aboutsummaryrefslogtreecommitdiffstats
path: root/dirmngr
diff options
context:
space:
mode:
Diffstat (limited to 'dirmngr')
-rw-r--r--dirmngr/Makefile.am6
-rw-r--r--dirmngr/dns-cert.c382
-rw-r--r--dirmngr/dns-cert.h55
-rw-r--r--dirmngr/server.c189
-rw-r--r--dirmngr/t-dns-cert.c93
5 files changed, 711 insertions, 14 deletions
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index 906fe37eb..cee777a6a 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -61,6 +61,7 @@ dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \
certcache.c certcache.h \
cdb.h cdblib.c misc.c dirmngr-err.h \
ocsp.c ocsp.h validate.c validate.h \
+ dns-cert.c dns-cert.h \
ks-action.c ks-action.h ks-engine.h \
ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c
@@ -113,7 +114,7 @@ t_common_ldadd = $(libcommontls) $(libcommon) no-libgcrypt.o \
$(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) \
$(DNSLIBS) $(LIBINTL) $(LIBICONV)
-module_tests =
+module_tests = t-dns-cert
if USE_LDAP
module_tests += t-ldap-parse-uri
@@ -124,4 +125,7 @@ t_ldap_parse_uri_SOURCES = \
$(ldap_url) $(t_common_src)
t_ldap_parse_uri_LDADD = $(ldaplibs) $(t_common_ldadd)
+t_dns_cert_SOURCES = t-dns-cert.c dns-cert.c
+t_dns_cert_LDADD = $(t_common_ldadd)
+
$(PROGRAMS) : $(libcommon) $(libcommonpth) $(libcommontls) $(libcommontlsnpth)
diff --git a/dirmngr/dns-cert.c b/dirmngr/dns-cert.c
new file mode 100644
index 000000000..de523b5f2
--- /dev/null
+++ b/dirmngr/dns-cert.c
@@ -0,0 +1,382 @@
+/* dns-cert.c - DNS CERT code (rfc-4398)
+ * Copyright (C) 2005, 2006, 2009 Free Software Foundation, Inc.
+ *
+ * This file is part of GNUPG.
+ *
+ * This file is free software; you can redistribute it and/or modify
+ * it under the terms of either
+ *
+ * - the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at
+ * your option) any later version.
+ *
+ * or
+ *
+ * - the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * or both in parallel, as here.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <sys/types.h>
+#ifdef USE_DNS_CERT
+# ifdef HAVE_W32_SYSTEM
+# ifdef HAVE_WINSOCK2_H
+# include <winsock2.h>
+# endif
+# include <windows.h>
+# else
+# include <netinet/in.h>
+# include <arpa/nameser.h>
+# include <resolv.h>
+# endif
+# include <string.h>
+#endif
+#ifdef USE_ADNS
+# include <adns.h>
+#endif
+
+#include "util.h"
+#include "host2net.h"
+#include "dns-cert.h"
+
+/* Not every installation has gotten around to supporting CERTs
+ yet... */
+#ifndef T_CERT
+#define T_CERT 37
+#endif
+
+/* ADNS has no support for CERT yet. */
+#define my_adns_r_cert 37
+
+
+
+/* Returns 0 on success or an error code. If a PGP CERT record was
+ found, the malloced data is returned at (R_KEY, R_KEYLEN) and
+ the other return parameters are set to NULL/0. If an IPGP CERT
+ record was found the fingerprint is stored as an allocated block at
+ R_FPR and its length at R_FPRLEN; an URL is is allocated as a
+ string and returned at R_URL. If WANT_CERTTYPE is 0 this function
+ returns the first CERT found with a supported type; it is expected
+ that only one CERT record is used. If WANT_CERTTYPE is one of the
+ supported certtypes only records wih this certtype are considered
+ and the first found is returned. (R_KEY,R_KEYLEN) are optional. */
+gpg_error_t
+get_dns_cert (const char *name, int want_certtype,
+ void **r_key, size_t *r_keylen,
+ unsigned char **r_fpr, size_t *r_fprlen, char **r_url)
+{
+#ifdef USE_DNS_CERT
+#ifdef USE_ADNS
+ gpg_error_t err;
+ adns_state state;
+ adns_answer *answer = NULL;
+ unsigned int ctype;
+ int count;
+
+ if (r_key)
+ *r_key = NULL;
+ if (r_keylen)
+ *r_keylen = 0;
+ *r_fpr = NULL;
+ *r_fprlen = 0;
+ *r_url = NULL;
+
+ if (adns_init (&state, adns_if_noerrprint, NULL))
+ {
+ err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+ log_error ("error initializing adns: %s\n", strerror (errno));
+ return err;
+ }
+
+ if (adns_synchronous (state, name, (adns_r_unknown | my_adns_r_cert),
+ adns_qf_quoteok_query, &answer))
+ {
+ err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+ /* log_error ("DNS query failed: %s\n", strerror (errno)); */
+ adns_finish (state);
+ return err;
+ }
+ if (answer->status != adns_s_ok)
+ {
+ /* log_error ("DNS query returned an error: %s (%s)\n", */
+ /* adns_strerror (answer->status), */
+ /* adns_errabbrev (answer->status)); */
+ err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
+ goto leave;
+ }
+
+ err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
+ for (count = 0; count < answer->nrrs; count++)
+ {
+ int datalen = answer->rrs.byteblock[count].len;
+ const unsigned char *data = answer->rrs.byteblock[count].data;
+
+ if (datalen < 5)
+ continue; /* Truncated CERT record - skip. */
+
+ ctype = buf16_to_uint (data);
+ /* (key tag and algorithm fields are not required.) */
+ data += 5;
+ datalen -= 5;
+
+ if (want_certtype && want_certtype != ctype)
+ ; /* Not of the requested certtype. */
+ else if (ctype == DNS_CERTTYPE_PGP && datalen >= 11 && r_key && r_keylen)
+ {
+ /* CERT type is PGP. Gpg checks for a minimum length of 11,
+ thus we do the same. */
+ *r_key = xtrymalloc (datalen);
+ if (!*r_key)
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ else
+ {
+ memcpy (*r_key, data, datalen);
+ *r_keylen = datalen;
+ err = 0;
+ }
+ goto leave;
+ }
+ else if (ctype == DNS_CERTTYPE_IPGP && datalen && datalen < 1023
+ && datalen >= data[0] + 1 && r_fpr && r_fprlen && r_url)
+ {
+ /* CERT type is IPGP. We made sure that the data is
+ plausible and that the caller requested this
+ information. */
+ *r_fprlen = data[0];
+ if (*r_fprlen)
+ {
+ *r_fpr = xtrymalloc (*r_fprlen);
+ if (!*r_fpr)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ goto leave;
+ }
+ memcpy (*r_fpr, data + 1, *r_fprlen);
+ }
+ else
+ *r_fpr = NULL;
+
+ if (datalen > *r_fprlen + 1)
+ {
+ *r_url = xtrymalloc (datalen - (*r_fprlen + 1) + 1);
+ if (!*r_url)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ xfree (*r_fpr);
+ *r_fpr = NULL;
+ goto leave;
+ }
+ memcpy (*r_url,
+ data + (*r_fprlen + 1), datalen - (*r_fprlen + 1));
+ (*r_url)[datalen - (*r_fprlen + 1)] = '\0';
+ }
+ else
+ *r_url = NULL;
+
+ err = 0;
+ goto leave;
+ }
+ }
+
+ leave:
+ adns_free (answer);
+ adns_finish (state);
+ return err;
+
+#else /*!USE_ADNS*/
+
+ gpg_error_t err;
+ unsigned char *answer;
+ int r;
+ u16 count;
+
+ if (r_key)
+ *r_key = NULL;
+ if (r_keylen)
+ *r_keylen = 0;
+ *r_fpr = NULL;
+ *r_fprlen = 0;
+ *r_url = NULL;
+
+ /* Allocate a 64k buffer which is the limit for an DNS response. */
+ answer = xtrymalloc (65536);
+ if (!answer)
+ return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+
+ err = gpg_err_make (default_errsource, GPG_ERR_NOT_FOUND);
+
+ r = res_query (name, C_IN, T_CERT, answer, 65536);
+ /* Not too big, not too small, no errors and at least 1 answer. */
+ if (r >= sizeof (HEADER) && r <= 65536
+ && (((HEADER *) answer)->rcode) == NOERROR
+ && (count = ntohs (((HEADER *) answer)->ancount)))
+ {
+ int rc;
+ unsigned char *pt, *emsg;
+
+ emsg = &answer[r];
+
+ pt = &answer[sizeof (HEADER)];
+
+ /* Skip over the query */
+
+ rc = dn_skipname (pt, emsg);
+ if (rc == -1)
+ {
+ err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ);
+ goto leave;
+ }
+ pt += rc + QFIXEDSZ;
+
+ /* There are several possible response types for a CERT request.
+ We're interested in the PGP (a key) and IPGP (a URI) types.
+ Skip all others. TODO: A key is better than a URI since
+ we've gone through all this bother to fetch it, so favor that
+ if we have both PGP and IPGP? */
+
+ while (count-- > 0 && pt < emsg)
+ {
+ u16 type, class, dlen, ctype;
+
+ rc = dn_skipname (pt, emsg); /* the name we just queried for */
+ if (rc == -1)
+ {
+ err = gpg_err_make (default_errsource, GPG_ERR_INV_OBJ);
+ goto leave;
+ }
+
+ pt += rc;
+
+ /* Truncated message? 15 bytes takes us to the point where
+ we start looking at the ctype. */
+ if ((emsg - pt) < 15)
+ break;
+
+ type = buf16_to_u16 (pt);
+ pt += 2;
+
+ class = buf16_to_u16 (pt);
+ pt += 2;
+
+ if (class != C_IN)
+ break;
+
+ /* ttl */
+ pt += 4;
+
+ /* data length */
+ dlen = buf16_to_u16 (pt);
+ pt += 2;
+
+ /* We asked for CERT and got something else - might be a
+ CNAME, so loop around again. */
+ if (type != T_CERT)
+ {
+ pt += dlen;
+ continue;
+ }
+
+ /* The CERT type */
+ ctype = buf16_to_u16 (pt);
+ pt += 2;
+
+ /* Skip the CERT key tag and algo which we don't need. */
+ pt += 3;
+
+ dlen -= 5;
+
+ /* 15 bytes takes us to here */
+ if (want_certtype && want_certtype != ctype)
+ ; /* Not of the requested certtype. */
+ else if (ctype == DNS_CERTTYPE_PGP && dlen && r_key && r_keylen)
+ {
+ /* PGP type */
+ *r_key = xtrymalloc (dlen);
+ if (!*r_key)
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ else
+ {
+ memcpy (*r_key, pt, dlen);
+ *r_keylen = dlen;
+ err = 0;
+ }
+ goto leave;
+ }
+ else if (ctype == DNS_CERTTYPE_IPGP
+ && dlen && dlen < 1023 && dlen >= pt[0] + 1)
+ {
+ /* IPGP type */
+ *r_fprlen = pt[0];
+ if (*r_fprlen)
+ {
+ *r_fpr = xtrymalloc (*r_fprlen);
+ if (!*r_fpr)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ goto leave;
+ }
+ memcpy (*r_fpr, &pt[1], *r_fprlen);
+ }
+ else
+ *r_fpr = NULL;
+
+ if (dlen > *r_fprlen + 1)
+ {
+ *r_url = xtrymalloc (dlen - (*r_fprlen + 1) + 1);
+ if (!*r_fpr)
+ {
+ err = gpg_err_make (default_errsource,
+ gpg_err_code_from_syserror ());
+ xfree (*r_fpr);
+ *r_fpr = NULL;
+ goto leave;
+ }
+ memcpy (*r_url, &pt[*r_fprlen + 1], dlen - (*r_fprlen + 1));
+ (*r_url)[dlen - (*r_fprlen + 1)] = '\0';
+ }
+ else
+ *r_url = NULL;
+
+ err = 0;
+ goto leave;
+ }
+
+ /* Neither type matches, so go around to the next answer. */
+ pt += dlen;
+ }
+ }
+
+ leave:
+ xfree (answer);
+ return err;
+
+#endif /*!USE_ADNS */
+#else /* !USE_DNS_CERT */
+ (void)name;
+ if (r_key)
+ *r_key = NULL;
+ if (r_keylen)
+ *r_keylen = NULL;
+ *r_fpr = NULL;
+ *r_fprlen = 0;
+ *r_url = NULL;
+
+ return gpg_err_make (default_errsource, GPG_ERR_NOT_SUPPORTED);
+#endif
+}
diff --git a/dirmngr/dns-cert.h b/dirmngr/dns-cert.h
new file mode 100644
index 000000000..5a579ec1f
--- /dev/null
+++ b/dirmngr/dns-cert.h
@@ -0,0 +1,55 @@
+/* dns-cert.h - DNS CERT definition
+ * Copyright (C) 2006 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * This file is free software; you can redistribute it and/or modify
+ * it under the terms of either
+ *
+ * - the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at
+ * your option) any later version.
+ *
+ * or
+ *
+ * - the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * or both in parallel, as here.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef GNUPG_DIRMNGR_DNS_CERT_H
+#define GNUPG_DIRMNGR_DNS_CERT_H
+
+
+#define DNS_CERTTYPE_ANY 0 /* Internal catch all type. */
+/* Certificate types according to RFC-4398: */
+#define DNS_CERTTYPE_PKIX 1 /* X.509 as per PKIX. */
+#define DNS_CERTTYPE_SPKI 2 /* SPKI certificate. */
+#define DNS_CERTTYPE_PGP 3 /* OpenPGP packet. */
+#define DNS_CERTTYPE_IPKIX 4 /* The URL of an X.509 data object. */
+#define DNS_CERTTYPE_ISPKI 5 /* The URL of an SPKI certificate. */
+#define DNS_CERTTYPE_IPGP 6 /* The fingerprint
+ and URL of an OpenPGP packet. */
+#define DNS_CERTTYPE_ACPKIX 7 /* Attribute Certificate. */
+#define DNS_CERTTYPE_IACPKIX 8 /* The URL of an Attribute Certificate. */
+#define DNS_CERTTYPE_URI 253 /* URI private. */
+#define DNS_CERTTYPE_OID 254 /* OID private. */
+
+
+gpg_error_t get_dns_cert (const char *name, int want_certtype,
+ void **r_key, size_t *r_keylen,
+ unsigned char **r_fpr, size_t *r_fprlen,
+ char **r_url);
+
+
+
+#endif /*GNUPG_DIRMNGR_DNS_CERT_H*/
diff --git a/dirmngr/server.c b/dirmngr/server.c
index c0f63ac7d..df6c66fcc 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -51,6 +51,8 @@
#if USE_LDAP
# include "ldap-parse-uri.h"
#endif
+#include "dns-cert.h"
+#include "mbox-util.h"
/* To avoid DoS attacks we limit the size of a certificate to
something reasonable. */
@@ -150,13 +152,14 @@ leave_cmd (assuan_context_t ctx, gpg_error_t err)
return err;
}
-/* A write handler used by es_fopencookie to write assuan data
- lines. */
-static ssize_t
-data_line_cookie_write (void *cookie, const void *buffer_arg, size_t size)
+
+/* This is a wrapper around assuan_send_data which makes debugging the
+ output in verbose mode easier. */
+static gpg_error_t
+data_line_write (assuan_context_t ctx, const void *buffer_arg, size_t size)
{
- assuan_context_t ctx = cookie;
const char *buffer = buffer_arg;
+ gpg_error_t err;
if (opt.verbose && buffer && size)
{
@@ -169,33 +172,49 @@ data_line_cookie_write (void *cookie, const void *buffer_arg, size_t size)
{
p = memchr (buffer, '\n', nbytes);
n = p ? (p - buffer) + 1 : nbytes;
- if (assuan_send_data (ctx, buffer, n))
+ err = assuan_send_data (ctx, buffer, n);
+ if (err)
{
gpg_err_set_errno (EIO);
- return -1;
+ return err;
}
buffer += n;
nbytes -= n;
- if (nbytes && assuan_send_data (ctx, NULL, 0)) /* Flush line. */
+ if (nbytes && (err=assuan_send_data (ctx, NULL, 0))) /* Flush line. */
{
gpg_err_set_errno (EIO);
- return -1;
+ return err;
}
}
while (nbytes);
}
else
{
- if (assuan_send_data (ctx, buffer, size))
+ err = assuan_send_data (ctx, buffer, size);
+ if (err)
{
- gpg_err_set_errno (EIO);
- return -1;
+ gpg_err_set_errno (EIO); /* For use by data_line_cookie_write. */
+ return err;
}
}
- return size;
+ return 0;
}
+
+/* A write handler used by es_fopencookie to write assuan data
+ lines. */
+static ssize_t
+data_line_cookie_write (void *cookie, const void *buffer, size_t size)
+{
+ assuan_context_t ctx = cookie;
+
+ if (data_line_write (ctx, buffer, size))
+ return -1;
+ return (ssize_t)size;
+}
+
+
static int
data_line_cookie_close (void *cookie)
{
@@ -609,6 +628,149 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
}
+
+static const char hlp_dns_cert[] =
+ "DNS_CERT <subtype> <name>\n"
+ "DNS_CERT --pka <user_id>\n"
+ "\n"
+ "Return the CERT record for <name>. <subtype> is one of\n"
+ " * Return the first record of any supported subtype\n"
+ " PGP Return the first record of subtype PGP (3)\n"
+ " IPGP Return the first record of subtype IPGP (6)\n"
+ "If the content of a certifciate is available (PGP) it is returned\n"
+ "by data lines. Fingerprints and URLs are returned via status lines.\n"
+ "In --pka mode the fingerprint and if available an URL is returned.";
+static gpg_error_t
+cmd_dns_cert (assuan_context_t ctx, char *line)
+{
+ /* ctrl_t ctrl = assuan_get_pointer (ctx); */
+ gpg_error_t err = 0;
+ int pka_mode;
+ char *mbox = NULL;
+ char *namebuf = NULL;
+ char *encodedhash = NULL;
+ const char *name;
+ int certtype;
+ char *p;
+ void *key = NULL;
+ size_t keylen;
+ unsigned char *fpr = NULL;
+ size_t fprlen;
+ char *url = NULL;
+
+ pka_mode = has_option (line, "--pka");
+ line = skip_options (line);
+ if (pka_mode)
+ ; /* No need to parse here - we do this later. */
+ else
+ {
+ p = strchr (line, ' ');
+ if (!p)
+ {
+ err = PARM_ERROR ("missing arguments");
+ goto leave;
+ }
+ *p++ = 0;
+ if (!strcmp (line, "*"))
+ certtype = DNS_CERTTYPE_ANY;
+ else if (!strcmp (line, "IPGP"))
+ certtype = DNS_CERTTYPE_IPGP;
+ else if (!strcmp (line, "PGP"))
+ certtype = DNS_CERTTYPE_PGP;
+ else
+ {
+ err = PARM_ERROR ("unknown subtype");
+ goto leave;
+ }
+ while (spacep (p))
+ p++;
+ line = p;
+ if (!*line)
+ {
+ err = PARM_ERROR ("name missing");
+ goto leave;
+ }
+ }
+
+ if (pka_mode)
+ {
+ char *domain; /* Points to mbox. */
+ char hashbuf[20];
+
+ mbox = mailbox_from_userid (line);
+ if (!mbox || !(domain = strchr (mbox, '@')))
+ {
+ err = set_error (GPG_ERR_INV_USER_ID, "no mailbox in user id");
+ goto leave;
+ }
+ *domain++ = 0;
+
+ gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
+ encodedhash = zb32_encode (hashbuf, 8*20);
+ if (!encodedhash)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ namebuf = strconcat (encodedhash, "._pka.", domain, NULL);
+ if (!namebuf)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ name = namebuf;
+ certtype = DNS_CERTTYPE_IPGP;
+ }
+ else
+ name = line;
+
+ err = get_dns_cert (name, certtype, &key, &keylen, &fpr, &fprlen, &url);
+ if (err)
+ goto leave;
+
+ if (key)
+ {
+ err = data_line_write (ctx, key, keylen);
+ if (err)
+ goto leave;
+ }
+
+ if (fpr)
+ {
+ char *tmpstr;
+
+ tmpstr = bin2hex (fpr, fprlen, NULL);
+ if (!tmpstr)
+ err = gpg_error_from_syserror ();
+ else
+ {
+ err = assuan_write_status (ctx, "FPR", tmpstr);
+ xfree (tmpstr);
+ }
+ if (err)
+ goto leave;
+ }
+
+ if (url)
+ {
+ err = assuan_write_status (ctx, "URL", url);
+ if (err)
+ goto leave;
+ }
+
+
+ leave:
+ xfree (key);
+ xfree (fpr);
+ xfree (url);
+ xfree (mbox);
+ xfree (namebuf);
+ xfree (encodedhash);
+ return leave_cmd (ctx, err);
+}
+
+
+
static const char hlp_ldapserver[] =
"LDAPSERVER <data>\n"
"\n"
@@ -1919,6 +2081,7 @@ register_commands (assuan_context_t ctx)
assuan_handler_t handler;
const char * const help;
} table[] = {
+ { "DNS_CERT", cmd_dns_cert, hlp_dns_cert },
{ "LDAPSERVER", cmd_ldapserver, hlp_ldapserver },
{ "ISVALID", cmd_isvalid, hlp_isvalid },
{ "CHECKCRL", cmd_checkcrl, hlp_checkcrl },
diff --git a/dirmngr/t-dns-cert.c b/dirmngr/t-dns-cert.c
new file mode 100644
index 000000000..61536c566
--- /dev/null
+++ b/dirmngr/t-dns-cert.c
@@ -0,0 +1,93 @@
+/* t-dns-cert.c - Module test for dns-cert.c
+ * Copyright (C) 2011 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#include "util.h"
+#include "dns-cert.h"
+
+
+int
+main (int argc, char **argv)
+{
+ gpg_error_t err;
+ unsigned char *fpr;
+ size_t fpr_len;
+ char *url;
+ void *key;
+ size_t keylen;
+ char const *name;
+
+ if (argc)
+ {
+ argc--;
+ argv++;
+ }
+
+ if (!argc)
+ name = "simon.josefsson.org";
+ else if (argc == 1)
+ name = *argv;
+ else
+ {
+ fputs ("usage: t-dns-cert [name]\n", stderr);
+ return 1;
+ }
+
+ printf ("CERT lookup on '%s'\n", name);
+
+ err = get_dns_cert (name, DNS_CERTTYPE_ANY, &key, &keylen,
+ &fpr, &fpr_len, &url);
+ if (err)
+ printf ("get_dns_cert failed: %s <%s>\n",
+ gpg_strerror (err), gpg_strsource (err));
+ else if (key)
+ {
+ printf ("Key found (%u bytes)\n", (unsigned int)keylen);
+ }
+ else
+ {
+ if (fpr)
+ {
+ int i;
+
+ printf ("Fingerprint found (%d bytes): ", (int)fpr_len);
+ for (i = 0; i < fpr_len; i++)
+ printf ("%02X", fpr[i]);
+ putchar ('\n');
+ }
+ else
+ printf ("No fingerprint found\n");
+
+ if (url)
+ printf ("URL found: %s\n", url);
+ else
+ printf ("No URL found\n");
+
+ }
+
+ xfree (key);
+ xfree (fpr);
+ xfree (url);
+
+ return 0;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-17 09:07:54 +0000