| Commit message (Collapse) | Author | Files | Lines |
|---|
|
--
Signed-off-by: Yao Wei <[email protected]>
|
|
--
|
|
--
GnuPG-bug-id: 5189
Signed-off-by: bobwxc <[email protected]>
|
|
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
|
|
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Change the new
support for KEYDB_SEARCH_MODE_MAIL.
(ks_ldap_get): Add a debug.
* g10/options.h (AKL_NTDS): New.
* g10/keyserver.c (keyserver_import_ntds): New.
(keyserver_get_chunk): Allow KEYDB_SEARCH_MODE_MAIL.
* g10/getkey.c (parse_auto_key_locate): Support "ntds".
(get_pubkey_byname): Ditto.
|
|
--
With these modifications it is now possible to store and retrieve keys
from an AD without manually tweaking the schema. Permissions need to
be set manuallay, though.
|
|
--
I accidently added a gpgSubCertID attribute not realizing that the
pgpSubKeyID already carries the long keyid. Remove that. Note that
the pgpkeyID has the short keyid and the long keyid has the name
pgpCertID.
Signed-off-by: Werner Koch <[email protected]>
|
|
* dirmngr/ks-engine-ldap.c (SERVERINFO_): New constants.
(my_ldap_connect): Relace args pgpkeyattrp and real_ldapp by a new
serverinfo arg. Set the new info flags.
(ks_ldap_get): Adjust for change.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto. Replace xmalloc by xtrymalloc. Change the DN
for use with NTDS (aka Active Directory).
* doc/ldap/gnupg-ldap-init.ldif (pgpSoftware): Update definition of
pgpVersion.
* doc/ldap/gnupg-ldap-ad-init.ldif: New.
* doc/ldap/gnupg-ldap-ad-schema.ldif: New.
--
This is a first take on better Active Directory support. The main
change for NTDS in the code is that the an top-RDN of CN is used
instead of the old pgpCertID. More changes to come; for example using
and storing the fingerprint.
Signed-off-by: Werner Koch <[email protected]>
|
|
* doc/gpg.texi: Add parameters for batch generation of ECC keys.
--
There are parameters required for batch generation of ECC keys which
weren't mentioned in the documentation.
Signed-off-by: Jens Meißner <[email protected]>
|
|
* scd/app.c (is_same_serialno): New.
(check_application_conflict): Use this.
(select_application): Ditto.
(app_switch_current_card): Ditto.
* scd/app-openpgp.c (check_keyidstr): Ignore the card version and also
compare case insensitive.
--
This is required because we change what we emit as serialno of OpenPGP
cards but existing keys still use the old form of the serial
number (i.e. with a firmware version).
See-commit: 3a8250c02031080c6c8eebd5dea03f5f87f9ddd7
Signed-off-by: Werner Koch <[email protected]>
|
|
--
GnuPG-bug-id: 5071
Also fixed one in keyformat.txt [wk].
|
|
* g10/keydb.h (pref_hint): Change from union to struct and add field
'exact'. Adjust callers.
* g10/pkclist.c (algo_available): Take care of the exact hint.
* g10/sign.c (sign_file): Rework the hash detection from
recipient prefs.
--
This fixes a encrypt+sign case like: One recipient key has SHA512 as
highest ranked hash preference but the the signing key is a 256 bit
curve. Because we don't want to use a truncated hash with ECDSA, we
need to have an exact match - this is in particular important for
smartcard which check that the hash matches the curves.
Signed-off-by: Werner Koch <[email protected]>
Ported-from-stable: aeed0b93ff660fe271d8f98f8d5ce60aa5bf3ebe
|
|
* scd/command.c (reset_notify): Add option --keep-lock.
(do_reset): Add arg keep_lock.
(cmd_lock): Send progress status.
* g10/call-agent.c (agent_scd_apdu): Add more pseudo APDUs.
* g10/card-util.c (send_apdu): Ditto.
(factory_reset): Use lock commands.
--
This is required so that for example Kleopatra does not detect the
RESET and issues a SERIALNO of its own, thus conflicting with our
SERIALNO undefined.
Signed-off-by: Werner Koch <[email protected]>
|
|
* doc/examples/vsnfd.prf: Rename to VS-NfD.prf.
* doc/examples/Automatic.prf: New.
* doc/Makefile.am (examples): Adjust.
* build-aux/speedo/w32/inst.nsi: Install gpg-check-pattern.exe and 3
example files.
* build-aux/speedo/w32/wixlib.wxs: Add new files.
--
Note that we renamed the existing example profile so that kleopatra
shows a nicer name. In fact the gpg4win installer just copies of
theses file but it is better to maintain them here.
gpg-check-pattern.exe can no be installed because we meanwhile have a
regex lib which works also on Windows.
Signed-off-by: Werner Koch <[email protected]>
|
|
* g10/gpg.c (enum cmd_and_opt_values): Add aQuickRevSig.
(opts): Add --quick-revoke-sig.
(main): Implement.
* g10/keyedit.c (quick_find_keyblock): Add arg 'want_secret' and
adjust all callers.
(keyedit_quick_revsig): new.
* g10/revoke.c (get_default_sig_revocation_reason): New.
* g10/keylist.c (cmp_signodes): Make global.
--
GnuPG-bug-id: 5093
|
|
* g10/gpg.c (parse_list_options): Add "sort-sigs".
(main): Make it the default.
* g10/options.h (LIST_SORT_SIGS): New.
* g10/keylist.c (cmp_signodes): New.
(list_keyblock_print): Sort signatures and factor signature printing
code out to ...
(list_signature_print): new.
--
In particular together with --full-timestamps this makes it easier to
see the history of key signatures and their revocations. The
self-signatures are also printed first. To disable this
--list-options no-sort-sigs
can be used.
Also don't print the annoying "no recocation reason specified"
message.
Signed-off-by: Werner Koch <[email protected]>
|
|
* common/sysutils.c (gnupg_access) [W32]: Fix for older libgpgrt.
--
Fixes-commit: c94ee1386e0d5cdac51086c4d5b92de59c09c9b5
Signed-off-by: Werner Koch <[email protected]>
|
|
--
|
|
* tools/gpgconf-comp.c (known_options_dirmngr): Degrade add-servers to
expert mode.
|
|
* doc/examples/vsnfd.prf: Remove enable-extended-key-format
--
This is no longer a valid option for gpg-agent because it
is now the default.
(cherry picked from commit d833030f8cf646b5de83d01fc3e412ad77ec4b1c)
|
|
* g10/options.h (IMPORT_BULK): New.
* g10/import.c (parse_import_options): Add "bulk-import".
* g10/call-keyboxd.c (in_transaction): New var.
(gpg_keyboxd_deinit_session_data): Run a commit if in bulk import
mode.
(create_new_context): Run a begin transaction if in bulk import mode.
--
Initial tests with this option are not very promising. Importing
about 3000 real world keys with --use-keyboxd and full logging took:
real 33m31.724s
user 19m54.265s
sys 2m49.662s
With bulk-import this saves a mere 12%:
real 29m36.542s
user 19m3.391s
sys 2m46.728s
Signed-off-by: Werner Koch <[email protected]>
|
|
* kbx/backend-sqlite.c (table_definitions): Add column UINO to
userids.
(be_sqlite_local_s): Add fields select_col_uidno and
select_col_subkey.
(run_select_statement): Also select subkey or uidno column.
(be_sqlite_search): Return their values.
(store_into_userid): Store the UIDNO.
* kbx/backend-support.c (be_return_pubkey): Extend PUBKEY_INFO.
--
For an existing database adding the new column to the table userid is
straightforward. However if the original version of the schema used an
integer for the keyid column, that column has likely be renamed. Make
sure that the NOT NULL constraint has also be removed; check the
SQLite documentation on how this can be done.
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/app-openpgp.c (send_keypair_info): Emit the algo string as part
of a KEYPAIRINFO.
* scd/command.c (do_readkey): Ditto.
* scd/app-piv.c (do_readkey): Ditto.
* scd/app-nks.c (do_learn_status_core): Ditto.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache. Use a
single exit label.
* scd/app-help.c (app_help_get_keygrip_string_pk): Add new arg
r_algostr. Change all callers.
--
This is helpful so that callers do not need to parse the key for this
basic information. Use "scd readkey --info-only" to return the info
status line instead of the key material; using just --info returns the
info in addition to the key material.
Signed-off-by: Werner Koch <[email protected]>
|
|
--
Also fixed some typos and documented soon to be used OIDs
|
|
* kbx/backend-support.c (be_return_pubkey): Add args is_ephemeral and
is_revoked. Adjust callers.
* kbx/backend-sqlite.c: Alter table pubkey to add new columns.
(run_select_statement): Add new column to all selects.
(be_sqlite_search): Return the new flags.
--
For existing test databases the new column can be added with:
alter table pubkey add ephemeral integer not null default 0;
alter table pubkey add revoked integer not null default 0;
Signed-off-by: Werner Koch <[email protected]>
|
|
* doc/gnupg-module-overview.svg: Add examples of GPGME aware
applications
--
Whenever I used this overview I needed to explain what this
meant so giving examples might help a bit and also illustrate
the codesharing between GpgOL, Kleopatra and KMail.
|
|
* scd/app-openpgp.c (data_objects): 0x00FA for binary data.
(do_getattr): Parse the data and send it in status lines.
(get_algorithm_attribute_string): New.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
--
|
|
--
|
|
* doc/examples/vsnfd.prf: Remove default-new-key-algo option.
|
|
* tools/gpgtar.c (oUtf8Strings): New.
(opts): Add option --utf8-strings.
(parse_arguments): Set option.
* tools/gpgtar.h (opt): Add field utf8strings.
* tools/gpgtar-create.c (name_to_utf8): New.
(fillup_entry_w32): Use that.
(scan_directory): Ditto.
(scan_directory) [W32]: Convert file name to utf8.
(gpgtar_create): Convert pattern.
--
Note that this works only with file names read from a file or if the
specified files on the command line are plain ascii. When recursing
into a directory Unicode file names work again. This limitation is
due to main(int, char**) which can't get the wchar version. We could
fix that but is needs a bit more work in our init code.
GnuPG-bug-id: 4083
Signed-off-by: Werner Koch <[email protected]>
|
|
--
GnuPG-bug-id: 3772
Signed-off-by: Werner Koch <[email protected]>
|
|
--
GnuPG-bug-id: 4958
|
|
* agent/command.c (cmd_get_passphrase): Take care of --repeat with
--newsymkey.
--
GnuPG-bug-id: 4997
|
|
* g10/gpg.c (oChUid): New.
(opts): Add --chuid.
(main): Implement --chuid. Delay setting of homedir until the new
chuid is done.
* sm/gpgsm.c (main): Delay setting of homedir until the new chuid is
done.
* tools/gpg-card.c (oChUid): New.
(opts): Add --chuid.
(changeuser): New helper var.
(main): Implement --chuid.
* tools/gpg-connect-agent.c (oChUid): New.
(opts): Add --chuid.
(main): Implement --chuid.
--
Signed-off-by: Werner Koch <[email protected]>
|
|
--
|
|
* sm/gpgsm.c (oChUid, opts): New option --chuid.
(main): Implement option.
--
This option will at least be useful for Scute.
Signed-off-by: Werner Koch <[email protected]>
|
|
* tools/gpgconf.c (oChUid, opts): New option --chuid.
(main): Implement.
--
Signed-off-by: Werner Koch <[email protected]>
|
|
* sm/keylist.c (list_cert_colon): Emit a new "fp2" record.
(list_cert_raw): Print the SHA2 fingerprint.
(list_cert_std): Ditto.
Signed-off-by: Werner Koch <[email protected]>
|
|
* common/gpgrlhelp.c (read_write_history): New.
(gnupg_rl_initialize): Register new function.
* common/ttyio.c (my_rl_rw_history): New var.
(tty_private_set_rl_hooks): Add arg read_write_history.
(tty_read_history): New.
(tty_write_history): New.
* tools/gpg-card.c (HISTORYNAME): New.
(oNoHistory): New enum value.
(opts): New option --no-history.
(cmd_history): New.
(cmds): New command "history".
(interactive_loop): Read and save the history.
* tools/gpg-connect-agent.c (HISTORYNAME): New.
(opts): New option --no-history.
(main): Read and save the history. New command /history.
--
Yeah, finally we have stored history; I should have added this much
earlier.
Signed-off-by: Werner Koch <[email protected]>
|
|
* g10/pkclist.c (write_trust_status): Add arg mbox.
(check_signatures_trust): Appenmd mbox to the status lines.
--
GnuPG-bug-id: 4735
Signed-off-by: Werner Koch <[email protected]>
|
|
* g10/mainproc.c (check_sig_and_print): Add failsafe check for PK.
Pass KEYBLOCK down do check_signatures_trust. Protect existsing error
ocde in case the signature expired.
* g10/pkclist.c (is_in_sender_list): New.
(check_signatures_trust): Add args keyblock and pk. Add new uid based
checking code.
* g10/test-stubs.c, g10/gpgv.c: Adjust stubs.
--
GnuPG-bug-id: 4735
Signed-off-by: Werner Koch <[email protected]>
|
|
--
Fixes-commit: 074ab108e768b2f946d789c1f3a7f14a65e07c52
which was recently pushed to make use of $SOURCE_DATE_EPOCH
as fallback.
Also fixes two typos
|
|
* doc/Makefile.am (defsincdate): In no repo mode and with
SOURCE_DATE_EPOCH set, use that instead of blanking the date.
--
GnuPG-bug-id: 4947
|
|
* tools/gpg-card.c: Include tlv.h.
(cmd_writecert): Add option --openpgp.
(cmd_readcert): Ditto.
--
We use the CERT object for this and encapsulate the key block in a CMS
object.
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/app-openpgp.c (do_getattr): Return KEY-STATUS
|
|
* sm/certreqgen.c (create_request): Create AKI and SKI by default.
--
GnuPG-bug-id: 4098
Signed-off-by: Werner Koch <[email protected]>
|
|
* sm/fingerprint.c (gpgsm_get_key_algo_info): Factor code out to ...
(gpgsm_get_key_algo_info2): new.
(gpgsm_pubkey_algo_string): New.
* sm/keylist.c (list_cert_colon): Put curve into field 17
(list_cert_raw): Print the unified key algotithm string instead of the
algo and size.
(list_cert_std): Ditto.
--
It is important to known whether a 256 bit ECC uses a NIST or a
Brainpool curve.
Signed-off-by: Werner Koch <[email protected]>
|
|
* sm/certchain.c (find_up): Disable external lookups in offline mode.
Always allow AKI lookup if CRLs are also enabled.
--
GnuPG-bug-id: 4898
Signed-off-by: Werner Koch <[email protected]>
|
