* g10/gpg.c (get_default_configname): Remove unused function.
(main): Provide a proper filename to gpgconf_list.
--
With the new option pasrer we used "UNKOWN" in this case. The problem
was that gpgconf --list-options chekcs that an absolute file is
provided and thus bails out if no config file is in /etc/gnupg or in
~/.gnupg/.
get_default_configname was not anymore in use because its function is
part of the new option parser.
* tools/wks-util.c (wks_cmd_install_key): Don't set u+x on the file.
(ensure_policy_file): No need to make the policy file group writable.
--
The policy file is rarely changed thus no need to g+w. Setting +x on
a plain file does not make sense at all.
GnuPG-bug-id: 5214
(cherry picked from commit c008e8d20e)
* common/dotlock.c (dotlock_create_unix): Remove debug output.
--
This was left over from developement about 10 years ago. Exhibits
itself when using sshfs.
GnuPG-bug-id: 5193
* src/argparse.c (gnupg_argparse): Factor some code out to ...
(prepare_arg_return): new.
(gnupg_argparse): No missing arg error in ignore sections.
* common/sysutils.c: Include pwd.h.
(gnupg_getusername): New.
--
Options in an [ignore] section do not anymore lead to an error if an
argument is missing. However, if the option is also in a force
section the error is thrown.
This is a port of the fix from libgpg-error. Also fixes the
username fixme.
* dirmngr/ks-engine-ldap.c: Wrap some ldap calls.
--
The former gpgkeys_ldap module has once been ported to dirmngr but
unfortunately the dirmngr_ldap wrapper has not been used so that we
have internal LDAP calls with these problems:
- No usable timeouts.
- On non-Windows platforms a lot of extra libs and possibly even a
second copy of Libgcrypt is pulled in.
- Only one threads runs at a time.
This patch mitigates the last point.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http.h (struct parsed_uri_s): Add field ad_current.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Set it.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Take care of ad_current.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Add arg
serverinfo and allow searching by fingerprint.
(ks_ldap_get, ks_ldap_search): First connect then create teh filter.
--
With the new schema we can finally search by fingerprint.
* g10/call-dirmngr.c (ks_put_inq_cb): Emit "fpr" records.
* dirmngr/ks-engine-ldap.c (extract_attributes): Add args
extract-state and schemav2. Add data for the new schema version.
remove the legacy code to handle UIDs in the "pub" line.
(ks_ldap_put): Set new attributes for NTDS use the fingerprint as CN.
Signed-off-by: Werner Koch <wk@gnupg.org>
This is a backport from 2.3
* dirmngr/ks-engine-ldap.c (SERVERINFO_): New constants.
(my_ldap_connect): Relace args pgpkeyattrp and real_ldapp by a new
serverinfo arg. Set the new info flags.
(ks_ldap_get): Adjust for change.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto. Replace xmalloc by xtrymalloc. Change the DN
for use with NTDS (aka Active Directory).
--
This is a first take on better Active Directory support. The main
change for NTDS in the code is that the an top-RDN of CN is used
instead of the old pgpCertID. More changes to come; for example using
and storing the fingerprint.
Signed-off-by: Werner Koch <wk@gnupg.org>
This is a backport from 2.3 without the new schema samples - they can
be found in the repo.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-ldap.c (extract_attributes): Do not store the
pgpSignerID.
* g10/call-dirmngr.c (ks_put_inq_cb): Do not emit sig records.
--
The pgpSignerID has no use in the LDAP and thus don't store it.
David's idea back in 2004 was
/* This bit is really for the benefit of people who
store their keys in LDAP servers. It makes it easy
to do queries for things like "all keys signed by
Isabella". */
See-commit: 3ddd4410ae
I consider this dangerous because such a query is not able to validate
the signature, does not get revocation signatures, and also has no
information about the validity of the signatures. Further many keys
are spammed tehse days with faked signatures and it does not make
sense to blow up the LDAP with such garbage.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-ldap.c (ks_ldap_put): Extract attribites into
addlist.
--
The code used the wrong list which resulting in adding attributes
marked for deletion. In particular Active Directory does not accept
such an data and rejects them. The bug was introduced into 2.1 while
porting the code from the old keyserver helpers to dirmngr.
Fixes-commit: 51341badb6
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (GPGRT_ENABLE_ARGPARSE_MACROS): Define.
* common/argparse.c, common/argparse.h: Rewrite.
* tests/gpgscm/main.c: Switch to the new option parser.
* g10/gpg.c: Switch to the new option parser and enable a global conf
file.
* g10/gpgv.c: Ditto.
* agent/gpg-agent.c: Ditto.
* agent/preset-passphrase.c: Ditto.
* agent/protect-tool.c: Ditto.
* scd/scdaemon.c: Ditto.
* dirmngr/dirmngr.c: Ditto.
* dirmngr/dirmngr_ldap.c: Ditto
* dirmngr/dirmngr-client.c: Ditto.
* kbx/kbxutil.c: Ditto.
* tools/gpg-card.c: Ditto.
* tools/gpg-check-pattern.c: Ditto.
* tools/gpg-connect-agent.c: Ditto.
* tools/gpg-pair-tool.c: Ditto.
* tools/gpg-wks-client.c: Ditto.
* tools/gpg-wks-server.c: Ditto.
* tools/gpgconf.c: Ditto.
* tools/gpgsplit.c: Ditto.
* tools/gpgtar.c: Ditto.
* g13/g13.c: Ditto.
* g13/g13-syshelp.c: Ditto. Do not force verbose mode.
* sm/gpgsm.c: Ditto. Add option --no-options.
--
This is backport from master
commit cdbe10b762
commit ba463128ce
commit 3bc004decd
commit 2c823bd878
commit 0e8f6e2aa9
but without changing all functions names to gpgrt. Instead we use
wrapper functions which, when building against old Libgpg-error
versions, are implemented in argparse.c using code from the current
libgpg-error. This allows to keep the dependency requirement at
libgpg-error 1.27 to support older distributions. Tested builds
against 1.27 and 1.40-beta.
Note that g13-syshelp does not anymore default to --verbose because
that can now be enabled in /etc/gnupg/g13-syshelp.conf.
GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpg.texi: Add parameters for batch generation of ECC keys.
--
There are parameters required for batch generation of ECC keys which
weren't mentioned in the documentation.
Signed-off-by: Jens Meißner <meissner@b1-systems.de>
* dirmngr/dirmngr.c (get_revision_from_blurb): Fix detection of empty
string.
(gpgconf_versions): Print ksba revision.
--
The latest Libksba version support retrieving of the revision (commit)
id. We now use that or print a question mark.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4070f302e4)
--
It does not make sense to keep support form GnuPG 1 here given that we
don't intend to ever backport any of the current stuff to the legacy
version.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): Add keygrip_str.
(store_keygrip): New.
(read_public_key): Store the keygrip.
(get_public_key): Sitto.
(send_keypair_info): USe the stored keygrip.
(check_keyidstr): New. Factored out from other functions and
extended.
(do_sign): Use check_keyidstr.
(do_auth): Ditto.
(do_decipher): Ditto.
(do_check_pin): Ditto.
--
This code is a backport of commits:
b0f0791e4a
cd: Factor out a function to check keyidstr.
4c4999b818
scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3.
e769609cd3
scd: Allow KEYGRIP as KEYIDSTR.
Co-authored-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/divert-scd.c (divert_pksign): Add arg 'grip'. Replace OPENPGP
key reference to keygrips.
(divert_pkdecrypt): Ditto.
* agent/protect.c (parse_shadow_info): Trim spaces.
* agent/pkdecrypt.c (agent_pkdecrypt): Pass the keygrip.
* agent/pksign.c (agent_pksign_do): Ditto.
* g10/mainproc.c (print_pkenc_list): Print extra info for an invalid
id error.
* g10/sign.c (do_sign): Ditto.
--
Using the keygrip instead of the identifier works on OpenPGP cards and
thus we use that to make sure that we are working on the right card.
For other cards we better don't do that to avoid regressions. Those
other cards are also usually provided and do not allow to
self-generate the keys.
Note that old versions of the code (gpg 1.4) used the fingerprint as
additional check but that was eventually removed and now that we use
the keygrip all over the place, it is best to use this to identify a
key.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keydb.h (pref_hint): Change from union to struct and add field
'exact'. Adjust callers.
* g10/pkclist.c (algo_available): Take care of the exact hint.
* g10/sign.c (sign_file): Fix indentation. Rework the hash from
recipient prefs.
--
This fixes a encrypt+sign case like: One recipient key has SHA512 as
highest ranked hash preference but the the signing key is a 256 bit
curve. Because we don't want to use a truncated hash with ECDSA, we
need to have an exact match - this is in particular important for
smartcard which check that the hash matches the curves.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpgconf.c (main): Use gnupg_homedir instead of
default_homedir. Check for existance of the directory.
--
Fixes-commit: 1fbf085bc8
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (cmd_serialno): Skip options.
--
SERIALNO --all
works only in 2.3 and thus naive use with 2.2 vesions would conserer
"--all" as the reqyested applications. Fix is easy and should be done
anyway.
Signed-off-by: Werner Koch <wk@gnupg.org>