1 /* ks-engine-ldap.c - talk to a LDAP keyserver
2 * Copyright (C) 2001, 2002, 2004, 2005, 2006
3 * 2007 Free Software Foundation, Inc.
4 * Copyright (C) 2015, 2020 g10 Code GmbH
6 * This file is part of GnuPG.
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <https://www.gnu.org/licenses/>.
36 #include "../common/userids.h"
37 #include "../common/mbox-util.h"
38 #include "ks-engine.h"
39 #include "ldap-misc.h"
40 #include "ldap-parse-uri.h"
41 #include "ldapserver.h"
44 /* Flags with infos from the connected server. */
45 #define SERVERINFO_REALLDAP 1 /* This is not the PGP keyserver. */
46 #define SERVERINFO_PGPKEYV2 2 /* Needs "pgpeyV2" instead of "pgpKey" */
47 #define SERVERINFO_SCHEMAV2 4 /* Version 2 of the Schema. */
48 #define SERVERINFO_NTDS 8 /* Server is an Active Directory. */
52 time_t timegm(struct tm *tm);
58 ldap2epochtime (const char *timestr)
63 memset (&pgptime, 0, sizeof(pgptime));
67 sscanf (timestr, "%4d%2d%2d%2d%2d%2d",
75 pgptime.tm_year -= 1900;
76 pgptime.tm_isdst = -1;
79 /* mktime() takes the timezone into account, so we use timegm() */
81 answer = timegm (&pgptime);
86 /* Caller must free the result. */
88 tm2ldaptime (struct tm *tm)
98 snprintf (buf, sizeof buf, "%04d%02d%02d%02d%02d%02dZ",
106 return xstrdup (buf);
110 /* Caller must free */
112 epoch2ldaptime (time_t stamp)
115 if (gmtime_r (&stamp, &tm))
116 return tm2ldaptime (&tm);
118 return xstrdup ("INVALID TIME");
124 my_ldap_value_free (char **vals)
127 ldap_value_free (vals);
132 /* Print a help output for the schemata supported by this module. */
134 ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri)
137 "Handler for LDAP URLs:\n"
138 " ldap://HOST:PORT/[BASEDN]????[bindname=BINDNAME,password=PASSWORD]\n"
140 "Note: basedn, bindname and password need to be percent escaped. In\n"
141 "particular, spaces need to be replaced with %20 and commas with %2c.\n"
142 "Thus bindname will typically be of the form:\n"
144 " uid=user%2cou=PGP%20Users%2cdc=EXAMPLE%2cdc=ORG\n"
146 "The ldaps:// and ldapi:// schemes are also supported. If ldaps is used\n"
147 "then the server's certificate will be checked. If it is not valid, any\n"
148 "operation will be aborted. Note that ldaps means LDAP with STARTTLS\n"
150 "As an alternative to an URL a string in this form may be used:\n"
152 " HOST:PORT:BINDNAME:PASSWORD:BASEDN:FLAGS:\n"
154 "The use of the percent sign or a colon in one of the string values is\n"
155 "currently not supported.\n"
157 "Supported methods: search, get, put\n";
161 err = ks_print_help (ctrl, " ldap");
162 else if (!strcmp (uri->scheme, "ldap")
163 || !strcmp (uri->scheme, "ldaps")
164 || !strcmp (uri->scheme, "ldapi")
166 err = ks_print_help (ctrl, data);
173 /* Convert a keyspec to a filter. Return an error if the keyspec is
174 bad or is not supported. The filter is escaped and returned in
175 *filter. It is the caller's responsibility to free *filter.
176 *filter is only set if this function returns success (i.e., 0). */
178 keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact,
179 unsigned int serverinfo)
181 /* Remove search type indicator and adjust PATTERN accordingly.
182 Note: don't include a preceding 0x when searching by keyid. */
184 /* XXX: Should we include disabled / revoke options? */
185 KEYDB_SEARCH_DESC desc;
190 gpg_error_t err = classify_user_id (keyspec, &desc, 1);
196 case KEYDB_SEARCH_MODE_EXACT:
197 f = xasprintf ("(pgpUserID=%s)",
198 (freeme = ldap_escape_filter (desc.u.name)));
201 case KEYDB_SEARCH_MODE_SUBSTR:
203 f = xasprintf ("(pgpUserID=*%s*)",
204 (freeme = ldap_escape_filter (desc.u.name)));
207 case KEYDB_SEARCH_MODE_MAIL:
208 freeme = ldap_escape_filter (desc.u.name);
211 if (*freeme == '<' && freeme[1] && freeme[2])
213 /* Strip angle brackets. Note that it is does not
214 * matter whether we work on the plan or LDAP escaped
215 * version of the mailbox. */
217 if (p[strlen(p)-1] == '>')
222 if ((serverinfo & SERVERINFO_SCHEMAV2))
223 f = xasprintf ("(&(gpgMailbox=%s)(!(|(pgpRevoked=1)(pgpDisabled=1))))",
225 else if (!only_exact)
226 f = xasprintf ("(pgpUserID=*<%s>*)", p);
229 case KEYDB_SEARCH_MODE_MAILSUB:
231 f = xasprintf ("(pgpUserID=*<*%s*>*)",
232 (freeme = ldap_escape_filter (desc.u.name)));
235 case KEYDB_SEARCH_MODE_MAILEND:
237 f = xasprintf ("(pgpUserID=*<*%s>*)",
238 (freeme = ldap_escape_filter (desc.u.name)));
241 case KEYDB_SEARCH_MODE_SHORT_KID:
242 f = xasprintf ("(pgpKeyID=%08lX)", (ulong) desc.u.kid[1]);
244 case KEYDB_SEARCH_MODE_LONG_KID:
245 f = xasprintf ("(pgpCertID=%08lX%08lX)",
246 (ulong) desc.u.kid[0], (ulong) desc.u.kid[1]);
249 case KEYDB_SEARCH_MODE_FPR16:
250 case KEYDB_SEARCH_MODE_FPR20:
251 case KEYDB_SEARCH_MODE_FPR:
252 if ((serverinfo & SERVERINFO_SCHEMAV2))
254 freeme = bin2hex (desc.u.fpr, 20, NULL);
256 return gpg_error_from_syserror ();
257 f = xasprintf ("(|(gpgFingerprint=%s)(gpgSubFingerprint=%s))",
259 /* FIXME: For an exact search and in case of a match on
260 * gpgSubFingerprint we need to check that there is only one
265 case KEYDB_SEARCH_MODE_ISSUER:
266 case KEYDB_SEARCH_MODE_ISSUER_SN:
267 case KEYDB_SEARCH_MODE_SN:
268 case KEYDB_SEARCH_MODE_SUBJECT:
269 case KEYDB_SEARCH_MODE_KEYGRIP:
270 case KEYDB_SEARCH_MODE_WORDS:
271 case KEYDB_SEARCH_MODE_FIRST:
272 case KEYDB_SEARCH_MODE_NEXT:
281 log_error ("Unsupported search mode.\n");
282 return gpg_error (GPG_ERR_NOT_SUPPORTED);
292 /* Connect to an LDAP server and interrogate it.
294 - uri describes the server to connect to and various options
295 including whether to use TLS and the username and password (see
296 ldap_parse_uri for a description of the various fields).
298 This function returns:
300 - The ldap connection handle in *LDAP_CONNP.
302 - The base DN for the PGP key space by querying the
303 pgpBaseKeySpaceDN attribute (This is normally
304 'ou=PGP Keys,dc=EXAMPLE,dc=ORG').
306 - The attribute to lookup to find the pgp key. This is either
307 'pgpKey' or 'pgpKeyV2'.
309 - Whether this is a real ldap server. (It's unclear what this
312 The values are returned in the passed variables. If you pass NULL,
313 then the value won't be returned. It is the caller's
314 responsibility to release *LDAP_CONNP with ldap_unbind and xfree
317 If this function successfully interrogated the server, it returns
318 0. If there was an LDAP error, it returns the LDAP error code. If
319 an error occurred, *basednp, etc., are undefined (and don't need to
322 R_SERVERINFO receives information about the server.
324 If no LDAP error occurred, you still need to check that *basednp is
325 valid. If it is NULL, then the server does not appear to be an
326 OpenPGP Keyserver. */
328 my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
329 char **r_basedn, char **r_host, int *r_use_tls,
330 unsigned int *r_serverinfo)
334 ldap_server_t server = NULL;
335 LDAP *ldap_conn = NULL;
337 char *host = NULL; /* Host to use. */
338 int port; /* Port to use. */
339 int use_tls; /* 1 = starttls, 2 = ldap-over-tls */
340 int use_ntds; /* Use Active Directory authentication. */
341 const char *bindname;
342 const char *password;
343 const char *basedn_arg;
344 #ifndef HAVE_W32_SYSTEM
358 server = ldapserver_parse_one (uri->path, NULL, 0);
360 return gpg_error (GPG_ERR_LDAP_OTHER);
363 bindname = server->user;
364 password = bindname? server->pass : NULL;
365 basedn_arg = server->base;
366 use_tls = server->starttls? 1 : server->ldap_over_tls? 2 : 0;
367 use_ntds = server->ntds;
373 bindname = uri->auth;
374 password = bindname? uri_query_value (uri, "password") : NULL;
375 basedn_arg = uri->path;
376 use_tls = uri->use_tls ? 1 : 0;
377 use_ntds = uri->ad_current;
381 port = use_tls == 2? 636 : 389;
386 host = xtrystrdup (host);
389 err = gpg_error_from_syserror ();
395 log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s'\n",
397 basedn_arg ? basedn_arg : "",
398 bindname ? bindname : "",
399 password ? "*****" : "",
400 use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain",
401 use_ntds ? ",ntds":"");
404 /* If the uri specifies a secure connection and we don't support
405 TLS, then fail; don't silently revert to an insecure
409 #ifndef HAVE_LDAP_START_TLS_S
410 log_error ("ldap: can't connect to the server: no TLS support.");
411 err = GPG_ERR_LDAP_NOT_SUPPORTED;
417 #ifdef HAVE_W32_SYSTEM
418 /* Note that host==NULL uses the default domain controller. */
420 ldap_conn = ldap_sslinit (host, port, (use_tls == 2));
424 lerr = LdapGetLastError ();
425 err = ldap_err_to_gpg_err (lerr);
426 log_error ("error initializing LDAP '%s:%d': %s\n",
427 host, port, ldap_err2string (lerr));
431 tmpstr = xtryasprintf ("%s://%s:%d",
432 use_tls == 2? "ldaps" : "ldap",
436 err = gpg_error_from_syserror ();
440 lerr = ldap_initialize (&ldap_conn, tmpstr);
442 if (lerr != LDAP_SUCCESS || !ldap_conn)
444 err = ldap_err_to_gpg_err (lerr);
445 log_error ("error initializing LDAP '%s': %s\n",
446 tmpstr, ldap_err2string (lerr));
453 #ifdef HAVE_LDAP_SET_OPTION
455 int ver = LDAP_VERSION3;
457 lerr = ldap_set_option (ldap_conn, LDAP_OPT_PROTOCOL_VERSION, &ver);
458 if (lerr != LDAP_SUCCESS)
460 log_error ("ks-ldap: unable to go to LDAP 3: %s\n",
461 ldap_err2string (lerr));
462 err = ldap_err_to_gpg_err (lerr);
468 int ver = opt.ldaptimeout;
470 lerr = ldap_set_option (ldap_conn, LDAP_OPT_TIMELIMIT, &ver);
471 if (lerr != LDAP_SUCCESS)
473 log_error ("ks-ldap: unable to set LDAP timelimit to %us: %s\n",
474 opt.ldaptimeout, ldap_err2string (lerr));
475 err = ldap_err_to_gpg_err (lerr);
479 log_info ("ldap timeout set to %us\n", opt.ldaptimeout);
484 #ifdef HAVE_LDAP_START_TLS_S
487 #ifndef HAVE_W32_SYSTEM
488 int check_cert = LDAP_OPT_X_TLS_HARD; /* LDAP_OPT_X_TLS_NEVER */
490 lerr = ldap_set_option (ldap_conn,
491 LDAP_OPT_X_TLS_REQUIRE_CERT, &check_cert);
494 log_error ("ldap: error setting an TLS option: %s\n",
495 ldap_err2string (lerr));
496 err = ldap_err_to_gpg_err (lerr);
500 /* On Windows, the certificates are checked by default. If the
501 option to disable checking mentioned above is ever
502 implemented, the way to do that on Windows is to install a
503 callback routine using ldap_set_option (..,
504 LDAP_OPT_SERVER_CERTIFICATE, ..); */
508 lerr = ldap_start_tls_s (ldap_conn,
509 #ifdef HAVE_W32_SYSTEM
510 /* ServerReturnValue, result */
513 /* ServerControls, ClientControls */
518 log_error ("ldap: error switching to STARTTLS mode: %s\n",
519 ldap_err2string (lerr));
520 err = ldap_err_to_gpg_err (lerr);
528 #ifdef HAVE_W32_SYSTEM
530 lerr = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE);
532 if (lerr != LDAP_SUCCESS)
534 log_error ("error binding to LDAP via AD: %s\n",
535 ldap_err2string (lerr));
536 err = ldap_err_to_gpg_err (lerr);
540 log_error ("ldap: no Active Directory support but 'ntds' requested\n");
541 err = gpg_error (GPG_ERR_NOT_SUPPORTED);
549 /* Older Windows header dont have the const for the last two args.
550 * Thus we need to cast to avoid warnings. */
551 lerr = ldap_simple_bind_s (ldap_conn,
552 (char * const)bindname,
553 (char * const)password);
555 if (lerr != LDAP_SUCCESS)
557 log_error ("error binding to LDAP: %s\n", ldap_err2string (lerr));
558 err = ldap_err_to_gpg_err (lerr);
564 /* By default we don't bind as there is usually no need to. */
567 if (basedn_arg && *basedn_arg)
569 /* User specified base DN. In this case we know the server is a
570 * real LDAP server. */
571 basedn = xtrystrdup (basedn_arg);
574 err = gpg_error_from_syserror ();
577 *r_serverinfo |= SERVERINFO_REALLDAP;
580 { /* Look for namingContexts. */
581 LDAPMessage *res = NULL;
582 char *attr[] = { "namingContexts", NULL };
585 lerr = ldap_search_s (ldap_conn, "", LDAP_SCOPE_BASE,
586 "(objectClass=*)", attr, 0, &res);
589 if (lerr == LDAP_SUCCESS)
594 context = ldap_get_values (ldap_conn, res, "namingContexts");
598 /* We found some, so try each namingContext as the
599 * search base and look for pgpBaseKeySpaceDN. Because
600 * we found this, we know we're talking to a regular-ish
601 * LDAP server and not an LDAP keyserver. */
604 { "pgpBaseKeySpaceDN", "pgpVersion", "pgpSoftware", NULL };
606 *r_serverinfo |= SERVERINFO_REALLDAP;
608 for (i = 0; context[i] && !basedn; i++)
615 char *object = xasprintf ("cn=pgpServerInfo,%s",
618 lerr = ldap_search_s (ldap_conn, object, LDAP_SCOPE_BASE,
619 "(objectClass=*)", attr2, 0, &si_res);
624 if (lerr == LDAP_SUCCESS)
626 vals = ldap_get_values (ldap_conn, si_res,
627 "pgpBaseKeySpaceDN");
630 basedn = xtrystrdup (vals[0]);
632 my_ldap_value_free (vals);
634 vals = ldap_get_values (ldap_conn, si_res,
639 log_debug ("Server: \t%s\n", vals[0]);
640 if (!ascii_strcasecmp (vals[0], "GnuPG"))
643 my_ldap_value_free (vals);
645 vals = ldap_get_values (ldap_conn, si_res,
650 log_debug ("Version:\t%s\n", vals[0]);
655 nfields = split_fields (vals[0],
656 fields, DIM(fields));
657 if (nfields > 0 && atoi(fields[0]) > 1)
658 *r_serverinfo |= SERVERINFO_SCHEMAV2;
660 && !ascii_strcasecmp (fields[1], "ntds"))
661 *r_serverinfo |= SERVERINFO_NTDS;
664 my_ldap_value_free (vals);
667 /* From man ldap_search_s: "res parameter of
668 ldap_search_ext_s() and ldap_search_s() should be
669 freed with ldap_msgfree() regardless of return
670 value of these functions. */
671 ldap_msgfree (si_res);
674 ldap_value_free (context);
677 else /* ldap_search failed. */
679 /* We don't have an answer yet, which means the server might
680 be a PGP.com keyserver. */
682 LDAPMessage *si_res = NULL;
684 char *attr2[] = { "pgpBaseKeySpaceDN", "version", "software", NULL };
687 lerr = ldap_search_s (ldap_conn, "cn=pgpServerInfo", LDAP_SCOPE_BASE,
688 "(objectClass=*)", attr2, 0, &si_res);
690 if (lerr == LDAP_SUCCESS)
692 /* For the PGP LDAP keyserver, this is always
693 * "OU=ACTIVE,O=PGP KEYSPACE,C=US", but it might not be
696 vals = ldap_get_values (ldap_conn, si_res, "baseKeySpaceDN");
699 basedn = xtrystrdup (vals[0]);
701 my_ldap_value_free (vals);
703 vals = ldap_get_values (ldap_conn, si_res, "software");
707 log_debug ("ks-ldap: PGP Server: \t%s\n", vals[0]);
709 my_ldap_value_free (vals);
711 vals = ldap_get_values (ldap_conn, si_res, "version");
715 log_debug ("ks-ldap: PGP Server Version:\t%s\n", vals[0]);
717 /* If the version is high enough, use the new
718 pgpKeyV2 attribute. This design is iffy at best,
719 but it matches how PGP does it. I figure the NAI
720 folks assumed that there would never be an LDAP
721 keyserver vendor with a different numbering
723 if (atoi (vals[0]) > 1)
724 *r_serverinfo |= SERVERINFO_PGPKEYV2;
727 my_ldap_value_free (vals);
730 ldap_msgfree (si_res);
733 /* From man ldap_search_s: "res parameter of ldap_search_ext_s()
734 and ldap_search_s() should be freed with ldap_msgfree()
735 regardless of return value of these functions. */
740 if (!err && opt.debug)
742 log_debug ("ldap_conn: %p\n", ldap_conn);
743 log_debug ("server_type: %s\n", ((*r_serverinfo & SERVERINFO_REALLDAP)
744 ? "LDAP" : "PGP.com keyserver") );
745 log_debug ("basedn: %s\n", basedn);
746 log_debug ("pgpkeyattr: %s\n",
747 (*r_serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2":"pgpKey");
750 ldapserver_list_free (server);
756 ldap_unbind (ldap_conn);
769 *ldap_connp = ldap_conn;
775 /* Extract keys from an LDAP reply and write them out to the output
776 stream OUTPUT in a format GnuPG can import (either the OpenPGP
777 binary format or armored format). */
779 extract_keys (estream_t output,
780 LDAP *ldap_conn, const char *certid, LDAPMessage *message)
784 es_fprintf (output, "INFO %s BEGIN\n", certid);
786 /* Note: ldap_get_values returns a NULL terminated array of
789 vals = ldap_get_values (ldap_conn, message, "gpgfingerprint");
790 if (vals && vals[0] && vals[0][0])
791 es_fprintf (output, "pub:%s:", vals[0]);
793 es_fprintf (output, "pub:%s:", certid);
794 my_ldap_value_free (vals);
796 vals = ldap_get_values (ldap_conn, message, "pgpkeytype");
799 if (strcmp (vals[0], "RSA") == 0)
800 es_fprintf (output, "1");
801 else if (strcmp (vals[0],"DSS/DH") == 0)
802 es_fprintf (output, "17");
804 my_ldap_value_free (vals);
806 es_fprintf (output, ":");
808 vals = ldap_get_values (ldap_conn, message, "pgpkeysize");
811 int v = atoi (vals[0]);
813 es_fprintf (output, "%d", v);
815 my_ldap_value_free (vals);
817 es_fprintf (output, ":");
819 vals = ldap_get_values (ldap_conn, message, "pgpkeycreatetime");
822 if (strlen (vals[0]) == 15)
823 es_fprintf (output, "%u", (unsigned int) ldap2epochtime (vals[0]));
825 my_ldap_value_free (vals);
827 es_fprintf (output, ":");
829 vals = ldap_get_values (ldap_conn, message, "pgpkeyexpiretime");
832 if (strlen (vals[0]) == 15)
833 es_fprintf (output, "%u", (unsigned int) ldap2epochtime (vals[0]));
835 my_ldap_value_free (vals);
837 es_fprintf (output, ":");
839 vals = ldap_get_values (ldap_conn, message, "pgprevoked");
842 if (atoi (vals[0]) == 1)
843 es_fprintf (output, "r");
845 my_ldap_value_free (vals);
847 es_fprintf (output, "\n");
849 vals = ldap_get_values (ldap_conn, message, "pgpuserid");
853 for (i = 0; vals[i]; i++)
854 es_fprintf (output, "uid:%s\n", vals[i]);
856 my_ldap_value_free (vals);
858 es_fprintf (output, "INFO %s END\n", certid);
861 /* Get the key described key the KEYSPEC string from the keyserver
862 identified by URI. On success R_FP has an open stream to read the
865 ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
870 unsigned int serverinfo;
874 LDAP *ldap_conn = NULL;
877 LDAPMessage *message = NULL;
881 if (dirmngr_use_tor ())
883 /* For now we do not support LDAP over Tor. */
884 log_error (_("LDAP access not possible due to Tor mode\n"));
885 return gpg_error (GPG_ERR_NOT_SUPPORTED);
888 /* Make sure we are talking to an OpenPGP LDAP server. */
889 err = my_ldap_connect (uri, &ldap_conn,
890 &basedn, &host, &use_tls, &serverinfo);
894 err = gpg_error (GPG_ERR_GENERAL);
898 /* Now that we have information about the server we can construct a
899 * query best suited for the capabilities of the server. */
900 err = keyspec_to_ldap_filter (keyspec, &filter, 1, serverinfo);
905 log_debug ("ks-ldap: using filter: %s\n", filter);
908 /* The ordering is significant. Specifically, "pgpcertid" needs
909 to be the second item in the list, since everything after it
910 may be discarded if we aren't in verbose mode. */
914 "pgpcertid", "pgpuserid", "pgpkeyid", "pgprevoked", "pgpdisabled",
915 "pgpkeycreatetime", "modifytimestamp", "pgpkeysize", "pgpkeytype",
919 /* 1 if we want just attribute types; 0 if we want both attribute
920 * types and values. */
924 /* Replace "dummy". */
925 attrs[0] = (serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2" : "pgpKey";
928 ldap_err = ldap_search_s (ldap_conn, basedn, LDAP_SCOPE_SUBTREE,
929 filter, attrs, attrsonly, &message);
933 err = ldap_err_to_gpg_err (ldap_err);
935 log_error ("ks-ldap: LDAP search error: %s\n",
936 ldap_err2string (ldap_err));
940 count = ldap_count_entries (ldap_conn, message);
943 log_info ("ks-ldap: key %s not found on keyserver\n", keyspec);
946 err = ldap_to_gpg_err (ldap_conn);
948 err = gpg_error (GPG_ERR_NO_DATA);
954 /* There may be more than one unique result for a given keyID,
955 so we should fetch them all (test this by fetching short key
958 /* The set of entries that we've seen. */
959 strlist_t seen = NULL;
963 for (npth_unprotect (),
964 each = ldap_first_entry (ldap_conn, message),
968 each = ldap_next_entry (ldap_conn, each),
974 /* Use the long keyid to remove duplicates. The LDAP
975 server returns the same keyid more than once if there
976 are multiple user IDs on the key. Note that this does
977 NOT mean that a keyid that exists multiple times on the
978 keyserver will not be fetched. It means that each KEY,
979 no matter how many user IDs share its keyid, will be
980 fetched only once. If a keyid that belongs to more
981 than one key is fetched, the server quite properly
982 responds with all matching keys. -ds */
984 certid = ldap_get_values (ldap_conn, each, "pgpcertid");
985 if (certid && certid[0])
987 if (! strlist_find (seen, certid[0]))
989 /* It's not a duplicate, add it */
991 add_to_strlist (&seen, certid[0]);
994 fp = es_fopenmem(0, "rw");
996 extract_keys (fp, ldap_conn, certid[0], each);
998 vals = ldap_get_values (ldap_conn, each, attrs[0]);
1001 err = ldap_to_gpg_err (ldap_conn);
1002 log_error("ks-ldap: unable to retrieve key %s "
1003 "from keyserver\n", certid[0]);
1008 /* We should strip the new lines. */
1009 es_fprintf (fp, "KEY 0x%s BEGIN\n", certid[0]);
1010 es_fputs (vals[0], fp);
1011 es_fprintf (fp, "\nKEY 0x%s END\n", certid[0]);
1013 ldap_value_free (vals);
1019 my_ldap_value_free (certid);
1022 free_strlist (seen);
1025 err = gpg_error (GPG_ERR_NO_DATA);
1028 err = dirmngr_status_printf (ctrl, "SOURCE", "%s://%s",
1029 use_tls? "ldaps" : "ldap",
1036 ldap_msgfree (message);
1046 es_fseek (fp, 0, SEEK_SET);
1055 ldap_unbind (ldap_conn);
1063 /* Search the keyserver identified by URI for keys matching PATTERN.
1064 On success R_FP has an open stream to read the data. */
1066 ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
1071 unsigned int serverinfo;
1072 char *filter = NULL;
1073 LDAP *ldap_conn = NULL;
1074 char *basedn = NULL;
1075 estream_t fp = NULL;
1079 if (dirmngr_use_tor ())
1081 /* For now we do not support LDAP over Tor. */
1082 log_error (_("LDAP access not possible due to Tor mode\n"));
1083 return gpg_error (GPG_ERR_NOT_SUPPORTED);
1086 /* Make sure we are talking to an OpenPGP LDAP server. */
1087 err = my_ldap_connect (uri, &ldap_conn, &basedn, NULL, NULL, &serverinfo);
1091 err = GPG_ERR_GENERAL;
1095 /* Now that we have information about the server we can construct a
1096 * query best suited for the capabilities of the server. */
1097 err = keyspec_to_ldap_filter (pattern, &filter, 0, serverinfo);
1100 log_error ("Bad search pattern: '%s'\n", pattern);
1104 /* Even if we have no results, we want to return a stream. */
1105 fp = es_fopenmem(0, "rw");
1108 err = gpg_error_from_syserror ();
1114 LDAPMessage *res, *each;
1116 strlist_t dupelist = NULL;
1118 /* The maximum size of the search, including the optional stuff
1119 and the trailing \0 */
1122 "pgpcertid", "pgpuserid", "pgprevoked", "pgpdisabled",
1123 "pgpkeycreatetime", "pgpkeyexpiretime", "modifytimestamp",
1124 "pgpkeysize", "pgpkeytype", "gpgfingerprint",
1129 log_debug ("SEARCH '%s' => '%s' BEGIN\n", pattern, filter);
1132 ldap_err = ldap_search_s (ldap_conn, basedn,
1133 LDAP_SCOPE_SUBTREE, filter, attrs, 0, &res);
1139 if (ldap_err != LDAP_SUCCESS && ldap_err != LDAP_SIZELIMIT_EXCEEDED)
1141 err = ldap_err_to_gpg_err (ldap_err);
1143 log_error ("SEARCH %s FAILED %d\n", pattern, err);
1144 log_error ("ks-ldap: LDAP search error: %s\n",
1145 ldap_err2string (err));
1149 /* The LDAP server doesn't return a real count of unique keys, so we
1150 can't use ldap_count_entries here. */
1151 for (npth_unprotect (),
1152 each = ldap_first_entry (ldap_conn, res),
1156 each = ldap_next_entry (ldap_conn, each),
1159 char **certid = ldap_get_values (ldap_conn, each, "pgpcertid");
1160 if (certid && certid[0] && ! strlist_find (dupelist, certid[0]))
1162 add_to_strlist (&dupelist, certid[0]);
1165 my_ldap_value_free (certid);
1168 if (ldap_err == LDAP_SIZELIMIT_EXCEEDED)
1171 log_error ("ks-ldap: search results exceeded server limit."
1172 " First 1 result shown.\n");
1174 log_error ("ks-ldap: search results exceeded server limit."
1175 " First %d results shown.\n", count);
1178 free_strlist (dupelist);
1182 es_fputs ("info:1:0\n", fp);
1185 es_fprintf (fp, "info:1:%d\n", count);
1187 for (each = ldap_first_entry (ldap_conn, res);
1189 each = ldap_next_entry (ldap_conn, each))
1194 certid = ldap_get_values (ldap_conn, each, "pgpcertid");
1195 if (!certid || !certid[0])
1197 my_ldap_value_free (certid);
1201 /* Have we seen this certid before? */
1202 if (! strlist_find (dupelist, certid[0]))
1204 add_to_strlist (&dupelist, certid[0]);
1206 vals = ldap_get_values (ldap_conn, each, "gpgfingerprint");
1207 if (vals && vals[0] && vals[0][0])
1208 es_fprintf (fp, "pub:%s:", vals[0]);
1210 es_fprintf (fp, "pub:%s:", certid[0]);
1211 my_ldap_value_free (vals);
1213 vals = ldap_get_values (ldap_conn, each, "pgpkeytype");
1214 if (vals && vals[0])
1216 /* The LDAP server doesn't exactly handle this
1218 if (strcasecmp (vals[0], "RSA") == 0)
1220 else if (strcasecmp (vals[0], "DSS/DH") == 0)
1221 es_fputs ("17", fp);
1223 my_ldap_value_free (vals);
1227 vals = ldap_get_values (ldap_conn, each, "pgpkeysize");
1228 if (vals && vals[0])
1230 /* Not sure why, but some keys are listed with a
1231 key size of 0. Treat that like an unknown. */
1232 if (atoi (vals[0]) > 0)
1233 es_fprintf (fp, "%d", atoi (vals[0]));
1235 my_ldap_value_free (vals);
1239 /* YYYYMMDDHHmmssZ */
1241 vals = ldap_get_values (ldap_conn, each, "pgpkeycreatetime");
1242 if(vals && vals[0] && strlen (vals[0]) == 15)
1244 es_fprintf (fp, "%u",
1245 (unsigned int) ldap2epochtime(vals[0]));
1247 my_ldap_value_free (vals);
1251 vals = ldap_get_values (ldap_conn, each, "pgpkeyexpiretime");
1252 if (vals && vals[0] && strlen (vals[0]) == 15)
1254 es_fprintf (fp, "%u",
1255 (unsigned int) ldap2epochtime (vals[0]));
1257 my_ldap_value_free (vals);
1261 vals = ldap_get_values (ldap_conn, each, "pgprevoked");
1262 if (vals && vals[0])
1264 if (atoi (vals[0]) == 1)
1265 es_fprintf (fp, "r");
1267 my_ldap_value_free (vals);
1269 vals = ldap_get_values (ldap_conn, each, "pgpdisabled");
1270 if (vals && vals[0])
1272 if (atoi (vals[0]) ==1)
1273 es_fprintf (fp, "d");
1275 my_ldap_value_free (vals);
1278 /* This is not yet specified in the keyserver
1279 protocol, but may be someday. */
1282 vals = ldap_get_values (ldap_conn, each, "modifytimestamp");
1283 if(vals && vals[0] strlen (vals[0]) == 15)
1285 es_fprintf (fp, "%u",
1286 (unsigned int) ldap2epochtime (vals[0]));
1288 my_ldap_value_free (vals);
1291 es_fprintf (fp, "\n");
1293 /* Now print all the uids that have this certid */
1294 for (uids = ldap_first_entry (ldap_conn, res);
1296 uids = ldap_next_entry (ldap_conn, uids))
1298 vals = ldap_get_values (ldap_conn, uids, "pgpcertid");
1299 if (!vals || !vals[0])
1301 my_ldap_value_free (vals);
1305 if (!ascii_strcasecmp (certid[0], vals[0]))
1309 es_fprintf (fp, "uid:");
1311 uidvals = ldap_get_values (ldap_conn,
1315 /* Need to percent escape any colons */
1316 char *quoted = try_percent_escape (uidvals[0],
1319 es_fputs (quoted, fp);
1322 my_ldap_value_free (uidvals);
1324 es_fprintf (fp, "\n");
1327 ldap_value_free(vals);
1331 my_ldap_value_free (certid);
1336 free_strlist (dupelist);
1340 log_debug ("SEARCH %s END\n", pattern);
1349 /* Return the read stream. */
1351 es_fseek (fp, 0, SEEK_SET);
1359 ldap_unbind (ldap_conn);
1368 /* A modlist describes a set of changes to an LDAP entry. (An entry
1369 consists of 1 or more attributes. Attributes are <name, value>
1370 pairs. Note: an attribute may be multi-valued in which case
1371 multiple values are associated with a single name.)
1373 A modlist is a NULL terminated array of struct LDAPMod's.
1383 Is the ith modification.
1385 Each LDAPMod describes a change to a single attribute. Further,
1386 there is one modification for each attribute that we want to
1387 change. The attribute's new value is stored in LDAPMod.mod_values.
1388 If the attribute is multi-valued, we still only use a single
1389 LDAPMod structure: mod_values is a NULL-terminated array of
1390 strings. To delete an attribute from an entry, we set mod_values
1395 modlist[i]->mod_values == NULL
1397 then we remove the attribute.
1399 (Using LDAP_MOD_DELETE doesn't work here as we don't know if the
1400 attribute in question exists or not.)
1402 Note: this function does NOT copy or free ATTR. It does copy
1405 modlist_add (LDAPMod ***modlistp, char *attr, const char *value)
1407 LDAPMod **modlist = *modlistp;
1412 /* Search modlist for the attribute we're playing with. If modlist
1413 is NULL, then the list is empty. Recall: modlist is a NULL
1414 terminated array. */
1415 for (m = modlist; m && *m; m++, nummods ++)
1417 /* The attribute is already on the list. */
1421 if (strcasecmp ((*m)->mod_type, attr) != 0)
1424 /* We have this attribute already, so when the REPLACE happens,
1425 the server attributes will be replaced anyway. */
1429 /* Attributes can be multi-valued. See if the value is already
1430 present. mod_values is a NULL terminated array of pointers.
1431 Note: mod_values can be NULL. */
1432 for (ptr = (*m)->mod_values; ptr && *ptr; ptr++)
1434 if (strcmp (*ptr, value) == 0)
1435 /* Duplicate value, we're done. */
1440 /* Append the value. */
1441 ptr = xrealloc ((*m)->mod_values, sizeof (char *) * (numvalues + 2));
1443 (*m)->mod_values = ptr;
1444 ptr[numvalues] = xstrdup (value);
1446 ptr[numvalues + 1] = NULL;
1451 /* We didn't find the attr, so make one and add it to the end */
1453 /* Like attribute values, the list of attributes is NULL terminated
1454 array of pointers. */
1455 modlist = xrealloc (modlist, sizeof (LDAPMod *) * (nummods + 2));
1457 *modlistp = modlist;
1458 modlist[nummods] = xmalloc (sizeof (LDAPMod));
1460 modlist[nummods]->mod_op = LDAP_MOD_REPLACE;
1461 modlist[nummods]->mod_type = attr;
1464 modlist[nummods]->mod_values = xmalloc (sizeof(char *) * 2);
1466 modlist[nummods]->mod_values[0] = xstrdup (value);
1467 modlist[nummods]->mod_values[1] = NULL;
1470 modlist[nummods]->mod_values = NULL;
1472 modlist[nummods + 1] = NULL;
1477 /* Look up the value of an attribute in the specified modlist. If the
1478 attribute is not on the mod list, returns NULL. The result is a
1479 NULL-terminated array of strings. Don't change it. */
1481 modlist_lookup (LDAPMod **modlist, const char *attr)
1484 for (m = modlist; m && *m; m++)
1486 if (strcasecmp ((*m)->mod_type, attr) != 0)
1489 return (*m)->mod_values;
1495 /* Dump a modlist to a file. This is useful for debugging. */
1496 static estream_t modlist_dump (LDAPMod **modlist, estream_t output)
1500 modlist_dump (LDAPMod **modlist, estream_t output)
1508 output = es_fopenmem (0, "rw");
1514 for (m = modlist; m && *m; m++)
1516 es_fprintf (output, " %s:", (*m)->mod_type);
1518 if (! (*m)->mod_values)
1519 es_fprintf(output, " delete.\n");
1526 if ((*m)->mod_values[0] && (*m)->mod_values[1])
1527 /* Have at least 2. */
1531 es_fprintf (output, "\n");
1533 for ((ptr = (*m)->mod_values), (i = 1); ptr && *ptr; ptr++, i ++)
1535 /* Assuming terminals are about 80 characters wide,
1536 display at most about 10 lines of debugging
1537 output. If we do trim the buffer, append '...' to
1539 const int max_len = 10 * 70;
1540 size_t value_len = strlen (*ptr);
1541 int elide = value_len > max_len;
1544 es_fprintf (output, " %d. ", i);
1545 es_fprintf (output, "`%.*s", max_len, *ptr);
1547 es_fprintf (output, "...' (%zd bytes elided)",
1548 value_len - max_len);
1550 es_fprintf (output, "'");
1551 es_fprintf (output, "\n");
1557 es_fseek (output, 0, SEEK_SET);
1562 /* Free all of the memory allocated by the mod list. This assumes
1563 that the attribute names don't have to be freed, but the attributes
1564 values do. (Which is what modlist_add does.) */
1566 modlist_free (LDAPMod **modlist)
1573 /* Unwind and free the whole modlist structure */
1575 /* The modlist is a NULL terminated array of pointers. */
1576 for (ml = modlist; *ml; ml++)
1581 /* The list of values is a NULL termianted array of pointers.
1582 If the list is NULL, there are no values. */
1584 if (mod->mod_values)
1586 for (ptr = mod->mod_values; *ptr; ptr++)
1589 xfree (mod->mod_values);
1597 /* Append two onto the end of one. Two is not freed, but its pointers
1598 are now part of one. Make sure you don't free them both!
1600 As long as you don't add anything to ONE, TWO is still valid.
1601 After that all bets are off. */
1603 modlists_join (LDAPMod ***one, LDAPMod **two)
1605 int i, one_count = 0, two_count = 0;
1609 /* two is empty. Nothing to do. */
1613 /* one is empty. Just set it equal to *two. */
1619 for (grow = *one; *grow; grow++)
1622 for (grow = two; *grow; grow++)
1625 grow = xrealloc (*one, sizeof(LDAPMod *) * (one_count + two_count + 1));
1627 for (i = 0; i < two_count; i++)
1628 grow[one_count + i] = two[i];
1630 grow[one_count + i] = NULL;
1635 /* Given a string, unescape C escapes. In particular, \xXX. This
1636 modifies the string in place. */
1638 uncescape (char *str)
1643 char *first = strchr (str, '\\');
1645 /* No backslashes => no escaping. We're done. */
1648 /* Start at the first '\\'. */
1649 r = w = (uintptr_t) first - (uintptr_t) str;
1653 /* XXX: What to do about bad escapes?
1654 XXX: hextobyte already checks the string thus the hexdigitp
1655 could be removed. */
1656 if (str[r] == '\\' && str[r + 1] == 'x'
1657 && str[r+2] && str[r+3]
1658 && hexdigitp (str + r + 2)
1659 && hexdigitp (str + r + 3))
1661 int x = hextobyte (&str[r + 2]);
1662 log_assert (0 <= x && x <= 0xff);
1666 /* We consumed 4 characters and wrote 1. */
1671 str[w ++] = str[r ++];
1677 /* Given one line from an info block (`gpg --list-{keys,sigs}
1678 --with-colons KEYID'), pull it apart and fill in the modlist with
1679 the relevant (for the LDAP schema) attributes. EXTRACT_STATE
1680 should initally be set to 0 by the caller. SCHEMAV2 is set if the
1681 server supports the version 2 schema. */
1683 extract_attributes (LDAPMod ***modlist, int *extract_state,
1684 char *line, int schemav2)
1689 int is_pub, is_sub, is_uid, is_sig;
1691 /* Remove trailing whitespace */
1692 trim_trailing_spaces (line);
1694 fields = strsplit (line, ':', '\0', &field_count);
1695 if (field_count == 1)
1696 /* We only have a single field. There is definitely nothing to
1700 if (field_count < 7)
1703 is_pub = !ascii_strcasecmp ("pub", fields[0]);
1704 is_sub = !ascii_strcasecmp ("sub", fields[0]);
1705 is_uid = !ascii_strcasecmp ("uid", fields[0]);
1706 is_sig = !ascii_strcasecmp ("sig", fields[0]);
1707 if (!ascii_strcasecmp ("fpr", fields[0]))
1709 /* Special treatment for a fingerprint. */
1710 if (!(*extract_state & 1))
1711 goto out; /* Stray fingerprint line - ignore. */
1712 *extract_state &= ~1;
1713 if (field_count >= 10 && schemav2)
1715 if ((*extract_state & 2))
1716 modlist_add (modlist, "gpgFingerprint", fields[9]);
1718 modlist_add (modlist, "gpgSubFingerprint", fields[9]);
1723 *extract_state &= ~(1|2);
1725 *extract_state |= (1|2);
1727 *extract_state |= 1;
1729 if (!is_pub && !is_sub && !is_uid && !is_sig)
1730 goto out; /* Not a relevant line. */
1734 if (is_uid && strlen (keyid) == 0)
1735 ; /* The uid record type can have an empty keyid. */
1736 else if (strlen (keyid) == 16
1737 && strspn (keyid, "0123456789aAbBcCdDeEfF") == 16)
1738 ; /* Otherwise, we expect exactly 16 hex characters. */
1741 log_error ("malformed record!\n");
1750 for (flags = fields[1]; *flags; flags ++)
1764 /* Note: we always create the pgpDisabled and pgpRevoked
1765 attributes, regardless of whether the key is disabled/revoked
1766 or not. This is because a very common search is like
1767 "(&(pgpUserID=*isabella*)(pgpDisabled=0))" */
1771 modlist_add (modlist,"pgpDisabled", disabled ? "1" : "0");
1772 modlist_add (modlist,"pgpRevoked", revoked ? "1" : "0");
1776 if (is_pub || is_sub)
1781 val = atoi (fields[2]);
1782 if (val < 99999 && val > 0)
1784 /* We zero pad this on the left to make PGP happy. */
1785 snprintf (padded, sizeof padded, "%05u", val);
1786 modlist_add (modlist, "pgpKeySize", padded);
1792 char *algo = fields[3];
1793 int val = atoi (algo);
1810 modlist_add (modlist, "pgpKeyType", algo);
1813 if (is_pub || is_sub || is_sig)
1817 modlist_add (modlist, "pgpCertID", keyid); /* Long keyid(!) */
1818 modlist_add (modlist, "pgpKeyID", &keyid[8]); /* Short keyid */
1822 modlist_add (modlist, "pgpSubKeyID", keyid); /* Long keyid(!) */
1827 char *create_time = fields[5];
1829 if (strlen (create_time) == 0)
1833 char *create_time_orig = create_time;
1838 memset (&tm, 0, sizeof (tm));
1840 /* parse_timestamp handles both seconds fromt he epoch and
1841 ISO 8601 format. We also need to handle YYYY-MM-DD
1842 format (as generated by gpg1 --with-colons --list-key).
1843 Check that first and then if it fails, then try
1846 if (!isodate_human_to_tm (create_time, &tm))
1847 create_time = tm2ldaptime (&tm);
1848 else if ((t = parse_timestamp (create_time, &end)) != (time_t) -1
1852 if (!gnupg_gmtime (&t, &tm))
1855 create_time = tm2ldaptime (&tm);
1861 /* Failed to parse string. */
1862 log_error ("Failed to parse creation time ('%s')",
1868 modlist_add (modlist, "pgpKeyCreateTime", create_time);
1869 xfree (create_time);
1875 char *expire_time = fields[6];
1877 if (strlen (expire_time) == 0)
1881 char *expire_time_orig = expire_time;
1886 memset (&tm, 0, sizeof (tm));
1888 /* parse_timestamp handles both seconds fromt he epoch and
1889 ISO 8601 format. We also need to handle YYYY-MM-DD
1890 format (as generated by gpg1 --with-colons --list-key).
1891 Check that first and then if it fails, then try
1894 if (!isodate_human_to_tm (expire_time, &tm))
1895 expire_time = tm2ldaptime (&tm);
1896 else if ((t = parse_timestamp (expire_time, &end)) != (time_t) -1
1899 if (!gnupg_gmtime (&t, &tm))
1902 expire_time = tm2ldaptime (&tm);
1908 /* Failed to parse string. */
1909 log_error ("Failed to parse creation time ('%s')",
1915 modlist_add (modlist, "pgpKeyExpireTime", expire_time);
1916 xfree (expire_time);
1920 if (is_uid && field_count >= 10)
1922 char *uid = fields[9];
1926 modlist_add (modlist, "pgpUserID", uid);
1927 if (schemav2 && (mbox = mailbox_from_userid (uid)))
1929 modlist_add (modlist, "gpgMailbox", mbox);
1938 /* Send the key in {KEY,KEYLEN} with the metadata {INFO,INFOLEN} to
1939 the keyserver identified by URI. See server.c:cmd_ks_put for the
1940 format of the data and metadata. */
1942 ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
1943 void *data, size_t datalen,
1944 void *info, size_t infolen)
1946 gpg_error_t err = 0;
1948 unsigned int serverinfo;
1949 LDAP *ldap_conn = NULL;
1950 char *basedn = NULL;
1951 LDAPMod **modlist = NULL;
1952 LDAPMod **addlist = NULL;
1953 char *data_armored = NULL;
1956 /* The last byte of the info block. */
1957 const char *infoend = (const char *) info + infolen - 1;
1959 /* Enable this code to dump the modlist to /tmp/modlist.txt. */
1961 # warning Disable debug code before checking in.
1962 const int dump_modlist = 1;
1964 const int dump_modlist = 0;
1966 estream_t dump = NULL;
1968 /* Elide a warning. */
1971 if (dirmngr_use_tor ())
1973 /* For now we do not support LDAP over Tor. */
1974 log_error (_("LDAP access not possible due to Tor mode\n"));
1975 return gpg_error (GPG_ERR_NOT_SUPPORTED);
1978 err = my_ldap_connect (uri, &ldap_conn, &basedn, NULL, NULL, &serverinfo);
1982 err = GPG_ERR_GENERAL;
1986 if (!(serverinfo & SERVERINFO_REALLDAP))
1988 /* We appear to have a PGP.com Keyserver, which can unpack the
1989 * key on its own (not just a dump LDAP server). This will
1990 * rarely be the case these days. */
1998 memset (&mod, 0, sizeof (mod));
1999 mod.mod_op = LDAP_MOD_ADD;
2000 mod.mod_type = (serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2":"pgpKey";
2001 mod.mod_values = key;
2005 dn = xtryasprintf ("pgpCertid=virtual,%s", basedn);
2008 err = gpg_error_from_syserror ();
2011 ldap_err = ldap_add_s (ldap_conn, dn, attrs);
2014 if (ldap_err != LDAP_SUCCESS)
2016 err = ldap_err_to_gpg_err (err);
2023 modlist = xtrymalloc (sizeof (LDAPMod *));
2026 err = gpg_error_from_syserror ();
2033 dump = es_fopen("/tmp/modlist.txt", "w");
2035 log_error ("failed to open /tmp/modlist.txt: %s\n",
2036 gpg_strerror (gpg_error_from_syserror ()));
2040 es_fprintf(dump, "data (%zd bytes)\n", datalen);
2041 es_fprintf(dump, "info (%zd bytes): '\n", infolen);
2042 es_fwrite(info, infolen, 1, dump);
2043 es_fprintf(dump, "'\n");
2047 /* Start by nulling out all attributes. We try and do a modify
2048 operation first, so this ensures that we don't leave old
2049 attributes lying around. */
2050 modlist_add (&modlist, "pgpDisabled", NULL);
2051 modlist_add (&modlist, "pgpKeyID", NULL);
2052 modlist_add (&modlist, "pgpKeyType", NULL);
2053 modlist_add (&modlist, "pgpUserID", NULL);
2054 modlist_add (&modlist, "pgpKeyCreateTime", NULL);
2055 modlist_add (&modlist, "pgpRevoked", NULL);
2056 modlist_add (&modlist, "pgpSubKeyID", NULL);
2057 modlist_add (&modlist, "pgpKeySize", NULL);
2058 modlist_add (&modlist, "pgpKeyExpireTime", NULL);
2059 modlist_add (&modlist, "pgpCertID", NULL);
2060 if ((serverinfo & SERVERINFO_SCHEMAV2))
2062 modlist_add (&modlist, "gpgFingerprint", NULL);
2063 modlist_add (&modlist, "gpgSubFingerprint", NULL);
2064 modlist_add (&modlist, "gpgMailbox", NULL);
2067 /* Assemble the INFO stuff into LDAP attributes */
2073 char *newline = memchr (info, '\n', infolen);
2075 /* The last line is not \n terminated! Make a copy so we can
2076 add a NUL terminator. */
2078 temp = xmalloc (infolen + 1);
2079 memcpy (temp, info, infolen);
2081 newline = (char *) info + infolen;
2086 extract_attributes (&addlist, &extract_state, info,
2087 (serverinfo & SERVERINFO_SCHEMAV2));
2089 infolen = infolen - ((uintptr_t) newline - (uintptr_t) info + 1);
2094 log_assert ((char *) info + infolen - 1 == infoend);
2097 log_assert (infolen == -1);
2102 modlist_add (&addlist, "objectClass", "pgpKeyInfo");
2104 err = armor_data (&data_armored, data, datalen);
2108 modlist_add (&addlist,
2109 (serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2":"pgpKey",
2112 /* Now append addlist onto modlist. */
2113 modlists_join (&modlist, addlist);
2117 estream_t input = modlist_dump (modlist, NULL);
2120 copy_stream (input, dump);
2125 /* Going on the assumption that modify operations are more frequent
2126 than adds, we try a modify first. If it's not there, we just
2127 turn around and send an add command for the same key. Otherwise,
2128 the modify brings the server copy into compliance with our copy.
2129 Note that unlike the LDAP keyserver (and really, any other
2130 keyserver) this does NOT merge signatures, but replaces the whole
2131 key. This should make some people very happy. */
2136 if ((serverinfo & SERVERINFO_NTDS))
2138 /* The modern way using a CN RDN with the fingerprint. This
2139 * has the advantage that we won't have duplicate 64 bit
2140 * keyids in the store. In particular NTDS requires the
2141 * DN to be unique. */
2142 attrval = modlist_lookup (addlist, "gpgFingerprint");
2143 /* We should have exactly one value. */
2144 if (!attrval || !(attrval[0] && !attrval[1]))
2146 log_error ("ks-ldap: bad gpgFingerprint provided\n");
2147 err = GPG_ERR_GENERAL;
2150 dn = xtryasprintf ("CN=%s,%s", attrval[0], basedn);
2152 else /* The old style way. */
2154 attrval = modlist_lookup (addlist, "pgpCertID");
2155 /* We should have exactly one value. */
2156 if (!attrval || !(attrval[0] && !attrval[1]))
2158 log_error ("ks-ldap: bad pgpCertID provided\n");
2159 err = GPG_ERR_GENERAL;
2162 dn = xtryasprintf ("pgpCertID=%s,%s", attrval[0], basedn);
2166 err = gpg_error_from_syserror ();
2170 log_debug ("ks-ldap: using DN: %s\n", dn);
2173 err = ldap_modify_s (ldap_conn, dn, modlist);
2174 if (err == LDAP_NO_SUCH_OBJECT)
2175 err = ldap_add_s (ldap_conn, dn, addlist);
2180 if (err != LDAP_SUCCESS)
2182 log_error ("ks-ldap: error adding key to keyserver: %s\n",
2183 ldap_err2string (err));
2184 err = ldap_err_to_gpg_err (err);
2193 ldap_unbind (ldap_conn);
2197 modlist_free (modlist);
2200 xfree (data_armored);