1 /* gpg-wks-client.c - A client for the Web Key Service protocols.
2 * Copyright (C) 2016, 2022 g10 Code GmbH
3 * Copyright (C) 2016 Bundesamt für Sicherheit in der Informationstechnik
5 * This file is part of GnuPG.
7 * This file is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Lesser General Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
12 * This file is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
19 * SPDX-License-Identifier: LGPL-2.1-or-later
27 #include <sys/types.h>
30 #define INCLUDED_BY_MAIN_MODULE 1
31 #include "../common/util.h"
32 #include "../common/status.h"
33 #include "../common/i18n.h"
34 #include "../common/sysutils.h"
35 #include "../common/init.h"
36 #include "../common/asshelp.h"
37 #include "../common/userids.h"
38 #include "../common/ccparray.h"
39 #include "../common/exectool.h"
40 #include "../common/mbox-util.h"
41 #include "../common/name-value.h"
42 #include "../common/comopt.h"
43 #include "call-dirmngr.h"
44 #include "mime-maker.h"
45 #include "send-mail.h"
49 /* Constants to identify the commands and options. */
50 enum cmd_and_opt_values
86 /* The list of commands and options. */
87 static gpgrt_opt_t opts[] = {
88 ARGPARSE_group (300, ("@Commands:\n ")),
90 ARGPARSE_c (aSupported, "supported",
91 ("check whether provider supports WKS")),
92 ARGPARSE_c (aCheck, "check",
93 ("check whether a key is available")),
94 ARGPARSE_c (aCreate, "create",
95 ("create a publication request")),
96 ARGPARSE_c (aReceive, "receive",
97 ("receive a MIME confirmation request")),
98 ARGPARSE_c (aRead, "read",
99 ("receive a plain text confirmation request")),
100 ARGPARSE_c (aMirror, "mirror",
101 "mirror an LDAP directory"),
102 ARGPARSE_c (aInstallKey, "install-key",
103 "install a key into a directory"),
104 ARGPARSE_c (aRemoveKey, "remove-key",
105 "remove a key from a directory"),
106 ARGPARSE_c (aPrintWKDHash, "print-wkd-hash",
107 "print the WKD identifier for the given user ids"),
108 ARGPARSE_c (aPrintWKDURL, "print-wkd-url",
109 "print the WKD URL for the given user id"),
111 ARGPARSE_group (301, ("@\nOptions:\n ")),
113 ARGPARSE_s_n (oVerbose, "verbose", ("verbose")),
114 ARGPARSE_s_n (oQuiet, "quiet", ("be somewhat more quiet")),
115 ARGPARSE_s_s (oDebug, "debug", "@"),
116 ARGPARSE_s_s (oGpgProgram, "gpg", "@"),
117 ARGPARSE_s_n (oSend, "send", "send the mail using sendmail"),
118 ARGPARSE_s_s (oOutput, "output", "|FILE|write the mail to FILE"),
119 ARGPARSE_s_i (oStatusFD, "status-fd", N_("|FD|write status info to this FD")),
120 ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
121 ARGPARSE_s_n (oWithColons, "with-colons", "@"),
122 ARGPARSE_s_s (oBlacklist, "blacklist", "@"),
123 ARGPARSE_s_s (oDirectory, "directory", "@"),
124 ARGPARSE_s_n (oAddRevocs, "add-revocs", "add revocation certificates"),
125 ARGPARSE_s_n (oNoAddRevocs, "no-add-revocs", "do not add revocation certificates"),
127 ARGPARSE_s_s (oFakeSubmissionAddr, "fake-submission-addr", "@"),
133 /* The list of supported debug flags. */
134 static struct debug_flags_s debug_flags [] =
136 { DBG_MIME_VALUE , "mime" },
137 { DBG_PARSER_VALUE , "parser" },
138 { DBG_CRYPTO_VALUE , "crypto" },
139 { DBG_MEMORY_VALUE , "memory" },
140 { DBG_MEMSTAT_VALUE, "memstat" },
141 { DBG_IPC_VALUE , "ipc" },
142 { DBG_EXTPROG_VALUE, "extprog" },
148 /* Value of the option --fake-submission-addr. */
149 const char *fake_submission_addr;
151 /* An array with blacklisted addresses and its length. Use
152 * is_in_blacklist to check. */
153 static char **blacklist_array;
154 static size_t blacklist_array_len;
157 static void wrong_args (const char *text) GPGRT_ATTR_NORETURN;
158 static void add_blacklist (const char *fname);
159 static gpg_error_t proc_userid_from_stdin (gpg_error_t (*func)(const char *),
161 static gpg_error_t command_supported (char *userid);
162 static gpg_error_t command_check (char *userid);
163 static gpg_error_t command_create (const char *fingerprint, const char *userid);
164 static gpg_error_t encrypt_response (estream_t *r_output, estream_t input,
165 const char *addrspec,
166 const char *fingerprint);
167 static gpg_error_t read_confirmation_request (estream_t msg);
168 static gpg_error_t command_receive_cb (void *opaque,
169 const char *mediatype, estream_t fp,
171 static gpg_error_t command_mirror (char *domain[]);
175 /* Print usage information and provide strings for help. */
177 my_strusage( int level )
183 case 9: p = "LGPL-2.1-or-later"; break;
184 case 11: p = "gpg-wks-client"; break;
185 case 12: p = "@GNUPG@"; break;
186 case 13: p = VERSION; break;
187 case 14: p = GNUPG_DEF_COPYRIGHT_LINE; break;
188 case 17: p = PRINTABLE_OS_NAME; break;
189 case 19: p = ("Please report bugs to <@EMAIL@>.\n"); break;
193 p = ("Usage: gpg-wks-client [command] [options] [args] (-h for help)");
196 p = ("Syntax: gpg-wks-client [command] [options] [args]\n"
197 "Client for the Web Key Service\n");
200 default: p = NULL; break;
207 wrong_args (const char *text)
209 es_fprintf (es_stderr, _("usage: %s [options] %s\n"),
210 gpgrt_strusage (11), text);
216 /* Command line parsing. */
217 static enum cmd_and_opt_values
218 parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
220 enum cmd_and_opt_values cmd = 0;
221 int no_more_options = 0;
223 while (!no_more_options && gpgrt_argparse (NULL, pargs, popts))
225 switch (pargs->r_opt)
227 case oQuiet: opt.quiet = 1; break;
228 case oVerbose: opt.verbose++; break;
230 if (parse_debug_flag (pargs->r.ret_str, &opt.debug, debug_flags))
232 pargs->r_opt = ARGPARSE_INVALID_ARG;
233 pargs->err = ARGPARSE_PRINT_ERROR;
238 opt.gpg_program = pargs->r.ret_str;
241 opt.directory = pargs->r.ret_str;
244 opt.use_sendmail = 1;
247 opt.output = pargs->r.ret_str;
249 case oFakeSubmissionAddr:
250 fake_submission_addr = pargs->r.ret_str;
253 wks_set_status_fd (translate_sys2libc_fd_int (pargs->r.ret_int, 1));
259 opt.no_autostart = 1;
262 add_blacklist (pargs->r.ret_str);
284 default: pargs->err = ARGPARSE_PRINT_ERROR; break;
293 /* gpg-wks-client main. */
295 main (int argc, char **argv)
297 gpg_error_t err, delayed_err;
298 gpgrt_argparse_t pargs;
299 enum cmd_and_opt_values cmd;
301 gnupg_reopen_std ("gpg-wks-client");
302 gpgrt_set_strusage (my_strusage);
303 log_set_prefix ("gpg-wks-client", GPGRT_LOG_WITH_PREFIX);
305 /* Make sure that our subsystems are ready. */
307 init_common_subsystems (&argc, &argv);
309 assuan_set_gpg_err_source (GPG_ERR_SOURCE_DEFAULT);
310 setup_libassuan_logging (&opt.debug, NULL);
312 opt.add_revocs = 1; /* Default add revocation certs. */
314 /* Parse the command line. */
317 pargs.flags = ARGPARSE_FLAG_KEEP;
318 cmd = parse_arguments (&pargs, opts);
319 gpgrt_argparse (NULL, &pargs, NULL);
321 /* Check if gpg is build with sendmail support */
322 if (opt.use_sendmail && !NAME_OF_SENDMAIL[0])
324 err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
325 log_error ("sending mail is not supported in this build: %s\n",
329 if (log_get_errorcount (0))
332 /* Process common component options. Note that we set the config
333 * dir only here so that --homedir will have an effect. */
334 gpgrt_set_confdir (GPGRT_CONFDIR_SYS, gnupg_sysconfdir ());
335 gpgrt_set_confdir (GPGRT_CONFDIR_USER, gnupg_homedir ());
336 if (parse_comopt (GNUPG_MODULE_NAME_CONNECT_AGENT, opt.verbose > 1))
338 if (comopt.no_autostart)
339 opt.no_autostart = 1;
341 /* Print a warning if an argument looks like an option. */
342 if (!opt.quiet && !(pargs.flags & ARGPARSE_FLAG_STOP_SEEN))
346 for (i=0; i < argc; i++)
347 if (argv[i][0] == '-' && argv[i][1] == '-')
348 log_info (("NOTE: '%s' is not considered an option\n"), argv[i]);
351 /* Set defaults for non given options. */
352 if (!opt.gpg_program)
353 opt.gpg_program = gnupg_module_name (GNUPG_MODULE_NAME_GPG);
356 opt.directory = "openpgpkey";
358 /* Tell call-dirmngr what options we want. */
359 set_dirmngr_options (opt.verbose, (opt.debug & DBG_IPC_VALUE),
363 /* Check that the top directory exists. */
364 if (cmd == aInstallKey || cmd == aRemoveKey || cmd == aMirror)
368 if (gnupg_stat (opt.directory, &sb))
370 err = gpg_error_from_syserror ();
371 log_error ("error accessing directory '%s': %s\n",
372 opt.directory, gpg_strerror (err));
375 if (!S_ISDIR(sb.st_mode))
377 log_error ("error accessing directory '%s': %s\n",
378 opt.directory, "not a directory");
379 err = gpg_error (GPG_ERR_ENOENT);
384 /* Run the selected command. */
390 for (; argc; argc--, argv++)
391 command_supported (*argv);
397 wrong_args ("--supported DOMAIN");
398 err = command_supported (argv[0]);
399 if (err && gpg_err_code (err) != GPG_ERR_FALSE)
400 log_error ("checking support failed: %s\n", gpg_strerror (err));
406 wrong_args ("--create FINGERPRINT USER-ID");
407 err = command_create (argv[0], argv[1]);
409 log_error ("creating request failed: %s\n", gpg_strerror (err));
414 wrong_args ("--receive < MIME-DATA");
415 err = wks_receive (es_stdin, command_receive_cb, NULL);
417 log_error ("processing mail failed: %s\n", gpg_strerror (err));
422 wrong_args ("--read < WKS-DATA");
423 err = read_confirmation_request (es_stdin);
425 log_error ("processing mail failed: %s\n", gpg_strerror (err));
430 wrong_args ("--check USER-ID");
431 err = command_check (argv[0]);
436 err = command_mirror (NULL);
438 err = command_mirror (argv);
443 err = wks_cmd_install_key (NULL, NULL);
445 err = wks_cmd_install_key (*argv, argv[1]);
447 wrong_args ("--install-key [FILE|FINGERPRINT USER-ID]");
452 wrong_args ("--remove-key USER-ID");
453 err = wks_cmd_remove_key (*argv);
460 if (cmd == aPrintWKDHash)
461 err = proc_userid_from_stdin (wks_cmd_print_wkd_hash,
462 "printing WKD hash");
464 err = proc_userid_from_stdin (wks_cmd_print_wkd_url,
469 for (err = delayed_err = 0; !err && argc; argc--, argv++)
471 if (cmd == aPrintWKDHash)
472 err = wks_cmd_print_wkd_hash (*argv);
474 err = wks_cmd_print_wkd_url (*argv);
475 if (gpg_err_code (err) == GPG_ERR_INV_USER_ID)
477 /* Diagnostic already printed. */
482 log_error ("printing hash failed: %s\n", gpg_strerror (err));
497 wks_write_status (STATUS_FAILURE, "- %u", err);
498 else if (log_get_errorcount (0))
499 wks_write_status (STATUS_FAILURE, "- %u", GPG_ERR_GENERAL);
501 wks_write_status (STATUS_SUCCESS, NULL);
502 return (err || log_get_errorcount (0))? 1:0;
507 /* Read a file FNAME into a buffer and return that malloced buffer.
508 * Caller must free the buffer. On error NULL is returned, on success
509 * the valid length of the buffer is stored at R_LENGTH. The returned
510 * buffer is guaranteed to be Nul terminated. */
512 read_file (const char *fname, size_t *r_length)
518 if (!strcmp (fname, "-"))
520 size_t nread, bufsize = 0;
531 buf = xmalloc (bufsize+1);
533 buf = xrealloc (buf, bufsize+1);
535 nread = es_fread (buf+buflen, 1, NCHUNK, fp);
536 if (nread < NCHUNK && es_ferror (fp))
538 log_error ("error reading '[stdin]': %s\n", strerror (errno));
544 while (nread == NCHUNK);
551 fp = es_fopen (fname, "rb");
554 log_error ("can't open '%s': %s\n", fname, strerror (errno));
558 if (fstat (es_fileno (fp), &st))
560 log_error ("can't stat '%s': %s\n", fname, strerror (errno));
566 buf = xmalloc (buflen+1);
567 if (es_fread (buf, buflen, 1, fp) != 1)
569 log_error ("error reading '%s': %s\n", fname, strerror (errno));
584 cmp_blacklist (const void *arg_a, const void *arg_b)
586 const char *a = *(const char **)arg_a;
587 const char *b = *(const char **)arg_b;
588 return strcmp (a, b);
592 /* Add a blacklist to our global table. This is called during option
593 * parsing and thus any use of log_error will eventually stop further
596 add_blacklist (const char *fname)
601 size_t arraysize, arrayidx;
603 buffer = read_file (fname, NULL);
607 /* Estimate the number of entries by counting the non-comment lines. */
608 arraysize = 2; /* For the first and an extra NULL item. */
609 for (p=buffer; *p; p++)
610 if (*p == '\n' && p[1] && p[1] != '#')
613 array = xcalloc (arraysize, sizeof *array);
616 /* Loop over all lines. */
617 for (p = buffer; p && *p; p = pend)
619 pend = strchr (p, '\n');
623 if (!*p || *p == '#' )
626 log_assert (arrayidx < arraysize);
630 log_assert (arrayidx < arraysize);
632 qsort (array, arrayidx, sizeof *array, cmp_blacklist);
634 blacklist_array = array;
635 blacklist_array_len = arrayidx;
636 gpgrt_annotate_leaked_object (buffer);
637 gpgrt_annotate_leaked_object (blacklist_array);
641 /* Return true if NAME is in a blacklist. */
643 is_in_blacklist (const char *name)
645 if (!name || !blacklist_array)
647 return !!bsearch (&name, blacklist_array, blacklist_array_len,
648 sizeof *blacklist_array, cmp_blacklist);
653 /* Read user ids from stdin and call FUNC for each user id. TEXT is
654 * used for error messages. */
656 proc_userid_from_stdin (gpg_error_t (*func)(const char *), const char *text)
659 gpg_error_t delayed_err = 0;
663 /* If we are on a terminal disable buffering to get direct response. */
664 if (gnupg_isatty (es_fileno (es_stdin))
665 && gnupg_isatty (es_fileno (es_stdout)))
667 es_setvbuf (es_stdin, NULL, _IONBF, 0);
668 es_setvbuf (es_stdout, NULL, _IOLBF, 0);
671 while (es_fgets (line, sizeof line - 1, es_stdin))
674 if (!n || line[n-1] != '\n')
676 err = gpg_error (*line? GPG_ERR_LINE_TOO_LONG
677 : GPG_ERR_INCOMPLETE_LINE);
678 log_error ("error reading stdin: %s\n", gpg_strerror (err));
683 if (gpg_err_code (err) == GPG_ERR_INV_USER_ID)
689 log_error ("%s failed: %s\n", text, gpg_strerror (err));
691 if (es_ferror (es_stdin))
693 err = gpg_error_from_syserror ();
694 log_error ("error reading stdin: %s\n", gpg_strerror (err));
707 /* Add the user id UID to the key identified by FINGERPRINT. */
709 add_user_id (const char *fingerprint, const char *uid)
713 const char **argv = NULL;
715 ccparray_init (&ccp, 0);
717 ccparray_put (&ccp, "--no-options");
719 ccparray_put (&ccp, "--quiet");
721 ccparray_put (&ccp, "--verbose");
722 ccparray_put (&ccp, "--batch");
723 ccparray_put (&ccp, "--always-trust");
724 ccparray_put (&ccp, "--quick-add-uid");
725 ccparray_put (&ccp, fingerprint);
726 ccparray_put (&ccp, uid);
728 ccparray_put (&ccp, NULL);
729 argv = ccparray_get (&ccp, NULL);
732 err = gpg_error_from_syserror ();
735 err = gnupg_exec_tool_stream (opt.gpg_program, argv, NULL,
740 log_error ("adding user id failed: %s\n", gpg_strerror (err));
751 struct decrypt_stream_parm_s
759 decrypt_stream_status_cb (void *opaque, const char *keyword, char *args)
761 struct decrypt_stream_parm_s *decinfo = opaque;
764 log_debug ("gpg status: %s %s\n", keyword, args);
765 if (!strcmp (keyword, "DECRYPTION_KEY") && !decinfo->fpr)
767 const char *fields[3];
769 if (split_fields (args, fields, DIM (fields)) >= 3)
771 decinfo->fpr = xstrdup (fields[0]);
772 decinfo->mainfpr = xstrdup (fields[1]);
773 decinfo->otrust = *fields[2];
778 /* Decrypt the INPUT stream to a new stream which is stored at success
781 decrypt_stream (estream_t *r_output, struct decrypt_stream_parm_s *decinfo,
790 memset (decinfo, 0, sizeof *decinfo);
792 output = es_fopenmem (0, "w+b");
795 err = gpg_error_from_syserror ();
796 log_error ("error allocating memory buffer: %s\n", gpg_strerror (err));
800 ccparray_init (&ccp, 0);
802 ccparray_put (&ccp, "--no-options");
803 /* We limit the output to 64 KiB to avoid DoS using compression
804 * tricks. A regular client will anyway only send a minimal key;
805 * that is one w/o key signatures and attribute packets. */
806 ccparray_put (&ccp, "--max-output=0x10000");
808 ccparray_put (&ccp, "--quiet");
810 ccparray_put (&ccp, "--verbose");
811 ccparray_put (&ccp, "--batch");
812 ccparray_put (&ccp, "--status-fd=2");
813 ccparray_put (&ccp, "--decrypt");
814 ccparray_put (&ccp, "--");
816 ccparray_put (&ccp, NULL);
817 argv = ccparray_get (&ccp, NULL);
820 err = gpg_error_from_syserror ();
823 err = gnupg_exec_tool_stream (opt.gpg_program, argv, input,
825 decrypt_stream_status_cb, decinfo);
826 if (!err && (!decinfo->fpr || !decinfo->mainfpr || !decinfo->otrust))
827 err = gpg_error (GPG_ERR_INV_ENGINE);
830 log_error ("decryption failed: %s\n", gpg_strerror (err));
833 else if (opt.verbose)
834 log_info ("decryption succeeded\n");
843 xfree (decinfo->fpr);
844 xfree (decinfo->mainfpr);
845 memset (decinfo, 0, sizeof *decinfo);
853 /* Return the submission address for the address or just the domain in
854 * ADDRSPEC. The submission address is stored as a malloced string at
855 * R_SUBMISSION_ADDRESS. At R_POLICY the policy flags of the domain
856 * are stored. The caller needs to free them with wks_free_policy.
857 * The function returns an error code on failure to find a submission
858 * address or policy file. Note: The function may store NULL at
859 * R_SUBMISSION_ADDRESS but return success to indicate that the web
860 * key directory is supported but not the web key service. As per WKD
861 * specs a policy file is always required and will thus be return on
864 get_policy_and_sa (const char *addrspec, int silent,
865 policy_flags_t *r_policy, char **r_submission_address)
868 estream_t mbuf = NULL;
871 policy_flags_t policy = NULL;
872 char *submission_to = NULL;
874 *r_submission_address = NULL;
877 domain = strchr (addrspec, '@');
883 s = domain? domain : addrspec;
884 es_write_sanitized (es_stdout, s, strlen (s), ":", NULL);
885 es_putc (':', es_stdout);
888 /* We first try to get the submission address from the policy file
889 * (this is the new method). If both are available we check that
890 * they match and print a warning if not. In the latter case we
891 * keep on using the one from the submission-address file. */
892 err = wkd_get_policy_flags (addrspec, &mbuf);
893 if (err && gpg_err_code (err) != GPG_ERR_NO_DATA
894 && gpg_err_code (err) != GPG_ERR_NO_NAME)
896 if (!opt.with_colons)
897 log_error ("error reading policy flags for '%s': %s\n",
898 domain, gpg_strerror (err));
903 if (!opt.with_colons)
904 log_error ("provider for '%s' does NOT support the Web Key Directory\n",
906 err = gpg_error (GPG_ERR_FALSE);
910 policy = xtrycalloc (1, sizeof *policy);
912 err = gpg_error_from_syserror ();
914 err = wks_parse_policy (policy, mbuf, 1);
920 err = wkd_get_submission_address (addrspec, &submission_to);
921 if (err && !policy->submission_address)
923 if (!silent && !opt.with_colons)
924 log_error (_("error looking up submission address for domain '%s'"
925 ": %s\n"), domain, gpg_strerror (err));
926 if (!silent && gpg_err_code (err) == GPG_ERR_NO_DATA && !opt.with_colons)
927 log_error (_("this domain probably doesn't support WKS.\n"));
931 if (submission_to && policy->submission_address
932 && ascii_strcasecmp (submission_to, policy->submission_address))
933 log_info ("Warning: different submission addresses (sa=%s, po=%s)\n",
934 submission_to, policy->submission_address);
936 if (!submission_to && policy->submission_address)
938 submission_to = xtrystrdup (policy->submission_address);
941 err = gpg_error_from_syserror ();
947 *r_submission_address = submission_to;
948 submission_to = NULL;
954 if (*r_policy && !*r_submission_address)
955 es_fprintf (es_stdout, "1:0::");
956 else if (*r_policy && *r_submission_address)
957 es_fprintf (es_stdout, "1:1::");
958 else if (err && !(gpg_err_code (err) == GPG_ERR_FALSE
959 || gpg_err_code (err) == GPG_ERR_NO_DATA
960 || gpg_err_code (err) == GPG_ERR_UNKNOWN_HOST))
961 es_fprintf (es_stdout, "0:0:%d:", err);
963 es_fprintf (es_stdout, "0:0::");
966 es_fprintf (es_stdout, "%u:%u:%u:",
967 (*r_policy)->protocol_version,
968 (*r_policy)->auth_submit,
969 (*r_policy)->mailbox_only);
971 es_putc ('\n', es_stdout);
974 xfree (submission_to);
975 wks_free_policy (policy);
983 /* Check whether the provider supports the WKS protocol. */
985 command_supported (char *userid)
988 char *addrspec = NULL;
989 char *submission_to = NULL;
990 policy_flags_t policy = NULL;
992 if (!strchr (userid, '@'))
994 char *tmp = xstrconcat ("foo@", userid, NULL);
995 addrspec = mailbox_from_userid (tmp, 0);
999 addrspec = mailbox_from_userid (userid, 0);
1002 log_error (_("\"%s\" is not a proper mail address\n"), userid);
1003 err = gpg_error (GPG_ERR_INV_USER_ID);
1007 /* Get the submission address. */
1008 err = get_policy_and_sa (addrspec, 1, &policy, &submission_to);
1009 if (err || !submission_to)
1012 || gpg_err_code (err) == GPG_ERR_FALSE
1013 || gpg_err_code (err) == GPG_ERR_NO_DATA
1014 || gpg_err_code (err) == GPG_ERR_UNKNOWN_HOST
1017 /* FALSE is returned if we already figured out that even the
1018 * Web Key Directory is not supported and thus printed an
1020 if (opt.verbose && gpg_err_code (err) != GPG_ERR_FALSE
1021 && !opt.with_colons)
1023 if (gpg_err_code (err) == GPG_ERR_NO_DATA)
1024 log_info ("provider for '%s' does NOT support WKS\n",
1027 log_info ("provider for '%s' does NOT support WKS (%s)\n",
1028 addrspec, gpg_strerror (err));
1030 err = gpg_error (GPG_ERR_FALSE);
1031 if (!opt.with_colons)
1032 log_inc_errorcount ();
1037 if (opt.verbose && !opt.with_colons)
1038 log_info ("provider for '%s' supports WKS\n", addrspec);
1041 wks_free_policy (policy);
1043 xfree (submission_to);
1050 /* Check whether the key for USERID is available in the WKD. */
1052 command_check (char *userid)
1055 char *addrspec = NULL;
1056 estream_t key = NULL;
1058 uidinfo_list_t mboxes = NULL;
1062 addrspec = mailbox_from_userid (userid, 0);
1065 log_error (_("\"%s\" is not a proper mail address\n"), userid);
1066 err = gpg_error (GPG_ERR_INV_USER_ID);
1070 /* Get the submission address. */
1071 err = wkd_get_key (addrspec, &key);
1072 switch (gpg_err_code (err))
1076 log_info ("public key for '%s' found via WKD\n", addrspec);
1077 /* Fixme: Check that the key contains the user id. */
1080 case GPG_ERR_NO_DATA: /* No such key. */
1082 log_info ("public key for '%s' NOT found via WKD\n", addrspec);
1083 err = gpg_error (GPG_ERR_NO_PUBKEY);
1084 log_inc_errorcount ();
1087 case GPG_ERR_UNKNOWN_HOST:
1089 log_info ("error looking up '%s' via WKD: %s\n",
1090 addrspec, gpg_strerror (err));
1091 err = gpg_error (GPG_ERR_NOT_SUPPORTED);
1095 log_error ("error looking up '%s' via WKD: %s\n",
1096 addrspec, gpg_strerror (err));
1103 /* Look closer at the key. */
1104 err = wks_list_key (key, &fpr, &mboxes);
1107 log_error ("error parsing key: %s\n", gpg_strerror (err));
1108 err = gpg_error (GPG_ERR_NO_PUBKEY);
1113 log_info ("fingerprint: %s\n", fpr);
1115 for (sl = mboxes; sl; sl = sl->next)
1117 if (sl->mbox && !strcmp (sl->mbox, addrspec))
1121 log_info (" user-id: %s\n", sl->uid);
1122 log_info (" created: %s\n", asctimestamp (sl->created));
1124 log_info (" addr-spec: %s\n", sl->mbox);
1125 if (sl->expired || sl->revoked)
1126 log_info (" flags:%s%s\n",
1127 sl->expired? " expired":"", sl->revoked?" revoked":"");
1132 log_error ("public key for '%s' has no user id with the mail address\n",
1134 err = gpg_error (GPG_ERR_CERT_REVOKED);
1136 else if (opt.output)
1139 const char *fname = opt.output;
1141 if (*fname == '-' && !fname[1])
1144 err = wks_write_to_file (key, fname);
1146 log_error ("writing key to '%s' failed: %s\n",
1147 fname? fname : "[stdout]", gpg_strerror (err));
1152 free_uidinfo_list (mboxes);
1160 /* Locate the key by fingerprint and userid and send a publication
1163 command_create (const char *fingerprint, const char *userid)
1166 KEYDB_SEARCH_DESC desc;
1167 char *addrspec = NULL;
1168 estream_t key = NULL;
1169 estream_t keyenc = NULL;
1170 char *submission_to = NULL;
1171 mime_maker_t mime = NULL;
1172 policy_flags_t policy = NULL;
1174 int posteo_hack = 0;
1176 uidinfo_list_t uidlist = NULL;
1177 uidinfo_list_t uid, thisuid;
1181 if (classify_user_id (fingerprint, &desc, 1)
1182 || desc.mode != KEYDB_SEARCH_MODE_FPR)
1184 log_error (_("\"%s\" is not a fingerprint\n"), fingerprint);
1185 err = gpg_error (GPG_ERR_INV_NAME);
1189 addrspec = mailbox_from_userid (userid, 0);
1192 log_error (_("\"%s\" is not a proper mail address\n"), userid);
1193 err = gpg_error (GPG_ERR_INV_USER_ID);
1196 err = wks_get_key (&key, fingerprint, addrspec, 0, 1);
1200 domain = strchr (addrspec, '@');
1201 log_assert (domain);
1204 /* Get the submission address. */
1205 if (fake_submission_addr)
1207 policy = xcalloc (1, sizeof *policy);
1208 submission_to = xstrdup (fake_submission_addr);
1213 err = get_policy_and_sa (addrspec, 0, &policy, &submission_to);
1218 log_error (_("this domain probably doesn't support WKS.\n"));
1219 err = gpg_error (GPG_ERR_NO_DATA);
1224 log_info ("submitting request to '%s'\n", submission_to);
1226 if (policy->auth_submit)
1227 log_info ("no confirmation required for '%s'\n", addrspec);
1229 /* In case the key has several uids with the same addr-spec we will
1230 * use the newest one. */
1231 err = wks_list_key (key, NULL, &uidlist);
1234 log_error ("error parsing key: %s\n",gpg_strerror (err));
1235 err = gpg_error (GPG_ERR_NO_PUBKEY);
1241 for (uid = uidlist; uid; uid = uid->next)
1244 continue; /* Should not happen anyway. */
1245 if (policy->mailbox_only && ascii_strcasecmp (uid->uid, uid->mbox))
1246 continue; /* UID has more than just the mailbox. */
1250 log_info ("ignoring expired user id '%s'\n", uid->uid);
1254 if (uid->created > thistime)
1256 thistime = uid->created;
1261 thisuid = uidlist; /* This is the case for a missing timestamp. */
1264 log_error ("public key %s has no mail address '%s'\n",
1265 fingerprint, addrspec);
1266 err = gpg_error (GPG_ERR_INV_USER_ID);
1271 log_info ("submitting key with user id '%s'\n", thisuid->uid);
1273 /* If we have more than one user id we need to filter the key to
1274 * include only THISUID. */
1280 err = wks_filter_uid (&newkey, key, thisuid->uid, 1);
1283 log_error ("error filtering key: %s\n", gpg_strerror (err));
1284 err = gpg_error (GPG_ERR_NO_PUBKEY);
1291 if (policy->mailbox_only
1292 && (!thisuid->mbox || ascii_strcasecmp (thisuid->uid, thisuid->mbox)))
1294 log_info ("Warning: policy requires 'mailbox-only'"
1295 " - adding user id '%s'\n", addrspec);
1296 err = add_user_id (fingerprint, addrspec);
1300 /* Need to get the key again. This time we request filtering
1301 * for the full user id, so that we do not need check and filter
1305 err = wks_get_key (&key, fingerprint, addrspec, 1, 1);
1312 if (es_fseek (key, 0, SEEK_END))
1314 err = gpg_error_from_syserror ();
1315 log_error ("error seeking stream: %s\n", gpg_strerror (err));
1318 err = wks_find_add_revocs (key, addrspec);
1321 log_error ("error finding revocations for '%s': %s\n",
1322 addrspec, gpg_strerror (err));
1328 /* Now put the armor around the key. */
1333 err = wks_armor_key (&newkey, key,
1335 /* */ : ("Content-Type: application/pgp-keys\n"
1339 log_error ("error armoring key: %s\n", gpg_strerror (err));
1346 /* Hack to support posteo but let them disable this by setting the
1347 * new policy-version flag. */
1348 if (policy->protocol_version < 3
1349 && !ascii_strcasecmp (domain, "posteo.de"))
1351 log_info ("Warning: Using draft-1 method for domain '%s'\n", domain);
1356 /* Encrypt the key part. */
1360 err = encrypt_response (&keyenc, key, submission_to, fingerprint);
1368 err = mime_maker_new (&mime, NULL);
1371 err = mime_maker_add_header (mime, "From", addrspec);
1374 err = mime_maker_add_header (mime, "To", submission_to);
1377 err = mime_maker_add_header (mime, "Subject", "Key publishing request");
1381 /* Tell server which draft we support. */
1382 err = mime_maker_add_header (mime, "Wks-Draft-Version",
1383 STR2(WKS_DRAFT_VERSION));
1394 /* Needs a multipart/mixed with one(!) attachment. It does
1395 * not grok a non-multipart mail. */
1396 err = mime_maker_add_header (mime, "Content-Type", "multipart/mixed");
1399 err = mime_maker_add_container (mime);
1404 err = mime_maker_add_header (mime, "Content-type",
1405 "application/pgp-keys");
1409 if (es_fclose_snatch (key, &data, &datalen))
1411 err = gpg_error_from_syserror ();
1415 err = mime_maker_add_body_data (mime, data, datalen);
1422 err = mime_maker_add_header (mime, "Content-Type",
1423 "multipart/encrypted; "
1424 "protocol=\"application/pgp-encrypted\"");
1427 err = mime_maker_add_container (mime);
1431 err = mime_maker_add_header (mime, "Content-Type",
1432 "application/pgp-encrypted");
1435 err = mime_maker_add_body (mime, "Version: 1\n");
1438 err = mime_maker_add_header (mime, "Content-Type",
1439 "application/octet-stream");
1443 err = mime_maker_add_stream (mime, &keyenc);
1448 err = wks_send_mime (mime);
1451 mime_maker_release (mime);
1452 xfree (submission_to);
1453 free_uidinfo_list (uidlist);
1456 wks_free_policy (policy);
1465 encrypt_response_status_cb (void *opaque, const char *keyword, char *args)
1467 gpg_error_t *failure = opaque;
1468 const char *fields[2];
1471 log_debug ("gpg status: %s %s\n", keyword, args);
1473 if (!strcmp (keyword, "FAILURE"))
1475 if (split_fields (args, fields, DIM (fields)) >= 2
1476 && !strcmp (fields[0], "encrypt"))
1477 *failure = strtoul (fields[1], NULL, 10);
1483 /* Encrypt the INPUT stream to a new stream which is stored at success
1484 * at R_OUTPUT. Encryption is done for ADDRSPEC and for FINGERPRINT
1485 * (so that the sent message may later be inspected by the user). We
1486 * currently retrieve that key from the WKD, DANE, or from "local".
1487 * "local" is last to prefer the latest key version but use a local
1488 * copy in case we are working offline. It might be useful for the
1489 * server to send the fingerprint of its encryption key - or even the
1490 * entire key back. */
1492 encrypt_response (estream_t *r_output, estream_t input, const char *addrspec,
1493 const char *fingerprint)
1499 gpg_error_t gpg_err = 0;
1503 output = es_fopenmem (0, "w+b");
1506 err = gpg_error_from_syserror ();
1507 log_error ("error allocating memory buffer: %s\n", gpg_strerror (err));
1511 ccparray_init (&ccp, 0);
1513 ccparray_put (&ccp, "--no-options");
1514 if (opt.verbose < 2)
1515 ccparray_put (&ccp, "--quiet");
1517 ccparray_put (&ccp, "--verbose");
1518 ccparray_put (&ccp, "--batch");
1519 ccparray_put (&ccp, "--status-fd=2");
1520 ccparray_put (&ccp, "--always-trust");
1521 ccparray_put (&ccp, "--armor");
1522 ccparray_put (&ccp, "-z0"); /* No compression for improved robustness. */
1523 if (fake_submission_addr)
1524 ccparray_put (&ccp, "--auto-key-locate=clear,local");
1526 ccparray_put (&ccp, "--auto-key-locate=clear,wkd,dane,local");
1527 ccparray_put (&ccp, "--recipient");
1528 ccparray_put (&ccp, addrspec);
1529 ccparray_put (&ccp, "--recipient");
1530 ccparray_put (&ccp, fingerprint);
1531 ccparray_put (&ccp, "--encrypt");
1532 ccparray_put (&ccp, "--");
1534 ccparray_put (&ccp, NULL);
1535 argv = ccparray_get (&ccp, NULL);
1538 err = gpg_error_from_syserror ();
1541 err = gnupg_exec_tool_stream (opt.gpg_program, argv, input,
1543 encrypt_response_status_cb, &gpg_err);
1548 log_error ("encryption failed: %s\n", gpg_strerror (err));
1564 send_confirmation_response (const char *sender, const char *address,
1565 const char *nonce, int encrypt,
1566 const char *fingerprint)
1569 estream_t body = NULL;
1570 estream_t bodyenc = NULL;
1571 mime_maker_t mime = NULL;
1573 body = es_fopenmem (0, "w+b");
1576 err = gpg_error_from_syserror ();
1577 log_error ("error allocating memory buffer: %s\n", gpg_strerror (err));
1581 /* It is fine to use 8 bit encoding because that is encrypted and
1582 * only our client will see it. */
1585 es_fputs ("Content-Type: application/vnd.gnupg.wks\n"
1586 "Content-Transfer-Encoding: 8bit\n"
1591 es_fprintf (body, ("type: confirmation-response\n"
1602 err = encrypt_response (&bodyenc, body, sender, fingerprint);
1609 err = mime_maker_new (&mime, NULL);
1612 err = mime_maker_add_header (mime, "From", address);
1615 err = mime_maker_add_header (mime, "To", sender);
1618 err = mime_maker_add_header (mime, "Subject", "Key publication confirmation");
1621 err = mime_maker_add_header (mime, "Wks-Draft-Version",
1622 STR2(WKS_DRAFT_VERSION));
1628 err = mime_maker_add_header (mime, "Content-Type",
1629 "multipart/encrypted; "
1630 "protocol=\"application/pgp-encrypted\"");
1633 err = mime_maker_add_container (mime);
1637 err = mime_maker_add_header (mime, "Content-Type",
1638 "application/pgp-encrypted");
1641 err = mime_maker_add_body (mime, "Version: 1\n");
1644 err = mime_maker_add_header (mime, "Content-Type",
1645 "application/octet-stream");
1649 err = mime_maker_add_stream (mime, &bodyenc);
1655 err = mime_maker_add_header (mime, "Content-Type",
1656 "application/vnd.gnupg.wks");
1659 err = mime_maker_add_stream (mime, &body);
1664 err = wks_send_mime (mime);
1667 mime_maker_release (mime);
1668 es_fclose (bodyenc);
1674 /* Reply to a confirmation request. The MSG has already been
1675 * decrypted and we only need to send the nonce back. MAINFPR is
1676 * either NULL or the primary key fingerprint of the key used to
1677 * decrypt the request. */
1679 process_confirmation_request (estream_t msg, const char *mainfpr)
1684 const char *value, *sender, *address, *fingerprint, *nonce;
1686 err = nvc_parse (&nvc, NULL, msg);
1689 log_error ("parsing the WKS message failed: %s\n", gpg_strerror (err));
1695 log_debug ("request follows:\n");
1696 nvc_write (nvc, log_get_stream ());
1699 /* Check that this is a confirmation request. */
1700 if (!((item = nvc_lookup (nvc, "type:")) && (value = nve_value (item))
1701 && !strcmp (value, "confirmation-request")))
1704 log_error ("received unexpected wks message '%s'\n", value);
1706 log_error ("received invalid wks message: %s\n", "'type' missing");
1707 err = gpg_error (GPG_ERR_UNEXPECTED_MSG);
1711 /* Get the fingerprint. */
1712 if (!((item = nvc_lookup (nvc, "fingerprint:"))
1713 && (value = nve_value (item))
1714 && strlen (value) >= 40))
1716 log_error ("received invalid wks message: %s\n",
1717 "'fingerprint' missing or invalid");
1718 err = gpg_error (GPG_ERR_INV_DATA);
1721 fingerprint = value;
1723 /* Check that the fingerprint matches the key used to decrypt the
1724 * message. In --read mode or with the old format we don't have the
1725 * decryption key; thus we can't bail out. */
1726 if (!mainfpr || ascii_strcasecmp (mainfpr, fingerprint))
1728 log_info ("target fingerprint: %s\n", fingerprint);
1729 log_info ("but decrypted with: %s\n", mainfpr);
1730 log_error ("confirmation request not decrypted with target key\n");
1733 err = gpg_error (GPG_ERR_INV_DATA);
1738 /* Get the address. */
1739 if (!((item = nvc_lookup (nvc, "address:")) && (value = nve_value (item))
1740 && is_valid_mailbox (value)))
1742 log_error ("received invalid wks message: %s\n",
1743 "'address' missing or invalid");
1744 err = gpg_error (GPG_ERR_INV_DATA);
1748 /* FIXME: Check that the "address" matches the User ID we want to
1751 /* Get the sender. */
1752 if (!((item = nvc_lookup (nvc, "sender:")) && (value = nve_value (item))
1753 && is_valid_mailbox (value)))
1755 log_error ("received invalid wks message: %s\n",
1756 "'sender' missing or invalid");
1757 err = gpg_error (GPG_ERR_INV_DATA);
1761 /* FIXME: Check that the "sender" matches the From: address. */
1763 /* Get the nonce. */
1764 if (!((item = nvc_lookup (nvc, "nonce:")) && (value = nve_value (item))
1765 && strlen (value) > 16))
1767 log_error ("received invalid wks message: %s\n",
1768 "'nonce' missing or too short");
1769 err = gpg_error (GPG_ERR_INV_DATA);
1774 /* Send the confirmation. If no key was found, try again without
1776 err = send_confirmation_response (sender, address, nonce, 1, fingerprint);
1777 if (gpg_err_code (err) == GPG_ERR_NO_PUBKEY)
1779 log_info ("no encryption key found - sending response in the clear\n");
1780 err = send_confirmation_response (sender, address, nonce, 0, NULL);
1789 /* Read a confirmation request and decrypt it if needed. This
1790 * function may not be used with a mail or MIME message but only with
1791 * the actual encrypted or plaintext WKS data. */
1793 read_confirmation_request (estream_t msg)
1797 estream_t plaintext = NULL;
1799 /* We take a really simple approach to check whether MSG is
1800 * encrypted: We know that an encrypted message is always armored
1801 * and thus starts with a few dashes. It is even sufficient to
1802 * check for a single dash, because that can never be a proper first
1803 * WKS data octet. We need to skip leading spaces, though. */
1804 while ((c = es_fgetc (msg)) == ' ' || c == '\t' || c == '\r' || c == '\n')
1808 log_error ("can't process an empty message\n");
1809 return gpg_error (GPG_ERR_INV_DATA);
1811 if (es_ungetc (c, msg) != c)
1813 log_error ("error ungetting octet from message\n");
1814 return gpg_error (GPG_ERR_INTERNAL);
1818 err = process_confirmation_request (msg, NULL);
1821 struct decrypt_stream_parm_s decinfo;
1823 err = decrypt_stream (&plaintext, &decinfo, msg);
1825 log_error ("decryption failed: %s\n", gpg_strerror (err));
1826 else if (decinfo.otrust != 'u')
1828 err = gpg_error (GPG_ERR_WRONG_SECKEY);
1829 log_error ("key used to decrypt the confirmation request"
1830 " was not generated by us (otrust=%c)\n", decinfo.otrust);
1833 err = process_confirmation_request (plaintext, decinfo.mainfpr);
1834 xfree (decinfo.fpr);
1835 xfree (decinfo.mainfpr);
1838 es_fclose (plaintext);
1843 /* Called from the MIME receiver to process the plain text data in MSG. */
1845 command_receive_cb (void *opaque, const char *mediatype,
1846 estream_t msg, unsigned int flags)
1853 if (!strcmp (mediatype, "application/vnd.gnupg.wks"))
1854 err = read_confirmation_request (msg);
1857 log_info ("ignoring unexpected message of type '%s'\n", mediatype);
1858 err = gpg_error (GPG_ERR_UNEXPECTED_MSG);
1866 /* An object used to communicate with the mirror_one_key callback. */
1871 unsigned int nkeys; /* Number of keys processed. */
1872 unsigned int nuids; /* Number of published user ids. */
1873 } mirror_one_key_parm;
1876 /* Return true if the Given a mail DOMAIN and the full addrspec MBOX
1879 domain_matches_mbox (const char *domain, const char *mbox)
1883 if (!domain || !mbox)
1885 s = strchr (domain, '@');
1889 return 0; /* Not a valid domain. */
1891 s = strchr (mbox, '@');
1893 return 0; /* Not a valid mbox. */
1896 return !ascii_strcasecmp (domain, mbox);
1900 /* Core of mirror_one_key with the goal of mirroring just one uid.
1901 * UIDLIST is used to figure out whether the given MBOX occurs several
1902 * times in UIDLIST and then to single out the newest one. This is
1903 * so that for a key with
1904 * uid: Joe Someone <joe@example.org>
1905 * uid: Joe <joe@example.org>
1906 * only the news user id (and thus its self-signature) is used.
1907 * UIDLIST is nodified to set all MBOX fields to NULL for a processed
1908 * user id. FPR is the fingerprint of the key.
1911 mirror_one_keys_userid (estream_t key, const char *mbox, uidinfo_list_t uidlist,
1915 uidinfo_list_t uid, thisuid, firstuid;
1917 estream_t newkey = NULL;
1919 /* Find the UID we want to use. */
1921 thisuid = firstuid = NULL;
1922 for (uid = uidlist; uid; uid = uid->next)
1924 if ((uid->flags & 1) || !uid->mbox || strcmp (uid->mbox, mbox))
1925 continue; /* Already processed or no matching mbox. */
1926 uid->flags |= 1; /* Set "processed" flag. */
1929 if (uid->created > thistime)
1931 thistime = uid->created;
1936 thisuid = firstuid; /* This is the case for a missing timestamp. */
1939 log_error ("error finding the user id for %s (%s)\n", fpr, mbox);
1940 err = gpg_error (GPG_ERR_NO_USER_ID);
1944 /* Always filter the key so that the result will be non-armored. */
1946 err = wks_filter_uid (&newkey, key, thisuid->uid, 1);
1949 log_error ("error filtering key %s: %s\n", fpr, gpg_strerror (err));
1950 err = gpg_error (GPG_ERR_NO_PUBKEY);
1956 if (es_fseek (newkey, 0, SEEK_END))
1958 err = gpg_error_from_syserror ();
1959 log_error ("error seeking stream: %s\n", gpg_strerror (err));
1962 err = wks_find_add_revocs (newkey, mbox);
1965 log_error ("error finding revocations for '%s': %s\n",
1966 mbox, gpg_strerror (err));
1972 err = wks_install_key_core (newkey, mbox);
1974 log_info ("key %s published for '%s'\n", fpr, mbox);
1975 mirror_one_key_parm.nuids++;
1976 if (!opt.quiet && !(mirror_one_key_parm.nuids % 25))
1977 log_info ("%u user ids from %d keys so far\n",
1978 mirror_one_key_parm.nuids, mirror_one_key_parm.nkeys);
1986 /* The callback used by command_mirror. It received an estream with
1987 * one key and should return success to process the next key. */
1989 mirror_one_key (estream_t key)
1991 gpg_error_t err = 0;
1993 uidinfo_list_t uidlist = NULL;
1995 const char *domain = mirror_one_key_parm.domain;
1997 /* List the key to get all user ids. */
1998 err = wks_list_key (key, &fpr, &uidlist);
2001 log_error ("error parsing a key: %s - skipped\n",
2002 gpg_strerror (err));
2003 mirror_one_key_parm.anyerror = 1;
2007 for (uid = uidlist; uid; uid = uid->next)
2009 if (!uid->mbox || (uid->flags & 1))
2010 continue; /* No mail box or already processed. */
2013 if (!domain_matches_mbox (domain, uid->mbox))
2014 continue; /* We don't want this one. */
2015 if (is_in_blacklist (uid->mbox))
2018 err = mirror_one_keys_userid (key, uid->mbox, uidlist, fpr);
2021 log_error ("error processing key %s: %s - skipped\n",
2022 fpr, gpg_strerror (err));
2023 mirror_one_key_parm.anyerror = 1;
2028 mirror_one_key_parm.nkeys++;
2032 free_uidinfo_list (uidlist);
2038 /* Copy the keys from the configured LDAP server into a local WKD.
2039 * DOMAINLIST is an array of domain names to restrict the copy to only
2040 * the given domains; if it is NULL all keys are mirrored. */
2042 command_mirror (char *domainlist[])
2046 char *domainbuf = NULL;
2048 mirror_one_key_parm.anyerror = 0;
2049 mirror_one_key_parm.nkeys = 0;
2050 mirror_one_key_parm.nuids = 0;
2054 mirror_one_key_parm.domain = "";
2055 err = wkd_dirmngr_ks_get (NULL, mirror_one_key);
2059 while ((domain = *domainlist++))
2061 if (*domain != '.' && domain[1] != '@')
2063 /* This does not already specify a mail search by
2064 * domain. Change it. */
2066 domainbuf = xstrconcat (".@", domain, NULL);
2069 mirror_one_key_parm.domain = domain;
2071 log_info ("mirroring keys for domain '%s'\n", domain+2);
2072 err = wkd_dirmngr_ks_get (domain, mirror_one_key);
2079 log_info ("a total of %u user ids from %d keys published\n",
2080 mirror_one_key_parm.nuids, mirror_one_key_parm.nkeys);
2082 log_error ("error mirroring LDAP directory: %s <%s>\n",
2083 gpg_strerror (err), gpg_strsource (err));
2084 else if (mirror_one_key_parm.anyerror)
2085 log_info ("warning: errors encountered - not all keys are mirrored\n");