-rw-r--r-- | dirmngr/ks-action.c | 6 | ||||
-rw-r--r-- | dirmngr/ks-action.h | 2 | ||||
-rw-r--r-- | dirmngr/ks-engine-ldap.c | 112 | ||||
-rw-r--r-- | dirmngr/ks-engine.h | 2 | ||||
-rw-r--r-- | dirmngr/server.c | 7 | ||||
-rw-r--r-- | g10/sign.c | 2 |
6 files changed, 114 insertions, 17 deletions
diff --git a/dirmngr/ks-action.c b/dirmngr/ks-action.c index 6be2072e9..dd1865d4f 100644 --- a/dirmngr/ks-action.c +++ b/dirmngr/ks-action.c @@ -551,7 +551,7 @@ ks_action_put (ctrl_t ctrl, uri_item_t keyservers, /* Delete an OpenPGP key from all KEYSERVERS which use LDAP. The key * is specifified by PATTERNS. */ gpg_error_t -ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) +ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t fprlist) { gpg_error_t err = 0; gpg_error_t first_err = 0; @@ -567,7 +567,7 @@ ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) || uri->parsed_uri->opaque ) { any_server = 1; - err = ks_ldap_del (ctrl, uri->parsed_uri, patterns); + err = ks_ldap_del (ctrl, uri->parsed_uri, fprlist); if (err && !first_err) first_err = err; } @@ -575,7 +575,7 @@ ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) } if (!any_server) - err = gpg_error (GPG_ERR_NO_KEYSERVER); /* Actual: No LDAP keyserver */ + err = gpg_error (GPG_ERR_NO_KEYSERVER); /* No LDAP keyserver */ else if (!err && first_err) err = first_err; return err; diff --git a/dirmngr/ks-action.h b/dirmngr/ks-action.h index d222d6afe..0df497266 100644 --- a/dirmngr/ks-action.h +++ b/dirmngr/ks-action.h @@ -34,7 +34,7 @@ gpg_error_t ks_action_put (ctrl_t ctrl, uri_item_t keyservers, void *data, size_t datalen, void *info, size_t infolen); gpg_error_t ks_action_del (ctrl_t ctrl, uri_item_t keyservers, - strlist_t patterns); + strlist_t fprlist); gpg_error_t ks_action_query (ctrl_t ctrl, const char *ldapserver, unsigned int ks_get_flags, const char *filter, char **attr, diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index ff4f005f4..9bb604707 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c 
@@ -3048,15 +3048,113 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, } -/* Delete the keys given by PATTERNS from the keyserver identified by - * URI. */ +/* Delete the keys given by the list of fingerprints in FPRLIST from + * the keyserver identified by URI. The function stops at the first + * error encountered. */ gpg_error_t -ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t patterns) +ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist) { - (void)ctrl; - (void)uri; - (void)patterns; - return gpg_error (GPG_ERR_NOT_IMPLEMENTED); + gpg_error_t err = 0; + int ldap_err; + unsigned int serverinfo; + LDAP *ldap_conn = NULL; + char *basedn = NULL; + char *dn = NULL; + strlist_t fpr; + unsigned int count = 0; + unsigned int totalcount = 0; + + if (dirmngr_use_tor ()) + { + return no_ldap_due_to_tor (ctrl); + } + + for (fpr = fprlist; fpr; fpr = fpr->next) + totalcount++; + + err = my_ldap_connect (uri, 0, &ldap_conn, &basedn, NULL, NULL, &serverinfo); + if (err || !basedn) + { + if(opt.verbose) + log_info ("%s: connecting to server failed\n", __func__); + if (!err) + err = gpg_error (GPG_ERR_GENERAL); /* (no baseDN) */ + goto leave; + } + + if (!(serverinfo & SERVERINFO_REALLDAP)) + { + if(opt.verbose) + log_info ("%s: The PGP.com keyserver is not supported\n", __func__); + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + goto leave; + } + + if (!(serverinfo & SERVERINFO_SCHEMAV2)) + { + if(opt.verbose) + log_info ("%s: The keyserver does not support the v2 schema\n", + __func__); + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + goto leave; + } + + if (opt.verbose) + log_info ("%s: Using DN: %s,%s\n", __func__, + (serverinfo & SERVERINFO_NTDS)? "CN=<fingerprint>" + /* */ : "pgpCertID=<keyid>", + basedn); + for (fpr = fprlist; fpr; fpr = fpr->next) + { + if ((serverinfo & SERVERINFO_NTDS)) + { + xfree (dn); + dn = xtryasprintf ("CN=%s,%s", fpr->d, basedn); + } + else + { + unsigned int off; + + /* Simle method to get the keyID. 
Note that a v5 key + * (len>40) has the keyid at the left. If the length is + * less than 17 we assume a keyid has been given. */ + off = strlen (fpr->d); + if (off <= 40 && off > 16) + off = off - 16; + else + off = 0; + + xfree (dn); + dn = xtryasprintf ("pgpCertID=%.16s,%s", fpr->d+off, basedn); + } + + npth_unprotect (); + ldap_err = ldap_delete_ext_s (ldap_conn, dn, NULL, NULL); + npth_protect (); + if (ldap_err == LDAP_SUCCESS) + { + if (opt.verbose) + log_info ("%s: key %s deleted\n", __func__, fpr->d); + count++; + } + else + { + log_error ("%s: error deleting key %s: %s\n", + __func__, fpr->d, ldap_err2string (ldap_err)); + err = ldap_err_to_gpg_err (ldap_err); + break; /* Stop at the first failed deletion. */ + } + } + log_info ("%s: number of keys deleted: %u of %u\n", + __func__, count, totalcount); + + + leave: + if (ldap_conn) + ldap_unbind (ldap_conn); + xfree (dn); + xfree (basedn); + return err; } diff --git a/dirmngr/ks-engine.h b/dirmngr/ks-engine.h index dfc626d56..005d07490 100644 --- a/dirmngr/ks-engine.h +++ b/dirmngr/ks-engine.h @@ -82,7 +82,7 @@ gpg_error_t ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, gpg_error_t ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, void *data, size_t datalen, void *info, size_t infolen); -gpg_error_t ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t patterns); +gpg_error_t ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist); gpg_error_t ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags, const char *filter, char **attrs, diff --git a/dirmngr/server.c b/dirmngr/server.c index 3ad939a6b..747d0a914 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c 
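Review bot: In the new ks_ldap_del body each fpr->d is interpolated verbatim into a DN (`dn = xtryasprintf ("CN=%s,%s", fpr->d, basedn)` and the pgpCertID variant) without any check that it is a hex string, even though KS_DEL's arguments come from the Assuan client; a value containing `,`, `+`, `=` or other RFC 4514 special characters would alter the DN and could address a different entry than intended, so the fingerprint should be validated before the DN is built. The same loop never checks the xtryasprintf result, so on allocation failure a NULL dn reaches ldap_delete_ext_s. Both are cheap to fix at the top of the loop and after the DN construction; the `break` matches the existing stop-at-first-error behaviour. The client is presumably a local gpg process, which limits the exposure, but dirmngr should not rely on that.
```c
  for (fpr = fprlist; fpr; fpr = fpr->next)
    {
      /* FPR->D comes from the KS_DEL command line and ends up verbatim
       * in a DN, so accept only hex digits before building the DN.  */
      if (!*fpr->d
          || strspn (fpr->d, "0123456789abcdefABCDEF") != strlen (fpr->d))
        {
          log_error ("%s: invalid fingerprint '%s'\n", __func__, fpr->d);
          err = gpg_error (GPG_ERR_INV_ARG);
          break;
        }
      /* … unchanged: DN construction for NTDS / pgpCertID … */
      if (!dn)
        {
          err = gpg_error_from_syserror ();
          break;
        }
      /* … unchanged: ldap_delete_ext_s call and result handling … */
```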
@@ -2723,11 +2723,10 @@ cmd_ks_put (assuan_context_t ctx, char *line) static const char hlp_ks_del[] = - "KS_DEL --ldap {<pattern>}\n" + "KS_DEL --ldap {<fingerprints>}\n" "\n" - "Delete the keys matching PATTERN from the configured OpenPGP LDAP server\n" - "The pattern should be a fingerprint.\n" - "The option --ldap is mandatory.\n"; + "Delete the keys specified by primary keys FINGERPRINTS from the\n" + "configured OpenPGP LDAP server. The option --ldap is mandatory."; static gpg_error_t cmd_ks_del (assuan_context_t ctx, char *line) { diff --git a/g10/sign.c b/g10/sign.c index 1e8bd8f95..b3bda581c 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -825,7 +825,7 @@ write_onepass_sig_packets (SK_LIST sk_list, IOBUF out, int sigclass ) /* * Helper to write the plaintext (literal data) packet. At - * R_EXTRAHASH a malloced object with the with the extra data hashed + * R_EXTRAHASH a malloced object with the extra data hashed * into v5 signatures is stored. */ static int |
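Review bot: The new help text `"Delete the keys specified by primary keys FINGERPRINTS from the\n"` reads awkwardly; since the argument list is a set of primary-key fingerprints, `"Delete the keys whose primary key has one of the given FINGERPRINTS\n"` says the same thing more clearly. The help also no longer states what form a fingerprint must take, which the old text did in passing; a short sentence such as `"Each fingerprint must be given as a hex string.\n"` would make the expected input explicit for callers. The body of cmd_ks_del is outside this hunk, so whether the fingerprints are validated before being forwarded cannot be judged here.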