diff options
| author | Werner Koch <[email protected]> | 2021-02-02 18:53:21 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2021-02-02 18:53:21 +0000 |
| commit | 7f3ce66ec56a5aea6170b7eb1bda5626eb208c83 (patch) | |
| tree | 3d57f33c5290451c3034fa88eabed0ca2ca78678 /g10/mainproc.c | |
| parent | gpg: Remove more or less useless tool gpgcompose. (diff) | |
| download | gnupg-7f3ce66ec56a5aea6170b7eb1bda5626eb208c83.tar.gz gnupg-7f3ce66ec56a5aea6170b7eb1bda5626eb208c83.zip | |
gpg: Remove support for PKA.
* g10/gpg.c (oPrintPKARecords): Remove.
(opts): Remove --print-pka-records.
(main): Remove "pka-lookups","pka-trust-increase" and other PKA stuff.
* g10/options.h (EXPORT_DANE_FORMAT): Remove.
(VERIFY_PKA_LOOKUPS, VERIFY_PKA_TRUST_INCREASE): Remove.
(KEYSERVER_HONOR_PKA_RECORD): Remove.
* g10/packet.h (pka_info_t): Remove.
(PKT_signature): Remove flags.pka_tried and pka_info.
* g10/parse-packet.c (register_known_notation): Remove
"[email protected]".
* g10/pkclist.c (check_signatures_trust): Remove PKA stuff.
* g10/call-dirmngr.c (gpg_dirmngr_get_pka): Remove.
* g10/export.c (parse_export_options): Remove "export-pka".
(do_export): Adjust for this.
(write_keyblock_to_output): Ditto.
(do_export_stream): Ditto.
(print_pka_or_dane_records): Rename to ...
(print_dane_records): this and remove two args. Remove PKA printing.
* g10/free-packet.c (free_seckey_enc, cp_pka_info): Adjust for removed
pka_info field.
* g10/getkey.c (get_pubkey_byname): Make AKL_PKA a dummy.
* g10/keyserver.c: Remove "honor-pka-record".
(keyserver_import_pka): Remove.
* g10/mainproc.c (get_pka_address): Remove.
(pka_uri_from_sig): Remove.
(check_sig_and_print): Remove code for PKA.
--
PKA (Public Key Association) was a DNS based key discovery method
which looked up fingerprint by mail addresses in the DNS. This goes
back to the conference where DKIM was suggested to show that we
already had a better method for this available with PGP/MIME. PKA was
was later superseded by an experimental DANE method and is today not
anymore relevant. It is anyway doubtful whether PKA was ever widely
used.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to '')
| -rw-r--r-- | g10/mainproc.c | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/g10/mainproc.c b/g10/mainproc.c index ca6c24323..a75755ee3 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -1695,83 +1695,6 @@ do_proc_packets (CTX c, iobuf_t a) } -/* Helper for pka_uri_from_sig to parse the to-be-verified address out - of the notation data. */ -static pka_info_t * -get_pka_address (PKT_signature *sig) -{ - pka_info_t *pka = NULL; - struct notation *nd,*notation; - - notation=sig_to_notation(sig); - - for(nd=notation;nd;nd=nd->next) - { - if(strcmp(nd->name,"[email protected]")!=0) - continue; /* Not the notation we want. */ - - /* For now we only use the first valid PKA notation. In future - we might want to keep additional PKA notations in a linked - list. */ - if (is_valid_mailbox (nd->value)) - { - pka = xmalloc (sizeof *pka + strlen(nd->value)); - pka->valid = 0; - pka->checked = 0; - pka->uri = NULL; - strcpy (pka->email, nd->value); - break; - } - } - - free_notation(notation); - - return pka; -} - - -/* Return the URI from a DNS PKA record. If this record has already - be retrieved for the signature we merely return it; if not we go - out and try to get that DNS record. */ -static const char * -pka_uri_from_sig (CTX c, PKT_signature *sig) -{ - if (!sig->flags.pka_tried) - { - log_assert (!sig->pka_info); - sig->flags.pka_tried = 1; - sig->pka_info = get_pka_address (sig); - if (sig->pka_info) - { - char *url; - unsigned char *fpr; - size_t fprlen; - - if (!gpg_dirmngr_get_pka (c->ctrl, sig->pka_info->email, - &fpr, &fprlen, &url)) - { - if (fpr && fprlen == sizeof sig->pka_info->fpr) - { - memcpy (sig->pka_info->fpr, fpr, fprlen); - if (url) - { - sig->pka_info->valid = 1; - if (!*url) - xfree (url); - else - sig->pka_info->uri = url; - url = NULL; - } - } - xfree (fpr); - xfree (url); - } - } - } - return sig->pka_info? sig->pka_info->uri : NULL; -} - - /* Return true if the AKL has the WKD method specified. */ static int akl_has_wkd_method (void) @@ -2138,44 +2061,6 @@ check_sig_and_print (CTX c, kbnode_t node) log_debug ("lookup via %s failed: %s\n", "WKD", gpg_strerror (res)); } - /* If the avove methods didn't work, our next try is to use the URI - * from a DNS PKA record. This is a legacy method which will - * eventually be removed. */ - if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY - && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE) - && (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD)) - { - const char *uri = pka_uri_from_sig (c, sig); - - if (uri) - { - /* FIXME: We might want to locate the key using the - fingerprint instead of the keyid. */ - int res; - struct keyserver_spec *spec; - - spec = parse_keyserver_uri (uri, 1); - if (spec) - { - if (DBG_LOOKUP) - log_debug ("trying auto-key-retrieve method %s\n", "PKA"); - - free_public_key (pk); - pk = NULL; - glo_ctrl.in_auto_key_retrieve++; - res = keyserver_import_keyid (c->ctrl, sig->keyid, spec, 1); - glo_ctrl.in_auto_key_retrieve--; - free_keyserver_spec (spec); - if (!res) - rc = do_check_sig (c, node, extrahash, extrahashlen, NULL, - NULL, &is_expkey, &is_revkey, &pk); - else if (DBG_LOOKUP) - log_debug ("lookup via %s failed: %s\n", "PKA", - gpg_strerror (res)); - } - } - } - /* If the above methods didn't work, our next try is to locate * the key via its fingerprint from a keyserver. This requires * that the signers fingerprint is encoded in the signature. */ @@ -2466,8 +2351,6 @@ check_sig_and_print (CTX c, kbnode_t node) how to resolve a conflict. */ if (!rc) { - if ((opt.verify_options & VERIFY_PKA_LOOKUPS)) - pka_uri_from_sig (c, sig); /* Make sure PKA info is available. */ rc = check_signatures_trust (c->ctrl, keyblock, pk, sig); } |