diff --git a/doc/ksba.texi b/doc/ksba.texi index 02d2645..b8ae345 100644 --- a/doc/ksba.texi +++ b/doc/ksba.texi @@ -1,1186 +1,1199 @@ \input texinfo @setfilename ksba.info @settitle The KSBA Reference Manual @dircategory GNU libraries @direntry * libksba: (ksba). An X.509 Library. @end direntry @include version.texi @c Unify some of the indices. @syncodeindex tp fn @syncodeindex pg fn @macro mycopyrightnotice Copyright @copyright{} 2002, 2003, 2004 g10 Code GmbH @end macro @macro mypermissionnotice Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. The text of the license can be found in the section entitled ``Copying''. @end macro @ifinfo This file documents the @acronym{KSBA} library to access X.509 and CMS data structures. This is edition @value{EDITION}, last updated @value{UPDATED}, of @cite{The KSBA Reference Manual}, for Version @value{VERSION}. @sp 1 @mycopyrightnotice{} @sp 1 @mypermissionnotice{} @end ifinfo @iftex @shorttitlepage The `KSBA' Reference Manual @titlepage @center @titlefont{The `KSBA'} @sp 1 @center @titlefont{Reference Manual} @sp 6 @center Edition @value{EDITION} @sp 1 @center last updated @value{UPDATED} @sp 1 @center for version @value{VERSION} @sp 1 @author by Werner Koch, g10 Code GmbH @email{wk@@gnupg.org} @page @vskip 0pt plus 1filll @mycopyrightnotice{} @sp 1 @mypermissionnotice{} @end titlepage @summarycontents @contents @page @end iftex @ifnottex @node Top @top Main Menu This is edition @value{EDITION}, last updated @value{UPDATED}, of @cite{The KSBA Reference Manual}, for Version @value{VERSION} of the @acronym{KSBA} library. @sp 1 @mycopyrightnotice{} @sp 1 @mypermissionnotice{} @sp 1 @end ifnottex @menu * Introduction:: How to use this manual. * Preparation:: What you should do before using the library. * Certificate Handling:: How to work with X.509 certificates. * CMS:: How to work with CMS (PKCS#7) messages. * CRLs:: How to work with Certificate Revocation Lists. * PKCS10:: How to request certificates. * Utilities:: Various utility functions. * Error Handling:: Error numbers and their meanings. Appendices * Component Labels:: Labels used in string representations. * Copying:: The GNU General Public License says how you can copy and share this manual. Indices * Concept Index:: Index of concepts and programs. * Function and Data Index:: Index of functions, variables and data types. @detailmenu --- The Detailed Node Listing --- Introduction * Getting Started:: * Features:: * Overview:: Preparation * Header:: * Building the source:: Certificate Handling * Creating certificates:: How to create a certificate object. * Retrieving attributes:: How to get the attributes of a certificate. * Setting attributes:: How to set certificates attributes. * User data:: How to associate other data with a certificate. Mastering the Cryptographic Message Syntax * CMS Basics:: * CMS Parser:: @end detailmenu @end menu @node Introduction @chapter Introduction @acronym{KSBA} is a library to make the task of working with X.509 certificates, CMS data and related data more easy. @menu * Getting Started:: * Features:: * Overview:: @end menu @node Getting Started @section Getting Started This manual documents the `KSBA' library programming interface. All functions and data types provided by the library are explained. The reader is assumed to possess basic knowledge about the implemented protocols. This manual can be used in several ways. If read from the beginning to the end, it gives a good introduction into the library and how it can be used in an application. Forward references are included where necessary. Later on, the manual can be used as a reference manual to get just the information needed about any particular interface of the library. Experienced programmers might want to start looking at the examples at the end of the manual, and then only read up those parts of the interface which are unclear. @node Features @section Features `KSBA' has a couple of advantages over other libraries doing a similar job, and over open coding the protocols in your application directly. @table @asis @item It's Free Software Anybody can use, modify, and redistribute it under the terms of the GNU General Public License (@pxref{Copying}). @item It hides the low level stuff `KSBA' a high level interface to the implemented protocols and presents the data in a consistent way. There is no more need to worry about all the nasty details of the protocols. The API gives the C programmer a more usual way of interacting with the data. @item It copes with the version details X.509 protocols tend to have many different versions and dialects. Applications must usually cope with all of this and it has to be coded over and over again. `KSBA' hides this by providing just one API which does the Right Thing. Support for new versions and features of the protocols will be added over time. @end table @node Overview @section Overview @c [Needs more stuff] The `KSBA' library is thread-safe as long as objects described by one context are only used by one thread at a time. No initialization is required. @node Preparation @chapter Preparation To use `KSBA', you have to perform some changes to your sources and the build system. The necessary changes are small and explained in the following sections. At the end of this chapter, it is described how the library is initialized, and how the requirements of the library are verified. @menu * Header:: * Version Check:: * Building the source:: @end menu @node Header @section Header All interfaces (data types and functions) of the library are defined in the header file @file{ksba.h}. You must include this in all programs using the library, either directly or through some other header file, like this: @smallexample #include @end smallexample The name space of `KSBA' is @code{ksba_*} for function names, @code{ksba*} for data types and @code{KSBA_*} for other symbols. In addition the same name prefixes with one prepended underscore are reserved for internal use and should never be used by an application. @node Version Check @section Version Check It is often desirable to check that the version of `KSBA' used is indeed one which fits all requirements. Even with binary compatibility, new features may have been introduced but through peculiarities of the runtime linker an old version gets actually used. So you better check that the version is as expected right after program startup. @deftypefun {const char *} ksba_check_version (@w{const char *@var{req_version}}) Check that the the version of the library is at minimum the one given as a string in @var{req_version} and return the actual version string of the library; return @code{NULL} if the condition is not met. If @code{NULL} is passed to this function, no check is done and only the version string is returned. It is a pretty good idea to run this function as soon as possible, because it may also initializes some subsystems. In a multi-threaded environment if should be called before any more threads are created. @end deftypefun @node Building the source @section Building the source If you want to compile a source file including the @file{ksba.h} header file, you must make sure that the compiler can find it in the directory hierarchy. This is accomplished by adding the path to the directory in which the header file is located to the compiler's include file search path (via the @option{-I} option). However, the path to the include file is determined at the time the source is configured. To solve this problem, `KSBA' ships with a small helper program @command{ksba-config} that knows about the path to the include file and other configuration options. The options that need to be added to the compiler invocation at compile time are output by the @option{--cflags} option of @command{ksba-config}. The following example shows how it can be used at the command line: @example gcc -c foo.c `ksba-config --cflags` @end example Adding the output of @samp{ksba-config --cflags} to the compiler's command line will ensure that the compiler can find the @file{ksba.h} header file. A similar problem occurs when linking the program with the library. Again, the compiler has to find the library files. For this to work, the path to the library files has to be added to the library search path (via the @option{-L} option). For this, the option @option{--libs} of @command{ksba-config} can be used. For convenience, this option also outputs all other options that are required to link the program with the `KSBA' libraries (in particular, the @samp{-lksba} option). The example shows how to link @file{foo.o} with the `KSBA' libraries to a program @command{foo}. @example gcc -o foo foo.o `ksba-config --libs` @end example Of course you can also combine both examples to a single command by specifying both options to @command{ksba-config}: @example gcc -o foo foo.c `ksba-config --cflags --libs` @end example @node Certificate Handling @chapter How to work with X.509 certificates. One of the most complex data formats are the X.509 certificates. @acronym{KSBA} provides an easy to use interface to handle them. @deftp {Data type} ksba_cert_t The @code{ksba_cert_t} type is a handle for an X.509 certificate. @end deftp @deftp {Data type} ksba_sexp_t The @code{ksba_sexp_t} type describes a canonically encoded S-expression stored in a memory buffer. It is alias for @code{unsigned char *}. Note that a length argument is not required because the length of such an S-expression is intrinsically available. @end deftp @menu * Creating certificates:: How to create a certificate object. * Retrieving attributes:: How to get the attributes of a certificate. * Setting attributes:: How to set certificates attributes. * User data:: How to associate other data with a certificate. @end menu @node Creating certificates @section How to create a certificate object This section explains how to create a certificate object, initialize it, copy it and eventually destroy it. @deftypefun ksba_cert_t ksba_cert_new (void) The function @code{ksba_cert_new} creates a new certificate object and returns a handle for it. The certificate object has initially one reference. The only reason why this function may fail is an out-of-memory condition in which case @code{NULL} is returned. You might then get the actual error code using @samp{gpg_error_from_errno (errno)}. @end deftypefun @deftypefun void ksba_cert_ref (@w{ksba_cert_t @var{cert}}) The function @code{ksba_cert_ref} bumps the reference counter of the certificate object up by one. Thus an extra @code{ksba_cert_release} is required to actually release the memory used for the object. @end deftypefun @deftypefun void ksba_cert_release (@w{ksba_cert_t @var{cert}}) The function @code{ksba_cert_release} reduces the number of references to the certificate object with the handle @var{cert}. If this was the last reference, it will also destroy the object and releases all associated resources. It is okay to pass @code{NULL} to the function in which case nothing happens. @end deftypefun @deftypefun gpg_error_t ksba_cert_read_der (@w{ksba_cert_t @var{cert}}, @w{ksba_reader_t @var{reader}}) Read the next certificate from the @var{reader} object and store it in the certificate object @var{cert} for future access. The certificate is parsed and rejected if it has any syntactical or semantical error (i.e. does not match the @acronym{ASN.1} description). The function returns @code{0} if the operation was successfully performed. An error code is returned on failure. @end deftypefun @deftypefun gpg_error_t ksba_cert_init_from_mem (@w{ksba_cert_t @var{cert}}, @w{const void *@var{buffer}}, @w{size_t @var{length}}) Parse the @var{buffer} which should contain a @acronym{DER} encoded certificate of @var{length} and initialize the certificate object @var{cert} with it. This function is intended as a convenience function to be used when a certificate is already available in a internal memory buffer. This avoids the extra code needed to setup the reader object. Note that @var{cert} must be a valid certificate object. The function returns @code{0} if the operation was successfully performed. An error code is returned on failure. @end deftypefun @node Retrieving attributes @section How to get the attributes of a certificate The functions in this section allow accessing the attributes of a certificate in a well defined manner. An error will be returned if the certificate object has not yet been initialized by means of @code{ksba_cert_read_der} or @code{ksba_cert_init_from_mem}. @deftypefun {const unsigned char *} ksba_cert_get_image (@w{ksba_cert_t @var{cert}}, @w{size_t *@var{r_length}}) This function returns a pointer to the @acronym{DER} encoded buffer with the raw certificate. The length of that buffer gets stored at @var{r_length}. This function is useful to export or store the raw certificate. The function returns @code{NULL} on error or a pointer to a buffer with the raw certificate data. That pointer is only valid as long as the certificate object @var{cert} is valid and has not been reinitialized. @end deftypefun @deftypefun gpg_error_t ksba_cert_hash (@w{ksba_cert_t @var{cert}}, @w{int @var{what}}, @w{void (*@var{hasher})(void *, const void *, size_t length)}, @w{void *@var{hasher_arg}}) This function feeds the data which is expected to be hashed into the supplied function @var{hasher}, where the first argument passed is @var{hasher_arg}, the second the pointer to the data to be hashed and the third the length of this data. The function returns @code{0} on success or an error code when something goes wrong. The @var{hasher} function is not expected to return an error; instead the caller should setup that function in a way to convey encountered errors by means of the @var{hasher_arg}. Note that a hash function is in general not expected to yield errors anyway. @end deftypefun @deftypefun {const char *} ksba_cert_get_digest_algo (@w{ksba_cert_t @var{cert}}) Figure out the the digest algorithm used for the signature and return its @acronym{OID} in dotted decimal format. This function is most likely used to setup the hash context before calling -@code{ksba_cert_hash}. Note that in the case of RSASSA-PSS the -returned value is the OID of rsaPSS (1.2.840.113549.1.1.10) and not -the OID of the digest algorithm to be used. In this case the digest -algorithm needs to be extracted from the S-expression returned by +@code{ksba_cert_hash}. For some certificate types the returned OID +has a special meaning: + +@table @code +@item 1.2.840.113549.1.1.10 +This indicates the RSASSA-PSS algorithm. The digest algorithm needs +to be extracted from the S-expression returned by @code{ksba_cert_get_sig_val}. +@item 1.3.101.112 +This is the Ed25519 algorithm which does not use a separate digest +algorithm. See RFC-8410. + +@item 1.3.101.112 +This is the Ed448 algorithm which does not use a separate digest +algorithm. See RFC-8410. + +@end table + The function returns @code{NULL} for an error; on success a constant string with the @acronym{OID} is returned. This string is valid as long the certificate object is valid. @end deftypefun @deftypefun ksba_sexp_t ksba_cert_get_serial (@w{ksba_cert_t @var{cert}}) The function returns the serial number of the certificate @var{cert}. The serial number is an integer returned as an canonical encoded S-expression with just one element. The caller must free the returned value. The value @code{NULL} is returned in case of error. @end deftypefun @deftypefun {char *} ksba_cert_get_issuer (@w{ksba_cert_t @var{cert}, int @var{idx}}) With @var{idx} given as @code{0}, this function returns the Distinguished Name (@acronym{DN}) of the certificate issuer; this usually is the name of a certification authority (@acronym{CA}). The format of the returned string is in accordance with RFC-2253. @code{NULL} is returned if the @acronym{DN} is not available; This is a severe error and actually should have been caught by the certificate reading function. With @var{idx} greater than zero, the function may be used to enumerate alternate issuer names. The function returns @code{NULL} when there are no more alternate names. Only alternate names recognized by @code{libksba} are returned, others are simply skipped. The format of the returned name is either a RFC-2253 formated string which can be detected by checking whether the first character is a letter or digit. RFC-822 conformant email addresses are returned enclosed in angle brackets; the opening angle bracket should be used to detect this. Other formats are returned as an S-Expression in canonical format, so a opening parenthesis should be used to detect this encoding. The name may include binary null characters, thus strlen may return a length shorter than actually used. The real length is implicitly given by the structure of the S-expression, an extra null is appended for safety reasons. The caller must free the returned string using @code{ksba_free} or whatever function has been registered as a replacement. @end deftypefun @deftypefun {char *} ksba_cert_get_subject (@w{ksba_cert_t @var{cert}, int @var{idx}}) With @var{idx} given as @code{0}, this function returns the Distinguished Name (@acronym{DN}) of the certificate's subject. The format of the returned string is in accordance with RFC-2253. @code{NULL} is returned if the @acronym{DN} is not available. With @var{idx} greater than zero, the function may be used to enumerate alternate subject names. The function returns @code{NULL} when there are no more alternate names. Only alternate names recognized by @code{libksba} are returned, others are simply skipped. The format of the returned name is either a RFC-2253 formated string which can be detected by checking whether the first character is a letter or digit. RFC-2822 conform email addresses are returned enclosed in angle brackets; the opening angle bracket should be used to detect this. Other formats are returned as an S-Expression in canonical format, so a opening parenthesis should be used to detect this encoding, the name may include binary null characters, thus strlen may return a length shorter than actually used. The real length is implicitly given by the structure of the S-expression, an extra null is appended for safety reasons. The caller must free the returned string using @code{ksba_free} or whatever function has been registered as a replacement. @end deftypefun @deftp {Data type} ksba_isotime_t Due to problems with the C data type @code{time_t}, which will overflow on most 32 bit machines in the year 2038, it was not advisable to use this type for referencing times stored in certificates. Instead, you should use the @code{ksba_isotime_t} type, which can represent any time since the year 0. It is implemented as a buffer of 16 bytes and may be handled like a standard string. It should be initialized to zero (i.e. the first byte needs to be 0x00) if it does not hold a valid date. Date values themselves are stored in ISO format and assumed to be referenced from UTC. The string with the date value is always guaranteed to be of length 15 and having a format like: @samp{"19610711T172059"}. Note that the `T' is required by ISO rules. A simple assignment of these data types is not a good idea. You may use @code{strcpy} or better a specialized function like: @example void copy_time (ksba_isotime_t d, const ksba_isotime_t s) @{ if (!*s) memset (d, 0, 16); else strcpy (d, s); @} @end example For reasons of documentation a special function should also be used to compare such times: @example int cmp_time (const ksba_isotime_t a, const ksba_isotime_t b) @{ return strcmp (a, b); @} @end example @end deftp @deftypefun gpg_error_t ksba_cert_get_validity (@w{ksba_cert_t @var{cert}, int @var{what}, ksba_isotime_t @var{timebuf}}) Return the validity dates from the certificate. If no value is available an empty date object (i.e. a @code{strlen} will be stored at @var{timebuf}, otherwise it will receive the date. On failure an error code is returned. To return the `notBefore' date, the value @code{0} must be supplied for @var{what}; @code{1} yields the `notAfter' value. @end deftypefun @deftypefun ksba_sexp_t ksba_cert_get_public_key (@w{ksba_cert_t @var{cert}}) @c {{{{ CONTINUE HERE }}}}}} @c !FIXME! [This needs to get written - for now please see libksba/src/cert.c] @end deftypefun @deftypefun ksba_sexp_t ksba_cert_get_sig_val (ksba_cert_t @var{cert}) @c !FIXME! [This needs to get written - for now please see libksba/src/cert.c] @end deftypefun @deftypefun gpg_error_t ksba_cert_get_extension (@w{ksba_cert_t @var{cert}, int @var{idx}, char const **@var{r_oid}, int *@var{r_crit}, size_t *@var{r_deroff}, size_t *@var{r_derlen}}) @c !FIXME! [This needs to get written - for now please see libksba/src/cert.c] @end deftypefun @deftypefun gpg_error_t ksba_cert_is_ca (@w{ksba_cert_t @var{cert}, int *@var{r_ca}, int *@var{r_pathlen}}) Return information on the basicConstraint (2.5.19.19) of CERT. R_CA receives true if this is a CA and only in that case R_PATHLEN is set to the maximum certification path length or -1 if there is no such limitation @end deftypefun @deftypefun gpg_error_t ksba_cert_get_key_usage (@w{ksba_cert_t @var{cert}, unsigned int *@var{r_flags}}) Get the key usage flags. The function returns @code{GPG_ERR_NO_DATA} if no key usage is specified. The usage flags are as shown in RFC3280, section 4.2.1.3. The key usage flags are represented by a bitmask, and you can test each bit using symbolic constants, which tells you if that usage is set on the certificate. The constants are @table @code @item KSBA_KEYUSAGE_DIGITAL_SIGNATURE Usable for digitalSignature. @item KSBA_KEYUSAGE_NON_REPUDIATION Usable for nonRepudiation. @item KSBA_KEYUSAGE_KEY_ENCIPHERMENT Usable for keyEncipherment. @item KSBA_KEYUSAGE_DATA_ENCIPHERMENT Usable for dataEncipherment. @item KSBA_KEYUSAGE_KEY_AGREEMENT Usable for for keyAgreement. @item KSBA_KEYUSAGE_KEY_CERT_SIGN Usable for keyCertSign. @item KSBA_KEYUSAGE_CRL_SIGN Usable for cRLSign. @item KSBA_KEYUSAGE_ENCIPHER_ONLY Usable for encipherOnly. @item KSBA_KEYUSAGE_DECIPHER_ONLY Usable for decipherOnly. @end table These are the basic constraints on usage of a certificate. If you need to get additional constraints, see @code{ksba_cert_get_ext_key_usages}. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_ext_key_usages (@w{ksba_cert_t @var{cert}, char **@var{result}}) Return a string containing the extended usages for the certificate, delimited by linefeeds. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_cert_policies (@w{ksba_cert_t @var{cert}, char **@var{r_policies}}) Return a string with the certificatePolicies delimited by linefeeds. The return values may be extended to carry more information per line, so the caller should only use the first white-space delimited token per line. The function returns @code{GPG_ERR_NO_DATA} when this extension is not used. Caller must free the returned value. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_crl_dist_point (@w{ksba_cert_t @var{cert}, int @var{idx}, ksba_name_t *@var{r_distpoint}, ksba_name_t *@var{r_issuer}, unsigned int *@var{r_reason}}) Return the CRLDistPoints given in the certificate extension of certificate @var{cert}. @var{idx} should be iterated starting from 0 until the function returns @code{GPG_ERR_EOF}. @var{r_distpoint} returns a ksba_name_t object with the distribution point name(s); the return value may be @code{NULL} to indicate that this name is not available. @var{r_issuer} returns the CRL issuer; if the returned value is @code{NULL} the caller should assume that the CRL issuer is the same as the certificate issuer. @var{r_reason} returns the reason for the CRL. This is a bit encoded value with no bit set if no reason has been specified in the certificate. The caller may pass @code{NULL} to any of the pointer arguments if he is not interested in this value. The return values for @var{r_distpoint} and @var{r_issuer} must be released by the caller using @code{ksba_name_release}. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_subj_key_id (@w{ksba_cert_t @var{cert}, int *@var{r_crit}, ksba_sexp_t *@var{r_keyid}}) Return the subjectKeyIdentifier extension as a simple allocated S-expression at the address of @var{r_keyid}. 0 is returned on success, @code{GPG_ERR_NO_DATA} if no such extension is available or any other error code. If @var{r_crit} is not passed as @code{NULL}, the critical flag of this is extension is stored at this address. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_auth_key_id (@w{ksba_cert_t @var{cert}, ksba_sexp_t *@var{r_keyid}, ksba_name_t *@var{r_name}, ksba_sexp_t *@var{r_serial}}) Return the authorityKeyIdentifier in @var{r_name} and @var{r_serial} or in @var{r_keyid}. @code{GPG_ERR_NO_DATA} is returned if no authorityKeyIdentifier has been found. This error code is also returned if @var{r_keyid} has been given as NULL and only an authorityKeyIdentifier with the keyIdentifier method is available. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_authority_info_access (@w{ksba_cert_t @var{cert}, int @var{idx}, char **@var{r_method}, ksba_name_t *@var{r_location}}) Return the authorityInfoAccess attributes. @var{idx} should be iterated starting from 0 until this function returns @code{GPG_ERR_EOF}. @var{r_method} returns an allocated string with the OID of one item and @var{r_location} returns the GeneralName for that OID. The returned values for @var{r_method} and @var{r_location} must be released by the caller unless the function returned an error; the function will however make sure that @var{r_method} and @var{r_location} will point to @code{NULL} if the function returns an error. See RFC-2459, section 4.2.2.1 for the definition of this attribute. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_subject_info_access (@w{ksba_cert_t @var{cert}, int @var{idx}, char **@var{r_method}, ksba_name_t *@var{r_location}}) Return the subjectInfoAccess attributes. @var{idx} should be iterated starting from 0 until this function returns @code{GPG_ERR_EOF}. @var{r_method} returns an allocated string with the OID of one item and @var{r_location} returns the GeneralName for that OID. The returned values for @var{r_method} and @var{r_location} must be released by the caller unless the function returned an error; the function will however make sure that @var{r_method} and @var{r_location} will point to @code{NULL} if the function returns an error. See RFC-2459, section 4.2.2.2 for the definition of this attribute. @end deftypefun @node Setting attributes @section How to set certificate attributes [This needs to be written. For example code see newpg/sm/sign.c] @node User data @section How to associate other data with a certificate. Certificate objects play a central role in many applications and often it is desirable to associate other data with the certificate to avoid wrapping the certificate object into an own object. `KSBA' provides a mechanism for this by means of two functions: @deftypefun gpg_error_t ksba_cert_set_user_data (@w{ksba_cert_t @var{cert}, const char *@var{key}, const void *@var{data}, size_t @var{datalen}}) Stores arbitrary data along with a certificate. The data is expected in the buffer @var{data} of length @var{datalen}. It will be stored under the string @var{key}. If data is already stored under this key it will be replaced by the new data. Using @code{NULL} for @var{data} will effectively delete the data. On error (i.e. out of memory) an already existing data object stored under @var{key} may get deleted. @strong{Caution:} This function is definitely not thread safe because we don't employ any locking mechanisms. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_user_data (@w{ksba_cert_t @var{cert},} @w{const char *@var{key},} @w{void *@var{buffer},} @w{size_t @var{bufferlen},} @w{size_t *@var{datalen}}) Return user data for certificate @var{cert} stored under the string @var{key}. The caller needs to provide a suitable large @var{buffer} and the usable length of this buffer in @var{bufferlen}. If @var{datalen} is not @code{NULL}, the length of the data stored in @var{buffer} will be stored there. If @var{buffer} is given as @code{NULL}, @var{bufferlen} will be ignored and the required length of the buffer will be returned at @var{datalen}. On success 0 is returned. If no data is stored under the given key, @code{GPG_ERR_NOT_FOUND} is returned. If the provided buffer is too short and @var{buffer} is not @code{NULL}, @code{GPG_ERR_BUFFER_TOO_SHORT} will be returned. @end deftypefun @node CMS @chapter Mastering the Cryptographic Message Syntax The @acronym{CMS} is also known under the name PKCS#7. Is is a cryptographic framework for securing data transactions and storage, much like OpenPGP. It is heavily based on X.509 semantics and for example used with the email encryption protocol S/MIME. @menu * CMS Basics:: * CMS Parser:: @end menu @node CMS Basics @section CMS Basics All operations with the CMS framework require the use of a so called CMS object which is internally used to keep track of the current state and to store some meta information. @deftp {Data type} ksba_cms_t The @code{ksba_cms_t} type is used for this CMS object. @end deftp @deftp {Data type} ksba_stop_reason_t The @code{ksba_stop_reason_t} type is an enumeration used for communication between the phases of a parsing or building process. @end deftp @deftypefun ksba_cms_t ksba_cms_new (void) This function creates a new CMS object. The only reason the function may fail is an out-of-memory condition in which case @code{NULL} is returned. It is safe for the caller to translate this to the standard error code @code{GPG_ERR_ENOMEM}. Any object created with this function should be released after use by using @code{ksba_cms_release}. @end deftypefun @deftypefun void ksba_cms_release (@w{ksba_cms_t @var{cms}}) Release all resources associated with the @var{CMS} object. It is perfectly okay to pass @code{NULL} to this function in which case nothing happens. @end deftypefun @deftypefun gpg_error_t ksba_cms_set_reader_writer (@w{ksba_cms_t @var{cms}, ksba_reader_t @var{r}, ksba_writer_t @var{w}}) About all usages of the CMS framework require some input and output data (great surprise!). To accomplish this in the most abstract way, no direct output functions are used - instead special reader and writer objects are used instead. Depending on the desired operations either a reader, a writer or both must be given. Associate a reader object with @var{cms} by passing it as @var{r} and a writer object by passing it as @var{w}. Note that no reference counting is done,so make sure that those objects have a lifetime at least as long as @var{CMS}. If you forget to set these objects, you will get an appropriate error later when data is actually to be read or written. The function returns zero on success or an error code when invalid objects are passed. @end deftypefun @node CMS Parser @section CMS Parser @acronym{KSBA} includes a versatile CMS parser for encryption (enveloped data) and digital signing. The parser is capable of handling arbitrary amounts of data without requiring much memory. Well, certain objects are build in memory because it can be assumed that those objects are limited in size; e.g. it does not make sense to use a video clip as the @acronym{DN} despite the fact that the standard does not forbid it. @deftypefun gpg_error_t ksba_cms_parse (@w{ksba_cms_t @var{cms}, ksba_stop_reason_t *@var{r_stopreason}}) This is the core function of the parser and commonly used in a loop. The parsing process is divided into several phases to allow the user to get information at the right time and prepare for further processing. The caller has to act on certain stop reasons which are returned by @var{r_stopreason} and set up things accordingly; @acronym{KSBA} may introduce new stop reasons to let the caller know other details; there is no need for the caller to act on every stop reason; it should only do so for reasons that the caller understands and which are mandatory. The function will return with an error if the caller did not setup things correctly for certain stop reasons. @end deftypefun The use of this function is best explained by an example, leaving out all error checking. @example do @{ ksba_cms_parse (cms, &stopreason); if (stopreason == KSBA_SR_BEGIN_DATA) @{ get_recipients (); decrypt_session_key (); setup_bulk_decryption (); @} else if (stopreason == KSBA_SR_END_DATA) @{ remove_padding (); @} @} while (stopreason != KSBA_SR_READY); @end example This function assumes that the parsed data is so called `enveloped data'. @c FIXME: Reference to a list of stop reasons used here. As @acronym{CMS} provides a common framework for a variety of data formats, it is probably very useful to check the type of that data very early. This can be accomplished by hooking into the stop reason @code{KSBA_SR_GOT_CONTENT} and retrieving the content using the following function. @deftypefun ksba_content_t ksba_cms_get_content_type (@w{ksba_cms_t @var{cms}, int @var{what}}) By using a value of @code{0} for @var{what} this function returns the content type of the outer container; using @code{1} does return the content type of the enclosed object. @deftp {Data type} ksba_content_t The @code{ksba_content_t} type is an enumeration used to describe the content of a CMS message. Here is a list of possible values: @table @code @item KSBA_CT_NONE No content type known (value @code{0}) @item KSBA_CT_DATA The content is plain data, not further interpreted. @item KSBA_CT_SIGNED_DATA The content is an signed CMS object. This also includes the case of a detached signature where no actual data is included in the message. @item KSBA_CT_ENVELOPED_DATA The content is encrypted using a session key. @item KSBA_CT_DIGESTED_DATA Not yet supported @item KSBA_CT_ENCRYPTED_DATA Not yet supported @item KSBA_CT_AUTH_DATA Not yet supported @end table @end deftp @end deftypefun @deftypefun {const char *} ksba_cms_get_content_oid (@w{ksba_cms_t @var{cms}, int @var{what}}) Return the object ID of @var{cms}. This is a constant string valid as long as the context is valid and no new parse is started. This function is similar to @code{ksba_cms_get_content_type} but returns the @acronym{OID} actually used in the data. Depending on the value of @var{what} different values are returned: Using a value of @code{0} yields the OID of the outer container, a value of @code{1} yields the OID of the inner container if available and the value @code{2} returns the OID of the algorithm used to encrypt the inner container. @end deftypefun @node CRLs @chapter Certification Revocation Lists KSBA also comes with an API to process certification revocation lists. The API is similar to the @acronym{CMS} one but returns the contents entry by entry. @node PKCS10 @chapter Certification Requests When using decentral generated keys, it is necessary to send out special formated messages so that a CA can generate the certificate. @node Utilities @chapter Utilities A few utility function and objects are available. Some of them must be used to support some of the main functions. @menu * Names:: General Names object * OIDs:: Object Identifier helpers * DNs:: Distinguished Name helpers @end menu @node Names @section General Names object This is an object to handle some of the names used in X.509. We need this object approach because those names may come as a set and there is no other clean way to access them. @deftp {Data type} ksba_name_t The @code{ksba_name_t} type is an object to represent names sets. @end deftp @deftypefun void ksba_name_release (@w{ksba_name_t @var{name}}) This function releases the object @var{name}. Passing @code{NULL} is allowed. @end deftypefun @deftypefun {const char *} ksba_name_enum (@w{ksba_name_t @var{name}, int @var{idx}}) By iterating @var{idx} up starting with 0, this function returns all General Names stored in @var{name}. The format of the returned name is either a RFC-2253 formated one which can be detected by checking whether the first character is letter or a digit. RFC 2822 conformant email addresses are returned enclosed in angle brackets, the opening angle bracket should be used to detect this. Other formats are returned as an S-Expression in canonical format, so an opening parenthesis may be used to detect this encoding, in this case the name may include binary null characters, so strlen might return a length shorter than actually used, the real length is implicitly given by the structure of the S-Exp, an extra null is appended for safety reasons. One common format return is a Universal Resource Identifier which has the S-expression: @samp{(uri )}. The returned string has the same lifetime as @var{name}. @end deftypefun @deftypefun {char *} ksba_name_get_uri (@w{ksba_name_t @var{name}, int @var{idx}}) Convenience function to return names representing an URI. Caller must free the returned value. Note that this function should not be used to enumerate the names. Here is an example on how you can use this function to enumerate all @acronym{URI}s: @example void print_names (ksba_name_t name) @{ int idx; const char *s; for (idx=0; (s = ksba_name_enum (name, idx)); idx++) @{ char *p = ksba_name_get_uri (name, idx); if (p) @{ puts (p); ksba_free (p); @} @} @} @end example @end deftypefun @node OIDs @section Object Identifier helpers @c !FIXME! [This needs to get written - for now please see libksba/src/oids.c] @node DNs @section Distinguished Name helpers These are helper functions for the so called distinguished names. They are used for example as the issuer and subject name. @deftypefun gpg_error_t ksba_dn_teststr (@w{const char *@var{string}}, @w{int @var{seq}}, @w{size_t *@var{rerroff}}, @w{size_t *@var{rerrlen}}) Assuming that @var{string} contains an RFC-2253 encoded string, test whether this string may be passed as a valid DN to libksba. On success the functions returns @code{0}. On error the function returns an error code and stores the offset of the erroneous part at @var{rerroff}. @var{rerrlen} will then receive the length of the erroneous part. This function is mostly useful to test whether a certain component label is supported. @var{seq} should be passed as @code{0} for now. Any of @var{rerroff} and @var{rerrlen} may be passed as @var{NULL} if the caller is not interested at this value. @end deftypefun gpg_error_t ksba_dn_str2der (const char *string, void **rder, size_t *rderlen); gpg_error_t ksba_dn_der2str (const void *der, size_t derlen, char **r_string); @node Error Handling @chapter Error Handling Most functions in `KSBA' will return an error if they fail. For this reason, the application should always catch the error condition and take appropriate measures, for example by releasing the resources and passing the error up to the caller, or by displaying a descriptive message to the user and canceling the operation. Some error values do not indicate a system error or an error in the operation, but the reasonable result of an operation. For example, if you try to access optional attributes of a certificate that are not present, you get an appropriate error message. Some error values have specific meanings if returned by a specific function. Such cases are described in the documentation of those functions. All error codes are defined by the library @code{libgpg-error}. See there for ways to check the error values and print descriptive strings. Please be aware that you can't check directly against an error code but have to do it like this: @example err = ksba_foo (); if (gpg_err_code (err) == GPG_ERR_EOF) okay = 1; @end example The only exception is that success (i.e. no error) is defined to be @code{0}; thus you may directly test for success like: @example if (!ksba_foo ()) okay = 1; @end example @c The following table lists the error codes as used by this library. @c @c @table @code @c @c @end table @c @node Component Labels @appendix Component Labels RFC-2253 defines the following table with string representations of name components: @multitable {SERIALNUMBER} {organizationalUnit} {xxx} @item Label @tab Component @tab OID @item @item C @tab countryName @tab 2.5.4.6 @item CN @tab commonName @tab 2.5.4.3 @item DC @tab domainComponent @tab 0.9.2342.19200300.100.1.25 @item L @tab localityName @tab 2.5.4.7 @item O @tab organizationName @tab 2.5.4.10 @item OU @tab organizationalUnit @tab 2.5.4.11 @item ST @tab stateOrProvince @tab 2.5.4.8 @item STREET @tab streetAddress @tab 2.5.4.9 @item UID @tab userid @tab 0.9.2342.19200300.100.1.1 @end multitable They are used internally for converting a DN into its string representation; components not listed in this table will be represented by their OID. For the other direction, i.e. creating a DN from the string representation, KSBA recognizes the following extra labels: @multitable {SERIALNUMBER} {organizationalUnit} {xxx} @item Label @tab Component @tab OID @item @item ADDR @tab postalAddress @tab 2.5.4.16 @item BC @tab businessCategory @tab 2.5.4.15 @item D @tab description @tab 2.5.4.13 @item EMAIL @tab emailAddress @tab 1.2.840.113549.1.9.1 @item GN @tab givenName @tab 2.5.4.42 @item POSTALCODE @tab postalCode @tab 2.5.4.17 @item PSEUDO @tab pseudonym @tab 2.5.4.65 @item SERIALNUMBER @tab serialNumber @tab 2.5.4.5 @item SN @tab surname @tab 2.5.4.4 @item T @tab title @tab 2.5.4.12 @end multitable @include gpl.texi @node Concept Index @unnumbered Concept Index @printindex cp @node Function and Data Index @unnumbered Function and Data Index @printindex fn @bye Old Information which might not be correct anymore: --------------------------------------------------- KSBA provides these subsystems: * ASN.1 Parser (ksba_asn_*) KSBA provides a simple ASN.1 parser which can be used to read definitions directly from an ASN.1 module without the need of generating extra tables. For ease of maintenance it also comes with a tool to create static data structures to avoid that overhead and the need to include ASN.1 modules. The primary goal of this parser is to provide the ASN.1 syntax tree to be used by other library modules. * BER Decoder (ksba_ber_decoder_*) This is a decoder for the ASN.1 Basic Encoding Rules with a facility to detect valid DER encoding (DER is a subset of BER). By using thresholds and pre-registered callout function it is possible to work on indefinite length data stream and limiting the memory usage to a fixed upper bound. * BER Encoder (ksba_ber_encoder_*) This is the counterpart to the DER Decoder with the ability to restrict the encoding to DER. * Certificate Handling (ksba_cert_*) The main bulk of the provided functions are used to give a clean interface to X.509 certificates by translating X.509 data types to more standard data types. * CMS Handling (ksba_cms_*) The Cryptographic Message Syntax is the core data type for S/MIME and therefore KSBA provides an interface to parse and create these objects without the need to cope with ASN.1. * Reader and Writer (ksba_reader_*, ksba_writer_*) Abstraction objects to access memory areas, files or file descriptor. diff --git a/src/keyinfo.c b/src/keyinfo.c index 40c4704..3dc0f34 100644 --- a/src/keyinfo.c +++ b/src/keyinfo.c @@ -1,2007 +1,2033 @@ /* keyinfo.c - Parse and build a keyInfo structure * Copyright (C) 2001, 2002, 2007, 2008, 2012 g10 Code GmbH * * This file is part of KSBA. * * KSBA is free software; you can redistribute it and/or modify * it under the terms of either * * - the GNU Lesser General Public License as published by the Free * Software Foundation; either version 3 of the License, or (at * your option) any later version. * * or * * - the GNU General Public License as published by the Free * Software Foundation; either version 2 of the License, or (at * your option) any later version. * * or both in parallel, as here. * * KSBA is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public * License for more details. * * You should have received a copies of the GNU General Public License * and the GNU Lesser General Public License along with this program; * if not, see . */ /* Instead of using the ASN parser - which is easily possible - we use a simple handcoded one to speed up the operation and to make it more robust. */ #include #include #include #include #include #include "util.h" #include "asn1-func.h" #include "keyinfo.h" #include "shared.h" #include "convert.h" #include "ber-help.h" #include "sexp-parse.h" #include "stringbuf.h" /* Constants used for the public key algorithms. */ typedef enum { PKALGO_RSA, PKALGO_DSA, PKALGO_ECC, PKALGO_X25519, PKALGO_X448, PKALGO_ED25519, PKALGO_ED448 } pkalgo_t; struct algo_table_s { const char *oidstring; const unsigned char *oid; /* NULL indicattes end of table */ int oidlen; int supported; /* Values > 1 are also used to indicate hacks. */ pkalgo_t pkalgo; const char *algo_string; const char *elem_string; /* parameter name or '-' */ const char *ctrl_string; /* expected tag values (value > 127 are raw data)*/ const char *parmelem_string; /* parameter name or '-'. */ const char *parmctrl_string; /* expected tag values. */ const char *digest_string; /* The digest algo if included in the OID. */ }; /* Special values for the supported field. */ #define SUPPORTED_RSAPSS 2 static const struct algo_table_s pk_algo_table[] = { { /* iso.member-body.us.rsadsi.pkcs.pkcs-1.1 */ "1.2.840.113549.1.1.1", /* rsaEncryption (RSAES-PKCA1-v1.5) */ "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", 9, 1, PKALGO_RSA, "rsa", "-ne", "\x30\x02\x02" }, { /* iso.member-body.us.rsadsi.pkcs.pkcs-1.7 */ "1.2.840.113549.1.1.7", /* RSAES-OAEP */ "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x07", 9, 0, PKALGO_RSA, "rsa", "-ne", "\x30\x02\x02"}, { /* iso.member-body.us.rsadsi.pkcs.pkcs-1.10 */ "1.2.840.113549.1.1.10", /* rsaPSS */ "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a", 9, SUPPORTED_RSAPSS, PKALGO_RSA, "rsa", "-ne", "\x30\x02\x02"}, { /* */ "2.5.8.1.1", /* rsa (ambiguous due to missing padding rules)*/ "\x55\x08\x01\x01", 4, 1, PKALGO_RSA, "ambiguous-rsa", "-ne", "\x30\x02\x02" }, { /* iso.member-body.us.x9-57.x9cm.1 */ "1.2.840.10040.4.1", /* dsa */ "\x2a\x86\x48\xce\x38\x04\x01", 7, 1, PKALGO_DSA, "dsa", "y", "\x02", "-pqg", "\x30\x02\x02\x02" }, { /* iso.member-body.us.ansi-x9-62.2.1 */ "1.2.840.10045.2.1", /* ecPublicKey */ "\x2a\x86\x48\xce\x3d\x02\x01", 7, 1, PKALGO_ECC, "ecc", "q", "\x80" }, { /* iso.identified-organization.thawte.110 */ "1.3.101.110", /* X25519 */ "\x2b\x65\x6e", 3, 1, PKALGO_X25519, "ecc", "q", "\x80" }, { /* iso.identified-organization.thawte.111 */ "1.3.101.111", /* X448 */ "\x2b\x65\x6f", 3, 1, PKALGO_X448, "ecc", "q", "\x80" }, { /* iso.identified-organization.thawte.112 */ "1.3.101.112", /* Ed25519 */ "\x2b\x65\x70", 3, 1, PKALGO_ED25519, "ecc", "q", "\x80" }, { /* iso.identified-organization.thawte.113 */ "1.3.101.113", /* Ed448 */ "\x2b\x65\x71", 3, 1, PKALGO_ED448, "ecc", "q", "\x80" }, {NULL} }; static const struct algo_table_s sig_algo_table[] = { { /* iso.member-body.us.rsadsi.pkcs.pkcs-1.5 */ "1.2.840.113549.1.1.5", /* sha1WithRSAEncryption */ "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05", 9, 1, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "sha1" }, { /* iso.member-body.us.rsadsi.pkcs.pkcs-1.4 */ "1.2.840.113549.1.1.4", /* md5WithRSAEncryption */ "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04", 9, 1, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "md5" }, { /* iso.member-body.us.rsadsi.pkcs.pkcs-1.2 */ "1.2.840.113549.1.1.2", /* md2WithRSAEncryption */ "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02", 9, 0, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "md2" }, { /* iso.member-body.us.x9-57.x9cm.1 */ "1.2.840.10040.4.3", /* dsa */ "\x2a\x86\x48\xce\x38\x04\x01", 7, 1, PKALGO_DSA, "dsa", "-rs", "\x30\x02\x02" }, { /* iso.member-body.us.x9-57.x9cm.3 */ "1.2.840.10040.4.3", /* dsaWithSha1 */ "\x2a\x86\x48\xce\x38\x04\x03", 7, 1, PKALGO_DSA, "dsa", "-rs", "\x30\x02\x02", NULL, NULL, "sha1" }, { /* Teletrust signature algorithm. */ "1.3.36.8.5.1.2.2", /* dsaWithRIPEMD160 */ "\x2b\x24\x08\x05\x01\x02\x02", 7, 1, PKALGO_DSA, "dsa", "-rs", "\x30\x02\x02", NULL, NULL, "rmd160" }, { /* NIST Algorithm */ "2.16.840.1.101.3.4.3.1", /* dsaWithSha224 */ "\x06\x09\x60\x86\x48\x01\x65\x03\x04\x03\x01", 11, 1, PKALGO_DSA, "dsa", "-rs", "\x30\x02\x02", NULL, NULL, "sha224" }, { /* NIST Algorithm (the draft also used .1 but we better use .2) */ "2.16.840.1.101.3.4.3.2", /* dsaWithSha256 */ "\x06\x09\x60\x86\x48\x01\x65\x03\x04\x03\x01", 11, 1, PKALGO_DSA, "dsa", "-rs", "\x30\x02\x02", NULL, NULL, "sha256" }, { /* iso.member-body.us.ansi-x9-62.signatures.ecdsa-with-sha1 */ "1.2.840.10045.4.1", /* ecdsa */ "\x2a\x86\x48\xce\x3d\x04\x01", 7, 1, PKALGO_ECC, "ecdsa", "-rs", "\x30\x02\x02", NULL, NULL, "sha1" }, { /* iso.member-body.us.ansi-x9-62.signatures.ecdsa-with-specified */ "1.2.840.10045.4.3", "\x2a\x86\x48\xce\x3d\x04\x03", 7, 1, PKALGO_ECC, "ecdsa", "-rs", "\x30\x02\x02", NULL, NULL, NULL }, /* The digest algorithm is given by the parameter. */ { /* iso.member-body.us.ansi-x9-62.signatures.ecdsa-with-sha224 */ "1.2.840.10045.4.3.1", "\x2a\x86\x48\xce\x3d\x04\x03\x01", 8, 1, PKALGO_ECC, "ecdsa", "-rs", "\x30\x02\x02", NULL, NULL, "sha224" }, { /* iso.member-body.us.ansi-x9-62.signatures.ecdsa-with-sha256 */ "1.2.840.10045.4.3.2", "\x2a\x86\x48\xce\x3d\x04\x03\x02", 8, 1, PKALGO_ECC, "ecdsa", "-rs", "\x30\x02\x02", NULL, NULL, "sha256" }, { /* iso.member-body.us.ansi-x9-62.signatures.ecdsa-with-sha384 */ "1.2.840.10045.4.3.3", "\x2a\x86\x48\xce\x3d\x04\x03\x03", 8, 1, PKALGO_ECC, "ecdsa", "-rs", "\x30\x02\x02", NULL, NULL, "sha384" }, { /* iso.member-body.us.ansi-x9-62.signatures.ecdsa-with-sha512 */ "1.2.840.10045.4.3.4", "\x2a\x86\x48\xce\x3d\x04\x03\x04", 8, 1, PKALGO_ECC, "ecdsa", "-rs", "\x30\x02\x02", NULL, NULL, "sha512" }, { /* iso.member-body.us.rsadsi.pkcs.pkcs-1.1 */ "1.2.840.113549.1.1.1", /* rsaEncryption used without hash algo*/ "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", 9, 1, PKALGO_RSA, "rsa", "s", "\x82" }, { /* from NIST's OIW - actually belongs in a pure hash table */ "1.3.14.3.2.26", /* sha1 */ "\x2B\x0E\x03\x02\x1A", 5, 0, PKALGO_RSA, "sha-1", "", "", NULL, NULL, "sha1" }, { /* As used by telesec cards */ "1.3.36.3.3.1.2", /* rsaSignatureWithripemd160 */ "\x2b\x24\x03\x03\x01\x02", 6, 1, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "rmd160" }, { /* from NIST's OIW - used by TU Darmstadt */ "1.3.14.3.2.29", /* sha-1WithRSAEncryption */ "\x2B\x0E\x03\x02\x1D", 5, 1, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "sha1" }, { /* from PKCS#1 */ "1.2.840.113549.1.1.11", /* sha256WithRSAEncryption */ "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b", 9, 1, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "sha256" }, { /* from PKCS#1 */ "1.2.840.113549.1.1.12", /* sha384WithRSAEncryption */ "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0c", 9, 1, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "sha384" }, { /* from PKCS#1 */ "1.2.840.113549.1.1.13", /* sha512WithRSAEncryption */ "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0d", 9, 1, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "sha512" }, { /* iso.member-body.us.rsadsi.pkcs.pkcs-1.10 */ "1.2.840.113549.1.1.10", /* rsaPSS */ "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a", 9, SUPPORTED_RSAPSS, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, NULL}, { /* TeleTrust signature scheme with RSA signature and DSI according to ISO/IEC 9796-2 with random number and RIPEMD-160. I am not sure for what this is good; thus disabled. */ "1.3.36.3.4.3.2.2", /* sigS_ISO9796-2rndWithrsa_ripemd160 */ "\x2B\x24\x03\x04\x03\x02\x02", 7, 0, PKALGO_RSA, "rsa", "s", "\x82", NULL, NULL, "rmd160" }, { /* iso.identified-organization.thawte.112 */ "1.3.101.112", /* Ed25519 */ "\x2b\x65\x70", 3, - 1, PKALGO_ED25519, "eddsa", "-rs", "\x80", NULL, NULL, NULL }, + 1, PKALGO_ED25519, "eddsa", "", "", NULL, NULL, NULL }, { /* iso.identified-organization.thawte.113 */ "1.3.101.113", /* Ed448 */ "\x2b\x65\x71", 3, - 1, PKALGO_ED448, "eddsa", "-rs", "\x80", NULL, NULL, NULL }, + 1, PKALGO_ED448, "eddsa", "", "", NULL, NULL, NULL }, {NULL} }; static const struct algo_table_s enc_algo_table[] = { {/* iso.member-body.us.rsadsi.pkcs.pkcs-1.1 */ "1.2.840.113549.1.1.1", /* rsaEncryption (RSAES-PKCA1-v1.5) */ "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01", 9, 1, PKALGO_RSA, "rsa", "a", "\x82" }, {/* iso.member-body.us.ansi-x9-62.2.1 */ "1.2.840.10045.2.1", /* ecPublicKey */ "\x2a\x86\x48\xce\x3d\x02\x01", 7, 1, PKALGO_ECC, "ecdh", "e", "\x80" }, {NULL} }; /* This tables maps names of ECC curves names to OIDs. A similar table is used by Libgcrypt. */ static const struct { const char *oid; const char *name; } curve_names[] = { { "1.3.6.1.4.1.3029.1.5.1", "Curve25519" }, { "1.3.6.1.4.1.11591.15.1", "Ed25519" }, { "1.2.840.10045.3.1.1", "NIST P-192" }, { "1.2.840.10045.3.1.1", "nistp192" }, { "1.2.840.10045.3.1.1", "prime192v1" }, { "1.2.840.10045.3.1.1", "secp192r1" }, { "1.3.132.0.33", "NIST P-224" }, { "1.3.132.0.33", "nistp224" }, { "1.3.132.0.33", "secp224r1" }, { "1.2.840.10045.3.1.7", "NIST P-256" }, { "1.2.840.10045.3.1.7", "nistp256" }, { "1.2.840.10045.3.1.7", "prime256v1" }, { "1.2.840.10045.3.1.7", "secp256r1" }, { "1.3.132.0.34", "NIST P-384" }, { "1.3.132.0.34", "nistp384" }, { "1.3.132.0.34", "secp384r1" }, { "1.3.132.0.35", "NIST P-521" }, { "1.3.132.0.35", "nistp521" }, { "1.3.132.0.35", "secp521r1" }, { "1.3.36.3.3.2.8.1.1.1" , "brainpoolP160r1" }, { "1.3.36.3.3.2.8.1.1.3" , "brainpoolP192r1" }, { "1.3.36.3.3.2.8.1.1.5" , "brainpoolP224r1" }, { "1.3.36.3.3.2.8.1.1.7" , "brainpoolP256r1" }, { "1.3.36.3.3.2.8.1.1.9" , "brainpoolP320r1" }, { "1.3.36.3.3.2.8.1.1.11", "brainpoolP384r1" }, { "1.3.36.3.3.2.8.1.1.13", "brainpoolP512r1" }, { "1.2.643.2.2.35.1", "GOST2001-CryptoPro-A" }, { "1.2.643.2.2.35.2", "GOST2001-CryptoPro-B" }, { "1.2.643.2.2.35.3", "GOST2001-CryptoPro-C" }, { "1.2.643.7.1.2.1.2.1", "GOST2012-tc26-A" }, { "1.2.643.7.1.2.1.2.2", "GOST2012-tc26-B" }, { "1.3.132.0.10", "secp256k1" }, { NULL, NULL} }; #define TLV_LENGTH(prefix) do { \ if (!prefix ## len) \ return gpg_error (GPG_ERR_INV_KEYINFO); \ c = *(prefix)++; prefix ## len--; \ if (c == 0x80) \ return gpg_error (GPG_ERR_NOT_DER_ENCODED); \ if (c == 0xff) \ return gpg_error (GPG_ERR_BAD_BER); \ \ if ( !(c & 0x80) ) \ len = c; \ else \ { \ int count = c & 0x7f; \ \ for (len=0; count; count--) \ { \ len <<= 8; \ if (!prefix ## len) \ return gpg_error (GPG_ERR_BAD_BER);\ c = *(prefix)++; prefix ## len--; \ len |= c & 0xff; \ } \ } \ if (len > prefix ## len) \ return gpg_error (GPG_ERR_INV_KEYINFO); \ } while (0) /* Given a string BUF of length BUFLEN with either the name of an ECC curve or its OID in dotted form return the DER encoding of the OID. The caller must free the result. On error NULL is returned. */ static unsigned char * get_ecc_curve_oid (const unsigned char *buf, size_t buflen, size_t *r_oidlen) { unsigned char *der_oid; /* Skip an optional "oid." prefix. */ if (buflen > 4 && buf[3] == '.' && digitp (buf+4) && ((buf[0] == 'o' && buf[1] == 'i' && buf[2] == 'd') ||(buf[0] == 'O' && buf[1] == 'I' && buf[2] == 'D'))) { buf += 4; buflen -= 4; } /* If it does not look like an OID - map it through the table. */ if (buflen && !digitp (buf)) { int i; for (i=0; curve_names[i].oid; i++) if (buflen == strlen (curve_names[i].name) && !memcmp (buf, curve_names[i].name, buflen)) break; if (!curve_names[i].oid) return NULL; /* Not found. */ buf = curve_names[i].oid; buflen = strlen (curve_names[i].oid); } if (_ksba_oid_from_buf (buf, buflen, &der_oid, r_oidlen)) return NULL; return der_oid; } /* Return the OFF and the LEN of algorithm within DER. Do some checks and return the number of bytes read in r_nread, adding this to der does point into the BIT STRING. mode 0: just get the algorithm identifier. FIXME: should be able to handle BER Encoding. mode 1: as described. */ static gpg_error_t get_algorithm (int mode, const unsigned char *der, size_t derlen, size_t *r_nread, size_t *r_pos, size_t *r_len, int *r_bitstr, size_t *r_parm_pos, size_t *r_parm_len, int *r_parm_type) { int c; const unsigned char *start = der; const unsigned char *startseq; unsigned long seqlen, len; *r_bitstr = 0; if (r_parm_pos) *r_parm_pos = 0; if (r_parm_len) *r_parm_len = 0; if (r_parm_type) *r_parm_type = 0; /* get the inner sequence */ if (!derlen) return gpg_error (GPG_ERR_INV_KEYINFO); c = *der++; derlen--; if ( c != 0x30 ) return gpg_error (GPG_ERR_UNEXPECTED_TAG); /* not a SEQUENCE */ TLV_LENGTH(der); seqlen = len; startseq = der; /* get the object identifier */ if (!derlen) return gpg_error (GPG_ERR_INV_KEYINFO); c = *der++; derlen--; if ( c != 0x06 ) return gpg_error (GPG_ERR_UNEXPECTED_TAG); /* not an OBJECT IDENTIFIER */ TLV_LENGTH(der); /* der does now point to an oid of length LEN */ *r_pos = der - start; *r_len = len; der += len; derlen -= len; seqlen -= der - startseq;; /* Parse the parameter. */ if (seqlen) { const unsigned char *startparm = der; if (!derlen) return gpg_error (GPG_ERR_INV_KEYINFO); c = *der++; derlen--; if ( c == 0x05 ) { /* gpgrt_log_debug ("%s: parameter: NULL \n", __func__); */ if (!derlen) return gpg_error (GPG_ERR_INV_KEYINFO); c = *der++; derlen--; if (c) return gpg_error (GPG_ERR_BAD_BER); /* NULL must have a length of 0 */ seqlen -= 2; } else if (r_parm_pos && r_parm_len && c == 0x04) { /* This is an octet string parameter and we need it. */ if (r_parm_type) *r_parm_type = TYPE_OCTET_STRING; TLV_LENGTH(der); *r_parm_pos = der - start; *r_parm_len = len; seqlen -= der - startparm; der += len; derlen -= len; seqlen -= len; } else if (r_parm_pos && r_parm_len && c == 0x06) { /* This is an object identifier. */ if (r_parm_type) *r_parm_type = TYPE_OBJECT_ID; TLV_LENGTH(der); *r_parm_pos = der - start; *r_parm_len = len; seqlen -= der - startparm; der += len; derlen -= len; seqlen -= len; } else if (r_parm_pos && r_parm_len && c == 0x30) { /* This is a sequence. */ if (r_parm_type) *r_parm_type = TYPE_SEQUENCE; TLV_LENGTH(der); *r_parm_pos = startparm - start; *r_parm_len = len + (der - startparm); seqlen -= der - startparm; der += len; derlen -= len; seqlen -= len; } else { /* printf ("parameter: with tag %02x - ignored\n", c); */ TLV_LENGTH(der); seqlen -= der - startparm; /* skip the value */ der += len; derlen -= len; seqlen -= len; } } if (seqlen) return gpg_error (GPG_ERR_INV_KEYINFO); if (mode) { /* move forward to the BIT_STR */ if (!derlen) return gpg_error (GPG_ERR_INV_KEYINFO); c = *der++; derlen--; if (c == 0x03) *r_bitstr = 1; /* BIT STRING */ else if (c == 0x04) ; /* OCTECT STRING */ else return gpg_error (GPG_ERR_UNEXPECTED_TAG); /* not a BIT STRING */ TLV_LENGTH(der); } *r_nread = der - start; return 0; } gpg_error_t _ksba_parse_algorithm_identifier (const unsigned char *der, size_t derlen, size_t *r_nread, char **r_oid) { return _ksba_parse_algorithm_identifier2 (der, derlen, r_nread, r_oid, NULL, NULL); } /* Note that R_NREAD, R_PARM, and R_PARMLEN are optional. */ gpg_error_t _ksba_parse_algorithm_identifier2 (const unsigned char *der, size_t derlen, size_t *r_nread, char **r_oid, char **r_parm, size_t *r_parmlen) { gpg_error_t err; int is_bitstr; size_t nread, off, len, off2, len2; int parm_type; /* fixme: get_algorithm might return the error invalid keyinfo - this should be invalid algorithm identifier */ *r_oid = NULL; if (r_nread) *r_nread = 0; off2 = len2 = 0; err = get_algorithm (0, der, derlen, &nread, &off, &len, &is_bitstr, &off2, &len2, &parm_type); if (err) return err; if (r_nread) *r_nread = nread; *r_oid = ksba_oid_to_str (der+off, len); if (!*r_oid) return gpg_error (GPG_ERR_ENOMEM); /* Special hack for ecdsaWithSpecified. We replace the returned OID by the one in the parameter. */ if (off2 && len2 && parm_type == TYPE_SEQUENCE && !strcmp (*r_oid, "1.2.840.10045.4.3")) { xfree (*r_oid); *r_oid = NULL; err = get_algorithm (0, der+off2, len2, &nread, &off, &len, &is_bitstr, NULL, NULL, NULL); if (err) { if (r_nread) *r_nread = 0; return err; } *r_oid = ksba_oid_to_str (der+off2+off, len); if (!*r_oid) { if (r_nread) *r_nread = 0; return gpg_error (GPG_ERR_ENOMEM); } off2 = len2 = 0; /* So that R_PARM is set to NULL. */ } if (r_parm && r_parmlen) { if (off2 && len2) { *r_parm = xtrymalloc (len2); if (!*r_parm) { xfree (*r_oid); *r_oid = NULL; return gpg_error (GPG_ERR_ENOMEM); } memcpy (*r_parm, der+off2, len2); *r_parmlen = len2; } else { *r_parm = NULL; *r_parmlen = 0; } } return 0; } /* Assume that der is a buffer of length DERLEN with a DER encoded ASN.1 structure like this: keyInfo ::= SEQUENCE { SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } publicKey BIT STRING } The function parses this structure and create a SEXP suitable to be used as a public key in Libgcrypt. The S-Exp will be returned in a string which the caller must free. We don't pass an ASN.1 node here but a plain memory block. */ gpg_error_t _ksba_keyinfo_to_sexp (const unsigned char *der, size_t derlen, ksba_sexp_t *r_string) { gpg_error_t err; int c; size_t nread, off, len, parm_off, parm_len; int parm_type; char *parm_oid = NULL; int algoidx; int is_bitstr; const unsigned char *parmder = NULL; size_t parmderlen = 0; const unsigned char *ctrl; const char *elem; struct stringbuf sb; *r_string = NULL; /* check the outer sequence */ if (!derlen) return gpg_error (GPG_ERR_INV_KEYINFO); c = *der++; derlen--; if ( c != 0x30 ) return gpg_error (GPG_ERR_UNEXPECTED_TAG); /* not a SEQUENCE */ TLV_LENGTH(der); /* and now the inner part */ err = get_algorithm (1, der, derlen, &nread, &off, &len, &is_bitstr, &parm_off, &parm_len, &parm_type); if (err) return err; /* look into our table of supported algorithms */ for (algoidx=0; pk_algo_table[algoidx].oid; algoidx++) { if ( len == pk_algo_table[algoidx].oidlen && !memcmp (der+off, pk_algo_table[algoidx].oid, len)) break; } if (!pk_algo_table[algoidx].oid) return gpg_error (GPG_ERR_UNKNOWN_ALGORITHM); if (!pk_algo_table[algoidx].supported) return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); if (parm_off && parm_len && parm_type == TYPE_OBJECT_ID) parm_oid = ksba_oid_to_str (der+parm_off, parm_len); else if (parm_off && parm_len) { parmder = der + parm_off; parmderlen = parm_len; } der += nread; derlen -= nread; if (is_bitstr) { /* Funny: X.509 defines the signature value as a bit string but CMS as an octet string - for ease of implementation we always allow both */ if (!derlen) { xfree (parm_oid); return gpg_error (GPG_ERR_INV_KEYINFO); } c = *der++; derlen--; if (c) fprintf (stderr, "warning: number of unused bits is not zero\n"); } /* fixme: we should calculate the initial length form the size of the sequence, so that we don't need a realloc later */ init_stringbuf (&sb, 100); put_stringbuf (&sb, "(10:public-key("); /* fixme: we can also use the oidstring here and prefix it with "oid." - this way we can pass more information into Libgcrypt or whatever library is used */ put_stringbuf_sexp (&sb, pk_algo_table[algoidx].algo_string); /* Insert the curve name for ECC. */ if (pk_algo_table[algoidx].pkalgo == PKALGO_ECC && parm_oid) { put_stringbuf (&sb, "("); put_stringbuf_sexp (&sb, "curve"); put_stringbuf_sexp (&sb, parm_oid); put_stringbuf (&sb, ")"); } + else if (pk_algo_table[algoidx].pkalgo == PKALGO_ED25519 + || pk_algo_table[algoidx].pkalgo == PKALGO_ED448 + || pk_algo_table[algoidx].pkalgo == PKALGO_X25519 + || pk_algo_table[algoidx].pkalgo == PKALGO_X448) + { + put_stringbuf (&sb, "("); + put_stringbuf_sexp (&sb, "curve"); + put_stringbuf_sexp (&sb, pk_algo_table[algoidx].oidstring); + put_stringbuf (&sb, ")"); + } /* If parameters are given and we have a description for them, parse them. */ if (parmder && parmderlen && pk_algo_table[algoidx].parmelem_string && pk_algo_table[algoidx].parmctrl_string) { elem = pk_algo_table[algoidx].parmelem_string; ctrl = pk_algo_table[algoidx].parmctrl_string; for (; *elem; ctrl++, elem++) { int is_int; if ( (*ctrl & 0x80) && !elem[1] ) { /* Hack to allow reading a raw value. */ is_int = 1; len = parmderlen; } else { if (!parmderlen) { xfree (parm_oid); return gpg_error (GPG_ERR_INV_KEYINFO); } c = *parmder++; parmderlen--; if ( c != *ctrl ) { xfree (parm_oid); return gpg_error (GPG_ERR_UNEXPECTED_TAG); } is_int = c == 0x02; TLV_LENGTH (parmder); } if (is_int && *elem != '-') /* Take this integer. */ { char tmp[2]; put_stringbuf (&sb, "("); tmp[0] = *elem; tmp[1] = 0; put_stringbuf_sexp (&sb, tmp); put_stringbuf_mem_sexp (&sb, parmder, len); parmder += len; parmderlen -= len; put_stringbuf (&sb, ")"); } } } /* FIXME: We don't release the stringbuf in case of error better let the macro jump to a label */ elem = pk_algo_table[algoidx].elem_string; ctrl = pk_algo_table[algoidx].ctrl_string; for (; *elem; ctrl++, elem++) { int is_int; if ( (*ctrl & 0x80) && !elem[1] ) { /* Hack to allow reading a raw value. */ is_int = 1; len = derlen; } else { if (!derlen) { xfree (parm_oid); return gpg_error (GPG_ERR_INV_KEYINFO); } c = *der++; derlen--; if ( c != *ctrl ) { xfree (parm_oid); return gpg_error (GPG_ERR_UNEXPECTED_TAG); } is_int = c == 0x02; TLV_LENGTH (der); } if (is_int && *elem != '-') /* Take this integer. */ { char tmp[2]; put_stringbuf (&sb, "("); tmp[0] = *elem; tmp[1] = 0; put_stringbuf_sexp (&sb, tmp); put_stringbuf_mem_sexp (&sb, der, len); der += len; derlen -= len; put_stringbuf (&sb, ")"); } } put_stringbuf (&sb, "))"); xfree (parm_oid); *r_string = get_stringbuf (&sb); if (!*r_string) return gpg_error (GPG_ERR_ENOMEM); return 0; } /* Match the algorithm string given in BUF which is of length BUFLEN with the known algorithms from our table and returns the table entries for the DER encoded OID. If WITH_SIG is true, the table of signature algorithms is consulted first. */ static const unsigned char * oid_from_buffer (const unsigned char *buf, int buflen, int *oidlen, pkalgo_t *r_pkalgo, int with_sig) { int i; /* Ignore an optional "oid." prefix. */ if (buflen > 4 && buf[3] == '.' && digitp (buf+4) && ((buf[0] == 'o' && buf[1] == 'i' && buf[2] == 'd') ||(buf[0] == 'O' && buf[1] == 'I' && buf[2] == 'D'))) { buf += 4; buflen -= 4; } if (with_sig) { /* Scan the signature table first. */ for (i=0; sig_algo_table[i].oid; i++) { if (!sig_algo_table[i].supported) continue; if (buflen == strlen (sig_algo_table[i].oidstring) && !memcmp (buf, sig_algo_table[i].oidstring, buflen)) break; if (buflen == strlen (sig_algo_table[i].algo_string) && !memcmp (buf, sig_algo_table[i].algo_string, buflen)) break; } if (sig_algo_table[i].oid) { *r_pkalgo = sig_algo_table[i].pkalgo; *oidlen = sig_algo_table[i].oidlen; return sig_algo_table[i].oid; } } /* Scan the standard table. */ for (i=0; pk_algo_table[i].oid; i++) { if (!pk_algo_table[i].supported) continue; if (buflen == strlen (pk_algo_table[i].oidstring) && !memcmp (buf, pk_algo_table[i].oidstring, buflen)) break; if (buflen == strlen (pk_algo_table[i].algo_string) && !memcmp (buf, pk_algo_table[i].algo_string, buflen)) break; } if (!pk_algo_table[i].oid) return NULL; *r_pkalgo = pk_algo_table[i].pkalgo; *oidlen = pk_algo_table[i].oidlen; return pk_algo_table[i].oid; } /* Take a public-key S-Exp and convert it into a DER encoded publicKeyInfo */ gpg_error_t _ksba_keyinfo_from_sexp (ksba_const_sexp_t sexp, unsigned char **r_der, size_t *r_derlen) { gpg_error_t err; const unsigned char *s; char *endp; unsigned long n, n1; const unsigned char *oid; int oidlen; unsigned char *curve_oid = NULL; size_t curve_oidlen; pkalgo_t pkalgo; int i; struct { const char *name; int namelen; const unsigned char *value; int valuelen; } parm[10]; int parmidx; int idxtbl[10]; int idxtbllen; const char *parmdesc, *algoparmdesc; ksba_writer_t writer = NULL; void *algoparmseq_value = NULL; size_t algoparmseq_len; void *bitstr_value = NULL; size_t bitstr_len; if (!sexp) return gpg_error (GPG_ERR_INV_VALUE); s = sexp; if (*s != '(') return gpg_error (GPG_ERR_INV_SEXP); s++; n = strtoul (s, &endp, 10); s = endp; if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); /* we don't allow empty lengths */ s++; if (n != 10 || memcmp (s, "public-key", 10)) return gpg_error (GPG_ERR_UNKNOWN_SEXP); s += 10; if (*s != '(') return gpg_error (digitp (s)? GPG_ERR_UNKNOWN_SEXP : GPG_ERR_INV_SEXP); s++; /* Break out the algorithm ID */ n = strtoul (s, &endp, 10); s = endp; if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); /* we don't allow empty lengths */ s++; oid = oid_from_buffer (s, n, &oidlen, &pkalgo, 0); if (!oid) return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); s += n; /* Collect all the values */ for (parmidx = 0; *s != ')' ; parmidx++) { if (parmidx >= DIM(parm)) return gpg_error (GPG_ERR_GENERAL); if (*s != '(') return gpg_error (digitp(s)? GPG_ERR_UNKNOWN_SEXP:GPG_ERR_INV_SEXP); s++; n = strtoul (s, &endp, 10); s = endp; if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); s++; parm[parmidx].name = s; parm[parmidx].namelen = n; s += n; if (!digitp(s)) return gpg_error (GPG_ERR_UNKNOWN_SEXP); /* ... or invalid S-Exp. */ n = strtoul (s, &endp, 10); s = endp; if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); s++; parm[parmidx].value = s; parm[parmidx].valuelen = n; s += n; if ( *s != ')') return gpg_error (GPG_ERR_UNKNOWN_SEXP); /* ... or invalid S-Exp. */ s++; } s++; /* Allow for optional elements. */ if (*s == '(') { int depth = 1; err = sskip (&s, &depth); if (err) return err; } /* We need another closing parenthesis. */ if ( *s != ')' ) return gpg_error (GPG_ERR_INV_SEXP); /* Describe the parameters in the order we want them and construct IDXTBL to access them. For DSA wie also set algoparmdesc so that we can later build the parameters for the algorithmIdentifier. */ algoparmdesc = NULL; switch (pkalgo) { case PKALGO_RSA: parmdesc = "ne"; break; case PKALGO_DSA: parmdesc = "y" ; algoparmdesc = "pqg"; break; case PKALGO_ECC: parmdesc = "Cq"; for (i = 0; i < parmidx; i++) if (parm[i].namelen == 5 && !memcmp (parm[i].name,"curve",5)) { /* FIXME: Access to pk_algo_table with constant is ugly. */ if (parm[i].valuelen == 7 && !memcmp (parm[i].value, "Ed25519", 7)) { pkalgo = PKALGO_ED25519; parmdesc = "q"; oid = pk_algo_table[7].oid; oidlen = pk_algo_table[7].oidlen; break; } else if (parm[i].valuelen == 5 && !memcmp (parm[i].value, "Ed448", 5)) { pkalgo = PKALGO_ED448; parmdesc = "q"; oid = pk_algo_table[8].oid; oidlen = pk_algo_table[8].oidlen; break; } } break; default: return gpg_error (GPG_ERR_UNKNOWN_ALGORITHM); } idxtbllen = 0; for (s = parmdesc; *s; s++) { for (i=0; i < parmidx; i++) { assert (idxtbllen < DIM (idxtbl)); switch (*s) { case 'C': /* Magic value for "curve". */ if (parm[i].namelen == 5 && !memcmp (parm[i].name, "curve", 5)) { idxtbl[idxtbllen++] = i; i = parmidx; /* Break inner loop. */ } break; default: if (parm[i].namelen == 1 && parm[i].name[0] == *s) { idxtbl[idxtbllen++] = i; i = parmidx; /* Break inner loop. */ } break; } } } if (idxtbllen != strlen (parmdesc)) return gpg_error (GPG_ERR_UNKNOWN_SEXP); if (pkalgo == PKALGO_ECC) { curve_oid = get_ecc_curve_oid (parm[idxtbl[0]].value, parm[idxtbl[0]].valuelen, &curve_oidlen); if (!curve_oid) return gpg_error (GPG_ERR_UNKNOWN_SEXP); } /* Create write object. */ err = ksba_writer_new (&writer); if (err) goto leave; err = ksba_writer_set_mem (writer, 1024); if (err) goto leave; /* We create the keyinfo in 2 steps: 1. We build the inner one and encapsulate it in a bit string. 2. We create the outer sequence include the algorithm identifier and the bit string from step 1. */ if (pkalgo == PKALGO_ECC) { /* Write the bit string header and the number of unused bits. */ err = _ksba_ber_write_tl (writer, TYPE_BIT_STRING, CLASS_UNIVERSAL, 0, parm[idxtbl[1]].valuelen + 1); if (!err) err = ksba_writer_write (writer, "", 1); /* And the actual raw value. */ if (!err) err = ksba_writer_write (writer, parm[idxtbl[1]].value, parm[idxtbl[1]].valuelen); if (err) goto leave; } else if (pkalgo == PKALGO_ED25519 || pkalgo == PKALGO_ED448) { /* Write the bit string header and the number of unused bits. */ err = _ksba_ber_write_tl (writer, TYPE_BIT_STRING, CLASS_UNIVERSAL, 0, parm[idxtbl[0]].valuelen + 1); if (!err) err = ksba_writer_write (writer, "", 1); /* And the actual raw value. */ if (!err) err = ksba_writer_write (writer, parm[idxtbl[0]].value, parm[idxtbl[0]].valuelen); if (err) goto leave; } else /* RSA and DSA */ { /* Calculate the size of the sequence value and the size of the bit string value. Note that in case there is only one integer to write, no sequence is used. */ for (n=0, i=0; i < idxtbllen; i++ ) { n += _ksba_ber_count_tl (TYPE_INTEGER, CLASS_UNIVERSAL, 0, parm[idxtbl[i]].valuelen); n += parm[idxtbl[i]].valuelen; } n1 = 1; /* # of unused bits. */ if (idxtbllen > 1) n1 += _ksba_ber_count_tl (TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n); n1 += n; /* Write the bit string header and the number of unused bits. */ err = _ksba_ber_write_tl (writer, TYPE_BIT_STRING, CLASS_UNIVERSAL, 0, n1); if (!err) err = ksba_writer_write (writer, "", 1); if (err) goto leave; /* Write the sequence tag and the integers. */ if (idxtbllen > 1) err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL, 1,n); if (err) goto leave; for (i=0; i < idxtbllen; i++) { /* fixme: we should make sure that the integer conforms to the ASN.1 encoding rules. */ err = _ksba_ber_write_tl (writer, TYPE_INTEGER, CLASS_UNIVERSAL, 0, parm[idxtbl[i]].valuelen); if (!err) err = ksba_writer_write (writer, parm[idxtbl[i]].value, parm[idxtbl[i]].valuelen); if (err) goto leave; } } /* Get the encoded bit string. */ bitstr_value = ksba_writer_snatch_mem (writer, &bitstr_len); if (!bitstr_value) { err = gpg_error (GPG_ERR_ENOMEM); goto leave; } /* If the algorithmIdentifier requires a sequence with parameters, build them now. We can reuse the IDXTBL for that. */ if (algoparmdesc) { idxtbllen = 0; for (s = algoparmdesc; *s; s++) { for (i=0; i < parmidx; i++) { assert (idxtbllen < DIM (idxtbl)); if (parm[i].namelen == 1 && parm[i].name[0] == *s) { idxtbl[idxtbllen++] = i; break; } } } if (idxtbllen != strlen (algoparmdesc)) return gpg_error (GPG_ERR_UNKNOWN_SEXP); err = ksba_writer_set_mem (writer, 1024); if (err) goto leave; /* Calculate the size of the sequence. */ for (n=0, i=0; i < idxtbllen; i++ ) { n += _ksba_ber_count_tl (TYPE_INTEGER, CLASS_UNIVERSAL, 0, parm[idxtbl[i]].valuelen); n += parm[idxtbl[i]].valuelen; } /* n += _ksba_ber_count_tl (TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n); */ /* Write the sequence tag followed by the integers. */ err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n); if (err) goto leave; for (i=0; i < idxtbllen; i++) { err = _ksba_ber_write_tl (writer, TYPE_INTEGER, CLASS_UNIVERSAL, 0, parm[idxtbl[i]].valuelen); if (!err) err = ksba_writer_write (writer, parm[idxtbl[i]].value, parm[idxtbl[i]].valuelen); if (err) goto leave; } /* Get the encoded sequence. */ algoparmseq_value = ksba_writer_snatch_mem (writer, &algoparmseq_len); if (!algoparmseq_value) { err = gpg_error (GPG_ERR_ENOMEM); goto leave; } } else algoparmseq_len = 0; /* Reinitialize the buffer to create the outer sequence. */ err = ksba_writer_set_mem (writer, 1024); if (err) goto leave; /* Calulate lengths. */ n = _ksba_ber_count_tl (TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, oidlen); n += oidlen; if (algoparmseq_len) { n += algoparmseq_len; } else if (pkalgo == PKALGO_ECC) { n += _ksba_ber_count_tl (TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, curve_oidlen); n += curve_oidlen; } else if (pkalgo == PKALGO_RSA) { n += _ksba_ber_count_tl (TYPE_NULL, CLASS_UNIVERSAL, 0, 0); } n1 = n; n1 += _ksba_ber_count_tl (TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n); n1 += bitstr_len; /* The outer sequence. */ err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n1); if (err) goto leave; /* The sequence. */ err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n); if (err) goto leave; /* The object id. */ err = _ksba_ber_write_tl (writer, TYPE_OBJECT_ID,CLASS_UNIVERSAL, 0, oidlen); if (!err) err = ksba_writer_write (writer, oid, oidlen); if (err) goto leave; /* The parameter. */ if (algoparmseq_len) { err = ksba_writer_write (writer, algoparmseq_value, algoparmseq_len); } else if (pkalgo == PKALGO_ECC) { err = _ksba_ber_write_tl (writer, TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, curve_oidlen); if (!err) err = ksba_writer_write (writer, curve_oid, curve_oidlen); } else if (pkalgo == PKALGO_RSA) { err = _ksba_ber_write_tl (writer, TYPE_NULL, CLASS_UNIVERSAL, 0, 0); } if (err) goto leave; /* Append the pre-constructed bit string. */ err = ksba_writer_write (writer, bitstr_value, bitstr_len); if (err) goto leave; /* Get the result. */ *r_der = ksba_writer_snatch_mem (writer, r_derlen); if (!*r_der) err = gpg_error (GPG_ERR_ENOMEM); leave: ksba_writer_release (writer); xfree (bitstr_value); xfree (curve_oid); return err; } /* Take a sig-val s-expression and convert it into a DER encoded algorithmInfo. Unfortunately this function clones a lot of code from _ksba_keyinfo_from_sexp. */ gpg_error_t _ksba_algoinfo_from_sexp (ksba_const_sexp_t sexp, unsigned char **r_der, size_t *r_derlen) { gpg_error_t err; const unsigned char *s; char *endp; unsigned long n; const unsigned char *oid; int oidlen; unsigned char *curve_oid = NULL; size_t curve_oidlen; pkalgo_t pkalgo; int i; struct { const char *name; int namelen; const unsigned char *value; int valuelen; } parm[10]; int parmidx; int idxtbl[10]; int idxtbllen; const char *parmdesc, *algoparmdesc; ksba_writer_t writer = NULL; void *algoparmseq_value = NULL; size_t algoparmseq_len; if (!sexp) return gpg_error (GPG_ERR_INV_VALUE); s = sexp; if (*s != '(') return gpg_error (GPG_ERR_INV_SEXP); s++; n = strtoul (s, &endp, 10); s = endp; if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); /* We don't allow empty lengths. */ s++; if (n == 7 && !memcmp (s, "sig-val", 7)) s += 7; else if (n == 10 && !memcmp (s, "public-key", 10)) s += 10; else return gpg_error (GPG_ERR_UNKNOWN_SEXP); if (*s != '(') return gpg_error (digitp (s)? GPG_ERR_UNKNOWN_SEXP : GPG_ERR_INV_SEXP); s++; /* Break out the algorithm ID */ n = strtoul (s, &endp, 10); s = endp; if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); /* We don't allow empty lengths. */ s++; oid = oid_from_buffer (s, n, &oidlen, &pkalgo, 1); if (!oid) return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); s += n; /* Collect all the values */ for (parmidx = 0; *s != ')' ; parmidx++) { if (parmidx >= DIM(parm)) return gpg_error (GPG_ERR_GENERAL); if (*s != '(') return gpg_error (digitp(s)? GPG_ERR_UNKNOWN_SEXP:GPG_ERR_INV_SEXP); s++; n = strtoul (s, &endp, 10); s = endp; if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); s++; parm[parmidx].name = s; parm[parmidx].namelen = n; s += n; if (!digitp(s)) return gpg_error (GPG_ERR_UNKNOWN_SEXP); /* ... or invalid S-Exp. */ n = strtoul (s, &endp, 10); s = endp; if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); s++; parm[parmidx].value = s; parm[parmidx].valuelen = n; s += n; if ( *s != ')') return gpg_error (GPG_ERR_UNKNOWN_SEXP); /* ... or invalid S-Exp. */ s++; } s++; /* Allow for optional elements. */ if (*s == '(') { int depth = 1; err = sskip (&s, &depth); if (err) return err; } /* We need another closing parenthesis. */ if ( *s != ')' ) return gpg_error (GPG_ERR_INV_SEXP); /* Describe the parameters in the order we want them and construct IDXTBL to access them. For DSA wie also set algoparmdesc so that we can later build the parameters for the algorithmIdentifier. */ algoparmdesc = NULL; switch (pkalgo) { case PKALGO_RSA: parmdesc = ""; break; case PKALGO_DSA: parmdesc = "" ; algoparmdesc = "pqg"; break; case PKALGO_ECC: parmdesc = "C"; break; default: return gpg_error (GPG_ERR_UNKNOWN_ALGORITHM); } idxtbllen = 0; for (s = parmdesc; *s; s++) { for (i=0; i < parmidx; i++) { assert (idxtbllen < DIM (idxtbl)); switch (*s) { case 'C': /* Magic value for "curve". */ if (parm[i].namelen == 5 && !memcmp (parm[i].name, "curve", 5)) { idxtbl[idxtbllen++] = i; i = parmidx; /* Break inner loop. */ } break; default: if (parm[i].namelen == 1 && parm[i].name[0] == *s) { idxtbl[idxtbllen++] = i; i = parmidx; /* Break inner loop. */ } break; } } } if (idxtbllen != strlen (parmdesc)) return gpg_error (GPG_ERR_UNKNOWN_SEXP); if (pkalgo == PKALGO_ECC) { curve_oid = get_ecc_curve_oid (parm[idxtbl[0]].value, parm[idxtbl[0]].valuelen, &curve_oidlen); if (!curve_oid) return gpg_error (GPG_ERR_UNKNOWN_SEXP); } /* Create write object. */ err = ksba_writer_new (&writer); if (err) goto leave; err = ksba_writer_set_mem (writer, 1024); if (err) goto leave; /* Create the sequence of the algorithm identifier. */ /* If the algorithmIdentifier requires a sequence with parameters, build them now. We can reuse the IDXTBL for that. */ if (algoparmdesc) { idxtbllen = 0; for (s = algoparmdesc; *s; s++) { for (i=0; i < parmidx; i++) { assert (idxtbllen < DIM (idxtbl)); if (parm[i].namelen == 1 && parm[i].name[0] == *s) { idxtbl[idxtbllen++] = i; break; } } } if (idxtbllen != strlen (algoparmdesc)) return gpg_error (GPG_ERR_UNKNOWN_SEXP); err = ksba_writer_set_mem (writer, 1024); if (err) goto leave; /* Calculate the size of the sequence. */ for (n=0, i=0; i < idxtbllen; i++ ) { n += _ksba_ber_count_tl (TYPE_INTEGER, CLASS_UNIVERSAL, 0, parm[idxtbl[i]].valuelen); n += parm[idxtbl[i]].valuelen; } /* Write the sequence tag followed by the integers. */ err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n); if (err) goto leave; for (i=0; i < idxtbllen; i++) { err = _ksba_ber_write_tl (writer, TYPE_INTEGER, CLASS_UNIVERSAL, 0, parm[idxtbl[i]].valuelen); if (!err) err = ksba_writer_write (writer, parm[idxtbl[i]].value, parm[idxtbl[i]].valuelen); if (err) goto leave; } /* Get the encoded sequence. */ algoparmseq_value = ksba_writer_snatch_mem (writer, &algoparmseq_len); if (!algoparmseq_value) { err = gpg_error (GPG_ERR_ENOMEM); goto leave; } } else algoparmseq_len = 0; /* Reinitialize the buffer to create the sequence. */ err = ksba_writer_set_mem (writer, 1024); if (err) goto leave; /* Calulate lengths. */ n = _ksba_ber_count_tl (TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, oidlen); n += oidlen; if (algoparmseq_len) { n += algoparmseq_len; } else if (pkalgo == PKALGO_ECC) { n += _ksba_ber_count_tl (TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, curve_oidlen); n += curve_oidlen; } else if (pkalgo == PKALGO_RSA) { n += _ksba_ber_count_tl (TYPE_NULL, CLASS_UNIVERSAL, 0, 0); } /* Write the sequence. */ err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n); if (err) goto leave; /* Write the object id. */ err = _ksba_ber_write_tl (writer, TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, oidlen); if (!err) err = ksba_writer_write (writer, oid, oidlen); if (err) goto leave; /* Write the parameters. */ if (algoparmseq_len) { err = ksba_writer_write (writer, algoparmseq_value, algoparmseq_len); } else if (pkalgo == PKALGO_ECC) { /* We only support the namedCuve choice for ECC parameters. */ err = _ksba_ber_write_tl (writer, TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, curve_oidlen); if (!err) err = ksba_writer_write (writer, curve_oid, curve_oidlen); } else if (pkalgo == PKALGO_RSA) { err = _ksba_ber_write_tl (writer, TYPE_NULL, CLASS_UNIVERSAL, 0, 0); } if (err) goto leave; /* Get the result. */ *r_der = ksba_writer_snatch_mem (writer, r_derlen); if (!*r_der) err = gpg_error (GPG_ERR_ENOMEM); leave: ksba_writer_release (writer); xfree (curve_oid); return err; } /* Helper function to parse the parameters used for rsaPSS. * Given this sample DER object in (DER,DERLEN): * * SEQUENCE { * [0] { * SEQUENCE { * OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3) * } * } * [1] { * SEQUENCE { * OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8) * SEQUENCE { * OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3) * } * } * } * [2] { * INTEGER 64 * } * } * * The function returns the first OID at R_PSSHASH and the salt length * at R_SALTLEN. If the salt length is missing its default value is * returned. In case object does not resemble a the expected rsaPSS * parameters GPG_ERR_INV_OBJ is returned; other errors are returned * for an syntatically invalid object. On error NULL is stored at * R_PSSHASH. */ gpg_error_t _ksba_keyinfo_get_pss_info (const unsigned char *der, size_t derlen, char **r_psshash, unsigned int *r_saltlen) { gpg_error_t err; struct tag_info ti; char *psshash = NULL; char *tmpoid = NULL; unsigned int saltlen; *r_psshash = NULL; *r_saltlen = 0; err = parse_sequence (&der, &derlen, &ti); if (err) goto leave; /* Get the hash algo. */ err = parse_context_tag (&der, &derlen, &ti, 0); if (err) goto unknown_parms; err = parse_sequence (&der, &derlen, &ti); if (err) goto unknown_parms; err = parse_object_id_into_str (&der, &derlen, &psshash); if (err) goto unknown_parms; err = parse_optional_null (&der, &derlen, NULL); if (err) goto unknown_parms; /* Check the MGF OID and that its hash algo matches. */ err = parse_context_tag (&der, &derlen, &ti, 1); if (err) goto unknown_parms; err = parse_sequence (&der, &derlen, &ti); if (err) goto leave; err = parse_object_id_into_str (&der, &derlen, &tmpoid); if (err) goto unknown_parms; if (strcmp (tmpoid, "1.2.840.113549.1.1.8")) /* MGF1 */ goto unknown_parms; err = parse_sequence (&der, &derlen, &ti); if (err) goto leave; xfree (tmpoid); err = parse_object_id_into_str (&der, &derlen, &tmpoid); if (err) goto unknown_parms; if (strcmp (tmpoid, psshash)) goto unknown_parms; err = parse_optional_null (&der, &derlen, NULL); if (err) goto unknown_parms; /* Get the optional saltLength. */ err = parse_context_tag (&der, &derlen, &ti, 2); if (gpg_err_code (err) == GPG_ERR_INV_OBJ || gpg_err_code (err) == GPG_ERR_FALSE) saltlen = 20; /* Optional element - use default value */ else if (err) goto unknown_parms; else { err = parse_integer (&der, &derlen, &ti); if (err) goto leave; for (saltlen=0; ti.length; ti.length--) { saltlen <<= 8; saltlen |= (*der++) & 0xff; derlen--; } } /* All fine. */ *r_psshash = psshash; psshash = NULL; *r_saltlen = saltlen; err = 0; goto leave; unknown_parms: err = gpg_error (GPG_ERR_INV_OBJ); leave: xfree (psshash); xfree (tmpoid); return err; } /* Mode 0: work as described under _ksba_sigval_to_sexp * mode 1: work as described under _ksba_encval_to_sexp * mode 2: same as mode 1 but for ECDH; in this mode * KEYENCRYALO, KEYWRAPALGO, ENCRKEY, ENCRYKLEYLEN * are also required. */ static gpg_error_t cryptval_to_sexp (int mode, const unsigned char *der, size_t derlen, const char *keyencralgo, const char *keywrapalgo, const void *encrkey, size_t encrkeylen, ksba_sexp_t *r_string) { gpg_error_t err; const struct algo_table_s *algo_table; int c; size_t nread, off, len; int algoidx; int is_bitstr; const unsigned char *ctrl; const char *elem; struct stringbuf sb; size_t parm_off, parm_len; int parm_type; char *pss_hash = NULL; unsigned int salt_length = 0; /* FIXME: The entire function is very similar to keyinfo_to_sexp */ *r_string = NULL; if (!mode) algo_table = sig_algo_table; else algo_table = enc_algo_table; err = get_algorithm (1, der, derlen, &nread, &off, &len, &is_bitstr, &parm_off, &parm_len, &parm_type); if (err) return err; /* look into our table of supported algorithms */ for (algoidx=0; algo_table[algoidx].oid; algoidx++) { if ( len == algo_table[algoidx].oidlen && !memcmp (der+off, algo_table[algoidx].oid, len)) break; } if (!algo_table[algoidx].oid) return gpg_error (GPG_ERR_UNKNOWN_ALGORITHM); if (!algo_table[algoidx].supported) return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); if (parm_type == TYPE_SEQUENCE && algo_table[algoidx].supported == SUPPORTED_RSAPSS) { /* This is rsaPSS and we collect the parameters. We simplify * this by assuming that pkcs1-MGF is used with an identical * hash algorithm. All other kinds of parameters are ignored. */ err = _ksba_keyinfo_get_pss_info (der + parm_off, parm_len, &pss_hash, &salt_length); if (gpg_err_code (err) == GPG_ERR_INV_OBJ) err = 0; if (err) return err; } der += nread; derlen -= nread; if (is_bitstr) { /* Funny: X.509 defines the signature value as a bit string but CMS as an octet string - for ease of implementation we always allow both */ if (!derlen) return gpg_error (GPG_ERR_INV_KEYINFO); c = *der++; derlen--; if (c) fprintf (stderr, "warning: number of unused bits is not zero\n"); } /* fixme: we should calculate the initial length form the size of the sequence, so that we don't neen a realloc later */ init_stringbuf (&sb, 100); put_stringbuf (&sb, mode? "(7:enc-val(":"(7:sig-val("); put_stringbuf_sexp (&sb, algo_table[algoidx].algo_string); /* FIXME: We don't release the stringbuf in case of error better let the macro jump to a label */ - elem = algo_table[algoidx].elem_string; - ctrl = algo_table[algoidx].ctrl_string; - for (; *elem; ctrl++, elem++) + if (!mode && (algo_table[algoidx].pkalgo == PKALGO_ED25519 + ||algo_table[algoidx].pkalgo == PKALGO_ED448)) { - int is_int; - - if ( (*ctrl & 0x80) && !elem[1] ) - { /* Hack to allow a raw value */ - is_int = 1; - len = derlen; - } - else + /* EdDSA is special: R and S are simply concatenated; see rfc8410. */ + put_stringbuf (&sb, "(1:r"); + put_stringbuf_mem_sexp (&sb, der, derlen/2); + put_stringbuf (&sb, ")"); + der += derlen/2; + derlen /= 2; + put_stringbuf (&sb, "(1:s"); + put_stringbuf_mem_sexp (&sb, der, derlen); + put_stringbuf (&sb, ")"); + } + else + { + elem = algo_table[algoidx].elem_string; + ctrl = algo_table[algoidx].ctrl_string; + for (; *elem; ctrl++, elem++) { - if (!derlen) - return gpg_error (GPG_ERR_INV_KEYINFO); - c = *der++; derlen--; - if ( c != *ctrl ) - return gpg_error (GPG_ERR_UNEXPECTED_TAG); - is_int = c == 0x02; - TLV_LENGTH (der); - } - if (is_int && *elem != '-') - { /* take this integer */ - char tmp[2]; + int is_int; - put_stringbuf (&sb, "("); - tmp[0] = *elem; tmp[1] = 0; - put_stringbuf_sexp (&sb, tmp); - put_stringbuf_mem_sexp (&sb, der, len); - der += len; - derlen -= len; - put_stringbuf (&sb, ")"); + if ( (*ctrl & 0x80) && !elem[1] ) + { /* Hack to allow a raw value */ + is_int = 1; + len = derlen; + } + else + { + if (!derlen) + return gpg_error (GPG_ERR_INV_KEYINFO); + c = *der++; derlen--; + if ( c != *ctrl ) + return gpg_error (GPG_ERR_UNEXPECTED_TAG); + is_int = c == 0x02; + TLV_LENGTH (der); + } + if (is_int && *elem != '-') + { /* take this integer */ + char tmp[2]; + + put_stringbuf (&sb, "("); + tmp[0] = *elem; tmp[1] = 0; + put_stringbuf_sexp (&sb, tmp); + put_stringbuf_mem_sexp (&sb, der, len); + der += len; + derlen -= len; + put_stringbuf (&sb, ")"); + } } } if (mode == 2) /* ECDH */ { put_stringbuf (&sb, "(1:s"); put_stringbuf_mem_sexp (&sb, encrkey, encrkeylen); put_stringbuf (&sb, ")"); } put_stringbuf (&sb, ")"); if (!mode && algo_table[algoidx].digest_string) { /* Insert the hash algorithm if included in the OID. */ put_stringbuf (&sb, "(4:hash"); put_stringbuf_sexp (&sb, algo_table[algoidx].digest_string); put_stringbuf (&sb, ")"); } if (!mode && pss_hash) { put_stringbuf (&sb, "(5:flags3:pss)"); put_stringbuf (&sb, "(9:hash-algo"); put_stringbuf_sexp (&sb, pss_hash); put_stringbuf (&sb, ")"); put_stringbuf (&sb, "(11:salt-length"); put_stringbuf_uint (&sb, salt_length); put_stringbuf (&sb, ")"); } if (mode == 2) /* ECDH */ { put_stringbuf (&sb, "(9:encr-algo"); put_stringbuf_sexp (&sb, keyencralgo); put_stringbuf (&sb, ")(9:wrap-algo"); put_stringbuf_sexp (&sb, keywrapalgo); put_stringbuf (&sb, ")"); } put_stringbuf (&sb, ")"); *r_string = get_stringbuf (&sb); if (!*r_string) return gpg_error (GPG_ERR_ENOMEM); xfree (pss_hash); return 0; } /* Assume that DER is a buffer of length DERLEN with a DER encoded Asn.1 structure like this: SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } signature BIT STRING We only allow parameters == NULL. The function parses this structure and creates a S-Exp suitable to be used as signature value in Libgcrypt: (sig-val ( ( ) ... ( )) (hash algo)) The S-Exp will be returned in a string which the caller must free. We don't pass an ASN.1 node here but a plain memory block. */ gpg_error_t _ksba_sigval_to_sexp (const unsigned char *der, size_t derlen, ksba_sexp_t *r_string) { return cryptval_to_sexp (0, der, derlen, NULL, NULL, NULL, 0, r_string); } /* Assume that der is a buffer of length DERLEN with a DER encoded * ASN.1 structure like this: * * SEQUENCE { * algorithm OBJECT IDENTIFIER, * parameters ANY DEFINED BY algorithm OPTIONAL * } * encryptedKey OCTET STRING * * The function parses this structure and creates a S-expression * suitable to be used as encrypted value in Libgcrypt's public key * functions: * * (enc-val * ( * ( ) * ... * ( ) * )) * * The S-expression will be returned in a string which the caller must * free. Note that the input buffer may not a proper ASN.1 object but * a plain memory block; this is becuase the SEQUENCE is followed by * an OCTET STRING or BIT STRING. */ gpg_error_t _ksba_encval_to_sexp (const unsigned char *der, size_t derlen, ksba_sexp_t *r_string) { return cryptval_to_sexp (1, der, derlen, NULL, NULL, NULL, 0, r_string); } /* Assume that der is a buffer of length DERLEN with a DER encoded * ASN.1 structure like this: * * [1] { * SEQUENCE { * algorithm OBJECT IDENTIFIER, * parameters ANY DEFINED BY algorithm OPTIONAL * } * encryptedKey BIT STRING * } * * The function parses this structure and creates an S-expression * conveying all parameters required for ECDH: * * (enc-val * (ecdh * (e ) * (s ) * (ukm ) * (encr-algo ) * (wrap-algo ))) * * E is the ephemeral public key and S is the encrypted key. The user * keying material (ukm) is optional. The S-expression will be * returned in a string which the caller must free. */ gpg_error_t _ksba_encval_kari_to_sexp (const unsigned char *der, size_t derlen, const char *keyencralgo, const char *keywrapalgo, const void *enckey, size_t enckeylen, ksba_sexp_t *r_string) { gpg_error_t err; struct tag_info ti; size_t save_derlen = derlen; err = parse_context_tag (&der, &derlen, &ti, 1); if (err) return err; if (save_derlen < ti.nhdr) return gpg_error (GPG_ERR_INV_BER); derlen = save_derlen - ti.nhdr; return cryptval_to_sexp (2, der, derlen, keyencralgo, keywrapalgo, enckey, enckeylen, r_string); } diff --git a/tests/samples/README b/tests/samples/README index 886b0a2..9884dc4 100644 --- a/tests/samples/README +++ b/tests/samples/README @@ -1,73 +1,84 @@ Certificates downloaded from http://www.magmacom.com/~mbartel/iso/\ certificates/samples/sample_certificates.html on 2003-11-20: authority.crt A root certificate betsy.crt An "everyday" certificate. bull.crt Same but includes a BMPString. Note, that these certs use MD2. Certificates downloaded from http://www.openvalidation.org/download/downloadrootcertsCA1.htm and on 2003-11-20 and prefixed with "ov-": ov-root-ca-cert.crt Root certificate ov-ocsp-server.crt The certificate of the OCSP responder ov-user.crt User certificate ov-userrev.crt A user certificate revoked by OCSP ov-server.crt A server (SSL) certificate ov-serverrev.crt A server certificate revoked by OCSP ov-user.p12 Private keys for the above certificates, ov-userrev.p12 passphrase is "start". ov-server.p12 ov-serverrev.p12 ov-test-crl.crl The current CRL The responder adress is http://ocsp.openvalidation.org Certificates downloaded from http://www.openvalidation.org/en/test/ca2.html on 2006-08-30 and prefixed with "ov2-": ov2-root-ca-cert.crt Root certificate ov2-ocsp-server.crt The certificate of the OCSP responder ov2-user.crt User certificate ov2-userrev.crt A user certificate revoked by OCSP Certificates downloaded on 2007-04-05 from http://dev.experimentalstuff.com:8082/CIC_sample-certs_2006-06-22.zip and converted to binary format. These are signed with ECDSA-P256-SHA384, ECDSA-P256-SHA512, and ECDSA-P384-SHA512. secp256r1-sha384_cert.crt secp256r1-sha512_cert.crt secp384r1-sha512_cert.crt From http://dev.experimentalstuff.com:8082/certs/secp256r1ca.cert.pem openssl-secp256r1ca.cert.crt - ECDH sample enveloped data from the Mozilla bug tracker: ecdh-sample1.p7m ecdh-sample1.p7m.asn Commented dump. RSA sample enveloped data created with gpgsm rsa-sample1.p7m rsa-sample1.p7m.asn Commented dump RSA sample signature created with gpgsm rsa-sample1.p7s rsa-sample1.p7s.asn Commented dump ECDSA sample signature created with Governikus Signer ecdsa-sample1.p7s signed data is hitchhiker.txt ecdsa-sample1.p7s.asn Commented dump + +ED25519 sample self-signed certificates + + ed25519-rfc8410.crt from RFC8410 + ed25519-rfc8410.key + ed25519-ossl-1.crt generated with OpenSSL + ed25519-ossl-1.key + +ED448 sample self-signed certificate + + ed448-ossl-1.crt generated with OpenSSL + ed448-ossl-1.key generated with OpenSSL diff --git a/tests/samples/ed25519-ossl-1.crt b/tests/samples/ed25519-ossl-1.crt new file mode 100644 index 0000000..7e07c72 Binary files /dev/null and b/tests/samples/ed25519-ossl-1.crt differ diff --git a/tests/samples/ed25519-ossl-1.key b/tests/samples/ed25519-ossl-1.key new file mode 100644 index 0000000..736cc22 Binary files /dev/null and b/tests/samples/ed25519-ossl-1.key differ diff --git a/tests/samples/ed25519-rfc8410.crt b/tests/samples/ed25519-rfc8410.crt new file mode 100644 index 0000000..d0c5ae6 Binary files /dev/null and b/tests/samples/ed25519-rfc8410.crt differ diff --git a/tests/samples/ed25519-rfc8410.key b/tests/samples/ed25519-rfc8410.key new file mode 100644 index 0000000..cb780b3 Binary files /dev/null and b/tests/samples/ed25519-rfc8410.key differ diff --git a/tests/samples/ed448-ossl-1.crt b/tests/samples/ed448-ossl-1.crt new file mode 100644 index 0000000..abafcef Binary files /dev/null and b/tests/samples/ed448-ossl-1.crt differ diff --git a/tests/samples/ed448-ossl-1.key b/tests/samples/ed448-ossl-1.key new file mode 100644 index 0000000..d1e8c57 Binary files /dev/null and b/tests/samples/ed448-ossl-1.key differ