* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "i18n.h"
#include "membuf.h"
#include "host2net.h"
+#include "zb32.h"
#include "recsel.h"
#include "mbox-util.h"
#include "init.h"
/* A global variable to store the selector created from
* --export-filter keep-uid=EXPR.
+ * --export-filter drop-subkey=EXPR.
*
* FIXME: We should put this into the CTRL object but that requires a
* lot more changes right now.
*/
static recsel_expr_t export_keep_uid;
+static recsel_expr_t export_drop_subkey;
strlist_t users, int secret,
kbnode_t *keyblock_out, unsigned int options,
export_stats_t stats, int *any);
+static gpg_error_t print_pka_or_dane_records
+/**/ (iobuf_t out, kbnode_t keyblock, PKT_public_key *pk,
+ const void *data, size_t datalen,
+ int print_pka, int print_dane);
\f
static void
{
recsel_release (export_keep_uid);
export_keep_uid = NULL;
+ recsel_release (export_drop_subkey);
+ export_drop_subkey = NULL;
}
N_("remove unusable parts from key during export")},
{"export-minimal",EXPORT_MINIMAL|EXPORT_CLEAN,NULL,
N_("remove as much as possible from key during export")},
+
+ {"export-pka", EXPORT_PKA_FORMAT, NULL, NULL },
+ {"export-dane", EXPORT_DANE_FORMAT, NULL, NULL },
+
/* Aliases for backward compatibility */
{"include-local-sigs",EXPORT_LOCAL_SIGS,NULL,NULL},
{"include-attributes",EXPORT_ATTRIBUTES,NULL,NULL},
* - uid :: The entire user ID.
* - mbox :: The mail box part of the user ID.
* - primary :: Evaluate to true for the primary user ID.
+ *
+ * - drop-subkey :: If the expression evaluates to true for a subkey
+ * packet that subkey and all it dependencies will be
+ * remove from the keyblock. The expression may use these
+ * variables:
+ *
+ * - secret :: 1 for a secret subkey, else 0.
+ * - key_algo :: Public key algorithm id
*/
gpg_error_t
parse_and_set_export_filter (const char *string)
if (!strncmp (string, "keep-uid=", 9))
err = recsel_parse_expr (&export_keep_uid, string+9);
+ else if (!strncmp (string, "drop-subkey=", 12))
+ err = recsel_parse_expr (&export_drop_subkey, string+12);
else
err = gpg_error (GPG_ERR_INV_NAME);
if (rc)
return rc;
- if ( opt.armor )
+ if ( opt.armor && !(options & (EXPORT_PKA_FORMAT|EXPORT_DANE_FORMAT)) )
{
afx = new_armor_context ();
afx->what = secret? 5 : 1;
}
-/* Helper for apply_keep_uid_filter. */
-static const char *
-filter_getval (void *cookie, const char *propname)
+/* Write KEYBLOCK either to stdout or to the file set with the
+ * --output option. This is a simplified version of do_export_stream
+ * which supports only a few export options. */
+gpg_error_t
+write_keyblock_to_output (kbnode_t keyblock, int with_armor,
+ unsigned int options)
{
- kbnode_t node = cookie;
- const char *result;
+ gpg_error_t err;
+ const char *fname;
+ iobuf_t out;
+ kbnode_t node;
+ armor_filter_context_t *afx = NULL;
+ iobuf_t out_help = NULL;
+ PKT_public_key *pk = NULL;
+
+ fname = opt.outfile? opt.outfile : "-";
+ if (is_secured_filename (fname) )
+ return gpg_error (GPG_ERR_EPERM);
+
+ out = iobuf_create (fname, 0);
+ if (!out)
+ {
+ err = gpg_error_from_syserror ();
+ log_error(_("can't create '%s': %s\n"), fname, gpg_strerror (err));
+ return err;
+ }
+ if (opt.verbose)
+ log_info (_("writing to '%s'\n"), iobuf_get_fname_nonnull (out));
+
+ if ((options & (EXPORT_PKA_FORMAT|EXPORT_DANE_FORMAT)))
+ {
+ with_armor = 0;
+ out_help = iobuf_temp ();
+ }
- if (node->pkt->pkttype == PKT_USER_ID)
+ if (with_armor)
{
- if (!strcmp (propname, "uid"))
- result = node->pkt->pkt.user_id->name;
- else if (!strcmp (propname, "mbox"))
+ afx = new_armor_context ();
+ afx->what = 1;
+ push_armor_filter (afx, out);
+ }
+
+ for (node = keyblock; node; node = node->next)
+ {
+ if (is_deleted_kbnode (node) || node->pkt->pkttype == PKT_RING_TRUST)
+ continue;
+ if (!pk && (node->pkt->pkttype == PKT_PUBLIC_KEY
+ || node->pkt->pkttype == PKT_SECRET_KEY))
+ pk = node->pkt->pkt.public_key;
+
+ err = build_packet (out_help? out_help : out, node->pkt);
+ if (err)
{
- if (!node->pkt->pkt.user_id->mbox)
- {
- node->pkt->pkt.user_id->mbox
- = mailbox_from_userid (node->pkt->pkt.user_id->name);
- }
- return node->pkt->pkt.user_id->mbox;
+ log_error ("build_packet(%d) failed: %s\n",
+ node->pkt->pkttype, gpg_strerror (err) );
+ goto leave;
}
- else if (!strcmp (propname, "primary"))
- result = node->pkt->pkt.user_id->is_primary? "1":"0";
- else
- result = NULL;
}
- else
- result = NULL;
+ err = 0;
- return result;
+ if (out_help && pk)
+ {
+ const void *data;
+ size_t datalen;
+
+ iobuf_flush_temp (out_help);
+ data = iobuf_get_temp_buffer (out_help);
+ datalen = iobuf_get_temp_length (out_help);
+
+ err = print_pka_or_dane_records (out,
+ keyblock, pk, data, datalen,
+ (options & EXPORT_PKA_FORMAT),
+ (options & EXPORT_DANE_FORMAT));
+ }
+
+ leave:
+ if (err)
+ iobuf_cancel (out);
+ else
+ iobuf_close (out);
+ iobuf_cancel (out_help);
+ release_armor_context (afx);
+ return err;
}
+
/*
* Apply the keep-uid filter to the keyblock. The deleted nodes are
* marked and thus the caller should call commit_kbnode afterwards.
{
if (node->pkt->pkttype == PKT_USER_ID)
{
- if (!recsel_select (selector, filter_getval, node))
+ if (!recsel_select (selector, impex_filter_getval, node))
{
-
- log_debug ("keep-uid: deleting '%s'\n",
- node->pkt->pkt.user_id->name);
+ /* log_debug ("keep-uid: deleting '%s'\n", */
+ /* node->pkt->pkt.user_id->name); */
/* The UID packet and all following packets up to the
* next UID or a subkey. */
delete_kbnode (node);
node = node->next)
delete_kbnode (node->next);
}
- else
- log_debug ("keep-uid: keeping '%s'\n",
- node->pkt->pkt.user_id->name);
+ /* else */
+ /* log_debug ("keep-uid: keeping '%s'\n", */
+ /* node->pkt->pkt.user_id->name); */
}
}
}
+/*
+ * Apply the drop-subkey filter to the keyblock. The deleted nodes are
+ * marked and thus the caller should call commit_kbnode afterwards.
+ * KEYBLOCK must not have any blocks marked as deleted.
+ */
+static void
+apply_drop_subkey_filter (kbnode_t keyblock, recsel_expr_t selector)
+{
+ kbnode_t node;
+
+ for (node = keyblock->next; node; node = node->next )
+ {
+ if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY
+ || node->pkt->pkttype == PKT_SECRET_SUBKEY)
+ {
+ if (recsel_select (selector, impex_filter_getval, node))
+ {
+ log_debug ("drop-subkey: deleting a key\n");
+ /* The subkey packet and all following packets up to the
+ * next subkey. */
+ delete_kbnode (node);
+ for (; node->next
+ && node->next->pkt->pkttype != PKT_PUBLIC_SUBKEY
+ && node->next->pkt->pkttype != PKT_SECRET_SUBKEY ;
+ node = node->next)
+ delete_kbnode (node->next);
+ }
+ }
+ }
+}
+
+
+/* Print DANE or PKA records for all user IDs in KEYBLOCK to OUT. The
+ * data for the record is taken from (DATA,DATELEN). PK is the public
+ * key packet with the primary key. */
+static gpg_error_t
+print_pka_or_dane_records (iobuf_t out, kbnode_t keyblock, PKT_public_key *pk,
+ const void *data, size_t datalen,
+ int print_pka, int print_dane)
+{
+ gpg_error_t err = 0;
+ kbnode_t kbctx, node;
+ PKT_user_id *uid;
+ char *mbox = NULL;
+ char hashbuf[32];
+ char *hash = NULL;
+ char *domain;
+ const char *s;
+ unsigned int len;
+ estream_t fp = NULL;
+ char *hexdata = NULL;
+ char *hexfpr;
+
+ hexfpr = hexfingerprint (pk, NULL, 0);
+ hexdata = bin2hex (data, datalen, NULL);
+ if (!hexdata)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ ascii_strlwr (hexdata);
+ fp = es_fopenmem (0, "rw,samethread");
+ if (!fp)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+
+ for (kbctx = NULL; (node = walk_kbnode (keyblock, &kbctx, 0));)
+ {
+ if (node->pkt->pkttype != PKT_USER_ID)
+ continue;
+ uid = node->pkt->pkt.user_id;
+
+ if (uid->is_expired || uid->is_revoked)
+ continue;
+
+ xfree (mbox);
+ mbox = mailbox_from_userid (uid->name);
+ if (!mbox)
+ continue;
+
+ domain = strchr (mbox, '@');
+ *domain++ = 0;
+
+ if (print_pka)
+ {
+ es_fprintf (fp, "$ORIGIN _pka.%s.\n; %s\n; ", domain, hexfpr);
+ print_utf8_buffer (fp, uid->name, uid->len);
+ es_putc ('\n', fp);
+ gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf, mbox, strlen (mbox));
+ xfree (hash);
+ hash = zb32_encode (hashbuf, 8*20);
+ if (!hash)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ len = strlen (hexfpr)/2;
+ es_fprintf (fp, "%s TYPE37 \\# %u 0006 0000 00 %02X %s\n\n",
+ hash, 6 + len, len, hexfpr);
+ }
+
+ if (print_dane && hexdata)
+ {
+ es_fprintf (fp, "$ORIGIN _openpgpkey.%s.\n; %s\n; ", domain, hexfpr);
+ print_utf8_buffer (fp, uid->name, uid->len);
+ es_putc ('\n', fp);
+ gcry_md_hash_buffer (GCRY_MD_SHA256, hashbuf, mbox, strlen (mbox));
+ xfree (hash);
+ hash = bin2hex (hashbuf, 28, NULL);
+ if (!hash)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ ascii_strlwr (hash);
+ len = strlen (hexdata)/2;
+ es_fprintf (fp, "%s TYPE61 \\# %u (\n", hash, len);
+ for (s = hexdata; ;)
+ {
+ es_fprintf (fp, "\t%.64s\n", s);
+ if (strlen (s) < 64)
+ break;
+ s += 64;
+ }
+ es_fputs ("\t)\n\n", fp);
+ }
+ }
+
+ /* Make sure it is a string and write it. */
+ es_fputc (0, fp);
+ {
+ void *vp;
+
+ if (es_fclose_snatch (fp, &vp, NULL))
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ fp = NULL;
+ iobuf_writestr (out, vp);
+ es_free (vp);
+ }
+ err = 0;
+
+ leave:
+ xfree (hash);
+ xfree (mbox);
+ es_fclose (fp);
+ xfree (hexdata);
+ xfree (hexfpr);
+ return err;
+}
+
+
/* Helper for do_export_stream which writes one keyblock to OUT. */
static gpg_error_t
do_export_one_keyblock (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid,
strlist_t sl;
gcry_cipher_hd_t cipherhd = NULL;
struct export_stats_s dummystats;
+ iobuf_t out_help = NULL;
if (!stats)
stats = &dummystats;
if (!kdbhd)
return gpg_error_from_syserror ();
- /* For the DANE format override the options. */
- if ((options & EXPORT_DANE_FORMAT))
- options = (EXPORT_DANE_FORMAT | EXPORT_MINIMAL | EXPORT_CLEAN);
-
+ /* For the PKA and DANE format open a helper iobuf and for DANE
+ * enforce some options. */
+ if ((options & (EXPORT_PKA_FORMAT | EXPORT_DANE_FORMAT)))
+ {
+ out_help = iobuf_temp ();
+ if ((options & EXPORT_DANE_FORMAT))
+ options |= EXPORT_MINIMAL | EXPORT_CLEAN;
+ }
if (!users)
{
continue;
}
- /* The agent does not yet allow to export v3 packets. It is
+ /* The agent does not yet allow export of v3 packets. It is
actually questionable whether we should allow them at
all. */
if (pk->version == 3)
commit_kbnode (&keyblock);
}
+ if (export_drop_subkey)
+ {
+ commit_kbnode (&keyblock);
+ apply_drop_subkey_filter (keyblock, export_drop_subkey);
+ commit_kbnode (&keyblock);
+ }
+
/* And write it. */
- err = do_export_one_keyblock (ctrl, keyblock, keyid, out, secret,
- options, stats, any,
+ err = do_export_one_keyblock (ctrl, keyblock, keyid,
+ out_help? out_help : out,
+ secret, options, stats, any,
desc, ndesc, descindex, cipherhd);
if (err)
break;
*keyblock_out = keyblock;
break;
}
+
+ if (out_help)
+ {
+ /* We want to write PKA or DANE records. OUT_HELP has the
+ * keyblock and we print a record for each uid to OUT. */
+ const void *data;
+ size_t datalen;
+
+ iobuf_flush_temp (out_help);
+ data = iobuf_get_temp_buffer (out_help);
+ datalen = iobuf_get_temp_length (out_help);
+
+ err = print_pka_or_dane_records (out,
+ keyblock, pk, data, datalen,
+ (options & EXPORT_PKA_FORMAT),
+ (options & EXPORT_DANE_FORMAT));
+ if (err)
+ goto leave;
+
+ iobuf_close (out_help);
+ out_help = iobuf_temp ();
+ }
+
}
if (gpg_err_code (err) == GPG_ERR_NOT_FOUND)
err = 0;
leave:
+ iobuf_cancel (out_help);
gcry_cipher_close (cipherhd);
xfree(desc);
keydb_release (kdbhd);
projects / gnupg.git / blobdiff