||
|
PKT_public_key *pk=keyblock->pkt->pkt.public_key;
|
||||||
|
|
||||||
|
for(onode=keyblock->next;onode;onode=onode->next)
|
||||||
|
{
|
||||||
|
/* If we reach user IDs, we're done. */
|
||||||
|
if(onode->pkt->pkttype==PKT_USER_ID)
|
||||||
|
break;
|
||||||
|
|
||||||
|
if(onode->pkt->pkttype==PKT_SIGNATURE &&
|
||||||
|
onode->pkt->pkt.signature->sig_class==0x1F &&
|
||||||
|
onode->pkt->pkt.signature->revkey)
|
||||||
|
{
|
||||||
|
int idx;
|
||||||
|
PKT_signature *sig=onode->pkt->pkt.signature;
|
||||||
|
|
||||||
|
for(idx=0;idx<sig->numrevkeys;idx++)
|
||||||
|
{
|
||||||
|
u32 keyid[2];
|
||||||
|
|
||||||
|
keyid_from_fingerprint(sig->revkey[idx]->fpr,
|
||||||
|
MAX_FINGERPRINT_LEN,keyid);
|
||||||
|
|
||||||
|
for(inode=keyblock->next;inode;inode=inode->next)
|
||||||
|
{
|
||||||
|
/* If we reach user IDs, we're done. */
|
||||||
|
if(inode->pkt->pkttype==PKT_USER_ID)
|
||||||
|
break;
|
||||||
|
|
||||||
|
if(inode->pkt->pkttype==PKT_SIGNATURE &&
|
||||||
|
inode->pkt->pkt.signature->sig_class==0x20 &&
|
||||||
|
inode->pkt->pkt.signature->keyid[0]==keyid[0] &&
|
||||||
|
inode->pkt->pkt.signature->keyid[1]==keyid[1])
|
||||||
|
{
|
||||||
|
/* Okay, we have a revocation key, and a
|
||||||
|
revocation issued by it. Do we have the key
|
||||||
|
itself? */
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
rc=get_pubkey_byfprint(NULL,sig->revkey[idx]->fpr,
|
||||||
|
MAX_FINGERPRINT_LEN);
|
||||||
|
if(rc==G10ERR_NO_PUBKEY || rc==G10ERR_UNU_PUBKEY)
|
||||||
|
{
|
||||||
|
/* No, so try and get it */
|
||||||
|
if(opt.keyserver_scheme &&
|
||||||
|
opt.keyserver_options.auto_key_retrieve)
|
||||||
|
{
|
||||||
|
log_info(_("Warning: key %08lX may be revoked: "
|
||||||
|
"fetching revocation key %08lX\n"),
|
||||||
|
(ulong)keyid_from_pk(pk,NULL),
|
||||||
|
(ulong)keyid[1]);
|
||||||
|
keyserver_import_fprint(sig->revkey[idx]->fpr,
|
||||||
|
MAX_FINGERPRINT_LEN);
|
||||||
|
|
||||||
|
/* Do we have it now? */
|
||||||
|
rc=get_pubkey_byfprint(NULL,
|
||||||
|
sig->revkey[idx]->fpr,
|
||||||
|
MAX_FINGERPRINT_LEN);
|
||||||
|
}
|
||||||
|
|
||||||
|
if(rc==G10ERR_NO_PUBKEY || rc==G10ERR_UNU_PUBKEY)
|
||||||
|
log_info(_("Warning: key %08lX may be revoked: "
|
||||||
|
"revocation key %08lX not present.\n"),
|
||||||
|
(ulong)keyid_from_pk(pk,NULL),
|
||||||
|
(ulong)keyid[1]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/****************
|
/****************
|
||||||
* compare and merge the blocks
|
* compare and merge the blocks
|
||||||
@ -1440,4 +1521,3 @@ append_key( KBNODE keyblock, KBNODE node, int *n_sigs,
|
|||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -12,6 +12,7 @@ void parse_keyserver_options(char *options);
|
|||||||
int parse_keyserver_uri(char *uri);
|
int parse_keyserver_uri(char *uri);
|
||||||
int keyserver_export(STRLIST users);
|
int keyserver_export(STRLIST users);
|
||||||
int keyserver_import(STRLIST users);
|
int keyserver_import(STRLIST users);
|
||||||
|
int keyserver_import_fprint(const byte *fprint,size_t fprint_len);
|
||||||
int keyserver_import_keyid(u32 *keyid);
|
int keyserver_import_keyid(u32 *keyid);
|
||||||
int keyserver_refresh(STRLIST users);
|
int keyserver_refresh(STRLIST users);
|
||||||
int keyserver_search(STRLIST tokens);
|
int keyserver_search(STRLIST tokens);
|
||||||
|
@ -90,6 +90,10 @@ parse_keyserver_options(char *options)
|
|||||||
opt.keyserver_options.refresh_add_fake_v3_keyids=1;
|
opt.keyserver_options.refresh_add_fake_v3_keyids=1;
|
||||||
else if(strcasecmp(tok,"no-refresh-add-fake-v3-keyids")==0)
|
else if(strcasecmp(tok,"no-refresh-add-fake-v3-keyids")==0)
|
||||||
opt.keyserver_options.refresh_add_fake_v3_keyids=0;
|
opt.keyserver_options.refresh_add_fake_v3_keyids=0;
|
||||||
|
else if(strcasecmp(tok,"auto-key-retrieve")==0)
|
||||||
|
opt.keyserver_options.refresh_add_fake_v3_keyids=1;
|
||||||
|
else if(strcasecmp(tok,"no-auto-key-retrieve")==0)
|
||||||
|
opt.keyserver_options.refresh_add_fake_v3_keyids=0;
|
||||||
else if(strlen(tok)>0)
|
else if(strlen(tok)>0)
|
||||||
add_to_strlist(&opt.keyserver_options.other,tok);
|
add_to_strlist(&opt.keyserver_options.other,tok);
|
||||||
|
|
||||||
@ -676,22 +680,37 @@ keyserver_import(STRLIST users)
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
keyserver_import_fprint(const byte *fprint,size_t fprint_len)
|
||||||
|
{
|
||||||
|
KEYDB_SEARCH_DESC desc;
|
||||||
|
|
||||||
|
memset(&desc,0,sizeof(desc));
|
||||||
|
|
||||||
|
if(fprint_len==16)
|
||||||
|
desc.mode=KEYDB_SEARCH_MODE_FPR16;
|
||||||
|
else if(fprint_len==20)
|
||||||
|
desc.mode=KEYDB_SEARCH_MODE_FPR20;
|
||||||
|
else
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
memcpy(desc.u.fpr,fprint,fprint_len);
|
||||||
|
|
||||||
|
return keyserver_work(GET,NULL,&desc,1);
|
||||||
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
keyserver_import_keyid(u32 *keyid)
|
keyserver_import_keyid(u32 *keyid)
|
||||||
{
|
{
|
||||||
STRLIST sl=NULL;
|
KEYDB_SEARCH_DESC desc;
|
||||||
char key[17];
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
sprintf(key,"%08lX%08lX",(ulong)keyid[0],(ulong)keyid[1]);
|
memset(&desc,0,sizeof(desc));
|
||||||
|
|
||||||
add_to_strlist(&sl,key);
|
desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
|
||||||
|
desc.u.kid[0]=keyid[0];
|
||||||
|
desc.u.kid[1]=keyid[1];
|
||||||
|
|
||||||
ret=keyserver_import(sl);
|
return keyserver_work(GET,NULL,&desc,1);
|
||||||
|
|
||||||
free_strlist(sl);
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* code mostly stolen from do_export_stream */
|
/* code mostly stolen from do_export_stream */
|
||||||
|
@ -1258,7 +1258,7 @@ check_sig_and_print( CTX c, KBNODE node )
|
|||||||
(int)strlen(tstr), tstr, astr? astr: "?", (ulong)sig->keyid[1] );
|
(int)strlen(tstr), tstr, astr? astr: "?", (ulong)sig->keyid[1] );
|
||||||
|
|
||||||
rc = do_check_sig(c, node, NULL );
|
rc = do_check_sig(c, node, NULL );
|
||||||
if( rc == G10ERR_NO_PUBKEY && opt.keyserver_scheme && opt.auto_key_retrieve) {
|
if( rc == G10ERR_NO_PUBKEY && opt.keyserver_scheme && opt.keyserver_options.auto_key_retrieve) {
|
||||||
if( keyserver_import_keyid ( sig->keyid )==0 )
|
if( keyserver_import_keyid ( sig->keyid )==0 )
|
||||||
rc = do_check_sig(c, node, NULL );
|
rc = do_check_sig(c, node, NULL );
|
||||||
}
|
}
|
||||||
|
@ -109,6 +109,7 @@ struct {
|
|||||||
int use_temp_files:1;
|
int use_temp_files:1;
|
||||||
int keep_temp_files:1;
|
int keep_temp_files:1;
|
||||||
int refresh_add_fake_v3_keyids:1;
|
int refresh_add_fake_v3_keyids:1;
|
||||||
|
int auto_key_retrieve:1;
|
||||||
STRLIST other;
|
STRLIST other;
|
||||||
} keyserver_options;
|
} keyserver_options;
|
||||||
int exec_disable;
|
int exec_disable;
|
||||||
@ -133,7 +134,6 @@ struct {
|
|||||||
int ignore_valid_from;
|
int ignore_valid_from;
|
||||||
int ignore_crc_error;
|
int ignore_crc_error;
|
||||||
int command_fd;
|
int command_fd;
|
||||||
int auto_key_retrieve;
|
|
||||||
const char *override_session_key;
|
const char *override_session_key;
|
||||||
int show_session_key;
|
int show_session_key;
|
||||||
int use_agent;
|
int use_agent;
|
||||||
|
@ -131,25 +131,25 @@ lock-once
|
|||||||
# on the keyserver.
|
# on the keyserver.
|
||||||
#
|
#
|
||||||
# verbose = show more information as the keys are fetched.
|
# verbose = show more information as the keys are fetched.
|
||||||
# Can be included more than once to increase the amount
|
# Can be used more than once to increase the amount
|
||||||
# of information shown.
|
# of information shown.
|
||||||
#
|
#
|
||||||
# use-temp-files = use temporary files instead of a pipe to talk to the
|
# use-temp-files = use temporary files instead of a pipe to talk to the
|
||||||
# keyserver. Some platforms (Win32 for one) always
|
# keyserver. Some platforms (Win32 for one) always
|
||||||
# have this on.
|
# have this on.
|
||||||
#
|
#
|
||||||
# keep-temp-files = don't delete the temporary files after using them
|
# keep-temp-files = do not delete temporary files after using them
|
||||||
# (really only useful for debugging)
|
# (really only useful for debugging)
|
||||||
#
|
#
|
||||||
# honor-http-proxy = if the keyserver uses http, honor the http_proxy
|
# honor-http-proxy = if the keyserver uses http, honor the http_proxy
|
||||||
# environment variable
|
# environment variable
|
||||||
|
#
|
||||||
|
# auto-key-retrieve = automatically fetch keys as needed from the
|
||||||
|
# keyserver when verifying signatures or when importing
|
||||||
|
# keys that have been revoked by a revocation key that
|
||||||
|
# is not present on the keyring.
|
||||||
|
|
||||||
#keyserver-options include-disabled include-revoked
|
#keyserver-options auto-key-retrieve include-disabled include-revoked
|
||||||
|
|
||||||
# Uncomment this line to automatically fetch a key from a keyserver
|
|
||||||
# (which must be set - see above) when verifying signatures.
|
|
||||||
|
|
||||||
#auto-key-retrieve
|
|
||||||
|
|
||||||
# Uncomment this line to display photo user IDs in key listings
|
# Uncomment this line to display photo user IDs in key listings
|
||||||
#show-photos
|
#show-photos
|
||||||
@ -201,6 +201,3 @@ lock-once
|
|||||||
# --gpg-agent-info=<path>:<pid>:1
|
# --gpg-agent-info=<path>:<pid>:1
|
||||||
#
|
#
|
||||||
# may be used to override it.
|
# may be used to override it.
|
||||||
#
|
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user