authorWerner Koch <[email protected]>2021-04-16 18:21:23 +0000
committerWerner Koch <[email protected]>2021-04-16 18:21:23 +0000
commitd7e707170fbe2956deb3d81e2802d21352079722 (patch)
tree69192a8a16bce8ea053039d882d8bdfff6e1bc77 /g10/keyserver.c
parentscd:p15: Support attribute KEY-FPR. (diff)
gpg: Lookup a missing public key of the current card via LDAP.
* g10/getkey.c (get_seckey_default_or_card): Lookup a missing public key from the current card via LDAP. * g10/call-dirmngr.c: Include keyserver-internal.h. (gpg_dirmngr_ks_get): Rename arg quick into flags. Take care of the new LDAP flag. * g10/keyserver-internal.h (KEYSERVER_IMPORT_FLAG_QUICK): New. Replace the use of the value 1 for the former quick arg. (KEYSERVER_IMPORT_FLAG_LDAP): New. * g10/keyserver.c (keyserver_get_chunk): Increase the reserved line length. * dirmngr/ks-action.c (ks_action_get): Add arg ldap_only. * dirmngr/server.c (cmd_ks_get): Add option --ldap. -- This change makes it easy to start working with gnupg: Just insert the smartcard or token provided to you and the first time you sign a message the public key associated with the current card will be imported and everything is set without any configuration. This works only with an LDAP directory because it can be expected that the public key has been put into the LDAP during card personalization. Of course an LDAP server needs to be configured; in a Windows AD domain this can be a mere "keyserver ldap:///" in dirmngr.conf. Other configured keyservers are ignored. Requirements for the card driver: The $SIGNKEYID attribute must exist and a query for the KEY-FPR attribute needs to return the OpenPGP fingerprint for that key. This is currently supported for OpenPGP cards and certain PKCS#15 cards. Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'g10/keyserver.c')
-rw-r--r--g10/keyserver.c31
1 files changed, 17 insertions, 14 deletions
diff --git a/g10/keyserver.c b/g10/keyserver.c
index c4a1d5e19..a0620565c 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -105,7 +105,7 @@ static struct parse_options keyserver_opts[]=
static gpg_error_t keyserver_get (ctrl_t ctrl,
KEYDB_SEARCH_DESC *desc, int ndesc,
struct keyserver_spec *override_keyserver,
- int quick,
+ unsigned int flags,
unsigned char **r_fpr, size_t *r_fprlen);
static gpg_error_t keyserver_put (ctrl_t ctrl, strlist_t keyspecs);
@@ -1156,7 +1156,8 @@ keyserver_import_ntds (ctrl_t ctrl, const char *mbox,
int
keyserver_import_fprint (ctrl_t ctrl, const byte *fprint,size_t fprint_len,
- struct keyserver_spec *keyserver, int quick)
+ struct keyserver_spec *keyserver,
+ unsigned int flags)
{
KEYDB_SEARCH_DESC desc;
@@ -1172,12 +1173,13 @@ keyserver_import_fprint (ctrl_t ctrl, const byte *fprint,size_t fprint_len,
/* TODO: Warn here if the fingerprint we got doesn't match the one
we asked for? */
- return keyserver_get (ctrl, &desc, 1, keyserver, quick, NULL, NULL);
+ return keyserver_get (ctrl, &desc, 1, keyserver, flags, NULL, NULL);
}
int
keyserver_import_keyid (ctrl_t ctrl,
- u32 *keyid,struct keyserver_spec *keyserver, int quick)
+ u32 *keyid,struct keyserver_spec *keyserver,
+ unsigned int flags)
{
KEYDB_SEARCH_DESC desc;
@@ -1187,7 +1189,7 @@ keyserver_import_keyid (ctrl_t ctrl,
desc.u.kid[0]=keyid[0];
desc.u.kid[1]=keyid[1];
- return keyserver_get (ctrl, &desc, 1, keyserver, quick, NULL, NULL);
+ return keyserver_get (ctrl, &desc, 1, keyserver, flags, NULL, NULL);
}
@@ -1579,7 +1581,7 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
int *r_ndesc_used,
import_stats_t stats_handle,
struct keyserver_spec *override_keyserver,
- int quick,
+ unsigned int flags,
unsigned char **r_fpr, size_t *r_fprlen)
{
@@ -1608,7 +1610,7 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
single request will be rejected only later by gpg_dirmngr_ks_get
but we are sure that R_NDESC_USED has been updated. This avoids
a possible indefinite loop. */
- linelen = 17; /* "KS_GET --quick --" */
+ linelen = 24; /* "KS_GET --quick --ldap --" */
for (npat=npat_fpr=0, idx=0; idx < ndesc; idx++)
{
int quiet = 0;
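Review bot: The new reserve `linelen = 24` is hand-counted against a command prefix that, per the commit message, is assembled in gpg_dirmngr_ks_get in another translation unit, so the next option added there can silently outgrow this constant and defeat the size accounting the preceding comment relies on to avoid the indefinite loop. A comment on the changed line should name the coupling, e.g. `/* Must cover the longest option prefix gpg_dirmngr_ks_get can emit ("KS_GET --quick --ldap --"). */`, or better, the reserve should be a shared constant defined next to the KEYSERVER_IMPORT_FLAG_ values so both sides update together. The body of keyserver_get_chunk starts and ends outside this hunk.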
@@ -1732,7 +1734,7 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
only_fprs = (npat && npat == npat_fpr);
- err = gpg_dirmngr_ks_get (ctrl, pattern, override_keyserver, quick,
+ err = gpg_dirmngr_ks_get (ctrl, pattern, override_keyserver, flags,
&datastream, &source);
for (idx=0; idx < npat; idx++)
xfree (pattern[idx]);
@@ -1786,11 +1788,12 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
(DESC,NDESC). Allowed search modes are keyid, fingerprint, and
exact searches. OVERRIDE_KEYSERVER gives an optional override
keyserver. If (R_FPR,R_FPRLEN) are not NULL, they may return the
- fingerprint of a single imported key. If QUICK is set, dirmngr is
- advised to use a shorter timeout. */
+ fingerprint of a single imported key. If the FLAG bit
+ KEYSERVER_IMPORT_FLAG_QUICK is set, dirmngr is advised to use a
+ shorter timeout. */
static gpg_error_t
keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- struct keyserver_spec *override_keyserver, int quick,
+ struct keyserver_spec *override_keyserver, unsigned int flags,
unsigned char **r_fpr, size_t *r_fprlen)
{
gpg_error_t err;
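Review bot: The updated comment above keyserver_get documents only KEYSERVER_IMPORT_FLAG_QUICK, although the commit also introduces KEYSERVER_IMPORT_FLAG_LDAP and passes the whole FLAGS word down to gpg_dirmngr_ks_get. The comment should state what the second bit does; based on the commit description it would read `If KEYSERVER_IMPORT_FLAG_LDAP is set, only LDAP keyservers are consulted and other configured keyservers are ignored.` The same FLAGS word is taken by keyserver_import_fprint and keyserver_import_keyid in the earlier hunks, whose header comments are not visible here and presumably need the same wording. The body of keyserver_get continues outside this hunk.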
@@ -1803,7 +1806,7 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
for (;;)
{
err = keyserver_get_chunk (ctrl, desc, ndesc, &ndesc_used, stats_handle,
- override_keyserver, quick, r_fpr, r_fprlen);
+ override_keyserver, flags, r_fpr, r_fprlen);
if (!err)
any_good = 1;
if (err || ndesc_used >= ndesc)
@@ -2031,7 +2034,7 @@ keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode,
/* Import a key using the Web Key Directory protocol. */
gpg_error_t
-keyserver_import_wkd (ctrl_t ctrl, const char *name, int quick,
+keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags,
unsigned char **fpr, size_t *fpr_len)
{
gpg_error_t err;
@@ -2050,7 +2053,7 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, int quick,
return err;
}
- err = gpg_dirmngr_wkd_get (ctrl, mbox, quick, &key, &url);
+ err = gpg_dirmngr_wkd_get (ctrl, mbox, flags, &key, &url);
if (err)
;
else if (key)
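Review bot: The changed call passes the full FLAGS bit mask to gpg_dirmngr_wkd_get, but the commit message records the quick-to-flags rename only for gpg_dirmngr_ks_get; if gpg_dirmngr_wkd_get still takes an `int quick`, any caller setting only KEYSERVER_IMPORT_FLAG_LDAP would unintentionally get a short-timeout WKD lookup. Either pass the single bit the callee understands, `err = gpg_dirmngr_wkd_get (ctrl, mbox, !!(flags & KEYSERVER_IMPORT_FLAG_QUICK), &key, &url);`, or change its parameter to `unsigned int flags` as well and document which bits it honours. The enclosing keyserver_import_wkd continues outside this hunk.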