aboutsummaryrefslogtreecommitdiffstats
path: root/dirmngr
diff options
context:
space:
mode:
authorWerner Koch <[email protected]>2015-04-23 13:42:56 +0000
committerWerner Koch <[email protected]>2015-04-23 13:52:39 +0000
commit154f3ed2bf64de801ae0f9796338a2767ec6357b (patch)
tree064311a8189256ab5b8354409fb53e5a1ffa2b43 /dirmngr
parentcommon: Minor change of hex2str to allow for embedded nul. (diff)
downloadgnupg-154f3ed2bf64de801ae0f9796338a2767ec6357b.tar.gz
gnupg-154f3ed2bf64de801ae0f9796338a2767ec6357b.zip
gpg: Move all DNS access to Dirmngr.
* common/dns-cert.h: Move to ../dirmngr/. * common/dns-cert.c: Move to ../dirmngr/. Change args to return the key as a buffer. * common/t-dns-cert.c: Move to ../dirmngr/. * common/pka.c, common/pka.h, common/t-pka.c: Remove. * dirmngr/server.c (data_line_cookie_write): Factor code out to data_line_write and make it a wrapper for that. (data_line_write): New. (cmd_dns_cert): New. (register_commands): Register new command. * g10/Makefile.am (LDADD): Remove DNSLIBS. * g10/call-dirmngr.c (dns_cert_parm_s): New. (dns_cert_data_cb, dns_cert_status_cb): New. (gpg_dirmngr_dns_cert): New. (gpg_dirmngr_get_pka): New. * g10/gpgv.c (gpg_dirmngr_get_pka): New dummy function. * g10/keyserver.c (keyserver_import_cert): Replace get_dns_cert by gpg_dirmngr_dns_cert. (keyserver_import_pka): Replace get_pka_info by gpg_dirmngr_get_pka. * g10/mainproc.c: Include call-dirmngr.h. (pka_uri_from_sig): Add CTX arg. Replace get_pka_info by gpg_dirmngr_get_pka. -- With this patch gpg does not do any network access itself but uses dirmngr for that. Note that we need to keep linking to NETLIBS due to the logging code and because we need TCP for our socket emulation under Windows. Probably also required for Solaris etc. Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'dirmngr')
-rw-r--r--dirmngr/Makefile.am6
-rw-r--r--dirmngr/dns-cert.c382
-rw-r--r--dirmngr/dns-cert.h55
-rw-r--r--dirmngr/server.c189
-rw-r--r--dirmngr/t-dns-cert.c93
5 files changed, 711 insertions, 14 deletions
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index 906fe37eb..cee777a6a 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -61,6 +61,7 @@ dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \
certcache.c certcache.h \
cdb.h cdblib.c misc.c dirmngr-err.h \
ocsp.c ocsp.h validate.c validate.h \
+ dns-cert.c dns-cert.h \
ks-action.c ks-action.h ks-engine.h \
ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c
@@ -113,7 +114,7 @@ t_common_ldadd = $(libcommontls) $(libcommon) no-libgcrypt.o \
$(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) \
$(DNSLIBS) $(LIBINTL) $(LIBICONV)
-module_tests =
+module_tests = t-dns-cert
if USE_LDAP
module_tests += t-ldap-parse-uri
@@ -124,4 +125,7 @@ t_ldap_parse_uri_SOURCES = \
$(ldap_url) $(t_common_src)
t_ldap_parse_uri_LDADD = $(ldaplibs) $(t_common_ldadd)
+t_dns_cert_SOURCES = t-dns-cert.c dns-cert.c
+t_dns_cert_LDADD = $(t_common_ldadd)
+
$(PROGRAMS) : $(libcommon) $(libcommonpth) $(libcommontls) $(libcommontlsnpth)
diff --git a/dirmngr/dns-cert.c b/dirmngr/dns-cert.c
new file mode 100644
index 000000000..de523b5f2
--- /dev/null
+++ b/dirmngr/dns-cert.c
@@ -0,0 +1,382 @@
+/* dns-cert.c - DNS CERT code (rfc-4398)
+ * Copyright (C) 2005, 2006, 2009 Free Software Foundation, Inc.
+ *
+ * This file is part of GNUPG.
+ *
+ * This file is free software; you can redistribute it and/or modify
+ * it under the terms of either
+ *
+ * - the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at
+ * your option) any later version.
+ *
+ * or
+ *
+ * - the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * or both in parallel, as here.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <sys/types.h>
+#ifdef USE_DNS_CERT
+# ifdef HAVE_W32_SYSTEM
+# ifdef HAVE_WINSOCK2_H
+# include <winsock2.h>
+# endif
+# include <windows.h>
+# else
+# include <netinet/in.h>
+# include <arpa/nameser.h>
+# include <resolv.h>
+# endif
+# include <string.h>
+#endif
+#ifdef USE_ADNS
+# include <adns.h>
+#endif
+
+#include "util.h"
+#include "host2net.h"
+#include "dns-cert.h"
+
+/* Not every installation has gotten around to supporting CERTs
+ yet... */
+#ifndef T_CERT
+#define T_CERT 37
+#endif
+
+/* ADNS has no support for CERT yet. */
+#define my_adns_r_cert 37
+
+
+
+/* Returns 0 on success or an error code. If a PGP CERT record was
+ found, the malloced data is returned at (R_KEY, R_KEYLEN) and
+ the other return parameters are set to NULL/0. If an IPGP CERT
+ record was found the fingerprint is stored as an allocated block at
+ R_FPR and its length at R_FPRLEN; an URL is is allocated as a
+ string and returned at R_URL. If WANT_CERTTYPE is 0 this function
+ returns the first CERT found with a supported type; it is expected
+ that only one CERT record is used. If WANT_CERTTYPE is one of the
+ supported certtypes only records wih this certtype are considered
+ and the first found is returned. (R_KEY,R_KEYLEN) are optional. */
+gpg_error_t
+get_dns_cert (const char *name, int want_certtype,
+ void **r_key, size_t *r_keylen,
+ unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
+{
+#ifdef USE_DNS_CERT
+#ifdef USE_ADNS
+ gpg_error_t err;
+ adns_state state;
+ adns_answer *answer = NULL;
+ unsigned int ctype;
+ int count;
+
+ if (r_key)
+ *r_key = NULL;
+ if (r_keylen)
+ *r_keylen = 0;
+ *r_fpr = NULL;
+ *r_fprlen = 0;
+ *r_url = NULL;
+
+ if (adns_init (&state, adns_if_noerrprint, NULL))
+ {
+ err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+ log_error ("error initializing adns: %s\n", strerror (errno));
+ return err;
+ }
+
+ if (adns_synchronous (state, name, (adns_r_unknown | my_adns_r_cert),
+ adns_qf_quoteok_query, &answer))
+ {
+ err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+ /* log_error ("DNS query failed: %s\n", strerror (errno)); */
+ adns_finish (state);
+ return err;
+ }
+ if (answer->status != adns_s_ok)
+ {
+ /* log_error ("DNS query returned an error: %s (%s)\n", */
+ /* adns_strerror (answer->status), */
+ /* adns_errabbrev (answer->status)); */
+ err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
+ goto leave;
+ }
+
+ err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
+ for (count = 0; count < answer->nrrs; count++)
+ {
+ int datalen = answer->rrs.byteblock[count].len;
+ const unsigned char *data = answer->rrs.byteblock[count].data;
+
+ if (datalen < 5)
+ continue; /* Truncated CERT record - skip. */
+
+ ctype = buf16_to_uint (data);
+ /* (key tag and algorithm fields are not required.) */
+ data += 5;
+ datalen -= 5;
+
+ if (want_certtype && want_certtype != ctype)
+ ; /* Not of the requested certtype. */
+ else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key && r_keylen)
+ {
+ /* CERT type is PGP. Gpg checks for a minimum length of 11,
+ thus we do the same. */
+ *r_key = xtrymalloc (datalen);
+ if (!*r_key)
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ else
+ {
+ memcpy (*r_key, data, datalen);
+ *r_keylen = datalen;
+ err = 0;
+ }
+ goto leave;
+ }
+ else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023
+ && datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url)
+ {
+ /* CERT type is IPGP. We made sure that the data is
+ plausible and that the caller requested this
+ information. */
+ *r_fprlen = data[0];
+ if (*r_fprlen)
+ {
+ *r_fpr = xtrymalloc (*r_fprlen);
+ if (!*r_fpr)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ goto leave;
+ }
+ memcpy (*r_fpr, data + 1, *r_fprlen);
+ }
+ else
+ *r_fpr = NULL;
+
+ if (datalen > *r_fprlen + 1)
+ {
+ *r_url = xtrymalloc (datalen - (*r_fprlen + 1) + 1);
+ if (!*r_url)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ xfree (*r_fpr);
+ *r_fpr = NULL;
+ goto leave;
+ }
+ memcpy (*r_url,
+ data + (*r_fprlen + 1), datalen - (*r_fprlen + 1));
+ (*r_url)[datalen - (*r_fprlen + 1)] = '\0';
+ }
+ else
+ *r_url = NULL;
+
+ err = 0;
+ goto leave;
+ }
+ }
+
+ leave:
+ adns_free (answer);
+ adns_finish (state);
+ return err;
+
+#else /*!USE_ADNS*/
+
+ gpg_error_t err;
+ unsigned char *answer;
+ int r;
+ u16 count;
+
+ if (r_key)
+ *r_key = NULL;
+ if (r_keylen)
+ *r_keylen = 0;
+ *r_fpr = NULL;
+ *r_fprlen = 0;
+ *r_url = NULL;
+
+ /* Allocate a 64k buffer which is the limit for an DNS response. */
+ answer = xtrymalloc (65536);
+ if (!answer)
+ return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+
+ err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
+
+ r = res_query (name, C_IN, T_CERT, answer, 65536);
+ /* Not too big, not too small, no errors and at least 1 answer. */
+ if (r >= sizeof (HEADER) && r <= 65536
+ && (((HEADER *) answer)->rcode) == NOERROR
+ && (count = ntohs (((HEADER *) answer)->ancount)))
+ {
+ int rc;
+ unsigned char *pt, *emsg;
+
+ emsg = &answer[r];
+
+ pt = &answer[sizeof (HEADER)];
+
+ /* Skip over the query */
+
+ rc = dn_skipname (pt, emsg);
+ if (rc == -1)
+ {
+ err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ);
+ goto leave;
+ }
+ pt += rc + QFIXEDSZ;
+
+ /* There are several possible response types for a CERT request.
+ We're interested in the PGP (a key) and IPGP (a URI) types.
+ Skip all others. TODO: A key is better than a URI since
+ we've gone through all this bother to fetch it, so favor that
+ if we have both PGP and IPGP? */
+
+ while (count-- > 0 && pt < emsg)
+ {
+ u16 type, class, dlen, ctype;
+
+ rc = dn_skipname (pt, emsg); /* the name we just queried for */
+ if (rc == -1)
+ {
+ err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ);
+ goto leave;
+ }
+
+ pt += rc;
+
+ /* Truncated message? 15 bytes takes us to the point where
+ we start looking at the ctype. */
+ if ((emsg - pt) < 15)
+ break;
+
+ type = buf16_to_u16 (pt);
+ pt += 2;
+
+ class = buf16_to_u16 (pt);
+ pt += 2;
+
+ if (class != C_IN)
+ break;
+
+ /* ttl */
+ pt += 4;
+
+ /* data length */
+ dlen = buf16_to_u16 (pt);
+ pt += 2;
+
+ /* We asked for CERT and got something else - might be a
+ CNAME, so loop around again. */
+ if (type != T_CERT)
+ {
+ pt += dlen;
+ continue;
+ }
+
+ /* The CERT type */
+ ctype = buf16_to_u16 (pt);
+ pt += 2;
+
+ /* Skip the CERT key tag and algo which we don't need. */
+ pt += 3;
+
+ dlen -= 5;
+
+ /* 15 bytes takes us to here */
+ if (want_certtype && want_certtype != ctype)
+ ; /* Not of the requested certtype. */
+ else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key && r_keylen)
+ {
+ /* PGP type */
+ *r_key = xtrymalloc (dlen);
+ if (!*r_key)
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ else
+ {
+ memcpy (*r_key, pt, dlen);
+ *r_keylen = dlen;
+ err = 0;
+ }
+ goto leave;
+ }
+ else if (ctype == DNS_CERTTYPE_IPGP
+ && dlen && dlen < 1023 && dlen >= pt[0] + 1)
+ {
+ /* IPGP type */
+ *r_fprlen = pt[0];
+ if (*r_fprlen)
+ {
+ *r_fpr = xtrymalloc (*r_fprlen);
+ if (!*r_fpr)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ goto leave;
+ }
+ memcpy (*r_fpr, &pt[1], *r_fprlen);
+ }
+ else
+ *r_fpr = NULL;
+
+ if (dlen > *r_fprlen + 1)
+ {
+ *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1);
+ if (!*r_fpr)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ xfree (*r_fpr);
+ *r_fpr = NULL;
+ goto leave;
+ }
+ memcpy (*r_url, &pt[*r_fprlen + 1], dlen - (*r_fprlen + 1));
+ (*r_url)[dlen - (*r_fprlen + 1)] = '\0';
+ }
+ else
+ *r_url = NULL;
+
+ err = 0;
+ goto leave;
+ }
+
+ /* Neither type matches, so go around to the next answer. */
+ pt += dlen;
+ }
+ }
+
+ leave:
+ xfree (answer);
+ return err;
+
+#endif /*!USE_ADNS */
+#else /* !USE_DNS_CERT */
+ (void)name;
+ if (r_key)
+ *r_key = NULL;
+ if (r_keylen)
+ *r_keylen = NULL;
+ *r_fpr = NULL;
+ *r_fprlen = 0;
+ *r_url = NULL;
+
+ return gpg_err_make (default_errsource, GPG_ERR_NOT_SUPPORTED);
+#endif
+}
diff --git a/dirmngr/dns-cert.h b/dirmngr/dns-cert.h
new file mode 100644
index 000000000..5a579ec1f
--- /dev/null
+++ b/dirmngr/dns-cert.h
@@ -0,0 +1,55 @@
+/* dns-cert.h - DNS CERT definition
+ * Copyright (C) 2006 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * This file is free software; you can redistribute it and/or modify
+ * it under the terms of either
+ *
+ * - the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at
+ * your option) any later version.
+ *
+ * or
+ *
+ * - the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * or both in parallel, as here.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef GNUPG_DIRMNGR_DNS_CERT_H
+#define GNUPG_DIRMNGR_DNS_CERT_H
+
+
+#define DNS_CERTTYPE_ANY 0 /* Internal catch all type. */
+/* Certificate types according to RFC-4398: */
+#define DNS_CERTTYPE_PKIX 1 /* X.509 as per PKIX. */
+#define DNS_CERTTYPE_SPKI 2 /* SPKI certificate. */
+#define DNS_CERTTYPE_PGP 3 /* OpenPGP packet. */
+#define DNS_CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */
+#define DNS_CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */
+#define DNS_CERTTYPE_IPGP 6 /* The fingerprint
+ and URL of an OpenPGP packet. */
+#define DNS_CERTTYPE_ACPKIX 7 /* Attribute Certificate. */
+#define DNS_CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */
+#define DNS_CERTTYPE_URI 253 /* URI private. */
+#define DNS_CERTTYPE_OID 254 /* OID private. */
+
+
+gpg_error_t get_dns_cert (const char *name, int want_certtype,
+ void **r_key, size_t *r_keylen,
+ unsigned char **r_fpr, size_t *r_fprlen,
+ char **r_url);
+
+
+
+#endif /*GNUPG_DIRMNGR_DNS_CERT_H*/
diff --git a/dirmngr/server.c b/dirmngr/server.c
index c0f63ac7d..df6c66fcc 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -51,6 +51,8 @@
#if USE_LDAP
# include "ldap-parse-uri.h"
#endif
+#include "dns-cert.h"
+#include "mbox-util.h"
/* To avoid DoS attacks we limit the size of a certificate to
something reasonable. */
@@ -150,13 +152,14 @@ leave_cmd (assuan_context_t ctx, gpg_error_t err)
return err;
}
-/* A write handler used by es_fopencookie to write assuan data
- lines. */
-static ssize_t
-data_line_cookie_write (void *cookie, const void *buffer_arg, size_t size)
+
+/* This is a wrapper around assuan_send_data which makes debugging the
+ output in verbose mode easier. */
+static gpg_error_t
+data_line_write (assuan_context_t ctx, const void *buffer_arg, size_t size)
{
- assuan_context_t ctx = cookie;
const char *buffer = buffer_arg;
+ gpg_error_t err;
if (opt.verbose && buffer && size)
{
@@ -169,33 +172,49 @@ data_line_cookie_write (void *cookie, const void *buffer_arg, size_t size)
{
p = memchr (buffer, '\n', nbytes);
n = p ? (p - buffer) + 1 : nbytes;
- if (assuan_send_data (ctx, buffer, n))
+ err = assuan_send_data (ctx, buffer, n);
+ if (err)
{
gpg_err_set_errno (EIO);
- return -1;
+ return err;
}
buffer += n;
nbytes -= n;
- if (nbytes && assuan_send_data (ctx, NULL, 0)) /* Flush line. */
+ if (nbytes && (err=assuan_send_data (ctx, NULL, 0))) /* Flush line. */
{
gpg_err_set_errno (EIO);
- return -1;
+ return err;
}
}
while (nbytes);
}
else
{
- if (assuan_send_data (ctx, buffer, size))
+ err = assuan_send_data (ctx, buffer, size);
+ if (err)
{
- gpg_err_set_errno (EIO);
- return -1;
+ gpg_err_set_errno (EIO); /* For use by data_line_cookie_write. */
+ return err;
}
}
- return size;
+ return 0;
}
+
+/* A write handler used by es_fopencookie to write assuan data
+ lines. */
+static ssize_t
+data_line_cookie_write (void *cookie, const void *buffer, size_t size)
+{
+ assuan_context_t ctx = cookie;
+
+ if (data_line_write (ctx, buffer, size))
+ return -1;
+ return (ssize_t)size;
+}
+
+
static int
data_line_cookie_close (void *cookie)
{
@@ -609,6 +628,149 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
}
+
+static const char hlp_dns_cert[] =
+ "DNS_CERT <subtype> <name>\n"
+ "DNS_CERT --pka <user_id>\n"
+ "\n"
+ "Return the CERT record for <name>. <subtype> is one of\n"
+ " * Return the first record of any supported subtype\n"
+ " PGP Return the first record of subtype PGP (3)\n"
+ " IPGP Return the first record of subtype IPGP (6)\n"
+ "If the content of a certifciate is available (PGP) it is returned\n"
+ "by data lines. Fingerprints and URLs are returned via status lines.\n"
+ "In --pka mode the fingerprint and if available an URL is returned.";
+static gpg_error_t
+cmd_dns_cert (assuan_context_t ctx, char *line)
+{
+ /* ctrl_t ctrl = assuan_get_pointer (ctx); */
+ gpg_error_t err = 0;
+ int pka_mode;
+ char *mbox = NULL;
+ char *namebuf = NULL;
+ char *encodedhash = NULL;
+ const char *name;
+ int certtype;
+ char *p;
+ void *key = NULL;
+ size_t keylen;
+ unsigned char *fpr = NULL;
+ size_t fprlen;
+ char *url = NULL;
+
+ pka_mode = has_option (line, "--pka");
+ line = skip_options (line);
+ if (pka_mode)
+ ; /* No need to parse here - we do this later. */
+ else
+ {
+ p = strchr (line, ' ');
+ if (!p)
+ {
+ err = PARM_ERROR ("missing arguments");
+ goto leave;
+ }
+ *p++ = 0;
+ if (!strcmp (line, "*"))
+ certtype = DNS_CERTTYPE_ANY;
+ else if (!strcmp (line, "IPGP"))
+ certtype = DNS_CERTTYPE_IPGP;
+ else if (!strcmp (line, "PGP"))
+ certtype = DNS_CERTTYPE_PGP;
+ else
+ {
+ err = PARM_ERROR ("unknown subtype");
+ goto leave;
+ }
+ while (spacep (p))
+ p++;
+ line = p;
+ if (!*line)
+ {
+ err = PARM_ERROR ("name missing");
+ goto leave;
+ }
+ }
+
+ if (pka_mode)
+ {
+ char *domain; /* Points to mbox. */
+ char hashbuf[20];
+
+ mbox = mailbox_from_userid (line);
+ if (!mbox || !(domain = strchr (mbox, '@')))
+ {
+ err = set_error (GPG_ERR_INV_USER_ID, "no mailbox in user id");
+ goto leave;
+ }
+ *domain++ = 0;
+
+ gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
+ encodedhash = zb32_encode (hashbuf, 8*20);
+ if (!encodedhash)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ namebuf = strconcat (encodedhash, "._pka.", domain, NULL);
+ if (!namebuf)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ name = namebuf;
+ certtype = DNS_CERTTYPE_IPGP;
+ }
+ else
+ name = line;
+
+ err = get_dns_cert (name, certtype, &key, &keylen, &fpr, &fprlen, &url);
+ if (err)
+ goto leave;
+
+ if (key)
+ {
+ err = data_line_write (ctx, key, keylen);
+ if (err)
+ goto leave;
+ }
+
+ if (fpr)
+ {
+ char *tmpstr;
+
+ tmpstr = bin2hex (fpr, fprlen, NULL);
+ if (!tmpstr)
+ err = gpg_error_from_syserror ();
+ else
+ {
+ err = assuan_write_status (ctx, "FPR", tmpstr);
+ xfree (tmpstr);
+ }
+ if (err)
+ goto leave;
+ }
+
+ if (url)
+ {
+ err = assuan_write_status (ctx, "URL", url);
+ if (err)
+ goto leave;
+ }
+
+
+ leave:
+ xfree (key);
+ xfree (fpr);
+ xfree (url);
+ xfree (mbox);
+ xfree (namebuf);
+ xfree (encodedhash);
+ return leave_cmd (ctx, err);
+}
+
+
+
static const char hlp_ldapserver[] =
"LDAPSERVER <data>\n"
"\n"
@@ -1919,6 +2081,7 @@ register_commands (assuan_context_t ctx)
assuan_handler_t handler;
const char * const help;
} table[] = {
+ { "DNS_CERT", cmd_dns_cert, hlp_dns_cert },
{ "LDAPSERVER", cmd_ldapserver, hlp_ldapserver },
{ "ISVALID", cmd_isvalid, hlp_isvalid },
{ "CHECKCRL", cmd_checkcrl, hlp_checkcrl },
diff --git a/dirmngr/t-dns-cert.c b/dirmngr/t-dns-cert.c
new file mode 100644
index 000000000..61536c566
--- /dev/null
+++ b/dirmngr/t-dns-cert.c
@@ -0,0 +1,93 @@
+/* t-dns-cert.c - Module test for dns-cert.c
+ * Copyright (C) 2011 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#include "util.h"
+#include "dns-cert.h"
+
+
+int
+main (int argc, char **argv)
+{
+ gpg_error_t err;
+ unsigned char *fpr;
+ size_t fpr_len;
+ char *url;
+ void *key;
+ size_t keylen;
+ char const *name;
+
+ if (argc)
+ {
+ argc--;
+ argv++;
+ }
+
+ if (!argc)
+ name = "simon.josefsson.org";
+ else if (argc == 1)
+ name = *argv;
+ else
+ {
+ fputs ("usage: t-dns-cert [name]\n", stderr);
+ return 1;
+ }
+
+ printf ("CERT lookup on '%s'\n", name);
+
+ err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &keylen,
+ &fpr, &fpr_len, &url);
+ if (err)
+ printf ("get_dns_cert failed: %s <%s>\n",
+ gpg_strerror (err), gpg_strsource (err));
+ else if (key)
+ {
+ printf ("Key found (%u bytes)\n", (unsigned int)keylen);
+ }
+ else
+ {
+ if (fpr)
+ {
+ int i;
+
+ printf ("Fingerprint found (%d bytes): ", (int)fpr_len);
+ for (i = 0; i < fpr_len; i++)
+ printf ("%02X", fpr[i]);
+ putchar ('\n');
+ }
+ else
+ printf ("No fingerprint found\n");
+
+ if (url)
+ printf ("URL found: %s\n", url);
+ else
+ printf ("No URL found\n");
+
+ }
+
+ xfree (key);
+ xfree (fpr);
+ xfree (url);
+
+ return 0;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-12 05:09:58 +0000