1 /* certreqgen.c - Generate a key and a certification [request]
2 * Copyright (C) 2002, 2003, 2005, 2007, 2010,
3 * 2011 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
19 */
20
21 /*
22 The format of the parameter file is described in the manual under
23 "Unattended Usage".
24
25 Here is an example:
26 $ cat >foo <<EOF
27 %echo Generating a standard key
28 Key-Type: RSA
29 Key-Length: 3072
30 Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
31 Name-Email: joe@foo.bar
32 # Do a commit here, so that we can later print a "done"
33 %commit
34 %echo done
35 EOF
36
37 This parameter file was used to create the STEED CA:
38 Key-Type: RSA
39 Key-Length: 1024
40 Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
41 Key-Usage: cert
42 Serial: 1
43 Name-DN: CN=The STEED Self-Signing Nonthority
44 Not-Before: 2011-11-11
45 Not-After: 2106-02-06
46 Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
47 Extension: 2.5.29.19 c 30060101ff020101
48 Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
49 Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
50 %commit
51
52 */
53
54
55 #include <config.h>
56 #include <stdio.h>
57 #include <stdlib.h>
58 #include <string.h>
59 #include <errno.h>
60 #include <unistd.h>
61 #include <time.h>
62
63 #include "gpgsm.h"
64 #include <gcrypt.h>
65 #include <ksba.h>
66
67 #include "keydb.h"
68 #include "../common/i18n.h"
69 #include "../common/membuf.h"
70
71
72 enum para_name
73 {
74 pKEYTYPE,
75 pKEYLENGTH,
76 pKEYGRIP,
77 pKEYCURVE,
78 pKEYUSAGE,
79 pNAMEDN,
80 pNAMEEMAIL,
81 pNAMEDNS,
82 pNAMEURI,
83 pSERIAL,
84 pISSUERDN,
85 pNOTBEFORE,
86 pNOTAFTER,
87 pSIGNINGKEY,
88 pHASHALGO,
89 pAUTHKEYID,
90 pSUBJKEYID,
91 pEXTENSION
92 };
93
94 struct para_data_s
95 {
96 struct para_data_s *next;
97 int lnr;
98 enum para_name key;
99 union {
100 unsigned int usage;
101 char value[1];
102 } u;
103 };
104
105 struct reqgen_ctrl_s
106 {
107 int lnr;
108 int dryrun;
109 };
110
111
112 static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35";
113 static const char oidstr_subjectKeyIdentifier[] = "2.5.29.14";
114 static const char oidstr_keyUsage[] = "2.5.29.15";
115 static const char oidstr_basicConstraints[] = "2.5.29.19";
116 static const char oidstr_standaloneCertificate[] = "1.3.6.1.4.1.11591.2.2.1";
117
118
119 static int proc_parameters (ctrl_t ctrl,
120 struct para_data_s *para,
121 estream_t out_fp,
122 struct reqgen_ctrl_s *outctrl);
123 static int create_request (ctrl_t ctrl,
124 struct para_data_s *para,
125 const char *carddirect,
126 ksba_const_sexp_t public,
127 ksba_const_sexp_t sigkey,
128 ksba_writer_t writer);
129
130
131
132 static void
release_parameter_list(struct para_data_s * r)133 release_parameter_list (struct para_data_s *r)
134 {
135 struct para_data_s *r2;
136
137 for (; r ; r = r2)
138 {
139 r2 = r->next;
140 xfree(r);
141 }
142 }
143
144 static struct para_data_s *
get_parameter(struct para_data_s * para,enum para_name key,int seq)145 get_parameter (struct para_data_s *para, enum para_name key, int seq)
146 {
147 struct para_data_s *r;
148
149 for (r = para; r ; r = r->next)
150 if ( r->key == key && !seq--)
151 return r;
152 return NULL;
153 }
154
155 static const char *
get_parameter_value(struct para_data_s * para,enum para_name key,int seq)156 get_parameter_value (struct para_data_s *para, enum para_name key, int seq)
157 {
158 struct para_data_s *r = get_parameter (para, key, seq);
159 return (r && *r->u.value)? r->u.value : NULL;
160 }
161
162 static int
get_parameter_algo(struct para_data_s * para,enum para_name key)163 get_parameter_algo (struct para_data_s *para, enum para_name key)
164 {
165 struct para_data_s *r = get_parameter (para, key, 0);
166 if (!r)
167 return -1;
168 if (digitp (r->u.value))
169 return atoi( r->u.value );
170 return gcry_pk_map_name (r->u.value);
171 }
172
173 /* Parse the usage parameter. Returns 0 on success. Note that we
174 only care about sign and encrypt and don't (yet) allow all the
175 other X.509 usage to be specified; instead we will use a fixed
176 mapping to the X.509 usage flags. */
177 static int
parse_parameter_usage(struct para_data_s * para,enum para_name key)178 parse_parameter_usage (struct para_data_s *para, enum para_name key)
179 {
180 struct para_data_s *r = get_parameter (para, key, 0);
181 char *p, *pn;
182 unsigned int use;
183
184 if (!r)
185 return 0; /* none (this is an optional parameter)*/
186
187 use = 0;
188 pn = r->u.value;
189 while ( (p = strsep (&pn, " \t,")) )
190 {
191 if (!*p)
192 ;
193 else if ( !ascii_strcasecmp (p, "sign") )
194 use |= GCRY_PK_USAGE_SIGN;
195 else if ( !ascii_strcasecmp (p, "encrypt")
196 || !ascii_strcasecmp (p, "encr") )
197 use |= GCRY_PK_USAGE_ENCR;
198 else if ( !ascii_strcasecmp (p, "cert") )
199 use |= GCRY_PK_USAGE_CERT;
200 else
201 {
202 log_error ("line %d: invalid usage list\n", r?r->lnr:0);
203 return -1; /* error */
204 }
205 }
206 r->u.usage = use;
207 return 0;
208 }
209
210
211 static unsigned int
get_parameter_uint(struct para_data_s * para,enum para_name key)212 get_parameter_uint (struct para_data_s *para, enum para_name key)
213 {
214 struct para_data_s *r = get_parameter (para, key, 0);
215
216 if (!r)
217 return 0;
218
219 if (r->key == pKEYUSAGE)
220 return r->u.usage;
221
222 return (unsigned int)strtoul (r->u.value, NULL, 10);
223 }
224
225
226
227 /* Read the certificate generation parameters from FP and generate
228 (all) certificate requests. */
229 static int
read_parameters(ctrl_t ctrl,estream_t fp,estream_t out_fp)230 read_parameters (ctrl_t ctrl, estream_t fp, estream_t out_fp)
231 {
232 static struct {
233 const char *name;
234 enum para_name key;
235 int allow_dups;
236 } keywords[] = {
237 { "Key-Type", pKEYTYPE},
238 { "Key-Length", pKEYLENGTH },
239 { "Key-Grip", pKEYGRIP },
240 { "Key-Curve", pKEYCURVE },
241 { "Key-Usage", pKEYUSAGE },
242 { "Name-DN", pNAMEDN },
243 { "Name-Email", pNAMEEMAIL, 1 },
244 { "Name-DNS", pNAMEDNS, 1 },
245 { "Name-URI", pNAMEURI, 1 },
246 { "Serial", pSERIAL },
247 { "Issuer-DN", pISSUERDN },
248 { "Creation-Date", pNOTBEFORE },
249 { "Not-Before", pNOTBEFORE },
250 { "Expire-Date", pNOTAFTER },
251 { "Not-After", pNOTAFTER },
252 { "Signing-Key", pSIGNINGKEY },
253 { "Hash-Algo", pHASHALGO },
254 { "Authority-Key-Id", pAUTHKEYID },
255 { "Subject-Key-Id", pSUBJKEYID },
256 { "Extension", pEXTENSION, 1 },
257 { NULL, 0 }
258 };
259 char line[1024], *p;
260 const char *err = NULL;
261 struct para_data_s *para, *r;
262 int i, rc = 0, any = 0;
263 struct reqgen_ctrl_s outctrl;
264
265 memset (&outctrl, 0, sizeof (outctrl));
266
267 err = NULL;
268 para = NULL;
269 while (es_fgets (line, DIM(line)-1, fp) )
270 {
271 char *keyword, *value;
272
273 outctrl.lnr++;
274 if (*line && line[strlen(line)-1] != '\n')
275 {
276 err = "line too long";
277 break;
278 }
279 for (p=line; spacep (p); p++)
280 ;
281 if (!*p || *p == '#')
282 continue;
283
284 keyword = p;
285 if (*keyword == '%')
286 {
287 for (; *p && !ascii_isspace (*p); p++)
288 ;
289 if (*p)
290 *p++ = 0;
291 for (; ascii_isspace (*p); p++)
292 ;
293 value = p;
294 trim_trailing_spaces (value);
295
296 if (!ascii_strcasecmp (keyword, "%echo"))
297 log_info ("%s\n", value);
298 else if (!ascii_strcasecmp (keyword, "%dry-run"))
299 outctrl.dryrun = 1;
300 else if (!ascii_strcasecmp( keyword, "%commit"))
301 {
302 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
303 if (rc)
304 goto leave;
305 any = 1;
306 release_parameter_list (para);
307 para = NULL;
308 }
309 else
310 log_info ("skipping control '%s' (%s)\n", keyword, value);
311
312 continue;
313 }
314
315
316 if (!(p = strchr (p, ':')) || p == keyword)
317 {
318 err = "missing colon";
319 break;
320 }
321 if (*p)
322 *p++ = 0;
323 for (; spacep (p); p++)
324 ;
325 if (!*p)
326 {
327 err = "missing argument";
328 break;
329 }
330 value = p;
331 trim_trailing_spaces (value);
332
333 for (i=0; (keywords[i].name
334 && ascii_strcasecmp (keywords[i].name, keyword)); i++)
335 ;
336 if (!keywords[i].name)
337 {
338 err = "unknown keyword";
339 break;
340 }
341 if (keywords[i].key != pKEYTYPE && !para)
342 {
343 err = "parameter block does not start with \"Key-Type\"";
344 break;
345 }
346
347 if (keywords[i].key == pKEYTYPE && para)
348 {
349 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
350 if (rc)
351 goto leave;
352 any = 1;
353 release_parameter_list (para);
354 para = NULL;
355 }
356 else if (!keywords[i].allow_dups)
357 {
358 for (r = para; r && r->key != keywords[i].key; r = r->next)
359 ;
360 if (r)
361 {
362 err = "duplicate keyword";
363 break;
364 }
365 }
366
367 r = xtrycalloc (1, sizeof *r + strlen( value ));
368 if (!r)
369 {
370 err = "out of core";
371 break;
372 }
373 r->lnr = outctrl.lnr;
374 r->key = keywords[i].key;
375 strcpy (r->u.value, value);
376 r->next = para;
377 para = r;
378 }
379
380 if (err)
381 {
382 log_error ("line %d: %s\n", outctrl.lnr, err);
383 rc = gpg_error (GPG_ERR_GENERAL);
384 }
385 else if (es_ferror(fp))
386 {
387 log_error ("line %d: read error: %s\n", outctrl.lnr, strerror(errno) );
388 rc = gpg_error (GPG_ERR_GENERAL);
389 }
390 else if (para)
391 {
392 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
393 if (rc)
394 goto leave;
395 any = 1;
396 }
397
398 if (!rc && !any)
399 rc = gpg_error (GPG_ERR_NO_DATA);
400
401 leave:
402 release_parameter_list (para);
403 return rc;
404 }
405
406 /* check whether there are invalid characters in the email address S */
407 static int
has_invalid_email_chars(const char * s)408 has_invalid_email_chars (const char *s)
409 {
410 int at_seen=0;
411 static char valid_chars[] = "01234567890_-."
412 "abcdefghijklmnopqrstuvwxyz"
413 "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
414 for (; *s; s++)
415 {
416 if (*s & 0x80)
417 return 1;
418 if (*s == '@')
419 at_seen++;
420 else if (!at_seen && !( !!strchr (valid_chars, *s) || *s == '+'))
421 return 1;
422 else if (at_seen && !strchr (valid_chars, *s))
423 return 1;
424 }
425 return at_seen != 1;
426 }
427
428
429 /* Check that all required parameters are given and perform the action */
430 static int
proc_parameters(ctrl_t ctrl,struct para_data_s * para,estream_t out_fp,struct reqgen_ctrl_s * outctrl)431 proc_parameters (ctrl_t ctrl, struct para_data_s *para,
432 estream_t out_fp, struct reqgen_ctrl_s *outctrl)
433 {
434 gpg_error_t err;
435 struct para_data_s *r;
436 const char *s, *string;
437 int i;
438 int algo;
439 unsigned int nbits;
440 char numbuf[20];
441 unsigned char keyparms[100];
442 int rc = 0;
443 ksba_sexp_t public = NULL;
444 ksba_sexp_t sigkey = NULL;
445 int seq;
446 size_t erroff, errlen;
447 char *cardkeyid = NULL;
448
449 /* Check that we have all required parameters; */
450 log_assert (get_parameter (para, pKEYTYPE, 0));
451
452 /* There is a problem with pkcs-10 on how to use ElGamal because it
453 is expected that a PK algorithm can always be used for
454 signing. Another problem is that on-card generated encryption
455 keys may not be used for signing. */
456 algo = get_parameter_algo (para, pKEYTYPE);
457 if (!algo && (s = get_parameter_value (para, pKEYTYPE, 0)) && *s)
458 {
459 /* Hack to allow creation of certificates directly from a smart
460 card. For example: "Key-Type: card:OPENPGP.3". */
461 if (!strncmp (s, "card:", 5) && s[5])
462 cardkeyid = xtrystrdup (s+5);
463 }
464 if (algo < 1 && !cardkeyid)
465 {
466 r = get_parameter (para, pKEYTYPE, 0);
467 if (r)
468 log_error (_("line %d: invalid algorithm\n"), r?r->lnr:0);
469 else
470 log_error ("No Key-Type specified\n");
471 return gpg_error (GPG_ERR_INV_PARAMETER);
472 }
473
474 /* Check the keylength. NOTE: If you change this make sure that it
475 macthes the gpgconflist item in gpgsm.c */
476 if (!get_parameter (para, pKEYLENGTH, 0))
477 nbits = 3072;
478 else
479 nbits = get_parameter_uint (para, pKEYLENGTH);
480 if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
481 {
482 /* The BSI specs dated 2002-11-25 don't allow lengths below 1024. */
483 r = get_parameter (para, pKEYLENGTH, 0);
484 log_error (_("line %d: invalid key length %u (valid are %d to %d)\n"),
485 r?r->lnr:0, nbits, 1024, 4096);
486 xfree (cardkeyid);
487 return gpg_error (GPG_ERR_INV_PARAMETER);
488 }
489
490 /* Check the usage. */
491 if (parse_parameter_usage (para, pKEYUSAGE))
492 {
493 xfree (cardkeyid);
494 return gpg_error (GPG_ERR_INV_PARAMETER);
495 }
496
497 /* Check that there is a subject name and that this DN fits our
498 requirements. */
499 if (!(s=get_parameter_value (para, pNAMEDN, 0)))
500 {
501 r = get_parameter (para, pNAMEDN, 0);
502 log_error (_("line %d: no subject name given\n"), r?r->lnr:0);
503 xfree (cardkeyid);
504 return gpg_error (GPG_ERR_INV_PARAMETER);
505 }
506 err = ksba_dn_teststr (s, 0, &erroff, &errlen);
507 if (err)
508 {
509 r = get_parameter (para, pNAMEDN, 0);
510 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
511 log_error (_("line %d: invalid subject name label '%.*s'\n"),
512 r?r->lnr:0, (int)errlen, s+erroff);
513 else
514 log_error (_("line %d: invalid subject name '%s' at pos %d\n"),
515 r?r->lnr:0, s, (int)erroff);
516
517 xfree (cardkeyid);
518 return gpg_error (GPG_ERR_INV_PARAMETER);
519 }
520
521 /* Check that the optional email address is okay. */
522 for (seq=0; (s=get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
523 {
524 if (has_invalid_email_chars (s)
525 || *s == '@'
526 || s[strlen(s)-1] == '@'
527 || s[strlen(s)-1] == '.'
528 || strstr(s, ".."))
529 {
530 r = get_parameter (para, pNAMEEMAIL, seq);
531 log_error (_("line %d: not a valid email address\n"), r?r->lnr:0);
532 xfree (cardkeyid);
533 return gpg_error (GPG_ERR_INV_PARAMETER);
534 }
535 }
536
537 /* Check the optional serial number. */
538 string = get_parameter_value (para, pSERIAL, 0);
539 if (string)
540 {
541 if (!strcmp (string, "random"))
542 ; /* Okay. */
543 else
544 {
545 for (s=string, i=0; hexdigitp (s); s++, i++)
546 ;
547 if (*s)
548 {
549 r = get_parameter (para, pSERIAL, 0);
550 log_error (_("line %d: invalid serial number\n"), r?r->lnr:0);
551 xfree (cardkeyid);
552 return gpg_error (GPG_ERR_INV_PARAMETER);
553 }
554 }
555 }
556
557 /* Check the optional issuer DN. */
558 string = get_parameter_value (para, pISSUERDN, 0);
559 if (string)
560 {
561 err = ksba_dn_teststr (string, 0, &erroff, &errlen);
562 if (err)
563 {
564 r = get_parameter (para, pISSUERDN, 0);
565 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
566 log_error (_("line %d: invalid issuer name label '%.*s'\n"),
567 r?r->lnr:0, (int)errlen, string+erroff);
568 else
569 log_error (_("line %d: invalid issuer name '%s' at pos %d\n"),
570 r?r->lnr:0, string, (int)erroff);
571 xfree (cardkeyid);
572 return gpg_error (GPG_ERR_INV_PARAMETER);
573 }
574 }
575
576 /* Check the optional creation date. */
577 string = get_parameter_value (para, pNOTBEFORE, 0);
578 if (string && !string2isotime (NULL, string))
579 {
580 r = get_parameter (para, pNOTBEFORE, 0);
581 log_error (_("line %d: invalid date given\n"), r?r->lnr:0);
582 xfree (cardkeyid);
583 return gpg_error (GPG_ERR_INV_PARAMETER);
584 }
585
586
587 /* Check the optional expire date. */
588 string = get_parameter_value (para, pNOTAFTER, 0);
589 if (string && !string2isotime (NULL, string))
590 {
591 r = get_parameter (para, pNOTAFTER, 0);
592 log_error (_("line %d: invalid date given\n"), r?r->lnr:0);
593 xfree (cardkeyid);
594 return gpg_error (GPG_ERR_INV_PARAMETER);
595 }
596
597 /* Get the optional signing key. */
598 string = get_parameter_value (para, pSIGNINGKEY, 0);
599 if (string)
600 {
601 rc = gpgsm_agent_readkey (ctrl, 0, string, &sigkey);
602 if (rc)
603 {
604 r = get_parameter (para, pKEYTYPE, 0);
605 log_error (_("line %d: error getting signing key by keygrip '%s'"
606 ": %s\n"), r?r->lnr:0, s, gpg_strerror (rc));
607 xfree (cardkeyid);
608 return rc;
609 }
610 }
611
612 /* Check the optional hash-algo. */
613 {
614 int mdalgo;
615
616 string = get_parameter_value (para, pHASHALGO, 0);
617 if (string && !((mdalgo = gcry_md_map_name (string))
618 && (mdalgo == GCRY_MD_SHA1
619 || mdalgo == GCRY_MD_SHA256
620 || mdalgo == GCRY_MD_SHA384
621 || mdalgo == GCRY_MD_SHA512)))
622 {
623 r = get_parameter (para, pHASHALGO, 0);
624 log_error (_("line %d: invalid hash algorithm given\n"), r?r->lnr:0);
625 xfree (cardkeyid);
626 return gpg_error (GPG_ERR_INV_PARAMETER);
627 }
628 }
629
630 /* Check the optional AuthorityKeyId. */
631 string = get_parameter_value (para, pAUTHKEYID, 0);
632 if (string && strcmp (string, "none"))
633 {
634 for (s=string, i=0; hexdigitp (s); s++, i++)
635 ;
636 if (*s || (i&1))
637 {
638 r = get_parameter (para, pAUTHKEYID, 0);
639 log_error (_("line %d: invalid authority-key-id\n"), r?r->lnr:0);
640 xfree (cardkeyid);
641 return gpg_error (GPG_ERR_INV_PARAMETER);
642 }
643 }
644
645 /* Check the optional SubjectKeyId. */
646 string = get_parameter_value (para, pSUBJKEYID, 0);
647 if (string && strcmp (string, "none"))
648 {
649 for (s=string, i=0; hexdigitp (s); s++, i++)
650 ;
651 if (*s || (i&1))
652 {
653 r = get_parameter (para, pSUBJKEYID, 0);
654 log_error (_("line %d: invalid subject-key-id\n"), r?r->lnr:0);
655 xfree (cardkeyid);
656 return gpg_error (GPG_ERR_INV_PARAMETER);
657 }
658 }
659
660 /* Check the optional extensions. */
661 for (seq=0; (string=get_parameter_value (para, pEXTENSION, seq)); seq++)
662 {
663 int okay = 0;
664
665 s = strpbrk (string, " \t:");
666 if (s)
667 {
668 s++;
669 while (spacep (s))
670 s++;
671 if (*s && strchr ("nNcC", *s))
672 {
673 s++;
674 while (spacep (s))
675 s++;
676 if (*s == ':')
677 s++;
678 if (*s)
679 {
680 while (spacep (s))
681 s++;
682 for (i=0; hexdigitp (s); s++, i++)
683 ;
684 if (!((*s && *s != ':') || !i || (i&1)))
685 okay = 1;
686 }
687 }
688 }
689 if (!okay)
690 {
691 r = get_parameter (para, pEXTENSION, seq);
692 log_error (_("line %d: invalid extension syntax\n"), r? r->lnr:0);
693 xfree (cardkeyid);
694 return gpg_error (GPG_ERR_INV_PARAMETER);
695 }
696 }
697
698 /* Create or retrieve the public key. */
699 if (cardkeyid) /* Take the key from the current smart card. */
700 {
701 rc = gpgsm_agent_readkey (ctrl, 1, cardkeyid, &public);
702 if (rc)
703 {
704 r = get_parameter (para, pKEYTYPE, 0);
705 log_error (_("line %d: error reading key '%s' from card: %s\n"),
706 r?r->lnr:0, cardkeyid, gpg_strerror (rc));
707 xfree (sigkey);
708 xfree (cardkeyid);
709 return rc;
710 }
711 }
712 else if ((s=get_parameter_value (para, pKEYGRIP, 0))) /* Use existing key.*/
713 {
714 rc = gpgsm_agent_readkey (ctrl, 0, s, &public);
715 if (rc)
716 {
717 r = get_parameter (para, pKEYTYPE, 0);
718 log_error (_("line %d: error getting key by keygrip '%s': %s\n"),
719 r->lnr, s, gpg_strerror (rc));
720 xfree (sigkey);
721 xfree (cardkeyid);
722 return rc;
723 }
724 }
725 else if (!outctrl->dryrun) /* Generate new key. */
726 {
727 if (algo == GCRY_PK_RSA)
728 {
729 sprintf (numbuf, "%u", nbits);
730 snprintf ((char*)keyparms, DIM (keyparms),
731 "(6:genkey(3:rsa(5:nbits%d:%s)))",
732 (int)strlen (numbuf), numbuf);
733 }
734 else if (algo == GCRY_PK_ECC)
735 {
736 const char *curve = get_parameter_value (para, pKEYCURVE, 0);
737 const char *flags;
738
739 if (!strcmp (curve, "Ed25519"))
740 flags = "(5:flags5:eddsa)";
741 else if (!strcmp (curve, "Curve25519"))
742 flags = "(5:flags9:djb-tweak)";
743 else
744 flags = "";
745
746 snprintf ((char*)keyparms, DIM (keyparms),
747 "(6:genkey(3:ecc(5:curve%zu:%s)%s))",
748 strlen (curve), curve, flags);
749 }
750 else
751 {
752 r = get_parameter (para, pKEYTYPE, 0);
753 log_error (_("line %d: invalid algorithm\n"), r?r->lnr:0);
754 xfree (sigkey);
755 xfree (cardkeyid);
756 return gpg_error (GPG_ERR_INV_PARAMETER);
757 }
758 rc = gpgsm_agent_genkey (ctrl, keyparms, &public);
759 if (rc)
760 {
761 r = get_parameter (para, pKEYTYPE, 0);
762 log_error (_("line %d: key generation failed: %s <%s>\n"),
763 r?r->lnr:0, gpg_strerror (rc), gpg_strsource (rc));
764 xfree (sigkey);
765 xfree (cardkeyid);
766 return rc;
767 }
768 }
769
770
771 if (!outctrl->dryrun)
772 {
773 gnupg_ksba_io_t b64writer = NULL;
774 ksba_writer_t writer;
775 int create_cert ;
776
777 create_cert = !!get_parameter_value (para, pSERIAL, 0);
778
779 ctrl->pem_name = create_cert? "CERTIFICATE" : "CERTIFICATE REQUEST";
780
781 rc = gnupg_ksba_create_writer
782 (&b64writer, ((ctrl->create_pem? GNUPG_KSBA_IO_PEM : 0)
783 | (ctrl->create_base64? GNUPG_KSBA_IO_BASE64 : 0)),
784 ctrl->pem_name, out_fp, &writer);
785 if (rc)
786 log_error ("can't create writer: %s\n", gpg_strerror (rc));
787 else
788 {
789 rc = create_request (ctrl, para, cardkeyid, public, sigkey, writer);
790 if (!rc)
791 {
792 rc = gnupg_ksba_finish_writer (b64writer);
793 if (rc)
794 log_error ("write failed: %s\n", gpg_strerror (rc));
795 else
796 {
797 gpgsm_status (ctrl, STATUS_KEY_CREATED, "P");
798 log_info ("certificate%s created\n",
799 create_cert?"":" request");
800 }
801 }
802 gnupg_ksba_destroy_writer (b64writer);
803 }
804 }
805
806 xfree (sigkey);
807 xfree (public);
808 xfree (cardkeyid);
809
810 return rc;
811 }
812
813
814 /* Parameters are checked, the key pair has been created. Now
815 generate the request and write it out */
816 static int
create_request(ctrl_t ctrl,struct para_data_s * para,const char * carddirect,ksba_const_sexp_t public,ksba_const_sexp_t sigkey,ksba_writer_t writer)817 create_request (ctrl_t ctrl,
818 struct para_data_s *para,
819 const char *carddirect,
820 ksba_const_sexp_t public,
821 ksba_const_sexp_t sigkey,
822 ksba_writer_t writer)
823 {
824 ksba_certreq_t cr;
825 gpg_error_t err;
826 gcry_md_hd_t md;
827 ksba_stop_reason_t stopreason;
828 int rc = 0;
829 const char *s, *string;
830 unsigned int use;
831 int seq;
832 char *buf, *p;
833 size_t len;
834 char numbuf[30];
835 ksba_isotime_t atime;
836 int certmode = 0;
837 int mdalgo;
838 membuf_t tbsbuffer;
839 membuf_t *tbsmb = NULL;
840 size_t publiclen;
841 size_t sigkeylen;
842 int publicpkalgo; /* The gcrypt public key algo of the public key. */
843 int sigkeypkalgo; /* The gcrypt public key algo of the signing key. */
844
845 err = ksba_certreq_new (&cr);
846 if (err)
847 return err;
848
849 publiclen = gcry_sexp_canon_len (public, 0, NULL, NULL);
850 sigkeylen = sigkey? gcry_sexp_canon_len (sigkey, 0, NULL, NULL) : 0;
851
852 publicpkalgo = get_pk_algo_from_canon_sexp (public, publiclen);
853 sigkeypkalgo = sigkey? get_pk_algo_from_canon_sexp (public, publiclen) : 0;
854
855 if (publicpkalgo == GCRY_PK_EDDSA)
856 {
857 mdalgo = GCRY_MD_SHA512;
858 md = NULL; /* We sign the data and not a hash. */
859 init_membuf (&tbsbuffer, 2048);
860 tbsmb = &tbsbuffer;
861 ksba_certreq_set_hash_function
862 (cr, (void (*)(void *, const void*,size_t))put_membuf, tbsmb);
863 }
864 else
865 {
866 if ((string = get_parameter_value (para, pHASHALGO, 0)))
867 mdalgo = gcry_md_map_name (string);
868 else
869 mdalgo = GCRY_MD_SHA256;
870 rc = gcry_md_open (&md, mdalgo, 0);
871 if (rc)
872 {
873 log_error ("md_open failed: %s\n", gpg_strerror (rc));
874 goto leave;
875 }
876 if (DBG_HASHING)
877 gcry_md_debug (md, "cr.cri");
878 ksba_certreq_set_hash_function (cr, HASH_FNC, md);
879 }
880
881 ksba_certreq_set_writer (cr, writer);
882
883 err = ksba_certreq_add_subject (cr, get_parameter_value (para, pNAMEDN, 0));
884 if (err)
885 {
886 log_error ("error setting the subject's name: %s\n",
887 gpg_strerror (err));
888 rc = err;
889 goto leave;
890 }
891
892 for (seq=0; (s = get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
893 {
894 buf = xtrymalloc (strlen (s) + 3);
895 if (!buf)
896 {
897 rc = out_of_core ();
898 goto leave;
899 }
900 *buf = '<';
901 strcpy (buf+1, s);
902 strcat (buf+1, ">");
903 err = ksba_certreq_add_subject (cr, buf);
904 xfree (buf);
905 if (err)
906 {
907 log_error ("error setting the subject's alternate name: %s\n",
908 gpg_strerror (err));
909 rc = err;
910 goto leave;
911 }
912 }
913
914 for (seq=0; (s = get_parameter_value (para, pNAMEDNS, seq)); seq++)
915 {
916 len = strlen (s);
917 log_assert (len);
918 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
919 buf = p = xtrymalloc (11 + strlen (numbuf) + len + 3);
920 if (!buf)
921 {
922 rc = out_of_core ();
923 goto leave;
924 }
925 p = stpcpy (p, "(8:dns-name");
926 p = stpcpy (p, numbuf);
927 p = stpcpy (p, s);
928 strcpy (p, ")");
929
930 err = ksba_certreq_add_subject (cr, buf);
931 xfree (buf);
932 if (err)
933 {
934 log_error ("error setting the subject's alternate name: %s\n",
935 gpg_strerror (err));
936 rc = err;
937 goto leave;
938 }
939 }
940
941 for (seq=0; (s = get_parameter_value (para, pNAMEURI, seq)); seq++)
942 {
943 len = strlen (s);
944 log_assert (len);
945 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
946 buf = p = xtrymalloc (6 + strlen (numbuf) + len + 3);
947 if (!buf)
948 {
949 rc = out_of_core ();
950 goto leave;
951 }
952 p = stpcpy (p, "(3:uri");
953 p = stpcpy (p, numbuf);
954 p = stpcpy (p, s);
955 strcpy (p, ")");
956
957 err = ksba_certreq_add_subject (cr, buf);
958 xfree (buf);
959 if (err)
960 {
961 log_error ("error setting the subject's alternate name: %s\n",
962 gpg_strerror (err));
963 rc = err;
964 goto leave;
965 }
966 }
967
968 err = ksba_certreq_set_public_key (cr, public);
969 if (err)
970 {
971 log_error ("error setting the public key: %s\n", gpg_strerror (err));
972 rc = err;
973 goto leave;
974 }
975
976 /* Set key usage flags. */
977 use = get_parameter_uint (para, pKEYUSAGE);
978 if (use)
979 {
980 unsigned int mask, pos;
981 unsigned char der[4];
982
983 der[0] = 0x03;
984 der[1] = 0x02;
985 der[2] = 0;
986 der[3] = 0;
987 if ((use & GCRY_PK_USAGE_SIGN))
988 {
989 /* For signing only we encode the bits:
990 KSBA_KEYUSAGE_DIGITAL_SIGNATURE
991 KSBA_KEYUSAGE_NON_REPUDIATION = 0b11 -> 0b11000000 */
992 der[3] |= 0xc0;
993 }
994 if ((use & GCRY_PK_USAGE_ENCR))
995 {
996 /* For encrypt only we encode the bits:
997 KSBA_KEYUSAGE_KEY_ENCIPHERMENT
998 KSBA_KEYUSAGE_DATA_ENCIPHERMENT = 0b1100 -> 0b00110000 */
999 der[3] |= 0x30;
1000 }
1001 if ((use & GCRY_PK_USAGE_CERT))
1002 {
1003 /* For certify only we encode the bits:
1004 KSBA_KEYUSAGE_KEY_CERT_SIGN
1005 KSBA_KEYUSAGE_CRL_SIGN = 0b1100000 -> 0b00000110 */
1006 der[3] |= 0x06;
1007 }
1008
1009 /* Count number of unused bits. */
1010 for (mask=1, pos=0; pos < 8 * sizeof mask; pos++, mask <<= 1)
1011 {
1012 if ((der[3] & mask))
1013 break;
1014 der[2]++;
1015 }
1016
1017 err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, der, 4);
1018 if (err)
1019 {
1020 log_error ("error setting the key usage: %s\n",
1021 gpg_strerror (err));
1022 rc = err;
1023 goto leave;
1024 }
1025 }
1026
1027
1028 /* See whether we want to create an X.509 certificate. */
1029 string = get_parameter_value (para, pSERIAL, 0);
1030 if (string)
1031 {
1032 certmode = 1;
1033
1034 /* Store the serial number. */
1035 if (!strcmp (string, "random"))
1036 {
1037 char snbuf[3+8+1];
1038
1039 memcpy (snbuf, "(8:", 3);
1040 gcry_create_nonce (snbuf+3, 8);
1041 /* Clear high bit to guarantee a positive integer. */
1042 snbuf[3] &= 0x7f;
1043 snbuf[3+8] = ')';
1044 err = ksba_certreq_set_serial (cr, snbuf);
1045 }
1046 else
1047 {
1048 char *hexbuf;
1049
1050 /* Allocate a buffer large enough to prefix the string with
1051 a '0' so to have an even number of digits. Prepend two
1052 further '0' so that the binary result will have a leading
1053 0 byte and thus can't be the representation of a negative
1054 number. Note that ksba_certreq_set_serial strips all
1055 unneeded leading 0 bytes. */
1056 hexbuf = p = xtrymalloc (2 + 1 + strlen (string) + 1);
1057 if (!hexbuf)
1058 {
1059 err = gpg_error_from_syserror ();
1060 goto leave;
1061 }
1062 if ((strlen (string) & 1))
1063 *p++ = '0';
1064 *p++ = '0';
1065 *p++ = '0';
1066 strcpy (p, string);
1067 for (p=hexbuf, len=0; p[0] && p[1]; p += 2)
1068 ((unsigned char*)hexbuf)[len++] = xtoi_2 (p);
1069 /* Now build the S-expression. */
1070 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
1071 buf = p = xtrymalloc (1 + strlen (numbuf) + len + 1 + 1);
1072 if (!buf)
1073 {
1074 err = gpg_error_from_syserror ();
1075 xfree (hexbuf);
1076 goto leave;
1077 }
1078 p = stpcpy (stpcpy (buf, "("), numbuf);
1079 memcpy (p, hexbuf, len);
1080 p += len;
1081 strcpy (p, ")");
1082 xfree (hexbuf);
1083 err = ksba_certreq_set_serial (cr, buf);
1084 xfree (buf);
1085 }
1086 if (err)
1087 {
1088 log_error ("error setting the serial number: %s\n",
1089 gpg_strerror (err));
1090 goto leave;
1091 }
1092
1093
1094 /* Store the issuer DN. If no issuer DN is given and no signing
1095 key has been set we add the standalone extension and the
1096 basic constraints to mark it as a self-signed CA
1097 certificate. */
1098 string = get_parameter_value (para, pISSUERDN, 0);
1099 if (string)
1100 {
1101 /* Issuer DN given. Note that this may be the same as the
1102 subject DN and thus this could as well be a self-signed
1103 certificate. However the caller needs to explicitly
1104 specify basicConstraints and so forth. */
1105 err = ksba_certreq_set_issuer (cr, string);
1106 if (err)
1107 {
1108 log_error ("error setting the issuer DN: %s\n",
1109 gpg_strerror (err));
1110 goto leave;
1111 }
1112
1113 }
1114 else if (!string && !sigkey)
1115 {
1116 /* Self-signed certificate requested. Add basicConstraints
1117 and the custom GnuPG standalone extension. */
1118 err = ksba_certreq_add_extension (cr, oidstr_basicConstraints, 1,
1119 "\x30\x03\x01\x01\xff", 5);
1120 if (err)
1121 goto leave;
1122 err = ksba_certreq_add_extension (cr, oidstr_standaloneCertificate, 0,
1123 "\x01\x01\xff", 3);
1124 if (err)
1125 goto leave;
1126 }
1127
1128 /* Store the creation date. */
1129 string = get_parameter_value (para, pNOTBEFORE, 0);
1130 if (string)
1131 {
1132 if (!string2isotime (atime, string))
1133 BUG (); /* We already checked the value. */
1134 }
1135 else
1136 gnupg_get_isotime (atime);
1137 err = ksba_certreq_set_validity (cr, 0, atime);
1138 if (err)
1139 {
1140 log_error ("error setting the creation date: %s\n",
1141 gpg_strerror (err));
1142 goto leave;
1143 }
1144
1145
1146 /* Store the expire date. If it is not given, libksba inserts a
1147 default value. */
1148 string = get_parameter_value (para, pNOTAFTER, 0);
1149 if (string)
1150 {
1151 if (!string2isotime (atime, string))
1152 BUG (); /* We already checked the value. */
1153 err = ksba_certreq_set_validity (cr, 1, atime);
1154 if (err)
1155 {
1156 log_error ("error setting the expire date: %s\n",
1157 gpg_strerror (err));
1158 goto leave;
1159 }
1160 }
1161
1162
1163 /* Figure out the signing algorithm. If no sigkey has been
1164 given we set it to the public key to create a self-signed
1165 certificate. */
1166 if (!sigkey)
1167 {
1168 sigkey = public;
1169 sigkeylen = publiclen;
1170 sigkeypkalgo = publicpkalgo;
1171 }
1172
1173 /* Set the the digestinfo aka siginfo. */
1174 {
1175 unsigned char *siginfo;
1176
1177 err = transform_sigval (sigkey, sigkeylen, mdalgo, &siginfo, NULL);
1178 if (!err)
1179 {
1180 err = ksba_certreq_set_siginfo (cr, siginfo);
1181 xfree (siginfo);
1182 }
1183 if (err)
1184 {
1185 log_error ("error setting the siginfo: %s\n",
1186 gpg_strerror (err));
1187 rc = err;
1188 goto leave;
1189 }
1190 }
1191
1192
1193 /* Insert the AuthorityKeyId. */
1194 string = get_parameter_value (para, pAUTHKEYID, 0);
1195 if (string && !strcmp (string, "none"))
1196 ; /* Do not issue an AKI. */
1197 else if (string)
1198 {
1199 char *hexbuf;
1200
1201 /* Allocate a buffer for in-place conversion. We also add 4
1202 extra bytes space for the tags and lengths fields. */
1203 hexbuf = xtrymalloc (4 + strlen (string) + 1);
1204 if (!hexbuf)
1205 {
1206 err = gpg_error_from_syserror ();
1207 goto leave;
1208 }
1209 strcpy (hexbuf+4, string);
1210 for (p=hexbuf+4, len=0; p[0] && p[1]; p += 2)
1211 ((unsigned char*)hexbuf)[4+len++] = xtoi_2 (p);
1212 if (len > 125)
1213 {
1214 err = gpg_error (GPG_ERR_TOO_LARGE);
1215 xfree (hexbuf);
1216 goto leave;
1217 }
1218 hexbuf[0] = 0x30; /* Tag for a Sequence. */
1219 hexbuf[1] = len+2;
1220 hexbuf[2] = 0x80; /* Context tag for an implicit Octet string. */
1221 hexbuf[3] = len;
1222 err = ksba_certreq_add_extension (cr, oidstr_authorityKeyIdentifier,
1223 0, hexbuf, 4+len);
1224 xfree (hexbuf);
1225 if (err)
1226 {
1227 log_error ("error setting the AKI: %s\n", gpg_strerror (err));
1228 goto leave;
1229 }
1230 }
1231 else if (publicpkalgo == GCRY_PK_EDDSA || publicpkalgo == GCRY_PK_ECC)
1232 {
1233 /* For EdDSA and ECC we add the public key as default identifier. */
1234 const unsigned char *q;
1235 size_t qlen, derlen;
1236 unsigned char *der;
1237
1238 err = get_ecc_q_from_canon_sexp (public, publiclen, &q, &qlen);
1239 if (err)
1240 {
1241 log_error ("error getting Q from public key: %s\n",
1242 gpg_strerror (err));
1243 goto leave;
1244 }
1245 if (publicpkalgo == GCRY_PK_EDDSA && qlen>32 && (qlen&1) && *q==0x40)
1246 {
1247 /* Skip our optional native encoding octet. */
1248 q++;
1249 qlen--;
1250 }
1251 /* FIXME: For plain ECC we should better use a compressed
1252 * point. That requires an updated Libgcrypt. Without that
1253 * using nistp521 won't work due to the length check below. */
1254 if (qlen > 125)
1255 {
1256 err = gpg_error (GPG_ERR_TOO_LARGE);
1257 goto leave;
1258 }
1259 derlen = 4 + qlen;
1260 der = xtrymalloc (derlen);
1261 if (!der)
1262 {
1263 err = gpg_error_from_syserror ();
1264 goto leave;
1265 }
1266 der[0] = 0x30; /* Sequence */
1267 der[1] = qlen + 2;
1268 der[2] = 0x80; /* Context tag for an implict Octet String. */
1269 der[3] = qlen;
1270 memcpy (der+4, q, qlen);
1271 err = ksba_certreq_add_extension (cr, oidstr_authorityKeyIdentifier,
1272 0, der, derlen);
1273 xfree (der);
1274 if (err)
1275 {
1276 log_error ("error setting the AKI: %s\n", gpg_strerror (err));
1277 goto leave;
1278 }
1279 }
1280
1281 /* Insert the SubjectKeyId. */
1282 string = get_parameter_value (para, pSUBJKEYID, 0);
1283 if (string && !strcmp (string, "none"))
1284 ; /* Do not issue an SKI. */
1285 else if (string)
1286 {
1287 char *hexbuf;
1288
1289 /* Allocate a buffer for in-place conversion. We also add 2
1290 extra bytes space for the tag and length field. */
1291 hexbuf = xtrymalloc (2 + strlen (string) + 1);
1292 if (!hexbuf)
1293 {
1294 err = gpg_error_from_syserror ();
1295 goto leave;
1296 }
1297 strcpy (hexbuf+2, string);
1298 for (p=hexbuf+2, len=0; p[0] && p[1]; p += 2)
1299 ((unsigned char*)hexbuf)[2+len++] = xtoi_2 (p);
1300 if (len > 127)
1301 {
1302 err = gpg_error (GPG_ERR_TOO_LARGE);
1303 xfree (hexbuf);
1304 goto leave;
1305 }
1306 hexbuf[0] = 0x04; /* Tag for an Octet string. */
1307 hexbuf[1] = len;
1308 err = ksba_certreq_add_extension (cr, oidstr_subjectKeyIdentifier, 0,
1309 hexbuf, 2+len);
1310 xfree (hexbuf);
1311 if (err)
1312 {
1313 log_error ("error setting SKI: %s\n", gpg_strerror (err));
1314 goto leave;
1315 }
1316 }
1317 else if (sigkeypkalgo == GCRY_PK_EDDSA || sigkeypkalgo == GCRY_PK_ECC)
1318 {
1319 /* For EdDSA and ECC we add the public key as default identifier. */
1320 const unsigned char *q;
1321 size_t qlen, derlen;
1322 unsigned char *der;
1323
1324 /* FIXME: This assumes that the to-be-certified key uses the
1325 * same algorithm as the certification key - this is not
1326 * always the case; in fact it is common that they
1327 * differ. */
1328 err = get_ecc_q_from_canon_sexp (sigkey, sigkeylen, &q, &qlen);
1329 if (err)
1330 {
1331 log_error ("error getting Q from signature key: %s\n",
1332 gpg_strerror (err));
1333 goto leave;
1334 }
1335 if (sigkeypkalgo == GCRY_PK_EDDSA && qlen>32 && (qlen&1) && *q==0x40)
1336 {
1337 /* Skip our optional native encoding octet. */
1338 q++;
1339 qlen--;
1340 }
1341 if (qlen > 127)
1342 {
1343 err = gpg_error (GPG_ERR_TOO_LARGE);
1344 goto leave;
1345 }
1346 derlen = 2 + qlen;
1347 der = xtrymalloc (derlen);
1348 if (!der)
1349 {
1350 err = gpg_error_from_syserror ();
1351 goto leave;
1352 }
1353 der[0] = 0x04; /* Octet String */
1354 der[1] = qlen;
1355 memcpy (der+2, q, qlen);
1356 err = ksba_certreq_add_extension (cr, oidstr_subjectKeyIdentifier, 0,
1357 der, derlen);
1358 xfree (der);
1359 if (err)
1360 {
1361 log_error ("error setting the SKI: %s\n", gpg_strerror (err));
1362 goto leave;
1363 }
1364 }
1365
1366 /* Insert additional extensions. */
1367 for (seq=0; (string = get_parameter_value (para, pEXTENSION, seq)); seq++)
1368 {
1369 char *hexbuf;
1370 char *oidstr;
1371 int crit = 0;
1372
1373 s = strpbrk (string, " \t:");
1374 if (!s)
1375 {
1376 err = gpg_error (GPG_ERR_INTERNAL);
1377 goto leave;
1378 }
1379
1380 oidstr = xtrymalloc (s - string + 1);
1381 if (!oidstr)
1382 {
1383 err = gpg_error_from_syserror ();
1384 goto leave;
1385 }
1386 memcpy (oidstr, string, (s-string));
1387 oidstr[(s-string)] = 0;
1388
1389 s++;
1390 while (spacep (s))
1391 s++;
1392 if (!*s)
1393 {
1394 err = gpg_error (GPG_ERR_INTERNAL);
1395 xfree (oidstr);
1396 goto leave;
1397 }
1398
1399 if (strchr ("cC", *s))
1400 crit = 1;
1401 s++;
1402 while (spacep (s))
1403 s++;
1404 if (*s == ':')
1405 s++;
1406 while (spacep (s))
1407 s++;
1408
1409 hexbuf = xtrystrdup (s);
1410 if (!hexbuf)
1411 {
1412 err = gpg_error_from_syserror ();
1413 xfree (oidstr);
1414 goto leave;
1415 }
1416 for (p=hexbuf, len=0; p[0] && p[1]; p += 2)
1417 ((unsigned char*)hexbuf)[len++] = xtoi_2 (p);
1418 err = ksba_certreq_add_extension (cr, oidstr, crit,
1419 hexbuf, len);
1420 xfree (oidstr);
1421 xfree (hexbuf);
1422 }
1423 }
1424 else
1425 {
1426 sigkey = public;
1427 sigkeylen = publiclen;
1428 sigkeypkalgo = publicpkalgo;
1429 }
1430
1431 do
1432 {
1433 err = ksba_certreq_build (cr, &stopreason);
1434 if (err)
1435 {
1436 log_error ("ksba_certreq_build failed: %s\n", gpg_strerror (err));
1437 rc = err;
1438 goto leave;
1439 }
1440 if (stopreason == KSBA_SR_NEED_SIG)
1441 {
1442 gcry_sexp_t s_pkey;
1443 unsigned char grip[20];
1444 char hexgrip[41];
1445 unsigned char *sigval, *newsigval;
1446 size_t siglen;
1447 void *tbsdata;
1448 size_t tbsdatalen;
1449
1450 rc = gcry_sexp_sscan (&s_pkey, NULL, (const char*)sigkey, sigkeylen);
1451 if (rc)
1452 {
1453 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
1454 goto leave;
1455 }
1456 if ( !gcry_pk_get_keygrip (s_pkey, grip) )
1457 {
1458 rc = gpg_error (GPG_ERR_GENERAL);
1459 log_error ("can't figure out the keygrip\n");
1460 gcry_sexp_release (s_pkey);
1461 goto leave;
1462 }
1463 gcry_sexp_release (s_pkey);
1464 bin2hex (grip, 20, hexgrip);
1465
1466 if (!opt.quiet)
1467 log_info ("about to sign the %s for key: &%s\n",
1468 certmode? "certificate":"CSR", hexgrip);
1469
1470 if (carddirect && !certmode)
1471 {
1472 if (tbsmb)
1473 {
1474 tbsdata = get_membuf (tbsmb, &tbsdatalen);
1475 tbsmb = NULL;
1476 if (!tbsdata)
1477 rc = gpg_error_from_syserror ();
1478 else
1479 rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
1480 tbsdata, tbsdatalen, 0,
1481 &sigval, &siglen);
1482 xfree (tbsdata);
1483 }
1484 else
1485 rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
1486 gcry_md_read (md, mdalgo),
1487 gcry_md_get_algo_dlen (mdalgo),
1488 mdalgo,
1489 &sigval, &siglen);
1490 }
1491 else
1492 {
1493 char *orig_codeset;
1494 char *desc;
1495
1496 orig_codeset = i18n_switchto_utf8 ();
1497 desc = percent_plus_escape
1498 (_("To complete this certificate request please enter"
1499 " the passphrase for the key you just created once"
1500 " more.\n"));
1501 i18n_switchback (orig_codeset);
1502 if (tbsmb)
1503 {
1504 tbsdata = get_membuf (tbsmb, &tbsdatalen);
1505 tbsmb = NULL;
1506 if (!tbsdata)
1507 rc = gpg_error_from_syserror ();
1508 else
1509 rc = gpgsm_agent_pksign (ctrl, hexgrip, desc,
1510 tbsdata, tbsdatalen, 0,
1511
1512 &sigval, &siglen);
1513 xfree (tbsdata);
1514 }
1515 else
1516 rc = gpgsm_agent_pksign (ctrl, hexgrip, desc,
1517 gcry_md_read(md, mdalgo),
1518 gcry_md_get_algo_dlen (mdalgo),
1519 mdalgo,
1520 &sigval, &siglen);
1521 xfree (desc);
1522 }
1523 if (rc)
1524 {
1525 log_error ("signing failed: %s\n", gpg_strerror (rc));
1526 goto leave;
1527 }
1528
1529 err = transform_sigval (sigval, siglen, mdalgo, &newsigval, NULL);
1530 xfree (sigval);
1531 if (!err)
1532 {
1533 err = ksba_certreq_set_sig_val (cr, newsigval);
1534 xfree (newsigval);
1535 }
1536 if (err)
1537 {
1538 log_error ("failed to store the sig_val: %s\n",
1539 gpg_strerror (err));
1540 rc = err;
1541 goto leave;
1542 }
1543 }
1544 }
1545 while (stopreason != KSBA_SR_READY);
1546
1547
1548 leave:
1549 if (tbsmb)
1550 xfree (get_membuf (tbsmb, NULL));
1551 gcry_md_close (md);
1552 ksba_certreq_release (cr);
1553 return rc;
1554 }
1555
1556
1557
1558 /* Create a new key by reading the parameters from IN_FP. Multiple
1559 keys may be created */
1560 int
gpgsm_genkey(ctrl_t ctrl,estream_t in_stream,estream_t out_stream)1561 gpgsm_genkey (ctrl_t ctrl, estream_t in_stream, estream_t out_stream)
1562 {
1563 int rc;
1564
1565 rc = read_parameters (ctrl, in_stream, out_stream);
1566 if (rc)
1567 {
1568 log_error ("error creating certificate request: %s <%s>\n",
1569 gpg_strerror (rc), gpg_strsource (rc));
1570 goto leave;
1571 }
1572
1573 leave:
1574 return rc;
1575 }
1576