Diffstat (limited to 'sm')
-rw-r--r-- | sm/certchain.c | 3 | ||||
-rw-r--r-- | sm/certcheck.c | 2 | ||||
-rw-r--r-- | sm/certdump.c | 2 | ||||
-rw-r--r-- | sm/certreqgen-ui.c | 2 | ||||
-rw-r--r-- | sm/certreqgen.c | 4 | ||||
-rw-r--r-- | sm/decrypt.c | 4 | ||||
-rw-r--r-- | sm/fingerprint.c | 66 | ||||
-rw-r--r-- | sm/gpgsm.c | 9 | ||||
-rw-r--r-- | sm/gpgsm.h | 3 | ||||
-rw-r--r-- | sm/import.c | 2 | ||||
-rw-r--r-- | sm/keylist.c | 51 | ||||
-rw-r--r-- | sm/qualified.c | 2 | ||||
-rw-r--r-- | sm/verify.c | 6 |
13 files changed, 137 insertions, 19 deletions
diff --git a/sm/certchain.c b/sm/certchain.c
index a361acaf0..4e18caf55 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -119,7 +119,8 @@ do_list (int is_error, int listmode, estream_t fp, const char *format, ...)
 }
 else
 {
- log_logv (is_error? GPGRT_LOG_ERROR: GPGRT_LOG_INFO, format, arg_ptr);
+ log_logv (is_error? GPGRT_LOGLVL_ERROR: GPGRT_LOGLVL_INFO,
+ format, arg_ptr);
 log_printf ("\n");
 }
 va_end (arg_ptr);
diff --git a/sm/certcheck.c b/sm/certcheck.c
index 1102bccad..51f1a9402 100644
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@@ -374,7 +374,7 @@ gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
 return gpg_error (GPG_ERR_BUG);
 }
 if (DBG_CRYPTO)
- log_printhex ("public key: ", p, n);
+ log_printhex (p, n, "public key: ");
 rc = gcry_sexp_sscan ( &s_pkey, NULL, (char*)p, n);
 ksba_free (p);
diff --git a/sm/certdump.c b/sm/certdump.c
index edee76fa2..9567c67f5 100644
--- a/sm/certdump.c
+++ b/sm/certdump.c
@@ -167,7 +167,7 @@ gpgsm_dump_string (const char *string)
 else
 {
 log_printf ( "[ ");
- log_printhex (NULL, string, strlen (string));
+ log_printhex (string, strlen (string), NULL);
 log_printf ( " ]");
 }
 }
diff --git a/sm/certreqgen-ui.c b/sm/certreqgen-ui.c
index 9772a3baf..4f8a1ac9d 100644
--- a/sm/certreqgen-ui.c
+++ b/sm/certreqgen-ui.c
@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t output_stream)
 unsigned int nbits;
 int minbits = 1024;
 int maxbits = 4096;
- int defbits = 2048;
+ int defbits = 3072;
 const char *keyusage;
 char *subject_name;
 membuf_t mb_email, mb_dns, mb_uri, mb_result;
diff --git a/sm/certreqgen.c b/sm/certreqgen.c
index 44318702a..1d610c1bb 100644
--- a/sm/certreqgen.c
+++ b/sm/certreqgen.c
@@ -26,7 +26,7 @@
 $ cat >foo <<EOF
 %echo Generating a standard key
 Key-Type: RSA
- Key-Length: 2048
+ Key-Length: 3072
 Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
 Name-Email: [email protected]
 # Do a commit here, so that we can later print a "done"
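Review bot: In the sm/certreqgen-ui.c hunk the default becomes `int defbits = 3072;` while `int minbits = 1024;` two lines above is left as it was, so the interactive dialog still accepts a 1024-bit RSA request. The second sm/certreqgen.c hunk keeps the same floor in `if ((nbits < 1024 || nbits > 4096) && !cardkeyid)`. If the aim of the commit is stronger keys for new requests, consider raising the lower bound in both places too, or record why it stays (for example `/* 1024 is still accepted for existing cards/CAs; new keys default to 3072. */`, if that is indeed the reason). Both function bodies continue outside the hunks.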
@@ -468,7 +468,7 @@ proc_parameters (ctrl_t ctrl, struct para_data_s *para,
 /* Check the keylength. NOTE: If you change this make sure that it macthes the gpgconflist item in gpgsm.c */
 if (!get_parameter (para, pKEYLENGTH, 0))
- nbits = 2048;
+ nbits = 3072;
 else
 nbits = get_parameter_uint (para, pKEYLENGTH);
 if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
diff --git a/sm/decrypt.c b/sm/decrypt.c
index 60ed14a64..b0ab63f00 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -72,7 +72,7 @@ prepare_decryption (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
 }
 if (DBG_CRYPTO)
- log_printhex ("pkcs1 encoded session key:", seskey, seskeylen);
+ log_printhex (seskey, seskeylen, "pkcs1 encoded session key:");
 n=0;
 if (seskeylen == 24 || seskeylen == 16)
@@ -115,7 +115,7 @@ prepare_decryption (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
 }
 if (DBG_CRYPTO)
- log_printhex ("session key:", seskey+n, seskeylen-n);
+ log_printhex (seskey+n, seskeylen-n, "session key:");
 rc = gcry_cipher_open (&parm->hd, parm->algo, parm->mode, 0);
 if (rc)
diff --git a/sm/fingerprint.c b/sm/fingerprint.c
index fbcec5883..4bf378a1c 100644
--- a/sm/fingerprint.c
+++ b/sm/fingerprint.c
@@ -196,7 +196,7 @@ gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array)
 return NULL;
 }
 if (DBG_X509)
- log_printhex ("keygrip=", array, 20);
+ log_printhex (array, 20, "keygrip=");
 return array;
 }
@@ -277,6 +277,70 @@ gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
 }
+/* If KEY is an RSA key, return its modulus. For non-RSA keys or on
+ * error return NULL. */
+gcry_mpi_t
+gpgsm_get_rsa_modulus (ksba_cert_t cert)
+{
+ gpg_error_t err;
+ gcry_sexp_t key;
+ gcry_sexp_t list = NULL;
+ gcry_sexp_t l2 = NULL;
+ char *name = NULL;
+ gcry_mpi_t modulus = NULL;
+
+ {
+ ksba_sexp_t ckey;
+ size_t n;
+
+ ckey = ksba_cert_get_public_key (cert);
+ if (!ckey)
+ return NULL;
+ n = gcry_sexp_canon_len (ckey, 0, NULL, NULL);
+ if (!n)
+ {
+ xfree (ckey);
+ return NULL;
+ }
+ err = gcry_sexp_sscan (&key, NULL, (char *)ckey, n);
+ xfree (ckey);
+ if (err)
+ return NULL;
+ }
+
+ list = gcry_sexp_find_token (key, "public-key", 0);
+ if (!list)
+ list = gcry_sexp_find_token (key, "private-key", 0);
+ if (!list)
+ list = gcry_sexp_find_token (key, "protected-private-key", 0);
+ if (!list)
+ list = gcry_sexp_find_token (key, "shadowed-private-key", 0);
+
+ gcry_sexp_release (key);
+ if (!list)
+ return NULL; /* No suitable key. */
+
+ l2 = gcry_sexp_cadr (list);
+ gcry_sexp_release (list);
+ list = l2;
+ l2 = NULL;
+
+ name = gcry_sexp_nth_string (list, 0);
+ if (!name)
+ ;
+ else if (gcry_pk_map_name (name) == GCRY_PK_RSA)
+ {
+ l2 = gcry_sexp_find_token (list, "n", 1);
+ if (l2)
+ modulus = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
+ }
+
+ gcry_free (name);
+ gcry_sexp_release (l2);
+ gcry_sexp_release (list);
+ return modulus;
+}
+
 /* For certain purposes we need a certificate id which has an upper
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index da1783df2..b0547876a 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -156,6 +156,7 @@ enum cmd_and_opt_values {
 oWithMD5Fingerprint,
 oWithKeygrip,
 oWithSecret,
+ oWithKeyScreening,
 oAnswerYes,
 oAnswerNo,
 oKeyring,
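Review bot: The header comment of gpgsm_get_rsa_modulus in sm/fingerprint.c speaks of KEY although the parameter is CERT, and it does not say who owns the result; something like `/* If CERT holds an RSA public key, return its modulus; the caller must release it with gcry_mpi_release.  */` would match the code. The function returns NULL both for a non-RSA key and for every failure (no public key, `gcry_sexp_canon_len` returning 0, a `gcry_sexp_sscan` error), so a caller that screens keys cannot tell "nothing to check" from "could not check"; returning a gpg_error_t with the MPI as an out parameter would let the caller report the difference. Separately, the buffer from ksba_cert_get_public_key is freed with `xfree` here while the sm/certcheck.c context on this page uses `ksba_free`; the two are only equivalent if ksba is configured with the same allocator, which this diff does not show.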
@@ -393,6 +394,7 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_n (oWithFingerprint, "with-fingerprint", "@"),
 ARGPARSE_s_n (oWithKeygrip, "with-keygrip", "@"),
 ARGPARSE_s_n (oWithSecret, "with-secret", "@"),
+ ARGPARSE_s_n (oWithKeyScreening,"with-key-screening", "@"),
 ARGPARSE_s_s (oDisableCipherAlgo, "disable-cipher-algo", "@"),
 ARGPARSE_s_s (oDisablePubkeyAlgo, "disable-pubkey-algo", "@"),
 ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
@@ -1295,6 +1297,10 @@ main ( int argc, char **argv)
 opt.with_keygrip = 1;
 break;
+ case oWithKeyScreening:
+ opt.with_key_screening = 1;
+ break;
+
 case oOptions:
 /* config files may not be nested (silently ignore them) */
 if (!configfp)
@@ -1800,8 +1806,7 @@ main ( int argc, char **argv)
 /* The next one is an info only item and should match what proc_parameters actually implements. */
 es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
- "RSA-2048");
- es_printf ("compliance:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT, "gnupg");
+ "RSA-3072");
 }
 break;
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 325948aff..d3fbde515 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -85,6 +85,8 @@ struct
 int with_keygrip; /* Option --with-keygrip active. */
+ int with_key_screening; /* Option --with-key-screening active. */
+
 int pinentry_mode;
 int request_origin;
@@ -259,6 +261,7 @@ unsigned long gpgsm_get_short_fingerprint (ksba_cert_t cert,
 unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array);
 char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
 int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits);
+gcry_mpi_t gpgsm_get_rsa_modulus (ksba_cert_t cert);
 char *gpgsm_get_certid (ksba_cert_t cert);
diff --git a/sm/import.c b/sm/import.c
index 8796cd206..ca693824a 100644
--- a/sm/import.c
+++ b/sm/import.c
@@ -836,7 +836,7 @@ parse_p12 (ctrl_t ctrl, ksba_reader_t reader, struct stats_s *stats)
 log_error ("can't calculate keygrip\n");
 goto leave;
 }
- log_printhex ("keygrip=", grip, 20);
+ log_printhex (grip, 20, "keygrip=");
 /* Convert to canonical encoding using a function which pads it to a multiple of 64 bits. We need this padding for AESWRAP. */
diff --git a/sm/keylist.c b/sm/keylist.c
index 9997da812..ea2a22093 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -37,6 +37,7 @@
 #include "../common/i18n.h"
 #include "../common/tlv.h"
 #include "../common/compliance.h"
+#include "../common/pkscreening.h"
 struct list_external_parm_s
 {
@@ -238,6 +239,38 @@ print_key_data (ksba_cert_t cert, estream_t fp)
 #endif
 }
+
+/* Various public key screenings. (Right now just ROCA). With
+ * COLON_MODE set the output is formatted for use in the compliance
+ * field of a colon listing. */
+static void
+print_pk_screening (ksba_cert_t cert, int colon_mode, estream_t fp)
+{
+ gpg_error_t err;
+ gcry_mpi_t modulus;
+
+ modulus = gpgsm_get_rsa_modulus (cert);
+ if (modulus)
+ {
+ err = screen_key_for_roca (modulus);
+ if (!err)
+ ;
+ else if (gpg_err_code (err) == GPG_ERR_TRUE)
+ {
+ if (colon_mode)
+ es_fprintf (fp, colon_mode > 1? " %d":"%d", 6001);
+ else
+ es_fprintf (fp, " screening: ROCA vulnerability detected\n");
+ }
+ else if (!colon_mode)
+ es_fprintf (fp, " screening: [ROCA check failed: %s]\n",
+ gpg_strerror (err));
+ gcry_mpi_release (modulus);
+ }
+
+}
+
+
 static void
 print_capabilities (ksba_cert_t cert, estream_t fp)
 {
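Review bot: In print_pk_screening (sm/keylist.c) the colon-mode path writes nothing when screen_key_for_roca returns an error other than GPG_ERR_TRUE, because that case is guarded by `else if (!colon_mode)`; field 18 then looks exactly as it does for a key that passed. A program that treats the absence of `6001` as "screened and clean" therefore fails open when the check itself could not run, and the same holds when gpgsm_get_rsa_modulus returns NULL after a parse error. Consider emitting a distinct flag for a failed screening in colon mode, or at least reporting the error with `log_info`, and state the chosen behaviour in the function comment. The literal `6001` would also be easier to audit as a named constant next to the description of the compliance field.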
@@ -348,10 +381,19 @@ email_kludge (const char *name)
 /* Print the compliance flags to field 18. ALGO is the gcrypt algo
 * number. NBITS is the length of the key in bits. */
 static void
-print_compliance_flags (int algo, unsigned int nbits, estream_t fp)
+print_compliance_flags (ksba_cert_t cert, int algo, unsigned int nbits,
+ estream_t fp)
 {
+ int any = 0;
+
 if (gnupg_pk_is_compliant (CO_DE_VS, algo, NULL, nbits, NULL))
- es_fputs (gnupg_status_compliance_flag (CO_DE_VS), fp);
+ {
+ es_fputs (gnupg_status_compliance_flag (CO_DE_VS), fp);
+ any++;
+ }
+
+ if (opt.with_key_screening)
+ print_pk_screening (cert, 1+any, fp);
 }
@@ -526,7 +568,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
 es_putc (':', fp); /* End of field 15. */
 es_putc (':', fp); /* End of field 16. */
 es_putc (':', fp); /* End of field 17. */
- print_compliance_flags (algo, nbits, fp);
+ print_compliance_flags (cert, algo, nbits, fp);
 es_putc (':', fp); /* End of field 18. */
 es_putc ('\n', fp);
@@ -1253,6 +1295,9 @@ list_cert_std (ctrl_t ctrl, ksba_cert_t cert, estream_t fp, int have_secret,
 }
 }
+ if (opt.with_key_screening)
+ print_pk_screening (cert, 0, fp);
+
 if (have_secret)
 {
 char *cardsn;
diff --git a/sm/qualified.c b/sm/qualified.c
index 564e77929..6a7b47306 100644
--- a/sm/qualified.c
+++ b/sm/qualified.c
@@ -58,7 +58,7 @@ read_list (char *key, char *country, int *lnr)
 if (!listname)
 {
- listname = make_filename (gnupg_datadir (), "qualified.txt", NULL);
+ listname = make_filename (gnupg_sysconfdir (), "qualified.txt", NULL);
 listfp = fopen (listname, "r");
 if (!listfp && errno != ENOENT)
 {
diff --git a/sm/verify.c b/sm/verify.c
index 10b3f4378..b7b9fa8be 100644
--- a/sm/verify.c
+++ b/sm/verify.c
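Review bot: The comment above print_compliance_flags in sm/keylist.c still documents only ALGO and NBITS after the signature gained CERT. It should say that CERT is passed on to the key screening when --with-key-screening is set, and that `1+any` makes print_pk_screening put a space before its flag when a compliance flag was already written. A wording such as `CERT is used for the optional key screening; its flag is appended space-separated to field 18.` would cover it.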
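Review bot: In sm/qualified.c read_list now builds the path from `gnupg_sysconfdir ()`, and the unchanged test `if (!listfp && errno != ENOENT)` suggests that a missing file is not reported as an error. If that reading is right, an installation that still has qualified.txt only in the old data directory would stop recognising qualified root certificates after the upgrade without any message. Consider a `log_info` when the file is missing from the new location but still present under `gnupg_datadir ()`, and mention the move in the release notes; because the list feeds a trust decision, the new location should be writable by the administrator only. The body of read_list continues outside the hunk.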
@@ -512,10 +512,10 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
 if (DBG_X509)
 {
 if (msgdigest)
- log_printhex ("message: ", msgdigest, msgdigestlen);
+ log_printhex (msgdigest, msgdigestlen, "message: ");
 if (s)
- log_printhex ("computed: ",
- s, gcry_md_get_algo_dlen (algo));
+ log_printhex (s, gcry_md_get_algo_dlen (algo),
+ "computed: ");
 }
 fpr = gpgsm_fpr_and_name_for_status (cert);
 gpgsm_status (ctrl, STATUS_BADSIG, fpr); |