1 /* keylist.c - Print information about OpenPGP keys
2 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
3 * 2008, 2010, 2012 Free Software Foundation, Inc.
4 * Copyright (C) 2013, 2014 Werner Koch
6 * This file is part of GnuPG.
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <https://www.gnu.org/licenses/>.
27 #ifdef HAVE_DOSISH_SYSTEM
28 # include <fcntl.h> /* for setmode() */
34 #include "../common/status.h"
37 #include "../common/util.h"
38 #include "../common/ttyio.h"
41 #include "../common/i18n.h"
42 #include "../common/status.h"
43 #include "call-agent.h"
44 #include "../common/mbox-util.h"
45 #include "../common/zb32.h"
47 #include "../common/init.h"
48 #include "../common/recsel.h"
49 #include "../common/compliance.h"
50 #include "../common/pkscreening.h"
53 static void list_all (ctrl_t, int, int);
54 static void list_one (ctrl_t ctrl,
55 strlist_t names, int secret, int mark_secret);
56 static void locate_one (ctrl_t ctrl, strlist_t names, int no_local);
57 static void print_card_serialno (const char *serialno);
59 struct keylist_context
61 int check_sigs; /* If set signatures shall be verified. */
62 int good_sigs; /* Counter used if CHECK_SIGS is set. */
63 int inv_sigs; /* Counter used if CHECK_SIGS is set. */
64 int no_key; /* Counter used if CHECK_SIGS is set. */
65 int oth_err; /* Counter used if CHECK_SIGS is set. */
66 int no_validity; /* Do not show validity. */
69 /* An object and a global instance to store selectors created from
70 * --list-filter select=EXPR.
76 struct list_filter_s list_filter;
79 /* The stream used to write attribute packets to. */
80 static estream_t attrib_fp;
85 static void list_keyblock (ctrl_t ctrl,
86 kbnode_t keyblock, int secret, int has_secret,
87 int fpr, struct keylist_context *listctx);
89 /* Release resources from a keylist context. */
91 keylist_context_release (struct keylist_context *listctx)
93 (void)listctx; /* Nothing to release. */
98 release_list_filter (struct list_filter_s *filt)
100 recsel_release (filt->selkey);
106 cleanup_keylist_globals (void)
108 release_list_filter (&list_filter);
112 /* Parse and set an list filter from string. STRING has the format
113 * "NAME=EXPR" with NAME being the name of the filter. Spaces before
114 * and after NAME are not allowed. If this function is all called
115 * several times all expressions for the same NAME are concatenated.
116 * Supported filter names are:
118 * - select :: If the expression evaluates to true for a certain key
119 * this key will be listed. The expression may use any
120 * variable defined for the export and import filters.
124 parse_and_set_list_filter (const char *string)
128 /* Auto register the cleanup function. */
129 register_mem_cleanup_func (cleanup_keylist_globals);
131 if (!strncmp (string, "select=", 7))
132 err = recsel_parse_expr (&list_filter.selkey, string+7);
134 err = gpg_error (GPG_ERR_INV_NAME);
140 /* List the keys. If list is NULL, all available keys are listed.
141 * With LOCATE_MODE set the locate algorithm is used to find a key; if
142 * in addition NO_LOCAL is set the locate does not look into the local
145 public_key_list (ctrl_t ctrl, strlist_t list, int locate_mode, int no_local)
147 #ifndef NO_TRUST_MODELS
150 byte trust_model, marginals, completes, cert_depth, min_cert_level;
151 ulong created, nextcheck;
153 read_trust_options (ctrl, &trust_model, &created, &nextcheck,
154 &marginals, &completes, &cert_depth, &min_cert_level);
156 es_fprintf (es_stdout, "tru:");
158 if (nextcheck && nextcheck <= make_timestamp ())
159 es_fprintf (es_stdout, "o");
160 if (trust_model != opt.trust_model)
161 es_fprintf (es_stdout, "t");
162 if (opt.trust_model == TM_PGP || opt.trust_model == TM_CLASSIC
163 || opt.trust_model == TM_TOFU_PGP)
165 if (marginals != opt.marginals_needed)
166 es_fprintf (es_stdout, "m");
167 if (completes != opt.completes_needed)
168 es_fprintf (es_stdout, "c");
169 if (cert_depth != opt.max_cert_depth)
170 es_fprintf (es_stdout, "d");
171 if (min_cert_level != opt.min_cert_level)
172 es_fprintf (es_stdout, "l");
175 es_fprintf (es_stdout, ":%d:%lu:%lu", trust_model, created, nextcheck);
177 /* Only show marginals, completes, and cert_depth in the classic
178 or PGP trust models since they are not meaningful
181 if (trust_model == TM_PGP || trust_model == TM_CLASSIC)
182 es_fprintf (es_stdout, ":%d:%d:%d", marginals, completes, cert_depth);
183 es_fprintf (es_stdout, "\n");
185 #endif /*!NO_TRUST_MODELS*/
187 /* We need to do the stale check right here because it might need to
188 update the keyring while we already have the keyring open. This
189 is very bad for W32 because of a sharing violation. For real OSes
190 it might lead to false results if we are later listing a keyring
191 which is associated with the inode of a deleted file. */
192 check_trustdb_stale (ctrl);
195 tofu_begin_batch_update (ctrl);
199 locate_one (ctrl, list, no_local);
201 list_all (ctrl, 0, opt.with_secret);
203 list_one (ctrl, list, 0, opt.with_secret);
206 tofu_end_batch_update (ctrl);
212 secret_key_list (ctrl_t ctrl, strlist_t list)
216 check_trustdb_stale (ctrl);
219 list_all (ctrl, 1, 0);
220 else /* List by user id */
221 list_one (ctrl, list, 1, 0);
225 /* Helper for print_key_info and print_key_info_log. */
227 format_key_info (ctrl_t ctrl, PKT_public_key *pk, int secret)
231 char pkstrbuf[PUBKEY_STRING_SIZE];
234 keyid_from_pk (pk, keyid);
236 /* If the pk was chosen by a particular user ID, that is the one to
239 p = utf8_to_native (pk->user_id->name, pk->user_id->len, 0);
241 p = get_user_id_native (ctrl, keyid);
243 result = xtryasprintf ("%s %s/%s %s %s",
244 secret? (pk->flags.primary? "sec":"ssb")
245 /* */ : (pk->flags.primary? "pub":"sub"),
246 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf),
247 keystr (keyid), datestr_from_pk (pk), p);
253 /* Print basic information about a public or secret key. With FP
254 * passed as NULL, the tty output interface is used, otherwise output
255 * is directed to the given stream. INDENT gives the requested
256 * indentation; if that is a negative value indentation is suppressed
257 * for the first line. SECRET tells that the PK has a secret part.
258 * FIXME: This is similar in use to print_key_line and thus both
259 * functions should eventually be united.
262 print_key_info (ctrl_t ctrl, estream_t fp,
263 int indent, PKT_public_key *pk, int secret)
265 int indentabs = indent >= 0? indent : -indent;
268 /* Note: Negative values for INDENT are not yet needed. */
270 info = format_key_info (ctrl, pk, secret);
272 if (!fp && indent >= 0)
273 tty_printf ("\n"); /* (Backward compatibility to old code) */
274 tty_fprintf (fp, "%*s%s\n", indentabs, "",
275 info? info : "[Ooops - out of core]");
281 /* Same as print_key_info put print using the log functions at
284 print_key_info_log (ctrl_t ctrl, int loglevel,
285 int indent, PKT_public_key *pk, int secret)
287 int indentabs = indent >= 0? indent : -indent;
290 info = format_key_info (ctrl, pk, secret);
292 log_log (loglevel, "%*s%s\n", indentabs, "",
293 info? info : "[Ooops - out of core]");
299 /* Print basic information of a secret key including the card serial
300 number information. */
301 #ifdef ENABLE_CARD_SUPPORT
303 print_card_key_info (estream_t fp, kbnode_t keyblock)
309 char pkstrbuf[PUBKEY_STRING_SIZE];
312 for (node = keyblock; node; node = node->next)
314 if (node->pkt->pkttype == PKT_PUBLIC_KEY
315 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
318 PKT_public_key *pk = node->pkt->pkt.public_key;
321 rc = hexkeygrip_from_pk (pk, &hexgrip);
324 log_error ("error computing a keygrip: %s\n", gpg_strerror (rc));
327 else if (!agent_get_keyinfo (NULL, hexgrip, &serialno, NULL))
328 s2k_char = serialno? '>':' ';
330 s2k_char = '#'; /* Key not found. */
332 tty_fprintf (fp, "%s%c %s/%s %n",
333 node->pkt->pkttype == PKT_PUBLIC_KEY ? "sec" : "ssb",
335 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf),
338 tty_fprintf (fp, _("created: %s"), datestr_from_pk (pk));
339 tty_fprintf (fp, " ");
340 tty_fprintf (fp, _("expires: %s"), expirestr_from_pk (pk));
343 tty_fprintf (fp, "\n%*s%s", indent, "", _("card-no: "));
344 if (strlen (serialno) == 32
345 && !strncmp (serialno, "D27600012401", 12))
347 /* This is an OpenPGP card. Print the relevant part. */
348 /* Example: D2760001240101010001000003470000 */
350 tty_fprintf (fp, "%.*s %.*s", 4, serialno+16, 8, serialno+20);
353 tty_fprintf (fp, "%s", serialno);
355 tty_fprintf (fp, "\n");
361 #endif /*ENABLE_CARD_SUPPORT*/
364 /* Print the preferences line. Allowed values for MODE are:
365 * -1 - print to the TTY
366 * 0 - print to stdout.
370 show_preferences (PKT_user_id *uid, int indent, int mode, int verbose)
372 estream_t fp = mode < 0? NULL : mode ? log_get_stream () : es_stdout;
373 const prefitem_t fake = { 0, 0 };
374 const prefitem_t *prefs;
389 int any, des_seen = 0, sha1_seen = 0, uncomp_seen = 0;
391 tty_fprintf (fp, "%*s %s", indent, "", _("Cipher: "));
392 for (i = any = 0; prefs[i].type; i++)
394 if (prefs[i].type == PREFTYPE_SYM)
397 tty_fprintf (fp, ", ");
399 /* We don't want to display strings for experimental algos */
400 if (!openpgp_cipher_test_algo (prefs[i].value)
401 && prefs[i].value < 100)
402 tty_fprintf (fp, "%s", openpgp_cipher_algo_name (prefs[i].value));
404 tty_fprintf (fp, "[%d]", prefs[i].value);
405 if (prefs[i].value == CIPHER_ALGO_3DES)
412 tty_fprintf (fp, ", ");
413 tty_fprintf (fp, "%s", openpgp_cipher_algo_name (CIPHER_ALGO_3DES));
415 tty_fprintf (fp, "\n%*s %s", indent, "", _("AEAD: "));
416 for (i = any = 0; prefs[i].type; i++)
418 if (prefs[i].type == PREFTYPE_AEAD)
421 tty_fprintf (fp, ", ");
423 /* We don't want to display strings for experimental algos */
424 if (!openpgp_aead_test_algo (prefs[i].value)
425 && prefs[i].value < 100)
426 tty_fprintf (fp, "%s", openpgp_aead_algo_name (prefs[i].value));
428 tty_fprintf (fp, "[%d]", prefs[i].value);
431 tty_fprintf (fp, "\n%*s %s", indent, "", _("Digest: "));
432 for (i = any = 0; prefs[i].type; i++)
434 if (prefs[i].type == PREFTYPE_HASH)
437 tty_fprintf (fp, ", ");
439 /* We don't want to display strings for experimental algos */
440 if (!gcry_md_test_algo (prefs[i].value) && prefs[i].value < 100)
441 tty_fprintf (fp, "%s", gcry_md_algo_name (prefs[i].value));
443 tty_fprintf (fp, "[%d]", prefs[i].value);
444 if (prefs[i].value == DIGEST_ALGO_SHA1)
451 tty_fprintf (fp, ", ");
452 tty_fprintf (fp, "%s", gcry_md_algo_name (DIGEST_ALGO_SHA1));
454 tty_fprintf (fp, "\n%*s %s", indent, "", _("Compression: "));
455 for (i = any = 0; prefs[i].type; i++)
457 if (prefs[i].type == PREFTYPE_ZIP)
459 const char *s = compress_algo_to_string (prefs[i].value);
462 tty_fprintf (fp, ", ");
464 /* We don't want to display strings for experimental algos */
465 if (s && prefs[i].value < 100)
466 tty_fprintf (fp, "%s", s);
468 tty_fprintf (fp, "[%d]", prefs[i].value);
469 if (prefs[i].value == COMPRESS_ALGO_NONE)
476 tty_fprintf (fp, ", ");
479 tty_fprintf (fp, "%s",
480 compress_algo_to_string (COMPRESS_ALGO_ZIP));
481 tty_fprintf (fp, ", ");
483 tty_fprintf (fp, "%s", compress_algo_to_string (COMPRESS_ALGO_NONE));
485 if (uid->flags.mdc || uid->flags.aead || !uid->flags.ks_modify)
487 tty_fprintf (fp, "\n%*s %s", indent, "", _("Features: "));
491 tty_fprintf (fp, "MDC");
497 tty_fprintf (fp, ", ");
498 tty_fprintf (fp, "AEAD");
500 if (!uid->flags.ks_modify)
503 tty_fprintf (fp, ", ");
504 tty_fprintf (fp, _("Keyserver no-modify"));
507 tty_fprintf (fp, "\n");
511 tty_fprintf (fp, "%*s", indent, "");
512 for (i = 0; prefs[i].type; i++)
514 tty_fprintf (fp, " %c%d", prefs[i].type == PREFTYPE_SYM ? 'S' :
515 prefs[i].type == PREFTYPE_AEAD ? 'A' :
516 prefs[i].type == PREFTYPE_HASH ? 'H' :
517 prefs[i].type == PREFTYPE_ZIP ? 'Z' : '?',
521 tty_fprintf (fp, " [mdc]");
523 tty_fprintf (fp, " [aead]");
524 if (!uid->flags.ks_modify)
525 tty_fprintf (fp, " [no-ks-modify]");
526 tty_fprintf (fp, "\n");
531 /* Flags = 0x01 hashed 0x02 critical. */
533 status_one_subpacket (sigsubpkttype_t type, size_t len, int flags,
538 /* Don't print these. */
542 snprintf (status, sizeof status,
543 "%d %u %u ", type, flags, (unsigned int) len);
545 write_status_text_and_buffer (STATUS_SIG_SUBPACKET, status, buf, len, 0);
549 /* Print a policy URL. Allowed values for MODE are:
550 * -1 - print to the TTY
551 * 0 - print to stdout.
552 * 1 - use log_info and emit status messages.
553 * 2 - emit only status messages.
556 show_policy_url (PKT_signature * sig, int indent, int mode)
561 estream_t fp = mode < 0? NULL : mode ? log_get_stream () : es_stdout;
563 while ((p = enum_sig_subpkt (sig, 1, SIGSUBPKT_POLICY, &len, &seq, &crit)))
569 tty_fprintf (fp, "%*s", indent, "");
572 str = _("Critical signature policy: ");
574 str = _("Signature policy: ");
576 log_info ("%s", str);
578 tty_fprintf (fp, "%s", str);
579 tty_print_utf8_string2 (fp, p, len, 0);
580 tty_fprintf (fp, "\n");
584 write_status_buffer (STATUS_POLICY_URL, p, len, 0);
589 /* Print a keyserver URL. Allowed values for MODE are:
590 * -1 - print to the TTY
591 * 0 - print to stdout.
592 * 1 - use log_info and emit status messages.
593 * 2 - emit only status messages.
596 show_keyserver_url (PKT_signature * sig, int indent, int mode)
601 estream_t fp = mode < 0? NULL : mode ? log_get_stream () : es_stdout;
603 while ((p = enum_sig_subpkt (sig, 1, SIGSUBPKT_PREF_KS, &len, &seq, &crit)))
609 tty_fprintf (fp, "%*s", indent, "");
612 str = _("Critical preferred keyserver: ");
614 str = _("Preferred keyserver: ");
616 log_info ("%s", str);
618 tty_fprintf (fp, "%s", str);
619 tty_print_utf8_string2 (fp, p, len, 0);
620 tty_fprintf (fp, "\n");
624 status_one_subpacket (SIGSUBPKT_PREF_KS, len,
625 (crit ? 0x02 : 0) | 0x01, p);
630 /* Print notation data. Allowed values for MODE are:
631 * -1 - print to the TTY
632 * 0 - print to stdout.
633 * 1 - use log_info and emit status messages.
634 * 2 - emit only status messages.
636 * Defined bits in WHICH:
637 * 1 - standard notations
641 show_notation (PKT_signature * sig, int indent, int mode, int which)
643 estream_t fp = mode < 0? NULL : mode ? log_get_stream () : es_stdout;
644 notation_t nd, notations;
649 notations = sig_to_notation (sig);
651 /* There may be multiple notations in the same sig. */
652 for (nd = notations; nd; nd = nd->next)
656 int has_at = !!strchr (nd->name, '@');
658 if ((which & 1 && !has_at) || (which & 2 && has_at))
662 tty_fprintf (fp, "%*s", indent, "");
664 if (nd->flags.critical)
665 str = _("Critical signature notation: ");
667 str = _("Signature notation: ");
669 log_info ("%s", str);
671 tty_fprintf (fp, "%s", str);
672 /* This is all UTF8 */
673 tty_print_utf8_string2 (fp, nd->name, strlen (nd->name), 0);
674 tty_fprintf (fp, "=");
675 tty_print_utf8_string2 (fp, nd->value, strlen (nd->value), 0);
676 /* (We need to use log_printf so that the next call to a
677 log function does not insert an extra LF.) */
681 tty_fprintf (fp, "\n");
687 write_status_buffer (STATUS_NOTATION_NAME,
688 nd->name, strlen (nd->name), 0);
689 if (nd->flags.critical || nd->flags.human)
690 write_status_text (STATUS_NOTATION_FLAGS,
691 nd->flags.critical && nd->flags.human? "1 1" :
692 nd->flags.critical? "1 0" : "0 1");
693 if (!nd->flags.human && nd->bdat && nd->blen)
694 write_status_buffer (STATUS_NOTATION_DATA,
695 nd->bdat, nd->blen, 250);
697 write_status_buffer (STATUS_NOTATION_DATA,
698 nd->value, strlen (nd->value), 50);
702 free_notation (notations);
707 print_signature_stats (struct keylist_context *s)
710 return; /* Signature checking was not requested. */
712 /* Better flush stdout so that the stats are always printed after
714 es_fflush (es_stdout);
717 log_info (ngettext("%d good signature\n",
718 "%d good signatures\n", s->good_sigs), s->good_sigs);
721 log_info (ngettext("%d bad signature\n",
722 "%d bad signatures\n", s->inv_sigs), s->inv_sigs);
725 log_info (ngettext("%d signature not checked due to a missing key\n",
726 "%d signatures not checked due to missing keys\n",
727 s->no_key), s->no_key);
730 log_info (ngettext("%d signature not checked due to an error\n",
731 "%d signatures not checked due to errors\n",
732 s->oth_err), s->oth_err);
736 /* List all keys. If SECRET is true only secret keys are listed. If
737 MARK_SECRET is true secret keys are indicated in a public key
740 list_all (ctrl_t ctrl, int secret, int mark_secret)
743 KBNODE keyblock = NULL;
746 const char *lastresname, *resname;
747 struct keylist_context listctx;
749 memset (&listctx, 0, sizeof (listctx));
751 listctx.check_sigs = 1;
753 hd = keydb_new (ctrl);
755 rc = gpg_error_from_syserror ();
757 rc = keydb_search_first (hd);
760 if (gpg_err_code (rc) != GPG_ERR_NOT_FOUND)
761 log_error ("keydb_search_first failed: %s\n", gpg_strerror (rc));
769 glo_ctrl.silence_parse_warnings++;
770 rc = keydb_get_keyblock (hd, &keyblock);
772 glo_ctrl.silence_parse_warnings--;
775 if (gpg_err_code (rc) == GPG_ERR_LEGACY_KEY)
776 continue; /* Skip legacy keys. */
777 log_error ("keydb_get_keyblock failed: %s\n", gpg_strerror (rc));
781 if (secret || mark_secret)
782 any_secret = !agent_probe_any_secret_key (ctrl, keyblock);
786 if (secret && !any_secret)
787 ; /* Secret key listing requested but this isn't one. */
790 if (!opt.with_colons && !(opt.list_options & LIST_SHOW_ONLY_FPR_MBOX))
792 resname = keydb_get_resource_name (hd);
793 if (lastresname != resname)
797 es_fprintf (es_stdout, "%s\n", resname);
798 for (i = strlen (resname); i; i--)
799 es_putc ('-', es_stdout);
800 es_putc ('\n', es_stdout);
801 lastresname = resname;
804 merge_keys_and_selfsig (ctrl, keyblock);
805 list_keyblock (ctrl, keyblock, secret, any_secret, opt.fingerprint,
808 release_kbnode (keyblock);
811 while (!(rc = keydb_search_next (hd)));
812 es_fflush (es_stdout);
813 if (rc && gpg_err_code (rc) != GPG_ERR_NOT_FOUND)
814 log_error ("keydb_search_next failed: %s\n", gpg_strerror (rc));
815 if (keydb_get_skipped_counter (hd))
816 log_info (ngettext("Warning: %lu key skipped due to its large size\n",
817 "Warning: %lu keys skipped due to their large sizes\n",
818 keydb_get_skipped_counter (hd)),
819 keydb_get_skipped_counter (hd));
821 if (opt.check_sigs && !opt.with_colons)
822 print_signature_stats (&listctx);
825 keylist_context_release (&listctx);
826 release_kbnode (keyblock);
832 list_one (ctrl_t ctrl, strlist_t names, int secret, int mark_secret)
835 KBNODE keyblock = NULL;
839 const char *keyring_str = _("Keyring");
841 struct keylist_context listctx;
843 memset (&listctx, 0, sizeof (listctx));
844 if (!secret && opt.check_sigs)
845 listctx.check_sigs = 1;
847 /* fixme: using the bynames function has the disadvantage that we
848 * don't know whether one of the names given was not found. OTOH,
849 * this function has the advantage to list the names in the
850 * sequence as defined by the keyDB and does not duplicate
851 * outputs. A solution could be do test whether all given have
852 * been listed (this needs a way to use the keyDB search
853 * functions) or to have the search function return indicators for
854 * found names. Yet another way is to use the keydb search
855 * facilities directly. */
856 rc = getkey_bynames (ctrl, &ctx, NULL, names, secret, &keyblock);
859 log_error ("error reading key: %s\n", gpg_strerror (rc));
860 getkey_end (ctrl, ctx);
861 write_status_error ("keylist.getkey", rc);
867 /* getkey_bynames makes sure that only secret keys are returned
868 * if requested, thus we do not need to test again. With
869 * MARK_SECRET set (ie. option --with-secret) we have to test
870 * for a secret key, though. */
873 else if (mark_secret)
874 any_secret = !agent_probe_any_secret_key (ctrl, keyblock);
878 if (secret && !any_secret)
879 ;/* Secret key listing requested but getkey_bynames failed. */
882 if ((opt.list_options & LIST_SHOW_KEYRING) && !opt.with_colons)
884 resname = keydb_get_resource_name (get_ctx_handle (ctx));
885 es_fprintf (es_stdout, "%s: %s\n", keyring_str, resname);
886 for (i = strlen (resname) + strlen (keyring_str) + 2; i; i--)
887 es_putc ('-', es_stdout);
888 es_putc ('\n', es_stdout);
890 list_keyblock (ctrl, keyblock, secret, any_secret,
891 opt.fingerprint, &listctx);
893 release_kbnode (keyblock);
895 while (!getkey_next (ctrl, ctx, NULL, &keyblock));
896 getkey_end (ctrl, ctx);
898 if (opt.check_sigs && !opt.with_colons)
899 print_signature_stats (&listctx);
901 keylist_context_release (&listctx);
906 locate_one (ctrl_t ctrl, strlist_t names, int no_local)
910 GETKEY_CTX ctx = NULL;
911 KBNODE keyblock = NULL;
912 struct keylist_context listctx;
914 memset (&listctx, 0, sizeof (listctx));
916 listctx.check_sigs = 1;
918 for (sl = names; sl; sl = sl->next)
920 rc = get_best_pubkey_byname (ctrl,
921 no_local? GET_PUBKEY_NO_LOCAL
922 /* */: GET_PUBKEY_NORMAL,
923 &ctx, NULL, sl->d, &keyblock, 1);
926 if (gpg_err_code (rc) != GPG_ERR_NO_PUBKEY)
927 log_error ("error reading key: %s\n", gpg_strerror (rc));
928 else if (opt.verbose)
929 log_info (_("key \"%s\" not found: %s\n"),
930 sl->d, gpg_strerror (rc));
936 list_keyblock (ctrl, keyblock, 0, 0, opt.fingerprint, &listctx);
937 release_kbnode (keyblock);
939 while (ctx && !getkey_next (ctrl, ctx, NULL, &keyblock));
940 getkey_end (ctrl, ctx);
945 if (opt.check_sigs && !opt.with_colons)
946 print_signature_stats (&listctx);
948 keylist_context_release (&listctx);
953 print_key_data (PKT_public_key * pk)
955 int n = pk ? pubkey_get_npkey (pk->pubkey_algo) : 0;
958 for (i = 0; i < n; i++)
960 es_fprintf (es_stdout, "pkd:%d:%u:", i, mpi_get_nbits (pk->pkey[i]));
961 mpi_print (es_stdout, pk->pkey[i], 1);
962 es_putc (':', es_stdout);
963 es_putc ('\n', es_stdout);
968 /* Various public key screenings. (Right now just ROCA). With
969 * COLON_MODE set the output is formatted for use in the compliance
970 * field of a colon listing.
973 print_pk_screening (PKT_public_key *pk, int colon_mode)
977 if (is_RSA (pk->pubkey_algo) && pubkey_get_npkey (pk->pubkey_algo))
979 err = screen_key_for_roca (pk->pkey[0]);
982 else if (gpg_err_code (err) == GPG_ERR_TRUE)
985 es_fprintf (es_stdout, colon_mode > 1? " %d":"%d", 6001);
987 es_fprintf (es_stdout,
988 " Screening: ROCA vulnerability detected\n");
990 else if (!colon_mode)
991 es_fprintf (es_stdout, " Screening: [ROCA check failed: %s]\n",
999 print_capabilities (ctrl_t ctrl, PKT_public_key *pk, KBNODE keyblock)
1001 unsigned int use = pk->pubkey_usage;
1004 if (use & PUBKEY_USAGE_ENC)
1005 es_putc ('e', es_stdout);
1007 if (use & PUBKEY_USAGE_SIG)
1009 es_putc ('s', es_stdout);
1010 if (pk->flags.primary)
1012 es_putc ('c', es_stdout);
1013 /* The PUBKEY_USAGE_CERT flag was introduced later and we
1014 used to always print 'c' for a primary key. To avoid any
1015 regression here we better track whether we printed 'c'
1021 if ((use & PUBKEY_USAGE_CERT) && !c_printed)
1022 es_putc ('c', es_stdout);
1024 if ((use & PUBKEY_USAGE_AUTH))
1025 es_putc ('a', es_stdout);
1027 if (use & PUBKEY_USAGE_RENC)
1028 es_putc ('r', es_stdout);
1029 if ((use & PUBKEY_USAGE_TIME))
1030 es_putc ('t', es_stdout);
1031 if ((use & PUBKEY_USAGE_GROUP))
1032 es_putc ('g', es_stdout);
1034 if ((use & PUBKEY_USAGE_UNKNOWN))
1035 es_putc ('?', es_stdout);
1039 /* Figure out the usable capabilities. */
1041 int enc = 0, sign = 0, cert = 0, auth = 0, disabled = 0;
1043 for (k = keyblock; k; k = k->next)
1045 if (k->pkt->pkttype == PKT_PUBLIC_KEY
1046 || k->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1048 pk = k->pkt->pkt.public_key;
1050 if (pk->flags.primary)
1051 disabled = pk_is_disabled (pk);
1053 if (pk->flags.valid && !pk->flags.revoked && !pk->has_expired)
1055 if (pk->pubkey_usage & PUBKEY_USAGE_ENC)
1057 if (pk->pubkey_usage & PUBKEY_USAGE_SIG)
1060 if (pk->flags.primary)
1063 if (pk->pubkey_usage & PUBKEY_USAGE_CERT)
1065 if ((pk->pubkey_usage & PUBKEY_USAGE_AUTH))
1071 es_putc ('E', es_stdout);
1073 es_putc ('S', es_stdout);
1075 es_putc ('C', es_stdout);
1077 es_putc ('A', es_stdout);
1079 es_putc ('D', es_stdout);
1082 es_putc (':', es_stdout);
1086 /* FLAGS: 0x01 hashed
1089 print_one_subpacket (sigsubpkttype_t type, size_t len, int flags,
1094 es_fprintf (es_stdout, "spk:%d:%u:%u:", type, flags, (unsigned int) len);
1096 for (i = 0; i < len; i++)
1098 /* printable ascii other than : and % */
1099 if (buf[i] >= 32 && buf[i] <= 126 && buf[i] != ':' && buf[i] != '%')
1100 es_fprintf (es_stdout, "%c", buf[i]);
1102 es_fprintf (es_stdout, "%%%02X", buf[i]);
1105 es_fprintf (es_stdout, "\n");
1110 print_subpackets_colon (PKT_signature * sig)
1114 log_assert (opt.show_subpackets);
1116 for (i = opt.show_subpackets; *i; i++)
1124 while ((p = enum_sig_subpkt (sig, 1, *i, &len, &seq, &crit)))
1125 print_one_subpacket (*i, len, 0x01 | (crit ? 0x02 : 0), p);
1129 while ((p = enum_sig_subpkt (sig, 0, *i, &len, &seq, &crit)))
1130 print_one_subpacket (*i, len, 0x00 | (crit ? 0x02 : 0), p);
1136 dump_attribs (const PKT_user_id *uid, PKT_public_key *pk)
1143 for (i = 0; i < uid->numattribs; i++)
1145 if (is_status_enabled ())
1147 byte array[MAX_FINGERPRINT_LEN], *p;
1148 char buf[(MAX_FINGERPRINT_LEN * 2) + 90];
1153 fingerprint_from_pk (pk, array, &n);
1156 for (j = 0; j < n; j++, p++)
1157 sprintf (buf + 2 * j, "%02X", *p);
1159 sprintf (buf + strlen (buf), " %lu %u %u %u %lu %lu %u",
1160 (ulong) uid->attribs[i].len, uid->attribs[i].type, i + 1,
1161 uid->numattribs, (ulong) uid->created,
1162 (ulong) uid->expiredate,
1163 ((uid->flags.primary ? 0x01 : 0) | (uid->flags.revoked ? 0x02 : 0) |
1164 (uid->flags.expired ? 0x04 : 0)));
1165 write_status_text (STATUS_ATTRIBUTE, buf);
1168 es_fwrite (uid->attribs[i].data, uid->attribs[i].len, 1, attrib_fp);
1169 es_fflush (attrib_fp);
1174 /* Order two signatures. We first order by keyid and then by creation
1177 cmp_signodes (const void *av, const void *bv)
1179 const kbnode_t an = *(const kbnode_t *)av;
1180 const kbnode_t bn = *(const kbnode_t *)bv;
1181 const PKT_signature *a;
1182 const PKT_signature *b;
1185 /* log_assert (an->pkt->pkttype == PKT_SIGNATURE); */
1186 /* log_assert (bn->pkt->pkttype == PKT_SIGNATURE); */
1188 a = an->pkt->pkt.signature;
1189 b = bn->pkt->pkt.signature;
1191 /* Self-signatures are ordered first. */
1192 if ((an->flag & NODFLG_MARK_B) && !(bn->flag & NODFLG_MARK_B))
1194 if (!(an->flag & NODFLG_MARK_B) && (bn->flag & NODFLG_MARK_B))
1197 /* then the keyids. (which are or course the same for self-sigs). */
1198 i = keyid_cmp (a->keyid, b->keyid);
1202 /* Followed by creation time */
1203 if (a->timestamp > b->timestamp)
1205 if (a->timestamp < b->timestamp)
1208 /* followed by the class in a way that a rev comes first. */
1209 if (a->sig_class > b->sig_class)
1211 if (a->sig_class < b->sig_class)
1214 /* To make the sort stable we compare the entire structure as last resort. */
1215 return memcmp (a, b, sizeof *a);
1219 /* Helper for list_keyblock_print. */
1221 list_signature_print (ctrl_t ctrl, kbnode_t keyblock, kbnode_t node,
1222 struct keylist_context *listctx)
1224 /* (extra indentation to keep the diff history short) */
1225 PKT_signature *sig = node->pkt->pkt.signature;
1228 char *reason_text = NULL;
1229 char *reason_comment = NULL;
1230 size_t reason_commentlen;
1231 int reason_code = 0;
1233 if (listctx->check_sigs)
1235 rc = check_key_signature (ctrl, keyblock, node, NULL);
1236 switch (gpg_err_code (rc))
1239 listctx->good_sigs++;
1242 case GPG_ERR_BAD_SIGNATURE:
1243 listctx->inv_sigs++;
1246 case GPG_ERR_NO_PUBKEY:
1247 case GPG_ERR_UNUSABLE_PUBKEY:
1256 /* TODO: Make sure a cached sig record here still has
1257 the pk that issued it. See also
1258 keyedit.c:print_and_check_one_sig */
1266 if (sig->sig_class == 0x20 || sig->sig_class == 0x28
1267 || sig->sig_class == 0x30)
1270 reason_code = get_revocation_reason (sig, &reason_text,
1272 &reason_commentlen);
1274 else if ((sig->sig_class & ~3) == 0x10)
1276 else if (sig->sig_class == 0x18)
1278 else if (sig->sig_class == 0x1F)
1282 es_fprintf (es_stdout, "sig "
1283 "[unexpected signature class 0x%02x]\n",
1288 es_fputs (sigstr, es_stdout);
1289 es_fprintf (es_stdout, "%c%c %c%c%c%c%c%c %s %s",
1290 sigrc, (sig->sig_class - 0x10 > 0 &&
1291 sig->sig_class - 0x10 <
1292 4) ? '0' + sig->sig_class - 0x10 : ' ',
1293 sig->flags.exportable ? ' ' : 'L',
1294 sig->flags.revocable ? ' ' : 'R',
1295 sig->flags.policy_url ? 'P' : ' ',
1296 sig->flags.notation ? 'N' : ' ',
1297 sig->flags.expired ? 'X' : ' ',
1298 (sig->trust_depth > 9) ? 'T' : (sig->trust_depth >
1300 sig->trust_depth : ' ', keystr (sig->keyid),
1301 datestr_from_sig (sig));
1302 if (opt.list_options & LIST_SHOW_SIG_EXPIRE)
1303 es_fprintf (es_stdout, " %s", expirestr_from_sig (sig));
1304 es_fprintf (es_stdout, " ");
1306 es_fprintf (es_stdout, "[%s] ", gpg_strerror (rc));
1307 else if (sigrc == '?')
1309 else if (!opt.fast_list_mode)
1312 char *p = get_user_id (ctrl, sig->keyid, &n, NULL);
1313 print_utf8_buffer (es_stdout, p, n);
1316 es_putc ('\n', es_stdout);
1318 if (sig->flags.policy_url
1319 && (opt.list_options & LIST_SHOW_POLICY_URLS))
1320 show_policy_url (sig, 3, 0);
1322 if (sig->flags.notation && (opt.list_options & LIST_SHOW_NOTATIONS))
1323 show_notation (sig, 3, 0,
1325 list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0)
1328 list_options & LIST_SHOW_USER_NOTATIONS) ? 2 :
1331 if (sig->flags.pref_ks
1332 && (opt.list_options & LIST_SHOW_KEYSERVER_URLS))
1333 show_keyserver_url (sig, 3, 0);
1335 if (reason_text && (reason_code || reason_comment))
1337 es_fprintf (es_stdout, " %s%s\n",
1338 _("reason for revocation: "), reason_text);
1341 const byte *s, *s_lf;
1345 n = reason_commentlen;
1349 /* We don't want any empty lines, so we skip them. */
1350 for (;n && *s == '\n'; s++, n--)
1354 s_lf = memchr (s, '\n', n);
1355 n_lf = s_lf? s_lf - s : n;
1356 es_fprintf (es_stdout, " %s",
1357 _("revocation comment: "));
1358 es_write_sanitized (es_stdout, s, n_lf, NULL, NULL);
1359 es_putc ('\n', es_stdout);
1360 s += n_lf; n -= n_lf;
1366 xfree (reason_text);
1367 xfree (reason_comment);
1369 /* fixme: check or list other sigs here */
1374 list_keyblock_print (ctrl_t ctrl, kbnode_t keyblock, int secret, int fpr,
1375 struct keylist_context *listctx)
1382 char *hexgrip = NULL;
1383 char *serialno = NULL;
1385 /* Get the keyid from the keyblock. */
1386 node = find_kbnode (keyblock, PKT_PUBLIC_KEY);
1389 log_error ("Oops; key lost!\n");
1390 dump_kbnode (keyblock);
1394 pk = node->pkt->pkt.public_key;
1395 mainkid = pk_keyid (pk);
1397 if (secret || opt.with_keygrip)
1399 rc = hexkeygrip_from_pk (pk, &hexgrip);
1401 log_error ("error computing a keygrip: %s\n", gpg_strerror (rc));
1406 /* Encode some info about the secret key in SECRET. */
1407 if (!agent_get_keyinfo (NULL, hexgrip, &serialno, NULL))
1408 secret = serialno? 3 : 1;
1410 secret = 2; /* Key not found. */
1413 if (!listctx->no_validity)
1414 check_trustdb_stale (ctrl);
1416 /* Print the "pub" line and in KF_NONE mode the fingerprint. */
1417 print_key_line (ctrl, es_stdout, pk, secret);
1420 print_fingerprint (ctrl, NULL, pk, 0);
1422 if (opt.with_keygrip && hexgrip)
1423 es_fprintf (es_stdout, " Keygrip = %s\n", hexgrip);
1426 print_card_serialno (serialno);
1428 if (opt.with_key_data)
1429 print_key_data (pk);
1431 if (opt.with_key_screening)
1432 print_pk_screening (pk, 0);
1434 if (opt.with_key_origin
1435 && (pk->keyorg || pk->keyupdate || pk->updateurl))
1437 char updatestr[MK_DATESTR_SIZE];
1439 es_fprintf (es_stdout, " origin=%s last=%s %s",
1440 key_origin_string (pk->keyorg),
1441 mk_datestr (updatestr, sizeof updatestr, pk->keyupdate),
1442 pk->updateurl? "url=":"");
1444 print_utf8_string (es_stdout, pk->updateurl);
1445 es_putc ('\n', es_stdout);
1448 for (node = keyblock; node; node = node->next)
1450 if (is_deleted_kbnode (node))
1453 if (node->pkt->pkttype == PKT_USER_ID)
1455 PKT_user_id *uid = node->pkt->pkt.user_id;
1457 int kl = opt.keyid_format == KF_NONE? 10 : keystrlen ();
1459 if ((uid->flags.expired || uid->flags.revoked)
1460 && !(opt.list_options & LIST_SHOW_UNUSABLE_UIDS))
1468 if (attrib_fp && uid->attrib_data != NULL)
1469 dump_attribs (uid, pk);
1471 if ((uid->flags.revoked || uid->flags.expired)
1472 || ((opt.list_options & LIST_SHOW_UID_VALIDITY)
1473 && !listctx->no_validity))
1475 const char *validity;
1477 validity = uid_trust_string_fixed (ctrl, pk, uid);
1478 indent = ((kl + (opt.legacy_list_mode? 9:11))
1479 - atoi (uid_trust_string_fixed (ctrl, NULL, NULL)));
1480 if (indent < 0 || indent > 40)
1483 es_fprintf (es_stdout, "uid%*s%s ", indent, "", validity);
1487 indent = kl + (opt.legacy_list_mode? 10:12);
1488 es_fprintf (es_stdout, "uid%*s", indent, "");
1491 print_utf8_buffer (es_stdout, uid->name, uid->len);
1492 es_putc ('\n', es_stdout);
1494 if ((opt.list_options & LIST_SHOW_PREF_VERBOSE))
1495 show_preferences (uid, indent+2, 0, 1);
1496 else if ((opt.list_options & LIST_SHOW_PREF))
1497 show_preferences (uid, indent+2, 0, 0);
1499 if (opt.with_wkd_hash)
1501 char *mbox, *hash, *p;
1504 mbox = mailbox_from_userid (uid->name, 0);
1505 if (mbox && (p = strchr (mbox, '@')))
1508 gcry_md_hash_buffer (GCRY_MD_SHA1, hashbuf,
1509 mbox, strlen (mbox));
1510 hash = zb32_encode (hashbuf, 8*20);
1513 es_fprintf (es_stdout, " %*s%s@%s\n",
1514 indent, "", hash, p);
1521 if (opt.with_key_origin
1522 && (uid->keyorg || uid->keyupdate || uid->updateurl))
1524 char updatestr[MK_DATESTR_SIZE];
1526 es_fprintf (es_stdout, " %*sorigin=%s last=%s %s",
1528 key_origin_string (uid->keyorg),
1529 mk_datestr (updatestr, sizeof updatestr,
1531 uid->updateurl? "url=":"");
1533 print_utf8_string (es_stdout, uid->updateurl);
1534 es_putc ('\n', es_stdout);
1537 if ((opt.list_options & LIST_SHOW_PHOTOS) && uid->attribs != NULL)
1538 show_photos (ctrl, uid->attribs, uid->numattribs, pk, uid);
1540 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1542 PKT_public_key *pk2 = node->pkt->pkt.public_key;
1544 if ((pk2->flags.revoked || pk2->has_expired)
1545 && !(opt.list_options & LIST_SHOW_UNUSABLE_SUBKEYS))
1553 xfree (serialno); serialno = NULL;
1554 xfree (hexgrip); hexgrip = NULL;
1555 if (secret || opt.with_keygrip)
1557 rc = hexkeygrip_from_pk (pk2, &hexgrip);
1559 log_error ("error computing a keygrip: %s\n",
1564 if (!agent_get_keyinfo (NULL, hexgrip, &serialno, NULL))
1565 secret = serialno? 3 : 1;
1567 secret = 2; /* Key not found. */
1570 /* Print the "sub" line. */
1571 print_key_line (ctrl, es_stdout, pk2, secret);
1572 if (fpr > 1 || opt.with_subkey_fingerprint)
1574 print_fingerprint (ctrl, NULL, pk2, 0);
1576 print_card_serialno (serialno);
1578 if (opt.with_keygrip && hexgrip)
1579 es_fprintf (es_stdout, " Keygrip = %s\n", hexgrip);
1580 if (opt.with_key_data)
1581 print_key_data (pk2);
1582 if (opt.with_key_screening)
1583 print_pk_screening (pk2, 0);
1585 else if (opt.list_sigs
1586 && node->pkt->pkttype == PKT_SIGNATURE && !skip_sigs)
1588 if ((opt.list_options & LIST_SORT_SIGS))
1591 unsigned int sigcount = 0;
1595 for (n=node; n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1597 sigarray = xcalloc (sigcount, sizeof *sigarray);
1600 for (n=node; n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next)
1602 if (!keyid_cmp (mainkid, n->pkt->pkt.signature->keyid))
1603 n->flag |= NODFLG_MARK_B; /* Is a self-sig. */
1605 n->flag &= ~NODFLG_MARK_B;
1607 sigarray[sigcount++] = node = n;
1609 /* Note that NODE is now at the last signature. */
1611 qsort (sigarray, sigcount, sizeof *sigarray, cmp_signodes);
1613 for (idx=0; idx < sigcount; idx++)
1614 list_signature_print (ctrl, keyblock, sigarray[idx], listctx);
1618 list_signature_print (ctrl, keyblock, node, listctx);
1621 es_putc ('\n', es_stdout);
1627 /* Do a simple key listing printing only the fingerprint and the mail
1628 * address of valid keys. */
1630 list_keyblock_simple (ctrl_t ctrl, kbnode_t keyblock)
1635 char hexfpr[2*MAX_FINGERPRINT_LEN+1];
1640 node = find_kbnode (keyblock, PKT_PUBLIC_KEY);
1643 log_error ("Oops; key lost!\n");
1644 dump_kbnode (keyblock);
1647 hexfingerprint (node->pkt->pkt.public_key, hexfpr, sizeof hexfpr);
1649 for (kbctx = NULL; (node = walk_kbnode (keyblock, &kbctx, 0));)
1651 if (node->pkt->pkttype == PKT_USER_ID)
1653 PKT_user_id *uid = node->pkt->pkt.user_id;
1655 if (uid->attrib_data)
1658 if (uid->flags.expired || uid->flags.revoked)
1661 mbox = mailbox_from_userid (uid->name, 0);
1664 ec = gpg_err_code_from_syserror ();
1665 if (ec != GPG_ERR_EINVAL)
1666 log_error ("error getting mailbox from user-id: %s\n",
1670 es_fprintf (es_stdout, "%s %s\n", hexfpr, mbox);
1678 print_revokers (estream_t fp, PKT_public_key * pk)
1680 /* print the revoker record */
1681 if (!pk->revkey && pk->numrevkeys)
1687 for (i = 0; i < pk->numrevkeys; i++)
1691 es_fprintf (fp, "rvk:::%d::::::", pk->revkey[i].algid);
1692 p = pk->revkey[i].fpr;
1693 for (j = 0; j < pk->revkey[i].fprlen; j++, p++)
1694 es_fprintf (fp, "%02X", *p);
1695 es_fprintf (fp, ":%02x%s:\n",
1696 pk->revkey[i].class,
1697 (pk->revkey[i].class & 0x40) ? "s" : "");
1703 /* Print the compliance flags to field 18. PK is the public key.
1704 * KEYLENGTH is the length of the key in bits and CURVENAME is either
1705 * NULL or the name of the curve. The latter two args are here
1706 * merely because the caller has already computed them. */
1708 print_compliance_flags (PKT_public_key *pk,
1709 unsigned int keylength, const char *curvename)
1714 keylength = nbits_from_pk (pk);
1716 if (pk->version == 5)
1718 es_fputs (gnupg_status_compliance_flag (CO_GNUPG), es_stdout);
1721 if (gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey,
1722 keylength, curvename))
1724 es_fprintf (es_stdout, any ? " %s" : "%s",
1725 gnupg_status_compliance_flag (CO_DE_VS));
1729 if (opt.with_key_screening)
1730 print_pk_screening (pk, 1+any);
1734 /* List a key in colon mode. If SECRET is true this is a secret key
1735 record (i.e. requested via --list-secret-key). If HAS_SECRET a
1736 secret key is available even if SECRET is not set. */
1738 list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
1739 int secret, int has_secret)
1746 int trustletter = 0;
1747 int trustletter_print;
1748 int ownertrust_print;
1751 char *hexgrip_buffer = NULL;
1752 const char *hexgrip = NULL;
1753 char *serialno = NULL;
1755 unsigned int keylength;
1757 const char *curvename = NULL;
1759 /* Get the keyid from the keyblock. */
1760 node = find_kbnode (keyblock, PKT_PUBLIC_KEY);
1763 log_error ("Oops; key lost!\n");
1764 dump_kbnode (keyblock);
1768 pk = node->pkt->pkt.public_key;
1769 if (secret || has_secret || opt.with_keygrip || opt.with_key_data)
1771 rc = hexkeygrip_from_pk (pk, &hexgrip_buffer);
1773 log_error ("error computing a keygrip: %s\n", gpg_strerror (rc));
1774 /* In the error case we print an empty string so that we have a
1775 * "grp" record for each primary and subkey - even if it is
1776 * empty. This may help to prevent sync problems. */
1777 hexgrip = hexgrip_buffer? hexgrip_buffer : "";
1780 if ((secret || has_secret)
1781 && agent_get_keyinfo (NULL, hexgrip, &serialno, NULL))
1782 stubkey = 1; /* Key not found. */
1784 keyid_from_pk (pk, keyid);
1785 if (!pk->flags.valid)
1786 trustletter_print = 'i';
1787 else if (pk->flags.revoked)
1788 trustletter_print = 'r';
1789 else if (pk->has_expired)
1790 trustletter_print = 'e';
1791 else if (opt.fast_list_mode || opt.no_expensive_trust_checks)
1792 trustletter_print = 0;
1795 trustletter = get_validity_info (ctrl, keyblock, pk, NULL);
1796 if (trustletter == 'u')
1798 trustletter_print = trustletter;
1801 if (!opt.fast_list_mode && !opt.no_expensive_trust_checks)
1802 ownertrust_print = get_ownertrust_info (ctrl, pk, 0);
1804 ownertrust_print = 0;
1806 keylength = nbits_from_pk (pk);
1808 es_fputs (secret? "sec:":"pub:", es_stdout);
1809 if (trustletter_print)
1810 es_putc (trustletter_print, es_stdout);
1811 es_fprintf (es_stdout, ":%u:%d:%08lX%08lX:%s:%s::",
1814 (ulong) keyid[0], (ulong) keyid[1],
1815 colon_datestr_from_pk (pk), colon_strtime (pk->expiredate));
1817 if (ownertrust_print)
1818 es_putc (ownertrust_print, es_stdout);
1819 es_putc (':', es_stdout);
1821 es_putc (':', es_stdout);
1822 es_putc (':', es_stdout);
1823 print_capabilities (ctrl, pk, keyblock);
1824 es_putc (':', es_stdout); /* End of field 13. */
1825 es_putc (':', es_stdout); /* End of field 14. */
1826 if (secret || has_secret)
1829 es_putc ('#', es_stdout);
1831 es_fputs (serialno, es_stdout);
1832 else if (has_secret)
1833 es_putc ('+', es_stdout);
1835 es_putc (':', es_stdout); /* End of field 15. */
1836 es_putc (':', es_stdout); /* End of field 16. */
1837 if (pk->pubkey_algo == PUBKEY_ALGO_ECDSA
1838 || pk->pubkey_algo == PUBKEY_ALGO_EDDSA
1839 || pk->pubkey_algo == PUBKEY_ALGO_ECDH)
1841 curve = openpgp_oid_to_str (pk->pkey[0]);
1842 curvename = openpgp_oid_to_curve (curve, 0);
1845 es_fputs (curvename, es_stdout);
1847 es_putc (':', es_stdout); /* End of field 17. */
1848 print_compliance_flags (pk, keylength, curvename);
1849 es_putc (':', es_stdout); /* End of field 18 (compliance). */
1851 es_fputs (colon_strtime (pk->keyupdate), es_stdout);
1852 es_putc (':', es_stdout); /* End of field 19 (last_update). */
1853 es_fprintf (es_stdout, "%d%s", pk->keyorg, pk->updateurl? " ":"");
1855 es_write_sanitized (es_stdout, pk->updateurl, strlen (pk->updateurl),
1857 es_putc (':', es_stdout); /* End of field 20 (origin). */
1858 es_putc ('\n', es_stdout);
1860 print_revokers (es_stdout, pk);
1861 print_fingerprint (ctrl, NULL, pk, 0);
1863 es_fprintf (es_stdout, "grp:::::::::%s:\n", hexgrip);
1864 if (opt.with_key_data)
1865 print_key_data (pk);
1867 for (kbctx = NULL; (node = walk_kbnode (keyblock, &kbctx, 0));)
1869 if (node->pkt->pkttype == PKT_USER_ID)
1871 PKT_user_id *uid = node->pkt->pkt.user_id;
1874 if (attrib_fp && uid->attrib_data != NULL)
1875 dump_attribs (uid, pk);
1877 if (uid->flags.revoked)
1879 else if (uid->flags.expired)
1881 else if (opt.no_expensive_trust_checks)
1886 uid_validity = get_validity_info (ctrl, keyblock, pk, uid);
1888 es_fputs (uid->attrib_data? "uat:":"uid:", es_stdout);
1890 es_putc (uid_validity, es_stdout);
1891 es_fputs ("::::", es_stdout);
1893 es_fprintf (es_stdout, "%s:", colon_strtime (uid->created));
1894 es_fprintf (es_stdout, "%s:", colon_strtime (uid->expiredate));
1896 namehash_from_uid (uid);
1898 for (i = 0; i < 20; i++)
1899 es_fprintf (es_stdout, "%02X", uid->namehash[i]);
1901 es_fprintf (es_stdout, "::");
1903 if (uid->attrib_data)
1904 es_fprintf (es_stdout, "%u %lu", uid->numattribs, uid->attrib_len);
1906 es_write_sanitized (es_stdout, uid->name, uid->len, ":", NULL);
1907 es_fputs (":::::::::", es_stdout);
1909 es_fputs (colon_strtime (uid->keyupdate), es_stdout);
1910 es_putc (':', es_stdout); /* End of field 19 (last_update). */
1911 es_fprintf (es_stdout, "%d%s", uid->keyorg, uid->updateurl? " ":"");
1913 es_write_sanitized (es_stdout,
1914 uid->updateurl, strlen (uid->updateurl),
1916 es_putc (':', es_stdout); /* End of field 20 (origin). */
1917 es_putc ('\n', es_stdout);
1919 if (!uid->attrib_data && opt.with_tofu_info
1920 && (opt.trust_model == TM_TOFU || opt.trust_model == TM_TOFU_PGP))
1922 /* Print a "tfs" record. */
1923 tofu_write_tfs_record (ctrl, es_stdout, pk, uid->name);
1927 else if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
1930 PKT_public_key *pk2;
1931 int need_hexgrip = !!hexgrip;
1933 pk2 = node->pkt->pkt.public_key;
1934 xfree (hexgrip_buffer); hexgrip_buffer = NULL; hexgrip = NULL;
1935 xfree (serialno); serialno = NULL;
1937 || secret || has_secret || opt.with_keygrip || opt.with_key_data)
1939 rc = hexkeygrip_from_pk (pk2, &hexgrip_buffer);
1941 log_error ("error computing a keygrip: %s\n",
1943 hexgrip = hexgrip_buffer? hexgrip_buffer : "";
1946 if ((secret||has_secret)
1947 && agent_get_keyinfo (NULL, hexgrip, &serialno, NULL))
1948 stubkey = 1; /* Key not found. */
1950 keyid_from_pk (pk2, keyid2);
1951 es_fputs (secret? "ssb:":"sub:", es_stdout);
1952 if (!pk2->flags.valid)
1953 es_putc ('i', es_stdout);
1954 else if (pk2->flags.revoked)
1955 es_putc ('r', es_stdout);
1956 else if (pk2->has_expired)
1957 es_putc ('e', es_stdout);
1958 else if (opt.fast_list_mode || opt.no_expensive_trust_checks)
1962 /* TRUSTLETTER should always be defined here. */
1964 es_fprintf (es_stdout, "%c", trustletter);
1966 keylength = nbits_from_pk (pk2);
1967 es_fprintf (es_stdout, ":%u:%d:%08lX%08lX:%s:%s:::::",
1970 (ulong) keyid2[0], (ulong) keyid2[1],
1971 colon_datestr_from_pk (pk2),
1972 colon_strtime (pk2->expiredate));
1973 print_capabilities (ctrl, pk2, NULL);
1974 es_putc (':', es_stdout); /* End of field 13. */
1975 es_putc (':', es_stdout); /* End of field 14. */
1976 if (secret || has_secret)
1979 es_putc ('#', es_stdout);
1981 es_fputs (serialno, es_stdout);
1982 else if (has_secret)
1983 es_putc ('+', es_stdout);
1985 es_putc (':', es_stdout); /* End of field 15. */
1986 es_putc (':', es_stdout); /* End of field 16. */
1987 if (pk2->pubkey_algo == PUBKEY_ALGO_ECDSA
1988 || pk2->pubkey_algo == PUBKEY_ALGO_EDDSA
1989 || pk2->pubkey_algo == PUBKEY_ALGO_ECDH)
1992 curve = openpgp_oid_to_str (pk2->pkey[0]);
1993 curvename = openpgp_oid_to_curve (curve, 0);
1996 es_fputs (curvename, es_stdout);
1998 es_putc (':', es_stdout); /* End of field 17. */
1999 print_compliance_flags (pk2, keylength, curvename);
2000 es_putc (':', es_stdout); /* End of field 18. */
2001 es_putc ('\n', es_stdout);
2002 print_fingerprint (ctrl, NULL, pk2, 0);
2004 es_fprintf (es_stdout, "grp:::::::::%s:\n", hexgrip);
2005 if (opt.with_key_data)
2006 print_key_data (pk2);
2008 else if (opt.list_sigs && node->pkt->pkttype == PKT_SIGNATURE)
2010 PKT_signature *sig = node->pkt->pkt.signature;
2011 int sigrc, fprokay = 0;
2014 byte fparray[MAX_FINGERPRINT_LEN];
2017 char *issuer_fpr = NULL;
2018 char *reason_text = NULL;
2019 char *reason_comment = NULL;
2020 size_t reason_commentlen;
2021 int reason_code = 0; /* Init to silence compiler warning. */
2023 if (sig->sig_class == 0x20 || sig->sig_class == 0x28
2024 || sig->sig_class == 0x30)
2027 reason_code = get_revocation_reason (sig, &reason_text,
2029 &reason_commentlen);
2031 else if ((sig->sig_class & ~3) == 0x10)
2033 else if (sig->sig_class == 0x18)
2035 else if (sig->sig_class == 0x1F)
2039 es_fprintf (es_stdout, "sig::::::::::%02x%c:\n",
2040 sig->sig_class, sig->flags.exportable ? 'x' : 'l');
2046 PKT_public_key *signer_pk = NULL;
2048 es_fflush (es_stdout);
2049 if (opt.no_sig_cache)
2050 signer_pk = xmalloc_clear (sizeof (PKT_public_key));
2052 rc = check_key_signature2 (ctrl, keyblock, node, NULL, signer_pk,
2054 switch (gpg_err_code (rc))
2059 case GPG_ERR_BAD_SIGNATURE:
2062 case GPG_ERR_NO_PUBKEY:
2063 case GPG_ERR_UNUSABLE_PUBKEY:
2071 if (opt.no_sig_cache)
2075 fingerprint_from_pk (signer_pk, fparray, &fplen);
2078 free_public_key (signer_pk);
2084 sigrc = ' '; /* Note the fix-up below in --list-sigs mode. */
2087 if (sigrc != '%' && sigrc != '?' && !opt.fast_list_mode)
2090 siguid = get_user_id (ctrl, sig->keyid, &siguidlen, &nouid);
2091 if (!opt.check_sigs && nouid)
2092 sigrc = '?'; /* No key in local keyring. */
2101 es_fputs (sigstr, es_stdout);
2102 es_putc (':', es_stdout);
2104 es_putc (sigrc, es_stdout);
2105 es_fprintf (es_stdout, "::%d:%08lX%08lX:%s:%s:", sig->pubkey_algo,
2106 (ulong) sig->keyid[0], (ulong) sig->keyid[1],
2107 colon_datestr_from_sig (sig),
2108 colon_expirestr_from_sig (sig));
2110 if (sig->trust_depth || sig->trust_value)
2111 es_fprintf (es_stdout, "%d %d", sig->trust_depth, sig->trust_value);
2112 es_fprintf (es_stdout, ":");
2114 if (sig->trust_regexp)
2115 es_write_sanitized (es_stdout, sig->trust_regexp,
2116 strlen (sig->trust_regexp), ":", NULL);
2117 es_fprintf (es_stdout, ":");
2120 es_fprintf (es_stdout, "[%s] ", gpg_strerror (rc));
2122 es_write_sanitized (es_stdout, siguid, siguidlen, ":", NULL);
2124 es_fprintf (es_stdout, ":%02x%c", sig->sig_class,
2125 sig->flags.exportable ? 'x' : 'l');
2127 es_fprintf (es_stdout, ",%02x", reason_code);
2128 es_fputs ("::", es_stdout);
2130 if (opt.no_sig_cache && opt.check_sigs && fprokay)
2132 for (i = 0; i < fplen; i++)
2133 es_fprintf (es_stdout, "%02X", fparray[i]);
2135 else if ((issuer_fpr = issuer_fpr_string (sig)))
2136 es_fputs (issuer_fpr, es_stdout);
2138 es_fprintf (es_stdout, ":::%d:", sig->digest_algo);
2142 es_fputs ("::::", es_stdout);
2143 es_write_sanitized (es_stdout, reason_comment, reason_commentlen,
2145 es_putc (':', es_stdout);
2147 es_putc ('\n', es_stdout);
2149 if (opt.show_subpackets)
2150 print_subpackets_colon (sig);
2152 /* fixme: check or list other sigs here */
2153 xfree (reason_text);
2154 xfree (reason_comment);
2161 xfree (hexgrip_buffer);
2166 * Reorder the keyblock so that the primary user ID (and not attribute
2167 * packet) comes first. Fixme: Replace this by a generic sort
2170 do_reorder_keyblock (KBNODE keyblock, int attr)
2172 KBNODE primary = NULL, primary0 = NULL, primary2 = NULL;
2175 for (node = keyblock; node; primary0 = node, node = node->next)
2177 if (node->pkt->pkttype == PKT_USER_ID &&
2178 ((attr && node->pkt->pkt.user_id->attrib_data) ||
2179 (!attr && !node->pkt->pkt.user_id->attrib_data)) &&
2180 node->pkt->pkt.user_id->flags.primary)
2182 primary = primary2 = node;
2183 for (node = node->next; node; primary2 = node, node = node->next)
2185 if (node->pkt->pkttype == PKT_USER_ID
2186 || node->pkt->pkttype == PKT_PUBLIC_SUBKEY
2187 || node->pkt->pkttype == PKT_SECRET_SUBKEY)
2196 return; /* No primary key flag found (should not happen). */
2198 for (last = NULL, node = keyblock; node; last = node, node = node->next)
2200 if (node->pkt->pkttype == PKT_USER_ID)
2204 log_assert (last); /* The user ID is never the first packet. */
2205 log_assert (primary0); /* Ditto (this is the node before primary). */
2206 if (node == primary)
2207 return; /* Already the first one. */
2209 last->next = primary;
2210 primary0->next = primary2->next;
2211 primary2->next = node;
2215 reorder_keyblock (KBNODE keyblock)
2217 do_reorder_keyblock (keyblock, 1);
2218 do_reorder_keyblock (keyblock, 0);
2223 list_keyblock (ctrl_t ctrl,
2224 KBNODE keyblock, int secret, int has_secret, int fpr,
2225 struct keylist_context *listctx)
2227 reorder_keyblock (keyblock);
2229 if (list_filter.selkey)
2232 struct impex_filter_parm_s parm;
2235 for (parm.node = keyblock; parm.node; parm.node = parm.node->next)
2237 if (recsel_select (list_filter.selkey, impex_filter_getval, &parm))
2244 return; /* Skip this one. */
2247 if (opt.with_colons)
2248 list_keyblock_colon (ctrl, keyblock, secret, has_secret);
2249 else if ((opt.list_options & LIST_SHOW_ONLY_FPR_MBOX))
2251 if (!listctx->no_validity)
2252 check_trustdb_stale (ctrl);
2253 list_keyblock_simple (ctrl, keyblock);
2256 list_keyblock_print (ctrl, keyblock, secret, fpr, listctx);
2259 es_fflush (es_stdout);
2263 /* Public function used by keygen to list a keyblock. If NO_VALIDITY
2264 * is set the validity of a key is never shown. */
2266 list_keyblock_direct (ctrl_t ctrl,
2267 kbnode_t keyblock, int secret, int has_secret, int fpr,
2270 struct keylist_context listctx;
2272 memset (&listctx, 0, sizeof (listctx));
2273 listctx.no_validity = !!no_validity;
2274 list_keyblock (ctrl, keyblock, secret, has_secret, fpr, &listctx);
2275 keylist_context_release (&listctx);
2279 /* Print an hex digit in ICAO spelling. */
2281 print_icao_hexdigit (estream_t fp, int c)
2283 static const char *list[16] = {
2284 "Zero", "One", "Two", "Three", "Four", "Five", "Six", "Seven",
2285 "Eight", "Niner", "Alfa", "Bravo", "Charlie", "Delta", "Echo", "Foxtrot"
2288 tty_fprintf (fp, "%s", list[c&15]);
2293 * Function to print the finperprint.
2294 * mode 0: as used in key listings, opt.with_colons is honored
2295 * 1: print using log_info ()
2296 * 2: direct use of tty
2297 * 3: direct use of tty but only primary key.
2298 * 4: direct use of tty but only subkey.
2299 * 10: Same as 0 but with_colons etc is ignored.
2300 * 20: Same as 0 but using a compact format.
2302 * Modes 1 and 2 will try and print both subkey and primary key
2303 * fingerprints. A MODE with bit 7 set is used internally. If
2304 * OVERRIDE_FP is not NULL that stream will be used in 0 instead
2305 * of es_stdout or instead of the TTY in modes 2 and 3.
2308 print_fingerprint (ctrl_t ctrl, estream_t override_fp,
2309 PKT_public_key *pk, int mode)
2311 char hexfpr[2*MAX_FINGERPRINT_LEN+1];
2317 int with_colons = opt.with_colons;
2318 int with_icao = opt.with_icao_spelling;
2327 else if (mode == 20)
2334 if (!opt.fingerprint && !opt.with_fingerprint
2335 && opt.with_subkey_fingerprint)
2338 if (pk->main_keyid[0] == pk->keyid[0]
2339 && pk->main_keyid[1] == pk->keyid[1])
2342 /* Just to be safe */
2343 if ((mode & 0x80) && !primary)
2345 log_error ("primary key is not really primary!\n");
2351 if (!primary && (mode == 1 || mode == 2))
2353 PKT_public_key *primary_pk = xmalloc_clear (sizeof (*primary_pk));
2354 get_pubkey (ctrl, primary_pk, pk->main_keyid);
2355 print_fingerprint (ctrl, override_fp, primary_pk, (mode | 0x80));
2356 free_public_key (primary_pk);
2361 fp = log_get_stream ();
2363 text = _("Primary key fingerprint:");
2365 text = _(" Subkey fingerprint:");
2369 fp = override_fp; /* Use tty or given stream. */
2371 /* TRANSLATORS: this should fit into 24 bytes so that the
2372 * fingerprint data is properly aligned with the user ID */
2373 text = _(" Primary key fingerprint:");
2375 text = _(" Subkey fingerprint:");
2379 fp = override_fp; /* Use tty or given stream. */
2380 text = _(" Key fingerprint =");
2384 fp = override_fp; /* Use tty or given stream. */
2385 text = _(" Subkey fingerprint:");
2389 fp = override_fp? override_fp : es_stdout;
2390 if (opt.keyid_format == KF_NONE)
2392 text = " "; /* To indent ICAO spelling. */
2396 text = _(" Key fingerprint =");
2399 hexfingerprint (pk, hexfpr, sizeof hexfpr);
2400 if (with_colons && !mode)
2402 es_fprintf (fp, "fpr:::::::::%s:", hexfpr);
2404 else if (compact && !opt.fingerprint && !opt.with_fingerprint)
2406 tty_fprintf (fp, "%*s%s", 6, "", hexfpr);
2410 char fmtfpr[MAX_FORMATTED_FINGERPRINT_LEN + 1];
2411 format_hexfingerprint (hexfpr, fmtfpr, sizeof fmtfpr);
2413 tty_fprintf (fp, "%*s%s", 6, "", fmtfpr);
2415 tty_fprintf (fp, "%s %s", text, fmtfpr);
2417 tty_fprintf (fp, "\n");
2418 if (!with_colons && with_icao)
2421 tty_fprintf (fp, "%*s\"", (int)strlen(text)+1, "");
2422 for (i = 0, p = hexfpr; *p; i++, p++)
2427 tty_fprintf (fp, "\n%*s ", (int)strlen(text)+1, "");
2429 tty_fprintf (fp, " ");
2431 tty_fprintf (fp, " ");
2432 print_icao_hexdigit (fp, xtoi_1 (p));
2434 tty_fprintf (fp, "\"\n");
2438 /* Print the serial number of an OpenPGP card if available. */
2440 print_card_serialno (const char *serialno)
2444 if (opt.with_colons)
2445 return; /* Handled elsewhere. */
2447 es_fputs (_(" Card serial no. ="), es_stdout);
2448 es_putc (' ', es_stdout);
2449 if (strlen (serialno) == 32 && !strncmp (serialno, "D27600012401", 12))
2451 /* This is an OpenPGP card. Print the relevant part. */
2452 /* Example: D2760001240101010001000003470000 */
2454 es_fprintf (es_stdout, "%.*s %.*s", 4, serialno+16, 8, serialno+20);
2457 es_fputs (serialno, es_stdout);
2458 es_putc ('\n', es_stdout);
2462 /* Print a public or secret (sub)key line. Example:
2464 * pub dsa2048 2007-12-31 [SC] [expires: 2018-12-31]
2465 * 80615870F5BAD690333686D0F2AD85AC1E42B367
2467 * pub rsa2048 2017-12-31 [SC] [expires: 2028-12-31]
2468 * 80615870F5BAD690333686D0F2AD85AC1E42B3671122334455
2470 * Some global options may result in a different output format. If
2471 * SECRET is set, "sec" or "ssb" is used instead of "pub" or "sub" and
2472 * depending on the value a flag character is shown:
2474 * 1 := ' ' Regular secret key
2475 * 2 := '#' Stub secret key
2476 * 3 := '>' Secret key is on a token.
2479 print_key_line (ctrl_t ctrl, estream_t fp, PKT_public_key *pk, int secret)
2481 char pkstrbuf[PUBKEY_STRING_SIZE];
2483 tty_fprintf (fp, "%s%c %s",
2484 pk->flags.primary? (secret? "sec":"pub")
2485 /**/ : (secret? "ssb":"sub"),
2486 secret == 2? '#' : secret == 3? '>' : ' ',
2487 pubkey_string (pk, pkstrbuf, sizeof pkstrbuf));
2488 if (opt.keyid_format != KF_NONE)
2489 tty_fprintf (fp, "/%s", keystr_from_pk (pk));
2490 tty_fprintf (fp, " %s", datestr_from_pk (pk));
2492 if (pk->flags.primary
2493 && !(openpgp_pk_algo_usage (pk->pubkey_algo)
2494 & (PUBKEY_USAGE_CERT| PUBKEY_USAGE_SIG|PUBKEY_USAGE_AUTH)))
2496 /* A primary key which is really not capable to sign. */
2497 tty_fprintf (fp, " [INVALID_ALGO]");
2499 else if ((opt.list_options & LIST_SHOW_USAGE))
2501 tty_fprintf (fp, " [%s]", usagestr_from_pk (pk, 0));
2504 if (pk->flags.revoked)
2506 tty_fprintf (fp, " [");
2507 tty_fprintf (fp, _("revoked: %s"), revokestr_from_pk (pk));
2508 tty_fprintf (fp, "]");
2510 else if (pk->has_expired)
2512 tty_fprintf (fp, " [");
2513 tty_fprintf (fp, _("expired: %s"), expirestr_from_pk (pk));
2514 tty_fprintf (fp, "]");
2516 else if (pk->expiredate)
2518 tty_fprintf (fp, " [");
2519 tty_fprintf (fp, _("expires: %s"), expirestr_from_pk (pk));
2520 tty_fprintf (fp, "]");
2524 /* I need to think about this some more. It's easy enough to
2525 include, but it looks sort of confusing in the listing... */
2526 if (opt.list_options & LIST_SHOW_VALIDITY)
2528 int validity = get_validity (ctrl, pk, NULL, NULL, 0);
2529 tty_fprintf (fp, " [%s]", trust_value_to_string (validity));
2533 if (pk->pubkey_algo >= 100)
2534 tty_fprintf (fp, " [experimental algorithm %d]", pk->pubkey_algo);
2536 tty_fprintf (fp, "\n");
2538 /* if the user hasn't explicitly asked for human-readable
2539 fingerprints, show compact fpr of primary key: */
2540 if (pk->flags.primary &&
2541 !opt.fingerprint && !opt.with_fingerprint)
2542 print_fingerprint (ctrl, fp, pk, 20);
2547 set_attrib_fd (int fd)
2549 static int last_fd = -1;
2551 if (fd != -1 && last_fd == fd)
2554 /* Fixme: Do we need to check for the log stream here? */
2555 if (attrib_fp && attrib_fp != log_get_stream ())
2556 es_fclose (attrib_fp);
2561 if (! gnupg_fd_valid (fd))
2562 log_fatal ("attribute-fd is invalid: %s\n", strerror (errno));
2564 #ifdef HAVE_DOSISH_SYSTEM
2565 setmode (fd, O_BINARY);
2568 attrib_fp = es_stdout;
2570 attrib_fp = es_stderr;
2572 attrib_fp = es_fdopen (fd, "wb");
2575 log_fatal ("can't open fd %d for attribute output: %s\n",
2576 fd, strerror (errno));