diff options
Diffstat (limited to 'g10/keygen.c')
| -rw-r--r-- | g10/keygen.c | 363 |
1 files changed, 209 insertions, 154 deletions
diff --git a/g10/keygen.c b/g10/keygen.c index a4ed697c4..47bc2b14f 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -30,6 +30,7 @@ #include "cipher.h" #include "ttyio.h" #include "options.h" +#include "keydb.h" #if 0 #define TEST_ALGO 1 @@ -88,52 +89,128 @@ checksum_mpi( MPI a ) static void -write_uid( IOBUF out, const char *s, PKT_user_id **upkt ) +write_uid( KBNODE root, const char *s ) { - PACKET pkt; + PACKET *pkt = m_alloc_clear(sizeof *pkt ); size_t n = strlen(s); - int rc; - pkt.pkttype = PKT_USER_ID; - pkt.pkt.user_id = m_alloc( sizeof *pkt.pkt.user_id + n - 1 ); - pkt.pkt.user_id->len = n; - strcpy(pkt.pkt.user_id->name, s); - if( (rc = build_packet( out, &pkt )) ) - log_error("build_packet(user_id) failed: %s\n", g10_errstr(rc) ); - if( upkt ) { - *upkt = pkt.pkt.user_id; - pkt.pkt.user_id = NULL; - } - free_packet( &pkt ); + pkt->pkttype = PKT_USER_ID; + pkt->pkt.user_id = m_alloc( sizeof *pkt->pkt.user_id + n - 1 ); + pkt->pkt.user_id->len = n; + strcpy(pkt->pkt.user_id->name, s); + add_kbnode( root, new_kbnode( pkt ) ); } static int -write_selfsig( IOBUF out, PKT_public_cert *pkc, PKT_user_id *uid, - PKT_secret_cert *skc ) +write_selfsig( KBNODE root, KBNODE pub_root, PKT_secret_cert *skc ) { - PACKET pkt; + PACKET *pkt; PKT_signature *sig; + PKT_user_id *uid; int rc=0; + KBNODE kbctx, node; + PKT_public_cert *pkc; if( opt.verbose ) log_info("writing self signature\n"); + /* get the uid packet from the tree */ + for( kbctx=NULL; (node=walk_kbtree( root, &kbctx)) ; ) { + if( node->pkt->pkttype == PKT_USER_ID ) + break; + } + if( !node ) + log_bug(NULL); /* no user id packet in tree */ + uid = node->pkt->pkt.user_id; + /* get the pkc packet from the pub_tree */ + for( kbctx=NULL; (node=walk_kbtree( pub_root, &kbctx)) ; ) { + if( node->pkt->pkttype == PKT_PUBLIC_CERT ) + break; + } + if( !node ) + log_bug(NULL); + pkc = node->pkt->pkt.public_cert; + + /* and make the signature */ rc = make_keysig_packet( &sig, pkc, uid, skc, 0x13, DIGEST_ALGO_RMD160 ); if( rc ) { log_error("make_keysig_packet failed: %s\n", g10_errstr(rc) ); return rc; } - pkt.pkttype = PKT_SIGNATURE; - pkt.pkt.signature = sig; - if( (rc = build_packet( out, &pkt )) ) - log_error("build_packet(signature) failed: %s\n", g10_errstr(rc) ); - free_packet( &pkt ); + pkt = m_alloc_clear( sizeof *pkt ); + pkt->pkttype = PKT_SIGNATURE; + pkt->pkt.signature = sig; + add_kbnode( root, new_kbnode( pkt ) ); return rc; } +static int +gen_elg(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek, + PKT_secret_cert **ret_skc ) +{ + int rc; + PACKET *pkt; + PKT_secret_cert *skc; + PKT_public_cert *pkc; + ELG_public_key pk; + ELG_secret_key sk; + unsigned nbytes; + + elg_generate( &pk, &sk, nbits ); + + skc = m_alloc( sizeof *skc ); + pkc = m_alloc( sizeof *pkc ); + skc->timestamp = pkc->timestamp = make_timestamp(); + skc->valid_days = pkc->valid_days = 0; /* fixme: make it configurable*/ + skc->pubkey_algo = pkc->pubkey_algo = PUBKEY_ALGO_ELGAMAL; + memset(&pkc->mfx, 0, sizeof pkc->mfx); + pkc->d.elg.p = pk.p; + pkc->d.elg.g = pk.g; + pkc->d.elg.y = pk.y; + skc->d.elg.p = sk.p; + skc->d.elg.g = sk.g; + skc->d.elg.y = sk.y; + skc->d.elg.x = sk.x; + + skc->d.elg.csum = checksum_mpi( skc->d.elg.x ); + /* return an unprotected version of the skc */ + *ret_skc = copy_secret_cert( NULL, skc ); + + if( !dek ) { + skc->d.elg.is_protected = 0; + skc->d.elg.protect_algo = 0; + } + else { + skc->d.elg.is_protected = 0; + skc->d.elg.protect_algo = CIPHER_ALGO_BLOWFISH; + randomize_buffer(skc->d.elg.protect.blowfish.iv, 8, 1); + rc = protect_secret_key( skc, dek ); + if( rc ) { + log_error("protect_secret_key failed: %s\n", g10_errstr(rc) ); + free_public_cert(pkc); + free_secret_cert(skc); + return rc; + } + } + + pkt = m_alloc_clear(sizeof *pkt); + pkt->pkttype = PKT_PUBLIC_CERT; + pkt->pkt.public_cert = pkc; + add_kbnode(pub_root, new_kbnode( pkt )); + + pkt = m_alloc_clear(sizeof *pkt); + pkt->pkttype = PKT_SECRET_CERT; + pkt->pkt.secret_cert = skc; + add_kbnode(sec_root, new_kbnode( pkt )); + + return 0; +} + + + #ifdef HAVE_RSA_CIPHER static int gen_rsa(unsigned nbits, IOBUF pub_io, IOBUF sec_io, DEK *dek, @@ -210,79 +287,12 @@ gen_rsa(unsigned nbits, IOBUF pub_io, IOBUF sec_io, DEK *dek, } #endif /*HAVE_RSA_CIPHER*/ + static int -gen_elg(unsigned nbits, IOBUF pub_io, IOBUF sec_io, DEK *dek, - PKT_public_cert **ret_pkc, PKT_secret_cert **ret_skc ) +gen_dsa(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek, + PKT_secret_cert **ret_skc ) { - int rc; - PACKET pkt1, pkt2; - PKT_secret_cert *skc, *unprotected_skc; - PKT_public_cert *pkc; - ELG_public_key pk; - ELG_secret_key sk; - unsigned nbytes; - - init_packet(&pkt1); - init_packet(&pkt2); - - elg_generate( &pk, &sk, nbits ); - - skc = m_alloc( sizeof *skc ); - pkc = m_alloc( sizeof *pkc ); - skc->timestamp = pkc->timestamp = make_timestamp(); - skc->valid_days = pkc->valid_days = 0; /* fixme: make it configurable*/ - skc->pubkey_algo = pkc->pubkey_algo = PUBKEY_ALGO_ELGAMAL; - memset(&pkc->mfx, 0, sizeof pkc->mfx); - pkc->d.elg.p = pk.p; - pkc->d.elg.g = pk.g; - pkc->d.elg.y = pk.y; - skc->d.elg.p = sk.p; - skc->d.elg.g = sk.g; - skc->d.elg.y = sk.y; - skc->d.elg.x = sk.x; - - skc->d.elg.csum = checksum_mpi( skc->d.elg.x ); - unprotected_skc = copy_secret_cert( NULL, skc ); - if( !dek ) { - skc->d.elg.is_protected = 0; - skc->d.elg.protect_algo = 0; - } - else { - skc->d.elg.is_protected = 0; - skc->d.elg.protect_algo = CIPHER_ALGO_BLOWFISH; - randomize_buffer(skc->d.elg.protect.blowfish.iv, 8, 1); - rc = protect_secret_key( skc, dek ); - if( rc ) { - log_error("protect_secret_key failed: %s\n", g10_errstr(rc) ); - goto leave; - } - } - - pkt1.pkttype = PKT_PUBLIC_CERT; - pkt1.pkt.public_cert = pkc; - pkt2.pkttype = PKT_SECRET_CERT; - pkt2.pkt.secret_cert = skc; - - if( (rc = build_packet( pub_io, &pkt1 )) ) { - log_error("build public_cert packet failed: %s\n", g10_errstr(rc) ); - goto leave; - } - if( (rc = build_packet( sec_io, &pkt2 )) ) { - log_error("build secret_cert packet failed: %s\n", g10_errstr(rc) ); - goto leave; - } - *ret_pkc = pkt1.pkt.public_cert; - pkt1.pkt.public_cert = NULL; - *ret_skc = unprotected_skc; - unprotected_skc = NULL; - - - leave: - free_packet(&pkt1); - free_packet(&pkt2); - if( unprotected_skc ) - free_secret_cert( unprotected_skc ); - return rc; + return G10ERR_GENERAL; } @@ -295,14 +305,14 @@ generate_keypair() { char *answer; unsigned nbits; - char *pub_fname = "./pubring.g10"; - char *sec_fname = "./secring.g10"; + char *pub_fname = NULL; + char *sec_fname = NULL; char *uid = NULL; IOBUF pub_io = NULL; IOBUF sec_io = NULL; - PKT_public_cert *pkc = NULL; + KBNODE pub_root = NULL; + KBNODE sec_root = NULL; PKT_secret_cert *skc = NULL; - PKT_user_id *upkt = NULL; DEK *dek = NULL; int rc; int algo; @@ -315,8 +325,9 @@ generate_keypair() tty_printf("Please select the algorithm to use:\n" " (1) ElGamal is the suggested one.\n" #ifdef HAVE_RSA_CIPHER - " (2) RSA cannot be used inthe U.S.\n" + " (2) RSA cannot be used in the U.S.\n" #endif + " (3) DSA can only be used for signatures.\n" ); #endif @@ -324,7 +335,11 @@ generate_keypair() #ifdef TEST_ALGO algo = TEST_ALGO; #else - answer = tty_get("Your selection? (1,2) "); + answer = tty_get("Your selection? (1" + #ifdef HAVE_RSA_CIPHER + ",2" + #endif + ",3) "); tty_kill_prompt(); algo = *answer? atoi(answer): 1; m_free(answer); @@ -341,6 +356,11 @@ generate_keypair() break; } #endif + else if( algo == 3 ) { + algo = PUBKEY_ALGO_DSA; + algo_name = "DSA"; + break; + } } @@ -361,7 +381,9 @@ generate_keypair() nbits = *answer? atoi(answer): 1024; m_free(answer); #endif - if( nbits < 128 ) /* FIXME: change this to 768 */ + if( algo == PUBKEY_ALGO_DSA && (nbits < 512 || nbits > 1024) ) + tty_printf("DSA does only allow keysizes from 512 to 1024\n"); + else if( nbits < 128 ) /* FIXME: change this to 768 */ tty_printf("keysize too small; please select a larger one\n"); else if( nbits > 2048 ) { tty_printf("Keysizes larger than 2048 are not suggested, because " @@ -381,7 +403,11 @@ generate_keypair() break; } tty_printf("Requested keysize is %u bits\n", nbits ); - if( (nbits % 32) ) { + if( algo == PUBKEY_ALGO_DSA && (nbits % 64) ) { + nbits = ((nbits + 63) / 64) * 64; + tty_printf("rounded up to %u bits\n", nbits ); + } + else if( (nbits % 32) ) { nbits = ((nbits + 31) / 32) * 32; tty_printf("rounded up to %u bits\n", nbits ); } @@ -435,74 +461,103 @@ generate_keypair() } - /* now check wether we a are allowed to write the keyrings */ - if( !(rc=overwrite_filep( pub_fname )) ) { - if( !(pub_io = iobuf_create( pub_fname )) ) - log_error("can't create %s: %s\n", pub_fname, strerror(errno) ); - else if( opt.verbose ) - log_info("writing to '%s'\n", pub_fname ); - } - else if( rc != -1 ) { - log_error("Oops: overwrite_filep(%s): %s\n", pub_fname, g10_errstr(rc) ); - m_free(uid); - return; - } - else { - m_free(uid); - return; - } - if( !(rc=overwrite_filep( sec_fname )) ) { - if( !(sec_io = iobuf_create( sec_fname )) ) - log_error("can't create %s: %s\n", sec_fname, strerror(errno) ); - else if( opt.verbose ) - log_info("writing to '%s'\n", sec_fname ); - } - else if( rc != -1 ) { - log_error("Oops: overwrite_filep(%s): %s\n", sec_fname, g10_errstr(rc) ); - m_free(uid); - return; - } - else { - iobuf_cancel(pub_io); - m_free(uid); - return; + /* now check wether we a are allowed to write to the keyrings */ + pub_fname = make_filename("~/.g10", "pubring.g10", NULL ); + sec_fname = make_filename("~/.g10", "secring.g10", NULL ); + if( opt.verbose ) { + tty_printf("writing public certificate to '%s'\n", pub_fname ); + tty_printf("writing secret certificate to '%s'\n", sec_fname ); } - write_comment( pub_io, "#public key created by G10 pre-release " VERSION ); - write_comment( sec_io, "#secret key created by G10 pre-release " VERSION ); + /* we create the packets as a tree of kbnodes. Because the structure + * we create is known in advance we simply generate a linked list + * The first packet is a comment packet, followed by the userid and + * the self signature. + */ + pub_root = make_comment_node("#created by G10 pre-release " VERSION ); + sec_root = make_comment_node("#created by G10 pre-release " VERSION ); if( algo == PUBKEY_ALGO_ELGAMAL ) - rc = gen_elg(nbits, pub_io, sec_io, dek, &pkc, &skc); + rc = gen_elg(nbits, pub_root, sec_root, dek, &skc ); #ifdef HAVE_RSA_CIPHER else if( algo == PUBKEY_ALGO_RSA ) - rc = gen_rsa(nbits, pub_io, sec_io, dek, &pkc, &skc); + rc = gen_rsa(nbits, pub_io, sec_io, dek, &skc ); #endif + else if( algo == PUBKEY_ALGO_DSA ) + rc = gen_dsa(nbits, pub_root, sec_root, dek, &skc ); else log_bug(NULL); if( !rc ) - write_uid(pub_io, uid, &upkt ); + write_uid(pub_root, uid ); + if( !rc ) + write_uid(sec_root, uid ); if( !rc ) - write_uid(sec_io, uid, NULL ); + rc = write_selfsig(pub_root, pub_root, skc); if( !rc ) - rc = write_selfsig(pub_io, pkc, upkt, skc ); + rc = write_selfsig(sec_root, pub_root, skc); - if( rc ) { - iobuf_cancel(pub_io); - iobuf_cancel(sec_io); - tty_printf("Key generation failed: %s\n", g10_errstr(rc) ); - } - else { - iobuf_close(pub_io); - iobuf_close(sec_io); - tty_printf("public and secret key created and signed.\n" ); + if( !rc ) { + KBPOS pub_kbpos; + KBPOS sec_kbpos; + int rc1 = -1; + int rc2 = -1; + + /* we can now write the certificates */ + /* FIXME: should we check wether the user-id already exists? */ + + if( get_keyblock_handle( pub_fname, &pub_kbpos ) ) { + if( add_keyblock_resource( pub_fname, 1 ) ) { + log_error("can add keyblock file '%s'\n", pub_fname ); + rc = G10ERR_CREATE_FILE; + } + else if( get_keyblock_handle( pub_fname, &pub_kbpos ) ) { + log_error("can get keyblock handle for '%s'\n", pub_fname ); + rc = G10ERR_CREATE_FILE; + } + } + if( rc ) + ; + else if( get_keyblock_handle( sec_fname, &sec_kbpos ) ) { + if( add_keyblock_resource( sec_fname, 1 ) ) { + log_error("can add keyblock file '%s'\n", sec_fname ); + rc = G10ERR_CREATE_FILE; + } + else if( get_keyblock_handle( sec_fname, &sec_kbpos ) ) { + log_error("can get keyblock handle for '%s'\n", sec_fname ); + rc = G10ERR_CREATE_FILE; + } + } + + if( rc ) + ; + else if( (rc=rc1=lock_keyblock( &pub_kbpos )) ) + log_error("can't lock public keyring: %s\n", g10_errstr(rc) ); + else if( (rc=rc2=lock_keyblock( &sec_kbpos )) ) + log_error("can't lock secret keyring: %s\n", g10_errstr(rc) ); + else if( (rc=insert_keyblock( &pub_kbpos, pub_root )) ) + log_error("can't write public key: %s\n", g10_errstr(rc) ); + else if( (rc=insert_keyblock( &sec_kbpos, sec_root )) ) + log_error("can't write secret key: %s\n", g10_errstr(rc) ); + else { + tty_printf("public and secret key created and signed.\n" ); + } + + if( !rc1 ) + unlock_keyblock( &pub_kbpos ); + if( !rc2 ) + unlock_keyblock( &sec_kbpos ); } - if( pkc ) - free_public_cert( pkc ); - if( skc ) - free_secret_cert( skc ); - if( upkt ) - free_user_id( upkt ); + + + if( rc ) + tty_printf("Key generation failed: %s\n", g10_errstr(rc) ); + release_kbnode( pub_root ); + release_kbnode( sec_root ); + if( skc ) /* the unprotected secret certificate */ + free_secret_cert(skc); m_free(uid); m_free(dek); + m_free(pub_fname); + m_free(sec_fname); } |