authorWerner Koch <[email protected]>2024-06-05 08:00:38 +0000
committerWerner Koch <[email protected]>2024-06-05 08:01:36 +0000
commit465ea9116d1f9467814143ed35b515034a849e86 (patch)
tree12717a50da05875d88b8ea3f6fe5011d8f7fd283
parentgpg: Implement the LDAP AKL method. (diff)
downloadgnupg-465ea9116d1f9467814143ed35b515034a849e86.tar.gz
gnupg-465ea9116d1f9467814143ed35b515034a849e86.zip
gpg: Autoload designated revoker key and ADSK when needed.
* g10/options.h (opt): Move the definition of struct akl to global scope. * g10/keydb.h (enum get_pubkey_modes): Add GET_PUBKEY_TRY_LDAP. * g10/getkey.c (get_pubkey_byname): Implement GET_PUBKEY_BYNAME. * g10/keygen.c (prepare_desig_revoker): Use it here. (prepare_adsk): and here. -- The revoker key is required before we create it along with a new key. This is because we need to know the algo and also to make sure that the key really exists. GnuPG-bug-id: 7133
-rw-r--r--g10/getkey.c23
-rw-r--r--g10/keydb.h3
-rw-r--r--g10/keygen.c4
-rw-r--r--g10/options.h39
4 files changed, 42 insertions, 27 deletions
diff --git a/g10/getkey.c b/g10/getkey.c
index e0d99311a..e3a2deaae 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -916,6 +916,7 @@ key_byname (ctrl_t ctrl, GETKEY_CTX *retctx, strlist_t namelist,
* auto-key-locate option list!
* GET_PUBKEY_NO_LOCAL - Only the auto key locate functionality is
* used and no local search is done.
+ * GET_PUBKEY_TRY_LDAP - If the key was not found locally try LDAP.
*
* If RETCTX is not NULL, then the constructed context is returned in
* *RETCTX so that getpubkey_next can be used to get subsequent
@@ -968,7 +969,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
int nodefault = 0;
int anylocalfirst = 0;
int mechanism_type = AKL_NODEFAULT;
-
+ struct akl *used_akl = opt.auto_key_locate;
/* If RETCTX is not NULL, then RET_KDBHD must be NULL. */
log_assert (retctx == NULL || ret_kdbhd == NULL);
@@ -990,12 +991,12 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
is_mbox = 1;
}
- /* If we are called due to --locate-external-key Check whether NAME
+ /* If we are called due to --locate-external-key check whether NAME
* is a fingerprint and then try to lookup that key by configured
* method which support lookup by fingerprint. FPRBUF carries the
* parsed fingerprint iff IS_FPR is true. */
is_fpr = 0;
- if (!is_mbox && mode == GET_PUBKEY_NO_LOCAL)
+ if (!is_mbox && (mode == GET_PUBKEY_NO_LOCAL || mode == GET_PUBKEY_TRY_LDAP))
{
if (!classify_user_id (name, &fprbuf, 1)
&& fprbuf.mode == KEYDB_SEARCH_MODE_FPR)
@@ -1021,12 +1022,20 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
* implicitly). */
if (mode == GET_PUBKEY_NO_LOCAL)
nodefault = 1; /* Auto-key-locate but ignore "local". */
- else if (mode != GET_PUBKEY_NO_AKL)
+ else if (mode == GET_PUBKEY_NO_AKL)
+ ;
+ else if (mode == GET_PUBKEY_TRY_LDAP)
+ {
+ static struct akl ldap_only_akl = { AKL_LDAP, NULL, NULL };
+
+ used_akl = &ldap_only_akl;
+ }
+ else
{
/* auto-key-locate is enabled. */
/* nodefault is true if "nodefault" or "local" appear. */
- for (akl = opt.auto_key_locate; akl; akl = akl->next)
+ for (akl = used_akl; akl; akl = akl->next)
if (akl->type == AKL_NODEFAULT || akl->type == AKL_LOCAL)
{
nodefault = 1;
@@ -1034,7 +1043,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
}
/* anylocalfirst is true if "local" appears before any other
search methods (except "nodefault"). */
- for (akl = opt.auto_key_locate; akl; akl = akl->next)
+ for (akl = used_akl; akl; akl = akl->next)
if (akl->type != AKL_NODEFAULT)
{
if (akl->type == AKL_LOCAL)
@@ -1085,7 +1094,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
* the local keyring). Since the auto key locate feature is
* enabled and NAME appears to be an email address, try the auto
* locate feature. */
- for (akl = opt.auto_key_locate; akl; akl = akl->next)
+ for (akl = used_akl; akl; akl = akl->next)
{
unsigned char *fpr = NULL;
size_t fpr_len;
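Review bot: The new header comment for `GET_PUBKEY_TRY_LDAP` says the mode tries LDAP when the key is not found locally, but the `@@ -1021` hunk does more than that: it replaces the configured auto-key-locate list with a private LDAP-only entry, so the user's `--auto-key-locate` settings (including `nodefault` and `local`, which the following loop can then never see) are ignored in this mode, and the `@@ -990` hunk additionally enables the fingerprint-classification path for it. I would state that in the comment: ` * GET_PUBKEY_TRY_LDAP - If the key was not found locally try LDAP; the configured auto-key-locate list is ignored and only LDAP is used.` The bare `;` under `else if (mode == GET_PUBKEY_NO_AKL)` would read better as `; /* No auto-key-locate at all. */`, and `ldap_only_akl` is clearer and independent of the field order of struct akl with a designated initializer, `static struct akl ldap_only_akl = { .type = AKL_LDAP };`. The body of get_pubkey_byname continues outside these hunks.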
diff --git a/g10/keydb.h b/g10/keydb.h
index d43d1bcaa..9cb63cf73 100644
--- a/g10/keydb.h
+++ b/g10/keydb.h
@@ -372,7 +372,8 @@ enum get_pubkey_modes
{
GET_PUBKEY_NORMAL = 0,
GET_PUBKEY_NO_AKL = 1,
- GET_PUBKEY_NO_LOCAL = 2
+ GET_PUBKEY_NO_LOCAL = 2,
+ GET_PUBKEY_TRY_LDAP = 3
};
/* Find a public key identified by NAME. */
diff --git a/g10/keygen.c b/g10/keygen.c
index 5908a09d0..0846a9e2f 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -4504,7 +4504,7 @@ prepare_desig_revoker (ctrl_t ctrl, const char *name)
revoker_pk = xcalloc (1, sizeof *revoker_pk);
revoker_pk->req_usage = PUBKEY_USAGE_CERT;
- err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ err = get_pubkey_byname (ctrl, GET_PUBKEY_TRY_LDAP,
NULL, revoker_pk, name, NULL, NULL, 1);
if (err)
goto leave;
@@ -4565,7 +4565,7 @@ prepare_adsk (ctrl_t ctrl, const char *name)
adsk_pk = xcalloc (1, sizeof *adsk_pk);
adsk_pk->req_usage = PUBKEY_USAGE_ENC;
- err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ err = get_pubkey_byname (ctrl, GET_PUBKEY_TRY_LDAP,
NULL, adsk_pk, name, NULL, NULL, 1);
if (err)
goto leave;
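Review bot: Both call sites now let a key-generation step reach an LDAP directory when NAME is not found locally, where the previous GET_PUBKEY_NO_AKL kept revoker and ADSK selection strictly local, and nothing within the hunks verifies that the key the directory returns is the one the user named. If NAME can be a user ID or mail address rather than a fingerprint, whoever can publish to that directory chooses which key becomes the designated revoker or ADSK, and a designated revoker can revoke the newly generated key; I would have the callers accept only a fingerprint for this lookup, or compare the fingerprint of `revoker_pk`/`adsk_pk` against NAME after the call returns, and say so above each call: `/* NAME may be resolved via LDAP; pass a fingerprint so the returned key is pinned. */`. The same point applies to the prepare_adsk hunk. Both prepare_desig_revoker and prepare_adsk begin and end outside the hunks.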
diff --git a/g10/options.h b/g10/options.h
index 3edcf2f21..053af915f 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -41,6 +41,26 @@ struct keyserver_spec
};
typedef struct keyserver_spec *keyserver_spec_t;
+/* The --auto-key-locate mechanisms object. */
+struct akl
+{
+ enum {
+ AKL_NODEFAULT,
+ AKL_LOCAL,
+ AKL_CERT,
+ AKL_PKA,
+ AKL_DANE,
+ AKL_WKD,
+ AKL_LDAP,
+ AKL_NTDS,
+ AKL_KEYSERVER,
+ AKL_SPEC
+ } type;
+ keyserver_spec_t spec;
+ struct akl *next;
+};
+
+
/* Global options for GPG. */
EXTERN_UNLESS_MAIN_MODULE
@@ -290,23 +310,7 @@ struct
/* Linked list of ways to find a key if the key isn't on the local
keyring. */
- struct akl
- {
- enum {
- AKL_NODEFAULT,
- AKL_LOCAL,
- AKL_CERT,
- AKL_PKA,
- AKL_DANE,
- AKL_WKD,
- AKL_LDAP,
- AKL_NTDS,
- AKL_KEYSERVER,
- AKL_SPEC
- } type;
- keyserver_spec_t spec;
- struct akl *next;
- } *auto_key_locate;
+ struct akl *auto_key_locate;
/* The value of --key-origin. See parse_key_origin(). */
int key_origin;
@@ -327,6 +331,7 @@ struct
unsigned int compat_flags;
} opt;
+
/* CTRL is used to keep some global variables we currently can't
avoid. Future concurrent versions of gpg will put it into a per
request structure CTRL. */