From 23a714598c247d78cfda46a6dc338b17e17cc194 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 12 Apr 2018 16:41:05 +0200
Subject: gpg: Extend the ERRSIG status line with a fingerprint.

* g10/mainproc.c (issuer_fpr_raw): New.
(issuer_fpr_string): Re-implement using issuer_fpr_rtaw.
(check_sig_and_print): Don't free ISSUER_FPR.  Use ISSUER_FPR_RAW.
Use write_status_printf.  Extend ERRSIG status.
--

Modern OpenPGP implementations put the ISSUER_FPR into the signature
to make it easier to discover the, public needed to check the
signature.  This is also useful in error messages and thus we add it.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 g10/mainproc.c | 57 ++++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 38 insertions(+), 19 deletions(-)

(limited to 'g10/mainproc.c')

diff --git a/g10/mainproc.c b/g10/mainproc.c
index 512d33c59..85828274f 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1608,6 +1608,26 @@ akl_has_wkd_method (void)
 }
 
 
+/* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN.
+ * Returns NULL if not available.  The returned buffer is valid as
+ * long as SIG is not modified.  */
+static const byte *
+issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
+{
+  const byte *p;
+  size_t n;
+
+  p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
+  if (p && n == 21 && p[0] == 4)
+    {
+      *r_len = n - 1;
+      return p+1;
+    }
+  *r_len = 0;
+  return NULL;
+}
+
+
 /* Return the ISSUER fingerprint string in human readbale format if
  * available.  Caller must release the string.  */
 static char *
@@ -1616,10 +1636,8 @@ issuer_fpr_string (PKT_signature *sig)
   const byte *p;
   size_t n;
 
-  p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
-  if (p && n == 21 && p[0] == 4)
-    return bin2hex (p+1, n-1, NULL);
-  return NULL;
+  p = issuer_fpr_raw (sig, &n);
+  return p? bin2hex (p, n, NULL) : NULL;
 }
 
 
@@ -1659,7 +1677,7 @@ check_sig_and_print (CTX c, kbnode_t node)
   int rc;
   int is_expkey = 0;
   int is_revkey = 0;
-  char *issuer_fpr;
+  char *issuer_fpr = NULL;
   PKT_public_key *pk = NULL;  /* The public key for the signature or NULL. */
   int tried_ks_by_fpr;
 
@@ -1786,13 +1804,14 @@ check_sig_and_print (CTX c, kbnode_t node)
     write_status_text (STATUS_NEWSIG, NULL);
 
   astr = openpgp_pk_algo_name ( sig->pubkey_algo );
-  if ((issuer_fpr = issuer_fpr_string (sig)))
+  issuer_fpr = issuer_fpr_string (sig);
+
+  if (issuer_fpr)
     {
       log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
       log_info (_("               using %s key %s\n"),
                 astr? astr: "?", issuer_fpr);
 
-      xfree (issuer_fpr);
     }
   else if (!keystrlen () || keystrlen () > 8)
     {
@@ -1899,14 +1918,14 @@ check_sig_and_print (CTX c, kbnode_t node)
       const byte *p;
       size_t n;
 
-      p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
-      if (p && n == 21 && p[0] == 4)
+      p = issuer_fpr_raw (sig, &n);
+      if (p)
         {
           /* v4 packet with a SHA-1 fingerprint.  */
           free_public_key (pk);
           pk = NULL;
           glo_ctrl.in_auto_key_retrieve++;
-          res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
+          res = keyserver_import_fprint (c->ctrl, p, n, opt.keyserver, 1);
           tried_ks_by_fpr = 1;
           glo_ctrl.in_auto_key_retrieve--;
           if (!res)
@@ -2273,22 +2292,22 @@ check_sig_and_print (CTX c, kbnode_t node)
     }
   else
     {
-      char buf[50];
-
-      snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
-                (ulong)sig->keyid[0], (ulong)sig->keyid[1],
-                sig->pubkey_algo, sig->digest_algo,
-                sig->sig_class, (ulong)sig->timestamp, gpg_err_code (rc));
-      write_status_text (STATUS_ERRSIG, buf);
+      write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s",
+                           (ulong)sig->keyid[0], (ulong)sig->keyid[1],
+                           sig->pubkey_algo, sig->digest_algo,
+                           sig->sig_class, (ulong)sig->timestamp,
+                           gpg_err_code (rc),
+                           issuer_fpr? issuer_fpr:"-");
       if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
         {
-          buf[16] = 0;
-          write_status_text (STATUS_NO_PUBKEY, buf);
+          write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX",
+                               (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
 	}
       if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
         log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
     }
 
+  xfree (issuer_fpr);
   return rc;
 }
 
-- 
cgit v1.2.3


From 69c3e7acb744e1e5606a4d946e3b948704cfbbae Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 12 Apr 2018 17:53:17 +0200
Subject: gpg: Extend the "sig" record in --list-mode.

* g10/getkey.c (get_user_id_string): Add arg R_NOUID.  Change call
callers.
(get_user_id): Add arg R_NOUID.  Change call callers.
* g10/mainproc.c (issuer_fpr_string): Make global.
* g10/keylist.c (list_keyblock_colon): Print a '?' for a missing key
also in --list-mode.  Print the "issuer fpr" field also if there is an
issuer fingerprint subpacket.
--

Scripts used to rely on the "User ID not found" string even in the
--with-colons listing.  However, that is not a good idea because that
string is subject to translations etc.  Now we have an explicit way of
telling that a key is missing.  For example:

  gpg --list-sigs --with-colons | \
    awk -F: '$1=="sig" && $2=="?" {if($13){print $13}else{print $5}}'

Prints all keyids or fingerprint of signing keys for which we do not
have the key in our local keyring.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 g10/mainproc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'g10/mainproc.c')

diff --git a/g10/mainproc.c b/g10/mainproc.c
index 85828274f..49e728656 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1209,7 +1209,7 @@ list_node (CTX c, kbnode_t node)
 	}
       else if (!opt.fast_list_mode)
         {
-          p = get_user_id (c->ctrl, sig->keyid, &n);
+          p = get_user_id (c->ctrl, sig->keyid, &n, NULL);
           es_write_sanitized (es_stdout, p, n,
                               opt.with_colons?":":NULL, NULL );
           xfree (p);
@@ -1630,7 +1630,8 @@ issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
 
 /* Return the ISSUER fingerprint string in human readbale format if
  * available.  Caller must release the string.  */
-static char *
+/* FIXME: Move to another file.  */
+char *
 issuer_fpr_string (PKT_signature *sig)
 {
   const byte *p;
-- 
cgit v1.2.3


From f747b8f0734338baa1e608b193b213aca2c577e8 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 13 Apr 2018 16:42:34 +0900
Subject: g10: Fix memory leak in check_sig_and_print.

* g10/mainproc.c (check_sig_and_print): Free the public key.

--

GnuPG-bug-id: 3900
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 g10/mainproc.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'g10/mainproc.c')

diff --git a/g10/mainproc.c b/g10/mainproc.c
index 49e728656..c7deeab5f 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -2308,6 +2308,7 @@ check_sig_and_print (CTX c, kbnode_t node)
         log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
     }
 
+  free_public_key (pk);
   xfree (issuer_fpr);
   return rc;
 }
-- 
cgit v1.2.3