search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2008-01-15 Marcus Brinkmann <marcus@g10code.de>
[gnupg.git] / scd / sc-copykeys.c
blob6a6c0e0d3596d40607d8b120936721b9edd83c1f
1 /* sc-copykeys.c - A tool to store keys on a smartcard.
2 * Copyright (C) 2003 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuPG.
5 *
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include <config.h>
21
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <assert.h>
26 #include <sys/types.h>
27 #include <sys/stat.h>
28 #include <unistd.h>
29
30 #define JNLIB_NEED_LOG_LOGV
31 #include "scdaemon.h"
32 #include <gcrypt.h>
33
34 #include "../common/ttyio.h"
35 #include "../common/simple-pwquery.h"
36 #include "apdu.h" /* for open_reader */
37 #include "atr.h"
38 #include "app-common.h"
39
40 #define _(a) (a)
41
42
43 enum cmd_and_opt_values
44 { oVerbose = 'v',
45 oReaderPort = 500,
46 octapiDriver,
47 oDebug,
48 oDebugAll,
49
50 aTest };
51
52
53 static ARGPARSE_OPTS opts[] = {
54
55 { 301, NULL, 0, "@Options:\n " },
56
57 { oVerbose, "verbose", 0, "verbose" },
58 { oReaderPort, "reader-port", 2, "|N|connect to reader at port N"},
59 { octapiDriver, "ctapi-driver", 2, "NAME|use NAME as ctAPI driver"},
60 { oDebug, "debug" ,4|16, "set debugging flags"},
61 { oDebugAll, "debug-all" ,0, "enable full debugging"},
62 {0}
63 };
64
65
66 static void copykeys (APP app, const char *fname);
67
68
69 static const char *
70 my_strusage (int level)
71 {
72 const char *p;
73 switch (level)
74 {
75 case 11: p = "sc-copykeys (GnuPG)";
76 break;
77 case 13: p = VERSION; break;
78 case 17: p = PRINTABLE_OS_NAME; break;
79 case 19: p = _("Please report bugs to <" PACKAGE_BUGREPORT ">.\n");
80 break;
81 case 1:
82 case 40: p = _("Usage: sc-copykeys [options] (-h for help)\n");
83 break;
84 case 41: p = _("Syntax: sc-copykeys [options] "
85 "file-with-key\n"
86 "Copy keys to a smartcards\n");
87 break;
88
89 default: p = NULL;
90 }
91 return p;
92 }
93
94
95 int
96 main (int argc, char **argv )
97 {
98 ARGPARSE_ARGS pargs;
99 int slot, rc;
100 const char *reader_port = NULL;
101 struct app_ctx_s appbuf;
102
103 memset (&appbuf, 0, sizeof appbuf);
104
105 set_strusage (my_strusage);
106 gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
107 log_set_prefix ("sc-copykeys", 1);
108
109 /* check that the libraries are suitable. Do it here because
110 the option parsing may need services of the library */
111 if (!gcry_check_version (NEED_LIBGCRYPT_VERSION) )
112 {
113 log_fatal (_("%s is too old (need %s, have %s)\n"), "libgcrypt",
114 NEED_LIBGCRYPT_VERSION, gcry_check_version (NULL) );
115 }
116
117 setup_libgcrypt_logging ();
118 gcry_control (GCRYCTL_DISABLE_SECMEM, 0); /* FIXME - we want to use it */
119 /* FIXME? gcry_control (GCRYCTL_USE_SECURE_RNDPOOL);*/
120
121 pargs.argc = &argc;
122 pargs.argv = &argv;
123 pargs.flags= 1; /* do not remove the args */
124 while (arg_parse (&pargs, opts) )
125 {
126 switch (pargs.r_opt)
127 {
128 case oVerbose: opt.verbose++; break;
129 case oDebug: opt.debug |= pargs.r.ret_ulong; break;
130 case oDebugAll: opt.debug = ~0; break;
131 case oReaderPort: reader_port = pargs.r.ret_str; break;
132 case octapiDriver: opt.ctapi_driver = pargs.r.ret_str; break;
133 default : pargs.err = 2; break;
134 }
135 }
136 if (log_get_errorcount(0))
137 exit(2);
138
139 if (argc != 1)
140 usage (1);
141
142 slot = apdu_open_reader (reader_port);
143 if (slot == -1)
144 exit (1);
145
146 /* FIXME: Use select_application. */
147 appbuf.slot = slot;
148 rc = app_select_openpgp (&appbuf);
149 if (rc)
150 {
151 log_error ("selecting openpgp failed: %s\n", gpg_strerror (rc));
152 exit (1);
153 }
154 appbuf.initialized = 1;
155 log_info ("openpgp application selected\n");
156
157 copykeys (&appbuf, *argv);
158
159
160 return 0;
161 }
162
163
164
165 void
166 send_status_info (CTRL ctrl, const char *keyword, ...)
167 {
168 /* DUMMY */
169 }
170
171
172
173 static char *
174 read_file (const char *fname, size_t *r_length)
175 {
176 FILE *fp;
177 struct stat st;
178 char *buf;
179 size_t buflen;
180
181 fp = fname? fopen (fname, "rb") : stdin;
182 if (!fp)
183 {
184 log_error ("can't open `%s': %s\n",
185 fname? fname: "[stdin]", strerror (errno));
186 return NULL;
187 }
188
189 if (fstat (fileno(fp), &st))
190 {
191 log_error ("can't stat `%s': %s\n",
192 fname? fname: "[stdin]", strerror (errno));
193 if (fname)
194 fclose (fp);
195 return NULL;
196 }
197
198 buflen = st.st_size;
199 buf = xmalloc (buflen+1);
200 if (fread (buf, buflen, 1, fp) != 1)
201 {
202 log_error ("error reading `%s': %s\n",
203 fname? fname: "[stdin]", strerror (errno));
204 if (fname)
205 fclose (fp);
206 xfree (buf);
207 return NULL;
208 }
209 if (fname)
210 fclose (fp);
211
212 *r_length = buflen;
213 return buf;
214 }
215
216
217 static gcry_sexp_t
218 read_key (const char *fname)
219 {
220 char *buf;
221 size_t buflen;
222 gcry_sexp_t private;
223 int rc;
224
225 buf = read_file (fname, &buflen);
226 if (!buf)
227 return NULL;
228
229 rc = gcry_sexp_new (&private, buf, buflen, 1);
230 if (rc)
231 {
232 log_error ("gcry_sexp_new failed: %s\n", gpg_strerror (rc));
233 return NULL;
234 }
235 xfree (buf);
236
237 return private;
238 }
239
240
241
242 static gcry_mpi_t *
243 sexp_to_kparms (gcry_sexp_t sexp, unsigned long *created)
244 {
245 gcry_sexp_t list, l2;
246 const char *name;
247 const char *s;
248 size_t n;
249 int i, idx;
250 const char *elems;
251 gcry_mpi_t *array;
252
253 *created = 0;
254 list = gcry_sexp_find_token (sexp, "private-key", 0 );
255 if(!list)
256 return NULL;
257
258 /* quick hack to get the creation time. */
259 l2 = gcry_sexp_find_token (list, "created", 0);
260 if (l2 && (name = gcry_sexp_nth_data (l2, 1, &n)))
261 {
262 char *tmp = xmalloc (n+1);
263 memcpy (tmp, name, n);
264 tmp[n] = 0;
265 *created = strtoul (tmp, NULL, 10);
266 xfree (tmp);
267 }
268 gcry_sexp_release (l2);
269 l2 = gcry_sexp_cadr (list);
270 gcry_sexp_release (list);
271 list = l2;
272 name = gcry_sexp_nth_data (list, 0, &n);
273 if(!name || n != 3 || memcmp (name, "rsa", 3))
274 {
275 gcry_sexp_release (list);
276 return NULL;
277 }
278
279 /* Parameter names used with RSA. */
280 elems = "nedpqu";
281 array = xcalloc (strlen(elems) + 1, sizeof *array);
282 for (idx=0, s=elems; *s; s++, idx++ )
283 {
284 l2 = gcry_sexp_find_token (list, s, 1);
285 if (!l2)
286 {
287 for (i=0; i<idx; i++)
288 gcry_mpi_release (array[i]);
289 xfree (array);
290 gcry_sexp_release (list);
291 return NULL; /* required parameter not found */
292 }
293 array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
294 gcry_sexp_release (l2);
295 if (!array[idx])
296 {
297 for (i=0; i<idx; i++)
298 gcry_mpi_release (array[i]);
299 xfree (array);
300 gcry_sexp_release (list);
301 return NULL; /* required parameter is invalid */
302 }
303 }
304
305 gcry_sexp_release (list);
306 return array;
307 }
308
309
310 /* Return true if the SHA1 fingerprint FPR consists only of zeroes. */
311 static int
312 fpr_is_zero (const char *fpr)
313 {
314 int i;
315
316 for (i=0; i < 20 && !fpr[i]; i++)
317 ;
318 return (i == 20);
319 }
320
321
322 static void
323 show_sha1_fpr (const unsigned char *fpr)
324 {
325 int i;
326
327 if (fpr)
328 {
329 for (i=0; i < 20 ; i+=2, fpr += 2 )
330 {
331 if (i == 10 )
332 tty_printf (" ");
333 tty_printf (" %02X%02X", *fpr, fpr[1]);
334 }
335 }
336 else
337 tty_printf (" [none]");
338 tty_printf ("\n");
339 }
340
341 /* Query the card, show a list of already stored keys and ask the user
342 where to store the key. Returns the key number or 0 for cancel
343 operation. */
344 static int
345 query_card (APP app)
346 {
347 int keyno = 0;
348 char *serialno, *disp_name, *pubkey_url;
349 unsigned char *fpr1, *fpr2, *fpr3;
350
351
352 if (app_openpgp_cardinfo (app,
353 &serialno,
354 &disp_name,
355 &pubkey_url,
356 &fpr1, &fpr2, &fpr3))
357 return 0;
358
359
360 for (;;)
361 {
362 char *answer;
363
364 tty_printf ("\n");
365
366 tty_printf ("Serial number ....: %s\n",
367 serialno? serialno : "[none]");
368 tty_printf ("Name of cardholder: %s\n",
369 disp_name && *disp_name? disp_name : "[not set]");
370 tty_printf ("URL of public key : %s\n",
371 pubkey_url && *pubkey_url? pubkey_url : "[not set]");
372 tty_printf ("Signature key ....:");
373 show_sha1_fpr (fpr1);
374 tty_printf ("Encryption key....:");
375 show_sha1_fpr (fpr2);
376 tty_printf ("Authentication key:");
377 show_sha1_fpr (fpr3);
378
379 tty_printf ("\n"
380 "1 - store as signature key and reset usage counter\n"
381 "2 - store as encryption key\n"
382 "3 - store as authentication key\n"
383 "Q - quit\n"
384 "\n");
385
386 answer = tty_get("Your selection? ");
387 tty_kill_prompt();
388 if (strlen (answer) != 1)
389 ;
390 else if ( *answer == '1' )
391 {
392 if ( (fpr1 && !fpr_is_zero (fpr1)) )
393 {
394 tty_printf ("\n");
395 log_error ("WARNING: signature key does already exists!\n");
396 tty_printf ("\n");
397 if ( tty_get_answer_is_yes ("Replace existing key? ") )
398 {
399 keyno = 1;
400 break;
401 }
402 }
403 else
404 {
405 keyno = 1;
406 break;
407 }
408 }
409 else if ( *answer == '2' )
410 {
411 if ( (fpr2 && !fpr_is_zero (fpr2)) )
412 {
413 tty_printf ("\n");
414 log_error ("WARNING: encryption key does already exists!\n");
415 tty_printf ("\n");
416 if ( tty_get_answer_is_yes ("Replace existing key? ") )
417 {
418 keyno = 2;
419 break;
420 }
421 }
422 else
423 {
424 keyno = 2;
425 break;
426 }
427 }
428 else if ( *answer == '3' )
429 {
430 if ( (fpr3 && !fpr_is_zero (fpr3)) )
431 {
432 tty_printf ("\n");
433 log_error ("WARNING: authentication key does already exists!\n");
434 tty_printf ("\n");
435 if ( tty_get_answer_is_yes ("Replace existing key? ") )
436 {
437 keyno = 3;
438 break;
439 }
440 }
441 else
442 {
443 keyno = 3;
444 break;
445 }
446 }
447 else if ( *answer == 'q' || *answer == 'Q')
448 {
449 keyno = 0;
450 break;
451 }
452 }
453
454 xfree (serialno);
455 xfree (disp_name);
456 xfree (pubkey_url);
457 xfree (fpr1);
458 xfree (fpr2);
459 xfree (fpr3);
460
461 return keyno;
462 }
463
464
465 /* Callback function to ask for a PIN. */
466 static gpg_error_t
467 pincb (void *arg, const char *prompt, char **pinvalue)
468 {
469 char *pin = xstrdup ("12345678");
470
471 /* pin = simple_pwquery (NULL, NULL, prompt, */
472 /* "We need the admin's PIN to store the key on the card", */
473 /* 0, NULL); */
474 /* if (!pin) */
475 /* return gpg_error (GPG_ERR_CANCELED); */
476
477
478
479 *pinvalue = pin;
480 return 0;
481 }
482
483
484 /* This function expects a file (or NULL for stdin) with the secret
485 and public key parameters. This file should consist of an
486 S-expression as used by gpg-agent. Only the unprotected format is
487 supported. Example:
488
489 (private-key
490 (rsa
491 (n #00e0ce9..[some bytes not shown]..51#)
492 (e #010001#)
493 (d #046129F..[some bytes not shown]..81#)
494 (p #00e861b..[some bytes not shown]..f1#)
495 (q #00f7a7c..[some bytes not shown]..61#)
496 (u #304559a..[some bytes not shown]..9b#))
497 (uri http://foo.bar x-foo:whatever_you_want))
498
499 */
500 static void
501 copykeys (APP app, const char *fname)
502 {
503 int rc;
504 gcry_sexp_t private;
505 gcry_mpi_t *mpis, rsa_n, rsa_e, rsa_p, rsa_q;
506 unsigned int nbits;
507 size_t n;
508 unsigned char *template, *tp;
509 unsigned char m[128], e[4];
510 size_t mlen, elen;
511 unsigned long creation_date;
512 time_t created_at;
513 int keyno;
514
515 if (!strcmp (fname, "-"))
516 fname = NULL;
517
518 private = read_key (fname);
519 if (!private)
520 exit (1);
521
522 mpis = sexp_to_kparms (private, &creation_date);
523 if (!creation_date)
524 {
525 log_info ("no creation date found - assuming current date\n");
526 created_at = time (NULL);
527 }
528 else
529 created_at = creation_date;
530 gcry_sexp_release (private);
531 if (!mpis)
532 {
533 log_error ("invalid structure of key file or not RSA\n");
534 exit (1);
535 }
536 /* MPIS is now an array with the key parameters as defined by OpenPGP. */
537 rsa_n = mpis[0];
538 rsa_e = mpis[1];
539 gcry_mpi_release (mpis[2]);
540 rsa_p = mpis[3];
541 rsa_q = mpis[4];
542 gcry_mpi_release (mpis[5]);
543 xfree (mpis);
544
545 nbits = gcry_mpi_get_nbits (rsa_e);
546 if (nbits < 2 || nbits > 32)
547 {
548 log_error ("public exponent too large (more than 32 bits)\n");
549 goto failure;
550 }
551 nbits = gcry_mpi_get_nbits (rsa_p);
552 if (nbits != 512)
553 {
554 log_error ("length of first RSA prime is not 512\n");
555 goto failure;
556 }
557 nbits = gcry_mpi_get_nbits (rsa_q);
558 if (nbits != 512)
559 {
560 log_error ("length of second RSA prime is not 512\n");
561 goto failure;
562 }
563
564 nbits = gcry_mpi_get_nbits (rsa_n);
565 if (nbits != 1024)
566 {
567 log_error ("length of RSA modulus is not 1024\n");
568 goto failure;
569 }
570
571 keyno = query_card (app);
572 if (!keyno)
573 goto failure;
574
575 /* Build the private key template as described in section 4.3.3.6 of
576 the specs.
577 0xC0 <length> public exponent
578 0xC1 <length> prime p
579 0xC2 <length> prime q */
580 template = tp = xmalloc (1+2 + 1+1+4 + 1+1+64 + 1+1+64);
581 *tp++ = 0xC0;
582 *tp++ = 4;
583 rc = gcry_mpi_print (GCRYMPI_FMT_USG, tp, 4, &n, rsa_e);
584 if (rc)
585 {
586 log_error ("mpi_print failed: %s\n", gpg_strerror (rc));
587 goto failure;
588 }
589 assert (n <= 4);
590 memcpy (e, tp, n);
591 elen = n;
592 if (n != 4)
593 {
594 memmove (tp+4-n, tp, 4-n);
595 memset (tp, 0, 4-n);
596 }
597 tp += 4;
598
599 *tp++ = 0xC1;
600 *tp++ = 64;
601 rc = gcry_mpi_print (GCRYMPI_FMT_USG, tp, 64, &n, rsa_p);
602 if (rc)
603 {
604 log_error ("mpi_print failed: %s\n", gpg_strerror (rc));
605 goto failure;
606 }
607 assert (n == 64);
608 tp += 64;
609
610 *tp++ = 0xC2;
611 *tp++ = 64;
612 rc = gcry_mpi_print (GCRYMPI_FMT_USG, tp, 64, &n, rsa_q);
613 if (rc)
614 {
615 log_error ("mpi_print failed: %s\n", gpg_strerror (rc));
616 goto failure;
617 }
618 assert (n == 64);
619 tp += 64;
620 assert (tp - template == 138);
621
622 /* (we need the modulus to calculate the fingerprint) */
623 rc = gcry_mpi_print (GCRYMPI_FMT_USG, m, 128, &n, rsa_n);
624 if (rc)
625 {
626 log_error ("mpi_print failed: %s\n", gpg_strerror (rc));
627 goto failure;
628 }
629 assert (n == 128);
630 mlen = 128;
631
632
633 rc = app_openpgp_storekey (app, keyno,
634 template, tp - template,
635 created_at,
636 m, mlen,
637 e, elen,
638 pincb, NULL);
639
640 if (rc)
641 {
642 log_error ("error storing key: %s\n", gpg_strerror (rc));
643 goto failure;
644 }
645 log_info ("key successfully stored\n");
646 {
647 unsigned char *mm, *ee;
648 size_t mmlen, eelen;
649 int i;
650
651 rc = app_openpgp_readkey (app, keyno, &mm, &mmlen, &ee, &eelen);
652 if (rc)
653 {
654 log_error ("error reading key back: %s\n", gpg_strerror (rc));
655 goto failure;
656 }
657
658 /* Strip leading zeroes. */
659 for (i=0; i < mmlen && !mm[i]; i++)
660 ;
661 mmlen -= i;
662 memmove (mm, mm+i, mmlen);
663 for (i=0; i < eelen && !ee[i]; i++)
664 ;
665 eelen -= i;
666 memmove (ee, ee+i, eelen);
667
668 if (eelen != elen || mmlen != mlen)
669 {
670 log_error ("key parameter length mismatch (n=%u/%u, e=%u/%u)\n",
671 (unsigned int)mlen, (unsigned int)mmlen,
672 (unsigned int)elen, (unsigned int)eelen);
673 xfree (mm);
674 xfree (ee);
675 goto failure;
676 }
677
678 if (memcmp (m, mm, mlen))
679 {
680 log_error ("key parameter n mismatch\n");
681 log_printhex ("original n: ", m, mlen);
682 log_printhex (" copied n: ", mm, mlen);
683 xfree (mm);
684 xfree (ee);
685 goto failure;
686 }
687 if (memcmp (e, ee, elen))
688 {
689 log_error ("key parameter e mismatch\n");
690 log_printhex ("original e: ", e, elen);
691 log_printhex (" copied e: ", ee, elen);
692 xfree (mm);
693 xfree (ee);
694 goto failure;
695 }
696 xfree (mm);
697 xfree (ee);
698 }
699
700
701 gcry_mpi_release (rsa_e);
702 gcry_mpi_release (rsa_p);
703 gcry_mpi_release (rsa_q);
704 gcry_mpi_release (rsa_n);
705 return;
706
707 failure:
708 gcry_mpi_release (rsa_e);
709 gcry_mpi_release (rsa_p);
710 gcry_mpi_release (rsa_q);
711 gcry_mpi_release (rsa_n);
712 exit (1);
713 }
714
715
gnupg svn clone