search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2008-05-15 Marcus Brinkmann <marcus@g10code.de>
[gnupg.git] / sm / certcheck.c
blob7f26f80dcb49aa59dcd7757dd9303f49bd8a10ff
1 /* certcheck.c - check one certificate
2 * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuPG.
5 *
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include <config.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <errno.h>
25 #include <unistd.h>
26 #include <time.h>
27 #include <assert.h>
28
29 #include "gpgsm.h"
30 #include <gcrypt.h>
31 #include <ksba.h>
32
33 #include "keydb.h"
34 #include "i18n.h"
35
36
37 /* Remove this if libgcrypt 1.3.0 is required. */
38 #define MY_GCRY_PK_ECDSA 301
39
40
41 /* Return the number of bits of the Q parameter from the DSA key
42 KEY. */
43 static unsigned int
44 get_dsa_qbits (gcry_sexp_t key)
45 {
46 gcry_sexp_t l1, l2;
47 gcry_mpi_t q;
48 unsigned int nbits;
49
50 l1 = gcry_sexp_find_token (key, "public-key", 0);
51 if (!l1)
52 return 0; /* Does not contain a key object. */
53 l2 = gcry_sexp_cadr (l1);
54 gcry_sexp_release (l1);
55 l1 = gcry_sexp_find_token (l2, "q", 1);
56 gcry_sexp_release (l2);
57 if (!l1)
58 return 0; /* Invalid object. */
59 q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
60 gcry_sexp_release (l1);
61 if (!q)
62 return 0; /* Missing value. */
63 nbits = gcry_mpi_get_nbits (q);
64 gcry_mpi_release (q);
65
66 return nbits;
67 }
68
69
70 static int
71 do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
72 gcry_sexp_t pkey, gcry_mpi_t *r_val)
73 {
74 int n;
75 size_t nframe;
76 unsigned char *frame;
77
78 if (pkalgo == GCRY_PK_DSA || pkalgo == MY_GCRY_PK_ECDSA)
79 {
80 unsigned int qbits;
81
82 if ( pkalgo == MY_GCRY_PK_ECDSA )
83 qbits = gcry_pk_get_nbits (pkey);
84 else
85 qbits = get_dsa_qbits (pkey);
86
87 if ( (qbits%8) )
88 {
89 log_error(_("DSA requires the hash length to be a"
90 " multiple of 8 bits\n"));
91 return gpg_error (GPG_ERR_INTERNAL);
92 }
93
94 /* Don't allow any Q smaller than 160 bits. We don't want
95 someone to issue signatures from a key with a 16-bit Q or
96 something like that, which would look correct but allow
97 trivial forgeries. Yes, I know this rules out using MD5 with
98 DSA. ;) */
99 if (qbits < 160)
100 {
101 log_error (_("%s key uses an unsafe (%u bit) hash\n"),
102 gcry_pk_algo_name (pkalgo), qbits);
103 return gpg_error (GPG_ERR_INTERNAL);
104 }
105
106 /* Check if we're too short. Too long is safe as we'll
107 automatically left-truncate. */
108 nframe = gcry_md_get_algo_dlen (algo);
109 if (nframe < qbits/8)
110 {
111 log_error (_("a %u bit hash is not valid for a %u bit %s key\n"),
112 (unsigned int)nframe*8,
113 gcry_pk_get_nbits (pkey),
114 gcry_pk_algo_name (pkalgo));
115 /* FIXME: we need to check the requirements for ECDSA. */
116 if (nframe < 20 || pkalgo == GCRY_PK_DSA )
117 return gpg_error (GPG_ERR_INTERNAL);
118 }
119
120 frame = xtrymalloc (nframe);
121 if (!frame)
122 return out_of_core ();
123 memcpy (frame, gcry_md_read (md, algo), nframe);
124 n = nframe;
125 /* Truncate. */
126 if (n > qbits/8)
127 n = qbits/8;
128 }
129 else
130 {
131 int i;
132 unsigned char asn[100];
133 size_t asnlen;
134 size_t len;
135
136 nframe = (nbits+7) / 8;
137
138 asnlen = DIM(asn);
139 if (!algo || gcry_md_test_algo (algo))
140 return gpg_error (GPG_ERR_DIGEST_ALGO);
141 if (gcry_md_algo_info (algo, GCRYCTL_GET_ASNOID, asn, &asnlen))
142 {
143 log_error ("no object identifier for algo %d\n", algo);
144 return gpg_error (GPG_ERR_INTERNAL);
145 }
146
147 len = gcry_md_get_algo_dlen (algo);
148
149 if ( len + asnlen + 4 > nframe )
150 {
151 log_error ("can't encode a %d bit MD into a %d bits frame\n",
152 (int)(len*8), (int)nbits);
153 return gpg_error (GPG_ERR_INTERNAL);
154 }
155
156 /* We encode the MD in this way:
157 *
158 * 0 A PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes)
159 *
160 * PAD consists of FF bytes.
161 */
162 frame = xtrymalloc (nframe);
163 if (!frame)
164 return out_of_core ();
165 n = 0;
166 frame[n++] = 0;
167 frame[n++] = 1; /* block type */
168 i = nframe - len - asnlen -3 ;
169 assert ( i > 1 );
170 memset ( frame+n, 0xff, i ); n += i;
171 frame[n++] = 0;
172 memcpy ( frame+n, asn, asnlen ); n += asnlen;
173 memcpy ( frame+n, gcry_md_read(md, algo), len ); n += len;
174 assert ( n == nframe );
175 }
176 if (DBG_CRYPTO)
177 {
178 int j;
179 log_debug ("encoded hash:");
180 for (j=0; j < nframe; j++)
181 log_printf (" %02X", frame[j]);
182 log_printf ("\n");
183 }
184
185 gcry_mpi_scan (r_val, GCRYMPI_FMT_USG, frame, n, &nframe);
186 xfree (frame);
187 return 0;
188 }
189
190 /* Return the public key algorithm id from the S-expression PKEY.
191 FIXME: libgcrypt should provide such a function. Note that this
192 implementation uses the names as used by libksba. */
193 static int
194 pk_algo_from_sexp (gcry_sexp_t pkey)
195 {
196 gcry_sexp_t l1, l2;
197 const char *name;
198 size_t n;
199 int algo;
200
201 l1 = gcry_sexp_find_token (pkey, "public-key", 0);
202 if (!l1)
203 return 0; /* Not found. */
204 l2 = gcry_sexp_cadr (l1);
205 gcry_sexp_release (l1);
206
207 name = gcry_sexp_nth_data (l2, 0, &n);
208 if (!name)
209 algo = 0; /* Not found. */
210 else if (n==3 && !memcmp (name, "rsa", 3))
211 algo = GCRY_PK_RSA;
212 else if (n==3 && !memcmp (name, "dsa", 3))
213 algo = GCRY_PK_DSA;
214 /* Because this function is called only for verification we can
215 assume that ECC actually means ECDSA. */
216 else if (n==3 && !memcmp (name, "ecc", 3))
217 algo = MY_GCRY_PK_ECDSA;
218 else if (n==13 && !memcmp (name, "ambiguous-rsa", 13))
219 algo = GCRY_PK_RSA;
220 else
221 algo = 0;
222 gcry_sexp_release (l2);
223 return algo;
224 }
225
226
227 /* Check the signature on CERT using the ISSUER-CERT. This function
228 does only test the cryptographic signature and nothing else. It is
229 assumed that the ISSUER_CERT is valid. */
230 int
231 gpgsm_check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert)
232 {
233 const char *algoid;
234 gcry_md_hd_t md;
235 int rc, algo;
236 gcry_mpi_t frame;
237 ksba_sexp_t p;
238 size_t n;
239 gcry_sexp_t s_sig, s_hash, s_pkey;
240
241 algo = gcry_md_map_name ( (algoid=ksba_cert_get_digest_algo (cert)));
242 if (!algo)
243 {
244 log_error ("unknown hash algorithm `%s'\n", algoid? algoid:"?");
245 if (algoid
246 && ( !strcmp (algoid, "1.2.840.113549.1.1.2")
247 ||!strcmp (algoid, "1.2.840.113549.2.2")))
248 log_info (_("(this is the MD2 algorithm)\n"));
249 return gpg_error (GPG_ERR_GENERAL);
250 }
251 rc = gcry_md_open (&md, algo, 0);
252 if (rc)
253 {
254 log_error ("md_open failed: %s\n", gpg_strerror (rc));
255 return rc;
256 }
257 if (DBG_HASHING)
258 gcry_md_start_debug (md, "hash.cert");
259
260 rc = ksba_cert_hash (cert, 1, HASH_FNC, md);
261 if (rc)
262 {
263 log_error ("ksba_cert_hash failed: %s\n", gpg_strerror (rc));
264 gcry_md_close (md);
265 return rc;
266 }
267 gcry_md_final (md);
268
269 p = ksba_cert_get_sig_val (cert);
270 n = gcry_sexp_canon_len (p, 0, NULL, NULL);
271 if (!n)
272 {
273 log_error ("libksba did not return a proper S-Exp\n");
274 gcry_md_close (md);
275 ksba_free (p);
276 return gpg_error (GPG_ERR_BUG);
277 }
278 if (DBG_CRYPTO)
279 {
280 int j;
281 log_debug ("signature value:");
282 for (j=0; j < n; j++)
283 log_printf (" %02X", p[j]);
284 log_printf ("\n");
285 }
286
287 rc = gcry_sexp_sscan ( &s_sig, NULL, (char*)p, n);
288 ksba_free (p);
289 if (rc)
290 {
291 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
292 gcry_md_close (md);
293 return rc;
294 }
295
296 p = ksba_cert_get_public_key (issuer_cert);
297 n = gcry_sexp_canon_len (p, 0, NULL, NULL);
298 if (!n)
299 {
300 log_error ("libksba did not return a proper S-Exp\n");
301 gcry_md_close (md);
302 ksba_free (p);
303 gcry_sexp_release (s_sig);
304 return gpg_error (GPG_ERR_BUG);
305 }
306 rc = gcry_sexp_sscan ( &s_pkey, NULL, (char*)p, n);
307 ksba_free (p);
308 if (rc)
309 {
310 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
311 gcry_md_close (md);
312 gcry_sexp_release (s_sig);
313 return rc;
314 }
315
316 rc = do_encode_md (md, algo, pk_algo_from_sexp (s_pkey),
317 gcry_pk_get_nbits (s_pkey), s_pkey, &frame);
318 if (rc)
319 {
320 gcry_md_close (md);
321 gcry_sexp_release (s_sig);
322 gcry_sexp_release (s_pkey);
323 return rc;
324 }
325
326 /* put hash into the S-Exp s_hash */
327 if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) )
328 BUG ();
329 gcry_mpi_release (frame);
330
331
332 rc = gcry_pk_verify (s_sig, s_hash, s_pkey);
333 if (DBG_X509)
334 log_debug ("gcry_pk_verify: %s\n", gpg_strerror (rc));
335 gcry_md_close (md);
336 gcry_sexp_release (s_sig);
337 gcry_sexp_release (s_hash);
338 gcry_sexp_release (s_pkey);
339 return rc;
340 }
341
342
343
344 int
345 gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
346 gcry_md_hd_t md, int mdalgo, int *r_pkalgo)
347 {
348 int rc;
349 ksba_sexp_t p;
350 gcry_mpi_t frame;
351 gcry_sexp_t s_sig, s_hash, s_pkey;
352 size_t n;
353 int pkalgo;
354
355 if (r_pkalgo)
356 *r_pkalgo = 0;
357
358 n = gcry_sexp_canon_len (sigval, 0, NULL, NULL);
359 if (!n)
360 {
361 log_error ("libksba did not return a proper S-Exp\n");
362 return gpg_error (GPG_ERR_BUG);
363 }
364 rc = gcry_sexp_sscan (&s_sig, NULL, (char*)sigval, n);
365 if (rc)
366 {
367 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
368 return rc;
369 }
370
371 p = ksba_cert_get_public_key (cert);
372 n = gcry_sexp_canon_len (p, 0, NULL, NULL);
373 if (!n)
374 {
375 log_error ("libksba did not return a proper S-Exp\n");
376 ksba_free (p);
377 gcry_sexp_release (s_sig);
378 return gpg_error (GPG_ERR_BUG);
379 }
380 if (DBG_CRYPTO)
381 log_printhex ("public key: ", p, n);
382
383 rc = gcry_sexp_sscan ( &s_pkey, NULL, (char*)p, n);
384 ksba_free (p);
385 if (rc)
386 {
387 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
388 gcry_sexp_release (s_sig);
389 return rc;
390 }
391
392 pkalgo = pk_algo_from_sexp (s_pkey);
393 if (r_pkalgo)
394 *r_pkalgo = pkalgo;
395 rc = do_encode_md (md, mdalgo, pkalgo,
396 gcry_pk_get_nbits (s_pkey), s_pkey, &frame);
397 if (rc)
398 {
399 gcry_sexp_release (s_sig);
400 gcry_sexp_release (s_pkey);
401 return rc;
402 }
403 /* put hash into the S-Exp s_hash */
404 if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) )
405 BUG ();
406 gcry_mpi_release (frame);
407
408 rc = gcry_pk_verify (s_sig, s_hash, s_pkey);
409 if (DBG_X509)
410 log_debug ("gcry_pk_verify: %s\n", gpg_strerror (rc));
411 gcry_sexp_release (s_sig);
412 gcry_sexp_release (s_hash);
413 gcry_sexp_release (s_pkey);
414 return rc;
415 }
416
417
418
419 int
420 gpgsm_create_cms_signature (ctrl_t ctrl, ksba_cert_t cert,
421 gcry_md_hd_t md, int mdalgo,
422 unsigned char **r_sigval)
423 {
424 int rc;
425 char *grip, *desc;
426 size_t siglen;
427
428 grip = gpgsm_get_keygrip_hexstring (cert);
429 if (!grip)
430 return gpg_error (GPG_ERR_BAD_CERT);
431
432 desc = gpgsm_format_keydesc (cert);
433
434 rc = gpgsm_agent_pksign (ctrl, grip, desc, gcry_md_read(md, mdalgo),
435 gcry_md_get_algo_dlen (mdalgo), mdalgo,
436 r_sigval, &siglen);
437 xfree (desc);
438 xfree (grip);
439 return rc;
440 }
441
442
443
gnupg svn clone