1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-26 10:59:58 +01:00

9103 Commits

Author SHA1 Message Date
Werner Koch
d7d9a5ba3c
common: Rename w32-misc.c to w32-cmdline.c
* common/w32-misc.c: Rename to ....
* common/w32-cmdline.c: this.
* common/Makefile.am: Adjust.
--

(cherry picked from commit 7262d602d802c4a3840097d5de217fcfb9728b49)
2021-06-08 10:08:03 +02:00
Werner Koch
09f49b4c9a
common,w32: Implement globing of command line args.
* common/w32-misc.c [W32]: Include windows.h
(struct add_arg_s): New.
(add_arg): New.
(glob_arg): New.
(parse_cmdstring): Add arg argvflags and set it.
(w32_parse_commandline): Add arg r_itemsalloced.  Add globing.

* common/init.c (prepare_w32_commandline): Mark glob created items as
leaked.

* common/t-w32-cmdline.c : Include windows.h
(test_all): Add simple glob test for Unix.
(main): Add manual test mode for Windows.

* common/xasprintf.c (xtryreallocarray): New.
--

GnuPG-bug-id: 4398
Backported-from-master: 089c9439674e8ecbc64f0ba924e6fb447bbc2b9d)
2021-06-08 10:05:27 +02:00
Werner Koch
4d6807b215
common,w32: Refine the command line parsing for \ in quotes.
* common/t-w32-cmdline.c (test_all): Add new test cases.
* common/w32-misc.c (strip_one_arg): Add arg endquote.
(parse_cmdstring): Take care of backslashes in quotes.
--

I found some new test vectors from Microsoft.

(cherry picked from commit 20c60076866904187a09393de596deef286116f8)
2021-06-08 09:36:54 +02:00
Werner Koch
90ddd1cf13
common: First take on handling Unicode command line args.
* common/w32-misc.c: New.
* common/t-w32-cmdline.c: New.
* common/init.c: Include w32help.h.
(prepare_w32_commandline): New.
(_init_common_subsystems) [W32]: Call prepare_w32_commandline.

* common/Makefile.am (common_sources) [W32]: Add w32-misc.c
(module_tests): Add t-w32-cmdline
(t_w32_cmdline_LDADD): New.
--

The rules for the command line parser are not cleary specified - if at
all.  See the comment in t-w32-cmdline.c.

We can't use the mingw version because that would require to change
all argv handling to be wchar_t and that only for Windows.  That would
be too ugly.  Parsing the command line into argv by us is much easier
and we can do that only if needed - i.e. if globing is required (we
are prepared for this) or a non-ASCII character has been encountered.
This way we keep things stable and only fix the currently not working
Unicode problem.

GnuPG-bug-id: 4398
(cherry picked from commit deb6c94362c0f179de1cac18707aad2f51a21e10)
2021-06-08 09:29:49 +02:00
Werner Koch
1f59c4c8e2
gpg: Prepare for globing with UTF-8.
* g10/gpg.c (_dowildcard): Remove.
(my_strusage): Enable wildcards using our new system.
--

This patch actually removes the current globing using a mingw
feature.  We are not able to use this because it does not handle
Unicode filenames.  The plan is to implement this in init.c.  This
patch merely configures gpg to request globing.

GnuPG-bug-id: 4398
(cherry picked from commit 8e15506d6680bbee85bc01453da28fc90b4cb673)
2021-06-08 09:24:39 +02:00
Werner Koch
39815c023f
dirmngr: Rewrite the LDAP wrapper tool
* dirmngr/ldap-misc.c: New.
* dirmngr/ldap-misc.h: New.
* dirmngr/ks-engine-ldap.c: Include ldap-misc.h.
(ldap_err_to_gpg_err, ldap_to_gpg_err): Move to ldap-misc.c.
* dirmngr/ldap-wrapper.c (ldap_wrapper): Print list of args in debug
mode.
* dirmngr/server.c (lookup_cert_by_pattern): Handle GPG_ERR_NOT_FOUND
the saqme as GPG_ERR_NO_DATA.
* dirmngr/ldap.c (run_ldap_wrapper): Add args tls_mode and ntds.
Remove arg url.  Adjust for changes in dirmngr_ldap.
(url_fetch_ldap): Remove args host and port.  Parse the URL and use
these values to call run_ldap_wrapper.
(attr_fetch_ldap): Pass tls flags to run_ldap_wrapper.
(rfc2254_need_escape, rfc2254_escape): New.
(extfilt_need_escape, extfilt_escape): New.
(parse_one_pattern): Rename to ...
(make_one_filter): this.  Change for new dirmngr_ldap calling
convention.  Make issuer DN searching partly work.
(escape4url, make_url): Remove.
(start_cert_fetch_ldap): Change for new dirmngr_ldap calling
convention.
* dirmngr/dirmngr_ldap.c: Major rewrite.

* dirmngr/t-ldap-misc.c: New.
* dirmngr/t-support.h (DIM, DIMof): New.
* dirmngr/Makefile.am (dirmngr_ldap_SOURCES): Add ldap-misc.c
(module_tests) [USE_LDAP]: Add t-ldap-misc.
(t_ldap_parse_uri_SOURCES): Ditto.
(t_ldap_misc_SOURCES): New.
--

This rewrite allows to properly handle TLS and avoids some code
duplication.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-08 08:51:11 +02:00
NIIBE Yutaka
2f98d8a0f9 agent: Appropriate error code for importing key with no passwd.
* agent/cvt-openpgp.c (convert_from_openpgp_main): Return
GPG_ERR_BAD_SECKEY.

--

Backport master commit of:
	21ef425e222ddfa460b37dece63adb67ff2e4dd1

When non-protected case, error at gcry_pk_testkey results
GPG_ERR_BAD_PASSPHRASE.  Here, it should be converted to
GPG_ERR_BAD_SECKEY, or else, user will be asked passwd even if it's
not protected.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-08 09:12:26 +09:00
Werner Koch
8bd5172539
dirmngr: Remove useless code.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Remove the
password_param thing because we set the password directly without an
intermediate var.
--

Reported-by: Ingo Kloecker
2021-06-04 07:49:00 +02:00
Werner Koch
b722fd755c
sm: Support AES-GCM decryption.
* sm/gpgsm.c (main): Use gpgrt_fcancel on decryption error if gpgrt
supports this.
* sm/decrypt.c (decrypt_gcm_filter): New.
(gpgsm_decrypt): Use this filter if requested.  Check authtag.
* common/compliance.c (gnupg_cipher_is_allowed): Allow GCM for gpgsm
in consumer (decrypt) de-vs mode.
--

Backported-from-master: 4980fb3c6dde8c1dda975e8a36d6086c8456a631

We allow GCM in de-vs mode for decryption although this has not been
evaluation.  It is decryption and thus no serious harm may happen.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-02 19:11:42 +02:00
Werner Koch
c8f0b02936
gpgconf: Make runtime changes with different homedir work.
* tools/gpgconf-comp.c (dirmngr_runtime_change): Pass --homedir
first.  Remove unused variable.
2021-05-28 19:50:15 +02:00
Werner Koch
7c4b0eda74
doc: Update description of LDAP keyservers
--
2021-05-28 15:50:58 +02:00
Werner Koch
8de9d54ac8
dirmngr: Fix default port for our redefinition of ldaps.
* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-28 15:22:51 +02:00
NIIBE Yutaka
40b2890b43 build: _DARWIN_C_SOURCE should be 1.
* configure.ac (*-apple-darwin*): Set _DARWIN_C_SOURCE 1.

--

GnuPG-bug-id: 5440
Reported-by: Jay Freeman
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-27 13:33:34 +09:00
Werner Koch
317d5947b8
dirmngr: Use --ldaptimeout for OpenPGP LDAP keyservers.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Use LDAP_OPT_TIMEOUT.

* dirmngr/dirmngr.c (main): Move --ldaptimeout setting to ...
(parse_rereadable_options): here.
--

Note that this has not yet been tested.  In fact a test with OpenLDAP
using a modified route got stuck in the connection attempt.  Maybe it
works on Windows - will be tested later.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-26 19:06:36 +02:00
Werner Koch
ff17aee5d1
dirmngr: New option --ldapserver
* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.

* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.
--

This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-26 16:21:50 +02:00
Werner Koch
2b4cddf908
dirmngr: Allow for non-URL specified ldap keyservers.
* dirmngr/server.c (cmd_ldapserver): Strip an optional prefix.
(make_keyserver_item): Handle non-URL ldap specs.
* dirmngr/dirmngr.h (struct ldap_server_s): Add fields starttls,
ldap_over_tls, and ntds.

* dirmngr/ldapserver.c (ldapserver_parse_one): Add for an empty host
string.  Improve error messages for the non-file case.  Support flags.
* dirmngr/ks-action.c (ks_action_help): Handle non-URL ldap specs.
(ks_action_search, ks_action_get, ks_action_put): Ditto.
* dirmngr/ks-engine-ldap.c: Include ldapserver.h.
(ks_ldap_help): Handle non-URL ldap specs.
(my_ldap_connect): Add args r_host and r_use_tls.  Rewrite to support
URLs and non-URL specified keyservers.
(ks_ldap_get): Adjust for changes in my_ldap_connect.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.
--

The idea here is to unify our use of URLS or colon delimited ldap
keyserver specification.  The requirement for percent escaping, for
example the bindname in an URLs, is cumbersome and prone to errors.
This we allow our classic colon delimited format as an alternative.
That format makes it also easy to specify flags to tell dirmngr
whether to use starttls or ldap-over-tls.  The code is nearly 100%
compatible to existing specification.  There is one ambiguity if the
hostname for CRL/X509 searches is just "ldap"; this can be solved by
prefixing it with "ldap:" (already implemented in gpgsm).

GnuPG-bug-id: 5405, 5452
2021-05-26 14:48:27 +02:00
Werner Koch
9f586700ec
gpg,sm: Simplify keyserver spec parsing.
* common/keyserver.h: Remove.
* sm/gpgsm.h (struct keyserver_spec): Remove.
(opt): Change keyserver to a strlist_t.
* sm/gpgsm.c (keyserver_list_free): Remove.
(parse_keyserver_line): Remove.
(main): Store keyserver in an strlist.
* sm/call-dirmngr.c (prepare_dirmngr): Adjust for the strlist.  Avoid
an ambiguity in dirmngr by adding a prefix if needed.

* g10/options.h (struct keyserver_spec): Move definition from
keyserver.h to here.  Remove most fields.
* g10/keyserver.c (free_keyserver_spec): Adjust.
(cmp_keyserver_spec): Adjust.
(parse_keyserver_uri): Simplify.
(keyidlist): Remove fakev3 arg which does not make any sense because
we don't even support v3 keys.
--

We now rely on the dirmngr to parse the keyserver specs.  Thus a bad
specification will not be caught immediately.  However, even before
that dirmngr had stricter tests.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-26 14:30:17 +02:00
Werner Koch
72124fadaf
dirmngr: Support pseudo URI scheme "opaque".
* dirmngr/http.h (HTTP_PARSE_NO_SCHEME_CHECK): New.
* dirmngr/http.c (http_parse_uri): Use this flag.  Change all callers
to use the new macro for better readability.
(do_parse_uri): Add pseudo scheme "opaque".
(uri_query_value): New.
--

This scheme can be used to convey arbitrary strings in a parsed_uri_t
object.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-26 10:02:49 +02:00
NIIBE Yutaka
44c8232b97 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-21 10:14:35 +09:00
NIIBE Yutaka
5be0d075b1 scd: Release memory for RDRNAME.
* scd/apdu.c (apdu_close_reader): Free RDRNAME field.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-21 10:00:28 +09:00
Jakub Jelen
678e1b20d3
scd: avoid memory leaks
* scd/app-p15.c (send_certinfo): free labelbuf
  (do_sign): goto leave instead of return
* scd/command.c (cmd_genkey): goto leave instead of return

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5393

Modifified for this backport:

* scd/command.c (cmd_genkey): Make it easier to read by replacing
keyno with orig_line.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-20 15:19:19 +02:00
Jakub Jelen
4dc4b025d6
common: Avoid double-free
* common/name-value.c (do_nvc_parse): reset to null after ownership
change

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5393
2021-05-20 14:52:08 +02:00
Werner Koch
b677e2ec98
Assorted memory leak fixes on the error code paths.
--

These are taken from these commits:

98c52ae * card: Intialize pointer to avoid double free
fc5fac8 * kbx: Avoid uninitialized read
fa0771f * g10: Avoid memory leaks
25aa353 * dirmgr: Avoid double free
33a2362 * agent: Fix memory leaks
e6132bc * sm: Avoid memory leaks and double double-free
2af7bb2 * g10: Fix memory leaks
0d2c1e9 * dirmgr: clean up memory on error code paths

GnuPG-bug-id: 5393
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-20 14:51:42 +02:00
Werner Koch
9d63ba2721
po: Updated the Russian translation
--

Done with the help of Ineiev.
2021-05-20 08:14:23 +02:00
Ineiev
17b7048732
po: Update Russian translation. 2021-05-19 19:56:55 +02:00
Werner Koch
f0e538619d
dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
* dirmngr/ks-engine-ldap.c (extract_keys): Return the fingerprint if
available.
(ks_ldap_search): Ditto.
(extract_keys): Make sure to free the ldap values also in corner
cases.
(my_ldap_value_free): New.
(ks_ldap_get): Ditto.
(ks_ldap_search): Ditto.
(my_ldap_connect): Ditto.
--

For background see these comments from gpgme:

/* The output for external keylistings in GnuPG is different from all
   the other key listings.  We catch this here with a special
   preprocessor that reformats the colon handler lines.  */
/* The format is:

   pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>

   as defined in 5.2. Machine Readable Indexes of the OpenPGP
   HTTP Keyserver Protocol (draft).  Modern versions of the SKS
   keyserver return the fingerprint instead of the keyid.  We
   detect this here and use the v4 fingerprint format to convert
   it to a key id.

   We want:
   pub:o<flags>:<keylen>:<algo>:<keyid>:<creatdate>:<expdate>::::::::
*/

Regarding the freeing of values: I was not able to find a
specification stating it is okay to pass NULL to ldap_value_free, thus
the new wrapper.  Also add robustness measures in case ldap_get_value
returns an empty array.

GnuPG-bug-id: 5441
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-19 18:18:35 +02:00
Werner Koch
cf9a0bc2ec
po: Auto updates
--

Also fixed two fuzzies in fr.po and it.po
2021-05-19 00:04:58 +02:00
Werner Koch
7bf8530e75
gpg: Fix sending an OpenPGP key with umlaut to an LDAP keyserver.
* g10/call-dirmngr.c (record_output): Rewrite.
--

Thou shalt not percent-escape for C-unescaping.

Fixes-commit: 51341badb623927f2a358588c725a356fc77dbe7
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-18 22:54:16 +02:00
Ingo Klöcker
aa62881404
scd:p15: Fix logic for appending product name to MANUFACTURER.
* scd/app-p15.c (do_getattr): Append product name to MANUFACTURER if
manufacturer_id does not already contain a bracket and if we have a
product name.
2021-05-18 22:54:12 +02:00
Werner Koch
c9859967c0
po: In German always use "Passwort" instead of "Passphrase".
--

This is a several decade old debate how to name this.  Meanwhile in
Germany it seems to be more clean to use the term "Passwort" instead
of "Passphrase" (or that "Mantra" thing).  It is easier to explain to
users that a password may include spaces etc than to to explain the
difference between passphrase and password.

So let's keep the things in the code as is but change the
translations.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 19:34:25 +02:00
Werner Koch
03f83bcda5
gpg: Use a more descriptive prompt for symmetric decryption.
* g10/keydb.h (GETPASSWORD_FLAG_SYMDECRYPT): New.
(passphrase_to_dek_ext): Remove this obsolete prototype.
* g10/passphrase.c (passphrase_get): Add arg flags.  Use new flag
value.
(passphrase_to_dek): Add arg flags and pass it on.
* g10/mainproc.c (proc_symkey_enc): Use new flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 19:30:15 +02:00
Werner Koch
50ea1b67e8
sm: Ask for the password for password based decryption (pwri)
* sm/decrypt.c (pwri_decrypt): Add arg ctrl.  Ask for passphrase.

* sm/export.c (export_p12): Mark string as translatable.
* sm/import.c (parse_p12): Ditto.
--

This is finishes the support for PWRI.

The N_() marks are added so that we don't rely of the side-effect of
having the same strings in protect-tool.c

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit eeb65d3bbd7d461694d30009631739735a2b9bad)
2021-05-17 19:29:06 +02:00
Werner Koch
6f31acac76
sm: Support decryption of password based encryption (pwri)
* sm/decrypt.c (string_from_gcry_buffer): New.
(pwri_parse_pbkdf2): New.
(pwri_decrypt): New.
(prepare_decryption): Support pwri.
(gpgsm_decrypt): Test for PWRI.  Move IS_DE_VS flag to DFPARM.

* common/sexputil.c (cipher_mode_to_string): New.
--

Note that this is not finished because we need to implement a password
callback.  For now "abc" is used as passwort.

Latest libksba is also required to return the required info.

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 02029f9eab87e9fd667829dfb083846275576398

Note that this change also prints the used algorithm and shows some
existsing diagnostics only in verbose mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 18:26:34 +02:00
Werner Koch
b6f8cd7eef
dirmngr: LDAP search by a mailbox now ignores revoked keys.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Ignore revoked
and disable keys in mail mode.
--

The LDAP schema has a revoked and a disabled flag.  The former will be
set if a revoked key is uploaded; the latter can be set by other
means.   With this change a search by mailbox does not anymore return
keys with these LDAP attributes set.  This allows to better maintain a
directory with multiple keys per mailbox.

Doing the same for expired keys could also be done but requires more
effort.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 15:35:27 +02:00
NIIBE Yutaka
987b816860
scd,pcsc: Use a single context.
* scd/apdu.c (pcsc): New variable.
(struct reader_table_s): Remove pcsc.context from member.
(pcsc_get_status, connect_pcsc_card): Use pcsc.context.
(close_pcsc_reader): Release pcsc.context here with reference count.
(apdu_open_one_reader): Move API loading to ...
(pcsc_init): new.
(apdu_open_one_reader): Remove.
(apdu_open_reader): Call open_pcsc_reader instead of
apdu_open_one_reader.
(open_pcsc_reader): Call pcsc_init if needed.  Call close_pcsc_reader
instead of pcsc_release_context.  Make reader parsing more robust.
(apdu_init): Initialize pcsc.count and pcsc.context.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 1080e91efd60cb41c2d6dbafaee810e5967a3161)

The backport also adds some other chnages as described above.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-07 09:53:29 +02:00
Werner Koch
89e20c38c2
po: auto updates
--
2021-05-04 12:48:48 +02:00
Werner Koch
26de9c400e
build: Silence a cimpiler warning also in non-maintainer mode.
--

This yields less warnings during a release build.
2021-05-04 12:47:44 +02:00
Werner Koch
b203325ce1
gpg: Allow ECDH with a smartcard returning just the x-coordinate.
* g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Factor extraction
part out to  ...
(extract_secret_x): new.  Allow for x-only coordinate.
(pk_ecdh_encrypt_with_shared_point): Change arg shared_mpi
to (shared,nshared).  Move param check to the top.  Add extra safety
check.
(pk_ecdh_decrypt): Adjust for change.
* g10/pkglue.c (get_data_from_sexp): New.
(pk_encrypt): Use it for "s" and adjusted for changed
pk_ecdh_encrypt_with_shared_point.
* g10/pubkey-enc.c (get_it): Remove conversion to an MPI and call
pk_ecdh_decrypt with the frame buffer.
--

Backported-from-master: f129b0e97730b47d62482fba9599db39b526f3d2)
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-04 11:51:34 +02:00
Werner Koch
b410c95fe9
build: Silence two compiler warnings.
--
2021-05-04 10:45:30 +02:00
Werner Koch
9d83bfb639
scd: Fix possible PC/SC removed card problem
* scd/apdu.c (pcsc_cancel): New.
(pcsc_init): Load new function.
(connect_pcsc_card): Use it after a removed card error.
--

Backported-from-master: 8d81fd7c01e8dfacc719ff190f8e364014e32fdf
2021-05-04 10:38:53 +02:00
Werner Koch
a475bb725b
scd: Add string for another PC/SC error code.
* scd/apdu.c (PCSC_E_NO_READERS_AVAILABLE): New.
(pcsc_error_string): Add a description for this.
* scd/scdaemon.c (scd_kick_the_loop): Fix diagnostic.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-04 10:33:30 +02:00
Werner Koch
569fa67277
build: Allow running sign-release target from the dist dir.
--

This is a kludge to avoid a new configure run only to then cd down do
dist.  Just cd to dist and run make sign-release.

(cherry picked from commit 178e4eb6555e3dffcae3eda1b45c1dbf1d87c103)
2021-05-04 10:27:54 +02:00
Kirill Elagin
6c4216094e
scd: Fix unblock PIN by a Reset Code with KDF.
* scd/app-openpgp.c (do_change_pin): Use correct CHVNO=1 for
pin2hash_if_kdf, for user's PIN.

--

GnuPG-bug-id: 5413
Signed-off-by: Kirill Elagin <kirelagin@gmail.com>
(cherry picked from commit f209d7d2db0e963a6ad1fa8c4f0c034ba0297842)
2021-05-04 10:27:32 +02:00
Werner Koch
22fe23f46d
gpg: Fix mailbox based search via AKL keyserver method.
* g10/keyserver.c (keyserver_import_name): Rename to ...
(keyserver_import_mbox): this.  And use mail search mode.
* g10/getkey.c (get_pubkey_byname): Change the two callers.
--

In contrast to a search via keyserver_import_ntds the older
keyserver_import_name used a full match of the provided name despite
that it is only called with an addr-spec (mbox).  Due to the mode the
pattern send to dirmngr was prefixed with a '=' and thus dirmngr used
an exact search;.  This did only work for provided user ids like
"foo@example.org" but not for "<foo@example.org>" or
"Foo <foo@xample.org>".  The old code dates back to 2010.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4fcfac6feb2a6c2b14883ba406afc917e8d4be42)
2021-05-04 10:23:20 +02:00
Werner Koch
e7251be84c
gpg: Auto import keys specified with --trusted-keys.
* g10/getkey.c (get_pubkey_with_ldap_fallback): New.
* g10/trustdb.c (verify_own_keys): Use it.

(cherry picked from commit 100037ac0f558e8959fc065d4703c85c2962489e)
2021-05-04 10:21:14 +02:00
Werner Koch
e53f603728
gpg: Allow decryption w/o public key but with correct card inserted.
* agent/command.c (cmd_readkey): Add option --no-data and special
handling for $SIGNKEYID and $AUTHKEYID.
* g10/call-agent.c (agent_scd_getattr): Create shadow keys for KEY-FPR
output.
* g10/skclist.c (enum_secret_keys): Automagically get a missing public
key for the current card.

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 50293ec2ebf2a997dbad9a47166d694efcc0709a)
2021-05-04 10:06:57 +02:00
Werner Koch
79e8ea100d
speedo: Automatically select Authenticode signing cert.
--

This is required because GlobalSign re-issued the certificate (which
actually required to install InternetExploder in addition to Edge) and
now we have two certs to select from.  The /a option seems to use the
latest generated certificate.

(cherry picked from commit 4237a2b0a50999885c1577d27419ef8c49cd32db)
2021-05-04 08:44:02 +02:00
Werner Koch
aa612d752e
agent: Silence error messages for READKEY --card
* agent/command.c (cmd_readkey): Test for shadow key before creating
it.

(cherry picked from commit 8f2c9cb73538baab7da8107f2cceb2f6fc49642a)
2021-05-04 08:42:51 +02:00
Werner Koch
2af217ecd7
gpg: Allow fingerprint based lookup with --locate-external-key.
* g10/keyserver.c (keyserver_import_fprint_ntds): New.
* g10/getkey.c (get_pubkey_byname): Detect an attempt to search by
fingerprint in no_local mode.
--

See the man page.  For testing use

  gpg --auto-key-locate local,wkd,keyserver --locate-external-key  \
    FINGERPRINT

with at least one LDAP keyserver given in dirmngr.conf.  On Windows
"ntds" may be used instead or in addtion to "keyserver".

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ec36eca08cdbf6653e7362e8e0e6c5f2c75b4a60)
2021-05-03 20:53:15 +02:00
Werner Koch
b59af0e2a0
gpg: Lookup a missing public key of the current card via LDAP.
* g10/getkey.c (get_seckey_default_or_card): Lookup a missing public
key from the current card via LDAP.
* g10/call-dirmngr.c: Include keyserver-intetnal.h.
(gpg_dirmngr_ks_get): Rename arg quick into flags.  Take care of the
new LDAP flag.
* g10/keyserver-internal.h (KEYSERVER_IMPORT_FLAG_QUICK): New.
Replace the use of the value 1 for the former quick arg.
(KEYSERVER_IMPORT_FLAG_LDAP): New.
* g10/keyserver.c (keyserver_get_chunk): Increase the reserved line
length.
* dirmngr/ks-action.c (ks_action_get): Add arg ldap_only.
* dirmngr/server.c (cmd_ks_get): Add option --ldap.
--

This change makes it easy to start working with gnupg: Just insert the
smartcard or token provided to you and the first time you sign a
message the public key associated with the current card will be
imported and everything is set without any configuration.

This works only with an LDAP directory because it can be expected that
the public key has been put into the LDAP during card personalization.
Of course an LDAP server needs to be configured; in a Windows AD
domain this can be a mere "keyserver ldap:///" in dirmngr.conf.  Other
configured keyservers are ignored.

Requirements for the card driver: The $SIGNKEYID attribute must exists
and a query for the KEY-FPR attribute needs to return the OpenPGP
fingerprint for that key.  This is currently supported for OpenPGP
cards and certain PKCS#15 cards.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d7e707170fbe2956deb3d81e2802d21352079722)
2021-05-03 20:28:33 +02:00