From d7e707170fbe2956deb3d81e2802d21352079722 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 16 Apr 2021 20:21:23 +0200 Subject: gpg: Lookup a missing public key of the current card via LDAP. * g10/getkey.c (get_seckey_default_or_card): Lookup a missing public key from the current card via LDAP. * g10/call-dirmngr.c: Include keyserver-intetnal.h. (gpg_dirmngr_ks_get): Rename arg quick into flags. Take care of the new LDAP flag. * g10/keyserver-internal.h (KEYSERVER_IMPORT_FLAG_QUICK): New. Replace the use of the value 1 for the former quick arg. (KEYSERVER_IMPORT_FLAG_LDAP): New. * g10/keyserver.c (keyserver_get_chunk): Increase the reserved line length. * dirmngr/ks-action.c (ks_action_get): Add arg ldap_only. * dirmngr/server.c (cmd_ks_get): Add option --ldap. -- This change makes it easy to start working with gnupg: Just insert the smartcard or token provided to you and the first time you sign a message the public key associated with the current card will be imported and everything is set without any configuration. This works only with an LDAP directory because it can be expected that the public key has been put into the LDAP during card personalization. Of course an LDAP server needs to be configured; in a Windows AD domain this can be a mere "keyserver ldap:///" in dirmngr.conf. Other configured keyservers are ignored. Requirements for the card driver: The $SIGNKEYID attribute must exists and a query for the KEY-FPR attribute needs to return the OpenPGP fingerprint for that key. This is currently supported for OpenPGP cards and certain PKCS#15 cards. Signed-off-by: Werner Koch --- dirmngr/server.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'dirmngr/server.c') diff --git a/dirmngr/server.c b/dirmngr/server.c index f6c2c45f1..0ccba2987 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -2403,11 +2403,12 @@ cmd_ks_search (assuan_context_t ctx, char *line) static const char hlp_ks_get[] = - "KS_GET {}\n" + "KS_GET [--quick] [--ldap] {}\n" "\n" "Get the keys matching PATTERN from the configured OpenPGP keyservers\n" "(see command KEYSERVER). Each pattern should be a keyid, a fingerprint,\n" - "or an exact name indicated by the '=' prefix."; + "or an exact name indicated by the '=' prefix. Option --quick uses a\n" + "shorter timeout; --ldap will use only ldap servers"; static gpg_error_t cmd_ks_get (assuan_context_t ctx, char *line) { @@ -2416,9 +2417,11 @@ cmd_ks_get (assuan_context_t ctx, char *line) strlist_t list, sl; char *p; estream_t outfp; + int ldap_only; if (has_option (line, "--quick")) ctrl->timeout = opt.connect_quick_timeout; + ldap_only = has_option (line, "--ldap"); line = skip_options (line); /* Break the line into a strlist. Each pattern is by @@ -2460,7 +2463,8 @@ cmd_ks_get (assuan_context_t ctx, char *line) ctrl->server_local->inhibit_data_logging = 1; ctrl->server_local->inhibit_data_logging_now = 0; ctrl->server_local->inhibit_data_logging_count = 0; - err = ks_action_get (ctrl, ctrl->server_local->keyservers, list, outfp); + err = ks_action_get (ctrl, ctrl->server_local->keyservers, + list, ldap_only, outfp); es_fclose (outfp); ctrl->server_local->inhibit_data_logging = 0; } -- cgit v1.2.3