* g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
out to ...
(create_dek_with_warnings): new
(check_encryption_compliance): and new.
* g10/encrypt.c (encrypt_filter): Add the compliance check.
--
GnuPG-bug-id: 6174
Ported-from: f88cb12f8e
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--
This fixes a problem with resulted in a General Error for the second
key to be uploaded in the same session. But only if the colon format
to specify a keyserver with flags was used.
* g10/parse-packet.c (enum_sig_subpkt): Show "buffer shorter than
subpacket" only in debug mode.
(parse_signature): Show "signature packet without timestamp / keyid"
only in souble verbose mode.
* g10/sig-check.c (check_signature_metadata_validity): Use ISO
timestamp in UTC for the signature expired note.
--
I have seen to many of these diagnostics and in particular the first
one seems to be a connected to the others. Thus it does not make
sense to show them in standard verbose mode.
The ISO timestamp is much easier to read than than the localized
timestamp and switching from localtime to UTC should not harm.
* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly"
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--
This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE. It is ignored on other systems.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/mainproc.c (proc_encrypted): Change compliance logic.
--
For the description of the proplem see
https://dev.gnupg.org/T6205#163306
GnuPG-bug-id: 6205
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--
It is quite common that LDAP servers are blocked and thuis the HTTP
access point should be used instead. This worked well for
certificates where the DP are given in this form:
crlDP: ldap://x500.bund.de/[...]
http://x500.bund.de/[...]
issuer: none
but it failed for this form
crlDP: ldap://x500.bund.de/[...]
issuer: none
crlDP: http://x500.bund.de/[...]
issuer: none
because the LAST_ERR thing terminated the outer loop. This pacth
fixes this and also cleans up the code to be more robust.
Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
* common/homedir.c (unix_rootdir): Add ".enable" statement to
gpgconf.ctl
* tests/gpgconf.ctl.in: Use this statement.
* tests/cms/Makefile.am (OLD_TESTS_ENVIRONMENT): Enable .enable.
(TESTS_ENVIRONMENT): Ditto.
* tests/gpgme/Makefile.am (TESTS_ENVIRONMENT): Ditto.
* tests/migrations/Makefile.am (TESTS_ENVIRONMENT): Ditto.
* tests/openpgp/Makefile.am (TESTS_ENVIRONMENT): Ditto.
* tests/pkits/Makefile.am (TESTS_ENVIRONMENT): Ditto.
* tests/tpm2dtests/Makefile.am (TESTS_ENVIRONMENT): Ditto.
--
Without that it was required to delete the gpgconf.ctl to run manual
tests.
What a hack.
* tools/Makefile.am: gpg-auth is one in libexec_PROGRAMS.
* tools/gpg-auth.c: Support use by root for login user.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/packet.h (PUBKEY_USAGE_RENC): New.
(PUBKEY_USAGE_TIME): New.
(PUBKEY_USAGE_GROUP): New.
* g10/getkey.c (parse_key_usage): Set the new key flags.
* g10/keyedit.c (show_key_with_all_names_colon): Show the new key
flags.
* g10/keyid.c (usagestr_from_pk): Ditto
* g10/keylist.c (print_capabilities): Ditto.
* g10/keygen.c (parse_usagestr): Parse line and set new flags.
(quickgen_set_para): Show flags.
--
See draft-koch-openpgp-2015-rfc4880bis-00 for the current version.
Actually these flags have been in the draft for years now. This patch
is a first step to make use of them.
* common/ssh-utils.c (ssh_public_key_in_base64): Use standard name for
ECC curve.
--
See oidtable in common/openpgp-oid.c.
Fixes-commit: 8e650dbd48
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpg-auth.c (my_strusage): Fix usage string.
(main): Use gpg-agent to get scdaemon socket.
(authenticate): Return GPG_ERR_NOT_FOUND when no success.
(ga_scd_connect): Use DBG_IPC.
(inq_needpin): Change API for getpin.
(put_second_field_cb): New, to get the second field.
(scd_get_pubkey): Use put_second_field_cb.
(ga_filter_by_authorized_keys): Put NULL at the PREV->next.
(getpin): Flush the standard output.
Include the last terminating NUL.
Return the length.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.
--
With this change, invalid certificates from system won't be registered
into cache. Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ. With less invalid certificates in cache,
it helps the validate_cert_chain function work better.
GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/ccid-driver.c (USE_LIBUSB_DEBUG_CB): New const.
(debug_libusb_cb): new.
(ccid_set_debug_level): Use it.
--
This allows to see the libusb log in our usual debug output. For this
the option debug-ccid-driver needs to be given 5 or more times.
* common/comopt.c (opts): Add "no-autostart".
(parse_comopt): Set it.
* common/comopt.h (comopt): Add no_autostart.
* g10/gpg.c (main): Take care of the new option.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-connect-agent.c (INCLUDED_BY_MAIN_MODULE): Add.
(main): Parse common options and handle new option.
* tools/gpg-card.c (main): Ditto.
(cmd_yubikey): Fix minor error reporting issue.
* common/util.h (GNUPG_MODULE_NAME_CARD): New const.
* common/homedir.c (gnupg_module_name): Support it.
--
Having a global option makes it easier to use disable autostart on a
server which is required to use a remote gpg-agent reliable.
* g10/keygen.c (keygen_set_std_prefs): Allow extra spaces before
preference elements. Detect the bracketed versions of the strings.
Ignore "aead".
--
This allows to c+p the list shown by pref with out remove the
brackets.
* agent/command.c (do_one_keyinfo): New arg need_Attr.
(cmd_keyinfo): New option --need-attr.
* agent/findkey.c (public_key_from_file): Use nvc_get_boolean.
--
This option makes it easier to list keys suitable only for certain
purposes.
The second patch makes if compliant to the description in
keyformat.txt
