diff options
| author | Werner Koch <[email protected]> | 2017-10-17 19:10:19 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2017-10-17 19:10:19 +0000 |
| commit | 825abec0e7f38667a34dce3025fc2f3a05001dde (patch) | |
| tree | 8508d92f6b68271377353c15756cec57f03fc694 /g10/keylist.c | |
| parent | sm: Fix colon listing of fields > 12 in crt records. (diff) | |
| download | gnupg-825abec0e7f38667a34dce3025fc2f3a05001dde.tar.gz gnupg-825abec0e7f38667a34dce3025fc2f3a05001dde.zip | |
gpg,sm: New option --with-key-screening.
* common/pkscreening.c: New.
* common/pkscreening.h: New.
* common/Makefile.am (common_sources): Add them.
* g10/gpg.c (opts): New option --with-key-screening.
* g10/options.h (struct opt): New field with_key_screening.
* g10/keylist.c: Include pkscreening.h.
(print_pk_screening): New.
(list_keyblock_print): Call it.
(print_compliance_flags): Call it.
* sm/gpgsm.c (opts): New option --with-key-screening.
* sm/gpgsm.h (scruct opt): New field with_key_screening.
* sm/keylist.c: Include pkscreening.h.
(print_pk_screening): New.
(print_compliance_flags): Call it. Add new arg cert.
(list_cert_colon): Pass arg cert
(list_cert_std): Call print_pk_screening.
* sm/fingerprint.c (gpgsm_get_rsa_modulus): New.
--
This new option can be used to detect ROCA affected keys. To scan an
entire keyring and print the affected fingerprints use this:
gpg -k --with-key-screening --with-colons | gawk -F: \
'$1~/pub|sub|sec|ssb|crt/ && $18~/\<6001\>/ {found=1;next};
$1=="fpr" && found {print $10}; {found=0}'
The same works for gpgsm. Note that we need gawk due to the "\<" in
the r.e.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'g10/keylist.c')
| -rw-r--r-- | g10/keylist.c | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/g10/keylist.c b/g10/keylist.c index dccae91c9..bcbad450a 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -45,6 +45,7 @@ #include "../common/zb32.h" #include "tofu.h" #include "../common/compliance.h" +#include "../common/pkscreening.h" static void list_all (ctrl_t, int, int); @@ -696,6 +697,37 @@ print_key_data (PKT_public_key * pk) } } + +/* Various public key screenings. (Right now just ROCA). With + * COLON_MODE set the output is formatted for use in the compliance + * field of a colon listing. + */ +static void +print_pk_screening (PKT_public_key *pk, int colon_mode) +{ + gpg_error_t err; + + if (is_RSA (pk->pubkey_algo) && pubkey_get_npkey (pk->pubkey_algo)) + { + err = screen_key_for_roca (pk->pkey[0]); + if (!err) + ; + else if (gpg_err_code (err) == GPG_ERR_TRUE) + { + if (colon_mode) + es_fprintf (es_stdout, colon_mode > 1? " %d":"%d", 6001); + else + es_fprintf (es_stdout, + " Screening: ROCA vulnerability detected\n"); + } + else if (!colon_mode) + es_fprintf (es_stdout, " Screening: [ROCA check failed: %s]\n", + gpg_strerror (err)); + } + +} + + static void print_capabilities (ctrl_t ctrl, PKT_public_key *pk, KBNODE keyblock) { @@ -922,6 +954,9 @@ list_keyblock_print (ctrl_t ctrl, kbnode_t keyblock, int secret, int fpr, if (opt.with_key_data) print_key_data (pk); + if (opt.with_key_screening) + print_pk_screening (pk, 0); + if (opt.with_key_origin && (pk->keyorg || pk->keyupdate || pk->updateurl)) { @@ -1063,6 +1098,8 @@ list_keyblock_print (ctrl_t ctrl, kbnode_t keyblock, int secret, int fpr, es_fprintf (es_stdout, " Keygrip = %s\n", hexgrip); if (opt.with_key_data) print_key_data (pk2); + if (opt.with_key_screening) + print_pk_screening (pk2, 0); } else if (opt.list_sigs && node->pkt->pkttype == PKT_SIGNATURE && !skip_sigs) @@ -1227,6 +1264,9 @@ print_compliance_flags (PKT_public_key *pk, gnupg_status_compliance_flag (CO_DE_VS)); any++; } + + if (opt.with_key_screening) + print_pk_screening (pk, 1+any); } |