| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.
--
Cherry-pick master commit of:
7011286ce6e1fb56c2989fdafbd11b931c489faa
GnuPG-bug-id: 6239
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
(struct ks_engine_ldap_local_s): Add several new fields.
(ks_ldap_clear_state): Release them.
(search_and_parse): Factored out from ks_ldap_get and extended to
support the paged mode.
(ks_ldap_get): Implement the pages mode for --first and --next.
* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
mode.
* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
--
The paged mode allows to retrieve more items than the servers usually
limit (e.g. 1000 for an LDS). This patch also allows to use --first
without a patter to retrieve all keyblocks (except for disabled and
revoked keys).
GnuPG-bug-id: 6224
Backported-from-master: 7a01e806eac4cd7a65eaf3e17dcd2f117ec2d327
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
(start_command_handler): Free that new ldap state.
* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
(ks_ldap_new_state, ks_ldap_clear_state): New.
(ks_ldap_free_state): New.
(return_one_keyblock): New. Mostly factored out from ....
(ks_ldap_get): here. Implement --first/--next feature.
* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
ks_get_flags.
* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
(KS_GET_FLAG_FIRST): New.
(KS_GET_FLAG_NEXT): New.
* dirmngr/dirmngr.h (struct server_control_s): Add member
ks_get_state.
(struct ks_engine_ldap_local_s): New forward reference.
--
This feature allows to fetch keyblock by keyblock from an LDAP server.
This way tools can process and maybe filter each keyblock in a more
flexible way. Here is an example where two keyblocks for one mail
address are returned:
$ gpg-connect-agent --dirmngr
> ks_get --ldap --first <[email protected]>
[... First keyblock is returned ]
OK
> ks_get --next
[ ... Next keyblock is returned ]
OK
> ks_get --next
ERR 167772218 No data <Dirmngr>
GnuPG_bug_id: 6224
Backported-from-master: 4de98d4468f37bfb8352426830d5d5642ded7536
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
behind the EOS.
(interrogate_ldap_dn): Stylistic change.
--
This also updates the my_ldap_connect description.
GnuPG-bug-id: 6047
(cherry picked from commit 11aa5a93a754fe978d0f35d7fbeb4767b6b6df05)
|
| |
|
|
|
|
|
|
|
|
| |
* dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with
no arguments.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 530d709607e54465ce47c1fc7d2554ea3b0bea6b)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
memory allocated.
(my_ldap_connect): Follow the change, removing needless allocation.
--
GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 4b2066afb4988c32a030330acf51b7b0dc190041)
|
| |
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (my_ldap_connect): interrogate LDAP
server when basedn specified.
--
GnuPG-bug-id: 6047
Signed-off-by: Joey Berkovitz <[email protected]>
(cherry picked from commit 3257385378bb3f19ebf089538f0efe2154487989)
|
| |
|
|
|
| |
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
server supports this.
|
| |
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
--
GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <[email protected]>
Backported-from-master: 993820c315216584e23d36299920007abfeb3a32
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
|
|
| |
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--
This fixes a problem with resulted in a General Error for the second
key to be uploaded in the same session. But only if the colon format
to specify a keyserver with flags was used.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly"
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--
This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE. It is ignored on other systems.
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--
It is quite common that LDAP servers are blocked and thuis the HTTP
access point should be used instead. This worked well for
certificates where the DP are given in this form:
crlDP: ldap://x500.bund.de/[...]
http://x500.bund.de/[...]
issuer: none
but it failed for this form
crlDP: ldap://x500.bund.de/[...]
issuer: none
crlDP: http://x500.bund.de/[...]
issuer: none
because the LAST_ERR thing terminated the outer loop. This pacth
fixes this and also cleans up the code to be more robust.
Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
|
| |
|
|
|
|
|
|
| |
* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs:
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.
--
With this change, invalid certificates from system won't be registered
into cache. Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ. With less invalid certificates in cache,
it helps the validate_cert_chain function work better.
GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
| |
* dirmngr/ocsp.c (check_signature): Fix error printing of xtrymalloc.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Add "fingerprint=on" to
request URL.
--
Some keyservers, e.g. keyserver.ubuntu.com (Hockeypuck), do not
provide the key fingerprints by default. Therefore, we ask for the
fingerprints explicitly.
GnuPG-bug-id: 5741
(cherry picked from commit c7fa4c7f8bf375e3739ef8361f38b6b31113b8bf)
|
| |
|
|
| |
--
|
| |
|
|
|
|
| |
* dirmngr/server.c (proc_wkd_get): Also escape '#' and '+'
--
GnuPG-bug-id: 5902
|
| |
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c (proc_wkd_get): Take care of DNS server failures
--
Unfortunately there are resolver setups which don't handle SRV records
but return a server error. We let a not found error pass, because
that merely means the domain does not exists.
GnuPG-bug-id: 4729
|
| |
|
|
| |
* dirmngr/Makefile.am: Tweak library order.
|
| |
|
|
|
| |
* dirmngr/Makefile.am: Add missing -L and -I
--
|
| |
|
|
|
|
|
| |
* dirmngr/dirmngr.c (main): Keep only values with the default flag.
--
This is not anymore required abnd brings us in sync with 2.3.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.c (dirmngr_never_use_tor_p): New.
* dirmngr/server.c (ensure_keyserver): Don't even test for the Tor
proxy in never-use-tor Mode.
* tools/gpgtar-create.c: Include unistd.h to avoid a warning on
Windows.
--
This delay of 2 or 3 seconds is in particular annoying on Windows.
This is now suppressed, as it should be, if --no-use-tor is used.
The second patch is unrelated
|
| |
|
|
|
|
|
|
|
|
| |
--
This looks better and is also required for further simplifications of
gpgconf.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 4c43fabbb0124bacbbaad2521a3085709e7f8249)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* tools/gpgconf-comp.c: Remove all regular option descriptions. They
are now read in from the component. Also remove a few meanwhile
obsolete options.
* agent/gpg-agent.c: Add option description which were only set in
gpgconf-comp.c.
* dirmngr/dirmngr.c: Ditto.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto.
* g10/gpg.c: Ditto.
--
This second part removes all regular option descriptions because they
can be read from the components. A few were missing in the components
and thus moved to there.
Signed-off-by: Werner Koch <[email protected]>
This is a backport from master (2.3).
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/Makefile.am (t_ldap_parse_uri_CFLAGS): Add KSBA_CFLAGS.
* kbx/Makefile.am (libkeybox_a_CFLAGS, libkeybox509_a_CFLAGS): Add
NPTH_CFLAGS.
* tools/Makefile.am (gpgtar_CFLAGS, gpg_wks_server_CFLAGS,
gpg_wks_client_CFLAGS, gpg_pair_tool_CFLAGS): Add LIBGCRYPT_CFLAGS.
--
The tools include gcrypt.h via common/util.h.
GnuPG-bug-id: 5592
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/gpg-agent.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option.
(create_server_socket): Implement option.
* dirmngr/dirmngr.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option. Add comment to eventually implement it.
--
Note that --steal-socket has currently no effect on dirmngr because
dirmngr does this anway.
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* dirmngr/dns.c (dns_resconf_loadfile): Skip "search" which
begins with '.'.
--
GnuPG-bug-id: 5657
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--
This option is useful as a workaround in case we ill run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
Backported-from-master: 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/certcache.c (find_cert_bysubject): Return the first trusted
certififcate if any.
--
This is basically the same as using OpenSSL with ist
X509_V_FLAG_TRUSTED_FIRST flag. See
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
GnuPG-bug-id: 5639
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.
* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.
* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--
Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore. Thus it is better to change them.
For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.
For http based access the Dutch Surfnet keyserver is used. However
due to a non-standard TLS certificate this server can not easily be
made the default for https.
Note: that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Munge mail address pattern.
(ks_hkp_get): Allow for mail addresses.
-
Before the keyserver changes in 2.2.28 gpg passed dirmngr a pail
address as an exact pattern (e.g. "[email protected]"). Since 2.2.28
the mail address is detected gpg gpg and we see for example
"<[email protected]>". This patch fixes this to turn a mail address
into an exact match again.
GnuPG-bug-id: 5497
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.c (parse_rereadable_options) [USE_LDAP]:
Conditionalize.
--
Reported-by: Phil Pennock
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (USE_LDAPWRAPPER): Remove.
* dirmngr/Makefile.am: Use USE_LDAP instead of USE_LDAPWRAPPER.
* dirmngr/ldap-wrapper-ce.c: Remove.
* dirmngr/ldap-wrapper.h, dirmngr/ldap-wrapper.c: Remove
USE_LDAPWRAPPER things.
--
Backported-from-master: 4c295646ba0e175743e6be13457308c1e6d21dd3
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr_ldap.c (main): Handle no args case.
--
This is required for example for CRLs. The old code did not require
this because the hos was taken from the URL given has arg.
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ldap-misc.c: New.
* dirmngr/ldap-misc.h: New.
* dirmngr/ks-engine-ldap.c: Include ldap-misc.h.
(ldap_err_to_gpg_err, ldap_to_gpg_err): Move to ldap-misc.c.
* dirmngr/ldap-wrapper.c (ldap_wrapper): Print list of args in debug
mode.
* dirmngr/server.c (lookup_cert_by_pattern): Handle GPG_ERR_NOT_FOUND
the saqme as GPG_ERR_NO_DATA.
* dirmngr/ldap.c (run_ldap_wrapper): Add args tls_mode and ntds.
Remove arg url. Adjust for changes in dirmngr_ldap.
(url_fetch_ldap): Remove args host and port. Parse the URL and use
these values to call run_ldap_wrapper.
(attr_fetch_ldap): Pass tls flags to run_ldap_wrapper.
(rfc2254_need_escape, rfc2254_escape): New.
(extfilt_need_escape, extfilt_escape): New.
(parse_one_pattern): Rename to ...
(make_one_filter): this. Change for new dirmngr_ldap calling
convention. Make issuer DN searching partly work.
(escape4url, make_url): Remove.
(start_cert_fetch_ldap): Change for new dirmngr_ldap calling
convention.
* dirmngr/dirmngr_ldap.c: Major rewrite.
* dirmngr/t-ldap-misc.c: New.
* dirmngr/t-support.h (DIM, DIMof): New.
* dirmngr/Makefile.am (dirmngr_ldap_SOURCES): Add ldap-misc.c
(module_tests) [USE_LDAP]: Add t-ldap-misc.
(t_ldap_parse_uri_SOURCES): Ditto.
(t_ldap_misc_SOURCES): New.
--
This rewrite allows to properly handle TLS and avoids some code
duplication.
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Remove the
password_param thing because we set the password directly without an
intermediate var.
--
Reported-by: Ingo Kloecker
|
| |
|
|
|
|
|
|
|
| |
* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Use LDAP_OPT_TIMEOUT.
* dirmngr/dirmngr.c (main): Move --ldaptimeout setting to ...
(parse_rereadable_options): here.
--
Note that this has not yet been tested. In fact a test with OpenLDAP
using a modified route got stuck in the connection attempt. Maybe it
works on Windows - will be tested later.
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.
* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.
--
This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c (cmd_ldapserver): Strip an optional prefix.
(make_keyserver_item): Handle non-URL ldap specs.
* dirmngr/dirmngr.h (struct ldap_server_s): Add fields starttls,
ldap_over_tls, and ntds.
* dirmngr/ldapserver.c (ldapserver_parse_one): Add for an empty host
string. Improve error messages for the non-file case. Support flags.
* dirmngr/ks-action.c (ks_action_help): Handle non-URL ldap specs.
(ks_action_search, ks_action_get, ks_action_put): Ditto.
* dirmngr/ks-engine-ldap.c: Include ldapserver.h.
(ks_ldap_help): Handle non-URL ldap specs.
(my_ldap_connect): Add args r_host and r_use_tls. Rewrite to support
URLs and non-URL specified keyservers.
(ks_ldap_get): Adjust for changes in my_ldap_connect.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.
--
The idea here is to unify our use of URLS or colon delimited ldap
keyserver specification. The requirement for percent escaping, for
example the bindname in an URLs, is cumbersome and prone to errors.
This we allow our classic colon delimited format as an alternative.
That format makes it also easy to specify flags to tell dirmngr
whether to use starttls or ldap-over-tls. The code is nearly 100%
compatible to existing specification. There is one ambiguity if the
hostname for CRL/X509 searches is just "ldap"; this can be solved by
prefixing it with "ldap:" (already implemented in gpgsm).
GnuPG-bug-id: 5405, 5452
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/http.h (HTTP_PARSE_NO_SCHEME_CHECK): New.
* dirmngr/http.c (http_parse_uri): Use this flag. Change all callers
to use the new macro for better readability.
(do_parse_uri): Add pseudo scheme "opaque".
(uri_query_value): New.
--
This scheme can be used to convey arbitrary strings in a parsed_uri_t
object.
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (extract_keys): Return the fingerprint if
available.
(ks_ldap_search): Ditto.
(extract_keys): Make sure to free the ldap values also in corner
cases.
(my_ldap_value_free): New.
(ks_ldap_get): Ditto.
(ks_ldap_search): Ditto.
(my_ldap_connect): Ditto.
--
For background see these comments from gpgme:
/* The output for external keylistings in GnuPG is different from all
the other key listings. We catch this here with a special
preprocessor that reformats the colon handler lines. */
/* The format is:
pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
as defined in 5.2. Machine Readable Indexes of the OpenPGP
HTTP Keyserver Protocol (draft). Modern versions of the SKS
keyserver return the fingerprint instead of the keyid. We
detect this here and use the v4 fingerprint format to convert
it to a key id.
We want:
pub:o<flags>:<keylen>:<algo>:<keyid>:<creatdate>:<expdate>::::::::
*/
Regarding the freeing of values: I was not able to find a
specification stating it is okay to pass NULL to ldap_value_free, thus
the new wrapper. Also add robustness measures in case ldap_get_value
returns an empty array.
GnuPG-bug-id: 5441
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Ignore revoked
and disable keys in mail mode.
--
The LDAP schema has a revoked and a disabled flag. The former will be
set if a revoked key is uploaded; the latter can be set by other
means. With this change a search by mailbox does not anymore return
keys with these LDAP attributes set. This allows to better maintain a
directory with multiple keys per mailbox.
Doing the same for expired keys could also be done but requires more
effort.
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/getkey.c (get_seckey_default_or_card): Lookup a missing public
key from the current card via LDAP.
* g10/call-dirmngr.c: Include keyserver-intetnal.h.
(gpg_dirmngr_ks_get): Rename arg quick into flags. Take care of the
new LDAP flag.
* g10/keyserver-internal.h (KEYSERVER_IMPORT_FLAG_QUICK): New.
Replace the use of the value 1 for the former quick arg.
(KEYSERVER_IMPORT_FLAG_LDAP): New.
* g10/keyserver.c (keyserver_get_chunk): Increase the reserved line
length.
* dirmngr/ks-action.c (ks_action_get): Add arg ldap_only.
* dirmngr/server.c (cmd_ks_get): Add option --ldap.
--
This change makes it easy to start working with gnupg: Just insert the
smartcard or token provided to you and the first time you sign a
message the public key associated with the current card will be
imported and everything is set without any configuration.
This works only with an LDAP directory because it can be expected that
the public key has been put into the LDAP during card personalization.
Of course an LDAP server needs to be configured; in a Windows AD
domain this can be a mere "keyserver ldap:///" in dirmngr.conf. Other
configured keyservers are ignored.
Requirements for the card driver: The $SIGNKEYID attribute must exists
and a query for the KEY-FPR attribute needs to return the OpenPGP
fingerprint for that key. This is currently supported for OpenPGP
cards and certain PKCS#15 cards.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit d7e707170fbe2956deb3d81e2802d21352079722)
|
| |
|
|
|
|
| |
--
(cherry picked from commit 683ff00bb1454d82914b2bddbf316057221971c1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ks-engine-ldap.c (ks_ldap_get): Print a SOURCE status.
* g10/options.h (opts): New field expl_import_self_sigs_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--
I can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are. Thus we
can allow the import of key signature from LDAP keyservers by default.
GnuPG-bug-id: 5387
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Support a new gpgNtds
extension.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Do ldap_init always with
hostname - which is NULL and thus the same if not given. Fix minor
error in error code handling.
--
Note that "gpgNtds" is per RFC-4512 case insensitive and has not yet
been officially regisetered. Thus for correctness the OID can be
used:
1.3.6.1.4.1.11591.2.5 LDAP URL extensions
1.3.6.1.4.1.11591.2.5.1 gpgNtds=1 (auth. with current user)
Note that the value must be 1; all other values won't enable AD
authentication and are resevered for future use.
|
| |
|
|
|
|
|
|
|
|
| |
* dirmngr/ldap-parse-uri.c (ldap_uri_p): Use ascii-memcasecmp.
--
Note that the first test on ldaps or ldaps in the original code did
not worked at all so that the Mixed Case part took over there.
Signed-off-by: Werner Koch <[email protected]>
|
