| Commit message | Author | Age | Files | Lines |
| |
--
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
--
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
--
GnuPG-bug-id: 5189
Signed-off-by: bobwxc <[email protected]>
| |
* tools/wks-util.c (wks_cmd_install_key): Don't set u+x on the file.
(ensure_policy_file): No need to make the policy file group writable.
--
The policy file is rarely changed thus no need to g+w. Setting +x on
a plain file does not make sense at all.
GnuPG-bug-id: 5214
| |
--
Signed-off-by: Yao Wei <[email protected]>
| |
--
| |
--
GnuPG-bug-id: 5189
Signed-off-by: bobwxc <[email protected]>
| |
--
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* common/dotlock.c (dotlock_create_unix): Remove debug output.
--
This was left over from development about 10 years ago. Exhibits
itself when using sshfs.
GnuPG-bug-id: 5193
| |
* dirmngr/ks-engine-ldap.c: Wrap some ldap calls.
--
The former gpgkeys_ldap module has once been ported to dirmngr but
unfortunately the dirmngr_ldap wrapper has not been used so that we
have internal LDAP calls with these problems:
- No usable timeouts.
- On non-Windows platforms a lot of extra libs and possibly even a
second copy of Libgcrypt is pulled in.
- Only one thread runs at a time.
This patch mitigates the last point.
Signed-off-by: Werner Koch <[email protected]>
| |
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Change the new
support for KEYDB_SEARCH_MODE_MAIL.
(ks_ldap_get): Add a debug.
* g10/options.h (AKL_NTDS): New.
* g10/keyserver.c (keyserver_import_ntds): New.
(keyserver_get_chunk): Allow KEYDB_SEARCH_MODE_MAIL.
* g10/getkey.c (parse_auto_key_locate): Support "ntds".
(get_pubkey_byname): Ditto.
| |
* dirmngr/http.h (struct parsed_uri_s): Add field ad_current.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Set it.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Take care of ad_current.
--
Ported from 2.2.
Signed-off-by: Werner Koch <[email protected]>
| |
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Add arg
serverinfo and allow searching by fingerprint.
(ks_ldap_get, ks_ldap_search): First connect then create the filter.
--
With the new schema we can finally search by fingerprint.
| |
--
With these modifications it is now possible to store and retrieve keys
from an AD without manually tweaking the schema. Permissions need to
be set manually, though.
| |
* g10/call-dirmngr.c (ks_put_inq_cb): Emit "fpr" records.
* dirmngr/ks-engine-ldap.c (extract_attributes): Add args
extract-state and schemav2. Add data for the new schema version.
Remove the legacy code to handle UIDs in the "pub" line.
(ks_ldap_put): Set new attributes for NTDS use the fingerprint as CN.
Signed-off-by: Werner Koch <[email protected]>
| |
--
I accidentally added a gpgSubCertID attribute not realizing that the
pgpSubKeyID already carries the long keyid. Remove that. Note that
the pgpkeyID has the short keyid and the long keyid has the name
pgpCertID.
Signed-off-by: Werner Koch <[email protected]>
| |
* dirmngr/ks-engine-ldap.c (SERVERINFO_): New constants.
(my_ldap_connect): Replace args pgpkeyattrp and real_ldapp by a new
serverinfo arg. Set the new info flags.
(ks_ldap_get): Adjust for change.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto. Replace xmalloc by xtrymalloc. Change the DN
for use with NTDS (aka Active Directory).
* doc/ldap/gnupg-ldap-init.ldif (pgpSoftware): Update definition of
pgpVersion.
* doc/ldap/gnupg-ldap-ad-init.ldif: New.
* doc/ldap/gnupg-ldap-ad-schema.ldif: New.
--
This is a first take on better Active Directory support. The main
change for NTDS in the code is that a top-RDN of CN is used
instead of the old pgpCertID. More changes to come; for example using
and storing the fingerprint.
Signed-off-by: Werner Koch <[email protected]>
| |
* dirmngr/ks-engine-ldap.c (extract_attributes): Do not store the
pgpSignerID.
* g10/call-dirmngr.c (ks_put_inq_cb): Do not emit sig records.
--
The pgpSignerID has no use in the LDAP and thus don't store it.
David's idea back in 2004 was
/* This bit is really for the benefit of people who
store their keys in LDAP servers. It makes it easy
to do queries for things like "all keys signed by
Isabella". */
See-commit: 3ddd4410aef928827e1c8d4fb02c1ccd3f8eaea5
I consider this dangerous because such a query is not able to validate
the signature, does not get revocation signatures, and also has no
information about the validity of the signatures. Further many keys
are spammed these days with faked signatures and it does not make
sense to blow up the LDAP with such garbage.
Signed-off-by: Werner Koch <[email protected]>
| |
* dirmngr/ks-engine-ldap.c (ks_ldap_put): Extract attributes into
addlist.
--
The code used the wrong list which resulted in adding attributes
marked for deletion. In particular Active Directory does not accept
such data and rejects them. The bug was introduced into 2.1 while
porting the code from the old keyserver helpers to dirmngr.
Fixes-commit: 51341badb623927f2a358588c725a356fc77dbe7
Signed-off-by: Werner Koch <[email protected]>
| |
* scd/app-nks.c (do_readkey): Allow KEYGRIP access.
Support NKS-IDLM.XXXX keyref.
--
GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/app-nks.c (pubkey_from_pk_file): New.
(keygripstr_from_pk_file): Use pubkey_from_pk_file.
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/app-nks.c (do_readcert): Support KEYGRIP.
--
GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/app-nks.c (iterate_over_filelist): New.
(do_with_keygrip): Use iterate_over_filelist.
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* tools/gpg-wks-client.c (read_confirmation_request): Print trust
letter.
--
The trust letter gives a hint on what's wrong with the key.
Signed-off-by: Werner Koch <[email protected]>
| |
* scd/ccid-driver.c (abort_cmd): Add INIT argument to support
synchronize until success, even ignoring timeout.
(bulk_in): Normal use case of abort_cmd.
(ccid_vendor_specific_init): Initial use case of abort_cmd.
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/ccid-driver.c (ccid_vendor_specific_setup): Only for SPR532,
call libusb_clear_halt.
--
GnuPG-bug-id: 5167
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/ccid-driver.c (ccid_setup_intr): Don't call libusb_clear_halt.
--
GnuPG-bug-id: 5167
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/app-openpgp.c (get_public_key): Yubikey NEO also has this issue.
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* agent/pkdecrypt.c (agent_pkdecrypt): Support decryption with card
but without a stub key.
--
GnuPG-bug-id: 5170
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* agent/agent.h (agent_pkdecrypt): Use gpg_error_t type.
* agent/pkdecrypt.c (agent_pkdecrypt): Use gpg_error_t type.
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* agent/pksign.c (agent_pksign_do): Add support with no file.
--
GnuPG-bug-id: 5166
Signed-off-by: Ingo Klöcker <[email protected]>
| |
* g10/keygen.c (quick_generate_keypair): Set pCARDKEY flag if algostr
is "card" or "card/...".
--
For keys stored on NetKey cards or PIV cards we do not necessarily
know the creation time. Therefore set the cardkey flag if the generation
of a key from the keys available on the currently inserted smartcard
is requested with the special algo "card" or, in case of the extended
unattended mode, with an algo like "card/sign".
GnuPG-bug-id: 5141
Signed-off-by: Ingo Klöcker <[email protected]>
| |
* g10/call-agent.c (learn_status_cb): Assume >= 2 when no version.
* tools/card-call-scd.c (learn_status_cb): Likewise.
--
GnuPG-bug-id: 5100
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/app-nks.c (keygripstr_from_pk_file): Distinguish by APP_ID.
--
GnuPG-bug-id: 5150, 5161
Fixes-commit: 920154370834ad8d947aed19c9d914a27dde6baa
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/command.c (cmd_keyinfo): Handle --data option correctly.
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/app-openpgp.c (build_privkey_template): Adding another argument
of ecc_d_fixed_len to handle variable-size MPI.
--
GnuPG-bug-id: 5163
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* kbx/keybox-openpgp.c (keygrip_from_keyparm): Detect missing curve.
| |
* doc/gpg.texi: Add parameters for batch generation of ECC keys.
--
There are parameters required for batch generation of ECC keys which
weren't mentioned in the documentation.
Signed-off-by: Jens Meißner <[email protected]>
| |
* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
(keygripstr_from_pk_file): Handle special value.
(do_readcert): Ditto.
(do_writecert): Ditto.
--
This allows to get information about the keys from the card. However
the do_readkey still requires a fallback to readcert. This does not
work because there are no certificates yet on the card. The fix is to
fully implement do_readkey.
|
| |
* tools/card-call-scd.c (scd_apdu_strerror): New.
* tools/gpg-card.c (cmd_apdu): Print a description.
--
Pretty convenient to explore smartcards.
|
| |
* scd/apdu.c (apdu_strerror): Add missing status codes.
* scd/command.c (cmd_getinfo): New sub-command apdu_strerror.
--
This is quite handy for gpg-card's APDU command and avoids that we
need to duplicate the mapping table or put it into a shared file.
|
| |
* tools/gpg-card.c (cmd_passwd) [Netkey]: No Standard/QES menu if the
card does not support it. Print no error in cases the user canceled.
| |
* scd/apdu.h (SW_HOST_UI_CANCELLED, SW_HOST_UI_TIMEOUT): New.
* scd/ccid-driver.h (CCID_DRIVER_ERR_UI_CANCELLED): New.
(CCID_DRIVER_ERR_UI_TIMEOUT): New.
* scd/ccid-driver.c (bulk_in): Handle PIN input cancel/timeout error.
* scd/iso7816.c (map_sw): Support SW_HOST_UI_CANCELLED and
SW_HOST_UI_TIMEOUT.
--
GnuPG-bug-id: 4614
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* agent/divert-scd.c (ask_for_card): Detect and re-format the Yubikey
prompt.
* scd/app.c (app_munge_serialno): Fix Yubikey s/n munging.
(card_get_dispserialno): Ditto.
* scd/app-openpgp.c (get_disp_serialno): Remove.
(get_prompt_info): Use app_get_dispserialno.
--
| |
* scd/app.c (app_dump_state): Also print the refcount.
(maybe_switch_app): Make sure the app exists on the card.
--
When switching the current card and the card does not support the same
apps as the former, we now reset the app to the first one.
Testcase is to use a standard OpenPGP card and a P15 card.
Signed-off-by: Werner Koch <[email protected]>
| |
* scd/app.c (is_same_serialno): New.
(check_application_conflict): Use this.
(select_application): Ditto.
(app_switch_current_card): Ditto.
* scd/app-openpgp.c (check_keyidstr): Ignore the card version and also
compare case insensitive.
--
This is required because we change what we emit as serialno of OpenPGP
cards but existing keys still use the old form of the serial
number (i.e. with a firmware version).
See-commit: 3a8250c02031080c6c8eebd5dea03f5f87f9ddd7
Signed-off-by: Werner Koch <[email protected]>
| |
* g10/export.c (do_export_one_keyblock): Report an error.
--
GnuPG-bug-id: 5151
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* scd/app-nks.c (keygripstr_from_pk_file): Identify by cfid if
available.
--
GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <[email protected]>