24
24
#include <string.h>
25
25
#include <stdlib.h>
26
26
#include <assert.h>
29
31
#include "filter.h"
31
33
#include "status.h"
38
38
#include "options.h"
39
39
#include "packet.h"
40
41
#include "keyserver-internal.h"
46
#ifdef HAVE_W32_SYSTEM
47
/* It seems Vista doesn't grok X_OK and so fails access() tests.
48
Previous versions interpreted X_OK as F_OK anyway, so we'll just
52
#endif /* HAVE_W32_SYSTEM */
49
56
KEYDB_SEARCH_DESC desc;
50
time_t createtime,expiretime;
57
u32 createtime,expiretime;
60
int tell; /* tell remote process about this one */
64
{"include-revoked",1,&opt.keyserver_options.include_revoked},
65
{"include-disabled",1,&opt.keyserver_options.include_disabled},
66
{"include-subkeys",1,&opt.keyserver_options.include_subkeys},
67
{"keep-temp-files",0,&opt.keyserver_options.keep_temp_files},
68
{"honor-http-proxy",1,&opt.keyserver_options.honor_http_proxy},
69
{"broken-http-proxy",1,&opt.keyserver_options.broken_http_proxy},
70
{"refresh-add-fake-v3-keyids",0,&opt.keyserver_options.fake_v3_keyids},
71
{"auto-key-retrieve",0,&opt.keyserver_options.auto_key_retrieve},
72
{"try-dns-srv",1,&opt.keyserver_options.try_dns_srv},
76
static int keyserver_work(int action,STRLIST list,
77
KEYDB_SEARCH_DESC *desc,int count);
64
enum ks_action {KS_UNKNOWN=0,KS_GET,KS_GETNAME,KS_SEND,KS_SEARCH};
66
static struct parse_options keyserver_opts[]=
68
/* some of these options are not real - just for the help
70
{"max-cert-size",0,NULL,NULL},
71
{"include-revoked",0,NULL,N_("include revoked keys in search results")},
72
{"include-subkeys",0,NULL,N_("include subkeys when searching by key ID")},
73
{"use-temp-files",0,NULL,
74
N_("use temporary files to pass data to keyserver helpers")},
75
{"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL,
76
N_("do not delete temporary files after using them")},
77
{"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL,
79
{"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
80
N_("automatically retrieve keys when verifying signatures")},
81
{"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL,
82
N_("honor the preferred keyserver URL set on the key")},
83
{"honor-pka-record",KEYSERVER_HONOR_PKA_RECORD,NULL,
84
N_("honor the PKA record set on a key when retrieving keys")},
88
static int keyserver_work(enum ks_action action,strlist_t list,
89
KEYDB_SEARCH_DESC *desc,int count,
90
unsigned char **fpr,size_t *fpr_len,
91
struct keyserver_spec *keyserver);
93
/* Reasonable guess */
94
#define DEFAULT_MAX_CERT_SIZE 16384
96
static size_t max_cert_size=DEFAULT_MAX_CERT_SIZE;
99
add_canonical_option(char *option,strlist_t *list)
101
char *arg=argsplit(option);
107
joined=xmalloc(strlen(option)+1+strlen(arg)+1);
108
/* Make a canonical name=value form with no spaces */
109
strcpy(joined,option);
112
append_to_strlist(list,joined);
116
append_to_strlist(list,option);
80
120
parse_keyserver_options(char *options)
84
while((tok=strsep(&options," ,")))
126
keyserver_opts[0].value=&max_cert;
128
while((tok=optsep(&options)))
91
for(i=0;keyserver_opts[i].name;i++)
93
if(ascii_strcasecmp(tok,keyserver_opts[i].name)==0)
95
*(keyserver_opts[i].flag)=1;
99
else if(ascii_strncasecmp("no-",tok,3)==0 &&
100
ascii_strcasecmp(&tok[3],keyserver_opts[i].name)==0)
102
*(keyserver_opts[i].flag)=0;
108
/* These options need more than just a flag */
111
if(ascii_strcasecmp(tok,"verbose")==0)
112
opt.keyserver_options.verbose++;
113
else if(ascii_strcasecmp(tok,"no-verbose")==0)
114
opt.keyserver_options.verbose--;
133
/* For backwards compatibility. 1.2.x used honor-http-proxy and
134
there are a good number of documents published that recommend
136
if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
138
else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
141
/* We accept quite a few possible options here - some options to
142
handle specially, the keyserver_options list, and import and
143
export options that pertain to keyserver operations. Note
144
that you must use strncasecmp here as there might be an
145
=argument attached which will foil the use of strcasecmp. */
115
147
#ifdef EXEC_TEMPFILE_ONLY
116
else if(ascii_strcasecmp(tok,"use-temp-files")==0 ||
117
ascii_strcasecmp(tok,"no-use-temp-files")==0)
118
log_info(_("WARNING: keyserver option \"%s\" is not used "
119
"on this platform\n"),tok);
148
if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
149
ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
150
log_info(_("WARNING: keyserver option `%s' is not used"
151
" on this platform\n"),tok);
121
else if(ascii_strcasecmp(tok,"use-temp-files")==0)
122
opt.keyserver_options.use_temp_files=1;
123
else if(ascii_strcasecmp(tok,"no-use-temp-files")==0)
124
opt.keyserver_options.use_temp_files=0;
153
if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
154
opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
155
else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
156
opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
127
if(!parse_import_options(tok,
128
&opt.keyserver_options.import_options) &&
129
!parse_export_options(tok,
130
&opt.keyserver_options.export_options))
131
add_to_strlist(&opt.keyserver_options.other,tok);
137
parse_keyserver_uri(char *uri,const char *configname,unsigned int configlineno)
158
else if(!parse_options(tok,&opt.keyserver_options.options,
160
&& !parse_import_options(tok,
161
&opt.keyserver_options.import_options,0)
162
&& !parse_export_options(tok,
163
&opt.keyserver_options.export_options,0))
165
/* All of the standard options have failed, so the option is
166
destined for a keyserver plugin. */
167
add_canonical_option(tok,&opt.keyserver_options.other);
173
max_cert_size=strtoul(max_cert,(char **)NULL,10);
176
max_cert_size=DEFAULT_MAX_CERT_SIZE;
183
free_keyserver_spec(struct keyserver_spec *keyserver)
185
xfree(keyserver->uri);
186
xfree(keyserver->scheme);
187
xfree(keyserver->auth);
188
xfree(keyserver->host);
189
xfree(keyserver->port);
190
xfree(keyserver->path);
191
xfree(keyserver->opaque);
192
free_strlist(keyserver->options);
196
/* Return 0 for match */
198
cmp_keyserver_spec(struct keyserver_spec *one,struct keyserver_spec *two)
200
if(ascii_strcasecmp(one->scheme,two->scheme)==0)
202
if(one->host && two->host && ascii_strcasecmp(one->host,two->host)==0)
204
if((one->port && two->port
205
&& ascii_strcasecmp(one->port,two->port)==0)
206
|| (!one->port && !two->port))
209
else if(one->opaque && two->opaque
210
&& ascii_strcasecmp(one->opaque,two->opaque)==0)
217
/* Try and match one of our keyservers. If we can, return that. If
218
we can't, return our input. */
219
struct keyserver_spec *
220
keyserver_match(struct keyserver_spec *spec)
222
struct keyserver_spec *ks;
224
for(ks=opt.keyserver;ks;ks=ks->next)
225
if(cmp_keyserver_spec(spec,ks)==0)
231
/* TODO: once we cut over to an all-curl world, we don't need this
232
parser any longer so it can be removed, or at least moved to
233
keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
235
struct keyserver_spec *
236
parse_keyserver_uri(const char *string,int require_scheme,
237
const char *configname,unsigned int configlineno)
139
239
int assume_hkp=0;
143
opt.keyserver_host=NULL;
144
opt.keyserver_port=NULL;
145
opt.keyserver_opaque=NULL;
240
struct keyserver_spec *keyserver;
245
assert(string!=NULL);
247
keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
251
options=strchr(uri,' ');
259
while((tok=optsep(&options)))
260
add_canonical_option(tok,&keyserver->options);
147
263
/* Get the scheme */
149
opt.keyserver_scheme=strsep(&uri,":");
265
for(idx=uri,count=0;*idx && *idx!=':';idx++)
269
/* Do we see the start of an RFC-2732 ipv6 address here? If so,
270
there clearly isn't a scheme so get out early. */
273
/* Was the '[' the first thing in the string? If not, we
274
have a mangled scheme with a [ in it so fail. */
285
if(*idx=='\0' || *idx=='[')
152
290
/* Assume HKP if there is no scheme */
154
uri=opt.keyserver_scheme;
155
opt.keyserver_scheme="hkp";
292
keyserver->scheme=xstrdup("hkp");
294
keyserver->uri=xmalloc(strlen(keyserver->scheme)+3+strlen(uri)+1);
295
strcpy(keyserver->uri,keyserver->scheme);
296
strcat(keyserver->uri,"://");
297
strcat(keyserver->uri,uri);
303
keyserver->uri=xstrdup(uri);
305
keyserver->scheme=xmalloc(count+1);
159
307
/* Force to lowercase */
162
for(i=opt.keyserver_scheme;*i!='\0';i++)
163
*i=ascii_tolower(*i);
309
keyserver->scheme[i]=ascii_tolower(uri[i]);
311
keyserver->scheme[i]='\0';
313
/* Skip past the scheme and colon */
166
if(ascii_strcasecmp(opt.keyserver_scheme,"x-broken-hkp")==0)
317
if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
168
319
deprecated_warning(configname,configlineno,"x-broken-hkp",
169
320
"--keyserver-options ","broken-http-proxy");
170
opt.keyserver_scheme="hkp";
171
opt.keyserver_options.broken_http_proxy=1;
321
xfree(keyserver->scheme);
322
keyserver->scheme=xstrdup("hkp");
323
append_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
173
else if(ascii_strcasecmp(opt.keyserver_scheme,"x-hkp")==0
174
|| ascii_strcasecmp(opt.keyserver_scheme,"http")==0)
325
else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
176
327
/* Canonicalize this to "hkp" so it works with both the internal
177
328
and external keyserver interface. */
178
opt.keyserver_scheme="hkp";
329
xfree(keyserver->scheme);
330
keyserver->scheme=xstrdup("hkp");
181
333
if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
190
opt.keyserver_host=strsep(&uri,":/");
191
if(opt.keyserver_host[0]=='\0')
192
return GPG_ERR_BAD_URI;
194
if(uri==NULL || uri[0]=='\0')
195
opt.keyserver_port=NULL;
341
/* Do we have userinfo auth data present? */
342
for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
345
/* We found a @ before the slash, so that means everything
346
before the @ is auth data. */
352
keyserver->auth=xmalloc(count+1);
353
strncpy(keyserver->auth,uri,count);
354
keyserver->auth[count]='\0';
358
/* Is it an RFC-2732 ipv6 [literal address] ? */
361
for(idx=uri+1,count=1;*idx
362
&& ((isascii (*idx) && isxdigit(*idx))
363
|| *idx==':' || *idx=='.');idx++)
366
/* Is the ipv6 literal address terminated? */
373
for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
379
keyserver->host=xmalloc(count+1);
380
strncpy(keyserver->host,uri,count);
381
keyserver->host[count]='\0';
383
/* Skip past the host */
201
opt.keyserver_port=strsep(&uri,"/");
203
/* Ports are digits only */
204
ch=opt.keyserver_port;
208
return GPG_ERR_BAD_URI;
213
388
/* It would seem to be reasonable to limit the range of the
214
389
ports to values between 1-65535, but RFC 1738 and 1808
215
390
imply there is no limit. Of course, the real world has
393
for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
397
/* Ports are digits only */
402
keyserver->port=xmalloc(count+1);
403
strncpy(keyserver->port,uri+1,count);
404
keyserver->port[count]='\0';
406
/* Skip past the colon and port number */
219
/* (any path part of the URI is discarded for now as no keyserver
410
/* Everything else is the path */
412
keyserver->path=xstrdup(uri);
414
keyserver->path=xstrdup("/");
416
if(keyserver->path[1])
417
keyserver->flags.direct_uri=1;
222
419
else if(uri[0]!='/')
224
421
/* No slash means opaque. Just record the opaque blob and get
226
opt.keyserver_opaque=uri;
423
keyserver->opaque=xstrdup(uri);
231
427
/* One slash means absolute path. We don't need to support that
233
return GPG_ERR_BAD_URI;
236
if(opt.keyserver_scheme[0]=='\0')
237
return GPG_ERR_BAD_URI;
435
free_keyserver_spec(keyserver);
440
struct keyserver_spec *
441
parse_preferred_keyserver(PKT_signature *sig)
443
struct keyserver_spec *spec=NULL;
447
p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
450
byte *dupe=xmalloc(plen+1);
454
spec=parse_keyserver_uri(dupe,1,NULL,0);
649
895
numlines+=keyrec->lines;
650
896
iobuf_close(keyrec->uidbuf);
905
/* Leave this commented out or now, and perhaps for a very long
906
time. All HKPish servers return HTML error messages for
910
log_info(_("keyserver does not support searching\n"));
665
log_info(_("key \"%s\" not found on keyserver\n"),searchstr);
916
log_info(_("key \"%s\" not found on keyserver\n"),localstr);
667
918
log_info(_("key not found on keyserver\n"));
926
/* We sometimes want to use a different gpgkeys_xxx for a given
927
protocol (for example, ldaps is handled by gpgkeys_ldap). Map
930
keyserver_typemap(const char *type)
932
if(strcmp(type,"ldaps")==0)
938
/* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are
939
sufficiently different that we can't use curl to do LDAP. */
941
direct_uri_map(const char *scheme,unsigned int is_direct)
943
if(is_direct && strcmp(scheme,"ldap")==0)
949
#if GNUPG_MAJOR_VERSION == 2
950
#define GPGKEYS_PREFIX "gpg2keys_"
952
#define GPGKEYS_PREFIX "gpgkeys_"
954
#define GPGKEYS_CURL GPGKEYS_PREFIX "curl" EXEEXT
955
#define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_CURL))
672
956
#define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
673
957
#define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
676
keyserver_spawn(int action,STRLIST list,
677
KEYDB_SEARCH_DESC *desc,int count,int *prog)
960
keyserver_spawn(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc,
961
int count,int *prog,unsigned char **fpr,size_t *fpr_len,
962
struct keyserver_spec *keyserver)
679
964
int ret=0,i,gotversion=0,outofband=0;
681
966
unsigned int maxlen,buflen;
682
char *command=NULL,*searchstr=NULL;
967
char *command,*end,*searchstr=NULL;
685
969
struct exec_info *spawn;
971
const char *libexecdir = gnupg_libexecdir ();
687
975
#ifdef EXEC_TEMPFILE_ONLY
688
opt.keyserver_options.use_temp_files=1;
976
opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
691
/* Push the libexecdir into path. If DISABLE_KEYSERVER_PATH is set,
692
use the 0 arg to replace the path. */
979
/* Build the filename for the helper to execute */
980
scheme=keyserver_typemap(keyserver->scheme);
693
982
#ifdef DISABLE_KEYSERVER_PATH
694
set_exec_path(GNUPG_LIBEXECDIR,0);
983
/* Destroy any path we might have. This is a little tricky,
984
portability-wise. It's not correct to delete the PATH
985
environment variable, as that may fall back to a system built-in
986
PATH. Similarly, it is not correct to set PATH to the null
987
string (PATH="") since this actually deletes the PATH environment
988
variable under MinGW. The safest thing to do here is to force
989
PATH to be GNUPG_LIBEXECDIR. All this is not that meaningful on
990
Unix-like systems (since we're going to give a full path to
991
gpgkeys_foo), but on W32 it prevents loading any DLLs from
992
directories in %PATH%.
994
After some more thinking about this we came to the conclusion
995
that it is better to load the helpers from the directory where
996
the program of this process lives. Fortunately Windows provides
997
a way to retrieve this and our gnupg_libexecdir function has been
998
modified to return just this. Setting the exec-path is not
1000
set_exec_path(libexecdir);
696
set_exec_path(GNUPG_LIBEXECDIR,opt.exec_path_set);
1003
if(opt.exec_path_set)
1005
/* If exec-path was set, and DISABLE_KEYSERVER_PATH is
1006
undefined, then don't specify a full path to gpgkeys_foo, so
1007
that the PATH can work. */
1008
command=xmalloc(GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
699
/* Build the filename for the helper to execute */
700
command=xmalloc (strlen("gpgkeys_")+strlen(opt.keyserver_scheme)+1);
701
strcpy(command,"gpgkeys_");
702
strcat(command,opt.keyserver_scheme);
704
if(opt.keyserver_options.use_temp_files)
706
if(opt.keyserver_options.keep_temp_files)
1014
/* Specify a full path to gpgkeys_foo. */
1015
command=xmalloc(strlen(libexecdir)+strlen(DIRSEP_S)+
1016
GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
1017
strcpy(command,libexecdir);
1018
strcat(command,DIRSEP_S);
1021
end=command+strlen(command);
1023
/* Build a path for the keyserver helper. If it is direct_uri
1024
(i.e. an object fetch and not a keyserver), then add "_uri" to
1025
the end to distinguish the keyserver helper from an object
1026
fetcher that can speak that protocol (this is a problem for
1029
strcat(command,GPGKEYS_PREFIX);
1030
strcat(command,scheme);
1032
/* This "_uri" thing is in case we need to call a direct handler
1033
instead of the keyserver handler. This lets us use gpgkeys_curl
1034
or gpgkeys_ldap_uri (we don't provide it, but a user might)
1035
instead of gpgkeys_ldap to fetch things like
1036
ldap://keyserver.pgp.com/o=PGP%20keys?pgpkey?sub?pgpkeyid=99242560 */
1038
if(direct_uri_map(scheme,keyserver->flags.direct_uri))
1039
strcat(command,"_uri");
1041
strcat(command,EXEEXT);
1043
/* Can we execute it? If not, try curl as our catchall. */
1044
if(path_access(command,X_OK)!=0)
1045
strcpy(end,GPGKEYS_CURL);
1047
if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
1049
if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
708
1051
command=xrealloc(command,strlen(command)+
709
1052
strlen(KEYSERVER_ARGS_KEEP)+1);
722
1065
ret=exec_write(&spawn,command,NULL,NULL,0,0);
727
fprintf(spawn->tochild,"# This is a gpg keyserver communications file\n");
1072
fprintf(spawn->tochild,
1073
"# This is a GnuPG %s keyserver communications file\n",VERSION);
728
1074
fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
729
1075
fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
1076
fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
731
if(opt.keyserver_opaque)
732
fprintf(spawn->tochild,"OPAQUE %s\n",opt.keyserver_opaque);
1078
if(keyserver->opaque)
1079
fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
735
if(opt.keyserver_host)
736
fprintf(spawn->tochild,"HOST %s\n",opt.keyserver_host);
738
if(opt.keyserver_port)
739
fprintf(spawn->tochild,"PORT %s\n",opt.keyserver_port);
1083
fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
1086
fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
1089
fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
1092
fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
744
for(i=0,kopts=keyserver_opts;kopts[i].name;i++)
745
if(*(kopts[i].flag) && kopts[i].tell)
746
fprintf(spawn->tochild,"OPTION %s\n",kopts[i].name);
748
for(i=0;i<opt.keyserver_options.verbose;i++)
749
fprintf(spawn->tochild,"OPTION verbose\n");
751
temp=opt.keyserver_options.other;
753
for(;temp;temp=temp->next)
1095
/* Write global options */
1097
for(temp=opt.keyserver_options.other;temp;temp=temp->next)
1098
fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1100
/* Write per-keyserver options */
1102
for(temp=keyserver->options;temp;temp=temp->next)
754
1103
fprintf(spawn->tochild,"OPTION %s\n",temp->d);
760
1109
fprintf(spawn->tochild,"COMMAND GET\n\n");
1330
1840
/* Note this is different than the original HKP refresh. It allows
1331
1841
usernames to refresh only part of the keyring. */
1334
keyserver_refresh(STRLIST users)
1844
keyserver_refresh(strlist_t users)
1336
int rc,count,fakev3=0;
1846
int rc,count,numdesc,fakev3=0;
1337
1847
KEYDB_SEARCH_DESC *desc;
1339
/* We switch merge_only on during a refresh, as 'refresh' should
1340
never import new keys, even if their keyids match. Is it worth
1341
preserving the old merge_only value here? */
1848
unsigned int options=opt.keyserver_options.import_options;
1850
/* We switch merge-only on during a refresh, as 'refresh' should
1851
never import new keys, even if their keyids match. */
1852
opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1854
/* Similarly, we switch on fast-import, since refresh may make
1855
multiple import sets (due to preferred keyserver URLs). We don't
1856
want each set to rebuild the trustdb. Instead we do it once at
1858
opt.keyserver_options.import_options|=IMPORT_FAST;
1344
1860
/* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1345
1861
scheme, then enable fake v3 keyid generation. */
1346
if(opt.keyserver_options.fake_v3_keyids && opt.keyserver_scheme &&
1347
(ascii_strcasecmp(opt.keyserver_scheme,"hkp")==0 ||
1348
ascii_strcasecmp(opt.keyserver_scheme,"mailto")==0))
1862
if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1863
&& (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1864
ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1351
rc=keyidlist(users,&desc,&count,fakev3);
1867
rc=keyidlist(users,&desc,&numdesc,fakev3);
1357
if(opt.keyserver_uri)
1876
/* Try to handle preferred keyserver keys first */
1877
for(i=0;i<numdesc;i++)
1879
if(desc[i].skipfncvalue)
1881
struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1883
/* We use the keyserver structure we parsed out before.
1884
Note that a preferred keyserver without a scheme://
1885
will be interpreted as hkp:// */
1887
rc=keyserver_work(KS_GET,NULL,&desc[i],1,NULL,NULL,keyserver);
1889
log_info(_("WARNING: unable to refresh key %s"
1890
" via %s: %s\n"),keystr_from_desc(&desc[i]),
1891
keyserver->uri,g10_errstr(rc));
1894
/* We got it, so mark it as NONE so we don't try and
1895
get it again from the regular keyserver. */
1897
desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1901
free_keyserver_spec(keyserver);
1360
log_info(_("refreshing 1 key from %s\n"),opt.keyserver_uri);
1911
log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1362
1913
log_info(_("refreshing %d keys from %s\n"),
1363
count,opt.keyserver_uri);
1914
count,opt.keyserver->uri);
1366
rc=keyserver_work(GET,NULL,desc,count);
1917
rc=keyserver_work(KS_GET,NULL,desc,numdesc,NULL,NULL,opt.keyserver);
1922
opt.keyserver_options.import_options=options;
1924
/* If the original options didn't have fast import, and the trustdb
1925
is dirty, rebuild. */
1926
if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1927
trustdb_check_or_update();
1375
keyserver_search(STRLIST tokens)
1933
keyserver_search(strlist_t tokens)
1378
return keyserver_work(SEARCH,tokens,NULL,0);
1936
return keyserver_work(KS_SEARCH,tokens,NULL,0,NULL,NULL,opt.keyserver);
1942
keyserver_fetch(strlist_t urilist)
1944
KEYDB_SEARCH_DESC desc;
1946
unsigned int options=opt.keyserver_options.import_options;
1948
/* Switch on fast-import, since fetch can handle more than one
1949
import and we don't want each set to rebuild the trustdb.
1950
Instead we do it once at the end. */
1951
opt.keyserver_options.import_options|=IMPORT_FAST;
1953
/* A dummy desc since we're not actually fetching a particular key
1955
memset(&desc,0,sizeof(desc));
1956
desc.mode=KEYDB_SEARCH_MODE_EXACT;
1958
for(sl=urilist;sl;sl=sl->next)
1960
struct keyserver_spec *spec;
1962
spec=parse_keyserver_uri(sl->d,1,NULL,0);
1967
rc=keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,spec);
1969
log_info (_("WARNING: unable to fetch URI %s: %s\n"),
1970
sl->d,g10_errstr(rc));
1972
free_keyserver_spec(spec);
1975
log_info (_("WARNING: unable to parse URI %s\n"),sl->d);
1978
opt.keyserver_options.import_options=options;
1980
/* If the original options didn't have fast import, and the trustdb
1981
is dirty, rebuild. */
1982
if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1983
trustdb_check_or_update();
1988
/* Import key in a CERT or pointed to by a CERT */
1990
keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
1992
char *domain,*look,*url;
1994
int type,rc=G10ERR_GENERAL;
1998
domain=strrchr(look,'@');
2002
type=get_dns_cert(look,max_cert_size,&key,fpr,fpr_len,&url);
2005
int armor_status=opt.no_armor;
2007
/* CERTs are always in binary format */
2010
rc=import_keys_stream(key,NULL,fpr,fpr_len,
2011
opt.keyserver_options.import_options);
2013
opt.no_armor=armor_status;
2017
else if(type==2 && *fpr)
2019
/* We only consider the IPGP type if a fingerprint was provided.
2020
This lets us select the right key regardless of what a URL
2021
points to, or get the key from a keyserver. */
2024
struct keyserver_spec *spec;
2026
spec=parse_keyserver_uri(url,1,NULL,0);
2029
strlist_t list=NULL;
2031
add_to_strlist(&list,url);
2033
rc=keyserver_fetch(list);
2036
free_keyserver_spec(spec);
2039
else if(opt.keyserver)
2041
/* If only a fingerprint is provided, try and fetch it from
2044
rc=keyserver_import_fprint(*fpr,*fpr_len,opt.keyserver);
2047
log_info(_("no keyserver known (use option --keyserver)\n"));
2049
/* Give a better string here? "CERT fingerprint for \"%s\"
2050
found, but no keyserver" " known (use option
2051
--keyserver)\n" ? */
2061
/* Import key pointed to by a PKA record. Return the requested
2062
fingerprint in fpr. */
2064
keyserver_import_pka(const char *name,unsigned char **fpr,size_t *fpr_len)
2072
uri = get_pka_info (name, *fpr);
2075
struct keyserver_spec *spec;
2076
spec = parse_keyserver_uri (uri, 1, NULL, 0);
2079
rc=keyserver_import_fprint (*fpr, 20, spec);
2080
free_keyserver_spec (spec);
2091
/* Import all keys that match name */
2093
keyserver_import_name(const char *name,unsigned char **fpr,size_t *fpr_len,
2094
struct keyserver_spec *keyserver)
2096
strlist_t list=NULL;
2099
append_to_strlist(&list,name);
2101
rc=keyserver_work(KS_GETNAME,list,NULL,0,fpr,fpr_len,keyserver);
2108
/* Use the PGP Universal trick of asking ldap://keys.(maildomain) for
2111
keyserver_import_ldap(const char *name,unsigned char **fpr,size_t *fpr_len)
2114
struct keyserver_spec *keyserver;
2115
strlist_t list=NULL;
2118
append_to_strlist(&list,name);
2120
/* Parse out the domain */
2121
domain=strrchr(name,'@');
2123
return G10ERR_GENERAL;
2127
keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
2129
keyserver->scheme=xstrdup("ldap");
2130
keyserver->host=xmalloc(5+strlen(domain)+1);
2131
strcpy(keyserver->host,"keys.");
2132
strcat(keyserver->host,domain);
2133
keyserver->uri=xmalloc(strlen(keyserver->scheme)+
2134
3+strlen(keyserver->host)+1);
2135
strcpy(keyserver->uri,keyserver->scheme);
2136
strcat(keyserver->uri,"://");
2137
strcat(keyserver->uri,keyserver->host);
2139
rc=keyserver_work(KS_GETNAME,list,NULL,0,fpr,fpr_len,keyserver);
2143
free_keyserver_spec(keyserver);