diff options
author | Werner Koch <wk@gnupg.org> | 2020-12-17 10:20:28 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2020-12-17 10:20:28 +0100 |
commit | 2cadcce3e877c857bb8859574762b59b9c193b44 (patch) | |
tree | 61b0937ab480d3133e8df81290b0cbffd7f469c2 /dirmngr | |
parent | dirmngr: Finalize Active Directory LDAP Schema (diff) | |
download | gnupg2-2cadcce3e877c857bb8859574762b59b9c193b44.tar.xz gnupg2-2cadcce3e877c857bb8859574762b59b9c193b44.zip |
dirmngr: Allow LDAP searches via fingerprint.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Add arg
serverinfo and allow searching by fingerprint.
(ks_ldap_get, ks_ldap_search): First connect then create teh filter.
--
With the new schema we can finally search by fingerprint.
Diffstat (limited to 'dirmngr')
-rw-r--r-- | dirmngr/ks-engine-ldap.c | 64 |
1 files changed, 41 insertions, 23 deletions
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index 49d389266..b9410351a 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -333,7 +333,8 @@ ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri) *filter. It is the caller's responsibility to free *filter. *filter is only set if this function returns success (i.e., 0). */ static gpg_error_t -keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact) +keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact, + unsigned int serverinfo) { /* Remove search type indicator and adjust PATTERN accordingly. Note: don't include a preceding 0x when searching by keyid. */ @@ -361,9 +362,14 @@ keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact) break; case KEYDB_SEARCH_MODE_MAIL: - if (! only_exact) - f = xasprintf ("(pgpUserID=*<%s>*)", - (freeme = ldap_escape_filter (desc.u.name))); + if (only_exact) + break; + if ((serverinfo & SERVERINFO_SCHEMAV2)) + f = xasprintf ("(gpgMailbox=%s)", + (freeme = ldap_escape_filter (desc.u.name))); + else + f = xasprintf ("(pgpUserID=*<%s>*)", + (freeme = ldap_escape_filter (desc.u.name))); break; case KEYDB_SEARCH_MODE_MAILSUB: @@ -387,6 +393,19 @@ keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact) break; case KEYDB_SEARCH_MODE_FPR: + if ((serverinfo & SERVERINFO_SCHEMAV2)) + { + freeme = bin2hex (desc.u.fpr, desc.fprlen, NULL); + if (!freeme) + return gpg_error_from_syserror (); + f = xasprintf ("(|(gpgFingerprint=%s)(gpgSubFingerprint=%s))", + freeme, freeme); + /* FIXME: For an exact search and in case of a match on + * gpgSubFingerprint we need to check that there is only one + * matching value. */ + } + break; + case KEYDB_SEARCH_MODE_ISSUER: case KEYDB_SEARCH_MODE_ISSUER_SN: case KEYDB_SEARCH_MODE_SN: @@ -872,13 +891,6 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, return gpg_error (GPG_ERR_NOT_SUPPORTED); } - /* Before connecting to the server, make sure we have a sane - keyspec. If not, there is no need to establish a network - connection. */ - err = keyspec_to_ldap_filter (keyspec, &filter, 1); - if (err) - return (err); - /* Make sure we are talking to an OpenPGP LDAP server. */ ldap_err = my_ldap_connect (uri, &ldap_conn, &basedn, &serverinfo); if (ldap_err || !basedn) @@ -886,10 +898,17 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, if (ldap_err) err = ldap_err_to_gpg_err (ldap_err); else - err = GPG_ERR_GENERAL; + err = gpg_error (GPG_ERR_GENERAL); goto out; } + /* Now that we have information about the server we can construct a + * query best suited for the capabilities of the server. */ + err = keyspec_to_ldap_filter (keyspec, &filter, 1, serverinfo); + if (err) + goto out; + + { /* The ordering is significant. Specifically, "pgpcertid" needs to be the second item in the list, since everything after it @@ -1054,16 +1073,6 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern, return gpg_error (GPG_ERR_NOT_SUPPORTED); } - /* Before connecting to the server, make sure we have a sane - keyspec. If not, there is no need to establish a network - connection. */ - err = keyspec_to_ldap_filter (pattern, &filter, 0); - if (err) - { - log_error ("Bad search pattern: '%s'\n", pattern); - return (err); - } - /* Make sure we are talking to an OpenPGP LDAP server. */ ldap_err = my_ldap_connect (uri, &ldap_conn, &basedn, &serverinfo); if (ldap_err || !basedn) @@ -1075,6 +1084,15 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern, goto out; } + /* Now that we have information about the server we can construct a + * query best suited for the capabilities of the server. */ + err = keyspec_to_ldap_filter (pattern, &filter, 0, serverinfo); + if (err) + { + log_error ("Bad search pattern: '%s'\n", pattern); + goto out; + } + /* Even if we have no results, we want to return a stream. */ fp = es_fopenmem(0, "rw"); if (!fp) @@ -1911,7 +1929,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, const char *infoend = (const char *) info + infolen - 1; /* Enable this code to dump the modlist to /tmp/modlist.txt. */ -#if 1 +#if 0 # warning Disable debug code before checking in. const int dump_modlist = 1; #else |