
Kleopatra: Allow queries to list all certificates on the server
Closed, ResolvedPublic

Description

Kleopatra currently requires at least three characters for searching. The wish is to show all certificates on the keyserver; this is for Active Directory users who are setting up their directory and want to check if all keys are properly uploaded.

I currently do not have a proper test setup with such a server so I cannot check what the result of queries like "gpg --search '*'" would be.

Event Timeline

aheinecke created this task.

Many keyservers return a maximum number of results. I have seen results being capped at 100 keys.

Some tests with gpg:

$ gpg --search '*'
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: data source: https://162.213.33.8:443
gpg: key "*" not found on keyserver
gpg: keyserver search failed: Not found

$ gpg --search a
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: data source: https://162.213.33.8:443
gpg: key "a" not found on keyserver
gpg: keyserver search failed: Not found

$ gpg --search b
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: data source: https://162.213.33.8:443
(1)     Richard B Dervan <rdervan@abraxis.com>
        Richard B Dervan <dilbert@infoam.com>
        Richard B Dervan <rdervan@infoam.com>
        Richard B Dervan <dervari@mindspring.com>
        Richard B Dervan <airman@mindspring.com>
        Richard B Dervan <rdervan@mindspring.com>
          1024 bit DSA key 5CB459A905C3BD20, created: 1997-06-22
(2)     B Ishan A A Mendis <ishan@ishan-mendis.com>
          1024 bit DSA key 85FA659A8E3D1B30, created: 2009-03-10
(3)     Jürgen Börner <j.boerner@deutschland.ms>
          1024 bit DSA key B3C5FDB8044FA050, created: 2004-08-29
(4)       4096 bit RSA key 489C579095C4C870, created: 2011-07-25
(5)     Jan Böhringer <jan@bm-boehringer.de>
          1024 bit DSA key A48373F6386A6B80, created: 2005-09-08
(6)     SAF 13eme B.C.A <saf@bca13.terre.defense.gouv.fr>
          1024 bit DSA key BEC2BB80C2317C90, created: 2000-04-17
(7)     Darryl B. Levi <dlevi@amgen.com>
          1024 bit DSA key 6DB6312ADD3085B0, created: 1998-06-09
(8)     Stefan B <stefan.bathory@turbado.eu>
          3072 bit RSA key A1A47AFBCACFACC0, created: 2018-01-21
(9)     Patrick B?dard <blaise@colba.net>
          1024 bit DSA key 9492ECA61BFB5CD0, created: 1998-01-23
Keys 1-9 of 100 for "b".  Enter number(s), N)ext, or Q)uit >

Don't ask me why searching for 'a' doesn't give any results, but searching for 'b' gives results (capped at 100). In the end it depends on the server how many results are returned. I'm pretty sure that any sensible directory server will return paged results and I have no idea whether dirmngr requests more than one page. Kleopatra will happily crunch any keys dirmngr returns.

ikloecker changed the task status from Open to Testing. Jul 7 2022, 1:50 PM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a project: Restricted Project.

Lookups can now be started after entering a single character. Wildcards like * do not seem to be supported by OpenPGP key servers.

dirmngr refuses a lookup with an empty search string:

GPGME 20220707T134645 2713  chan_28 -> LISTKEYS 
GPGME 20220707T134645 2713  chan_28 <- ERR 50331693 Invalid argument <GpgSM>

Therefore, I require at least one character.

werner removed a project: Restricted Project. Sep 22 2022, 10:52 AM

Works with AD, too. Even with an "a" ;-)

But entering "*" (without the quotes) in the search field in Kleopatra results in no return hits and this debug output:

5 - 2023-03-15 12:29:13 dirmngr[5284]: SEARCH * FAILED 761
5 - 2023-03-15 12:29:13 dirmngr[5284]: ks-ldap: LDAP search error: 
5 - 2023-03-15 12:29:13 dirmngr[5284]: command 'KS_SEARCH' failed: Bad LDAP search filter <Unspecified source>

Is this the expected and desired behavior?

And on Windows trials with gpg look like this:

C:\Users\ebo-ad>gpg --search '*'
gpg: key "'*'" not found on keyserver

C:\Users\ebo-ad>gpg --search "*"
gpg: error searching keyserver: Bad LDAP search filter
gpg: keyserver search failed: Bad LDAP search filter

If it's possible to search for any keys on an LDAP server, then gpg's LDAP support could probably map "*" to the required LDAP search filter. I'm pretty sure that (modern) keyservers don't allow listing all keys.
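The two behaviours discussed above (dirmngr rejecting an empty LISTKEYS with "Invalid argument", and a bare "*" being passed into an LDAP filter and failing with "Bad LDAP search filter") come down to how the search string is turned into an RFC 4515 filter. The following is an added example, not dirmngr's code: a small filter builder that escapes user input, refuses the empty string, and maps "*" to a presence filter that lists every certificate, next to a checker that shows why the unescaped splice produces a malformed filter. The attribute names pgpUserID, pgpKeyID and pgpCertID are the PGP LDAP keyserver schema; that dirmngr splices a substring search into "(pgpUserID=*<pattern>*)" is an assumption about its behaviour, not something shown on this page.

```python
"""Map an OpenPGP keyserver search string to a well-formed LDAP filter.

Added example for this thread, not GnuPG/dirmngr code. Assumptions: the
PGP LDAP schema attributes pgpUserID/pgpKeyID/pgpCertID, and that a
user-ID search is spliced into "(pgpUserID=*<pattern>*)" (the shape
dirmngr appears to use; not confirmed by the page).
"""

import re

# RFC 4515 section 3: these bytes must be hex-escaped inside a value,
# otherwise user input can change the structure of the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so the server treats it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(pattern: str) -> str:
    """Splice the pattern in unescaped. A raw '*' yields '(pgpUserID=***)',
    the malformed filter behind a 'Bad LDAP search filter' error."""
    return f"(pgpUserID=*{pattern}*)"


def keyserver_filter(pattern: str) -> str:
    """Build the filter a keyserver lookup for `pattern` should send."""
    if pattern == "":
        # Same outcome as dirmngr answering LISTKEYS "" with Invalid argument.
        raise ValueError("empty search string")
    if pattern == "*":
        # Presence filter: every entry that carries a pgpCertID, i.e. all
        # certificates on the server (subject to the server's size limit).
        return "(pgpCertID=*)"
    hexpat = pattern[2:] if pattern.lower().startswith("0x") else pattern
    if re.fullmatch(r"[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40}", hexpat):
        # Long key ID or v4 fingerprint: pgpCertID holds the low 64 bits.
        return f"(pgpCertID={hexpat[-16:].upper()})"
    if re.fullmatch(r"[0-9A-Fa-f]{8}", hexpat):
        return f"(pgpKeyID={hexpat.upper()})"
    if "@" in pattern:
        # Mail address: match the angle-bracketed form inside the user ID.
        return f"(pgpUserID=*<{escape_filter_value(pattern)}>*)"
    return f"(pgpUserID=*{escape_filter_value(pattern)}*)"


# Minimal syntax check for the single-item filters produced above:
#   item      = "(" attr "=" ( value | substring ) ")"
#   substring = [initial] "*" *( value "*" ) [final]
# Each inner substring component must be non-empty, so "**" is rejected.
_ATTR = r"[A-Za-z][A-Za-z0-9;-]*"
_VAL = r"(?:[^*()\\\x00]|\\[0-9A-Fa-f]{2})"  # one normal or escaped char
_SUBSTRING = _VAL + r"*\*(?:" + _VAL + r"+\*)*" + _VAL + r"*"
_ITEM = re.compile(r"\(" + _ATTR + r"=(?:" + _VAL + r"*|" + _SUBSTRING + r")\)")


def is_wellformed(ldap_filter: str) -> bool:
    """True if `ldap_filter` is a single well-formed RFC 4515 item."""
    return _ITEM.fullmatch(ldap_filter) is not None


if __name__ == "__main__":
    for pat in ["*", "b", "0x5CB459A905C3BD20", "rdervan@abraxis.com", "b)(pgpCertID=*"]:
        good = keyserver_filter(pat)
        bad = naive_filter(pat)
        print(f"{pat!r:24} -> {good:45} ok={is_wellformed(good)}")
        print(f"{'(naive)':24} -> {bad:45} ok={is_wellformed(bad)}")
```

The last sample pattern shows the other reason to escape: spliced in raw, `b)(pgpCertID=*` changes the filter's structure, while the escaped form stays a single literal substring match.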

ebo claimed this task.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Apr 5 2023, 2:59 PM