Line | Count | Source |
1 | | /* sign.c - sign data |
2 | | * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, |
3 | | * 2007, 2010, 2012 Free Software Foundation, Inc. |
4 | | * |
5 | | * This file is part of GnuPG. |
6 | | * |
7 | | * GnuPG is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 3 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * GnuPG is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
19 | | */ |
20 | | |
21 | | #include <config.h> |
22 | | #include <stdio.h> |
23 | | #include <stdlib.h> |
24 | | #include <string.h> |
25 | | #include <errno.h> |
26 | | |
27 | | #include "gpg.h" |
28 | | #include "options.h" |
29 | | #include "packet.h" |
30 | | #include "../common/status.h" |
31 | | #include "../common/iobuf.h" |
32 | | #include "keydb.h" |
33 | | #include "../common/util.h" |
34 | | #include "main.h" |
35 | | #include "filter.h" |
36 | | #include "../common/ttyio.h" |
37 | | #include "trustdb.h" |
38 | | #include "../common/status.h" |
39 | | #include "../common/i18n.h" |
40 | | #include "pkglue.h" |
41 | | #include "../common/sysutils.h" |
42 | | #include "call-agent.h" |
43 | | #include "../common/mbox-util.h" |
44 | | #include "../common/compliance.h" |
45 | | |
46 | | #ifdef HAVE_DOSISH_SYSTEM |
47 | | #define LF "\r\n" |
48 | | #else |
49 | 0 | #define LF "\n" |
50 | | #endif |
51 | | |
52 | | |
53 | | /* Hack */ |
54 | | static int recipient_digest_algo; |
55 | | |
56 | | |
57 | | /* A type for the extra data we hash into v5 signature packets. */ |
58 | | struct pt_extra_hash_data_s |
59 | | { |
60 | | unsigned char mode; |
61 | | u32 timestamp; |
62 | | unsigned char namelen; |
63 | | char name[1]; |
64 | | }; |
65 | | typedef struct pt_extra_hash_data_s *pt_extra_hash_data_t; |
66 | | |
67 | | |
68 | | /* |
69 | | * Create notations and other stuff. It is assumed that the strings |
70 | | * in STRLIST are already checked to contain only printable data and |
71 | | * have a valid NAME=VALUE format. If with_manu is set a "manu" |
72 | | * notation is also added: a value of 1 includes it in the standard |
73 | | * way and a value of 23 assumes that the data is de-vs compliant. |
74 | | */ |
75 | | static void |
76 | | mk_notation_policy_etc (ctrl_t ctrl, PKT_signature *sig, |
77 | | PKT_public_key *pk, PKT_public_key *pksk, int with_manu) |
78 | 0 | { |
79 | 0 | const char *string; |
80 | 0 | char *p = NULL; |
81 | 0 | strlist_t pu = NULL; |
82 | 0 | struct notation *nd = NULL; |
83 | 0 | struct notation *ndmanu = NULL; |
84 | 0 | struct expando_args args; |
85 | |
|
86 | 0 | log_assert (sig->version >= 4); |
87 | | |
88 | 0 | memset (&args, 0, sizeof(args)); |
89 | 0 | args.pk = pk; |
90 | 0 | args.pksk = pksk; |
91 | | |
92 | | /* Notation data. */ |
93 | 0 | if (IS_ATTST_SIGS(sig)) |
94 | 0 | ; |
95 | 0 | else if (IS_SIG(sig) && opt.sig_notations) |
96 | 0 | nd = opt.sig_notations; |
97 | 0 | else if (IS_CERT(sig) && opt.cert_notations) |
98 | 0 | nd = opt.cert_notations; |
99 | |
|
100 | 0 | if (with_manu) |
101 | 0 | { |
102 | 0 | ndmanu = name_value_to_notation |
103 | 0 | ("manu", |
104 | 0 | gnupg_manu_notation_value (with_manu == 23? CO_DE_VS : CO_GNUPG)); |
105 | 0 | ndmanu->next = nd; |
106 | 0 | nd = ndmanu; |
107 | 0 | } |
108 | |
|
109 | 0 | if (nd) |
110 | 0 | { |
111 | 0 | struct notation *item; |
112 | |
|
113 | 0 | for (item = nd; item; item = item->next) |
114 | 0 | { |
115 | 0 | item->altvalue = pct_expando (ctrl, item->value,&args); |
116 | 0 | if (!item->altvalue) |
117 | 0 | log_error (_("WARNING: unable to %%-expand notation " |
118 | 0 | "(too large). Using unexpanded.\n")); |
119 | 0 | } |
120 | |
|
121 | 0 | keygen_add_notations (sig, nd); |
122 | |
|
123 | 0 | for (item = nd; item; item = item->next) |
124 | 0 | { |
125 | 0 | xfree (item->altvalue); |
126 | 0 | item->altvalue = NULL; |
127 | 0 | } |
128 | 0 | if (with_manu) |
129 | 0 | { |
130 | | /* Restore the original nd and release ndmanu. */ |
131 | 0 | nd = ndmanu; |
132 | 0 | ndmanu->next = NULL; |
133 | 0 | free_notation (ndmanu); |
134 | 0 | } |
135 | 0 | } |
136 | | |
137 | | /* Set policy URL. */ |
138 | 0 | if (IS_ATTST_SIGS(sig)) |
139 | 0 | ; |
140 | 0 | else if (IS_SIG(sig) && opt.sig_policy_url) |
141 | 0 | pu = opt.sig_policy_url; |
142 | 0 | else if (IS_CERT(sig) && opt.cert_policy_url) |
143 | 0 | pu = opt.cert_policy_url; |
144 | |
|
145 | 0 | for (; pu; pu = pu->next) |
146 | 0 | { |
147 | 0 | string = pu->d; |
148 | |
|
149 | 0 | p = pct_expando (ctrl, string, &args); |
150 | 0 | if (!p) |
151 | 0 | { |
152 | 0 | log_error(_("WARNING: unable to %%-expand policy URL " |
153 | 0 | "(too large). Using unexpanded.\n")); |
154 | 0 | p = xstrdup(string); |
155 | 0 | } |
156 | |
|
157 | 0 | build_sig_subpkt (sig, (SIGSUBPKT_POLICY |
158 | 0 | | ((pu->flags & 1)?SIGSUBPKT_FLAG_CRITICAL:0)), |
159 | 0 | p, strlen (p)); |
160 | |
|
161 | 0 | xfree (p); |
162 | 0 | } |
163 | | |
164 | | /* Preferred keyserver URL. */ |
165 | 0 | if (IS_SIG(sig) && opt.sig_keyserver_url) |
166 | 0 | pu = opt.sig_keyserver_url; |
167 | |
|
168 | 0 | for (; pu; pu = pu->next) |
169 | 0 | { |
170 | 0 | string = pu->d; |
171 | |
|
172 | 0 | p = pct_expando (ctrl, string, &args); |
173 | 0 | if (!p) |
174 | 0 | { |
175 | 0 | log_error (_("WARNING: unable to %%-expand preferred keyserver URL" |
176 | 0 | " (too large). Using unexpanded.\n")); |
177 | 0 | p = xstrdup (string); |
178 | 0 | } |
179 | |
|
180 | 0 | build_sig_subpkt (sig, (SIGSUBPKT_PREF_KS |
181 | 0 | | ((pu->flags & 1)?SIGSUBPKT_FLAG_CRITICAL:0)), |
182 | 0 | p, strlen (p)); |
183 | 0 | xfree (p); |
184 | 0 | } |
185 | | |
186 | | /* Set signer's user id. */ |
187 | 0 | if (IS_SIG (sig) && !opt.flags.disable_signer_uid) |
188 | 0 | { |
189 | 0 | char *mbox; |
190 | | |
191 | | /* For now we use the uid which was used to locate the key. */ |
192 | 0 | if (pksk->user_id |
193 | 0 | && (mbox = mailbox_from_userid (pksk->user_id->name, 0))) |
194 | 0 | { |
195 | 0 | if (DBG_LOOKUP) |
196 | 0 | log_debug ("setting Signer's UID to '%s'\n", mbox); |
197 | 0 | build_sig_subpkt (sig, SIGSUBPKT_SIGNERS_UID, mbox, strlen (mbox)); |
198 | 0 | xfree (mbox); |
199 | 0 | } |
200 | 0 | else if (opt.sender_list) |
201 | 0 | { |
202 | | /* If a list of --sender was given we scan that list and use |
203 | | * the first one matching a user id of the current key. */ |
204 | | |
205 | | /* FIXME: We need to get the list of user ids for the PKSK |
206 | | * packet. That requires either a function to look it up |
207 | | * again or we need to extend the key packet struct to link |
208 | | * to the primary key which in turn could link to the user |
209 | | * ids. Too much of a change right now. Let's take just |
210 | | * one from the supplied list and hope that the caller |
211 | | * passed a matching one. */ |
212 | 0 | build_sig_subpkt (sig, SIGSUBPKT_SIGNERS_UID, |
213 | 0 | opt.sender_list->d, strlen (opt.sender_list->d)); |
214 | 0 | } |
215 | 0 | } |
216 | 0 | } |
217 | | |
218 | | |
219 | | |
220 | | /* |
221 | | * Put the Key Block subpacket into SIG for key PKSK. Returns an |
222 | | * error code on failure. |
223 | | */ |
224 | | static gpg_error_t |
225 | | mk_sig_subpkt_key_block (ctrl_t ctrl, PKT_signature *sig, PKT_public_key *pksk) |
226 | 0 | { |
227 | 0 | gpg_error_t err; |
228 | 0 | char *mbox; |
229 | 0 | char *filterexp = NULL; |
230 | 0 | int save_opt_armor = opt.armor; |
231 | 0 | int save_opt_verbose = opt.verbose; |
232 | 0 | char hexfpr[2*MAX_FINGERPRINT_LEN + 1]; |
233 | 0 | void *data = NULL; |
234 | 0 | size_t datalen; |
235 | 0 | kbnode_t keyblock = NULL; |
236 | |
|
237 | 0 | push_export_filters (); |
238 | 0 | opt.armor = 0; |
239 | |
|
240 | 0 | hexfingerprint (pksk, hexfpr, sizeof hexfpr); |
241 | | |
242 | | /* Get the user id so that we know which one to insert into the |
243 | | * key. */ |
244 | 0 | if (pksk->user_id |
245 | 0 | && (mbox = mailbox_from_userid (pksk->user_id->name, 0))) |
246 | 0 | { |
247 | 0 | if (DBG_LOOKUP) |
248 | 0 | log_debug ("including key with UID '%s' (specified)\n", mbox); |
249 | 0 | filterexp = xasprintf ("keep-uid= -- mbox = %s", mbox); |
250 | 0 | xfree (mbox); |
251 | 0 | } |
252 | 0 | else if (opt.sender_list) |
253 | 0 | { |
254 | | /* If --sender was given we use the first one from that list. */ |
255 | 0 | if (DBG_LOOKUP) |
256 | 0 | log_debug ("including key with UID '%s' (--sender)\n", |
257 | 0 | opt.sender_list->d); |
258 | 0 | filterexp = xasprintf ("keep-uid= -- mbox = %s", opt.sender_list->d); |
259 | 0 | } |
260 | 0 | else /* Use the primary user id. */ |
261 | 0 | { |
262 | 0 | if (DBG_LOOKUP) |
263 | 0 | log_debug ("including key with primary UID\n"); |
264 | 0 | filterexp = xstrdup ("keep-uid= primary -t"); |
265 | 0 | } |
266 | |
|
267 | 0 | if (DBG_LOOKUP) |
268 | 0 | log_debug ("export filter expression: %s\n", filterexp); |
269 | 0 | err = parse_and_set_export_filter (filterexp); |
270 | 0 | if (err) |
271 | 0 | goto leave; |
272 | 0 | xfree (filterexp); |
273 | 0 | filterexp = xasprintf ("drop-subkey= fpr <> %s && usage !~ e", hexfpr); |
274 | 0 | if (DBG_LOOKUP) |
275 | 0 | log_debug ("export filter expression: %s\n", filterexp); |
276 | 0 | err = parse_and_set_export_filter (filterexp); |
277 | 0 | if (err) |
278 | 0 | goto leave; |
279 | | |
280 | | |
281 | 0 | opt.verbose = 0; |
282 | 0 | err = export_pubkey_buffer (ctrl, hexfpr, EXPORT_MINIMAL|EXPORT_CLEAN, |
283 | 0 | "", 1, /* Prefix with the reserved byte. */ |
284 | 0 | NULL, &keyblock, &data, &datalen); |
285 | 0 | opt.verbose = save_opt_verbose; |
286 | 0 | if (err) |
287 | 0 | { |
288 | 0 | log_error ("failed to get to be included key: %s\n", gpg_strerror (err)); |
289 | 0 | goto leave; |
290 | 0 | } |
291 | | |
292 | 0 | build_sig_subpkt (sig, SIGSUBPKT_KEY_BLOCK, data, datalen); |
293 | |
|
294 | 0 | leave: |
295 | 0 | xfree (data); |
296 | 0 | release_kbnode (keyblock); |
297 | 0 | xfree (filterexp); |
298 | 0 | opt.armor = save_opt_armor; |
299 | 0 | pop_export_filters (); |
300 | 0 | return err; |
301 | 0 | } |
302 | | |
303 | | |
304 | | /* |
305 | | * Helper to hash a user ID packet. |
306 | | */ |
307 | | static void |
308 | | hash_uid (gcry_md_hd_t md, int sigversion, const PKT_user_id *uid) |
309 | 0 | { |
310 | 0 | byte buf[5]; |
311 | |
|
312 | 0 | (void)sigversion; |
313 | |
|
314 | 0 | if (uid->attrib_data) |
315 | 0 | { |
316 | 0 | buf[0] = 0xd1; /* Indicates an attribute packet. */ |
317 | 0 | buf[1] = uid->attrib_len >> 24; /* Always use 4 length bytes. */ |
318 | 0 | buf[2] = uid->attrib_len >> 16; |
319 | 0 | buf[3] = uid->attrib_len >> 8; |
320 | 0 | buf[4] = uid->attrib_len; |
321 | 0 | } |
322 | 0 | else |
323 | 0 | { |
324 | 0 | buf[0] = 0xb4; /* Indicates a userid packet. */ |
325 | 0 | buf[1] = uid->len >> 24; /* Always use 4 length bytes. */ |
326 | 0 | buf[2] = uid->len >> 16; |
327 | 0 | buf[3] = uid->len >> 8; |
328 | 0 | buf[4] = uid->len; |
329 | 0 | } |
330 | 0 | gcry_md_write( md, buf, 5 ); |
331 | |
|
332 | 0 | if (uid->attrib_data) |
333 | 0 | gcry_md_write (md, uid->attrib_data, uid->attrib_len ); |
334 | 0 | else |
335 | 0 | gcry_md_write (md, uid->name, uid->len ); |
336 | 0 | } |
337 | | |
338 | | |
339 | | /* |
340 | | * Helper to hash some parts from the signature. EXTRAHASH gives the |
341 | | * extra data to be hashed into v5 signatures; it may by NULL for |
342 | | * detached signatures. |
343 | | */ |
344 | | static void |
345 | | hash_sigversion_to_magic (gcry_md_hd_t md, const PKT_signature *sig, |
346 | | pt_extra_hash_data_t extrahash) |
347 | 0 | { |
348 | 0 | byte buf[10]; |
349 | 0 | int i; |
350 | 0 | size_t n; |
351 | |
|
352 | 0 | gcry_md_putc (md, sig->version); |
353 | 0 | gcry_md_putc (md, sig->sig_class); |
354 | 0 | gcry_md_putc (md, sig->pubkey_algo); |
355 | 0 | gcry_md_putc (md, sig->digest_algo); |
356 | 0 | if (sig->hashed) |
357 | 0 | { |
358 | 0 | n = sig->hashed->len; |
359 | 0 | gcry_md_putc (md, (n >> 8) ); |
360 | 0 | gcry_md_putc (md, n ); |
361 | 0 | gcry_md_write (md, sig->hashed->data, n ); |
362 | 0 | n += 6; |
363 | 0 | } |
364 | 0 | else |
365 | 0 | { |
366 | 0 | gcry_md_putc (md, 0); /* Always hash the length of the subpacket. */ |
367 | 0 | gcry_md_putc (md, 0); |
368 | 0 | n = 6; |
369 | 0 | } |
370 | | /* Hash data from the literal data packet. */ |
371 | 0 | if (sig->version >= 5 && (sig->sig_class == 0x00 || sig->sig_class == 0x01)) |
372 | 0 | { |
373 | | /* - One octet content format |
374 | | * - File name (one octet length followed by the name) |
375 | | * - Four octet timestamp */ |
376 | 0 | if (extrahash) |
377 | 0 | { |
378 | 0 | buf[0] = extrahash->mode; |
379 | 0 | buf[1] = extrahash->namelen; |
380 | 0 | gcry_md_write (md, buf, 2); |
381 | 0 | if (extrahash->namelen) |
382 | 0 | gcry_md_write (md, extrahash->name, extrahash->namelen); |
383 | 0 | buf[0] = extrahash->timestamp >> 24; |
384 | 0 | buf[1] = extrahash->timestamp >> 16; |
385 | 0 | buf[2] = extrahash->timestamp >> 8; |
386 | 0 | buf[3] = extrahash->timestamp; |
387 | 0 | gcry_md_write (md, buf, 4); |
388 | 0 | } |
389 | 0 | else /* Detached signatures */ |
390 | 0 | { |
391 | 0 | memset (buf, 0, 6); |
392 | 0 | gcry_md_write (md, buf, 6); |
393 | 0 | } |
394 | 0 | } |
395 | | /* Add some magic aka known as postscript. The idea was to make it |
396 | | * impossible to make up a document with a v3 signature and then |
397 | | * turn this into a v4 signature for another document. The last |
398 | | * hashed 5 bytes of a v4 signature should never look like a the |
399 | | * last 5 bytes of a v3 signature. The length can be used to parse |
400 | | * from the end. */ |
401 | 0 | i = 0; |
402 | 0 | buf[i++] = sig->version; /* Hash convention version. */ |
403 | 0 | buf[i++] = 0xff; /* Not any sig type value. */ |
404 | 0 | if (sig->version >= 5) |
405 | 0 | { |
406 | | /* Note: We don't hashed any data larger than 2^32 and thus we |
407 | | * can always use 0 here. See also note below. */ |
408 | 0 | buf[i++] = 0; |
409 | 0 | buf[i++] = 0; |
410 | 0 | buf[i++] = 0; |
411 | 0 | buf[i++] = 0; |
412 | 0 | } |
413 | 0 | buf[i++] = n >> 24; /* (n is only 16 bit, so this is always 0) */ |
414 | 0 | buf[i++] = n >> 16; |
415 | 0 | buf[i++] = n >> 8; |
416 | 0 | buf[i++] = n; |
417 | 0 | gcry_md_write (md, buf, i); |
418 | 0 | } |
419 | | |
420 | | |
421 | | /* Perform the sign operation. If CACHE_NONCE is given the agent is |
422 | | * advised to use that cached passphrase for the key. SIGNHINTS has |
423 | | * hints so that we can do some additional checks. */ |
424 | | static int |
425 | | do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig, |
426 | | gcry_md_hd_t md, int mdalgo, |
427 | | const char *cache_nonce, unsigned int signhints) |
428 | 0 | { |
429 | 0 | gpg_error_t err; |
430 | 0 | byte *dp; |
431 | 0 | char *hexgrip; |
432 | | |
433 | | /* An ADSK key commonly has a creation date older than the primary |
434 | | * key. For example because the ADSK is used as an archive key for |
435 | | * a group of users. */ |
436 | 0 | if (pksk->timestamp > sig->timestamp && !(signhints & SIGNHINT_ADSK)) |
437 | 0 | { |
438 | 0 | ulong d = pksk->timestamp - sig->timestamp; |
439 | 0 | log_info (ngettext("key %s was created %lu second" |
440 | 0 | " in the future (time warp or clock problem)\n", |
441 | 0 | "key %s was created %lu seconds" |
442 | 0 | " in the future (time warp or clock problem)\n", |
443 | 0 | d), keystr_from_pk (pksk), d); |
444 | 0 | if (!opt.ignore_time_conflict) |
445 | 0 | return gpg_error (GPG_ERR_TIME_CONFLICT); |
446 | 0 | } |
447 | | |
448 | 0 | print_pubkey_algo_note (pksk->pubkey_algo); |
449 | |
|
450 | 0 | if (!mdalgo) |
451 | 0 | mdalgo = gcry_md_get_algo (md); |
452 | |
|
453 | 0 | if ((signhints & SIGNHINT_KEYSIG) && !(signhints & SIGNHINT_SELFSIG) |
454 | 0 | && mdalgo == GCRY_MD_SHA1 |
455 | 0 | && !opt.flags.allow_weak_key_signatures) |
456 | 0 | { |
457 | | /* We do not allow the creation of third-party key signatures |
458 | | * using SHA-1 because we also reject them when verifying. Note |
459 | | * that this will render dsa1024 keys unsuitable for such |
460 | | * keysigs and in turn the WoT. */ |
461 | 0 | print_sha1_keysig_rejected_note (); |
462 | 0 | err = gpg_error (GPG_ERR_DIGEST_ALGO); |
463 | 0 | goto leave; |
464 | 0 | } |
465 | | |
466 | | /* Check compliance but always allow for key revocations. */ |
467 | 0 | if (!IS_KEY_REV (sig) |
468 | 0 | && ! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo)) |
469 | 0 | { |
470 | 0 | log_error (_("digest algorithm '%s' may not be used in %s mode\n"), |
471 | 0 | gcry_md_algo_name (mdalgo), |
472 | 0 | gnupg_compliance_option_string (opt.compliance)); |
473 | 0 | err = gpg_error (GPG_ERR_DIGEST_ALGO); |
474 | 0 | goto leave; |
475 | 0 | } |
476 | | |
477 | 0 | if (!IS_KEY_REV (sig) |
478 | 0 | && ! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, |
479 | 0 | pksk->pubkey_algo, 0, |
480 | 0 | pksk->pkey, nbits_from_pk (pksk), NULL)) |
481 | 0 | { |
482 | 0 | log_error (_("key %s may not be used for signing in %s mode\n"), |
483 | 0 | keystr_from_pk (pksk), |
484 | 0 | gnupg_compliance_option_string (opt.compliance)); |
485 | 0 | err = gpg_error (GPG_ERR_PUBKEY_ALGO); |
486 | 0 | goto leave; |
487 | 0 | } |
488 | | |
489 | 0 | if (!gnupg_rng_is_compliant (opt.compliance)) |
490 | 0 | { |
491 | 0 | err = gpg_error (GPG_ERR_FORBIDDEN); |
492 | 0 | log_error (_("%s is not compliant with %s mode\n"), |
493 | 0 | "RNG", |
494 | 0 | gnupg_compliance_option_string (opt.compliance)); |
495 | 0 | write_status_error ("random-compliance", err); |
496 | 0 | goto leave; |
497 | 0 | } |
498 | | |
499 | 0 | print_digest_algo_note (mdalgo); |
500 | 0 | dp = gcry_md_read (md, mdalgo); |
501 | 0 | sig->digest_algo = mdalgo; |
502 | 0 | sig->digest_start[0] = dp[0]; |
503 | 0 | sig->digest_start[1] = dp[1]; |
504 | 0 | mpi_release (sig->data[0]); |
505 | 0 | sig->data[0] = NULL; |
506 | 0 | mpi_release (sig->data[1]); |
507 | 0 | sig->data[1] = NULL; |
508 | | |
509 | |
|
510 | 0 | err = hexkeygrip_from_pk (pksk, &hexgrip); |
511 | 0 | if (!err) |
512 | 0 | { |
513 | 0 | char *desc; |
514 | 0 | gcry_sexp_t s_sigval; |
515 | |
|
516 | 0 | desc = gpg_format_keydesc (ctrl, pksk, FORMAT_KEYDESC_NORMAL, 1); |
517 | | /* FIXME: Eventually support composite keys. */ |
518 | 0 | err = agent_pksign (NULL/*ctrl*/, cache_nonce, hexgrip, desc, |
519 | 0 | pksk->keyid, pksk->main_keyid, pksk->pubkey_algo, |
520 | 0 | dp, gcry_md_get_algo_dlen (mdalgo), mdalgo, |
521 | 0 | &s_sigval); |
522 | 0 | xfree (desc); |
523 | |
|
524 | 0 | if (err) |
525 | 0 | ; |
526 | 0 | else if (pksk->pubkey_algo == GCRY_PK_RSA |
527 | 0 | || pksk->pubkey_algo == GCRY_PK_RSA_S) |
528 | 0 | sig->data[0] = get_mpi_from_sexp (s_sigval, "s", GCRYMPI_FMT_USG); |
529 | 0 | else if (pksk->pubkey_algo == PUBKEY_ALGO_EDDSA |
530 | 0 | && openpgp_oid_is_ed25519 (pksk->pkey[0])) |
531 | 0 | { |
532 | 0 | err = sexp_extract_param_sos_nlz (s_sigval, "r", &sig->data[0]); |
533 | 0 | if (!err) |
534 | 0 | err = sexp_extract_param_sos_nlz (s_sigval, "s", &sig->data[1]); |
535 | 0 | } |
536 | 0 | else if (pksk->pubkey_algo == PUBKEY_ALGO_ECDSA |
537 | 0 | || pksk->pubkey_algo == PUBKEY_ALGO_EDDSA) |
538 | 0 | { |
539 | 0 | err = sexp_extract_param_sos (s_sigval, "r", &sig->data[0]); |
540 | 0 | if (!err) |
541 | 0 | err = sexp_extract_param_sos (s_sigval, "s", &sig->data[1]); |
542 | 0 | } |
543 | 0 | else |
544 | 0 | { |
545 | 0 | sig->data[0] = get_mpi_from_sexp (s_sigval, "r", GCRYMPI_FMT_USG); |
546 | 0 | sig->data[1] = get_mpi_from_sexp (s_sigval, "s", GCRYMPI_FMT_USG); |
547 | 0 | } |
548 | |
|
549 | 0 | gcry_sexp_release (s_sigval); |
550 | 0 | } |
551 | 0 | xfree (hexgrip); |
552 | |
|
553 | 0 | leave: |
554 | 0 | if (err) |
555 | 0 | log_error (_("signing failed: %s\n"), gpg_strerror (err)); |
556 | 0 | else |
557 | 0 | { |
558 | 0 | if (opt.verbose) |
559 | 0 | { |
560 | 0 | char *ustr = get_user_id_string_native (ctrl, sig->keyid); |
561 | 0 | log_info (_("%s/%s signature from: \"%s\"\n"), |
562 | 0 | openpgp_pk_algo_name (pksk->pubkey_algo), |
563 | 0 | openpgp_md_algo_name (sig->digest_algo), |
564 | 0 | ustr); |
565 | 0 | xfree (ustr); |
566 | 0 | } |
567 | 0 | } |
568 | 0 | return err; |
569 | 0 | } |
570 | | |
571 | | |
572 | | static int |
573 | | complete_sig (ctrl_t ctrl, |
574 | | PKT_signature *sig, PKT_public_key *pksk, gcry_md_hd_t md, |
575 | | const char *cache_nonce, unsigned int signhints) |
576 | 0 | { |
577 | 0 | int rc; |
578 | | |
579 | | /* if (!(rc = check_secret_key (pksk, 0))) */ |
580 | 0 | rc = do_sign (ctrl, pksk, sig, md, 0, cache_nonce, signhints); |
581 | 0 | return rc; |
582 | 0 | } |
583 | | |
584 | | |
585 | | /* Return true if the key seems to be on a version 1 OpenPGP card. |
586 | | This works by asking the agent and may fail if the card has not yet |
587 | | been used with the agent. */ |
588 | | static int |
589 | | openpgp_card_v1_p (PKT_public_key *pk) |
590 | 0 | { |
591 | 0 | gpg_error_t err; |
592 | 0 | int result; |
593 | | |
594 | | /* Shortcut if we are not using RSA: The v1 cards only support RSA |
595 | | thus there is no point in looking any further. */ |
596 | 0 | if (!is_RSA (pk->pubkey_algo)) |
597 | 0 | return 0; |
598 | | |
599 | 0 | if (!pk->flags.serialno_valid) |
600 | 0 | { |
601 | 0 | char *hexgrip; |
602 | | |
603 | | /* Note: No need to care about composite keys for non-RSA keys. */ |
604 | 0 | err = hexkeygrip_from_pk (pk, &hexgrip); |
605 | 0 | if (err) |
606 | 0 | { |
607 | 0 | log_error ("error computing a keygrip: %s\n", gpg_strerror (err)); |
608 | 0 | return 0; /* Ooops. */ |
609 | 0 | } |
610 | | |
611 | 0 | xfree (pk->serialno); |
612 | 0 | agent_get_keyinfo (NULL, hexgrip, &pk->serialno, NULL); |
613 | 0 | xfree (hexgrip); |
614 | 0 | pk->flags.serialno_valid = 1; |
615 | 0 | } |
616 | | |
617 | 0 | if (!pk->serialno) |
618 | 0 | result = 0; /* Error from a past agent_get_keyinfo or no card. */ |
619 | 0 | else |
620 | 0 | { |
621 | | /* The version number of the card is included in the serialno. */ |
622 | 0 | result = !strncmp (pk->serialno, "D2760001240101", 14); |
623 | 0 | } |
624 | 0 | return result; |
625 | 0 | } |
626 | | |
627 | | |
628 | | /* Get a matching hash algorithm for DSA and ECDSA. */ |
629 | | static int |
630 | | match_dsa_hash (unsigned int qbytes) |
631 | 0 | { |
632 | 0 | if (qbytes <= 20) |
633 | 0 | return DIGEST_ALGO_SHA1; |
634 | | |
635 | 0 | if (qbytes <= 28) |
636 | 0 | return DIGEST_ALGO_SHA224; |
637 | | |
638 | 0 | if (qbytes <= 32) |
639 | 0 | return DIGEST_ALGO_SHA256; |
640 | | |
641 | 0 | if (qbytes <= 48) |
642 | 0 | return DIGEST_ALGO_SHA384; |
643 | | |
644 | 0 | if (qbytes <= 66 ) /* 66 corresponds to 521 (64 to 512) */ |
645 | 0 | return DIGEST_ALGO_SHA512; |
646 | | |
647 | 0 | return DEFAULT_DIGEST_ALGO; |
648 | | /* DEFAULT_DIGEST_ALGO will certainly fail, but it's the best wrong |
649 | | answer we have if a digest larger than 512 bits is requested. */ |
650 | 0 | } |
651 | | |
652 | | |
653 | | /* |
654 | | First try --digest-algo. If that isn't set, see if the recipient |
655 | | has a preferred algorithm (which is also filtered through |
656 | | --personal-digest-prefs). If we're making a signature without a |
657 | | particular recipient (i.e. signing, rather than signing+encrypting) |
658 | | then take the first algorithm in --personal-digest-prefs that is |
659 | | usable for the pubkey algorithm. If --personal-digest-prefs isn't |
660 | | set, then take the OpenPGP default (i.e. SHA-1). |
661 | | |
662 | | Note that EdDSA takes an input of arbitrary length and thus |
663 | | we don't enforce any particular algorithm like we do for standard |
664 | | ECDSA. However, we use SHA256 as the default algorithm. |
665 | | |
666 | | Possible improvement: Use the highest-ranked usable algorithm from |
667 | | the signing key prefs either before or after using the personal |
668 | | list? |
669 | | */ |
670 | | static int |
671 | | hash_for (PKT_public_key *pk) |
672 | 0 | { |
673 | 0 | if (opt.def_digest_algo) |
674 | 0 | { |
675 | 0 | return opt.def_digest_algo; |
676 | 0 | } |
677 | 0 | else if (recipient_digest_algo && !is_weak_digest (recipient_digest_algo)) |
678 | 0 | { |
679 | 0 | return recipient_digest_algo; |
680 | 0 | } |
681 | 0 | else if (pk->pubkey_algo == PUBKEY_ALGO_EDDSA) |
682 | 0 | { |
683 | 0 | if (opt.personal_digest_prefs) |
684 | 0 | return opt.personal_digest_prefs[0].value; |
685 | 0 | else |
686 | 0 | if (gcry_mpi_get_nbits (pk->pkey[1]) > 256) |
687 | 0 | return DIGEST_ALGO_SHA512; |
688 | 0 | else |
689 | 0 | return DIGEST_ALGO_SHA256; |
690 | 0 | } |
691 | 0 | else if (pk->pubkey_algo == PUBKEY_ALGO_DSA |
692 | 0 | || pk->pubkey_algo == PUBKEY_ALGO_ECDSA) |
693 | 0 | { |
694 | 0 | unsigned int qbytes = gcry_mpi_get_nbits (pk->pkey[1]); |
695 | |
|
696 | 0 | if (pk->pubkey_algo == PUBKEY_ALGO_ECDSA) |
697 | 0 | qbytes = ecdsa_qbits_from_Q (qbytes); |
698 | 0 | qbytes = qbytes/8; |
699 | | |
700 | | /* It's a DSA key, so find a hash that is the same size as q or |
701 | | larger. If q is 160, assume it is an old DSA key and use a |
702 | | 160-bit hash unless --enable-dsa2 is set, in which case act |
703 | | like a new DSA key that just happens to have a 160-bit q |
704 | | (i.e. allow truncation). If q is not 160, by definition it |
705 | | must be a new DSA key. We ignore the personal_digest_prefs |
706 | | for ECDSA because they should always match the curve and |
707 | | truncated hashes are not useful either. Even worse, |
708 | | smartcards may reject non matching hash lengths for curves |
709 | | (e.g. using SHA-512 with brainpooolP385r1 on a Yubikey). */ |
710 | |
|
711 | 0 | if (pk->pubkey_algo == PUBKEY_ALGO_DSA && opt.personal_digest_prefs) |
712 | 0 | { |
713 | 0 | prefitem_t *prefs; |
714 | |
|
715 | 0 | if (qbytes != 20 || opt.flags.dsa2) |
716 | 0 | { |
717 | 0 | for (prefs=opt.personal_digest_prefs; prefs->type; prefs++) |
718 | 0 | if (gcry_md_get_algo_dlen (prefs->value) >= qbytes) |
719 | 0 | return prefs->value; |
720 | 0 | } |
721 | 0 | else |
722 | 0 | { |
723 | 0 | for (prefs=opt.personal_digest_prefs; prefs->type; prefs++) |
724 | 0 | if (gcry_md_get_algo_dlen (prefs->value) == qbytes) |
725 | 0 | return prefs->value; |
726 | 0 | } |
727 | 0 | } |
728 | | |
729 | 0 | return match_dsa_hash(qbytes); |
730 | 0 | } |
731 | 0 | else if (openpgp_card_v1_p (pk)) |
732 | 0 | { |
733 | | /* The sk lives on a smartcard, and old smartcards only handle |
734 | | SHA-1 and RIPEMD/160. Newer smartcards (v2.0) don't have |
735 | | this restriction anymore. Fortunately the serial number |
736 | | encodes the version of the card and thus we know that this |
737 | | key is on a v1 card. */ |
738 | 0 | if(opt.personal_digest_prefs) |
739 | 0 | { |
740 | 0 | prefitem_t *prefs; |
741 | |
|
742 | 0 | for (prefs=opt.personal_digest_prefs;prefs->type;prefs++) |
743 | 0 | if (prefs->value==DIGEST_ALGO_SHA1 |
744 | 0 | || prefs->value==DIGEST_ALGO_RMD160) |
745 | 0 | return prefs->value; |
746 | 0 | } |
747 | | |
748 | 0 | return DIGEST_ALGO_SHA1; |
749 | 0 | } |
750 | 0 | else if (opt.personal_digest_prefs) |
751 | 0 | { |
752 | | /* It's not DSA, so we can use whatever the first hash algorithm |
753 | | is in the pref list */ |
754 | 0 | return opt.personal_digest_prefs[0].value; |
755 | 0 | } |
756 | 0 | else |
757 | 0 | return DEFAULT_DIGEST_ALGO; |
758 | 0 | } |
759 | | |
760 | | |
761 | | static void |
762 | | print_status_sig_created (PKT_public_key *pk, PKT_signature *sig, int what) |
763 | 0 | { |
764 | 0 | byte array[MAX_FINGERPRINT_LEN]; |
765 | 0 | char buf[100+MAX_FINGERPRINT_LEN*2]; |
766 | 0 | size_t n; |
767 | |
|
768 | 0 | snprintf (buf, sizeof buf - 2*MAX_FINGERPRINT_LEN, "%c %d %d %02x %lu ", |
769 | 0 | what, sig->pubkey_algo, sig->digest_algo, sig->sig_class, |
770 | 0 | (ulong)sig->timestamp ); |
771 | 0 | fingerprint_from_pk (pk, array, &n); |
772 | 0 | bin2hex (array, n, buf + strlen (buf)); |
773 | |
|
774 | 0 | write_status_text( STATUS_SIG_CREATED, buf ); |
775 | 0 | } |
776 | | |
777 | | |
778 | | /* |
779 | | * Loop over the secret certificates in SK_LIST and build the one pass |
780 | | * signature packets. OpenPGP says that the data should be bracket by |
781 | | * the onepass-sig and signature-packet; so we build these onepass |
782 | | * packet here in reverse order. |
783 | | */ |
784 | | static int |
785 | | write_onepass_sig_packets (SK_LIST sk_list, IOBUF out, int sigclass ) |
786 | 0 | { |
787 | 0 | int skcount; |
788 | 0 | SK_LIST sk_rover; |
789 | |
|
790 | 0 | for (skcount=0, sk_rover=sk_list; sk_rover; sk_rover = sk_rover->next) |
791 | 0 | skcount++; |
792 | |
|
793 | 0 | for (; skcount; skcount--) |
794 | 0 | { |
795 | 0 | PKT_public_key *pk; |
796 | 0 | PKT_onepass_sig *ops; |
797 | 0 | PACKET pkt; |
798 | 0 | int i, rc; |
799 | |
|
800 | 0 | for (i=0, sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) |
801 | 0 | if (++i == skcount) |
802 | 0 | break; |
803 | |
|
804 | 0 | pk = sk_rover->pk; |
805 | 0 | ops = xmalloc_clear (sizeof *ops); |
806 | 0 | ops->sig_class = sigclass; |
807 | 0 | ops->digest_algo = hash_for (pk); |
808 | 0 | ops->pubkey_algo = pk->pubkey_algo; |
809 | 0 | keyid_from_pk (pk, ops->keyid); |
810 | 0 | ops->last = (skcount == 1); |
811 | |
|
812 | 0 | init_packet (&pkt); |
813 | 0 | pkt.pkttype = PKT_ONEPASS_SIG; |
814 | 0 | pkt.pkt.onepass_sig = ops; |
815 | 0 | rc = build_packet (out, &pkt); |
816 | 0 | free_packet (&pkt, NULL); |
817 | 0 | if (rc) |
818 | 0 | { |
819 | 0 | log_error ("build onepass_sig packet failed: %s\n", |
820 | 0 | gpg_strerror (rc)); |
821 | 0 | return rc; |
822 | 0 | } |
823 | 0 | } |
824 | | |
825 | 0 | return 0; |
826 | 0 | } |
827 | | |
828 | | |
829 | | /* |
830 | | * Helper to write the plaintext (literal data) packet. At |
831 | | * R_EXTRAHASH a malloced object with the extra data hashed |
832 | | * into v5 signatures is stored. |
833 | | */ |
834 | | static int |
835 | | write_plaintext_packet (iobuf_t out, iobuf_t inp, |
836 | | const char *fname, int ptmode, |
837 | | pt_extra_hash_data_t *r_extrahash) |
838 | 0 | { |
839 | 0 | PKT_plaintext *pt = NULL; |
840 | 0 | u32 filesize; |
841 | 0 | int rc = 0; |
842 | |
|
843 | 0 | if (!opt.no_literal) |
844 | 0 | pt = setup_plaintext_name (fname, inp); |
845 | | |
846 | | /* Try to calculate the length of the data. */ |
847 | 0 | if ( !iobuf_is_pipe_filename (fname) && *fname) |
848 | 0 | { |
849 | 0 | uint64_t tmpsize; |
850 | |
|
851 | 0 | tmpsize = iobuf_get_filelength (inp); |
852 | 0 | if (!tmpsize && opt.verbose) |
853 | 0 | log_info (_("WARNING: '%s' is an empty file\n"), fname); |
854 | | |
855 | | /* We can't encode the length of very large files because |
856 | | * OpenPGP uses only 32 bit for file sizes. So if the size of a |
857 | | * file is larger than 2^32 minus some bytes for packet headers, |
858 | | * we switch to partial length encoding. */ |
859 | 0 | if (tmpsize < (IOBUF_FILELENGTH_LIMIT - 65536)) |
860 | 0 | filesize = tmpsize; |
861 | 0 | else |
862 | 0 | filesize = 0; |
863 | | |
864 | | /* Because the text_filter modifies the length of the |
865 | | * data, it is not possible to know the used length |
866 | | * without a double read of the file - to avoid that |
867 | | * we simple use partial length packets. */ |
868 | 0 | if (ptmode == 't' || ptmode == 'u' || ptmode == 'm') |
869 | 0 | filesize = 0; |
870 | 0 | } |
871 | 0 | else |
872 | 0 | filesize = opt.set_filesize? opt.set_filesize : 0; /* stdin */ |
873 | |
|
874 | 0 | if (!opt.no_literal) |
875 | 0 | { |
876 | 0 | PACKET pkt; |
877 | | |
878 | | /* Note that PT has been initialized above in no_literal mode. */ |
879 | 0 | pt->timestamp = make_timestamp (); |
880 | 0 | pt->mode = ptmode; |
881 | 0 | pt->len = filesize; |
882 | 0 | pt->new_ctb = !pt->len; |
883 | 0 | pt->buf = inp; |
884 | 0 | init_packet (&pkt); |
885 | 0 | pkt.pkttype = PKT_PLAINTEXT; |
886 | 0 | pkt.pkt.plaintext = pt; |
887 | | /*cfx.datalen = filesize? calc_packet_length( &pkt ) : 0;*/ |
888 | 0 | if ((rc = build_packet (out, &pkt))) |
889 | 0 | log_error ("build_packet(PLAINTEXT) failed: %s\n", |
890 | 0 | gpg_strerror (rc) ); |
891 | |
|
892 | 0 | *r_extrahash = xtrymalloc (sizeof **r_extrahash + pt->namelen); |
893 | 0 | if (!*r_extrahash) |
894 | 0 | rc = gpg_error_from_syserror (); |
895 | 0 | else |
896 | 0 | { |
897 | 0 | (*r_extrahash)->mode = pt->mode; |
898 | 0 | (*r_extrahash)->timestamp = pt->timestamp; |
899 | 0 | (*r_extrahash)->namelen = pt->namelen; |
900 | | /* Note that the last byte of NAME won't be initialized |
901 | | * because we don't need it. */ |
902 | 0 | memcpy ((*r_extrahash)->name, pt->name, pt->namelen); |
903 | 0 | } |
904 | 0 | pt->buf = NULL; |
905 | 0 | free_packet (&pkt, NULL); |
906 | 0 | } |
907 | 0 | else |
908 | 0 | { |
909 | 0 | byte copy_buffer[4096]; |
910 | 0 | int bytes_copied; |
911 | |
|
912 | 0 | *r_extrahash = xtrymalloc (sizeof **r_extrahash); |
913 | 0 | if (!*r_extrahash) |
914 | 0 | { |
915 | 0 | rc = gpg_error_from_syserror (); |
916 | 0 | goto leave; |
917 | 0 | } |
918 | | /* FIXME: We need to parse INP to get the to be hashed data from |
919 | | * it. */ |
920 | 0 | (*r_extrahash)->mode = 0; |
921 | 0 | (*r_extrahash)->timestamp = 0; |
922 | 0 | (*r_extrahash)->namelen = 0; |
923 | |
|
924 | 0 | while ((bytes_copied = iobuf_read (inp, copy_buffer, 4096)) != -1) |
925 | 0 | if ((rc = iobuf_write (out, copy_buffer, bytes_copied))) |
926 | 0 | { |
927 | 0 | log_error ("copying input to output failed: %s\n", |
928 | 0 | gpg_strerror (rc)); |
929 | 0 | break; |
930 | 0 | } |
931 | 0 | wipememory (copy_buffer, 4096); /* burn buffer */ |
932 | 0 | } |
933 | | |
934 | 0 | leave: |
935 | 0 | return rc; |
936 | 0 | } |
937 | | |
938 | | |
939 | | /* |
940 | | * Write the signatures from the SK_LIST to OUT. HASH must be a |
941 | | * non-finalized hash which will not be changes here. EXTRAHASH is |
942 | | * either NULL or the extra data to be hashed into v5 signatures. |
943 | | */ |
944 | | static int |
945 | | write_signature_packets (ctrl_t ctrl, |
946 | | SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash, |
947 | | pt_extra_hash_data_t extrahash, |
948 | | int sigclass, u32 timestamp, u32 duration, |
949 | | int status_letter, const char *cache_nonce) |
950 | 0 | { |
951 | 0 | SK_LIST sk_rover; |
952 | 0 | int with_manu; |
953 | | |
954 | | /* Loop over the certificates with secret keys. */ |
955 | 0 | for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) |
956 | 0 | { |
957 | 0 | PKT_public_key *pk; |
958 | 0 | PKT_signature *sig; |
959 | 0 | gcry_md_hd_t md; |
960 | 0 | gpg_error_t err; |
961 | |
|
962 | 0 | pk = sk_rover->pk; |
963 | | |
964 | | /* Build the signature packet. */ |
965 | 0 | sig = xtrycalloc (1, sizeof *sig); |
966 | 0 | if (!sig) |
967 | 0 | return gpg_error_from_syserror (); |
968 | | |
969 | 0 | if (pk->version >= 5) |
970 | 0 | sig->version = 5; /* Required for v5 keys. */ |
971 | 0 | else |
972 | 0 | sig->version = 4; /* Required. */ |
973 | |
|
974 | 0 | keyid_from_pk (pk, sig->keyid); |
975 | 0 | sig->digest_algo = hash_for (pk); |
976 | 0 | sig->pubkey_algo = pk->pubkey_algo; |
977 | 0 | if (timestamp) |
978 | 0 | sig->timestamp = timestamp; |
979 | 0 | else |
980 | 0 | sig->timestamp = make_timestamp(); |
981 | 0 | if (duration) |
982 | 0 | sig->expiredate = sig->timestamp + duration; |
983 | 0 | sig->sig_class = sigclass; |
984 | |
|
985 | 0 | if (gcry_md_copy (&md, hash)) |
986 | 0 | BUG (); |
987 | | |
988 | 0 | build_sig_subpkt_from_sig (sig, pk, 0); |
989 | |
|
990 | 0 | if (opt.compliance == CO_DE_VS |
991 | 0 | && gnupg_rng_is_compliant (CO_DE_VS)) |
992 | 0 | with_manu = 23; /* FIXME: Also check that the algos are compliant?*/ |
993 | 0 | else if (!(opt.compat_flags & COMPAT_NO_MANU)) |
994 | 0 | with_manu = 1; |
995 | 0 | else |
996 | 0 | with_manu = 0; |
997 | |
|
998 | 0 | mk_notation_policy_etc (ctrl, sig, NULL, pk, with_manu); |
999 | 0 | if (opt.flags.include_key_block && IS_SIG (sig)) |
1000 | 0 | err = mk_sig_subpkt_key_block (ctrl, sig, pk); |
1001 | 0 | else |
1002 | 0 | err = 0; |
1003 | 0 | hash_sigversion_to_magic (md, sig, extrahash); |
1004 | 0 | gcry_md_final (md); |
1005 | |
|
1006 | 0 | if (!err) |
1007 | 0 | err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0); |
1008 | 0 | gcry_md_close (md); |
1009 | 0 | if (!err) |
1010 | 0 | { |
1011 | | /* Write the packet. */ |
1012 | 0 | PACKET pkt; |
1013 | |
|
1014 | 0 | init_packet (&pkt); |
1015 | 0 | pkt.pkttype = PKT_SIGNATURE; |
1016 | 0 | pkt.pkt.signature = sig; |
1017 | 0 | err = build_packet (out, &pkt); |
1018 | 0 | if (!err && is_status_enabled()) |
1019 | 0 | print_status_sig_created (pk, sig, status_letter); |
1020 | 0 | free_packet (&pkt, NULL); |
1021 | 0 | if (err) |
1022 | 0 | log_error ("build signature packet failed: %s\n", |
1023 | 0 | gpg_strerror (err)); |
1024 | 0 | } |
1025 | 0 | else |
1026 | 0 | free_seckey_enc (sig); |
1027 | |
|
1028 | 0 | if (err) |
1029 | 0 | return err; |
1030 | 0 | } |
1031 | | |
1032 | 0 | return 0; |
1033 | 0 | } |
1034 | | |
1035 | | |
1036 | | /* |
1037 | | * Sign the files whose names are in FILENAME using all secret keys |
1038 | | * which can be taken from LOCUSR, if this is NULL, use the default |
1039 | | * secret key. |
1040 | | * If DETACHED has the value true, make a detached signature. |
1041 | | * If ENCRYPTFLAG is true, use REMUSER (or ask if it is NULL) to encrypt the |
1042 | | * signed data for these users. If ENCRYPTFLAG is 2 symmetric encryption |
1043 | | * is also used. |
1044 | | * If FILENAMES->d is NULL read from stdin and ignore the detached mode. |
1045 | | * If OUTFILE is not NULL; this file is used for output and the function |
1046 | | * does not ask for overwrite permission; output is then always |
1047 | | * uncompressed, non-armored and in binary mode. |
1048 | | */ |
1049 | | int |
1050 | | sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, |
1051 | | int encryptflag, strlist_t remusr, const char *outfile ) |
1052 | 0 | { |
1053 | 0 | const char *fname; |
1054 | 0 | armor_filter_context_t *afx; |
1055 | 0 | compress_filter_context_t zfx; |
1056 | 0 | gcry_md_hd_t md = NULL; |
1057 | 0 | md_filter_context_t mfx; |
1058 | 0 | md_thd_filter_context_t mfx2 = NULL; |
1059 | 0 | text_filter_context_t tfx; |
1060 | 0 | progress_filter_context_t *pfx; |
1061 | 0 | encrypt_filter_context_t efx; |
1062 | 0 | iobuf_t inp = NULL; |
1063 | 0 | iobuf_t out = NULL; |
1064 | 0 | PACKET pkt; |
1065 | 0 | int rc = 0; |
1066 | 0 | PK_LIST pk_list = NULL; |
1067 | 0 | SK_LIST sk_list = NULL; |
1068 | 0 | SK_LIST sk_rover = NULL; |
1069 | 0 | int multifile = 0; |
1070 | 0 | u32 duration=0; |
1071 | 0 | pt_extra_hash_data_t extrahash = NULL; |
1072 | |
|
1073 | 0 | pfx = new_progress_context (); |
1074 | 0 | afx = new_armor_context (); |
1075 | 0 | memset (&zfx, 0, sizeof zfx); |
1076 | 0 | memset (&mfx, 0, sizeof mfx); |
1077 | 0 | memset (&efx, 0, sizeof efx); |
1078 | 0 | efx.ctrl = ctrl; |
1079 | 0 | init_packet (&pkt); |
1080 | |
|
1081 | 0 | if (filenames) |
1082 | 0 | { |
1083 | 0 | fname = filenames->d; |
1084 | 0 | multifile = !!filenames->next; |
1085 | 0 | } |
1086 | 0 | else |
1087 | 0 | fname = NULL; |
1088 | |
|
1089 | 0 | if (fname && filenames->next && (!detached || encryptflag)) |
1090 | 0 | log_bug ("multiple files can only be detached signed"); |
1091 | | |
1092 | 0 | if (encryptflag == 2 |
1093 | 0 | && (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek))) |
1094 | 0 | goto leave; |
1095 | | |
1096 | 0 | if (opt.ask_sig_expire && !opt.batch) |
1097 | 0 | duration = ask_expire_interval(1,opt.def_sig_expire); |
1098 | 0 | else |
1099 | 0 | duration = parse_expire_string(opt.def_sig_expire); |
1100 | | |
1101 | | /* Note: In the old non-agent version the following call used to |
1102 | | * unprotect the secret key. This is now done on demand by the agent. */ |
1103 | 0 | if ((rc = build_sk_list (ctrl, locusr, &sk_list, PUBKEY_USAGE_SIG ))) |
1104 | 0 | goto leave; |
1105 | | |
1106 | 0 | if (encryptflag |
1107 | 0 | && (rc = build_pk_list (ctrl, remusr, &pk_list))) |
1108 | 0 | goto leave; |
1109 | | |
1110 | | /* Prepare iobufs. */ |
1111 | 0 | if (multifile) /* have list of filenames */ |
1112 | 0 | inp = NULL; /* we do it later */ |
1113 | 0 | else |
1114 | 0 | { |
1115 | 0 | inp = iobuf_open(fname); |
1116 | 0 | if (inp && is_secured_file (iobuf_get_fd (inp))) |
1117 | 0 | { |
1118 | 0 | iobuf_close (inp); |
1119 | 0 | inp = NULL; |
1120 | 0 | gpg_err_set_errno (EPERM); |
1121 | 0 | } |
1122 | 0 | if (!inp) |
1123 | 0 | { |
1124 | 0 | rc = gpg_error_from_syserror (); |
1125 | 0 | log_error (_("can't open '%s': %s\n"), fname? fname: "[stdin]", |
1126 | 0 | strerror (errno)); |
1127 | 0 | goto leave; |
1128 | 0 | } |
1129 | | |
1130 | 0 | handle_progress (pfx, inp, fname); |
1131 | 0 | } |
1132 | | |
1133 | 0 | if (outfile) |
1134 | 0 | { |
1135 | 0 | if (is_secured_filename (outfile)) |
1136 | 0 | { |
1137 | 0 | out = NULL; |
1138 | 0 | gpg_err_set_errno (EPERM); |
1139 | 0 | } |
1140 | 0 | else |
1141 | 0 | out = iobuf_create (outfile, 0); |
1142 | 0 | if (!out) |
1143 | 0 | { |
1144 | 0 | rc = gpg_error_from_syserror (); |
1145 | 0 | log_error (_("can't create '%s': %s\n"), outfile, gpg_strerror (rc)); |
1146 | 0 | goto leave; |
1147 | 0 | } |
1148 | 0 | else if (opt.verbose) |
1149 | 0 | log_info (_("writing to '%s'\n"), outfile); |
1150 | 0 | } |
1151 | 0 | else if ((rc = open_outfile (GNUPG_INVALID_FD, fname, |
1152 | 0 | opt.armor? 1 : detached? 2 : 0, 0, &out))) |
1153 | 0 | { |
1154 | 0 | goto leave; |
1155 | 0 | } |
1156 | | |
1157 | | /* Prepare to calculate the MD over the input. */ |
1158 | 0 | if (opt.textmode && !outfile && !multifile) |
1159 | 0 | { |
1160 | 0 | memset (&tfx, 0, sizeof tfx); |
1161 | 0 | iobuf_push_filter (inp, text_filter, &tfx); |
1162 | 0 | } |
1163 | |
|
1164 | 0 | if (gcry_md_open (&md, 0, 0)) |
1165 | 0 | BUG (); |
1166 | 0 | if (DBG_HASHING) |
1167 | 0 | gcry_md_debug (md, "sign"); |
1168 | | |
1169 | | /* If we're encrypting and signing, it is reasonable to pick the |
1170 | | * hash algorithm to use out of the recipient key prefs. This is |
1171 | | * best effort only, as in a DSA2 and smartcard world there are |
1172 | | * cases where we cannot please everyone with a single hash (DSA2 |
1173 | | * wants >160 and smartcards want =160). In the future this could |
1174 | | * be more complex with different hashes for each sk, but the |
1175 | | * current design requires a single hash for all SKs. */ |
1176 | 0 | if (pk_list) |
1177 | 0 | { |
1178 | 0 | if (opt.def_digest_algo) |
1179 | 0 | { |
1180 | 0 | if (!opt.expert |
1181 | 0 | && select_algo_from_prefs (pk_list,PREFTYPE_HASH, |
1182 | 0 | opt.def_digest_algo, |
1183 | 0 | NULL) != opt.def_digest_algo) |
1184 | 0 | { |
1185 | 0 | log_info (_("WARNING: forcing digest algorithm %s (%d)" |
1186 | 0 | " violates recipient preferences\n"), |
1187 | 0 | gcry_md_algo_name (opt.def_digest_algo), |
1188 | 0 | opt.def_digest_algo); |
1189 | 0 | } |
1190 | 0 | } |
1191 | 0 | else |
1192 | 0 | { |
1193 | 0 | int algo; |
1194 | 0 | int conflict = 0; |
1195 | 0 | struct pref_hint hint = { 0 }; |
1196 | |
|
1197 | 0 | hint.digest_length = 0; |
1198 | | |
1199 | | /* Of course, if the recipient asks for something |
1200 | | * unreasonable (like the wrong hash for a DSA key) then |
1201 | | * don't do it. Check all sk's - if any are DSA or live |
1202 | | * on a smartcard, then the hash has restrictions and we |
1203 | | * may not be able to give the recipient what they want. |
1204 | | * For DSA, pass a hint for the largest q we have. Note |
1205 | | * that this means that a q>160 key will override a q=160 |
1206 | | * key and force the use of truncation for the q=160 key. |
1207 | | * The alternative would be to ignore the recipient prefs |
1208 | | * completely and get a different hash for each DSA key in |
1209 | | * hash_for(). The override behavior here is more or less |
1210 | | * reasonable as it is under the control of the user which |
1211 | | * keys they sign with for a given message and the fact |
1212 | | * that the message with multiple signatures won't be |
1213 | | * usable on an implementation that doesn't understand |
1214 | | * DSA2 anyway. */ |
1215 | 0 | for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next ) |
1216 | 0 | { |
1217 | 0 | if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_DSA |
1218 | 0 | || sk_rover->pk->pubkey_algo == PUBKEY_ALGO_ECDSA) |
1219 | 0 | { |
1220 | 0 | int temp_hashlen = gcry_mpi_get_nbits (sk_rover->pk->pkey[1]); |
1221 | |
|
1222 | 0 | if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_ECDSA) |
1223 | 0 | { |
1224 | 0 | temp_hashlen = ecdsa_qbits_from_Q (temp_hashlen); |
1225 | 0 | if (!temp_hashlen) |
1226 | 0 | conflict = 1; /* Better don't use the prefs. */ |
1227 | 0 | temp_hashlen = (temp_hashlen+7)/8; |
1228 | | /* Fixup for that funny nistp521 (yes, 521) were |
1229 | | * we need to use a 512 bit hash algo. */ |
1230 | 0 | if (temp_hashlen == 66) |
1231 | 0 | temp_hashlen = 64; |
1232 | 0 | } |
1233 | 0 | else |
1234 | 0 | temp_hashlen = (temp_hashlen+7)/8; |
1235 | | |
1236 | | /* Pick a hash that is large enough for our largest |
1237 | | * Q or matches our Q. If there are several of them |
1238 | | * we run into a conflict and don't use the |
1239 | | * preferences. */ |
1240 | 0 | if (hint.digest_length < temp_hashlen) |
1241 | 0 | { |
1242 | 0 | if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_ECDSA) |
1243 | 0 | { |
1244 | 0 | if (hint.exact) |
1245 | 0 | conflict = 1; |
1246 | 0 | hint.exact = 1; |
1247 | 0 | } |
1248 | 0 | hint.digest_length = temp_hashlen; |
1249 | 0 | } |
1250 | 0 | } |
1251 | 0 | } |
1252 | |
|
1253 | 0 | if (!conflict |
1254 | 0 | && (algo = select_algo_from_prefs (pk_list, PREFTYPE_HASH, |
1255 | 0 | -1, &hint)) > 0) |
1256 | 0 | { |
1257 | | /* Note that we later check that the algo is not weak. */ |
1258 | 0 | recipient_digest_algo = algo; |
1259 | 0 | } |
1260 | 0 | } |
1261 | 0 | } |
1262 | |
|
1263 | 0 | for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) |
1264 | 0 | gcry_md_enable (md, hash_for (sk_rover->pk)); |
1265 | |
|
1266 | 0 | if (!multifile) |
1267 | 0 | { |
1268 | 0 | if (encryptflag && (opt.compat_flags & COMPAT_PARALLELIZED)) |
1269 | 0 | { |
1270 | 0 | iobuf_push_filter (inp, md_thd_filter, &mfx2); |
1271 | 0 | md_thd_filter_set_md (mfx2, md); |
1272 | 0 | } |
1273 | 0 | else |
1274 | 0 | { |
1275 | 0 | iobuf_push_filter (inp, md_filter, &mfx); |
1276 | 0 | mfx.md = md; |
1277 | 0 | } |
1278 | 0 | } |
1279 | |
|
1280 | 0 | if (detached && !encryptflag) |
1281 | 0 | afx->what = 2; |
1282 | |
|
1283 | 0 | if (opt.armor && !outfile) |
1284 | 0 | push_armor_filter (afx, out); |
1285 | |
|
1286 | 0 | if (encryptflag) |
1287 | 0 | { |
1288 | 0 | efx.pk_list = pk_list; |
1289 | | /* fixme: set efx.cfx.datalen if known */ |
1290 | 0 | iobuf_push_filter (out, encrypt_filter, &efx); |
1291 | 0 | } |
1292 | |
|
1293 | 0 | if (opt.compress_algo && !outfile && !detached) |
1294 | 0 | { |
1295 | 0 | int compr_algo = opt.compress_algo; |
1296 | |
|
1297 | 0 | if (!opt.explicit_compress_option |
1298 | 0 | && is_file_compressed (inp)) |
1299 | 0 | { |
1300 | 0 | if (opt.verbose) |
1301 | 0 | log_info(_("'%s' already compressed\n"), fname? fname: "[stdin]"); |
1302 | 0 | compr_algo = 0; |
1303 | 0 | } |
1304 | 0 | else if (compr_algo==-1) |
1305 | 0 | { |
1306 | | /* If we're not encrypting, then select_algo_from_prefs |
1307 | | * will fail and we'll end up with the default. If we are |
1308 | | * encrypting, select_algo_from_prefs cannot fail since |
1309 | | * there is an assumed preference for uncompressed data. |
1310 | | * Still, if it did fail, we'll also end up with the |
1311 | | * default. */ |
1312 | 0 | if ((compr_algo = select_algo_from_prefs (pk_list, PREFTYPE_ZIP, |
1313 | 0 | -1, NULL)) == -1) |
1314 | 0 | { |
1315 | 0 | compr_algo = default_compress_algo(); |
1316 | 0 | } |
1317 | 0 | } |
1318 | 0 | else if (!opt.expert && pk_list |
1319 | 0 | && select_algo_from_prefs (pk_list, PREFTYPE_ZIP, |
1320 | 0 | compr_algo, NULL) != compr_algo) |
1321 | 0 | { |
1322 | 0 | log_info (_("WARNING: forcing compression algorithm %s (%d)" |
1323 | 0 | " violates recipient preferences\n"), |
1324 | 0 | compress_algo_to_string (compr_algo), compr_algo); |
1325 | 0 | } |
1326 | | |
1327 | | /* Algo 0 means no compression. */ |
1328 | 0 | if (compr_algo) |
1329 | 0 | push_compress_filter (out, &zfx, compr_algo); |
1330 | 0 | } |
1331 | | |
1332 | | /* Write the one-pass signature packets if needed */ |
1333 | 0 | if (!detached) |
1334 | 0 | { |
1335 | 0 | rc = write_onepass_sig_packets (sk_list, out, |
1336 | 0 | opt.textmode && !outfile ? 0x01:0x00); |
1337 | 0 | if (rc) |
1338 | 0 | goto leave; |
1339 | 0 | } |
1340 | | |
1341 | 0 | write_status_begin_signing (md); |
1342 | | |
1343 | | /* Setup the inner packet. */ |
1344 | 0 | if (detached) |
1345 | 0 | { |
1346 | 0 | size_t iobuf_size = iobuf_set_buffer_size(0) * 1024; |
1347 | |
|
1348 | 0 | if (multifile) |
1349 | 0 | { |
1350 | 0 | strlist_t sl; |
1351 | |
|
1352 | 0 | if (opt.verbose) |
1353 | 0 | log_info (_("signing:") ); |
1354 | | /* Must walk reverse through this list. */ |
1355 | 0 | for (sl = strlist_last(filenames); |
1356 | 0 | sl; |
1357 | 0 | sl = strlist_prev( filenames, sl)) |
1358 | 0 | { |
1359 | 0 | inp = iobuf_open (sl->d); |
1360 | 0 | if (inp && is_secured_file (iobuf_get_fd (inp))) |
1361 | 0 | { |
1362 | 0 | iobuf_close (inp); |
1363 | 0 | inp = NULL; |
1364 | 0 | gpg_err_set_errno (EPERM); |
1365 | 0 | } |
1366 | 0 | if (!inp) |
1367 | 0 | { |
1368 | 0 | rc = gpg_error_from_syserror (); |
1369 | 0 | log_error (_("can't open '%s': %s\n"), |
1370 | 0 | sl->d, gpg_strerror (rc)); |
1371 | 0 | goto leave; |
1372 | 0 | } |
1373 | 0 | handle_progress (pfx, inp, sl->d); |
1374 | 0 | if (opt.verbose) |
1375 | 0 | log_printf (" '%s'", sl->d ); |
1376 | 0 | if (opt.textmode) |
1377 | 0 | { |
1378 | 0 | memset (&tfx, 0, sizeof tfx); |
1379 | 0 | iobuf_push_filter (inp, text_filter, &tfx); |
1380 | 0 | } |
1381 | 0 | if (encryptflag && (opt.compat_flags & COMPAT_PARALLELIZED)) |
1382 | 0 | { |
1383 | 0 | iobuf_push_filter (inp, md_thd_filter, &mfx2); |
1384 | 0 | md_thd_filter_set_md (mfx2, md); |
1385 | 0 | } |
1386 | 0 | else |
1387 | 0 | { |
1388 | 0 | iobuf_push_filter (inp, md_filter, &mfx); |
1389 | 0 | mfx.md = md; |
1390 | 0 | } |
1391 | 0 | while (iobuf_read (inp, NULL, iobuf_size) != -1) |
1392 | 0 | ; |
1393 | 0 | iobuf_close (inp); |
1394 | 0 | inp = NULL; |
1395 | 0 | } |
1396 | 0 | if (opt.verbose) |
1397 | 0 | log_printf ("\n"); |
1398 | 0 | } |
1399 | 0 | else |
1400 | 0 | { |
1401 | | /* Read, so that the filter can calculate the digest. */ |
1402 | 0 | while (iobuf_read (inp, NULL, iobuf_size) != -1) |
1403 | 0 | ; |
1404 | 0 | } |
1405 | 0 | } |
1406 | 0 | else |
1407 | 0 | { |
1408 | 0 | rc = write_plaintext_packet (out, inp, fname, |
1409 | 0 | (opt.textmode && !outfile) ? |
1410 | 0 | (opt.mimemode? 'm' : 't') : 'b', |
1411 | 0 | &extrahash); |
1412 | 0 | } |
1413 | | |
1414 | | /* Catch errors from above. */ |
1415 | 0 | if (rc) |
1416 | 0 | goto leave; |
1417 | | |
1418 | | /* Write the signatures. */ |
1419 | 0 | rc = write_signature_packets (ctrl, sk_list, out, md, extrahash, |
1420 | 0 | opt.textmode && !outfile? 0x01 : 0x00, |
1421 | 0 | 0, duration, detached ? 'D':'S', NULL); |
1422 | 0 | if (rc) |
1423 | 0 | goto leave; |
1424 | | |
1425 | | |
1426 | 0 | leave: |
1427 | 0 | if (rc) |
1428 | 0 | iobuf_cancel (out); |
1429 | 0 | else |
1430 | 0 | { |
1431 | 0 | iobuf_close (out); |
1432 | 0 | if (encryptflag) |
1433 | 0 | write_status (STATUS_END_ENCRYPTION); |
1434 | 0 | } |
1435 | 0 | iobuf_close (inp); |
1436 | 0 | gcry_md_close (md); |
1437 | 0 | release_sk_list (sk_list); |
1438 | 0 | release_pk_list (pk_list); |
1439 | 0 | recipient_digest_algo = 0; |
1440 | 0 | release_progress_context (pfx); |
1441 | 0 | release_armor_context (afx); |
1442 | 0 | xfree (extrahash); |
1443 | 0 | return rc; |
1444 | 0 | } |
1445 | | |
1446 | | |
1447 | | /* |
1448 | | * Make a clear signature. Note that opt.armor is not needed. |
1449 | | */ |
1450 | | int |
1451 | | clearsign_file (ctrl_t ctrl, |
1452 | | const char *fname, strlist_t locusr, const char *outfile) |
1453 | 0 | { |
1454 | 0 | armor_filter_context_t *afx; |
1455 | 0 | progress_filter_context_t *pfx; |
1456 | 0 | gcry_md_hd_t textmd = NULL; |
1457 | 0 | iobuf_t inp = NULL; |
1458 | 0 | iobuf_t out = NULL; |
1459 | 0 | PACKET pkt; |
1460 | 0 | int rc = 0; |
1461 | 0 | SK_LIST sk_list = NULL; |
1462 | 0 | SK_LIST sk_rover = NULL; |
1463 | 0 | u32 duration = 0; |
1464 | 0 | pt_extra_hash_data_t extrahash = NULL; |
1465 | |
|
1466 | 0 | pfx = new_progress_context (); |
1467 | 0 | afx = new_armor_context (); |
1468 | 0 | init_packet( &pkt ); |
1469 | |
|
1470 | 0 | if (opt.ask_sig_expire && !opt.batch) |
1471 | 0 | duration = ask_expire_interval (1, opt.def_sig_expire); |
1472 | 0 | else |
1473 | 0 | duration = parse_expire_string (opt.def_sig_expire); |
1474 | | |
1475 | | /* Note: In the old non-agent version the following call used to |
1476 | | * unprotect the secret key. This is now done on demand by the agent. */ |
1477 | 0 | if ((rc=build_sk_list (ctrl, locusr, &sk_list, PUBKEY_USAGE_SIG))) |
1478 | 0 | goto leave; |
1479 | | |
1480 | | /* Prepare iobufs. */ |
1481 | 0 | inp = iobuf_open (fname); |
1482 | 0 | if (inp && is_secured_file (iobuf_get_fd (inp))) |
1483 | 0 | { |
1484 | 0 | iobuf_close (inp); |
1485 | 0 | inp = NULL; |
1486 | 0 | gpg_err_set_errno (EPERM); |
1487 | 0 | } |
1488 | 0 | if (!inp) |
1489 | 0 | { |
1490 | 0 | rc = gpg_error_from_syserror (); |
1491 | 0 | log_error (_("can't open '%s': %s\n"), |
1492 | 0 | fname? fname: "[stdin]", gpg_strerror (rc)); |
1493 | 0 | goto leave; |
1494 | 0 | } |
1495 | 0 | handle_progress (pfx, inp, fname); |
1496 | |
|
1497 | 0 | if (outfile) |
1498 | 0 | { |
1499 | 0 | if (is_secured_filename (outfile)) |
1500 | 0 | { |
1501 | 0 | outfile = NULL; |
1502 | 0 | gpg_err_set_errno (EPERM); |
1503 | 0 | } |
1504 | 0 | else |
1505 | 0 | out = iobuf_create (outfile, 0); |
1506 | |
|
1507 | 0 | if (!out) |
1508 | 0 | { |
1509 | 0 | rc = gpg_error_from_syserror (); |
1510 | 0 | log_error (_("can't create '%s': %s\n"), outfile, gpg_strerror (rc)); |
1511 | 0 | goto leave; |
1512 | 0 | } |
1513 | 0 | else if (opt.verbose) |
1514 | 0 | log_info (_("writing to '%s'\n"), outfile); |
1515 | |
|
1516 | 0 | } |
1517 | 0 | else if ((rc = open_outfile (GNUPG_INVALID_FD, fname, 1, 0, &out))) |
1518 | 0 | { |
1519 | 0 | goto leave; |
1520 | 0 | } |
1521 | | |
1522 | 0 | iobuf_writestr (out, "-----BEGIN PGP SIGNED MESSAGE-----" LF); |
1523 | |
|
1524 | 0 | { |
1525 | 0 | const char *s; |
1526 | 0 | int any = 0; |
1527 | 0 | byte hashs_seen[256]; |
1528 | |
|
1529 | 0 | memset (hashs_seen, 0, sizeof hashs_seen); |
1530 | 0 | iobuf_writestr (out, "Hash: " ); |
1531 | 0 | for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) |
1532 | 0 | { |
1533 | 0 | int i = hash_for (sk_rover->pk); |
1534 | |
|
1535 | 0 | if (!hashs_seen[ i & 0xff ]) |
1536 | 0 | { |
1537 | 0 | s = gcry_md_algo_name (i); |
1538 | 0 | if (s) |
1539 | 0 | { |
1540 | 0 | hashs_seen[ i & 0xff ] = 1; |
1541 | 0 | if (any) |
1542 | 0 | iobuf_put (out, ','); |
1543 | 0 | iobuf_writestr (out, s); |
1544 | 0 | any = 1; |
1545 | 0 | } |
1546 | 0 | } |
1547 | 0 | } |
1548 | 0 | log_assert (any); |
1549 | 0 | iobuf_writestr (out, LF); |
1550 | 0 | } |
1551 | | |
1552 | 0 | if (opt.not_dash_escaped) |
1553 | 0 | iobuf_writestr (out, |
1554 | 0 | "NotDashEscaped: You need "GPG_NAME |
1555 | 0 | " to verify this message" LF); |
1556 | 0 | iobuf_writestr (out, LF ); |
1557 | |
|
1558 | 0 | if (gcry_md_open (&textmd, 0, 0)) |
1559 | 0 | BUG (); |
1560 | 0 | for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) |
1561 | 0 | gcry_md_enable (textmd, hash_for(sk_rover->pk)); |
1562 | |
|
1563 | 0 | if (DBG_HASHING) |
1564 | 0 | gcry_md_debug (textmd, "clearsign"); |
1565 | |
|
1566 | 0 | copy_clearsig_text (out, inp, textmd, !opt.not_dash_escaped, opt.escape_from); |
1567 | | /* fixme: check for read errors */ |
1568 | | |
1569 | | /* Now write the armor. */ |
1570 | 0 | afx->what = 2; |
1571 | 0 | push_armor_filter (afx, out); |
1572 | | |
1573 | | /* Prepare EXTRAHASH, so that it can be used for v5 signature. */ |
1574 | 0 | extrahash = xtrymalloc (sizeof *extrahash); |
1575 | 0 | if (!extrahash) |
1576 | 0 | { |
1577 | 0 | rc = gpg_error_from_syserror (); |
1578 | 0 | goto leave; |
1579 | 0 | } |
1580 | 0 | else |
1581 | 0 | { |
1582 | 0 | extrahash->mode = 't'; |
1583 | 0 | extrahash->timestamp = 0; |
1584 | 0 | extrahash->namelen = 0; |
1585 | 0 | } |
1586 | | |
1587 | | /* Write the signatures. */ |
1588 | 0 | rc = write_signature_packets (ctrl, sk_list, out, textmd, extrahash, |
1589 | 0 | 0x01, 0, duration, 'C', NULL); |
1590 | 0 | if (rc) |
1591 | 0 | goto leave; |
1592 | | |
1593 | 0 | leave: |
1594 | 0 | if (rc) |
1595 | 0 | iobuf_cancel (out); |
1596 | 0 | else |
1597 | 0 | iobuf_close (out); |
1598 | 0 | iobuf_close (inp); |
1599 | 0 | gcry_md_close (textmd); |
1600 | 0 | release_sk_list (sk_list); |
1601 | 0 | release_progress_context (pfx); |
1602 | 0 | release_armor_context (afx); |
1603 | 0 | xfree (extrahash); |
1604 | 0 | return rc; |
1605 | 0 | } |
1606 | | |
1607 | | |
1608 | | /* |
1609 | | * Sign and conventionally encrypt the given file. |
1610 | | * FIXME: Far too much code is duplicated - revamp the whole file. |
1611 | | */ |
1612 | | int |
1613 | | sign_symencrypt_file (ctrl_t ctrl, const char *fname, strlist_t locusr) |
1614 | 0 | { |
1615 | 0 | armor_filter_context_t *afx; |
1616 | 0 | progress_filter_context_t *pfx; |
1617 | 0 | compress_filter_context_t zfx; |
1618 | 0 | md_filter_context_t mfx; |
1619 | 0 | md_thd_filter_context_t mfx2 = NULL; |
1620 | 0 | gcry_md_hd_t md = NULL; |
1621 | 0 | text_filter_context_t tfx; |
1622 | 0 | cipher_filter_context_t cfx; |
1623 | 0 | iobuf_t inp = NULL; |
1624 | 0 | iobuf_t out = NULL; |
1625 | 0 | PACKET pkt; |
1626 | 0 | STRING2KEY *s2k = NULL; |
1627 | 0 | int rc = 0; |
1628 | 0 | SK_LIST sk_list = NULL; |
1629 | 0 | SK_LIST sk_rover = NULL; |
1630 | 0 | int algo; |
1631 | 0 | u32 duration = 0; |
1632 | 0 | int canceled; |
1633 | 0 | pt_extra_hash_data_t extrahash = NULL; |
1634 | |
|
1635 | 0 | pfx = new_progress_context (); |
1636 | 0 | afx = new_armor_context (); |
1637 | 0 | memset (&zfx, 0, sizeof zfx); |
1638 | 0 | memset (&mfx, 0, sizeof mfx); |
1639 | 0 | memset (&tfx, 0, sizeof tfx); |
1640 | 0 | memset (&cfx, 0, sizeof cfx); |
1641 | 0 | init_packet (&pkt); |
1642 | |
|
1643 | 0 | if (opt.ask_sig_expire && !opt.batch) |
1644 | 0 | duration = ask_expire_interval (1, opt.def_sig_expire); |
1645 | 0 | else |
1646 | 0 | duration = parse_expire_string (opt.def_sig_expire); |
1647 | | |
1648 | | /* Note: In the old non-agent version the following call used to |
1649 | | * unprotect the secret key. This is now done on demand by the agent. */ |
1650 | 0 | rc = build_sk_list (ctrl, locusr, &sk_list, PUBKEY_USAGE_SIG); |
1651 | 0 | if (rc) |
1652 | 0 | goto leave; |
1653 | | |
1654 | | /* Prepare iobufs. */ |
1655 | 0 | inp = iobuf_open (fname); |
1656 | 0 | if (inp && is_secured_file (iobuf_get_fd (inp))) |
1657 | 0 | { |
1658 | 0 | iobuf_close (inp); |
1659 | 0 | inp = NULL; |
1660 | 0 | gpg_err_set_errno (EPERM); |
1661 | 0 | } |
1662 | 0 | if (!inp) |
1663 | 0 | { |
1664 | 0 | rc = gpg_error_from_syserror (); |
1665 | 0 | log_error (_("can't open '%s': %s\n"), |
1666 | 0 | fname? fname: "[stdin]", gpg_strerror (rc)); |
1667 | 0 | goto leave; |
1668 | 0 | } |
1669 | 0 | handle_progress (pfx, inp, fname); |
1670 | | |
1671 | | /* Prepare key. */ |
1672 | 0 | s2k = xmalloc_clear (sizeof *s2k); |
1673 | 0 | s2k->mode = opt.s2k_mode; |
1674 | 0 | s2k->hash_algo = S2K_DIGEST_ALGO; |
1675 | |
|
1676 | 0 | algo = default_cipher_algo (); |
1677 | 0 | cfx.dek = passphrase_to_dek (algo, s2k, 1, 1, NULL, 0, &canceled); |
1678 | |
|
1679 | 0 | if (!cfx.dek || !cfx.dek->keylen) |
1680 | 0 | { |
1681 | 0 | rc = gpg_error (canceled?GPG_ERR_CANCELED:GPG_ERR_BAD_PASSPHRASE); |
1682 | 0 | log_error (_("error creating passphrase: %s\n"), gpg_strerror (rc)); |
1683 | 0 | goto leave; |
1684 | 0 | } |
1685 | | |
1686 | 0 | cfx.dek->use_aead = use_aead (NULL, cfx.dek->algo); |
1687 | 0 | if (!cfx.dek->use_aead) |
1688 | 0 | cfx.dek->use_mdc = !!use_mdc (NULL, cfx.dek->algo); |
1689 | |
|
1690 | 0 | if (!opt.quiet || !opt.batch) |
1691 | 0 | log_info (_("%s.%s encryption will be used\n"), |
1692 | 0 | openpgp_cipher_algo_name (algo), |
1693 | 0 | cfx.dek->use_aead? openpgp_aead_algo_name (cfx.dek->use_aead) |
1694 | 0 | /**/ : "CFB"); |
1695 | | |
1696 | | /* Now create the outfile. */ |
1697 | 0 | rc = open_outfile (GNUPG_INVALID_FD, fname, opt.armor? 1:0, 0, &out); |
1698 | 0 | if (rc) |
1699 | 0 | goto leave; |
1700 | | |
1701 | | /* Prepare to calculate the MD over the input. */ |
1702 | 0 | if (opt.textmode) |
1703 | 0 | iobuf_push_filter (inp, text_filter, &tfx); |
1704 | 0 | if (gcry_md_open (&md, 0, 0)) |
1705 | 0 | BUG (); |
1706 | 0 | if (DBG_HASHING) |
1707 | 0 | gcry_md_debug (md, "symc-sign"); |
1708 | |
|
1709 | 0 | for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) |
1710 | 0 | gcry_md_enable (md, hash_for (sk_rover->pk)); |
1711 | |
|
1712 | 0 | if ((opt.compat_flags & COMPAT_PARALLELIZED)) |
1713 | 0 | { |
1714 | 0 | iobuf_push_filter (inp, md_thd_filter, &mfx2); |
1715 | 0 | md_thd_filter_set_md (mfx2, md); |
1716 | 0 | } |
1717 | 0 | else |
1718 | 0 | { |
1719 | 0 | iobuf_push_filter (inp, md_filter, &mfx); |
1720 | 0 | mfx.md = md; |
1721 | 0 | } |
1722 | | |
1723 | | |
1724 | | /* Push armor output filter */ |
1725 | 0 | if (opt.armor) |
1726 | 0 | push_armor_filter (afx, out); |
1727 | | |
1728 | | /* Write the symmetric key packet */ |
1729 | | /* (current filters: armor)*/ |
1730 | 0 | { |
1731 | 0 | PKT_symkey_enc *enc = xmalloc_clear (sizeof *enc); |
1732 | | |
1733 | | /* FIXME: seskeylen is 0, thus we directly encrypt the session key: |
1734 | | * |
1735 | | * ...then the S2K algorithm applied to the passphrase produces |
1736 | | * the session key for decrypting the file, using the symmetric |
1737 | | * cipher algorithm from the Symmetric-Key Encrypted Session Key |
1738 | | * packet. |
1739 | | * |
1740 | | * The problem is that this does not allow us to add additional |
1741 | | * encrypted session keys. |
1742 | | */ |
1743 | |
|
1744 | 0 | enc->version = cfx.dek->use_aead ? 5 : 4; |
1745 | 0 | enc->cipher_algo = cfx.dek->algo; |
1746 | 0 | enc->aead_algo = cfx.dek->use_aead; |
1747 | 0 | enc->s2k = *s2k; |
1748 | 0 | pkt.pkttype = PKT_SYMKEY_ENC; |
1749 | 0 | pkt.pkt.symkey_enc = enc; |
1750 | 0 | if ((rc = build_packet (out, &pkt))) |
1751 | 0 | log_error ("build symkey packet failed: %s\n", gpg_strerror (rc)); |
1752 | 0 | xfree (enc); |
1753 | 0 | } |
1754 | | |
1755 | | /* Push the encryption filter */ |
1756 | 0 | iobuf_push_filter (out, |
1757 | 0 | cfx.dek->use_aead? cipher_filter_aead |
1758 | 0 | /**/ : cipher_filter_cfb, |
1759 | 0 | &cfx); |
1760 | | |
1761 | | /* Push the compress filter */ |
1762 | 0 | if (default_compress_algo()) |
1763 | 0 | { |
1764 | 0 | if (cfx.dek && (cfx.dek->use_mdc || cfx.dek->use_aead)) |
1765 | 0 | zfx.new_ctb = 1; |
1766 | 0 | push_compress_filter (out, &zfx,default_compress_algo() ); |
1767 | 0 | } |
1768 | | |
1769 | | /* Write the one-pass signature packets */ |
1770 | | /* (current filters: zip - encrypt - armor) */ |
1771 | 0 | rc = write_onepass_sig_packets (sk_list, out, opt.textmode? 0x01:0x00); |
1772 | 0 | if (rc) |
1773 | 0 | goto leave; |
1774 | | |
1775 | 0 | write_status_begin_signing (md); |
1776 | | |
1777 | | /* Pipe data through all filters; i.e. write the signed stuff. */ |
1778 | | /* (current filters: zip - encrypt - armor) */ |
1779 | 0 | rc = write_plaintext_packet (out, inp, fname, |
1780 | 0 | opt.textmode ? (opt.mimemode?'m':'t'):'b', |
1781 | 0 | &extrahash); |
1782 | 0 | if (rc) |
1783 | 0 | goto leave; |
1784 | | |
1785 | | /* Write the signatures. */ |
1786 | | /* (current filters: zip - encrypt - armor) */ |
1787 | 0 | rc = write_signature_packets (ctrl, sk_list, out, md, extrahash, |
1788 | 0 | opt.textmode? 0x01 : 0x00, |
1789 | 0 | 0, duration, 'S', NULL); |
1790 | 0 | if (rc) |
1791 | 0 | goto leave; |
1792 | | |
1793 | | |
1794 | 0 | leave: |
1795 | 0 | if (rc) |
1796 | 0 | iobuf_cancel (out); |
1797 | 0 | else |
1798 | 0 | { |
1799 | 0 | iobuf_close (out); |
1800 | 0 | write_status (STATUS_END_ENCRYPTION); |
1801 | 0 | } |
1802 | 0 | iobuf_close (inp); |
1803 | 0 | release_sk_list (sk_list); |
1804 | 0 | gcry_md_close (md); |
1805 | 0 | xfree (cfx.dek); |
1806 | 0 | xfree (s2k); |
1807 | 0 | release_progress_context (pfx); |
1808 | 0 | release_armor_context (afx); |
1809 | 0 | xfree (extrahash); |
1810 | 0 | return rc; |
1811 | 0 | } |
1812 | | |
1813 | | |
1814 | | /* |
1815 | | * Create a v4 signature in *RET_SIG. |
1816 | | * |
1817 | | * PK is the primary key to sign (required for all sigs) |
1818 | | * UID is the user id to sign (required for 0x10..0x13, 0x30) |
1819 | | * SUBPK is subkey to sign (required for 0x18, 0x19, 0x28) |
1820 | | * |
1821 | | * PKSK is the signing key |
1822 | | * |
1823 | | * SIGCLASS is the type of signature to create. |
1824 | | * |
1825 | | * TIMESTAMP is the timestamp to use for the signature. 0 means "now" |
1826 | | * |
1827 | | * DURATION is the amount of time (in seconds) until the signature |
1828 | | * expires. |
1829 | | * |
1830 | | * If CACHED_NONCE is not NULL the agent may use it to avoid |
1831 | | * additional Pinentry popups for the same keyblock. |
1832 | | * |
1833 | | * This function creates the following subpackets: issuer, created, |
1834 | | * and expire (if duration is not 0). Additional subpackets can be |
1835 | | * added using MKSUBPKT, which is called after these subpackets are |
1836 | | * added and before the signature is generated. OPAQUE is passed to |
1837 | | * MKSUBPKT. |
1838 | | */ |
1839 | | int |
1840 | | make_keysig_packet (ctrl_t ctrl, |
1841 | | PKT_signature **ret_sig, PKT_public_key *pk, |
1842 | | PKT_user_id *uid, PKT_public_key *subpk, |
1843 | | PKT_public_key *pksk, |
1844 | | int sigclass, |
1845 | | u32 timestamp, u32 duration, |
1846 | | int (*mksubpkt)(PKT_signature *, void *), void *opaque, |
1847 | | const char *cache_nonce) |
1848 | 0 | { |
1849 | 0 | PKT_signature *sig; |
1850 | 0 | int rc = 0; |
1851 | 0 | int sigversion; |
1852 | 0 | int digest_algo; |
1853 | 0 | gcry_md_hd_t md; |
1854 | 0 | u32 pk_keyid[2], pksk_keyid[2]; |
1855 | 0 | unsigned int signhints; |
1856 | 0 | int with_manu; |
1857 | |
|
1858 | 0 | log_assert ((sigclass&~3) == SIGCLASS_CERT |
1859 | 0 | || sigclass == SIGCLASS_KEY |
1860 | 0 | || sigclass == SIGCLASS_KEYREV |
1861 | 0 | || sigclass == SIGCLASS_SUBKEY |
1862 | 0 | || sigclass == SIGCLASS_BACKSIG |
1863 | 0 | || sigclass == SIGCLASS_CERTREV |
1864 | 0 | || sigclass == SIGCLASS_SUBREV ); |
1865 | | |
1866 | 0 | if (pksk->version >= 5) |
1867 | 0 | sigversion = 5; |
1868 | 0 | else |
1869 | 0 | sigversion = 4; |
1870 | | |
1871 | | /* Select the digest algo to use. */ |
1872 | 0 | if (opt.cert_digest_algo) /* Forceful override by the user. */ |
1873 | 0 | digest_algo = opt.cert_digest_algo; |
1874 | 0 | else if (pksk->pubkey_algo == PUBKEY_ALGO_DSA) /* Meet DSA requirements. */ |
1875 | 0 | digest_algo = match_dsa_hash (gcry_mpi_get_nbits (pksk->pkey[1])/8); |
1876 | 0 | else if (pksk->pubkey_algo == PUBKEY_ALGO_ECDSA) /* Meet ECDSA requirements. */ |
1877 | 0 | digest_algo = match_dsa_hash |
1878 | 0 | (ecdsa_qbits_from_Q (gcry_mpi_get_nbits (pksk->pkey[1]))/8); |
1879 | 0 | else if (pksk->pubkey_algo == PUBKEY_ALGO_EDDSA) |
1880 | 0 | { |
1881 | 0 | if (gcry_mpi_get_nbits (pksk->pkey[1]) > 256) |
1882 | 0 | digest_algo = DIGEST_ALGO_SHA512; |
1883 | 0 | else |
1884 | 0 | digest_algo = DIGEST_ALGO_SHA256; |
1885 | 0 | } |
1886 | 0 | else /* Use the default. */ |
1887 | 0 | digest_algo = DEFAULT_DIGEST_ALGO; |
1888 | |
|
1889 | 0 | signhints = SIGNHINT_KEYSIG; |
1890 | 0 | keyid_from_pk (pk, pk_keyid); |
1891 | 0 | keyid_from_pk (pksk, pksk_keyid); |
1892 | 0 | if (pk_keyid[0] == pksk_keyid[0] && pk_keyid[1] == pksk_keyid[1]) |
1893 | 0 | signhints |= SIGNHINT_SELFSIG; |
1894 | |
|
1895 | 0 | if (gcry_md_open (&md, digest_algo, 0)) |
1896 | 0 | BUG (); |
1897 | | |
1898 | | /* Hash the public key certificate. */ |
1899 | 0 | hash_public_key (md, pk); |
1900 | |
|
1901 | 0 | if (sigclass == SIGCLASS_SUBKEY || sigclass == SIGCLASS_BACKSIG |
1902 | 0 | || sigclass == SIGCLASS_SUBREV) |
1903 | 0 | { |
1904 | | /* Hash the subkey binding/backsig/revocation. */ |
1905 | 0 | hash_public_key (md, subpk); |
1906 | 0 | if ((subpk->pubkey_usage & PUBKEY_USAGE_RENC)) |
1907 | 0 | signhints |= SIGNHINT_ADSK; |
1908 | 0 | } |
1909 | 0 | else if (sigclass != SIGCLASS_KEY && sigclass != SIGCLASS_KEYREV) |
1910 | 0 | { |
1911 | | /* Hash the user id. */ |
1912 | 0 | hash_uid (md, sigversion, uid); |
1913 | 0 | } |
1914 | | /* Make the signature packet. */ |
1915 | 0 | sig = xmalloc_clear (sizeof *sig); |
1916 | 0 | sig->version = sigversion; |
1917 | 0 | sig->flags.exportable = 1; |
1918 | 0 | sig->flags.revocable = 1; |
1919 | 0 | keyid_from_pk (pksk, sig->keyid); |
1920 | 0 | sig->pubkey_algo = pksk->pubkey_algo; |
1921 | 0 | sig->digest_algo = digest_algo; |
1922 | 0 | sig->timestamp = timestamp? timestamp : make_timestamp (); |
1923 | 0 | if (duration) |
1924 | 0 | sig->expiredate = sig->timestamp + duration; |
1925 | 0 | sig->sig_class = sigclass; |
1926 | |
|
1927 | 0 | build_sig_subpkt_from_sig (sig, pksk, signhints); |
1928 | |
|
1929 | 0 | with_manu = 0; |
1930 | 0 | if ((signhints & SIGNHINT_SELFSIG) /* Only for self-signatures. */ |
1931 | 0 | && ((sigclass&~3) == SIGCLASS_CERT /* on UIDs and subkeys. */ |
1932 | 0 | || sigclass == SIGCLASS_SUBKEY)) |
1933 | 0 | { |
1934 | 0 | if (opt.compliance == CO_DE_VS |
1935 | 0 | && gnupg_rng_is_compliant (CO_DE_VS)) |
1936 | 0 | with_manu = 23; /* Always in de-vs mode. */ |
1937 | 0 | else if (!(opt.compat_flags & COMPAT_NO_MANU)) |
1938 | 0 | with_manu = 1; |
1939 | 0 | } |
1940 | |
|
1941 | 0 | mk_notation_policy_etc (ctrl, sig, pk, pksk, with_manu); |
1942 | | |
1943 | | /* Crucial that the call to mksubpkt comes LAST before the calls |
1944 | | * to finalize the sig as that makes it possible for the mksubpkt |
1945 | | * function to get a reliable pointer to the subpacket area. */ |
1946 | 0 | if (mksubpkt) |
1947 | 0 | rc = (*mksubpkt)(sig, opaque); |
1948 | |
|
1949 | 0 | if (!rc) |
1950 | 0 | { |
1951 | 0 | hash_sigversion_to_magic (md, sig, NULL); |
1952 | 0 | gcry_md_final (md); |
1953 | 0 | rc = complete_sig (ctrl, sig, pksk, md, cache_nonce, signhints); |
1954 | 0 | } |
1955 | |
|
1956 | 0 | gcry_md_close (md); |
1957 | 0 | if (rc) |
1958 | 0 | free_seckey_enc (sig); |
1959 | 0 | else |
1960 | 0 | *ret_sig = sig; |
1961 | 0 | return rc; |
1962 | 0 | } |
1963 | | |
1964 | | |
1965 | | |
1966 | | /* |
1967 | | * Create a new signature packet based on an existing one. |
1968 | | * Only user ID signatures are supported for now. |
1969 | | * PK is the public key to work on. |
1970 | | * PKSK is the key used to make the signature. |
1971 | | * |
1972 | | * TODO: Merge this with make_keysig_packet. |
1973 | | */ |
1974 | | gpg_error_t |
1975 | | update_keysig_packet (ctrl_t ctrl, |
1976 | | PKT_signature **ret_sig, |
1977 | | PKT_signature *orig_sig, |
1978 | | PKT_public_key *pk, |
1979 | | PKT_user_id *uid, |
1980 | | PKT_public_key *subpk, |
1981 | | PKT_public_key *pksk, |
1982 | | int (*mksubpkt)(PKT_signature *, void *), |
1983 | | void *opaque) |
1984 | 0 | { |
1985 | 0 | PKT_signature *sig; |
1986 | 0 | gpg_error_t rc = 0; |
1987 | 0 | int digest_algo; |
1988 | 0 | gcry_md_hd_t md; |
1989 | 0 | u32 pk_keyid[2], pksk_keyid[2]; |
1990 | 0 | unsigned int signhints = 0; |
1991 | |
|
1992 | 0 | if ((!orig_sig || !pk || !pksk) |
1993 | 0 | || (orig_sig->sig_class >= 0x10 && orig_sig->sig_class <= 0x13 && !uid) |
1994 | 0 | || (orig_sig->sig_class == 0x18 && !subpk)) |
1995 | 0 | return GPG_ERR_GENERAL; |
1996 | | |
1997 | | /* Either use the override digest algo or in the normal case the |
1998 | | * original digest algorithm. However, iff the original digest |
1999 | | * algorithms is SHA-1 and we are in gnupg or de-vs compliance mode |
2000 | | * we switch to SHA-256 (done by the macro). */ |
2001 | 0 | if (opt.cert_digest_algo) |
2002 | 0 | digest_algo = opt.cert_digest_algo; |
2003 | 0 | else if (pksk->pubkey_algo == PUBKEY_ALGO_DSA |
2004 | 0 | || pksk->pubkey_algo == PUBKEY_ALGO_ECDSA |
2005 | 0 | || pksk->pubkey_algo == PUBKEY_ALGO_EDDSA) |
2006 | 0 | digest_algo = orig_sig->digest_algo; |
2007 | 0 | else if (orig_sig->digest_algo == DIGEST_ALGO_SHA1 |
2008 | 0 | || orig_sig->digest_algo == DIGEST_ALGO_RMD160) |
2009 | 0 | digest_algo = DEFAULT_DIGEST_ALGO; |
2010 | 0 | else |
2011 | 0 | digest_algo = orig_sig->digest_algo; |
2012 | |
|
2013 | 0 | signhints = SIGNHINT_KEYSIG; |
2014 | 0 | keyid_from_pk (pk, pk_keyid); |
2015 | 0 | keyid_from_pk (pksk, pksk_keyid); |
2016 | 0 | if (pk_keyid[0] == pksk_keyid[0] && pk_keyid[1] == pksk_keyid[1]) |
2017 | 0 | signhints |= SIGNHINT_SELFSIG; |
2018 | |
|
2019 | 0 | if (gcry_md_open (&md, digest_algo, 0)) |
2020 | 0 | BUG (); |
2021 | | |
2022 | | /* Hash the public key certificate and the user id. */ |
2023 | 0 | hash_public_key (md, pk); |
2024 | |
|
2025 | 0 | if (orig_sig->sig_class == 0x18) |
2026 | 0 | hash_public_key (md, subpk); |
2027 | 0 | else |
2028 | 0 | hash_uid (md, orig_sig->version, uid); |
2029 | | |
2030 | | /* Create a new signature packet. */ |
2031 | 0 | sig = copy_signature (NULL, orig_sig); |
2032 | | |
2033 | | /* Don't generate version 3 signature, but newer. */ |
2034 | 0 | if (sig->version == 3) |
2035 | 0 | { |
2036 | 0 | if (pk->version > 3) |
2037 | 0 | sig->version = pk->version; |
2038 | 0 | else |
2039 | 0 | sig->version = 4; |
2040 | 0 | } |
2041 | |
|
2042 | 0 | sig->digest_algo = digest_algo; |
2043 | | |
2044 | | /* We need to create a new timestamp so that new sig expiration |
2045 | | * calculations are done correctly... */ |
2046 | 0 | sig->timestamp = make_timestamp(); |
2047 | | |
2048 | | /* ... but we won't make a timestamp earlier than the existing |
2049 | | * one. */ |
2050 | 0 | { |
2051 | 0 | int tmout = 0; |
2052 | 0 | while (sig->timestamp <= orig_sig->timestamp) |
2053 | 0 | { |
2054 | 0 | if (++tmout > 5 && !opt.ignore_time_conflict) |
2055 | 0 | { |
2056 | 0 | rc = gpg_error (GPG_ERR_TIME_CONFLICT); |
2057 | 0 | goto leave; |
2058 | 0 | } |
2059 | 0 | gnupg_sleep (1); |
2060 | 0 | sig->timestamp = make_timestamp(); |
2061 | 0 | } |
2062 | 0 | } |
2063 | | |
2064 | | /* Detect an ADSK key binding signature. */ |
2065 | 0 | if ((sig->sig_class == 0x18 |
2066 | 0 | || sig->sig_class == 0x19 || sig->sig_class == 0x28) |
2067 | 0 | && (pk->pubkey_usage & PUBKEY_USAGE_RENC)) |
2068 | 0 | signhints |= SIGNHINT_ADSK; |
2069 | | |
2070 | | /* Note that already expired sigs will remain expired (with a |
2071 | | * duration of 1) since build-packet.c:build_sig_subpkt_from_sig |
2072 | | * detects this case. */ |
2073 | | |
2074 | | /* Put the updated timestamp into the sig. Note that this will |
2075 | | * automagically lower any sig expiration dates to correctly |
2076 | | * correspond to the differences in the timestamps (i.e. the |
2077 | | * duration will shrink). */ |
2078 | 0 | build_sig_subpkt_from_sig (sig, pksk, signhints); |
2079 | |
|
2080 | 0 | if (mksubpkt) |
2081 | 0 | rc = (*mksubpkt)(sig, opaque); |
2082 | |
|
2083 | 0 | if (!rc) |
2084 | 0 | { |
2085 | 0 | hash_sigversion_to_magic (md, sig, NULL); |
2086 | 0 | gcry_md_final (md); |
2087 | 0 | rc = complete_sig (ctrl, sig, pksk, md, NULL, signhints); |
2088 | 0 | } |
2089 | |
|
2090 | 0 | leave: |
2091 | 0 | gcry_md_close (md); |
2092 | 0 | if (rc) |
2093 | 0 | free_seckey_enc (sig); |
2094 | 0 | else |
2095 | 0 | *ret_sig = sig; |
2096 | 0 | return rc; |
2097 | 0 | } |