From 1a85ee9a431bd2243e0ad79ce5eefa78e274a491 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 2 Dec 2022 10:03:36 +0100
Subject: gpg: New export option "mode1003".

* agent/command.c (cmd_export_key): Add option --mode1003. (command_has_option): Ditto.
* g10/build-packet.c (do_key): Implement mode 1003.
* g10/parse-packet.c (parse_key): Ditto.
* g10/options.h (EXPORT_MODE1003): New.o
* g10/call-agent.c (agent_export_key): Add arg mode1003.
* g10/export.c (parse_export_options): Add "mode1003" (secret_key_to_mode1003): New. (receive_seckey_from_agent): Add arg mode1003. (do_export_one_keyblock): Pass option down.
--
This option allows to export a secret key in GnuPG's native format. Thus no re-encryption is required and further the public key parameters are also authenticated if a protection passphrase has been used.
Note that --import is not yet able to handle this new mode. Although old version of GnuPG will bail out with "invalid packet" if a mode1003 exported secret key is seen.
---
 g10/call-agent.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'g10/call-agent.c')
diff --git a/g10/call-agent.c b/g10/call-agent.c
index 27b5cacfb..66812e998 100644
--- a/g10/call-agent.c
+++ b/g10/call-agent.c
@@ -2997,13 +2997,15 @@ agent_import_key (ctrl_t ctrl, const char *desc, char **cache_nonce_addr,
 keygrip, DESC a prompt to be displayed with the agent's passphrase
 question (needs to be plus+percent escaped). if OPENPGP_PROTECTED
 is not zero, ensure that the key material is returned in RFC
- 4880-compatible passphrased-protected form. If CACHE_NONCE_ADDR is
- not NULL the agent is advised to first try a passphrase associated
- with that nonce. On success the key is stored as a canonical
- S-expression at R_RESULT and R_RESULTLEN. */
+ 4880-compatible passphrased-protected form; if instead MODE1003 is
+ not zero the raw gpg-agent private key format is requested (either
+ protected or unprotected). If CACHE_NONCE_ADDR is not NULL the
+ agent is advised to first try a passphrase associated with that
+ nonce. On success the key is stored as a canonical S-expression at
+ R_RESULT and R_RESULTLEN. */
 gpg_error_t
 agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
- int openpgp_protected, char **cache_nonce_addr,
+ int openpgp_protected, int mode1003, char **cache_nonce_addr,
 unsigned char **r_result, size_t *r_resultlen,
 u32 *keyid, u32 *mainkeyid, int pubkey_algo)
 {
@@ -3028,6 +3030,12 @@ agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
 return err;
 dfltparm.ctx = agent_ctx;
 
+ /* Check that the gpg-agent supports the --mode1003 option. */
+ if (mode1003 && assuan_transact (agent_ctx, "GETINFO cmd_has_option EXPORT_KEY mode1003", NULL, NULL, NULL, NULL, NULL, NULL))
+ return gpg_error (GPG_ERR_NOT_SUPPORTED);
+
 if (desc)
 {
 snprintf (line, DIM(line), "SETKEYDESC %s", desc);
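Review bot: The rewritten header comment describes what MODE1003 requests but not how it combines with OPENPGP_PROTECTED, although the EXPORT_KEY line built later in this function (hunk at 3046) gives mode1003 precedence and silently drops "--openpgp" when both flags are set. A caller that sets both and expects RFC 4880 re-encryption would get the raw agent format instead, so the contract should say so; suggest appending `If both OPENPGP_PROTECTED and MODE1003 are non-zero, MODE1003 takes precedence and no OpenPGP re-encryption is performed.` to the comment. It would also help to state that in mode1003 the caller cannot assume the returned material is passphrase-protected, since the comment itself says it may be unprotected. The body of agent_export_key continues outside this hunk.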
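Review bot: The capability probe in the second hunk turns any non-zero return from assuan_transact into GPG_ERR_NOT_SUPPORTED, so a connection drop or other agent failure during the GETINFO round trip is reported to the user as "agent too old" and the real error code is lost. Consider keeping the original return value, or at least logging it before translating, e.g. `err = assuan_transact (agent_ctx, "GETINFO cmd_has_option EXPORT_KEY mode1003", NULL, NULL, NULL, NULL, NULL, NULL);` followed by `if (err) { log_info ("gpg-agent lacks EXPORT_KEY --mode1003: %s\n", gpg_strerror (err)); return gpg_error (GPG_ERR_NOT_SUPPORTED); }`. Whether the agent's GETINFO reply lets the code distinguish "option unknown" from a transport failure is not visible here, so that refinement is only a suggestion. `err` is already in scope in this function, as the `return err;` context line shows.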
@@ -3038,7 +3046,7 @@ agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
 }
 
 snprintf (line, DIM(line), "EXPORT_KEY %s%s%s %s",
- openpgp_protected ? "--openpgp ":"",
+ mode1003? "--mode1003" : openpgp_protected ? "--openpgp ":"",
 cache_nonce_addr && *cache_nonce_addr? "--cache-nonce=":"",
 cache_nonce_addr && *cache_nonce_addr? *cache_nonce_addr:"",
 hexkeygrip);
-- cgit v1.2.3
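Review bot: The new `"--mode1003"` literal has no trailing space, unlike the `"--openpgp "` literal next to it, so with a cache nonce present the format string `"EXPORT_KEY %s%s%s %s"` produces `EXPORT_KEY --mode1003--cache-nonce=... KEYGRIP`, which the agent will not see as two separate options. Change the line to `mode1003? "--mode1003 " : openpgp_protected ? "--openpgp ":"",`; in the no-nonce case this only yields the same double space before the keygrip that the `--openpgp` path already produces. Without a nonce the command still works because the following two `%s` arguments are empty, which is presumably why the mode1003 export appeared to function in testing. How the agent reacts to the fused option is not visible in this file, so the exact failure mode is inferred.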