2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
3 * 2005 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 #include <sys/types.h>
30 #endif /* !DISABLE_REGEX */
46 * A structure to store key identification as well as some stuff needed
50 struct key_item *next;
51 unsigned int ownertrust,min_ownertrust;
59 typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
62 * Structure to keep track of keys, this is used as an array wherre
63 * the item right after the last one has a keyblock set to NULL.
64 * Maybe we can drop this thing and replace it by key_item
71 /* control information for the trust DB */
79 static struct key_item *user_utk_list; /* temp. used to store --trusted-keys */
80 static struct key_item *utk_list; /* all ultimately trusted keys */
82 static int pending_check_trustdb;
84 static int validate_keys (int interactive);
87 /**********************************************
88 ************* some helpers *******************
89 **********************************************/
91 static struct key_item *
96 k = xmalloc_clear (sizeof *k);
101 release_key_items (struct key_item *k)
108 xfree (k->trust_regexp);
114 * For fast keylook up we need a hash table. Each byte of a KeyIDs
115 * should be distributed equally over the 256 possible values (except
116 * for v3 keyIDs but we consider them as not important here). So we
117 * can just use 10 bits to index a table of 1024 key items.
118 * Possible optimization: Don not use key_items but other hash_table when the
119 * duplicates lists gets too large.
122 new_key_hash_table (void)
124 struct key_item **tbl;
126 tbl = xmalloc_clear (1024 * sizeof *tbl);
131 release_key_hash_table (KeyHashTable tbl)
137 for (i=0; i < 1024; i++)
138 release_key_items (tbl[i]);
143 * Returns: True if the keyID is in the given hash table
146 test_key_hash_table (KeyHashTable tbl, u32 *kid)
150 for (k = tbl[(kid[1] & 0x03ff)]; k; k = k->next)
151 if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
157 * Add a new key to the hash table. The key is identified by its key ID.
160 add_key_hash_table (KeyHashTable tbl, u32 *kid)
162 struct key_item *k, *kk;
164 for (k = tbl[(kid[1] & 0x03ff)]; k; k = k->next)
165 if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
166 return; /* already in table */
168 kk = new_key_item ();
171 kk->next = tbl[(kid[1] & 0x03ff)];
172 tbl[(kid[1] & 0x03ff)] = kk;
176 * Release a key_array
179 release_key_array ( struct key_array *keys )
184 for (k=keys; k->keyblock; k++)
185 release_kbnode (k->keyblock);
191 /*********************************************
192 ********** Initialization *****************
193 *********************************************/
198 * Used to register extra ultimately trusted keys - this has to be done
199 * before initializing the validation module.
200 * FIXME: Should be replaced by a function to add those keys to the trustdb.
203 register_trusted_keyid(u32 *keyid)
208 k->kid[0] = keyid[0];
209 k->kid[1] = keyid[1];
210 k->next = user_utk_list;
215 register_trusted_key( const char *string )
217 KEYDB_SEARCH_DESC desc;
219 if (classify_user_id (string, &desc) != KEYDB_SEARCH_MODE_LONG_KID )
221 log_error(_("`%s' is not a valid long keyID\n"), string );
225 register_trusted_keyid(desc.u.kid);
229 * Helper to add a key to the global list of ultimately trusted keys.
230 * Retruns: true = inserted, false = already in in list.
237 for (k = utk_list; k; k = k->next)
239 if (k->kid[0] == kid[0] && k->kid[1] == kid[1])
248 k->ownertrust = TRUST_ULTIMATE;
251 if( opt.verbose > 1 )
252 log_info(_("key %s: accepted as trusted key\n"), keystr(kid));
258 * Verify that all our secret keys are usable and put them into the utk_list.
261 verify_own_keys(void)
271 /* scan the trustdb to find all ultimately trusted keys */
272 for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
274 if ( rec.rectype == RECTYPE_TRUST
275 && (rec.r.trust.ownertrust & TRUST_MASK) == TRUST_ULTIMATE)
277 byte *fpr = rec.r.trust.fingerprint;
281 /* Problem: We do only use fingerprints in the trustdb but
282 * we need the keyID here to indetify the key; we can only
283 * use that ugly hack to distinguish between 16 and 20
284 * butes fpr - it does not work always so we better change
285 * the whole validation code to only work with
287 fprlen = (!fpr[16] && !fpr[17] && !fpr[18] && !fpr[19])? 16:20;
288 keyid_from_fingerprint (fpr, fprlen, kid);
290 log_info(_("key %s occurs more than once in the trustdb\n"),
295 /* Put any --trusted-key keys into the trustdb */
296 for (k = user_utk_list; k; k = k->next)
298 if ( add_utk (k->kid) )
299 { /* not yet in trustDB as ultimately trusted */
302 memset (&pk, 0, sizeof pk);
303 rc = get_pubkey (&pk, k->kid);
305 log_info(_("key %s: no public key for trusted key - skipped\n"),
309 update_ownertrust (&pk,
310 ((get_ownertrust (&pk) & ~TRUST_MASK)
312 release_public_key_parts (&pk);
315 log_info (_("key %s marked as ultimately trusted\n"),keystr(k->kid));
319 /* release the helper table table */
320 release_key_items (user_utk_list);
321 user_utk_list = NULL;
326 /*********************************************
327 *********** TrustDB stuff *******************
328 *********************************************/
331 * Read a record but die if it does not exist
334 read_record (ulong recno, TRUSTREC *rec, int rectype )
336 int rc = tdbio_read_record (recno, rec, rectype);
339 log_error(_("trust record %lu, req type %d: read failed: %s\n"),
340 recno, rec->rectype, g10_errstr(rc) );
343 if (rectype != rec->rectype)
345 log_error(_("trust record %lu is not of requested type %d\n"),
346 rec->recnum, rectype);
352 * Write a record and die on error
355 write_record (TRUSTREC *rec)
357 int rc = tdbio_write_record (rec);
360 log_error(_("trust record %lu, type %d: write failed: %s\n"),
361 rec->recnum, rec->rectype, g10_errstr(rc) );
367 * sync the TrustDb and die on error
372 int rc = tdbio_sync ();
375 log_error (_("trustdb: sync failed: %s\n"), g10_errstr(rc) );
381 trust_model_string(void)
383 switch(opt.trust_model)
385 case TM_CLASSIC: return "classic";
386 case TM_PGP: return "PGP";
387 case TM_EXTERNAL: return "external";
388 case TM_ALWAYS: return "always";
389 case TM_DIRECT: return "direct";
390 default: return "unknown";
395 * Perform some checks over the trustdb
396 * level 0: only open the db
397 * 1: used for initial program startup
400 setup_trustdb( int level, const char *dbname )
402 /* just store the args */
403 if( trustdb_args.init )
405 trustdb_args.level = level;
406 trustdb_args.dbname = dbname? xstrdup(dbname): NULL;
413 int level = trustdb_args.level;
414 const char* dbname = trustdb_args.dbname;
416 if( trustdb_args.init )
419 trustdb_args.init = 1;
421 if(level==0 || level==1)
423 int rc = tdbio_set_dbname( dbname, !!level );
425 log_fatal("can't init trustdb: %s\n", g10_errstr(rc) );
430 if(opt.trust_model==TM_AUTO)
432 /* Try and set the trust model off of whatever the trustdb says
434 opt.trust_model=tdbio_read_model();
436 /* Sanity check this ;) */
437 if(opt.trust_model!=TM_CLASSIC
438 && opt.trust_model!=TM_PGP
439 && opt.trust_model!=TM_EXTERNAL)
441 log_info(_("unable to use unknown trust model (%d) - "
442 "assuming %s trust model\n"),opt.trust_model,"PGP");
443 opt.trust_model=TM_PGP;
447 log_info(_("using %s trust model\n"),trust_model_string());
450 if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
452 /* Verify the list of ultimately trusted keys and move the
453 --trusted-keys list there as well. */
457 if(!tdbio_db_matches_options())
458 pending_check_trustdb=1;
463 /***********************************************
464 ************* Print helpers ****************
465 ***********************************************/
468 * This function returns a letter for a trustvalue Trust flags
472 trust_letter (unsigned int value)
474 switch( (value & TRUST_MASK) )
476 case TRUST_UNKNOWN: return '-';
477 case TRUST_EXPIRED: return 'e';
478 case TRUST_UNDEFINED: return 'q';
479 case TRUST_NEVER: return 'n';
480 case TRUST_MARGINAL: return 'm';
481 case TRUST_FULLY: return 'f';
482 case TRUST_ULTIMATE: return 'u';
487 /* NOTE TO TRANSLATOR: these strings are similar to those in
488 trust_value_to_string(), but are a fixed length. This is needed to
489 make attractive information listings where columns line up
490 properly. The value "10" should be the length of the strings you
491 choose to translate to. This is the length in printable columns.
492 It gets passed to atoi() so everything after the number is
493 essentially a comment and need not be translated. Either key and
494 uid are both NULL, or neither are NULL. */
496 uid_trust_string_fixed(PKT_public_key *key,PKT_user_id *uid)
499 return _("10 translator see trustdb.c:uid_trust_string_fixed");
500 else if(uid->is_revoked || (key && key->is_revoked))
501 return _("[ revoked]");
502 else if(uid->is_expired)
503 return _("[ expired]");
505 switch(get_validity(key,uid)&TRUST_MASK)
507 case TRUST_UNKNOWN: return _("[ unknown]");
508 case TRUST_EXPIRED: return _("[ expired]");
509 case TRUST_UNDEFINED: return _("[ undef ]");
510 case TRUST_MARGINAL: return _("[marginal]");
511 case TRUST_FULLY: return _("[ full ]");
512 case TRUST_ULTIMATE: return _("[ultimate]");
518 /* The strings here are similar to those in
519 pkclist.c:do_edit_ownertrust() */
521 trust_value_to_string (unsigned int value)
523 switch( (value & TRUST_MASK) )
525 case TRUST_UNKNOWN: return _("unknown");
526 case TRUST_EXPIRED: return _("expired");
527 case TRUST_UNDEFINED: return _("undefined");
528 case TRUST_NEVER: return _("never");
529 case TRUST_MARGINAL: return _("marginal");
530 case TRUST_FULLY: return _("full");
531 case TRUST_ULTIMATE: return _("ultimate");
532 default: return "err";
537 string_to_trust_value (const char *str)
539 if(ascii_strcasecmp(str,"undefined")==0)
540 return TRUST_UNDEFINED;
541 else if(ascii_strcasecmp(str,"never")==0)
543 else if(ascii_strcasecmp(str,"marginal")==0)
544 return TRUST_MARGINAL;
545 else if(ascii_strcasecmp(str,"full")==0)
547 else if(ascii_strcasecmp(str,"ultimate")==0)
548 return TRUST_ULTIMATE;
554 * Recreate the WoT but do not ask for new ownertrusts. Special
555 * feature: In batch mode and without a forced yes, this is only done
556 * when a check is due. This can be used to run the check from a crontab
562 if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
564 if (opt.batch && !opt.answer_yes)
568 scheduled = tdbio_read_nextcheck ();
571 log_info (_("no need for a trustdb check\n"));
575 if (scheduled > make_timestamp ())
577 log_info (_("next trustdb check due at %s\n"),
578 strtimestamp (scheduled));
586 log_info (_("no need for a trustdb check with `%s' trust model\n"),
587 trust_model_string());
598 if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)
601 log_info (_("no need for a trustdb update with `%s' trust model\n"),
602 trust_model_string());
606 revalidation_mark (void)
609 /* we simply set the time for the next check to 1 (far back in 1970)
610 * so that a --update-trustdb will be scheduled */
611 if (tdbio_write_nextcheck (1))
613 pending_check_trustdb = 1;
617 trustdb_pending_check(void)
619 return pending_check_trustdb;
622 /* If the trustdb is dirty, and we're interactive, update it.
623 Otherwise, check it unless no-auto-check-trustdb is set. */
625 trustdb_check_or_update(void)
627 if(trustdb_pending_check())
631 else if(!opt.no_auto_check_trustdb)
637 read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck,
638 byte *marginals,byte *completes,byte *cert_depth)
644 read_record(0,&opts,RECTYPE_VER);
647 *trust_model=opts.r.ver.trust_model;
649 *created=opts.r.ver.created;
651 *nextcheck=opts.r.ver.nextcheck;
653 *marginals=opts.r.ver.marginals;
655 *completes=opts.r.ver.completes;
657 *cert_depth=opts.r.ver.cert_depth;
660 /***********************************************
661 *********** Ownertrust et al. ****************
662 ***********************************************/
665 read_trust_record (PKT_public_key *pk, TRUSTREC *rec)
670 rc = tdbio_search_trust_bypk (pk, rec);
672 return -1; /* no record yet */
675 log_error ("trustdb: searching trust record failed: %s\n",
680 if (rec->rectype != RECTYPE_TRUST)
682 log_error ("trustdb: record %lu is not a trust record\n",
684 return G10ERR_TRUSTDB;
691 * Return the assigned ownertrust value for the given public key.
692 * The key should be the primary key.
695 get_ownertrust ( PKT_public_key *pk)
700 rc = read_trust_record (pk, &rec);
702 return TRUST_UNKNOWN; /* no record yet */
706 return rc; /* actually never reached */
709 return rec.r.trust.ownertrust;
713 get_min_ownertrust (PKT_public_key *pk)
718 rc = read_trust_record (pk, &rec);
720 return TRUST_UNKNOWN; /* no record yet */
724 return rc; /* actually never reached */
727 return rec.r.trust.min_ownertrust;
731 * Same as get_ownertrust but this takes the minimum ownertrust value
732 * into into account, and will bump up the value as needed.
735 get_ownertrust_with_min (PKT_public_key *pk)
737 unsigned int otrust,otrust_min;
739 otrust = (get_ownertrust (pk) & TRUST_MASK);
740 otrust_min = get_min_ownertrust (pk);
741 if(otrust<otrust_min)
743 /* If the trust that the user has set is less than the trust
744 that was calculated from a trust signature chain, use the
745 higher of the two. We do this here and not in
746 get_ownertrust since the underlying ownertrust should not
747 really be set - just the appearance of the ownertrust. */
756 * Same as get_ownertrust but return a trust letter instead of an
757 * value. This takes the minimum ownertrust value into account.
760 get_ownertrust_info (PKT_public_key *pk)
762 return trust_letter(get_ownertrust_with_min(pk));
766 * Same as get_ownertrust but return a trust string instead of an
767 * value. This takes the minimum ownertrust value into account.
770 get_ownertrust_string (PKT_public_key *pk)
772 return trust_value_to_string(get_ownertrust_with_min(pk));
776 * Set the trust value of the given public key to the new value.
777 * The key should be a primary one.
780 update_ownertrust (PKT_public_key *pk, unsigned int new_trust )
785 rc = read_trust_record (pk, &rec);
789 log_debug ("update ownertrust from %u to %u\n",
790 (unsigned int)rec.r.trust.ownertrust, new_trust );
791 if (rec.r.trust.ownertrust != new_trust)
793 rec.r.trust.ownertrust = new_trust;
794 write_record( &rec );
795 revalidation_mark ();
800 { /* no record yet - create a new one */
804 log_debug ("insert ownertrust %u\n", new_trust );
806 memset (&rec, 0, sizeof rec);
807 rec.recnum = tdbio_new_recnum ();
808 rec.rectype = RECTYPE_TRUST;
809 fingerprint_from_pk (pk, rec.r.trust.fingerprint, &dummy);
810 rec.r.trust.ownertrust = new_trust;
812 revalidation_mark ();
823 update_min_ownertrust (u32 *kid, unsigned int new_trust )
829 pk = xmalloc_clear (sizeof *pk);
830 rc = get_pubkey (pk, kid);
833 log_error(_("public key %s not found: %s\n"),keystr(kid),g10_errstr(rc));
837 rc = read_trust_record (pk, &rec);
841 log_debug ("key %08lX%08lX: update min_ownertrust from %u to %u\n",
842 (ulong)kid[0],(ulong)kid[1],
843 (unsigned int)rec.r.trust.min_ownertrust,
845 if (rec.r.trust.min_ownertrust != new_trust)
847 rec.r.trust.min_ownertrust = new_trust;
848 write_record( &rec );
849 revalidation_mark ();
854 { /* no record yet - create a new one */
858 log_debug ("insert min_ownertrust %u\n", new_trust );
860 memset (&rec, 0, sizeof rec);
861 rec.recnum = tdbio_new_recnum ();
862 rec.rectype = RECTYPE_TRUST;
863 fingerprint_from_pk (pk, rec.r.trust.fingerprint, &dummy);
864 rec.r.trust.min_ownertrust = new_trust;
866 revalidation_mark ();
876 /* Clear the ownertrust and min_ownertrust values. Return true if a
877 change actually happened. */
879 clear_ownertrusts (PKT_public_key *pk)
884 rc = read_trust_record (pk, &rec);
889 log_debug ("clearing ownertrust (old value %u)\n",
890 (unsigned int)rec.r.trust.ownertrust);
891 log_debug ("clearing min_ownertrust (old value %u)\n",
892 (unsigned int)rec.r.trust.min_ownertrust);
894 if (rec.r.trust.ownertrust || rec.r.trust.min_ownertrust)
896 rec.r.trust.ownertrust = 0;
897 rec.r.trust.min_ownertrust = 0;
898 write_record( &rec );
899 revalidation_mark ();
912 * Note: Caller has to do a sync
915 update_validity (PKT_public_key *pk, PKT_user_id *uid,
916 int depth, int validity)
922 namehash_from_uid(uid);
924 rc = read_trust_record (pk, &trec);
930 if (rc == -1) /* no record yet - create a new one */
935 memset (&trec, 0, sizeof trec);
936 trec.recnum = tdbio_new_recnum ();
937 trec.rectype = RECTYPE_TRUST;
938 fingerprint_from_pk (pk, trec.r.trust.fingerprint, &dummy);
939 trec.r.trust.ownertrust = 0;
942 /* locate an existing one */
943 recno = trec.r.trust.validlist;
946 read_record (recno, &vrec, RECTYPE_VALID);
947 if ( !memcmp (vrec.r.valid.namehash, uid->namehash, 20) )
949 recno = vrec.r.valid.next;
952 if (!recno) /* insert a new validity record */
954 memset (&vrec, 0, sizeof vrec);
955 vrec.recnum = tdbio_new_recnum ();
956 vrec.rectype = RECTYPE_VALID;
957 memcpy (vrec.r.valid.namehash, uid->namehash, 20);
958 vrec.r.valid.next = trec.r.trust.validlist;
959 trec.r.trust.validlist = vrec.recnum;
961 vrec.r.valid.validity = validity;
962 vrec.r.valid.full_count = uid->help_full_count;
963 vrec.r.valid.marginal_count = uid->help_marginal_count;
964 write_record (&vrec);
965 trec.r.trust.depth = depth;
966 write_record (&trec);
970 /***********************************************
971 ********* Query trustdb values **************
972 ***********************************************/
974 /* Return true if key is disabled */
976 cache_disabled_value(PKT_public_key *pk)
983 return (pk->is_disabled==2);
987 rc = read_trust_record (pk, &trec);
993 if (rc == -1) /* no record found, so assume not disabled */
996 if(trec.r.trust.ownertrust & TRUST_FLAG_DISABLED)
999 /* Cache it for later so we don't need to look at the trustdb every
1011 check_trustdb_stale(void)
1013 static int did_nextcheck=0;
1017 && (opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC))
1022 scheduled = tdbio_read_nextcheck ();
1023 if (scheduled && scheduled <= make_timestamp ())
1025 if (opt.no_auto_check_trustdb)
1027 pending_check_trustdb = 1;
1028 log_info (_("please do a --check-trustdb\n"));
1032 log_info (_("checking the trustdb\n"));
1040 * Return the validity information for PK. If the namehash is not
1041 * NULL, the validity of the corresponsing user ID is returned,
1042 * otherwise, a reasonable value for the entire key is returned.
1045 get_validity (PKT_public_key *pk, PKT_user_id *uid)
1047 TRUSTREC trec, vrec;
1050 unsigned int validity;
1052 PKT_public_key *main_pk;
1055 namehash_from_uid(uid);
1058 check_trustdb_stale();
1060 keyid_from_pk (pk, kid);
1061 if (pk->main_keyid[0] != kid[0] || pk->main_keyid[1] != kid[1])
1062 { /* this is a subkey - get the mainkey */
1063 main_pk = xmalloc_clear (sizeof *main_pk);
1064 rc = get_pubkey (main_pk, pk->main_keyid);
1067 char *tempkeystr=xstrdup(keystr(pk->main_keyid));
1068 log_error ("error getting main key %s of subkey %s: %s\n",
1069 tempkeystr, keystr(kid), g10_errstr(rc));
1071 validity = TRUST_UNKNOWN;
1078 if(opt.trust_model==TM_DIRECT)
1080 /* Note that this happens BEFORE any user ID stuff is checked.
1081 The direct trust model applies to keys as a whole. */
1082 validity=get_ownertrust(main_pk);
1086 rc = read_trust_record (main_pk, &trec);
1092 if (rc == -1) /* no record found */
1094 validity = TRUST_UNKNOWN;
1098 /* loop over all user IDs */
1099 recno = trec.r.trust.validlist;
1103 read_record (recno, &vrec, RECTYPE_VALID);
1107 /* If a user ID is given we return the validity for that
1108 user ID ONLY. If the namehash is not found, then there
1109 is no validity at all (i.e. the user ID wasn't
1111 if(memcmp(vrec.r.valid.namehash,uid->namehash,20)==0)
1113 validity=(vrec.r.valid.validity & TRUST_MASK);
1119 /* If no namehash is given, we take the maximum validity
1120 over all user IDs */
1121 if ( validity < (vrec.r.valid.validity & TRUST_MASK) )
1122 validity = (vrec.r.valid.validity & TRUST_MASK);
1125 recno = vrec.r.valid.next;
1128 if ( (trec.r.trust.ownertrust & TRUST_FLAG_DISABLED) )
1130 validity |= TRUST_FLAG_DISABLED;
1137 /* set some flags direct from the key */
1138 if (main_pk->is_revoked)
1139 validity |= TRUST_FLAG_REVOKED;
1140 if (main_pk != pk && pk->is_revoked)
1141 validity |= TRUST_FLAG_SUB_REVOKED;
1142 /* Note: expiration is a trust value and not a flag - don't know why
1143 * I initially designed it that way */
1144 if (main_pk->has_expired || pk->has_expired)
1145 validity = (validity & ~TRUST_MASK) | TRUST_EXPIRED;
1147 if (pending_check_trustdb)
1148 validity |= TRUST_FLAG_PENDING_CHECK;
1151 free_public_key (main_pk);
1156 get_validity_info (PKT_public_key *pk, PKT_user_id *uid)
1160 trustlevel = get_validity (pk, uid);
1161 if( trustlevel & TRUST_FLAG_REVOKED )
1163 return trust_letter ( trustlevel );
1167 get_validity_string (PKT_public_key *pk, PKT_user_id *uid)
1171 trustlevel = get_validity (pk, uid);
1172 if( trustlevel & TRUST_FLAG_REVOKED )
1173 return _("revoked");
1174 return trust_value_to_string(trustlevel);
1178 get_validity_counts (PKT_public_key *pk, PKT_user_id *uid)
1180 TRUSTREC trec, vrec;
1183 if(pk==NULL || uid==NULL)
1186 namehash_from_uid(uid);
1188 uid->help_marginal_count=uid->help_full_count=0;
1192 if(read_trust_record (pk, &trec)!=0)
1195 /* loop over all user IDs */
1196 recno = trec.r.trust.validlist;
1199 read_record (recno, &vrec, RECTYPE_VALID);
1201 if(memcmp(vrec.r.valid.namehash,uid->namehash,20)==0)
1203 uid->help_marginal_count=vrec.r.valid.marginal_count;
1204 uid->help_full_count=vrec.r.valid.full_count;
1205 /* printf("Fetched marginal %d, full %d\n",uid->help_marginal_count,uid->help_full_count); */
1209 recno = vrec.r.valid.next;
1214 list_trust_path( const char *username )
1219 * Enumerate all keys, which are needed to build all trust paths for
1220 * the given key. This function does not return the key itself or
1221 * the ultimate key (the last point in cerificate chain). Only
1222 * certificate chains which ends up at an ultimately trusted key
1223 * are listed. If ownertrust or validity is not NULL, the corresponding
1224 * value for the returned LID is also returned in these variable(s).
1226 * 1) create a void pointer and initialize it to NULL
1227 * 2) pass this void pointer by reference to this function.
1228 * Set lid to the key you want to enumerate and pass it by reference.
1229 * 3) call this function as long as it does not return -1
1230 * to indicate EOF. LID does contain the next key used to build the web
1231 * 4) Always call this function a last time with LID set to NULL,
1232 * so that it can free its context.
1234 * Returns: -1 on EOF or the level of the returned LID
1237 enum_cert_paths( void **context, ulong *lid,
1238 unsigned *ownertrust, unsigned *validity )
1245 * Print the current path
1248 enum_cert_paths_print( void **context, FILE *fp,
1249 int refresh, ulong selected_lid )
1256 /****************************************
1257 *********** NEW NEW NEW ****************
1258 ****************************************/
1261 ask_ownertrust (u32 *kid,int minimum)
1267 pk = xmalloc_clear (sizeof *pk);
1268 rc = get_pubkey (pk, kid);
1271 log_error (_("public key %s not found: %s\n"),
1272 keystr(kid), g10_errstr(rc) );
1273 return TRUST_UNKNOWN;
1276 if(opt.force_ownertrust)
1278 log_info("force trust for key %s to %s\n",
1279 keystr(kid),trust_value_to_string(opt.force_ownertrust));
1280 update_ownertrust(pk,opt.force_ownertrust);
1281 ot=opt.force_ownertrust;
1285 ot=edit_ownertrust(pk,0);
1287 ot = get_ownertrust (pk);
1289 ot = minimum?minimum:TRUST_UNDEFINED;
1294 free_public_key( pk );
1301 mark_keyblock_seen (KeyHashTable tbl, KBNODE node)
1303 for ( ;node; node = node->next )
1304 if (node->pkt->pkttype == PKT_PUBLIC_KEY
1305 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1309 keyid_from_pk (node->pkt->pkt.public_key, aki);
1310 add_key_hash_table (tbl, aki);
1316 dump_key_array (int depth, struct key_array *keys)
1318 struct key_array *kar;
1320 for (kar=keys; kar->keyblock; kar++)
1322 KBNODE node = kar->keyblock;
1325 keyid_from_pk(node->pkt->pkt.public_key, kid);
1326 printf ("%d:%08lX%08lX:K::%c::::\n",
1327 depth, (ulong)kid[0], (ulong)kid[1], '?');
1329 for (; node; node = node->next)
1331 if (node->pkt->pkttype == PKT_USER_ID)
1333 int len = node->pkt->pkt.user_id->len;
1337 printf ("%d:%08lX%08lX:U:::%c:::",
1338 depth, (ulong)kid[0], (ulong)kid[1],
1339 (node->flag & 4)? 'f':
1340 (node->flag & 2)? 'm':
1341 (node->flag & 1)? 'q':'-');
1342 print_string (stdout, node->pkt->pkt.user_id->name, len, ':');
1352 store_validation_status (int depth, KBNODE keyblock, KeyHashTable stored)
1358 for (node=keyblock; node; node = node->next)
1360 if (node->pkt->pkttype == PKT_USER_ID)
1362 PKT_user_id *uid = node->pkt->pkt.user_id;
1364 status = TRUST_FULLY;
1365 else if (node->flag & 2)
1366 status = TRUST_MARGINAL;
1367 else if (node->flag & 1)
1368 status = TRUST_UNDEFINED;
1374 update_validity (keyblock->pkt->pkt.public_key,
1375 uid, depth, status);
1377 mark_keyblock_seen(stored,keyblock);
1389 * check whether the signature sig is in the klist k
1391 static struct key_item *
1392 is_in_klist (struct key_item *k, PKT_signature *sig)
1394 for (; k; k = k->next)
1396 if (k->kid[0] == sig->keyid[0] && k->kid[1] == sig->keyid[1])
1403 * Mark the signature of the given UID which are used to certify it.
1404 * To do this, we first revmove all signatures which are not valid and
1405 * from the remain ones we look for the latest one. If this is not a
1406 * certification revocation signature we mark the signature by setting
1407 * node flag bit 8. Revocations are marked with flag 11, and sigs
1408 * from unavailable keys are marked with flag 12. Note that flag bits
1409 * 9 and 10 are used for internal purposes.
1412 mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
1413 u32 *main_kid, struct key_item *klist,
1414 u32 curtime, u32 *next_expire)
1419 /* first check all signatures */
1420 for (node=uidnode->next; node; node = node->next)
1424 node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12);
1425 if (node->pkt->pkttype == PKT_USER_ID
1426 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1428 if (node->pkt->pkttype != PKT_SIGNATURE)
1430 sig = node->pkt->pkt.signature;
1432 && sig->keyid[0] == main_kid[0] && sig->keyid[1] == main_kid[1])
1433 continue; /* ignore self-signatures if we pass in a main_kid */
1434 if (!IS_UID_SIG(sig) && !IS_UID_REV(sig))
1435 continue; /* we only look at these signature classes */
1436 if(sig->sig_class>=0x11 && sig->sig_class<=0x13 &&
1437 sig->sig_class-0x10<opt.min_cert_level)
1438 continue; /* treat anything under our min_cert_level as an
1439 invalid signature */
1440 if (klist && !is_in_klist (klist, sig))
1441 continue; /* no need to check it then */
1442 if ((rc=check_key_signature (keyblock, node, NULL)))
1444 /* we ignore anything that won't verify, but tag the
1446 if(rc==G10ERR_NO_PUBKEY)
1447 node->flag |= 1<<12;
1452 /* reset the remaining flags */
1453 for (; node; node = node->next)
1454 node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12);
1456 /* kbnode flag usage: bit 9 is here set for signatures to consider,
1457 * bit 10 will be set by the loop to keep track of keyIDs already
1458 * processed, bit 8 will be set for the usable signatures, and bit
1459 * 11 will be set for usable revocations. */
1461 /* for each cert figure out the latest valid one */
1462 for (node=uidnode->next; node; node = node->next)
1468 if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1470 if ( !(node->flag & (1<<9)) )
1471 continue; /* not a node to look at */
1472 if ( (node->flag & (1<<10)) )
1473 continue; /* signature with a keyID already processed */
1474 node->flag |= (1<<10); /* mark this node as processed */
1475 sig = node->pkt->pkt.signature;
1477 sigdate = sig->timestamp;
1478 kid[0] = sig->keyid[0]; kid[1] = sig->keyid[1];
1480 /* Now find the latest and greatest signature */
1481 for (n=uidnode->next; n; n = n->next)
1483 if (n->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1485 if ( !(n->flag & (1<<9)) )
1487 if ( (n->flag & (1<<10)) )
1488 continue; /* shortcut already processed signatures */
1489 sig = n->pkt->pkt.signature;
1490 if (kid[0] != sig->keyid[0] || kid[1] != sig->keyid[1])
1492 n->flag |= (1<<10); /* mark this node as processed */
1494 /* If signode is nonrevocable and unexpired and n isn't,
1495 then take signode (skip). It doesn't matter which is
1496 older: if signode was older then we don't want to take n
1497 as signode is nonrevocable. If n was older then we're
1498 automatically fine. */
1500 if(((IS_UID_SIG(signode->pkt->pkt.signature) &&
1501 !signode->pkt->pkt.signature->flags.revocable &&
1502 (signode->pkt->pkt.signature->expiredate==0 ||
1503 signode->pkt->pkt.signature->expiredate>curtime))) &&
1504 (!(IS_UID_SIG(n->pkt->pkt.signature) &&
1505 !n->pkt->pkt.signature->flags.revocable &&
1506 (n->pkt->pkt.signature->expiredate==0 ||
1507 n->pkt->pkt.signature->expiredate>curtime))))
1510 /* If n is nonrevocable and unexpired and signode isn't,
1511 then take n. Again, it doesn't matter which is older: if
1512 n was older then we don't want to take signode as n is
1513 nonrevocable. If signode was older then we're
1514 automatically fine. */
1516 if((!(IS_UID_SIG(signode->pkt->pkt.signature) &&
1517 !signode->pkt->pkt.signature->flags.revocable &&
1518 (signode->pkt->pkt.signature->expiredate==0 ||
1519 signode->pkt->pkt.signature->expiredate>curtime))) &&
1520 ((IS_UID_SIG(n->pkt->pkt.signature) &&
1521 !n->pkt->pkt.signature->flags.revocable &&
1522 (n->pkt->pkt.signature->expiredate==0 ||
1523 n->pkt->pkt.signature->expiredate>curtime))))
1526 sigdate = sig->timestamp;
1530 /* At this point, if it's newer, it goes in as the only
1531 remaining possibilities are signode and n are both either
1532 revocable or expired or both nonrevocable and unexpired.
1533 If the timestamps are equal take the later ordered
1534 packet, presuming that the key packets are hopefully in
1535 their original order. */
1537 if (sig->timestamp >= sigdate)
1540 sigdate = sig->timestamp;
1544 sig = signode->pkt->pkt.signature;
1545 if (IS_UID_SIG (sig))
1546 { /* this seems to be a usable one which is not revoked.
1547 * Just need to check whether there is an expiration time,
1548 * We do the expired certification after finding a suitable
1549 * certification, the assumption is that a signator does not
1550 * want that after the expiration of his certificate the
1551 * system falls back to an older certification which has a
1552 * different expiration time */
1556 p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_EXPIRE, NULL );
1557 expire = p? sig->timestamp + buffer_to_u32(p) : 0;
1559 if (expire==0 || expire > curtime )
1561 signode->flag |= (1<<8); /* yeah, found a good cert */
1562 if (next_expire && expire && expire < *next_expire)
1563 *next_expire = expire;
1567 signode->flag |= (1<<11);
1572 clean_sigs_from_uid(KBNODE keyblock,KBNODE uidnode,int noisy,int self_only)
1578 assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1580 keyid_from_pk(keyblock->pkt->pkt.public_key,keyid);
1582 /* Passing in a 0 for current time here means that we'll never weed
1583 out an expired sig. This is correct behavior since we want to
1584 keep the most recent expired sig in a series. */
1585 mark_usable_uid_certs(keyblock,uidnode,NULL,NULL,0,NULL);
1587 /* What we want to do here is remove signatures that are not
1588 considered as part of the trust calculations. Thus, all invalid
1589 signatures are out, as are any signatures that aren't the last of
1590 a series of uid sigs or revocations It breaks down like this:
1591 coming out of mark_usable_uid_certs, if a sig is unflagged, it is
1592 not even a candidate. If a sig has flag 9 or 10, that means it
1593 was selected as a candidate and vetted. If a sig has flag 8 it
1594 is a usable signature. If a sig has flag 11 it is a usable
1595 revocation. If a sig has flag 12 it was issued by an unavailable
1596 key. "Usable" here means the most recent valid
1597 signature/revocation in a series from a particular signer.
1599 Delete everything that isn't a usable uid sig (which might be
1600 expired), a usable revocation, or a sig from an unavailable
1603 for(node=uidnode->next;
1604 node && node->pkt->pkttype==PKT_SIGNATURE;
1607 int keep=self_only?(node->pkt->pkt.signature->keyid[0]==keyid[0]
1608 && node->pkt->pkt.signature->keyid[1]==keyid[1]):1;
1610 /* Keep usable uid sigs ... */
1611 if((node->flag & (1<<8)) && keep)
1614 /* ... and usable revocations... */
1615 if((node->flag & (1<<11)) && keep)
1618 /* ... and sigs from unavailable keys. */
1619 /* disabled for now since more people seem to want sigs from
1620 unavailable keys removed altogether. */
1622 if(node->flag & (1<<12))
1626 /* Everything else we delete */
1628 /* At this point, if 12 is set, the signing key was unavailable.
1629 If 9 or 10 is set, it's superceded. Otherwise, it's
1633 log_info("removing signature from key %s on user ID \"%s\": %s\n",
1634 keystr(node->pkt->pkt.signature->keyid),
1635 uidnode->pkt->pkt.user_id->name,
1636 node->flag&(1<<12)?"key unavailable":
1637 node->flag&(1<<9)?"signature superceded":"invalid signature");
1639 delete_kbnode(node);
1646 /* This is substantially easier than clean_sigs_from_uid since we just
1647 have to establish if the uid has a valid self-sig, is not revoked,
1648 and is not expired. Note that this does not take into account
1649 whether the uid has a trust path to it - just whether the keyholder
1650 themselves has certified the uid. Returns true if the uid was
1651 compacted. To "compact" a user ID, we simply remove ALL signatures
1652 except the self-sig that caused the user ID to be remove-worthy.
1653 We don't actually remove the user ID packet itself since it might
1654 be ressurected in a later merge. Note that this function requires
1655 that the caller has already done a merge_keys_and_selfsig().
1657 TODO: change the import code to allow importing a uid with only a
1658 revocation if the uid already exists on the keyring. */
1661 clean_uid_from_key(KBNODE keyblock,KBNODE uidnode,int noisy)
1664 PKT_user_id *uid=uidnode->pkt->pkt.user_id;
1667 assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1668 assert(uidnode->pkt->pkttype==PKT_USER_ID);
1670 /* Skip valid user IDs, compacted user IDs, and non-self-signed user
1671 IDs if --allow-non-selfsigned-uid is set. */
1672 if(uid->created || uid->flags.compacted
1673 || (!uid->is_expired && !uid->is_revoked
1674 && opt.allow_non_selfsigned_uid))
1677 for(node=uidnode->next;
1678 node && node->pkt->pkttype==PKT_SIGNATURE;
1680 if(!node->pkt->pkt.signature->flags.chosen_selfsig)
1682 delete_kbnode(node);
1684 uidnode->pkt->pkt.user_id->flags.compacted=1;
1690 char *user=utf8_to_native(uid->name,uid->len,0);
1693 reason=_("revoked");
1694 else if(uid->is_expired)
1695 reason=_("expired");
1697 reason=_("invalid");
1699 log_info("compacting user ID \"%s\" on key %s: %s\n",
1700 user,keystr_from_pk(keyblock->pkt->pkt.public_key),
1709 /* Needs to be called after a merge_keys_and_selfsig() */
1711 clean_one_uid(KBNODE keyblock,KBNODE uidnode,int noisy,int self_only,
1712 int *uids_cleaned,int *sigs_cleaned)
1716 assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY);
1717 assert(uidnode->pkt->pkttype==PKT_USER_ID);
1720 uids_cleaned=&dummy;
1723 sigs_cleaned=&dummy;
1725 /* Do clean_uid_from_key first since if it fires off, we don't
1726 have to bother with the other */
1727 *uids_cleaned+=clean_uid_from_key(keyblock,uidnode,noisy);
1728 if(!uidnode->pkt->pkt.user_id->flags.compacted)
1729 *sigs_cleaned+=clean_sigs_from_uid(keyblock,uidnode,noisy,self_only);
1733 clean_key(KBNODE keyblock,int noisy,int self_only,
1734 int *uids_cleaned,int *sigs_cleaned)
1738 merge_keys_and_selfsig(keyblock);
1740 for(uidnode=keyblock->next;
1741 uidnode && uidnode->pkt->pkttype!=PKT_PUBLIC_SUBKEY;
1742 uidnode=uidnode->next)
1743 if(uidnode->pkt->pkttype==PKT_USER_ID)
1744 clean_one_uid(keyblock,uidnode,noisy,self_only,
1745 uids_cleaned,sigs_cleaned);
1748 /* Used by validate_one_keyblock to confirm a regexp within a trust
1749 signature. Returns 1 for match, and 0 for no match or regex
1752 check_regexp(const char *expr,const char *string)
1754 #ifdef DISABLE_REGEX
1755 /* When DISABLE_REGEX is defined, assume all regexps do not
1758 #elif defined(__riscos__)
1759 return riscos_check_regexp(expr, string, DBG_TRUST);
1764 if(regcomp(&pat,expr,REG_ICASE|REG_NOSUB|REG_EXTENDED)!=0)
1767 ret=regexec(&pat,string,0,NULL,0);
1772 log_debug("regexp `%s' on `%s': %s\n",expr,string,ret==0?"YES":"NO");
1779 * Return true if the key is signed by one of the keys in the given
1780 * key ID list. User IDs with a valid signature are marked by node
1782 * flag bit 0: There is at least one signature
1783 * 1: There is marginal confidence that this is a legitimate uid
1784 * 2: There is full confidence that this is a legitimate uid.
1785 * 8: Used for internal purposes.
1786 * 9: Ditto (in mark_usable_uid_certs())
1788 * This function assumes that all kbnode flags are cleared on entry.
1791 validate_one_keyblock (KBNODE kb, struct key_item *klist,
1792 u32 curtime, u32 *next_expire)
1794 struct key_item *kr;
1795 KBNODE node, uidnode=NULL;
1796 PKT_user_id *uid=NULL;
1797 PKT_public_key *pk = kb->pkt->pkt.public_key;
1799 int issigned=0, any_signed = 0;
1801 keyid_from_pk(pk, main_kid);
1802 for (node=kb; node; node = node->next)
1804 /* A bit of discussion here: is it better for the web of trust
1805 to be built among only self-signed uids? On the one hand, a
1806 self-signed uid is a statement that the key owner definitely
1807 intended that uid to be there, but on the other hand, a
1808 signed (but not self-signed) uid does carry trust, of a sort,
1809 even if it is a statement being made by people other than the
1810 key owner "through" the uids on the key owner's key. I'm
1811 going with the latter. However, if the user ID was
1812 explicitly revoked, or passively allowed to expire, that
1813 should stop validity through the user ID until it is
1816 if (node->pkt->pkttype == PKT_USER_ID
1817 && !node->pkt->pkt.user_id->is_revoked
1818 && !node->pkt->pkt.user_id->is_expired)
1820 if (uidnode && issigned)
1822 if (uid->help_full_count >= opt.completes_needed
1823 || uid->help_marginal_count >= opt.marginals_needed )
1825 else if (uid->help_full_count || uid->help_marginal_count)
1831 uid=uidnode->pkt->pkt.user_id;
1833 /* If the selfsig is going to expire... */
1834 if(uid->expiredate && uid->expiredate<*next_expire)
1835 *next_expire = uid->expiredate;
1838 get_validity_counts(pk,uid);
1839 mark_usable_uid_certs (kb, uidnode, main_kid, klist,
1840 curtime, next_expire);
1842 else if (node->pkt->pkttype == PKT_SIGNATURE
1843 && (node->flag & (1<<8)) && uid)
1845 /* Note that we are only seeing unrevoked sigs here */
1846 PKT_signature *sig = node->pkt->pkt.signature;
1848 kr = is_in_klist (klist, sig);
1849 /* If the trust_regexp does not match, it's as if the sig
1850 did not exist. This is safe for non-trust sigs as well
1851 since we don't accept a regexp on the sig unless it's a
1853 if (kr && (kr->trust_regexp==NULL || opt.trust_model!=TM_PGP ||
1854 (uidnode && check_regexp(kr->trust_regexp,
1855 uidnode->pkt->pkt.user_id->name))))
1857 if(DBG_TRUST && opt.trust_model==TM_PGP && sig->trust_depth)
1858 log_debug("trust sig on %s, sig depth is %d, kr depth is %d\n",
1859 uidnode->pkt->pkt.user_id->name,sig->trust_depth,
1862 /* Are we part of a trust sig chain? We always favor
1863 the latest trust sig, rather than the greater or
1864 lesser trust sig or value. I could make a decent
1865 argument for any of these cases, but this seems to be
1866 what PGP does, and I'd like to be compatible. -dms */
1867 if(opt.trust_model==TM_PGP && sig->trust_depth
1868 && pk->trust_timestamp<=sig->timestamp
1869 && (sig->trust_depth<=kr->trust_depth
1870 || kr->ownertrust==TRUST_ULTIMATE))
1872 /* If we got here, we know that:
1874 this is a trust sig.
1876 it's a newer trust sig than any previous trust
1877 sig on this key (not uid).
1879 it is legal in that it was either generated by an
1880 ultimate key, or a key that was part of a trust
1881 chain, and the depth does not violate the
1884 if there is a regexp attached, it matched
1889 log_debug("replacing trust value %d with %d and "
1890 "depth %d with %d\n",
1891 pk->trust_value,sig->trust_value,
1892 pk->trust_depth,sig->trust_depth);
1894 pk->trust_value=sig->trust_value;
1895 pk->trust_depth=sig->trust_depth-1;
1897 /* If the trust sig contains a regexp, record it
1898 on the pk for the next round. */
1899 if(sig->trust_regexp)
1900 pk->trust_regexp=sig->trust_regexp;
1903 if (kr->ownertrust == TRUST_ULTIMATE)
1904 uid->help_full_count = opt.completes_needed;
1905 else if (kr->ownertrust == TRUST_FULLY)
1906 uid->help_full_count++;
1907 else if (kr->ownertrust == TRUST_MARGINAL)
1908 uid->help_marginal_count++;
1914 if (uidnode && issigned)
1916 if (uid->help_full_count >= opt.completes_needed
1917 || uid->help_marginal_count >= opt.marginals_needed )
1919 else if (uid->help_full_count || uid->help_marginal_count)
1930 search_skipfnc (void *opaque, u32 *kid, PKT_user_id *dummy)
1932 return test_key_hash_table ((KeyHashTable)opaque, kid);
1937 * Scan all keys and return a key_array of all suitable keys from
1938 * kllist. The caller has to pass keydb handle so that we don't use
1939 * to create our own. Returns either a key_array or NULL in case of
1940 * an error. No results found are indicated by an empty array.
1941 * Caller hast to release the returned array.
1943 static struct key_array *
1944 validate_key_list (KEYDB_HANDLE hd, KeyHashTable full_trust,
1945 struct key_item *klist, u32 curtime, u32 *next_expire)
1947 KBNODE keyblock = NULL;
1948 struct key_array *keys = NULL;
1949 size_t nkeys, maxkeys;
1951 KEYDB_SEARCH_DESC desc;
1954 keys = xmalloc ((maxkeys+1) * sizeof *keys);
1957 rc = keydb_search_reset (hd);
1960 log_error ("keydb_search_reset failed: %s\n", g10_errstr(rc));
1965 memset (&desc, 0, sizeof desc);
1966 desc.mode = KEYDB_SEARCH_MODE_FIRST;
1967 desc.skipfnc = search_skipfnc;
1968 desc.skipfncvalue = full_trust;
1969 rc = keydb_search (hd, &desc, 1);
1972 keys[nkeys].keyblock = NULL;
1977 log_error ("keydb_search_first failed: %s\n", g10_errstr(rc));
1982 desc.mode = KEYDB_SEARCH_MODE_NEXT; /* change mode */
1987 rc = keydb_get_keyblock (hd, &keyblock);
1990 log_error ("keydb_get_keyblock failed: %s\n", g10_errstr(rc));
1995 if ( keyblock->pkt->pkttype != PKT_PUBLIC_KEY)
1997 log_debug ("ooops: invalid pkttype %d encountered\n",
1998 keyblock->pkt->pkttype);
1999 dump_kbnode (keyblock);
2000 release_kbnode(keyblock);
2004 /* prepare the keyblock for further processing */
2005 merge_keys_and_selfsig (keyblock);
2006 clear_kbnode_flags (keyblock);
2007 pk = keyblock->pkt->pkt.public_key;
2008 if (pk->has_expired || pk->is_revoked)
2010 /* it does not make sense to look further at those keys */
2011 mark_keyblock_seen (full_trust, keyblock);
2013 else if (validate_one_keyblock (keyblock, klist, curtime, next_expire))
2017 if (pk->expiredate && pk->expiredate >= curtime
2018 && pk->expiredate < *next_expire)
2019 *next_expire = pk->expiredate;
2021 if (nkeys == maxkeys) {
2023 keys = xrealloc (keys, (maxkeys+1) * sizeof *keys);
2025 keys[nkeys++].keyblock = keyblock;
2027 /* Optimization - if all uids are fully trusted, then we
2028 never need to consider this key as a candidate again. */
2030 for (node=keyblock; node; node = node->next)
2031 if (node->pkt->pkttype == PKT_USER_ID && !(node->flag & 4))
2035 mark_keyblock_seen (full_trust, keyblock);
2040 release_kbnode (keyblock);
2043 while ( !(rc = keydb_search (hd, &desc, 1)) );
2046 log_error ("keydb_search_next failed: %s\n", g10_errstr(rc));
2051 keys[nkeys].keyblock = NULL;
2055 /* Caller must sync */
2057 reset_trust_records(void)
2061 int count = 0, nreset = 0;
2063 for (recnum=1; !tdbio_read_record (recnum, &rec, 0); recnum++ )
2065 if(rec.rectype==RECTYPE_TRUST)
2068 if(rec.r.trust.min_ownertrust)
2070 rec.r.trust.min_ownertrust=0;
2075 else if(rec.rectype==RECTYPE_VALID
2076 && ((rec.r.valid.validity&TRUST_MASK)
2077 || rec.r.valid.marginal_count
2078 || rec.r.valid.full_count))
2080 rec.r.valid.validity &= ~TRUST_MASK;
2081 rec.r.valid.marginal_count=rec.r.valid.full_count=0;
2089 log_info (_("%d keys processed (%d validity counts cleared)\n"),
2094 * Run the key validation procedure.
2096 * This works this way:
2097 * Step 1: Find all ultimately trusted keys (UTK).
2098 * mark them all as seen and put them into klist.
2099 * Step 2: loop max_cert_times
2100 * Step 3: if OWNERTRUST of any key in klist is undefined
2101 * ask user to assign ownertrust
2102 * Step 4: Loop over all keys in the keyDB which are not marked seen
2103 * Step 5: if key is revoked or expired
2105 * continue loop at Step 4
2106 * Step 6: For each user ID of that key signed by a key in klist
2107 * Calculate validity by counting trusted signatures.
2108 * Set validity of user ID
2109 * Step 7: If any signed user ID was found
2112 * Step 8: Build a new klist from all fully trusted keys from step 6
2118 validate_keys (int interactive)
2122 struct key_item *klist = NULL;
2124 struct key_array *keys = NULL;
2125 struct key_array *kar;
2126 KEYDB_HANDLE kdb = NULL;
2129 int ot_unknown, ot_undefined, ot_never, ot_marginal, ot_full, ot_ultimate;
2130 KeyHashTable stored,used,full_trust;
2131 u32 start_time, next_expire;
2133 /* Make sure we have all sigs cached. TODO: This is going to
2134 require some architectual re-thinking, as it is agonizingly slow.
2135 Perhaps combine this with reset_trust_records(), or only check
2136 the caches on keys that are actually involved in the web of
2138 keydb_rebuild_caches(0);
2140 start_time = make_timestamp ();
2141 next_expire = 0xffffffff; /* set next expire to the year 2106 */
2142 stored = new_key_hash_table ();
2143 used = new_key_hash_table ();
2144 full_trust = new_key_hash_table ();
2146 kdb = keydb_new (0);
2147 reset_trust_records();
2149 /* Fixme: Instead of always building a UTK list, we could just build it
2150 * here when needed */
2154 log_info (_("no ultimately trusted keys found\n"));
2158 /* mark all UTKs as used and fully_trusted and set validity to
2160 for (k=utk_list; k; k = k->next)
2165 keyblock = get_pubkeyblock (k->kid);
2168 log_error (_("public key of ultimately"
2169 " trusted key %s not found\n"), keystr(k->kid));
2172 mark_keyblock_seen (used, keyblock);
2173 mark_keyblock_seen (stored, keyblock);
2174 mark_keyblock_seen (full_trust, keyblock);
2175 pk = keyblock->pkt->pkt.public_key;
2176 for (node=keyblock; node; node = node->next)
2178 if (node->pkt->pkttype == PKT_USER_ID)
2179 update_validity (pk, node->pkt->pkt.user_id, 0, TRUST_ULTIMATE);
2181 if ( pk->expiredate && pk->expiredate >= start_time
2182 && pk->expiredate < next_expire)
2183 next_expire = pk->expiredate;
2185 release_kbnode (keyblock);
2191 log_info(_("%d marginal(s) needed, %d complete(s) needed, %s trust model\n"),
2192 opt.marginals_needed,opt.completes_needed,trust_model_string());
2194 for (depth=0; depth < opt.max_cert_depth; depth++)
2196 int valids=0,key_count;
2197 /* See whether we should assign ownertrust values to the keys in
2199 ot_unknown = ot_undefined = ot_never = 0;
2200 ot_marginal = ot_full = ot_ultimate = 0;
2201 for (k=klist; k; k = k->next)
2205 /* 120 and 60 are as per RFC2440 */
2206 if(k->trust_value>=120)
2208 else if(k->trust_value>=60)
2211 if(min!=k->min_ownertrust)
2212 update_min_ownertrust(k->kid,min);
2214 if (interactive && k->ownertrust == TRUST_UNKNOWN)
2216 k->ownertrust = ask_ownertrust (k->kid,min);
2218 if (k->ownertrust == -1)
2225 /* This can happen during transition from an old trustdb
2226 before trust sigs. It can also happen if a user uses two
2227 different versions of GnuPG or changes the --trust-model
2229 if(k->ownertrust<min)
2232 log_debug("key %08lX%08lX:"
2233 " overriding ownertrust `%s' with `%s'\n",
2234 (ulong)k->kid[0],(ulong)k->kid[1],
2235 trust_value_to_string(k->ownertrust),
2236 trust_value_to_string(min));
2241 if (k->ownertrust == TRUST_UNKNOWN)
2243 else if (k->ownertrust == TRUST_UNDEFINED)
2245 else if (k->ownertrust == TRUST_NEVER)
2247 else if (k->ownertrust == TRUST_MARGINAL)
2249 else if (k->ownertrust == TRUST_FULLY)
2251 else if (k->ownertrust == TRUST_ULTIMATE)
2257 /* Find all keys which are signed by a key in kdlist */
2258 keys = validate_key_list (kdb, full_trust, klist,
2259 start_time, &next_expire);
2262 log_error ("validate_key_list failed\n");
2263 rc = G10ERR_GENERAL;
2267 for (key_count=0, kar=keys; kar->keyblock; kar++, key_count++)
2270 /* Store the calculated valididation status somewhere */
2271 if (opt.verbose > 1)
2272 dump_key_array (depth, keys);
2274 for (kar=keys; kar->keyblock; kar++)
2275 store_validation_status (depth, kar->keyblock, stored);
2277 log_info (_("depth: %d valid: %3d signed: %3d"
2278 " trust: %d-, %dq, %dn, %dm, %df, %du\n"),
2279 depth, valids, key_count, ot_unknown, ot_undefined,
2280 ot_never, ot_marginal, ot_full, ot_ultimate );
2282 /* Build a new kdlist from all fully valid keys in KEYS */
2283 if (klist != utk_list)
2284 release_key_items (klist);
2286 for (kar=keys; kar->keyblock; kar++)
2288 for (node=kar->keyblock; node; node = node->next)
2290 if (node->pkt->pkttype == PKT_USER_ID && (node->flag & 4))
2294 /* have we used this key already? */
2295 keyid_from_pk (kar->keyblock->pkt->pkt.public_key, kid);
2296 if(test_key_hash_table(used,kid)==0)
2298 /* Normally we add both the primary and subkey
2299 ids to the hash via mark_keyblock_seen, but
2300 since we aren't using this hash as a skipfnc,
2301 that doesn't matter here. */
2302 add_key_hash_table (used,kid);
2303 k = new_key_item ();
2307 (get_ownertrust (kar->keyblock->pkt->pkt.public_key)
2310 get_min_ownertrust(kar->keyblock->pkt->pkt.public_key);
2312 kar->keyblock->pkt->pkt.public_key->trust_depth;
2314 kar->keyblock->pkt->pkt.public_key->trust_value;
2315 if(kar->keyblock->pkt->pkt.public_key->trust_regexp)
2317 xstrdup(kar->keyblock->pkt->
2318 pkt.public_key->trust_regexp);
2326 release_key_array (keys);
2329 break; /* no need to dive in deeper */
2333 keydb_release (kdb);
2334 release_key_array (keys);
2335 release_key_items (klist);
2336 release_key_hash_table (full_trust);
2337 release_key_hash_table (used);
2338 release_key_hash_table (stored);
2339 if (!rc && !quit) /* mark trustDB as checked */
2341 if (next_expire == 0xffffffff || next_expire < start_time )
2342 tdbio_write_nextcheck (0);
2345 tdbio_write_nextcheck (next_expire);
2346 log_info (_("next trustdb check due at %s\n"),
2347 strtimestamp (next_expire));
2350 if(tdbio_update_version_record()!=0)
2352 log_error(_("unable to update trustdb version record: "
2353 "write failed: %s\n"), g10_errstr(rc));
2358 pending_check_trustdb = 0;
projects / gnupg.git / blob