/src/gnupg/common/openpgp-oid.c
Line | Count | Source |
1 | | /* openpgp-oids.c - OID helper for OpenPGP |
2 | | * Copyright (C) 2011 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2013 Werner Koch |
4 | | * |
5 | | * This file is part of GnuPG. |
6 | | * |
7 | | * This file is free software; you can redistribute it and/or modify |
8 | | * it under the terms of either |
9 | | * |
10 | | * - the GNU Lesser General Public License as published by the Free |
11 | | * Software Foundation; either version 3 of the License, or (at |
12 | | * your option) any later version. |
13 | | * |
14 | | * or |
15 | | * |
16 | | * - the GNU General Public License as published by the Free |
17 | | * Software Foundation; either version 2 of the License, or (at |
18 | | * your option) any later version. |
19 | | * |
20 | | * or both in parallel, as here. |
21 | | * |
22 | | * This file is distributed in the hope that it will be useful, |
23 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
24 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
25 | | * GNU General Public License for more details. |
26 | | * |
27 | | * You should have received a copy of the GNU General Public License |
28 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
29 | | */ |
30 | | |
31 | | #include <config.h> |
32 | | #include <stdlib.h> |
33 | | #include <errno.h> |
34 | | #include <ctype.h> |
35 | | #include <assert.h> |
36 | | |
37 | | #include "util.h" |
38 | | #include "openpgpdefs.h" |
39 | | |
/* A table with all our supported OpenPGP curves.
 *
 * The table is terminated by an entry whose NAME is NULL; the lookup
 * loops in this file stop at that entry.  Curve25519 and Ed25519 each
 * appear twice because two different OIDs map to the same curve name.
 *
 * NOTE: openpgp_curve_to_oid refers to entries 0 and 2 by index for
 * its Curve25519 OID selection, so the order of the first rows must
 * not be changed without adjusting that function.  */
static struct {
  const char *name;   /* Standard name.  */
  const char *oidstr; /* IETF formatted OID.  */
  unsigned int nbits; /* Nominal bit length of the curve.  */
  const char *alias;  /* NULL or alternative name of the curve.  */
  const char *abbr;   /* NULL or abbreviated name of the curve.  */
  int pubkey_algo;    /* Required OpenPGP algo or 0 for ECDSA/ECDH.  */
} oidtable[] = {

  /* Entry 0 and entry 2 are the two OIDs for Curve25519.  A lookup by
   * name or alias always hits entry 0 first.  */
  { "Curve25519", "1.3.6.1.4.1.3029.1.5.1", 255, "cv25519", NULL,
    PUBKEY_ALGO_ECDH /* only during development */},
  { "Ed25519", "1.3.6.1.4.1.11591.15.1", 255, "ed25519", NULL,
    PUBKEY_ALGO_EDDSA },
  { "Curve25519", "1.3.101.110", 255, "cv25519", NULL,
    PUBKEY_ALGO_ECDH },
  { "Ed25519", "1.3.101.112", 255, "ed25519", NULL,
    PUBKEY_ALGO_EDDSA },
  { "X448", "1.3.101.111", 448, "cv448", NULL,
    PUBKEY_ALGO_ECDH },
  { "Ed448", "1.3.101.113", 456, "ed448", NULL,
    PUBKEY_ALGO_EDDSA },

  { "NIST P-256", "1.2.840.10045.3.1.7", 256, "nistp256", NULL,
    0 },
  { "NIST P-384", "1.3.132.0.34", 384, "nistp384", NULL,
    0 },
  { "NIST P-521", "1.3.132.0.35", 521, "nistp521", NULL,
    0 },

  { "brainpoolP256r1", "1.3.36.3.3.2.8.1.1.7", 256, NULL, "bp256",
    0 },
  { "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11", 384, NULL, "bp384",
    0 },
  { "brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13", 512, NULL, "bp512",
    0 },

  /* Only three initializers: alias, abbr and pubkey_algo are
   * implicitly zero (NULL, NULL, 0).  */
  { "secp256k1", "1.3.132.0.10", 256 },

  /* Terminator.  */
  { NULL, NULL, 0}
};
81 | | |
82 | | |
/* The OID for Curve Ed25519 in OpenPGP format.  The shorter v5
 * variant may only be used with v5 keys.
 *
 * In every array below the first byte is the number of OID octets
 * which follow; this is the layout openpgp_oidbuf_to_str checks.
 * The long form decodes to 1.3.6.1.4.1.11591.15.1 and the v5 form
 * to 1.3.101.112, i.e. the two Ed25519 rows of oidtable.  */
static const char oid_ed25519[] =
  { 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xda, 0x47, 0x0f, 0x01 };
static const char oid_ed25519_v5[] = { 0x03, 0x2b, 0x65, 0x70 };

/* The OID for Curve25519 in OpenPGP format.  The shorter v5
 * variant may only be used with v5 keys.  The long form decodes to
 * 1.3.6.1.4.1.3029.1.5.1 and the v5 form to 1.3.101.110.  */
static const char oid_cv25519[] =
  { 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01 };
static const char oid_cv25519_v5[] = { 0x03, 0x2b, 0x65, 0x6e };

/* The OID for X448 in OpenPGP format (decodes to 1.3.101.111).  */
/*
 * Here, we have a little semantic discrepancy.  X448 is the name of
 * the ECDH computation and the OID is assigned to the algorithm in
 * RFC 8410.  Note that this OID is not the one which is assigned to
 * the curve itself (originally in 8410).  Nevertheless, we use "X448"
 * for the curve in libgcrypt.
 */
static const char oid_cv448[] = { 0x03, 0x2b, 0x65, 0x6f };

/* The OID for Ed448 in OpenPGP format (decodes to 1.3.101.113).  */
static const char oid_ed448[] = { 0x03, 0x2b, 0x65, 0x71 };
107 | | |
108 | | |
/* A table to store keyalgo strings like "rsa2048" or "ed25519" so that
 * we do not need to allocate them.  This is currently a simple array
 * but may eventually be changed to a fast data structure.  Note that
 * unknown algorithms are stored with (NBITS,CURVE) set to (0,NULL).
 *
 * The table is only appended to by get_keyalgo_string; nothing in
 * this part of the file removes or frees entries.  */
struct keyalgo_string_s
{
  enum gcry_pk_algos algo;   /* Mandatory.  */
  unsigned int nbits;        /* Size for classical algos.  */
  char *curve;               /* Curvename (OID) or NULL.  */
  char *name;                /* Allocated name.  */
};
static struct keyalgo_string_s *keyalgo_strings; /* The table.  */
static size_t keyalgo_strings_size;              /* Allocated size.  */
static size_t keyalgo_strings_used;              /* Used size.  */
123 | | |
124 | | |
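/* Helper for openpgp_oid_from_str.  Append VALUE to BUF in the
 * base-128 form used for OID arcs: seven payload bits per octet, most
 * significant group first, with bit 7 set on every octet except the
 * last one.  BUFLEN is the index in BUF at which writing starts; the
 * index following the last octet written is returned.
 *
 * The caller must provide room for (8*sizeof(unsigned long)+6)/7
 * octets.  The previous implementation started at a fixed shift of 28
 * and therefore produced a wrong encoding (high bits silently lost)
 * for values of 2^35 and above on platforms with a 64 bit long; the
 * full range of VALUE is now encoded.  */
static size_t
make_flagged_int (unsigned long value, char *buf, size_t buflen)
{
  /* Groups of 7 bits, least significant group first.  */
  unsigned char groups[(sizeof value * 8 + 6) / 7];
  size_t ngroups = 0;

  do
    {
      groups[ngroups++] = value & 0x7f;
      value >>= 7;
    }
  while (value);

  /* Emit in reverse order; all but the final octet carry the
   * continuation flag.  */
  while (ngroups > 1)
    buf[buflen++] = 0x80 | groups[--ngroups];
  buf[buflen++] = groups[0];
  return buflen;
}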
148 | | |
149 | | |
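/* Convert the OID given in dotted decimal form in STRING to a DER
 * encoding and store it as an opaque value at R_MPI.  The format of
 * the DER encoding is not a regular ASN.1 object but the modified
 * format as used by OpenPGP for the ECC curve description: one
 * length octet followed by the OID octets.  On error the function
 * returns an error code and NULL is stored at R_MPI.
 *
 * Each arc must start with a digit and must be followed by either a
 * dot or the end of the string; anything else (including white
 * space, a sign, an empty arc or a trailing dot) yields
 * GPG_ERR_INV_OID_STRING.  The same error is returned for an arc
 * which does not fit into an unsigned long; without that check
 * strtoul would clamp the value and a different OID than the one
 * written in STRING would be encoded.  */
gpg_error_t
openpgp_oid_from_str (const char *string, gcry_mpi_t *r_mpi)
{
  unsigned char *buf;
  size_t buflen;
  unsigned long val1, val;
  const char *endp;
  int arcno;
  int overflow;

  *r_mpi = NULL;

  if (!string || !*string)
    return gpg_error (GPG_ERR_INV_VALUE);

  /* We can safely assume that the encoded OID is shorter than the string.  */
  buf = xtrymalloc (1 + strlen (string) + 2);
  if (!buf)
    return gpg_error_from_syserror ();
  /* Save the first byte for the length.  */
  buflen = 1;

  val1 = 0; /* Avoid compiler warning.  */
  arcno = 0;
  do {
    arcno++;
    gpg_err_set_errno (0);
    val = strtoul (string, (char**)&endp, 10);
    overflow = (errno == ERANGE);  /* Sample errno right after the call.  */
    if (overflow || !digitp (string) || !(*endp == '.' || !*endp))
      {
        xfree (buf);
        return gpg_error (GPG_ERR_INV_OID_STRING);
      }
    if (*endp == '.')
      string = endp+1;

    if (arcno == 1)
      {
        if (val > 2)
          break; /* Not allowed, error caught below.  */
        val1 = val;
      }
    else if (arcno == 2)
      { /* Need to combine the first two arcs in one octet.  */
        if (val1 < 2)
          {
            if (val > 39)
              {
                xfree (buf);
                return gpg_error (GPG_ERR_INV_OID_STRING);
              }
            buf[buflen++] = val1*40 + val;
          }
        else
          {
            /* Reject a value for which adding 80 would wrap around.  */
            if (val > ~0UL - 80)
              {
                xfree (buf);
                return gpg_error (GPG_ERR_INV_OID_STRING);
              }
            val += 80;
            buflen = make_flagged_int (val, buf, buflen);
          }
      }
    else
      {
        buflen = make_flagged_int (val, buf, buflen);
      }
  } while (*endp == '.');

  if (arcno == 1 || buflen < 2 || buflen > 254 )
    { /* It is not possible to encode only the first arc.  The upper
       * limit keeps the length within the single length octet.  */
      xfree (buf);
      return gpg_error (GPG_ERR_INV_OID_STRING);
    }

  *buf = buflen - 1;
  *r_mpi = gcry_mpi_set_opaque (NULL, buf, buflen * 8);
  if (!*r_mpi)
    {
      xfree (buf);
      return gpg_error_from_syserror ();
    }
  return 0;
}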
235 | | |
236 | | |
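/* Decode one base-128 encoded arc from (BUF,LEN) starting at index
 * *POS.  On success 0 is returned, the value is stored at R_VAL and
 * *POS is advanced behind the arc.  -1 is returned if the value does
 * not fit into an unsigned long or if the buffer ends while the
 * continuation bit is still set.  */
static int
oidbuf_get_arc (const unsigned char *buf, size_t len, size_t *pos,
                unsigned long *r_val)
{
  /* The top seven bits; if any of them is set a further shift by 7
   * would lose data.  */
  const unsigned long valmask
    = (unsigned long)0xfe << (8 * (sizeof (unsigned long) - 1));
  unsigned long val = 0;
  size_t n = *pos;

  for (;;)
    {
      if (n >= len)
        return -1;  /* Truncated arc.  */
      if ((val & valmask))
        return -1;  /* Overflow.  */
      val = (val << 7) | (buf[n] & 0x7f);
      if (!(buf[n++] & 0x80))
        break;
    }

  *pos = n;
  *r_val = val;
  return 0;
}


/* Return a malloced string representation of the OID in the buffer
 * (BUF,LEN).  In case of an error NULL is returned and ERRNO is set.
 * As per OpenPGP spec the first byte of the buffer is the length of
 * the rest; the function performs a consistency check.
 *
 * An OID which passes the length check but is otherwise broken (an
 * arc too large for an unsigned long, an over-long encoding of the
 * first octet, or a last octet which still has the continuation bit
 * set) is mapped to the special OID gnu.gnupg.badoid.  The truncated
 * case used to be printed with the partial value, so that for
 * example the octets 2b 65 f0 were rendered as "1.3.101.112" although
 * they are not the encoding of that OID.  */
char *
openpgp_oidbuf_to_str (const unsigned char *buf, size_t len)
{
  char *string, *p;
  size_t size;
  size_t n = 0;
  unsigned long val;

  /* The first byte gives the length; check consistency.  Because
   * that byte must equal LEN-1, LEN can't exceed 256 here.  */
  if (!buf || !len || buf[0] != len -1)
    {
      gpg_err_set_errno (EINVAL);
      return NULL;
    }
  /* Skip length byte.  */
  len--;
  buf++;

  /* To calculate the length of the string we can safely assume an
     upper limit of 3 decimal characters per byte.  Two extra bytes
     account for the special first octet.  */
  size = len*(1+3)+2+1;
  string = p = xtrymalloc (size);
  if (!string)
    return NULL;
  if (!len)
    {
      *p = 0;
      return string;
    }

  /* The first value carries the first two arcs.  */
  if (oidbuf_get_arc (buf, len, &n, &val))
    goto badoid;
  if ((buf[0] & 0x80) && val < 80)
    goto badoid;  /* A multi-octet value is only valid for 2.x.  */
  if (val < 40)
    snprintf (p, size, "0.%lu", val);
  else if (val < 80)
    snprintf (p, size, "1.%lu", val - 40);
  else
    snprintf (p, size, "2.%lu", val - 80);
  p += strlen (p);

  while (n < len)
    {
      if (oidbuf_get_arc (buf, len, &n, &val))
        goto badoid;
      /* Bounded write; the size estimate above already guarantees
       * that the text fits.  */
      snprintf (p, size - (size_t)(p - string), ".%lu", val);
      p += strlen (p);
    }

  return string;

 badoid:
  /* Return a special OID (gnu.gnupg.badoid) to indicate the error
     case.  The OID is broken and thus we return one which can't do
     any harm.  Formally this does not need to be a bad OID but an OID
     with an arc that can't be represented in a 32 bit word is more
     than likely corrupt.  */
  xfree (string);
  return xtrystrdup ("1.3.6.1.4.1.11591.2.12242973");
}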
317 | | |
318 | | |
/* Return a malloced string representation of the OID stored in the
 * opaque MPI A.  NULL is returned with ERRNO set to EINVAL if A is
 * NULL, is not flagged as opaque or carries no data; otherwise the
 * result of openpgp_oidbuf_to_str is passed on.  */
char *
openpgp_oid_to_str (gcry_mpi_t a)
{
  const unsigned char *oidbuf = NULL;
  unsigned int nbits = 0;

  if (a && gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE))
    oidbuf = gcry_mpi_get_opaque (a, &nbits);

  if (!oidbuf)
    {
      gpg_err_set_errno (EINVAL);
      return NULL;
    }

  /* The opaque length is given in bits; round up to full bytes.  */
  return openpgp_oidbuf_to_str (oidbuf, (nbits+7)/8);
}
337 | | |
338 | | |
/* Return true if (BUF,LEN) is exactly one of the two Ed25519 OID
 * encodings (length octet included).  A NULL BUF yields false.  */
int
openpgp_oidbuf_is_ed25519 (const void *buf, size_t len)
{
  if (!buf)
    return 0;

  /* The two encodings differ in length, thus LEN selects the one
   * to compare against.  */
  if (len == DIM (oid_ed25519))
    return !memcmp (buf, oid_ed25519, DIM (oid_ed25519));
  if (len == DIM (oid_ed25519_v5))
    return !memcmp (buf, oid_ed25519_v5, DIM (oid_ed25519_v5));
  return 0;
}
350 | | |
351 | | |
/* Return true if the opaque MPI A holds an OID for Ed25519.  False
 * is returned for a NULL or non-opaque MPI.  */
int
openpgp_oid_is_ed25519 (gcry_mpi_t a)
{
  unsigned int nbits;
  const unsigned char *oid;

  if (a && gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE))
    {
      oid = gcry_mpi_get_opaque (a, &nbits);
      /* Bits are rounded up to bytes; a NULL OID is rejected by the
       * callee.  */
      return openpgp_oidbuf_is_ed25519 (oid, (nbits+7)/8);
    }
  return 0;
}
365 | | |
366 | | |
/* Return true if (BUF,LEN) is exactly one of the two Curve25519 OID
 * encodings (length octet included).  A NULL BUF yields false.  */
int
openpgp_oidbuf_is_cv25519 (const void *buf, size_t len)
{
  if (!buf)
    return 0;

  /* The two encodings differ in length, thus LEN selects the one
   * to compare against.  */
  if (len == DIM (oid_cv25519))
    return !memcmp (buf, oid_cv25519, DIM (oid_cv25519));
  if (len == DIM (oid_cv25519_v5))
    return !memcmp (buf, oid_cv25519_v5, DIM (oid_cv25519_v5));
  return 0;
}
378 | | |
379 | | |
/* Return true if (BUF,LEN) is exactly the Ed448 OID encoding
 * (length octet included).  A NULL BUF yields false.  */
static int
openpgp_oidbuf_is_ed448 (const void *buf, size_t len)
{
  if (!buf || len != DIM (oid_ed448))
    return 0;
  return !memcmp (buf, oid_ed448, DIM (oid_ed448));
}
387 | | |
388 | | |
/* Return true if (BUF,LEN) is exactly the X448 OID encoding
 * (length octet included).  A NULL BUF yields false.  */
static int
openpgp_oidbuf_is_cv448 (const void *buf, size_t len)
{
  if (!buf || len != DIM (oid_cv448))
    return 0;
  return !memcmp (buf, oid_cv448, DIM (oid_cv448));
}
396 | | |
397 | | |
/* Return true if the opaque MPI A holds an OID for Curve25519.
 * False is returned for a NULL or non-opaque MPI.  */
int
openpgp_oid_is_cv25519 (gcry_mpi_t a)
{
  unsigned int nbits;
  const unsigned char *oid;

  if (a && gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE))
    {
      oid = gcry_mpi_get_opaque (a, &nbits);
      /* Bits are rounded up to bytes; a NULL OID is rejected by the
       * callee.  */
      return openpgp_oidbuf_is_cv25519 (oid, (nbits+7)/8);
    }
  return 0;
}
411 | | |
412 | | |
/* Return true if the opaque MPI A holds the OID for Ed448.  False
 * is returned for a NULL or non-opaque MPI.  */
int
openpgp_oid_is_ed448 (gcry_mpi_t a)
{
  unsigned int nbits;
  const unsigned char *oid;

  if (a && gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE))
    {
      oid = gcry_mpi_get_opaque (a, &nbits);
      /* Bits are rounded up to bytes; a NULL OID is rejected by the
       * callee.  */
      return openpgp_oidbuf_is_ed448 (oid, (nbits+7)/8);
    }
  return 0;
}
426 | | |
427 | | |
/* Return true if the opaque MPI A holds the OID for X448.  False is
 * returned for a NULL or non-opaque MPI.  */
int
openpgp_oid_is_cv448 (gcry_mpi_t a)
{
  unsigned int nbits;
  const unsigned char *oid;

  if (a && gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE))
    {
      oid = gcry_mpi_get_opaque (a, &nbits);
      /* Bits are rounded up to bytes; a NULL OID is rejected by the
       * callee.  */
      return openpgp_oidbuf_is_cv448 (oid, (nbits+7)/8);
    }
  return 0;
}
441 | | |
442 | | |
/* Map the Libgcrypt ECC curve NAME to an OID.  NAME is first compared
 * (ignoring case) with the names and aliases in oidtable; if that
 * fails it is compared with the OID strings, so that an OID we
 * support is accepted as well.  NULL is returned for a NULL or
 * unknown NAME.
 *
 * If R_NBITS is not NULL the bit size of the curve is stored there
 * (0 if not found).  If R_ALGO is not NULL the OpenPGP algorithm
 * number required for the curve is stored there; 0 indicates that
 * ECDSA or ECDH can be used.
 *
 * SELECTOR is only evaluated if the match is the first table entry
 * (the first of the two Curve25519 rows): a value greater than 0
 * then returns the OID of table entry 2 instead; 0 and -1 keep the
 * OID of entry 0.  */
const char *
openpgp_curve_to_oid (const char *name, unsigned int *r_nbits, int *r_algo,
                      int selector)
{
  int i;
  int found = -1;   /* Index of the matching table entry or -1.  */
  unsigned int nbits = 0;
  const char *oidstr = NULL;
  int algo = 0;

  if (name)
    {
      /* First pass: name or alias.  */
      for (i=0; oidtable[i].name; i++)
        {
          if (!ascii_strcasecmp (oidtable[i].name, name)
              || (oidtable[i].alias
                  && !ascii_strcasecmp (oidtable[i].alias, name)))
            {
              found = i;
              break;
            }
        }

      /* Second pass: assume the input is already an OID and check
         whether we support it.  */
      if (found < 0)
        {
          for (i=0; oidtable[i].name; i++)
            {
              if (!ascii_strcasecmp (name, oidtable[i].oidstr))
                {
                  found = i;
                  break;
                }
            }
        }
    }

  if (found >= 0)
    {
      oidstr = oidtable[found].oidstr;
      nbits = oidtable[found].nbits;
      algo = oidtable[found].pubkey_algo;
    }

  /* Special handling for Curve25519, where we have two valid OIDs:
     select the new OID, if wanted.  */
  if (found == 0 && algo && selector > 0)
    oidstr = oidtable[2].oidstr;

  if (r_nbits)
    *r_nbits = nbits;
  if (r_algo)
    *r_algo = algo;
  return oidstr;
}
500 | | |
501 | | |
/* Map an OpenPGP OID to the Libgcrypt curve name.  Returns NULL for
 * a NULL or unknown OID; the comparison is an exact string match.
 * MODE defines which version of the curve name is returned.  For
 * example:
 *
 * | OID                  | mode=0          | mode=1          | mode=2   |
 * |----------------------+-----------------+-----------------+----------|
 * | 1.2.840.10045.3.1.7  | nistp256        | NIST P-256      | nistp256 |
 * | 1.3.36.3.3.2.8.1.1.7 | brainpoolP256r1 | brainpoolP256r1 | bp256    |
 *
 * Thus mode 0 returns the name as commonly used by gpg (the alias if
 * there is one), mode 2 prefers an abbreviated name and otherwise
 * behaves like mode 0, and any other mode returns the canonical name.
 */
const char *
openpgp_oid_to_curve (const char *oidstr, int mode)
{
  int idx;

  if (!oidstr)
    return NULL;

  for (idx=0; oidtable[idx].name; idx++)
    {
      if (strcmp (oidtable[idx].oidstr, oidstr))
        continue;  /* Not this one.  */

      if (mode == 2 && oidtable[idx].abbr)
        return oidtable[idx].abbr;
      /* Mode 2 without an abbreviation falls back to mode 0.  */
      if ((mode == 0 || mode == 2) && oidtable[idx].alias)
        return oidtable[idx].alias;
      return oidtable[idx].name;
    }

  return NULL;
}
537 | | |
538 | | |
/* Map an OpenPGP OID, name or alias to the Libgcrypt curve name.
 * All three are compared ignoring case.  Returns NULL for a NULL or
 * unknown OIDNAME.  Unless CANON is set we prefer an alias name here
 * which is more suitable for printing.  */
const char *
openpgp_oid_or_name_to_curve (const char *oidname, int canon)
{
  int idx;
  int hit;

  if (!oidname)
    return NULL;

  for (idx=0; oidtable[idx].name; idx++)
    {
      hit = !ascii_strcasecmp (oidtable[idx].oidstr, oidname);
      if (!hit)
        hit = !ascii_strcasecmp (oidtable[idx].name, oidname);
      if (!hit && oidtable[idx].alias)
        hit = !ascii_strcasecmp (oidtable[idx].alias, oidname);
      if (!hit)
        continue;

      if (!canon && oidtable[idx].alias)
        return oidtable[idx].alias;
      return oidtable[idx].name;
    }

  return NULL;
}
559 | | |
560 | | |
/* Return true if the curve with NAME is supported.  A public key
 * S-expression naming the curve is built and Libgcrypt is asked via
 * gcry_pk_get_curve whether it knows a curve for it.  False is also
 * returned if the S-expression can't be built.  */
static int
curve_supported_p (const char *name)
{
  gcry_sexp_t keyparms;
  int supported;

  if (gcry_sexp_build (&keyparms, NULL, "(public-key(ecc(curve %s)))", name))
    return 0;

  supported = !!gcry_pk_get_curve (keyparms, 0, NULL);
  gcry_sexp_release (keyparms);
  return supported;
}
575 | | |
576 | | |
/* Enumerate available and supported OpenPGP curves.  The caller needs
   to set the integer variable at ITERP to zero and keep on calling
   this function until NULL is returned.  For each supported curve
   the alias is returned if the table has one, else the standard
   name.  ITERP is used as a table index; a value outside of the
   table ends the enumeration immediately.  */
const char *
openpgp_enum_curves (int *iterp)
{
  int idx;

  for (idx = *iterp;
       idx >= 0 && idx < DIM (oidtable) && oidtable[idx].name;
       idx++)
    {
      if (!curve_supported_p (oidtable[idx].name))
        continue;

      /* Remember where to continue with the next call.  */
      *iterp = idx + 1;
      if (oidtable[idx].alias)
        return oidtable[idx].alias;
      return oidtable[idx].name;
    }

  *iterp = idx;
  return NULL;
}
597 | | |
598 | | |
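/* Return the Libgcrypt name for the gpg curve NAME if supported.
 * NAME is compared (ignoring case) with the name, the alias and the
 * abbreviation of each table entry.  If R_ALGO is not NULL the
 * required OpenPGP public key algo or 0 is stored at that address.
 * If R_NBITS is not NULL the nominal bitsize of the curve is stored
 * there.  NULL is returned, with both outputs set to 0, if the curve
 * is not supported or if NAME is NULL.  */
const char *
openpgp_is_curve_supported (const char *name, int *r_algo,
                            unsigned int *r_nbits)
{
  int idx;

  if (r_algo)
    *r_algo = 0;
  if (r_nbits)
    *r_nbits = 0;

  /* The other lookup functions in this file accept a NULL name;
   * do the same here instead of passing NULL to the string
   * comparison.  */
  if (!name)
    return NULL;

  for (idx = 0; idx < DIM (oidtable) && oidtable[idx].name; idx++)
    {
      if ((!ascii_strcasecmp (name, oidtable[idx].name)
           || (oidtable[idx].alias
               && !ascii_strcasecmp (name, (oidtable[idx].alias)))
           || (oidtable[idx].abbr
               && !ascii_strcasecmp (name, (oidtable[idx].abbr))))
          && curve_supported_p (oidtable[idx].name))
        {
          if (r_algo)
            *r_algo = oidtable[idx].pubkey_algo;
          if (r_nbits)
            *r_nbits = oidtable[idx].nbits;
          return oidtable[idx].name;
        }
    }
  return NULL;
}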
632 | | |
633 | | |
/* Map a Gcrypt public key algorithm number to the one used by
 * OpenPGP.  EDDSA, ECDSA, ECDH and KEM are translated explicitly;
 * any other value below 110 is passed through unchanged.  Returns 0
 * for all other (unknown) gcry algorithms.  */
pubkey_algo_t
map_gcry_pk_to_openpgp (enum gcry_pk_algos algo)
{
  if (algo == GCRY_PK_EDDSA)
    return PUBKEY_ALGO_EDDSA;
  if (algo == GCRY_PK_ECDSA)
    return PUBKEY_ALGO_ECDSA;
  if (algo == GCRY_PK_ECDH)
    return PUBKEY_ALGO_ECDH;
  if (algo == GCRY_PK_KEM)
    return PUBKEY_ALGO_KYBER;

  if (algo < 110)
    return (pubkey_algo_t)algo;
  return 0;
}
648 | | |
649 | | |
/* Map an OpenPGP public key algorithm number to the one used by
 * Libgcrypt.  EDDSA, ECDSA and ECDH are translated explicitly; any
 * other value below 110 is passed through unchanged.  Returns 0 for
 * all other (unknown) algorithms.
 *
 * NOTE(review): map_gcry_pk_to_openpgp translates GCRY_PK_KEM to
 * PUBKEY_ALGO_KYBER but there is no reverse case here - confirm
 * that this is intended.  */
enum gcry_pk_algos
map_openpgp_pk_to_gcry (pubkey_algo_t algo)
{
  if (algo == PUBKEY_ALGO_EDDSA)
    return GCRY_PK_EDDSA;
  if (algo == PUBKEY_ALGO_ECDSA)
    return GCRY_PK_ECDSA;
  if (algo == PUBKEY_ALGO_ECDH)
    return GCRY_PK_ECDH;

  if (algo < 110)
    return (enum gcry_pk_algos)algo;
  return 0;
}
663 | | |
664 | | |
/* Return a string describing the public key algorithm and the
 * keysize.  For elliptic curves the function prints the name of the
 * curve because the keysize is a property of the curve.  ALGO is the
 * Gcrypt algorithm number, CURVE is either NULL or gives the OID of
 * the curve, NBITS is either 0 or the size for algorithms like RSA.
 * The returned string is taken from a permanent table and must not
 * be freed by the caller.  Examples for the output are:
 *
 * "rsa3072" - RSA with 3072 bit
 * "elg1024" - Elgamal with 1024 bit
 * "ed25519" - ECC using the curve Ed25519.
 * "E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
 * "E_1.3.6.1.4.1.11591.2.12242973" - ECC with a bogus OID.
 * "unknown_N" - Unknown OpenPGP algorithm N.
 *               If N is > 110 this is a gcrypt algo.
 *
 * Every combination not seen before adds an entry to the table
 * keyalgo_strings, which is never shrunk here.  For ECC the key of an
 * entry is the CURVE string as passed by the caller, so the number
 * of entries depends on the input; this is why the table size is
 * capped below.
 */
const char *
get_keyalgo_string (enum gcry_pk_algos algo,
                    unsigned int nbits, const char *curve)
{
  const char *prefix;
  int i;
  char *name, *curvebuf;

  /* PREFIX selects the kind of entry: a non-empty string for the
   * algorithms described by a size, the empty string for the ECC
   * algorithms described by a curve, and NULL for everything else.  */
  switch (algo)
    {
    case GCRY_PK_RSA:   prefix = "rsa"; break;
    case GCRY_PK_ELG:   prefix = "elg"; break;
    case GCRY_PK_DSA:   prefix = "dsa"; break;
    case GCRY_PK_ECC:
    case GCRY_PK_ECDH:
    case GCRY_PK_ECDSA:
    case GCRY_PK_EDDSA: prefix = "";    break;
    default:            prefix = NULL;  break;
    }

  if (prefix && *prefix && nbits)
    {
      /* Size based algorithm: look for (ALGO,NBITS).  */
      for (i=0; i < keyalgo_strings_used; i++)
        {
          if (keyalgo_strings[i].algo == algo
              && keyalgo_strings[i].nbits
              && keyalgo_strings[i].nbits == nbits)
            return keyalgo_strings[i].name;
        }
      /* Not yet in the table - add it.  */
      name = xasprintf ("%s%u", prefix, nbits);
      /* NBITS is known to be non-zero in this branch, thus the
       * fallback to 1 is never taken.  */
      nbits = nbits? nbits : 1;  /* No nbits - oops - use 1 instead.  */
      curvebuf = NULL;
    }
  else if (prefix && !*prefix)
    {
      const char *curvename;

      /* ECC: look for (ALGO,CURVE), ignoring the case of CURVE.  */
      for (i=0; i < keyalgo_strings_used; i++)
        {
          if (keyalgo_strings[i].algo == algo
              && keyalgo_strings[i].curve && curve
              && !ascii_strcasecmp (keyalgo_strings[i].curve, curve))
            return keyalgo_strings[i].name;
        }

      /* Not yet in the table - add it.  */
      /* NOTE(review): with CURVE == NULL the lookup above can never
       * match, so it looks as if each such call stores a further
       * "E_error" entry - confirm that callers don't do this
       * repeatedly.  */
      curvename = openpgp_oid_or_name_to_curve (curve, 0);
      if (curvename)
        name = xasprintf ("%s", curvename);
      else if (curve)
        name = xasprintf ("E_%s", curve);
      else
        name = xasprintf ("E_error");
      nbits = 0;
      curvebuf = curve? xstrdup (curve) : NULL;
    }
  else
    {
      /* Unknown algorithm, or a size based algorithm called with
       * NBITS == 0: look for the entry with neither size nor curve.  */
      for (i=0; i < keyalgo_strings_used; i++)
        {
          if (keyalgo_strings[i].algo == algo
              && !keyalgo_strings[i].nbits
              && !keyalgo_strings[i].curve)
            return keyalgo_strings[i].name;
        }
      /* Not yet in the table - add it.  */
      name = xasprintf ("unknown_%u", (unsigned int)algo);
      nbits = 0;
      curvebuf = NULL;
    }

  /* Store a new entry.  This is a loop because of a possible nPth
   * thread switch during xrealloc.  The table grows in steps of 10
   * entries and the process is terminated via log_fatal once the
   * allocated size exceeds 1024*1024 entries.  */
  while (keyalgo_strings_used >= keyalgo_strings_size)
    {
      keyalgo_strings_size += 10;
      if (keyalgo_strings_size > 1024*1024)
        log_fatal ("%s: table getting too large - possible DoS\n", __func__);
      keyalgo_strings = xrealloc (keyalgo_strings, (keyalgo_strings_size
                                                    * sizeof *keyalgo_strings));
    }
  keyalgo_strings[keyalgo_strings_used].algo = algo;
  keyalgo_strings[keyalgo_strings_used].nbits = nbits;
  keyalgo_strings[keyalgo_strings_used].curve = curvebuf;
  keyalgo_strings[keyalgo_strings_used].name = name;
  keyalgo_strings_used++;

  return name;  /* Note that this is in the table.  */
}