2
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
3
* 2008, 2012 Free Software Foundation, Inc.
5
* This file is part of GnuPG.
7
* GnuPG is free software; you can redistribute it and/or modify
8
* it under the terms of the GNU General Public License as published by
9
* the Free Software Foundation; either version 3 of the License, or
10
* (at your option) any later version.
12
* GnuPG is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU General Public License for more details.
17
* You should have received a copy of the GNU General Public License
18
* along with this program; if not, see <http://www.gnu.org/licenses/>.
28
#include <sys/types.h>
30
#endif /* !DISABLE_REGEX */
46
* A structure to store key identification as well as some stuff needed
50
struct key_item *next;
51
unsigned int ownertrust,min_ownertrust;
59
typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
62
* Structure to keep track of keys, this is used as an array wherre
63
* the item right after the last one has a keyblock set to NULL.
64
* Maybe we can drop this thing and replace it by key_item
71
/* control information for the trust DB */
76
int no_trustdb; /* Set if a trustdb file is not available. */
80
static struct key_item *user_utk_list; /* temp. used to store --trusted-keys */
81
static struct key_item *utk_list; /* all ultimately trusted keys */
83
static int pending_check_trustdb;
85
static int validate_keys (int interactive);
88
/**********************************************
89
************* some helpers *******************
90
**********************************************/
92
static struct key_item *
97
k = xmalloc_clear (sizeof *k);
102
release_key_items (struct key_item *k)
109
xfree (k->trust_regexp);
115
* For fast keylook up we need a hash table. Each byte of a KeyIDs
116
* should be distributed equally over the 256 possible values (except
117
* for v3 keyIDs but we consider them as not important here). So we
118
* can just use 10 bits to index a table of 1024 key items.
119
* Possible optimization: Don not use key_items but other hash_table when the
120
* duplicates lists gets too large.
123
new_key_hash_table (void)
125
struct key_item **tbl;
127
tbl = xmalloc_clear (1024 * sizeof *tbl);
132
release_key_hash_table (KeyHashTable tbl)
138
for (i=0; i < 1024; i++)
139
release_key_items (tbl[i]);
144
* Returns: True if the keyID is in the given hash table
147
test_key_hash_table (KeyHashTable tbl, u32 *kid)
151
for (k = tbl[(kid[1] & 0x03ff)]; k; k = k->next)
152
if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
158
* Add a new key to the hash table. The key is identified by its key ID.
161
add_key_hash_table (KeyHashTable tbl, u32 *kid)
163
struct key_item *k, *kk;
165
for (k = tbl[(kid[1] & 0x03ff)]; k; k = k->next)
166
if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
167
return; /* already in table */
169
kk = new_key_item ();
172
kk->next = tbl[(kid[1] & 0x03ff)];
173
tbl[(kid[1] & 0x03ff)] = kk;
177
* Release a key_array
180
release_key_array ( struct key_array *keys )
185
for (k=keys; k->keyblock; k++)
186
release_kbnode (k->keyblock);
192
/*********************************************
193
********** Initialization *****************
194
*********************************************/
199
* Used to register extra ultimately trusted keys - this has to be done
200
* before initializing the validation module.
201
* FIXME: Should be replaced by a function to add those keys to the trustdb.
204
register_trusted_keyid(u32 *keyid)
209
k->kid[0] = keyid[0];
210
k->kid[1] = keyid[1];
211
k->next = user_utk_list;
216
register_trusted_key( const char *string )
218
KEYDB_SEARCH_DESC desc;
220
if (classify_user_id (string, &desc) != KEYDB_SEARCH_MODE_LONG_KID )
222
log_error(_("`%s' is not a valid long keyID\n"), string );
226
register_trusted_keyid(desc.u.kid);
230
* Helper to add a key to the global list of ultimately trusted keys.
231
* Retruns: true = inserted, false = already in in list.
238
for (k = utk_list; k; k = k->next)
240
if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
249
k->ownertrust = TRUST_ULTIMATE;
252
if( opt.verbose > 1 )
253
log_info(_("key %s: accepted as trusted key\n"), keystr(kid));
259
* Verify that all our secret keys are usable and put them into the utk_list.
262
verify_own_keys(void)
272
/* scan the trustdb to find all ultimately trusted keys */
273
for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
275
if ( rec.rectype == RECTYPE_TRUST
276
&& (rec.r.trust.ownertrust & TRUST_MASK) == TRUST_ULTIMATE)
278
byte *fpr = rec.r.trust.fingerprint;
282
/* Problem: We do only use fingerprints in the trustdb but
283
* we need the keyID here to indetify the key; we can only
284
* use that ugly hack to distinguish between 16 and 20
285
* butes fpr - it does not work always so we better change
286
* the whole validation code to only work with
288
fprlen = (!fpr[16] && !fpr[17] && !fpr[18] && !fpr[19])? 16:20;
289
keyid_from_fingerprint (fpr, fprlen, kid);
291
log_info(_("key %s occurs more than once in the trustdb\n"),
296
/* Put any --trusted-key keys into the trustdb */
297
for (k = user_utk_list; k; k = k->next)
299
if ( add_utk (k->kid) )
300
{ /* not yet in trustDB as ultimately trusted */
303
memset (&pk, 0, sizeof pk);
304
rc = get_pubkey (&pk, k->kid);
306
log_info(_("key %s: no public key for trusted key - skipped\n"),
310
update_ownertrust (&pk,
311
((get_ownertrust (&pk) & ~TRUST_MASK)
313
release_public_key_parts (&pk);
316
log_info (_("key %s marked as ultimately trusted\n"),keystr(k->kid));
320
/* release the helper table table */
321
release_key_items (user_utk_list);
322
user_utk_list = NULL;
327
/*********************************************
328
*********** TrustDB stuff *******************
329
*********************************************/
332
* Read a record but die if it does not exist
335
read_record (ulong recno, TRUSTREC *rec, int rectype )
337
int rc = tdbio_read_record (recno, rec, rectype);
340
log_error(_("trust record %lu, req type %d: read failed: %s\n"),
341
recno, rec->rectype, g10_errstr(rc) );
344
if (rectype != rec->rectype)
346
log_error(_("trust record %lu is not of requested type %d\n"),
347
rec->recnum, rectype);
353
* Write a record and die on error
356
write_record (TRUSTREC *rec)
358
int rc = tdbio_write_record (rec);
361
log_error(_("trust record %lu, type %d: write failed: %s\n"),
362
rec->recnum, rec->rectype, g10_errstr(rc) );
368
* sync the TrustDb and die on error
373
int rc = tdbio_sync ();
376
log_error (_("trustdb: sync failed: %s\n"), g10_errstr(rc) );
382
trust_model_string(void)
384
switch(opt.trust_model)
386
case TM_CLASSIC: return "classic";
387
case TM_PGP: return "PGP";
388
case TM_EXTERNAL: return "external";
389
case TM_ALWAYS: return "always";
390
case TM_DIRECT: return "direct";
391
default: return "unknown";
396
* Perform some checks over the trustdb
397
* level 0: only open the db
398
* 1: used for initial program startup
401
setup_trustdb( int level, const char *dbname )
403
/* just store the args */
404
if( trustdb_args.init )
406
trustdb_args.level = level;
407
trustdb_args.dbname = dbname? xstrdup(dbname): NULL;
412
how_to_fix_the_trustdb ()
414
const char *name = trustdb_args.dbname;
417
name = "trustdb.gpg";
419
log_info (_("You may try to re-create the trustdb using the commands:\n"));
420
log_info (" cd %s\n", default_homedir ());
421
log_info (" gpg2 --export-ownertrust > otrust.tmp\n");
422
#ifdef HAVE_W32_SYSTEM
423
log_info (" del %s\n", name);
425
log_info (" rm %s\n", name);
427
log_info (" gpg2 --import-ownertrust < otrust.tmp\n");
428
log_info (_("If that does not work, please consult the manual\n"));
435
int level = trustdb_args.level;
436
const char* dbname = trustdb_args.dbname;
438
if( trustdb_args.init )
441
trustdb_args.init = 1;
443
if(level==0 || level==1)
445
int rc = tdbio_set_dbname (dbname, !!level, &trustdb_args.no_trustdb);
447
log_fatal("can't init trustdb: %s\n", g10_errstr(rc) );
452
if(opt.trust_model==TM_AUTO)
454
/* Try and set the trust model off of whatever the trustdb says
456
opt.trust_model=tdbio_read_model();
458
/* Sanity check this ;) */
459
if(opt.trust_model!=TM_CLASSIC
460
&& opt.trust_model!=TM_PGP
461
&& opt.trust_model!=TM_EXTERNAL)
463
log_info(_("unable to use unknown trust model (%d) - "
464
"assuming %s trust model\n"),opt.trust_model,"PGP");
465
opt.trust_model=TM_PGP;
469
log_info(_("using %s trust model\n"),trust_model_string());
472
if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
474
/* Verify the list of ultimately trusted keys and move the
475
--trusted-keys list there as well. */
479
if(!tdbio_db_matches_options())
480
pending_check_trustdb=1;
485
/***********************************************
486
************* Print helpers ****************
487
***********************************************/
490
* This function returns a letter for a trustvalue Trust flags
494
trust_letter (unsigned int value)
496
switch( (value & TRUST_MASK) )
498
case TRUST_UNKNOWN: return '-';
499
case TRUST_EXPIRED: return 'e';
500
case TRUST_UNDEFINED: return 'q';
501
case TRUST_NEVER: return 'n';
502
case TRUST_MARGINAL: return 'm';
503
case TRUST_FULLY: return 'f';
504
case TRUST_ULTIMATE: return 'u';
510
uid_trust_string_fixed(PKT_public_key *key,PKT_user_id *uid)
513
/* TRANSLATORS: these strings are similar to those in
514
trust_value_to_string(), but are a fixed length. This is needed to
515
make attractive information listings where columns line up
516
properly. The value "10" should be the length of the strings you
517
choose to translate to. This is the length in printable columns.
518
It gets passed to atoi() so everything after the number is
519
essentially a comment and need not be translated. Either key and
520
uid are both NULL, or neither are NULL. */
521
return _("10 translator see trustdb.c:uid_trust_string_fixed");
522
else if(uid->is_revoked || (key && key->is_revoked))
523
return _("[ revoked]");
524
else if(uid->is_expired)
525
return _("[ expired]");
527
switch(get_validity(key,uid)&TRUST_MASK)
529
case TRUST_UNKNOWN: return _("[ unknown]");
530
case TRUST_EXPIRED: return _("[ expired]");
531
case TRUST_UNDEFINED: return _("[ undef ]");
532
case TRUST_MARGINAL: return _("[marginal]");
533
case TRUST_FULLY: return _("[ full ]");
534
case TRUST_ULTIMATE: return _("[ultimate]");
540
/* The strings here are similar to those in
541
pkclist.c:do_edit_ownertrust() */
543
trust_value_to_string (unsigned int value)
545
switch( (value & TRUST_MASK) )
547
case TRUST_UNKNOWN: return _("unknown");
548
case TRUST_EXPIRED: return _("expired");
549
case TRUST_UNDEFINED: return _("undefined");
550
case TRUST_NEVER: return _("never");
551
case TRUST_MARGINAL: return _("marginal");
552
case TRUST_FULLY: return _("full");
553
case TRUST_ULTIMATE: return _("ultimate");
554
default: return "err";
559
string_to_trust_value (const char *str)
561
if(ascii_strcasecmp(str,"undefined")==0)
562
return TRUST_UNDEFINED;
563
else if(ascii_strcasecmp(str,"never")==0)
565
else if(ascii_strcasecmp(str,"marginal")==0)
566
return TRUST_MARGINAL;
567
else if(ascii_strcasecmp(str,"full")==0)
569
else if(ascii_strcasecmp(str,"ultimate")==0)
570
return TRUST_ULTIMATE;
576
* Recreate the WoT but do not ask for new ownertrusts. Special
577
* feature: In batch mode and without a forced yes, this is only done
578
* when a check is due. This can be used to run the check from a crontab
584
if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
586
if (opt.batch && !opt.answer_yes)
590
scheduled = tdbio_read_nextcheck ();
593
log_info (_("no need for a trustdb check\n"));
597
if (scheduled > make_timestamp ())
599
log_info (_("next trustdb check due at %s\n"),
600
strtimestamp (scheduled));
608
log_info (_("no need for a trustdb check with `%s' trust model\n"),
609
trust_model_string());
620
if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
623
log_info (_("no need for a trustdb update with `%s' trust model\n"),
624
trust_model_string());
628
revalidation_mark (void)
631
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
634
/* we simply set the time for the next check to 1 (far back in 1970)
635
* so that a --update-trustdb will be scheduled */
636
if (tdbio_write_nextcheck (1))
638
pending_check_trustdb = 1;
642
trustdb_pending_check(void)
644
return pending_check_trustdb;
647
/* If the trustdb is dirty, and we're interactive, update it.
648
Otherwise, check it unless no-auto-check-trustdb is set. */
650
trustdb_check_or_update(void)
652
if(trustdb_pending_check())
656
else if(!opt.no_auto_check_trustdb)
662
read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck,
663
byte *marginals,byte *completes,byte *cert_depth,
664
byte *min_cert_level)
669
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
670
memset (&opts, 0, sizeof opts);
672
read_record(0,&opts,RECTYPE_VER);
675
*trust_model=opts.r.ver.trust_model;
677
*created=opts.r.ver.created;
679
*nextcheck=opts.r.ver.nextcheck;
681
*marginals=opts.r.ver.marginals;
683
*completes=opts.r.ver.completes;
685
*cert_depth=opts.r.ver.cert_depth;
687
*min_cert_level=opts.r.ver.min_cert_level;
690
/***********************************************
691
*********** Ownertrust et al. ****************
692
***********************************************/
695
read_trust_record (PKT_public_key *pk, TRUSTREC *rec)
700
rc = tdbio_search_trust_bypk (pk, rec);
702
return -1; /* no record yet */
705
log_error ("trustdb: searching trust record failed: %s\n",
710
if (rec->rectype != RECTYPE_TRUST)
712
log_error ("trustdb: record %lu is not a trust record\n",
714
return G10ERR_TRUSTDB;
721
* Return the assigned ownertrust value for the given public key.
722
* The key should be the primary key.
725
get_ownertrust ( PKT_public_key *pk)
730
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
731
return TRUST_UNKNOWN;
733
rc = read_trust_record (pk, &rec);
735
return TRUST_UNKNOWN; /* no record yet */
739
return rc; /* actually never reached */
742
return rec.r.trust.ownertrust;
746
get_min_ownertrust (PKT_public_key *pk)
751
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
752
return TRUST_UNKNOWN;
754
rc = read_trust_record (pk, &rec);
756
return TRUST_UNKNOWN; /* no record yet */
760
return rc; /* actually never reached */
763
return rec.r.trust.min_ownertrust;
767
* Same as get_ownertrust but this takes the minimum ownertrust value
768
* into into account, and will bump up the value as needed.
771
get_ownertrust_with_min (PKT_public_key *pk)
773
unsigned int otrust,otrust_min;
775
otrust = (get_ownertrust (pk) & TRUST_MASK);
776
otrust_min = get_min_ownertrust (pk);
777
if(otrust<otrust_min)
779
/* If the trust that the user has set is less than the trust
780
that was calculated from a trust signature chain, use the
781
higher of the two. We do this here and not in
782
get_ownertrust since the underlying ownertrust should not
783
really be set - just the appearance of the ownertrust. */
792
* Same as get_ownertrust but return a trust letter instead of an
793
* value. This takes the minimum ownertrust value into account.
796
get_ownertrust_info (PKT_public_key *pk)
798
return trust_letter(get_ownertrust_with_min(pk));
802
* Same as get_ownertrust but return a trust string instead of an
803
* value. This takes the minimum ownertrust value into account.
806
get_ownertrust_string (PKT_public_key *pk)
808
return trust_value_to_string(get_ownertrust_with_min(pk));
812
* Set the trust value of the given public key to the new value.
813
* The key should be a primary one.
816
update_ownertrust (PKT_public_key *pk, unsigned int new_trust )
821
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
824
rc = read_trust_record (pk, &rec);
828
log_debug ("update ownertrust from %u to %u\n",
829
(unsigned int)rec.r.trust.ownertrust, new_trust );
830
if (rec.r.trust.ownertrust != new_trust)
832
rec.r.trust.ownertrust = new_trust;
833
write_record( &rec );
834
revalidation_mark ();
839
{ /* no record yet - create a new one */
843
log_debug ("insert ownertrust %u\n", new_trust );
845
memset (&rec, 0, sizeof rec);
846
rec.recnum = tdbio_new_recnum ();
847
rec.rectype = RECTYPE_TRUST;
848
fingerprint_from_pk (pk, rec.r.trust.fingerprint, &dummy);
849
rec.r.trust.ownertrust = new_trust;
851
revalidation_mark ();
862
update_min_ownertrust (u32 *kid, unsigned int new_trust )
868
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
871
pk = xmalloc_clear (sizeof *pk);
872
rc = get_pubkey (pk, kid);
875
log_error(_("public key %s not found: %s\n"),keystr(kid),g10_errstr(rc));
879
rc = read_trust_record (pk, &rec);
883
log_debug ("key %08lX%08lX: update min_ownertrust from %u to %u\n",
884
(ulong)kid[0],(ulong)kid[1],
885
(unsigned int)rec.r.trust.min_ownertrust,
887
if (rec.r.trust.min_ownertrust != new_trust)
889
rec.r.trust.min_ownertrust = new_trust;
890
write_record( &rec );
891
revalidation_mark ();
896
{ /* no record yet - create a new one */
900
log_debug ("insert min_ownertrust %u\n", new_trust );
902
memset (&rec, 0, sizeof rec);
903
rec.recnum = tdbio_new_recnum ();
904
rec.rectype = RECTYPE_TRUST;
905
fingerprint_from_pk (pk, rec.r.trust.fingerprint, &dummy);
906
rec.r.trust.min_ownertrust = new_trust;
908
revalidation_mark ();
918
/* Clear the ownertrust and min_ownertrust values. Return true if a
919
change actually happened. */
921
clear_ownertrusts (PKT_public_key *pk)
926
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
929
rc = read_trust_record (pk, &rec);
934
log_debug ("clearing ownertrust (old value %u)\n",
935
(unsigned int)rec.r.trust.ownertrust);
936
log_debug ("clearing min_ownertrust (old value %u)\n",
937
(unsigned int)rec.r.trust.min_ownertrust);
939
if (rec.r.trust.ownertrust || rec.r.trust.min_ownertrust)
941
rec.r.trust.ownertrust = 0;
942
rec.r.trust.min_ownertrust = 0;
943
write_record( &rec );
944
revalidation_mark ();
957
* Note: Caller has to do a sync
960
update_validity (PKT_public_key *pk, PKT_user_id *uid,
961
int depth, int validity)
967
namehash_from_uid(uid);
969
rc = read_trust_record (pk, &trec);
975
if (rc == -1) /* no record yet - create a new one */
980
memset (&trec, 0, sizeof trec);
981
trec.recnum = tdbio_new_recnum ();
982
trec.rectype = RECTYPE_TRUST;
983
fingerprint_from_pk (pk, trec.r.trust.fingerprint, &dummy);
984
trec.r.trust.ownertrust = 0;
987
/* locate an existing one */
988
recno = trec.r.trust.validlist;
991
read_record (recno, &vrec, RECTYPE_VALID);
992
if ( !memcmp (vrec.r.valid.namehash, uid->namehash, 20) )
994
recno = vrec.r.valid.next;
997
if (!recno) /* insert a new validity record */
999
memset (&vrec, 0, sizeof vrec);
1000
vrec.recnum = tdbio_new_recnum ();
1001
vrec.rectype = RECTYPE_VALID;
1002
memcpy (vrec.r.valid.namehash, uid->namehash, 20);
1003
vrec.r.valid.next = trec.r.trust.validlist;
1004
trec.r.trust.validlist = vrec.recnum;
1006
vrec.r.valid.validity = validity;
1007
vrec.r.valid.full_count = uid->help_full_count;
1008
vrec.r.valid.marginal_count = uid->help_marginal_count;
1009
write_record (&vrec);
1010
trec.r.trust.depth = depth;
1011
write_record (&trec);
1015
/***********************************************
1016
********* Query trustdb values **************
1017
***********************************************/
1019
/* Return true if key is disabled */
1021
cache_disabled_value(PKT_public_key *pk)
1028
return (pk->is_disabled==2);
1031
if (trustdb_args.no_trustdb)
1032
return 0; /* No trustdb => not disabled. */
1034
rc = read_trust_record (pk, &trec);
1040
if (rc == -1) /* no record found, so assume not disabled */
1043
if(trec.r.trust.ownertrust & TRUST_FLAG_DISABLED)
1046
/* Cache it for later so we don't need to look at the trustdb every
1058
check_trustdb_stale(void)
1060
static int did_nextcheck=0;
1063
if (trustdb_args.no_trustdb)
1064
return; /* No trustdb => can't be stale. */
1067
&& (opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC))
1072
scheduled = tdbio_read_nextcheck ();
1073
if ((scheduled && scheduled <= make_timestamp ())
1074
|| pending_check_trustdb)
1076
if (opt.no_auto_check_trustdb)
1078
pending_check_trustdb = 1;
1079
log_info (_("please do a --check-trustdb\n"));
1083
log_info (_("checking the trustdb\n"));
1091
* Return the validity information for PK. If the namehash is not
1092
* NULL, the validity of the corresponsing user ID is returned,
1093
* otherwise, a reasonable value for the entire key is returned.
1096
get_validity (PKT_public_key *pk, PKT_user_id *uid)
1098
TRUSTREC trec, vrec;
1101
unsigned int validity;
1103
PKT_public_key *main_pk;
1106
namehash_from_uid(uid);
1110
/* If we have no trustdb (which also means it has not been created)
1111
and the trust-model is always, we don't know the validity -
1112
return immediately. If we won't do that the tdbio code would try
1113
to open the trustdb and run into a fatal error. */
1114
if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
1115
return TRUST_UNKNOWN;
1117
check_trustdb_stale();
1119
keyid_from_pk (pk, kid);
1120
if (pk->main_keyid[0] != kid[0] || pk->main_keyid[1] != kid[1])
1121
{ /* this is a subkey - get the mainkey */
1122
main_pk = xmalloc_clear (sizeof *main_pk);
1123
rc = get_pubkey (main_pk, pk->main_keyid);
1126
char *tempkeystr=xstrdup(keystr(pk->main_keyid));
1127
log_error ("error getting main key %s of subkey %s: %s\n",
1128
tempkeystr, keystr(kid), g10_errstr(rc));
1130
validity = TRUST_UNKNOWN;
1137
if(opt.trust_model==TM_DIRECT)
1139
/* Note that this happens BEFORE any user ID stuff is checked.
1140
The direct trust model applies to keys as a whole. */
1141
validity=get_ownertrust(main_pk);
1145
rc = read_trust_record (main_pk, &trec);
1151
if (rc == -1) /* no record found */
1153
validity = TRUST_UNKNOWN;
1157
/* loop over all user IDs */
1158
recno = trec.r.trust.validlist;
1162
read_record (recno, &vrec, RECTYPE_VALID);
1166
/* If a user ID is given we return the validity for that
1167
user ID ONLY. If the namehash is not found, then there
1168
is no validity at all (i.e. the user ID wasn't
1170
if(memcmp(vrec.r.valid.namehash,uid->namehash,20)==0)
1172
validity=(vrec.r.valid.validity & TRUST_MASK);
1178
/* If no namehash is given, we take the maximum validity
1179
over all user IDs */
1180
if ( validity < (vrec.r.valid.validity & TRUST_MASK) )
1181
validity = (vrec.r.valid.validity & TRUST_MASK);
1184
recno = vrec.r.valid.next;
1187
if ( (trec.r.trust.ownertrust & TRUST_FLAG_DISABLED) )
1189
validity |= TRUST_FLAG_DISABLED;
1196
/* set some flags direct from the key */
1197
if (main_pk->is_revoked)
1198
validity |= TRUST_FLAG_REVOKED;
1199
if (main_pk != pk && pk->is_revoked)
1200
validity |= TRUST_FLAG_SUB_REVOKED;
1201
/* Note: expiration is a trust value and not a flag - don't know why
1202
* I initially designed it that way */
1203
if (main_pk->has_expired || pk->has_expired)
1204
validity = (validity & ~TRUST_MASK) | TRUST_EXPIRED;
1206
if (pending_check_trustdb)
1207
validity |= TRUST_FLAG_PENDING_CHECK;
1210
free_public_key (main_pk);
1215
get_validity_info (PKT_public_key *pk, PKT_user_id *uid)
1220
return '?'; /* Just in case a NULL PK is passed. */
1222
trustlevel = get_validity (pk, uid);
1223
if ( (trustlevel & TRUST_FLAG_REVOKED) )
1225
return trust_letter (trustlevel);
1229
get_validity_string (PKT_public_key *pk, PKT_user_id *uid)
1234
return "err"; /* Just in case a NULL PK is passed. */
1236
trustlevel = get_validity (pk, uid);
1237
if( trustlevel & TRUST_FLAG_REVOKED )
1238
return _("revoked");
1239
return trust_value_to_string(trustlevel);
1243
get_validity_counts (PKT_public_key *pk, PKT_user_id *uid)
1245
TRUSTREC trec, vrec;
1248
if(pk==NULL || uid==NULL)
1251
namehash_from_uid(uid);
1253
uid->help_marginal_count=uid->help_full_count=0;
1257
if(read_trust_record (pk, &trec)!=0)
1260
/* loop over all user IDs */
1261
recno = trec.r.trust.validlist;
1264
read_record (recno, &vrec, RECTYPE_VALID);
1266
if(memcmp(vrec.r.valid.namehash,uid->namehash,20)==0)
1268
uid->help_marginal_count=vrec.r.valid.marginal_count;
1269
uid->help_full_count=vrec.r.valid.full_count;
1270
/* printf("Fetched marginal %d, full %d\n",uid->help_marginal_count,uid->help_full_count); */
1274
recno = vrec.r.valid.next;
1279
list_trust_path( const char *username )
1285
* Enumerate all keys, which are needed to build all trust paths for
1286
* the given key. This function does not return the key itself or
1287
* the ultimate key (the last point in cerificate chain). Only
1288
* certificate chains which ends up at an ultimately trusted key
1289
* are listed. If ownertrust or validity is not NULL, the corresponding
1290
* value for the returned LID is also returned in these variable(s).
1292
* 1) create a void pointer and initialize it to NULL
1293
* 2) pass this void pointer by reference to this function.
1294
* Set lid to the key you want to enumerate and pass it by reference.
1295
* 3) call this function as long as it does not return -1
1296
* to indicate EOF. LID does contain the next key used to build the web
1297
* 4) Always call this function a last time with LID set to NULL,
1298
* so that it can free its context.
1300
* Returns: -1 on EOF or the level of the returned LID
1303
enum_cert_paths( void **context, ulong *lid,
1304
unsigned *ownertrust, unsigned *validity )
1315
* Print the current path
1318
enum_cert_paths_print (void **context, FILE *fp,
1319
int refresh, ulong selected_lid)
1329
/****************************************
1330
*********** NEW NEW NEW ****************
1331
****************************************/
1334
ask_ownertrust (u32 *kid,int minimum)
1340
pk = xmalloc_clear (sizeof *pk);
1341
rc = get_pubkey (pk, kid);
1344
log_error (_("public key %s not found: %s\n"),
1345
keystr(kid), g10_errstr(rc) );
1346
return TRUST_UNKNOWN;
1349
if(opt.force_ownertrust)
1351
log_info("force trust for key %s to %s\n",
1352
keystr(kid),trust_value_to_string(opt.force_ownertrust));
1353
update_ownertrust(pk,opt.force_ownertrust);
1354
ot=opt.force_ownertrust;
1358
ot=edit_ownertrust(pk,0);
1360
ot = get_ownertrust (pk);
1362
ot = minimum?minimum:TRUST_UNDEFINED;
1367
free_public_key( pk );
1374
mark_keyblock_seen (KeyHashTable tbl, KBNODE node)
1376
for ( ;node; node = node->next )
1377
if (node->pkt->pkttype == PKT_PUBLIC_KEY
1378
|| node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1382
keyid_from_pk (node->pkt->pkt.public_key, aki);
1383
add_key_hash_table (tbl, aki);
1389
dump_key_array (int depth, struct key_array *keys)
1391
struct key_array *kar;
1393
for (kar=keys; kar->keyblock; kar++)
1395
KBNODE node = kar->keyblock;
1398
keyid_from_pk(node->pkt->pkt.public_key, kid);
1399
printf ("%d:%08lX%08lX:K::%c::::\n",
1400
depth, (ulong)kid[0], (ulong)kid[1], '?');
1402
for (; node; node = node->next)
1404
if (node->pkt->pkttype == PKT_USER_ID)
1406
int len = node->pkt->pkt.user_id->len;
1410
printf ("%d:%08lX%08lX:U:::%c:::",
1411
depth, (ulong)kid[0], (ulong)kid[1],
1412
(node->flag & 4)? 'f':
1413
(node->flag & 2)? 'm':
1414
(node->flag & 1)? 'q':'-');
1415
print_string (stdout, node->pkt->pkt.user_id->name, len, ':');
1425
store_validation_status (int depth, KBNODE keyblock, KeyHashTable stored)
1431
for (node=keyblock; node; node = node->next)
1433
if (node->pkt->pkttype == PKT_USER_ID)
1435
PKT_user_id *uid = node->pkt->pkt.user_id;
1437
status = TRUST_FULLY;
1438
else if (node->flag & 2)
1439
status = TRUST_MARGINAL;
1440
else if (node->flag & 1)
1441
status = TRUST_UNDEFINED;
1447
update_validity (keyblock->pkt->pkt.public_key,
1448
uid, depth, status);
1450
mark_keyblock_seen(stored,keyblock);
1462
* check whether the signature sig is in the klist k
1464
static struct key_item *
1465
is_in_klist (struct key_item *k, PKT_signature *sig)
1467
for (; k; k = k->next)
1469
if (k->kid[0] == sig->keyid[0] && k->kid[1] == sig->keyid[1])
1476
* Mark the signature of the given UID which are used to certify it.
1477
* To do this, we first revmove all signatures which are not valid and
1478
* from the remain ones we look for the latest one. If this is not a
1479
* certification revocation signature we mark the signature by setting
1480
* node flag bit 8. Revocations are marked with flag 11, and sigs
1481
* from unavailable keys are marked with flag 12. Note that flag bits
1482
* 9 and 10 are used for internal purposes.
1485
mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
1486
u32 *main_kid, struct key_item *klist,
1487
u32 curtime, u32 *next_expire)
1492
/* first check all signatures */
1493
for (node=uidnode->next; node; node = node->next)
1497
node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12);
1498
if (node->pkt->pkttype == PKT_USER_ID
1499
|| node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1501
if (node->pkt->pkttype != PKT_SIGNATURE)
1503
sig = node->pkt->pkt.signature;
1505
&& sig->keyid[0] == main_kid[0] && sig->keyid[1] == main_kid[1])
1506
continue; /* ignore self-signatures if we pass in a main_kid */
1507
if (!IS_UID_SIG(sig) && !IS_UID_REV(sig))
1508
continue; /* we only look at these signature classes */
1509
if(sig->sig_class>=0x11 && sig->sig_class<=0x13 &&
1510
sig->sig_class-0x10<opt.min_cert_level)
1511
continue; /* treat anything under our min_cert_level as an
1512
invalid signature */
1513
if (klist && !is_in_klist (klist, sig))
1514
continue; /* no need to check it then */
1515
if ((rc=check_key_signature (keyblock, node, NULL)))
1517
/* we ignore anything that won't verify, but tag the
1519
if(rc==G10ERR_NO_PUBKEY)
1520
node->flag |= 1<<12;
1525
/* reset the remaining flags */
1526
for (; node; node = node->next)
1527
node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12);
1529
/* kbnode flag usage: bit 9 is here set for signatures to consider,
1530
* bit 10 will be set by the loop to keep track of keyIDs already
1531
* processed, bit 8 will be set for the usable signatures, and bit
1532
* 11 will be set for usable revocations. */
1534
/* for each cert figure out the latest valid one */
1535
for (node=uidnode->next; node; node = node->next)
1541
if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1543
if ( !(node->flag & (1<<9)) )
1544
continue; /* not a node to look at */
1545
if ( (node->flag & (1<<10)) )
1546
continue; /* signature with a keyID already processed */
1547
node->flag |= (1<<10); /* mark this node as processed */
1548
sig = node->pkt->pkt.signature;
1550
sigdate = sig->timestamp;
1551
kid[0] = sig->keyid[0]; kid[1] = sig->keyid[1];
1553
/* Now find the latest and greatest signature */
1554
for (n=uidnode->next; n; n = n->next)
1556
if (n->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1558
if ( !(n->flag & (1<<9)) )
1560
if ( (n->flag & (1<<10)) )
1561
continue; /* shortcut already processed signatures */
1562
sig = n->pkt->pkt.signature;
1563
if (kid[0] != sig->keyid[0] || kid[1] != sig->keyid[1])
1565
n->flag |= (1<<10); /* mark this node as processed */
1567
/* If signode is nonrevocable and unexpired and n isn't,
1568
then take signode (skip). It doesn't matter which is
1569
older: if signode was older then we don't want to take n
1570
as signode is nonrevocable. If n was older then we're
1571
automatically fine. */
1573
if(((IS_UID_SIG(signode->pkt->pkt.signature) &&
1574
!signode->pkt->pkt.signature->flags.revocable &&
1575
(signode->pkt->pkt.signature->expiredate==0 ||
1576
signode->pkt->pkt.signature->expiredate>curtime))) &&
1577
(!(IS_UID_SIG(n->pkt->pkt.signature) &&
1578
!n->pkt->pkt.signature->flags.revocable &&
1579
(n->pkt->pkt.signature->expiredate==0 ||
1580
n->pkt->pkt.signature->expiredate>curtime))))
1583
/* If n is nonrevocable and unexpired and signode isn't,
1584
then take n. Again, it doesn't matter which is older: if
1585
n was older then we don't want to take signode as n is
1586
nonrevocable. If signode was older then we're
1587
automatically fine. */
1589
if((!(IS_UID_SIG(signode->pkt->pkt.signature) &&
1590
!signode->pkt->pkt.signature->flags.revocable &&
1591
(signode->pkt->pkt.signature->expiredate==0 ||
1592
signode->pkt->pkt.signature->expiredate>curtime))) &&
1593
((IS_UID_SIG(n->pkt->pkt.signature) &&
1594
!n->pkt->pkt.signature->flags.revocable &&
1595
(n->pkt->pkt.signature->expiredate==0 ||
1596
n->pkt->pkt.signature->expiredate>curtime))))
1599
sigdate = sig->timestamp;
1603
/* At this point, if it's newer, it goes in as the only
1604
remaining possibilities are signode and n are both either
1605
revocable or expired or both nonrevocable and unexpired.
1606
If the timestamps are equal take the later ordered
1607
packet, presuming that the key packets are hopefully in
1608
their original order. */
1610
if (sig->timestamp >= sigdate)
1613
sigdate = sig->timestamp;
1617
sig = signode->pkt->pkt.signature;
1618
if (IS_UID_SIG (sig))
1619
{ /* this seems to be a usable one which is not revoked.
1620
* Just need to check whether there is an expiration time,
1621
* We do the expired certification after finding a suitable
1622
* certification, the assumption is that a signator does not
1623
* want that after the expiration of his certificate the
1624
* system falls back to an older certification which has a
1625
* different expiration time */
1629
p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_EXPIRE, NULL );
1630
expire = p? sig->timestamp + buffer_to_u32(p) : 0;
1632
if (expire==0 || expire > curtime )
1634
signode->flag |= (1<<8); /* yeah, found a good cert */
1635
if (next_expire && expire && expire < *next_expire)
1636
*next_expire = expire;
1640
signode->flag |= (1<<11);
1645
clean_sigs_from_uid(KBNODE keyblock,KBNODE uidnode,int noisy,int self_only)
1651
assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1653
keyid_from_pk(keyblock->pkt->pkt.public_key,keyid);
1655
/* Passing in a 0 for current time here means that we'll never weed
1656
out an expired sig. This is correct behavior since we want to
1657
keep the most recent expired sig in a series. */
1658
mark_usable_uid_certs(keyblock,uidnode,NULL,NULL,0,NULL);
1660
/* What we want to do here is remove signatures that are not
1661
considered as part of the trust calculations. Thus, all invalid
1662
signatures are out, as are any signatures that aren't the last of
1663
a series of uid sigs or revocations It breaks down like this:
1664
coming out of mark_usable_uid_certs, if a sig is unflagged, it is
1665
not even a candidate. If a sig has flag 9 or 10, that means it
1666
was selected as a candidate and vetted. If a sig has flag 8 it
1667
is a usable signature. If a sig has flag 11 it is a usable
1668
revocation. If a sig has flag 12 it was issued by an unavailable
1669
key. "Usable" here means the most recent valid
1670
signature/revocation in a series from a particular signer.
1672
Delete everything that isn't a usable uid sig (which might be
1673
expired), a usable revocation, or a sig from an unavailable
1676
for(node=uidnode->next;
1677
node && node->pkt->pkttype==PKT_SIGNATURE;
1680
int keep=self_only?(node->pkt->pkt.signature->keyid[0]==keyid[0]
1681
&& node->pkt->pkt.signature->keyid[1]==keyid[1]):1;
1683
/* Keep usable uid sigs ... */
1684
if((node->flag & (1<<8)) && keep)
1687
/* ... and usable revocations... */
1688
if((node->flag & (1<<11)) && keep)
1691
/* ... and sigs from unavailable keys. */
1692
/* disabled for now since more people seem to want sigs from
1693
unavailable keys removed altogether. */
1695
if(node->flag & (1<<12))
1699
/* Everything else we delete */
1701
/* At this point, if 12 is set, the signing key was unavailable.
1702
If 9 or 10 is set, it's superseded. Otherwise, it's
1706
log_info("removing signature from key %s on user ID \"%s\": %s\n",
1707
keystr(node->pkt->pkt.signature->keyid),
1708
uidnode->pkt->pkt.user_id->name,
1709
node->flag&(1<<12)?"key unavailable":
1710
node->flag&(1<<9)?"signature superseded":"invalid signature");
1712
delete_kbnode(node);
1719
/* This is substantially easier than clean_sigs_from_uid since we just
1720
have to establish if the uid has a valid self-sig, is not revoked,
1721
and is not expired. Note that this does not take into account
1722
whether the uid has a trust path to it - just whether the keyholder
1723
themselves has certified the uid. Returns true if the uid was
1724
compacted. To "compact" a user ID, we simply remove ALL signatures
1725
except the self-sig that caused the user ID to be remove-worthy.
1726
We don't actually remove the user ID packet itself since it might
1727
be ressurected in a later merge. Note that this function requires
1728
that the caller has already done a merge_keys_and_selfsig().
1730
TODO: change the import code to allow importing a uid with only a
1731
revocation if the uid already exists on the keyring. */
1734
clean_uid_from_key(KBNODE keyblock,KBNODE uidnode,int noisy)
1737
PKT_user_id *uid=uidnode->pkt->pkt.user_id;
1740
assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1741
assert(uidnode->pkt->pkttype==PKT_USER_ID);
1743
/* Skip valid user IDs, compacted user IDs, and non-self-signed user
1744
IDs if --allow-non-selfsigned-uid is set. */
1745
if(uid->created || uid->flags.compacted
1746
|| (!uid->is_expired && !uid->is_revoked
1747
&& opt.allow_non_selfsigned_uid))
1750
for(node=uidnode->next;
1751
node && node->pkt->pkttype==PKT_SIGNATURE;
1753
if(!node->pkt->pkt.signature->flags.chosen_selfsig)
1755
delete_kbnode(node);
1757
uidnode->pkt->pkt.user_id->flags.compacted=1;
1763
char *user=utf8_to_native(uid->name,uid->len,0);
1766
reason=_("revoked");
1767
else if(uid->is_expired)
1768
reason=_("expired");
1770
reason=_("invalid");
1772
log_info("compacting user ID \"%s\" on key %s: %s\n",
1773
user,keystr_from_pk(keyblock->pkt->pkt.public_key),
1782
/* Needs to be called after a merge_keys_and_selfsig() */
1784
clean_one_uid(KBNODE keyblock,KBNODE uidnode,int noisy,int self_only,
1785
int *uids_cleaned,int *sigs_cleaned)
1789
assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1790
assert(uidnode->pkt->pkttype==PKT_USER_ID);
1793
uids_cleaned=&dummy;
1796
sigs_cleaned=&dummy;
1798
/* Do clean_uid_from_key first since if it fires off, we don't
1799
have to bother with the other */
1800
*uids_cleaned+=clean_uid_from_key(keyblock,uidnode,noisy);
1801
if(!uidnode->pkt->pkt.user_id->flags.compacted)
1802
*sigs_cleaned+=clean_sigs_from_uid(keyblock,uidnode,noisy,self_only);
1806
clean_key(KBNODE keyblock,int noisy,int self_only,
1807
int *uids_cleaned,int *sigs_cleaned)
1811
merge_keys_and_selfsig(keyblock);
1813
for(uidnode=keyblock->next;
1814
uidnode && uidnode->pkt->pkttype!=PKT_PUBLIC_SUBKEY;
1815
uidnode=uidnode->next)
1816
if(uidnode->pkt->pkttype==PKT_USER_ID)
1817
clean_one_uid(keyblock,uidnode,noisy,self_only,
1818
uids_cleaned,sigs_cleaned);
1821
/* Returns a sanitized copy of the regexp (which might be "", but not
1823
#ifndef DISABLE_REGEX
1825
sanitize_regexp(const char *old)
1827
size_t start=0,len=strlen(old),idx=0;
1828
int escaped=0,standard_bracket=0;
1829
char *new=xmalloc((len*2)+1); /* enough to \-escape everything if we
1832
/* There are basically two commonly-used regexps here. GPG and most
1833
versions of PGP use "<[^>]+[@.]example\.com>$" and PGP (9)
1834
command line uses "example.com" (i.e. whatever the user specfies,
1835
and we can't expect users know to use "\." instead of "."). So
1836
here are the rules: we're allowed to start with "<[^>]+[@.]" and
1837
end with ">$" or start and end with nothing. In between, the
1838
only legal regex character is ".", and everything else gets
1839
escaped. Part of the gotcha here is that some regex packages
1840
allow more than RFC-4880 requires. For example, 4880 has no "{}"
1841
operator, but GNU regex does. Commenting removes these operators
1842
from consideration. A possible future enhancement is to use
1843
commenting to effectively back off a given regex to the Henry
1844
Spencer syntax in 4880. -dshaw */
1846
/* Are we bracketed between "<[^>]+[@.]" and ">$" ? */
1847
if(len>=12 && strncmp(old,"<[^>]+[@.]",10)==0
1848
&& old[len-2]=='>' && old[len-1]=='$')
1850
strcpy(new,"<[^>]+[@.]");
1857
/* Walk the remaining characters and ensure that everything that is
1858
left is not an operational regex character. */
1859
for(;start<len;start++)
1861
if(!escaped && old[start]=='\\')
1863
else if(!escaped && old[start]!='.')
1868
new[idx++]=old[start];
1873
/* Note that the (sub)string we look at might end with a bare "\".
1874
If it does, leave it that way. If the regexp actually ended with
1875
">$", then it was escaping the ">" and is fine. If the regexp
1876
actually ended with the bare "\", then it's an illegal regexp and
1877
regcomp should kick it out. */
1879
if(standard_bracket)
1884
#endif /*!DISABLE_REGEX*/
1886
/* Used by validate_one_keyblock to confirm a regexp within a trust
1887
signature. Returns 1 for match, and 0 for no match or regex
1890
check_regexp(const char *expr,const char *string)
1892
#ifdef DISABLE_REGEX
1893
/* When DISABLE_REGEX is defined, assume all regexps do not
1900
regexp=sanitize_regexp(expr);
1903
ret=riscos_check_regexp(expr, string, DBG_TRUST);
1908
ret=regcomp(&pat,regexp,REG_ICASE|REG_NOSUB|REG_EXTENDED);
1911
ret=regexec(&pat,string,0,NULL,0);
1919
log_debug("regexp `%s' (`%s') on `%s': %s\n",
1920
regexp,expr,string,ret==0?"YES":"NO");
1929
* Return true if the key is signed by one of the keys in the given
1930
* key ID list. User IDs with a valid signature are marked by node
1932
* flag bit 0: There is at least one signature
1933
* 1: There is marginal confidence that this is a legitimate uid
1934
* 2: There is full confidence that this is a legitimate uid.
1935
* 8: Used for internal purposes.
1936
* 9: Ditto (in mark_usable_uid_certs())
1938
* This function assumes that all kbnode flags are cleared on entry.
1941
validate_one_keyblock (KBNODE kb, struct key_item *klist,
1942
u32 curtime, u32 *next_expire)
1944
struct key_item *kr;
1945
KBNODE node, uidnode=NULL;
1946
PKT_user_id *uid=NULL;
1947
PKT_public_key *pk = kb->pkt->pkt.public_key;
1949
int issigned=0, any_signed = 0;
1951
keyid_from_pk(pk, main_kid);
1952
for (node=kb; node; node = node->next)
1954
/* A bit of discussion here: is it better for the web of trust
1955
to be built among only self-signed uids? On the one hand, a
1956
self-signed uid is a statement that the key owner definitely
1957
intended that uid to be there, but on the other hand, a
1958
signed (but not self-signed) uid does carry trust, of a sort,
1959
even if it is a statement being made by people other than the
1960
key owner "through" the uids on the key owner's key. I'm
1961
going with the latter. However, if the user ID was
1962
explicitly revoked, or passively allowed to expire, that
1963
should stop validity through the user ID until it is
1966
if (node->pkt->pkttype == PKT_USER_ID
1967
&& !node->pkt->pkt.user_id->is_revoked
1968
&& !node->pkt->pkt.user_id->is_expired)
1970
if (uidnode && issigned)
1972
if (uid->help_full_count >= opt.completes_needed
1973
|| uid->help_marginal_count >= opt.marginals_needed )
1975
else if (uid->help_full_count || uid->help_marginal_count)
1981
uid=uidnode->pkt->pkt.user_id;
1983
/* If the selfsig is going to expire... */
1984
if(uid->expiredate && uid->expiredate<*next_expire)
1985
*next_expire = uid->expiredate;
1988
get_validity_counts(pk,uid);
1989
mark_usable_uid_certs (kb, uidnode, main_kid, klist,
1990
curtime, next_expire);
1992
else if (node->pkt->pkttype == PKT_SIGNATURE
1993
&& (node->flag & (1<<8)) && uid)
1995
/* Note that we are only seeing unrevoked sigs here */
1996
PKT_signature *sig = node->pkt->pkt.signature;
1998
kr = is_in_klist (klist, sig);
1999
/* If the trust_regexp does not match, it's as if the sig
2000
did not exist. This is safe for non-trust sigs as well
2001
since we don't accept a regexp on the sig unless it's a
2003
if (kr && (!kr->trust_regexp
2004
|| opt.trust_model != TM_PGP
2006
&& check_regexp(kr->trust_regexp,
2007
uidnode->pkt->pkt.user_id->name))))
2009
/* Are we part of a trust sig chain? We always favor
2010
the latest trust sig, rather than the greater or
2011
lesser trust sig or value. I could make a decent
2012
argument for any of these cases, but this seems to be
2013
what PGP does, and I'd like to be compatible. -dms */
2014
if (opt.trust_model == TM_PGP
2016
&& pk->trust_timestamp <= sig->timestamp)
2018
unsigned char depth;
2020
/* If the depth on the signature is less than the
2021
chain currently has, then use the signature depth
2022
so we don't increase the depth beyond what the
2023
signer wanted. If the depth on the signature is
2024
more than the chain currently has, then use the
2025
chain depth so we use as much of the signature
2026
depth as the chain will permit. An ultimately
2027
trusted signature can restart the depth to
2028
whatever level it likes. */
2030
if (sig->trust_depth < kr->trust_depth
2031
|| kr->ownertrust == TRUST_ULTIMATE)
2032
depth = sig->trust_depth;
2034
depth = kr->trust_depth;
2039
log_debug ("trust sig on %s, sig depth is %d,"
2040
" kr depth is %d\n",
2041
uidnode->pkt->pkt.user_id->name,
2045
/* If we got here, we know that:
2047
this is a trust sig.
2049
it's a newer trust sig than any previous trust
2050
sig on this key (not uid).
2052
it is legal in that it was either generated by an
2053
ultimate key, or a key that was part of a trust
2054
chain, and the depth does not violate the
2057
if there is a regexp attached, it matched
2062
log_debug ("replacing trust value %d with %d and "
2063
"depth %d with %d\n",
2064
pk->trust_value,sig->trust_value,
2065
pk->trust_depth,depth);
2067
pk->trust_value = sig->trust_value;
2068
pk->trust_depth = depth-1;
2070
/* If the trust sig contains a regexp, record it
2071
on the pk for the next round. */
2072
if (sig->trust_regexp)
2073
pk->trust_regexp = sig->trust_regexp;
2077
if (kr->ownertrust == TRUST_ULTIMATE)
2078
uid->help_full_count = opt.completes_needed;
2079
else if (kr->ownertrust == TRUST_FULLY)
2080
uid->help_full_count++;
2081
else if (kr->ownertrust == TRUST_MARGINAL)
2082
uid->help_marginal_count++;
2088
if (uidnode && issigned)
2090
if (uid->help_full_count >= opt.completes_needed
2091
|| uid->help_marginal_count >= opt.marginals_needed )
2093
else if (uid->help_full_count || uid->help_marginal_count)
2104
search_skipfnc (void *opaque, u32 *kid, PKT_user_id *dummy)
2107
return test_key_hash_table ((KeyHashTable)opaque, kid);
2112
* Scan all keys and return a key_array of all suitable keys from
2113
* kllist. The caller has to pass keydb handle so that we don't use
2114
* to create our own. Returns either a key_array or NULL in case of
2115
* an error. No results found are indicated by an empty array.
2116
* Caller hast to release the returned array.
2118
static struct key_array *
2119
validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
2120
struct key_item *klist, u32 curtime, u32 *next_expire)
2122
KBNODE keyblock = NULL;
2123
struct key_array *keys = NULL;
2124
size_t nkeys, maxkeys;
2126
KEYDB_SEARCH_DESC desc;
2129
keys = xmalloc ((maxkeys+1) * sizeof *keys);
2132
rc = keydb_search_reset (hd);
2135
log_error ("keydb_search_reset failed: %s\n", g10_errstr(rc));
2140
memset (&desc, 0, sizeof desc);
2141
desc.mode = KEYDB_SEARCH_MODE_FIRST;
2142
desc.skipfnc = search_skipfnc;
2143
desc.skipfncvalue = full_trust;
2144
rc = keydb_search (hd, &desc, 1);
2147
keys[nkeys].keyblock = NULL;
2152
log_error ("keydb_search_first failed: %s\n", g10_errstr(rc));
2157
desc.mode = KEYDB_SEARCH_MODE_NEXT; /* change mode */
2162
rc = keydb_get_keyblock (hd, &keyblock);
2165
log_error ("keydb_get_keyblock failed: %s\n", g10_errstr(rc));
2170
if ( keyblock->pkt->pkttype != PKT_PUBLIC_KEY)
2172
log_debug ("ooops: invalid pkttype %d encountered\n",
2173
keyblock->pkt->pkttype);
2174
dump_kbnode (keyblock);
2175
release_kbnode(keyblock);
2179
/* prepare the keyblock for further processing */
2180
merge_keys_and_selfsig (keyblock);
2181
clear_kbnode_flags (keyblock);
2182
pk = keyblock->pkt->pkt.public_key;
2183
if (pk->has_expired || pk->is_revoked)
2185
/* it does not make sense to look further at those keys */
2186
mark_keyblock_seen (full_trust, keyblock);
2188
else if (validate_one_keyblock (keyblock, klist, curtime, next_expire))
2192
if (pk->expiredate && pk->expiredate >= curtime
2193
&& pk->expiredate < *next_expire)
2194
*next_expire = pk->expiredate;
2196
if (nkeys == maxkeys) {
2198
keys = xrealloc (keys, (maxkeys+1) * sizeof *keys);
2200
keys[nkeys++].keyblock = keyblock;
2202
/* Optimization - if all uids are fully trusted, then we
2203
never need to consider this key as a candidate again. */
2205
for (node=keyblock; node; node = node->next)
2206
if (node->pkt->pkttype == PKT_USER_ID && !(node->flag & 4))
2210
mark_keyblock_seen (full_trust, keyblock);
2215
release_kbnode (keyblock);
2218
while ( !(rc = keydb_search (hd, &desc, 1)) );
2221
log_error ("keydb_search_next failed: %s\n", g10_errstr(rc));
2226
keys[nkeys].keyblock = NULL;
2230
/* Caller must sync */
2232
reset_trust_records(void)
2236
int count = 0, nreset = 0;
2238
for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
2240
if(rec.rectype==RECTYPE_TRUST)
2243
if(rec.r.trust.min_ownertrust)
2245
rec.r.trust.min_ownertrust=0;
2250
else if(rec.rectype==RECTYPE_VALID
2251
&& ((rec.r.valid.validity&TRUST_MASK)
2252
|| rec.r.valid.marginal_count
2253
|| rec.r.valid.full_count))
2255
rec.r.valid.validity &= ~TRUST_MASK;
2256
rec.r.valid.marginal_count=rec.r.valid.full_count=0;
2264
log_info (_("%d keys processed (%d validity counts cleared)\n"),
2269
* Run the key validation procedure.
2271
* This works this way:
2272
* Step 1: Find all ultimately trusted keys (UTK).
2273
* mark them all as seen and put them into klist.
2274
* Step 2: loop max_cert_times
2275
* Step 3: if OWNERTRUST of any key in klist is undefined
2276
* ask user to assign ownertrust
2277
* Step 4: Loop over all keys in the keyDB which are not marked seen
2278
* Step 5: if key is revoked or expired
2280
* continue loop at Step 4
2281
* Step 6: For each user ID of that key signed by a key in klist
2282
* Calculate validity by counting trusted signatures.
2283
* Set validity of user ID
2284
* Step 7: If any signed user ID was found
2287
* Step 8: Build a new klist from all fully trusted keys from step 6
2293
validate_keys (int interactive)
2297
struct key_item *klist = NULL;
2299
struct key_array *keys = NULL;
2300
struct key_array *kar;
2301
KEYDB_HANDLE kdb = NULL;
2304
int ot_unknown, ot_undefined, ot_never, ot_marginal, ot_full, ot_ultimate;
2305
KeyHashTable stored,used,full_trust;
2306
u32 start_time, next_expire;
2308
/* Make sure we have all sigs cached. TODO: This is going to
2309
require some architectual re-thinking, as it is agonizingly slow.
2310
Perhaps combine this with reset_trust_records(), or only check
2311
the caches on keys that are actually involved in the web of
2313
keydb_rebuild_caches(0);
2315
start_time = make_timestamp ();
2316
next_expire = 0xffffffff; /* set next expire to the year 2106 */
2317
stored = new_key_hash_table ();
2318
used = new_key_hash_table ();
2319
full_trust = new_key_hash_table ();
2321
kdb = keydb_new (0);
2322
reset_trust_records();
2324
/* Fixme: Instead of always building a UTK list, we could just build it
2325
* here when needed */
2329
log_info (_("no ultimately trusted keys found\n"));
2333
/* mark all UTKs as used and fully_trusted and set validity to
2335
for (k=utk_list; k; k = k->next)
2340
keyblock = get_pubkeyblock (k->kid);
2343
log_error (_("public key of ultimately"
2344
" trusted key %s not found\n"), keystr(k->kid));
2347
mark_keyblock_seen (used, keyblock);
2348
mark_keyblock_seen (stored, keyblock);
2349
mark_keyblock_seen (full_trust, keyblock);
2350
pk = keyblock->pkt->pkt.public_key;
2351
for (node=keyblock; node; node = node->next)
2353
if (node->pkt->pkttype == PKT_USER_ID)
2354
update_validity (pk, node->pkt->pkt.user_id, 0, TRUST_ULTIMATE);
2356
if ( pk->expiredate && pk->expiredate >= start_time
2357
&& pk->expiredate < next_expire)
2358
next_expire = pk->expiredate;
2360
release_kbnode (keyblock);
2366
log_info(_("%d marginal(s) needed, %d complete(s) needed, %s trust model\n"),
2367
opt.marginals_needed,opt.completes_needed,trust_model_string());
2369
for (depth=0; depth < opt.max_cert_depth; depth++)
2371
int valids=0,key_count;
2372
/* See whether we should assign ownertrust values to the keys in
2374
ot_unknown = ot_undefined = ot_never = 0;
2375
ot_marginal = ot_full = ot_ultimate = 0;
2376
for (k=klist; k; k = k->next)
2380
/* 120 and 60 are as per RFC2440 */
2381
if(k->trust_value>=120)
2383
else if(k->trust_value>=60)
2386
if(min!=k->min_ownertrust)
2387
update_min_ownertrust(k->kid,min);
2389
if (interactive && k->ownertrust == TRUST_UNKNOWN)
2391
k->ownertrust = ask_ownertrust (k->kid,min);
2393
if (k->ownertrust == -1)
2400
/* This can happen during transition from an old trustdb
2401
before trust sigs. It can also happen if a user uses two
2402
different versions of GnuPG or changes the --trust-model
2404
if(k->ownertrust<min)
2407
log_debug("key %08lX%08lX:"
2408
" overriding ownertrust `%s' with `%s'\n",
2409
(ulong)k->kid[0],(ulong)k->kid[1],
2410
trust_value_to_string(k->ownertrust),
2411
trust_value_to_string(min));
2416
if (k->ownertrust == TRUST_UNKNOWN)
2418
else if (k->ownertrust == TRUST_UNDEFINED)
2420
else if (k->ownertrust == TRUST_NEVER)
2422
else if (k->ownertrust == TRUST_MARGINAL)
2424
else if (k->ownertrust == TRUST_FULLY)
2426
else if (k->ownertrust == TRUST_ULTIMATE)
2432
/* Find all keys which are signed by a key in kdlist */
2433
keys = validate_key_list (kdb, full_trust, klist,
2434
start_time, &next_expire);
2437
log_error ("validate_key_list failed\n");
2438
rc = G10ERR_GENERAL;
2442
for (key_count=0, kar=keys; kar->keyblock; kar++, key_count++)
2445
/* Store the calculated valididation status somewhere */
2446
if (opt.verbose > 1)
2447
dump_key_array (depth, keys);
2449
for (kar=keys; kar->keyblock; kar++)
2450
store_validation_status (depth, kar->keyblock, stored);
2452
log_info (_("depth: %d valid: %3d signed: %3d"
2453
" trust: %d-, %dq, %dn, %dm, %df, %du\n"),
2454
depth, valids, key_count, ot_unknown, ot_undefined,
2455
ot_never, ot_marginal, ot_full, ot_ultimate );
2457
/* Build a new kdlist from all fully valid keys in KEYS */
2458
if (klist != utk_list)
2459
release_key_items (klist);
2461
for (kar=keys; kar->keyblock; kar++)
2463
for (node=kar->keyblock; node; node = node->next)
2465
if (node->pkt->pkttype == PKT_USER_ID && (node->flag & 4))
2469
/* have we used this key already? */
2470
keyid_from_pk (kar->keyblock->pkt->pkt.public_key, kid);
2471
if(test_key_hash_table(used,kid)==0)
2473
/* Normally we add both the primary and subkey
2474
ids to the hash via mark_keyblock_seen, but
2475
since we aren't using this hash as a skipfnc,
2476
that doesn't matter here. */
2477
add_key_hash_table (used,kid);
2478
k = new_key_item ();
2482
(get_ownertrust (kar->keyblock->pkt->pkt.public_key)
2485
get_min_ownertrust(kar->keyblock->pkt->pkt.public_key);
2487
kar->keyblock->pkt->pkt.public_key->trust_depth;
2489
kar->keyblock->pkt->pkt.public_key->trust_value;
2490
if(kar->keyblock->pkt->pkt.public_key->trust_regexp)
2492
xstrdup(kar->keyblock->pkt->
2493
pkt.public_key->trust_regexp);
2501
release_key_array (keys);
2504
break; /* no need to dive in deeper */
2508
keydb_release (kdb);
2509
release_key_array (keys);
2510
release_key_items (klist);
2511
release_key_hash_table (full_trust);
2512
release_key_hash_table (used);
2513
release_key_hash_table (stored);
2514
if (!rc && !quit) /* mark trustDB as checked */
2516
if (next_expire == 0xffffffff || next_expire < start_time )
2517
tdbio_write_nextcheck (0);
2520
tdbio_write_nextcheck (next_expire);
2521
log_info (_("next trustdb check due at %s\n"),
2522
strtimestamp (next_expire));
2525
if(tdbio_update_version_record()!=0)
2527
log_error(_("unable to update trustdb version record: "
2528
"write failed: %s\n"), g10_errstr(rc));
2533
pending_check_trustdb = 0;