search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add gpgconf related dummy options default_pubkey_algo.
[gnupg.git] / sm / certreqgen.c
blob7026a303fd03dd9c0923370e94b33ee9d00adb51
1 /* certreqgen.c - Generate a key and a certification request
2 * Copyright (C) 2002, 2003, 2005, 2007 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuPG.
5 *
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21 The format of the native parameter file is follows:
22 o Text only, line length is limited to about 1000 chars.
23 o You must use UTF-8 encoding to specify non-ascii characters.
24 o Empty lines are ignored.
25 o Leading and trailing spaces are ignored.
26 o A hash sign as the first non white space character is a comment line.
27 o Control statements are indicated by a leading percent sign, the
28 arguments are separated by white space from the keyword.
29 o Parameters are specified by a keyword, followed by a colon. Arguments
30 are separated by white space.
31 o The first parameter must be "Key-Type", control statements
32 may be placed anywhere.
33 o Key generation takes place when either the end of the parameter file
34 is reached, the next "Key-Type" parameter is encountered or at the
35 controlstatement "%commit"
36 o Control statements:
37 %echo <text>
38 Print <text>.
39 %dry-run
40 Suppress actual key generation (useful for syntax checking).
41 %commit
42 Perform the key generation. Note that an implicit commit is done
43 at the next "Key-Type" parameter.
44 %certfile <filename>
45 Do not write the certificate to the keyDB but to <filename>.
46 This must be given before the first
47 commit to take place, duplicate specification of the same filename
48 is ignored, the last filename before a commit is used.
49 The filename is used until a new filename is used (at commit points)
50 and all keys are written to that file. If a new filename is given,
51 this file is created (and overwrites an existing one).
52 Both control statements must be given.
53 o The order of the parameters does not matter except for "Key-Type"
54 which must be the first parameter. The parameters are only for the
55 generated keyblock and parameters from previous key generations are not
56 used. Some syntactically checks may be performed.
57 The currently defined parameters are:
58 Key-Type: <algo>
59 Starts a new parameter block by giving the type of the
60 primary key. The algorithm must be capable of signing.
61 This is a required parameter. For now the only supported
62 algorithm is "rsa".
63 Key-Length: <length-in-bits>
64 Length of the key in bits. Default is 2048.
65 Key-Grip: hexstring
66 This is optional and used to generate a request for an already
67 existing key. Key-Length will be ignored when given,
68 Key-Usage: <usage-list>
69 Space or comma delimited list of key usage, allowed values are
70 "encrypt" and "sign". This is used to generate the KeyUsage extension.
71 Please make sure that the algorithm is capable of this usage. Default
72 is to allow encrypt and sign.
73 Name-DN: subject name
74 This is the DN name of the subject in rfc2253 format.
75 Name-Email: <string>
76 The is an email address for the altSubjectName
77 Name-DNS: <string>
78 The is an DNS name for the altSubjectName
79 Name-URI: <string>
80 The is an URI for the altSubjectName
81
82 Here is an example:
83 $ cat >foo <<EOF
84 %echo Generating a standard key
85 Key-Type: RSA
86 Key-Length: 2048
87 Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Düsseldorf,C=DE
88 Name-Email: joe@foo.bar
89 # Do a commit here, so that we can later print "done" :-)
90 %commit
91 %echo done
92 EOF
93 */
94
95
96 #include <config.h>
97 #include <stdio.h>
98 #include <stdlib.h>
99 #include <string.h>
100 #include <errno.h>
101 #include <unistd.h>
102 #include <time.h>
103 #include <assert.h>
104
105 #include "gpgsm.h"
106 #include <gcrypt.h>
107 #include <ksba.h>
108
109 #include "keydb.h"
110 #include "i18n.h"
111
112
113 enum para_name {
114 pKEYTYPE,
115 pKEYLENGTH,
116 pKEYGRIP,
117 pKEYUSAGE,
118 pNAMEDN,
119 pNAMEEMAIL,
120 pNAMEDNS,
121 pNAMEURI
122 };
123
124 struct para_data_s {
125 struct para_data_s *next;
126 int lnr;
127 enum para_name key;
128 union {
129 unsigned int usage;
130 char value[1];
131 } u;
132 };
133
134 struct reqgen_ctrl_s {
135 int lnr;
136 int dryrun;
137 ksba_writer_t writer;
138 };
139
140
141 static const char oidstr_keyUsage[] = "2.5.29.15";
142
143
144 static int proc_parameters (ctrl_t ctrl,
145 struct para_data_s *para,
146 struct reqgen_ctrl_s *outctrl);
147 static int create_request (ctrl_t ctrl,
148 struct para_data_s *para,
149 const char *carddirect,
150 ksba_const_sexp_t public,
151 struct reqgen_ctrl_s *outctrl);
152
153
154 \f
155 static void
156 release_parameter_list (struct para_data_s *r)
157 {
158 struct para_data_s *r2;
159
160 for (; r ; r = r2)
161 {
162 r2 = r->next;
163 xfree(r);
164 }
165 }
166
167 static struct para_data_s *
168 get_parameter (struct para_data_s *para, enum para_name key, int seq)
169 {
170 struct para_data_s *r;
171
172 for (r = para; r ; r = r->next)
173 if ( r->key == key && !seq--)
174 return r;
175 return NULL;
176 }
177
178 static const char *
179 get_parameter_value (struct para_data_s *para, enum para_name key, int seq)
180 {
181 struct para_data_s *r = get_parameter (para, key, seq);
182 return (r && *r->u.value)? r->u.value : NULL;
183 }
184
185 static int
186 get_parameter_algo (struct para_data_s *para, enum para_name key)
187 {
188 struct para_data_s *r = get_parameter (para, key, 0);
189 if (!r)
190 return -1;
191 if (digitp (r->u.value))
192 return atoi( r->u.value );
193 return gcry_pk_map_name (r->u.value);
194 }
195
196 /* Parse the usage parameter. Returns 0 on success. Note that we
197 only care about sign and encrypt and don't (yet) allow all the
198 other X.509 usage to be specified; instead we will use a fixed
199 mapping to the X.509 usage flags. */
200 static int
201 parse_parameter_usage (struct para_data_s *para, enum para_name key)
202 {
203 struct para_data_s *r = get_parameter (para, key, 0);
204 char *p, *pn;
205 unsigned int use;
206
207 if (!r)
208 return 0; /* none (this is an optional parameter)*/
209
210 use = 0;
211 pn = r->u.value;
212 while ( (p = strsep (&pn, " \t,")) )
213 {
214 if (!*p)
215 ;
216 else if ( !ascii_strcasecmp (p, "sign") )
217 use |= GCRY_PK_USAGE_SIGN;
218 else if ( !ascii_strcasecmp (p, "encrypt") )
219 use |= GCRY_PK_USAGE_ENCR;
220 else
221 {
222 log_error ("line %d: invalid usage list\n", r->lnr);
223 return -1; /* error */
224 }
225 }
226 r->u.usage = use;
227 return 0;
228 }
229
230
231 static unsigned int
232 get_parameter_uint (struct para_data_s *para, enum para_name key)
233 {
234 struct para_data_s *r = get_parameter (para, key, 0);
235
236 if (!r)
237 return 0;
238
239 if (r->key == pKEYUSAGE)
240 return r->u.usage;
241
242 return (unsigned int)strtoul (r->u.value, NULL, 10);
243 }
244
245
246
247 /* Read the certificate generation parameters from FP and generate
248 (all) certificate requests. */
249 static int
250 read_parameters (ctrl_t ctrl, estream_t fp, ksba_writer_t writer)
251 {
252 static struct {
253 const char *name;
254 enum para_name key;
255 int allow_dups;
256 } keywords[] = {
257 { "Key-Type", pKEYTYPE},
258 { "Key-Length", pKEYLENGTH },
259 { "Key-Grip", pKEYGRIP },
260 { "Key-Usage", pKEYUSAGE },
261 { "Name-DN", pNAMEDN },
262 { "Name-Email", pNAMEEMAIL, 1 },
263 { "Name-DNS", pNAMEDNS, 1 },
264 { "Name-URI", pNAMEURI, 1 },
265 { NULL, 0 }
266 };
267 char line[1024], *p;
268 const char *err = NULL;
269 struct para_data_s *para, *r;
270 int i, rc = 0, any = 0;
271 struct reqgen_ctrl_s outctrl;
272
273 memset (&outctrl, 0, sizeof (outctrl));
274 outctrl.writer = writer;
275
276 err = NULL;
277 para = NULL;
278 while (es_fgets (line, DIM(line)-1, fp) )
279 {
280 char *keyword, *value;
281
282 outctrl.lnr++;
283 if (*line && line[strlen(line)-1] != '\n')
284 {
285 err = "line too long";
286 break;
287 }
288 for (p=line; spacep (p); p++)
289 ;
290 if (!*p || *p == '#')
291 continue;
292
293 keyword = p;
294 if (*keyword == '%')
295 {
296 for (; *p && !spacep (p); p++)
297 ;
298 if (*p)
299 *p++ = 0;
300 for (; spacep (p); p++)
301 ;
302 value = p;
303 trim_trailing_spaces (value);
304
305 if (!ascii_strcasecmp (keyword, "%echo"))
306 log_info ("%s\n", value);
307 else if (!ascii_strcasecmp (keyword, "%dry-run"))
308 outctrl.dryrun = 1;
309 else if (!ascii_strcasecmp( keyword, "%commit"))
310 {
311 rc = proc_parameters (ctrl, para, &outctrl);
312 if (rc)
313 goto leave;
314 any = 1;
315 release_parameter_list (para);
316 para = NULL;
317 }
318 else
319 log_info ("skipping control `%s' (%s)\n", keyword, value);
320
321 continue;
322 }
323
324
325 if (!(p = strchr (p, ':')) || p == keyword)
326 {
327 err = "missing colon";
328 break;
329 }
330 if (*p)
331 *p++ = 0;
332 for (; spacep (p); p++)
333 ;
334 if (!*p)
335 {
336 err = "missing argument";
337 break;
338 }
339 value = p;
340 trim_trailing_spaces (value);
341
342 for (i=0; (keywords[i].name
343 && ascii_strcasecmp (keywords[i].name, keyword)); i++)
344 ;
345 if (!keywords[i].name)
346 {
347 err = "unknown keyword";
348 break;
349 }
350 if (keywords[i].key != pKEYTYPE && !para)
351 {
352 err = "parameter block does not start with \"Key-Type\"";
353 break;
354 }
355
356 if (keywords[i].key == pKEYTYPE && para)
357 {
358 rc = proc_parameters (ctrl, para, &outctrl);
359 if (rc)
360 goto leave;
361 any = 1;
362 release_parameter_list (para);
363 para = NULL;
364 }
365 else if (!keywords[i].allow_dups)
366 {
367 for (r = para; r && r->key != keywords[i].key; r = r->next)
368 ;
369 if (r)
370 {
371 err = "duplicate keyword";
372 break;
373 }
374 }
375
376 r = xtrycalloc (1, sizeof *r + strlen( value ));
377 if (!r)
378 {
379 err = "out of core";
380 break;
381 }
382 r->lnr = outctrl.lnr;
383 r->key = keywords[i].key;
384 strcpy (r->u.value, value);
385 r->next = para;
386 para = r;
387 }
388
389 if (err)
390 {
391 log_error ("line %d: %s\n", outctrl.lnr, err);
392 rc = gpg_error (GPG_ERR_GENERAL);
393 }
394 else if (es_ferror(fp))
395 {
396 log_error ("line %d: read error: %s\n", outctrl.lnr, strerror(errno) );
397 rc = gpg_error (GPG_ERR_GENERAL);
398 }
399 else if (para)
400 {
401 rc = proc_parameters (ctrl, para, &outctrl);
402 if (rc)
403 goto leave;
404 any = 1;
405 }
406
407 if (!rc && !any)
408 rc = gpg_error (GPG_ERR_NO_DATA);
409
410 leave:
411 release_parameter_list (para);
412 return rc;
413 }
414
415 /* check whether there are invalid characters in the email address S */
416 static int
417 has_invalid_email_chars (const char *s)
418 {
419 int at_seen=0;
420 static char valid_chars[] = "01234567890_-."
421 "abcdefghijklmnopqrstuvwxyz"
422 "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
423 for (; *s; s++)
424 {
425 if (*s & 0x80)
426 return 1;
427 if (*s == '@')
428 at_seen++;
429 else if (!at_seen && !( !!strchr (valid_chars, *s) || *s == '+'))
430 return 1;
431 else if (at_seen && !strchr (valid_chars, *s))
432 return 1;
433 }
434 return at_seen != 1;
435 }
436
437
438 /* Check that all required parameters are given and perform the action */
439 static int
440 proc_parameters (ctrl_t ctrl,
441 struct para_data_s *para, struct reqgen_ctrl_s *outctrl)
442 {
443 gpg_error_t err;
444 struct para_data_s *r;
445 const char *s;
446 int i;
447 unsigned int nbits;
448 char numbuf[20];
449 unsigned char keyparms[100];
450 int rc;
451 ksba_sexp_t public;
452 int seq;
453 size_t erroff, errlen;
454 char *cardkeyid = NULL;
455
456 /* Check that we have all required parameters; */
457 assert (get_parameter (para, pKEYTYPE, 0));
458
459 /* We can only use RSA for now. There is a problem with pkcs-10 on
460 how to use ElGamal because it is expected that a PK algorithm can
461 always be used for signing. Another problem is that on-card
462 generated encryption keys may not be used for signing. */
463 i = get_parameter_algo (para, pKEYTYPE);
464 if (!i && (s = get_parameter_value (para, pKEYTYPE, 0)) && *s)
465 {
466 /* Hack to allow creation of certificates directly from a smart
467 card. For example: "Key-Type: card:OPENPGP.3". */
468 if (!strncmp (s, "card:", 5) && s[5])
469 cardkeyid = xtrystrdup (s+5);
470 }
471 if ( (i < 1 || i != GCRY_PK_RSA) && !cardkeyid )
472 {
473 r = get_parameter (para, pKEYTYPE, 0);
474 log_error (_("line %d: invalid algorithm\n"), r->lnr);
475 return gpg_error (GPG_ERR_INV_PARAMETER);
476 }
477
478 /* Check the keylength. NOTE: If you change this make sure that it
479 macthes the gpgconflist item in gpgsm.c */
480 if (!get_parameter (para, pKEYLENGTH, 0))
481 nbits = 2048;
482 else
483 nbits = get_parameter_uint (para, pKEYLENGTH);
484 if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
485 {
486 /* The BSI specs dated 2002-11-25 don't allow lengths below 1024. */
487 r = get_parameter (para, pKEYLENGTH, 0);
488 log_error (_("line %d: invalid key length %u (valid are %d to %d)\n"),
489 r->lnr, nbits, 1024, 4096);
490 xfree (cardkeyid);
491 return gpg_error (GPG_ERR_INV_PARAMETER);
492 }
493
494 /* Check the usage. */
495 if (parse_parameter_usage (para, pKEYUSAGE))
496 {
497 xfree (cardkeyid);
498 return gpg_error (GPG_ERR_INV_PARAMETER);
499 }
500
501 /* Check that there is a subject name and that this DN fits our
502 requirements. */
503 if (!(s=get_parameter_value (para, pNAMEDN, 0)))
504 {
505 r = get_parameter (para, pNAMEDN, 0);
506 log_error (_("line %d: no subject name given\n"), r->lnr);
507 xfree (cardkeyid);
508 return gpg_error (GPG_ERR_INV_PARAMETER);
509 }
510 err = ksba_dn_teststr (s, 0, &erroff, &errlen);
511 if (err)
512 {
513 r = get_parameter (para, pNAMEDN, 0);
514 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
515 log_error (_("line %d: invalid subject name label `%.*s'\n"),
516 r->lnr, (int)errlen, s+erroff);
517 else
518 log_error (_("line %d: invalid subject name `%s' at pos %d\n"),
519 r->lnr, s, (int)erroff);
520
521 xfree (cardkeyid);
522 return gpg_error (GPG_ERR_INV_PARAMETER);
523 }
524
525 /* Check that the optional email address is okay. */
526 for (seq=0; (s=get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
527 {
528 if (has_invalid_email_chars (s)
529 || *s == '@'
530 || s[strlen(s)-1] == '@'
531 || s[strlen(s)-1] == '.'
532 || strstr(s, ".."))
533 {
534 r = get_parameter (para, pNAMEEMAIL, seq);
535 log_error (_("line %d: not a valid email address\n"), r->lnr);
536 xfree (cardkeyid);
537 return gpg_error (GPG_ERR_INV_PARAMETER);
538 }
539 }
540
541 if (cardkeyid) /* Take the key from the current smart card. */
542 {
543 rc = gpgsm_agent_readkey (ctrl, 1, cardkeyid, &public);
544 if (rc)
545 {
546 r = get_parameter (para, pKEYTYPE, 0);
547 log_error (_("line %d: error reading key `%s' from card: %s\n"),
548 r->lnr, cardkeyid, gpg_strerror (rc));
549 xfree (cardkeyid);
550 return rc;
551 }
552 }
553 else if ((s=get_parameter_value (para, pKEYGRIP, 0))) /* Use existing key.*/
554 {
555 rc = gpgsm_agent_readkey (ctrl, 0, s, &public);
556 if (rc)
557 {
558 r = get_parameter (para, pKEYTYPE, 0);
559 log_error (_("line %d: error getting key by keygrip `%s': %s\n"),
560 r->lnr, s, gpg_strerror (rc));
561 xfree (cardkeyid);
562 return rc;
563 }
564 }
565 else /* Generate new key. */
566 {
567 sprintf (numbuf, "%u", nbits);
568 snprintf ((char*)keyparms, DIM (keyparms)-1,
569 "(6:genkey(3:rsa(5:nbits%d:%s)))",
570 (int)strlen (numbuf), numbuf);
571 rc = gpgsm_agent_genkey (ctrl, keyparms, &public);
572 if (rc)
573 {
574 r = get_parameter (para, pKEYTYPE, 0);
575 log_error (_("line %d: key generation failed: %s <%s>\n"),
576 r->lnr, gpg_strerror (rc), gpg_strsource (rc));
577 xfree (cardkeyid);
578 return rc;
579 }
580 }
581
582 rc = create_request (ctrl, para, cardkeyid, public, outctrl);
583 xfree (public);
584 xfree (cardkeyid);
585
586 return rc;
587 }
588
589
590 /* Parameters are checked, the key pair has been created. Now
591 generate the request and write it out */
592 static int
593 create_request (ctrl_t ctrl,
594 struct para_data_s *para,
595 const char *carddirect,
596 ksba_const_sexp_t public,
597 struct reqgen_ctrl_s *outctrl)
598 {
599 ksba_certreq_t cr;
600 gpg_error_t err;
601 gcry_md_hd_t md;
602 ksba_stop_reason_t stopreason;
603 int rc = 0;
604 const char *s;
605 unsigned int use;
606 int seq;
607 char *buf, *p;
608 size_t len;
609 char numbuf[30];
610
611 err = ksba_certreq_new (&cr);
612 if (err)
613 return err;
614
615 rc = gcry_md_open (&md, GCRY_MD_SHA1, 0);
616 if (rc)
617 {
618 log_error ("md_open failed: %s\n", gpg_strerror (rc));
619 goto leave;
620 }
621 if (DBG_HASHING)
622 gcry_md_start_debug (md, "cr.cri");
623
624 ksba_certreq_set_hash_function (cr, HASH_FNC, md);
625 ksba_certreq_set_writer (cr, outctrl->writer);
626
627 err = ksba_certreq_add_subject (cr, get_parameter_value (para, pNAMEDN, 0));
628 if (err)
629 {
630 log_error ("error setting the subject's name: %s\n",
631 gpg_strerror (err));
632 rc = err;
633 goto leave;
634 }
635
636 for (seq=0; (s = get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
637 {
638 buf = xtrymalloc (strlen (s) + 3);
639 if (!buf)
640 {
641 rc = out_of_core ();
642 goto leave;
643 }
644 *buf = '<';
645 strcpy (buf+1, s);
646 strcat (buf+1, ">");
647 err = ksba_certreq_add_subject (cr, buf);
648 xfree (buf);
649 if (err)
650 {
651 log_error ("error setting the subject's alternate name: %s\n",
652 gpg_strerror (err));
653 rc = err;
654 goto leave;
655 }
656 }
657
658 for (seq=0; (s = get_parameter_value (para, pNAMEDNS, seq)); seq++)
659 {
660 len = strlen (s);
661 assert (len);
662 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
663 buf = p = xtrymalloc (11 + strlen (numbuf) + len + 3);
664 if (!buf)
665 {
666 rc = out_of_core ();
667 goto leave;
668 }
669 p = stpcpy (p, "(8:dns-name");
670 p = stpcpy (p, numbuf);
671 p = stpcpy (p, s);
672 strcpy (p, ")");
673
674 err = ksba_certreq_add_subject (cr, buf);
675 xfree (buf);
676 if (err)
677 {
678 log_error ("error setting the subject's alternate name: %s\n",
679 gpg_strerror (err));
680 rc = err;
681 goto leave;
682 }
683 }
684
685 for (seq=0; (s = get_parameter_value (para, pNAMEURI, seq)); seq++)
686 {
687 len = strlen (s);
688 assert (len);
689 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
690 buf = p = xtrymalloc (6 + strlen (numbuf) + len + 3);
691 if (!buf)
692 {
693 rc = out_of_core ();
694 goto leave;
695 }
696 p = stpcpy (p, "(3:uri");
697 p = stpcpy (p, numbuf);
698 p = stpcpy (p, s);
699 strcpy (p, ")");
700
701 err = ksba_certreq_add_subject (cr, buf);
702 xfree (buf);
703 if (err)
704 {
705 log_error ("error setting the subject's alternate name: %s\n",
706 gpg_strerror (err));
707 rc = err;
708 goto leave;
709 }
710 }
711
712
713 err = ksba_certreq_set_public_key (cr, public);
714 if (err)
715 {
716 log_error ("error setting the public key: %s\n",
717 gpg_strerror (err));
718 rc = err;
719 goto leave;
720 }
721
722
723 use = get_parameter_uint (para, pKEYUSAGE);
724 if (use == GCRY_PK_USAGE_SIGN)
725 {
726 /* For signing only we encode the bits:
727 KSBA_KEYUSAGE_DIGITAL_SIGNATURE
728 KSBA_KEYUSAGE_NON_REPUDIATION */
729 err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1,
730 "\x03\x02\x06\xC0", 4);
731 }
732 else if (use == GCRY_PK_USAGE_ENCR)
733 {
734 /* For encrypt only we encode the bits:
735 KSBA_KEYUSAGE_KEY_ENCIPHERMENT
736 KSBA_KEYUSAGE_DATA_ENCIPHERMENT */
737 err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1,
738 "\x03\x02\x04\x30", 4);
739 }
740 else
741 err = 0; /* Both or none given: don't request one. */
742 if (err)
743 {
744 log_error ("error setting the key usage: %s\n",
745 gpg_strerror (err));
746 rc = err;
747 goto leave;
748 }
749
750
751 do
752 {
753 err = ksba_certreq_build (cr, &stopreason);
754 if (err)
755 {
756 log_error ("ksba_certreq_build failed: %s\n", gpg_strerror (err));
757 rc = err;
758 goto leave;
759 }
760 if (stopreason == KSBA_SR_NEED_SIG)
761 {
762 gcry_sexp_t s_pkey;
763 size_t n;
764 unsigned char grip[20];
765 char hexgrip[41];
766 unsigned char *sigval;
767 size_t siglen;
768
769 n = gcry_sexp_canon_len (public, 0, NULL, NULL);
770 if (!n)
771 {
772 log_error ("libksba did not return a proper S-Exp\n");
773 rc = gpg_error (GPG_ERR_BUG);
774 goto leave;
775 }
776 rc = gcry_sexp_sscan (&s_pkey, NULL, (const char*)public, n);
777 if (rc)
778 {
779 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
780 goto leave;
781 }
782 if ( !gcry_pk_get_keygrip (s_pkey, grip) )
783 {
784 rc = gpg_error (GPG_ERR_GENERAL);
785 log_error ("can't figure out the keygrip\n");
786 gcry_sexp_release (s_pkey);
787 goto leave;
788 }
789 gcry_sexp_release (s_pkey);
790 bin2hex (grip, 20, hexgrip);
791
792 log_info ("about to sign CSR for key: &%s\n", hexgrip);
793
794 if (carddirect)
795 rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
796 gcry_md_read(md, GCRY_MD_SHA1),
797 gcry_md_get_algo_dlen (GCRY_MD_SHA1),
798 GCRY_MD_SHA1,
799 &sigval, &siglen);
800 else
801 {
802 char *orig_codeset;
803 char *desc;
804
805 orig_codeset = i18n_switchto_utf8 ();
806 desc = percent_plus_escape
807 (_("To complete this certificate request please enter"
808 " the passphrase for the key you just created once"
809 " more.\n"));
810 i18n_switchback (orig_codeset);
811 rc = gpgsm_agent_pksign (ctrl, hexgrip, desc,
812 gcry_md_read(md, GCRY_MD_SHA1),
813 gcry_md_get_algo_dlen (GCRY_MD_SHA1),
814 GCRY_MD_SHA1,
815 &sigval, &siglen);
816 xfree (desc);
817 }
818 if (rc)
819 {
820 log_error ("signing failed: %s\n", gpg_strerror (rc));
821 goto leave;
822 }
823
824 err = ksba_certreq_set_sig_val (cr, sigval);
825 xfree (sigval);
826 if (err)
827 {
828 log_error ("failed to store the sig_val: %s\n",
829 gpg_strerror (err));
830 rc = err;
831 goto leave;
832 }
833 }
834 }
835 while (stopreason != KSBA_SR_READY);
836
837
838 leave:
839 gcry_md_close (md);
840 ksba_certreq_release (cr);
841 return rc;
842 }
843
844
845 \f
846 /* Create a new key by reading the parameters from IN_FP. Multiple
847 keys may be created */
848 int
849 gpgsm_genkey (ctrl_t ctrl, estream_t in_stream, FILE *out_fp)
850 {
851 int rc;
852 Base64Context b64writer = NULL;
853 ksba_writer_t writer;
854
855 ctrl->pem_name = "CERTIFICATE REQUEST";
856 rc = gpgsm_create_writer (&b64writer, ctrl, out_fp, NULL, &writer);
857 if (rc)
858 {
859 log_error ("can't create writer: %s\n", gpg_strerror (rc));
860 goto leave;
861 }
862
863 rc = read_parameters (ctrl, in_stream, writer);
864 if (rc)
865 {
866 log_error ("error creating certificate request: %s <%s>\n",
867 gpg_strerror (rc), gpg_strsource (rc));
868 goto leave;
869 }
870
871 rc = gpgsm_finish_writer (b64writer);
872 if (rc)
873 {
874 log_error ("write failed: %s\n", gpg_strerror (rc));
875 goto leave;
876 }
877
878 gpgsm_status (ctrl, STATUS_KEY_CREATED, "P");
879 log_info ("certificate request created\n");
880
881 leave:
882 gpgsm_destroy_writer (b64writer);
883 return rc;
884 }
885
gnupg svn clone