| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
same API as the other auto-key-locate fetchers.
* getkey.c (get_pubkey_byname): Use the fingerprint of the key that we
actually fetched. This helps prevent problems where the key that we
fetched doesn't have the same name that we used to fetch it. In the
case of CERT and PKA, this is an actual security requirement as the
URL might point to a key put in by an attacker. By forcing the use of
the fingerprint, we won't use the attacker's key here.
|
| |
|
|
|
|
| |
keyserver_import_cert, keyserver_import_name, keyserver_import_ldap):
Pass fingerprint info through.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
--no-auto-key-locate.
* options.h, gpg.c (main): Keep track of each keyserver registered so
we can match on them later.
* keyserver-internal.h, keyserver.c (cmp_keyserver_spec,
keyserver_match), gpgv.c: New. Find a keyserver that matches ours and
return its spec.
* getkey.c (get_pubkey_byname): Use it here to get the per-keyserver
options from an earlier keyserver.
|
| |
|
|
|
|
|
| |
(parse_keyserver_options): Moved from here. (parse_keyserver_uri): Use it
here so each keyserver can have some private options in addition to the
main keyserver-options (e.g. per-keyserver auth).
|
| |
|
|
|
|
| |
getkey.c (free_akl, parse_auto_key_locate, get_pubkey_byname): The obvious
next step: allow arbitrary keyservers in the auto-key-locate list.
|
| |
|
|
|
|
|
|
|
|
| |
importing at -r time. The URL in the PKA record may point to a key put in
by an attacker. Fix is to use the fingerprint from the PKA record as the
recipient. This ensures that the PKA record is followed.
* keyserver-internal.h, keyserver.c (keyserver_import_pka): Return the
fingerprint we requested.
|
| |
|
|
|
|
| |
* keyserver-internal.h, keyserver.c (keyserver_import_ldap): Import using
the PGP Universal trick of asking ldap://keys.(maildomain) for the key.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
getkey.c:get_pubkey_byname which was getting crowded.
* keyserver.c (keyserver_import_cert): Import a key found in DNS via CERT
records. Can handle both the PGP (actual key) and IPGP (URL) CERT types.
* getkey.c (get_pubkey_byname): Call them both here.
* options.h, keyserver.c (parse_keyserver_options): Add
"auto-cert-retrieve" option with optional max size argument.
|
| |
|
|
|
|
|
|
|
|
| |
* keyserver-internal.h, keyserver.c (keyserver_spawn, keyserver_work,
keygerver_getname): New keyserver_getname function to fetch keys by name.
* getkey.c (get_pubkey_byname): Call it here to enable locating keys by
full mailbox from a keyserver a la PKA. Try PKA first, though, as it is
likely to be faster.
|
| |
|
|
|
|
|
|
|
|
| |
when fetching a URI.
* keyserver-internal.h, keyserver.c (keyserver_fetch): New. Fetch an
arbitrary URI using the keyserver helpers.
* gpg.c (main): Call it from here for --fetch-keys.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
card to fetch an updated copy. Works with either straight URLs or HKP or
LDAP keyservers.
* keyserver-internal.h, keyserver.c (keyserver_import_fprint), import.c
(revocation_present): Use a keyserver_spec so the caller can pass in
whatever keyserver they like.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
keyservers, and auto-key-retrieve is set, try and get a missing key from
the preferred keyserver subpacket when we verify the sig.
* gpgv.c (parse_preferred_keyserver, free_keyserver_spec): Stubs.
* keyserver.c (keyidlist): Use new parse_preferred_keyserver function.
(keyserver_work): Use the passed-in keyserver spec rather than the options
global one.
* keyserver-internal.h, keyserver.c (parse_preferred_keyserver): New
function to take a sig and return a split out keyserver_spec.
(keyserver_import_keyid): Now takes a keyserver_spec.
|
| |
|
|
|
|
|
| |
Improved URI parser that keeps track of the path information and doesn't
modify the input string. (keyserver_spawn): Tell keyserver plugins about
the path.
|
| |
|
|
|
|
|
|
|
|
| |
preferred keyserver on "keyserver" command line. Sanity check keyserver
URL before accepting it.
* keyserver-internal.h, g10.c (main), keyserver.c (parse_keyserver_uri):
Add an option to require the scheme:// and change all callers.
(free_keyserver_spec): Make public.
|
| |
|
|
|
|
|
|
| |
and properly handle a partial match against an option with an argument.
* keyserver-internal.h, keyserver.c (parse_keyserver_options): Use new
optsep and argsplit functions.
|
| |
|
|
|
|
|
| |
keyserver.c (parse_keyserver_uri): Parse keyserver URI into a structure.
Cleanup for new "guess my keyserver" functionality, as well as refreshing
via a preferred keyserver subpacket.
|
| |
|
|
|
|
|
|
|
|
| |
show_prompt, keyserver_search_prompt, keyserver_spawn): Go to version 1 of
the keyserver protocol. This is a better design, similar to
--with-colons, that allows for keys with multiple user IDs rather than
using multiple keys. It also matches the machine readable pksd format.
Also use a prettier --search-keys listing format that can fill different
size windows (currently set at 24 lines).
|
| |
|
