authorWerner Koch <[email protected]>2020-05-18 17:32:30 +0000
committerWerner Koch <[email protected]>2020-05-18 17:32:30 +0000
commit6dc3846d78192e393be73c16c72750734a9174d1 (patch)
tree386632ce393788ee429cf39f5a22223eaf0fe176 /sm/call-agent.c
parentagent: Allow to use SETHASH for arbitrary data. (diff)
sm: Support creation of EdDSA certificates.
* sm/misc.c (transform_sigval): Support EdDSA. * sm/certreqgen.c (create_request): Support EdDSA cert creation. * sm/certcheck.c (gpgsm_check_cert_sig): Map some ECC algo OIDs to hash algos. * sm/call-agent.c (struct sethash_inq_parm_s): New. (sethash_inq_cb): New. (gpgsm_agent_pksign): Add mode to pass plain data for EdDSA. -- Tested using a parameter file Key-Type: EdDSA Key-Length: 1024 Key-Grip: 09D9AE3D494F7888C93BE5106AD8A734A87617F0 Key-Usage: sign Serial: random Name-DN: CN=dummy test ed25519 where the keygrip is from a gpg generated Ed25519 key. ECDSA was tested using Key-Type: ECDSA Key-Length: 1024 Key-Grip: 8E06A180EFFE4C65B812150CAF19BF30C0689A4C Key-Usage: sign Serial: random Name-DN: CN=dummy test nistp256 and RSA using Key-Type: RSA Key-Length: 2048 Key-Grip: C6A6390E9388CDBAD71EAEA698233FE5E04F001E Key-Usage: sign Serial: random Name-DN: CN=dummy test rsa The command used in all cases is gpgsm -v --gen-key --batch a.parm >a.crt gpgsm -v --import <a.crt More support, in particular in the user interface, is required and will follow soon. GnuPG-bug-id: 4888 Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'sm/call-agent.c')
-rw-r--r--sm/call-agent.c57
1 files changed, 50 insertions, 7 deletions
diff --git a/sm/call-agent.c b/sm/call-agent.c
index 5f4236b69..ec8020517 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -76,6 +76,13 @@ struct import_key_parm_s
size_t keylen;
};
+struct sethash_inq_parm_s
+{
+ assuan_context_t ctx;
+ const void *data;
+ size_t datalen;
+};
+
struct default_inq_parm_s
{
ctrl_t ctrl;
@@ -257,8 +264,29 @@ default_inq_cb (void *opaque, const char *line)
+/* This is the inquiry callback required by the SETHASH command. */
+static gpg_error_t
+sethash_inq_cb (void *opaque, const char *line)
+{
+ gpg_error_t err = 0;
+ struct sethash_inq_parm_s *parm = opaque;
+
+ if (has_leading_keyword (line, "TBSDATA"))
+ {
+ err = assuan_send_data (parm->ctx, parm->data, parm->datalen);
+ }
+ else
+ log_error ("ignoring gpg-agent inquiry '%s'\n", line);
+
+ return err;
+}
+
+
/* Call the agent to do a sign operation using the key identified by
- the hex string KEYGRIP. */
+ * the hex string KEYGRIP. If DIGESTALGO is given (DIGEST,DIGESTLEN)
+ * gives the to be signed hash created using the given algo. If
+ * DIGESTALGO is not given (i.e. zero) (DIGEST,DIGESTALGO) give the
+ * entire data to-be-signed. */
int
gpgsm_agent_pksign (ctrl_t ctrl, const char *keygrip, const char *desc,
unsigned char *digest, size_t digestlen, int digestalgo,
@@ -277,7 +305,7 @@ gpgsm_agent_pksign (ctrl_t ctrl, const char *keygrip, const char *desc,
inq_parm.ctrl = ctrl;
inq_parm.ctx = agent_ctx;
- if (digestlen*2 + 50 > DIM(line))
+ if (digestalgo && digestlen*2 + 50 > DIM(line))
return gpg_error (GPG_ERR_GENERAL);
rc = assuan_transact (agent_ctx, "RESET", NULL, NULL, NULL, NULL, NULL, NULL);
@@ -298,11 +326,26 @@ gpgsm_agent_pksign (ctrl_t ctrl, const char *keygrip, const char *desc,
return rc;
}
- sprintf (line, "SETHASH %d ", digestalgo);
- p = line + strlen (line);
- for (i=0; i < digestlen ; i++, p += 2 )
- sprintf (p, "%02X", digest[i]);
- rc = assuan_transact (agent_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
+ if (!digestalgo)
+ {
+ struct sethash_inq_parm_s sethash_inq_parm;
+
+ sethash_inq_parm.ctx = agent_ctx;
+ sethash_inq_parm.data = digest;
+ sethash_inq_parm.datalen = digestlen;
+ rc = assuan_transact (agent_ctx, "SETHASH --inquire",
+ NULL, NULL, sethash_inq_cb, &sethash_inq_parm,
+ NULL, NULL);
+ }
+ else
+ {
+ snprintf (line, sizeof line, "SETHASH %d ", digestalgo);
+ p = line + strlen (line);
+ for (i=0; i < digestlen ; i++, p += 2 )
+ sprintf (p, "%02X", digest[i]);
+ rc = assuan_transact (agent_ctx, line,
+ NULL, NULL, NULL, NULL, NULL, NULL);
+ }
if (rc)
return rc;
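Review bot: The new header comment above gpgsm_agent_pksign misnames the pair used in the no-digest mode: it says `(DIGEST,DIGESTALGO) give the entire data`, while the code hands DIGEST and DIGESTLEN to the agent (sethash_inq_parm.data/datalen), so that line should read `* DIGESTALGO is not given (i.e. zero) (DIGEST,DIGESTLEN) give the`. The comment should also say that in the zero case the data travels through the "SETHASH --inquire" / TBSDATA inquiry instead of the command line, because that is the reason the `digestlen*2 + 50 > DIM(line)` guard earlier in the function is now conditioned on digestalgo, and the unbounded `sprintf (p, "%02X", digest[i])` in the else branch relies on that guard staying paired with it. In sethash_inq_cb an inquiry other than TBSDATA is logged and err stays 0, so the transaction continues with an empty response; if that is intended (it appears to mirror default_inq_cb), a comment such as `/* Unknown inquiry: log it and let the transaction continue without data.  */` above the log_error call would make it explicit. The body of gpgsm_agent_pksign continues past the last hunk.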