search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added (back) RFC5081 support in client mode.
[gnutls.git] / lib / openpgp / privkey.c
blob77ef7b403ac341406f212b68dcdb26756ce93b59
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions on OpenPGP privkey parsing
24 */
25
26 #include <gnutls_int.h>
27 #include <gnutls_datum.h>
28 #include <gnutls_global.h>
29 #include <gnutls_errors.h>
30 #include <gnutls_num.h>
31 #include <openpgp_int.h>
32 #include <gnutls_openpgp.h>
33 #include <gnutls_sig.h>
34 #include <gnutls_pk.h>
35
36 /**
37 * gnutls_openpgp_privkey_init:
38 * @key: The structure to be initialized
39 *
40 * This function will initialize an OpenPGP key structure.
41 *
42 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
43 **/
44 int
45 gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t * key)
46 {
47 *key = gnutls_calloc (1, sizeof (gnutls_openpgp_privkey_int));
48
49 if (*key)
50 return 0; /* success */
51 return GNUTLS_E_MEMORY_ERROR;
52 }
53
54 /**
55 * gnutls_openpgp_privkey_deinit:
56 * @key: The structure to be initialized
57 *
58 * This function will deinitialize a key structure.
59 **/
60 void
61 gnutls_openpgp_privkey_deinit (gnutls_openpgp_privkey_t key)
62 {
63 if (!key)
64 return;
65
66 if (key->knode)
67 {
68 cdk_kbnode_release (key->knode);
69 key->knode = NULL;
70 }
71
72 gnutls_free (key);
73 }
74
75 /*-
76 * _gnutls_openpgp_privkey_cpy - This function copies a gnutls_openpgp_privkey_t structure
77 * @dest: The structure where to copy
78 * @src: The structure to be copied
79 *
80 * This function will copy an X.509 certificate structure.
81 *
82 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
83 * negative error value.
84 -*/
85 int
86 _gnutls_openpgp_privkey_cpy (gnutls_openpgp_privkey_t dest, gnutls_openpgp_privkey_t src)
87 {
88 int ret;
89 size_t raw_size=0;
90 uint8_t *der;
91 gnutls_datum_t tmp;
92
93 ret = gnutls_openpgp_privkey_export (src, GNUTLS_OPENPGP_FMT_RAW, NULL, 0, NULL, &raw_size);
94 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
95 return gnutls_assert_val(ret);
96
97 der = gnutls_malloc (raw_size);
98 if (der == NULL)
99 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
100
101 ret = gnutls_openpgp_privkey_export (src, GNUTLS_OPENPGP_FMT_RAW, NULL, 0, der, &raw_size);
102 if (ret < 0)
103 {
104 gnutls_assert ();
105 gnutls_free (der);
106 return ret;
107 }
108
109 tmp.data = der;
110 tmp.size = raw_size;
111 ret = gnutls_openpgp_privkey_import (dest, &tmp, GNUTLS_OPENPGP_FMT_RAW, NULL, 0);
112
113 gnutls_free (der);
114
115 if (ret < 0)
116 return gnutls_assert_val(ret);
117
118 memcpy(dest->preferred_keyid, src->preferred_keyid, GNUTLS_OPENPGP_KEYID_SIZE);
119 dest->preferred_set = src->preferred_set;
120
121 return 0;
122 }
123
124 /**
125 * gnutls_openpgp_privkey_sec_param:
126 * @key: a key structure
127 *
128 * This function will return the security parameter appropriate with
129 * this private key.
130 *
131 * Returns: On success, a valid security parameter is returned otherwise
132 * %GNUTLS_SEC_PARAM_UNKNOWN is returned.
133 *
134 * Since: 2.12.0
135 **/
136 gnutls_sec_param_t
137 gnutls_openpgp_privkey_sec_param (gnutls_openpgp_privkey_t key)
138 {
139 gnutls_pk_algorithm_t algo;
140 unsigned int bits;
141
142 algo = gnutls_openpgp_privkey_get_pk_algorithm (key, &bits);
143 if (algo == GNUTLS_PK_UNKNOWN)
144 {
145 gnutls_assert ();
146 return GNUTLS_SEC_PARAM_UNKNOWN;
147 }
148
149 return gnutls_pk_bits_to_sec_param (algo, bits);
150 }
151
152 /**
153 * gnutls_openpgp_privkey_import:
154 * @key: The structure to store the parsed key.
155 * @data: The RAW or BASE64 encoded key.
156 * @format: One of #gnutls_openpgp_crt_fmt_t elements.
157 * @password: not used for now
158 * @flags: should be (0)
159 *
160 * This function will convert the given RAW or Base64 encoded key to
161 * the native gnutls_openpgp_privkey_t format. The output will be
162 * stored in 'key'.
163 *
164 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
165 **/
166 int
167 gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key,
168 const gnutls_datum_t * data,
169 gnutls_openpgp_crt_fmt_t format,
170 const char *password, unsigned int flags)
171 {
172 cdk_packet_t pkt;
173 int rc, armor;
174
175 if (data->data == NULL || data->size == 0)
176 {
177 gnutls_assert ();
178 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
179 }
180
181 if (format == GNUTLS_OPENPGP_FMT_RAW)
182 armor = 0;
183 else armor = 1;
184
185 rc = cdk_kbnode_read_from_mem (&key->knode, armor, data->data, data->size);
186 if (rc != 0)
187 {
188 rc = _gnutls_map_cdk_rc (rc);
189 gnutls_assert ();
190 return rc;
191 }
192
193 /* Test if the import was successful. */
194 pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
195 if (pkt == NULL)
196 {
197 gnutls_assert ();
198 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
199 }
200
201 return 0;
202 }
203
204 /**
205 * gnutls_openpgp_privkey_export:
206 * @key: Holds the key.
207 * @format: One of gnutls_openpgp_crt_fmt_t elements.
208 * @password: the password that will be used to encrypt the key. (unused for now)
209 * @flags: (0) for future compatibility
210 * @output_data: will contain the key base64 encoded or raw
211 * @output_data_size: holds the size of output_data (and will be
212 * replaced by the actual size of parameters)
213 *
214 * This function will convert the given key to RAW or Base64 format.
215 * If the buffer provided is not long enough to hold the output, then
216 * GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
217 *
218 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
219 *
220 * Since: 2.4.0
221 **/
222 int
223 gnutls_openpgp_privkey_export (gnutls_openpgp_privkey_t key,
224 gnutls_openpgp_crt_fmt_t format,
225 const char *password, unsigned int flags,
226 void *output_data, size_t * output_data_size)
227 {
228 /* FIXME for now we do not export encrypted keys */
229 return _gnutls_openpgp_export (key->knode, format, output_data,
230 output_data_size, 1);
231 }
232
233 /**
234 * gnutls_openpgp_privkey_export2:
235 * @key: Holds the key.
236 * @format: One of gnutls_openpgp_crt_fmt_t elements.
237 * @password: the password that will be used to encrypt the key. (unused for now)
238 * @flags: (0) for future compatibility
239 * @out: will contain the raw or based64 encoded key
240 *
241 * This function will convert the given key to RAW or Base64 format.
242 * The output buffer is allocated using gnutls_malloc().
243 *
244 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
245 *
246 * Since: 3.1
247 **/
248 int
249 gnutls_openpgp_privkey_export2 (gnutls_openpgp_privkey_t key,
250 gnutls_openpgp_crt_fmt_t format,
251 const char *password, unsigned int flags,
252 gnutls_datum_t *out)
253 {
254 /* FIXME for now we do not export encrypted keys */
255 return _gnutls_openpgp_export2 (key->knode, format, out, 1);
256 }
257
258
259 /**
260 * gnutls_openpgp_privkey_get_pk_algorithm:
261 * @key: is an OpenPGP key
262 * @bits: if bits is non null it will hold the size of the parameters' in bits
263 *
264 * This function will return the public key algorithm of an OpenPGP
265 * certificate.
266 *
267 * If bits is non null, it should have enough size to hold the parameters
268 * size in bits. For RSA the bits returned is the modulus.
269 * For DSA the bits returned are of the public exponent.
270 *
271 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
272 * success, or a negative error code on error.
273 *
274 * Since: 2.4.0
275 **/
276 gnutls_pk_algorithm_t
277 gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t key,
278 unsigned int *bits)
279 {
280 cdk_packet_t pkt;
281 int algo = 0, ret;
282 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
283
284 if (!key)
285 {
286 gnutls_assert ();
287 return GNUTLS_PK_UNKNOWN;
288 }
289
290 ret = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
291 if (ret == 0)
292 {
293 int idx;
294
295 idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
296 if (idx != GNUTLS_OPENPGP_MASTER_KEYID_IDX)
297 {
298 algo =
299 gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, bits);
300 return algo;
301 }
302 }
303
304 pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
305 if (pkt)
306 {
307 if (bits)
308 *bits = cdk_pk_get_nbits (pkt->pkt.secret_key->pk);
309 algo = _gnutls_openpgp_get_algo (pkt->pkt.secret_key->pk->pubkey_algo);
310 }
311
312 return algo;
313 }
314
315 int
316 _gnutls_openpgp_get_algo (int cdk_algo)
317 {
318 int algo;
319
320 if (is_RSA (cdk_algo))
321 algo = GNUTLS_PK_RSA;
322 else if (is_DSA (cdk_algo))
323 algo = GNUTLS_PK_DSA;
324 else
325 {
326 _gnutls_debug_log ("Unknown OpenPGP algorithm %d\n", cdk_algo);
327 algo = GNUTLS_PK_UNKNOWN;
328 }
329
330 return algo;
331 }
332
333 /**
334 * gnutls_openpgp_privkey_get_revoked_status:
335 * @key: the structure that contains the OpenPGP private key.
336 *
337 * Get revocation status of key.
338 *
339 * Returns: true (1) if the key has been revoked, or false (0) if it
340 * has not, or a negative error code indicates an error.
341 *
342 * Since: 2.4.0
343 **/
344 int
345 gnutls_openpgp_privkey_get_revoked_status (gnutls_openpgp_privkey_t key)
346 {
347 cdk_packet_t pkt;
348
349 if (!key)
350 {
351 gnutls_assert ();
352 return GNUTLS_E_INVALID_REQUEST;
353 }
354
355 pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
356 if (!pkt)
357 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
358
359 if (pkt->pkt.secret_key->is_revoked != 0)
360 return 1;
361 return 0;
362 }
363
364 /**
365 * gnutls_openpgp_privkey_get_fingerprint:
366 * @key: the raw data that contains the OpenPGP secret key.
367 * @fpr: the buffer to save the fingerprint, must hold at least 20 bytes.
368 * @fprlen: the integer to save the length of the fingerprint.
369 *
370 * Get the fingerprint of the OpenPGP key. Depends on the
371 * algorithm, the fingerprint can be 16 or 20 bytes.
372 *
373 * Returns: On success, 0 is returned, or an error code.
374 *
375 * Since: 2.4.0
376 **/
377 int
378 gnutls_openpgp_privkey_get_fingerprint (gnutls_openpgp_privkey_t key,
379 void *fpr, size_t * fprlen)
380 {
381 cdk_packet_t pkt;
382 cdk_pkt_pubkey_t pk = NULL;
383
384 if (!fpr || !fprlen)
385 {
386 gnutls_assert ();
387 return GNUTLS_E_INVALID_REQUEST;
388 }
389
390 *fprlen = 0;
391
392 pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
393 if (!pkt)
394 {
395 gnutls_assert ();
396 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
397 }
398
399 pk = pkt->pkt.secret_key->pk;
400 *fprlen = 20;
401
402 if (is_RSA (pk->pubkey_algo) && pk->version < 4)
403 *fprlen = 16;
404
405 cdk_pk_get_fingerprint (pk, fpr);
406
407 return 0;
408 }
409
410 /**
411 * gnutls_openpgp_privkey_get_key_id:
412 * @key: the structure that contains the OpenPGP secret key.
413 * @keyid: the buffer to save the keyid.
414 *
415 * Get key-id.
416 *
417 * Returns: the 64-bit keyID of the OpenPGP key.
418 *
419 * Since: 2.4.0
420 **/
421 int
422 gnutls_openpgp_privkey_get_key_id (gnutls_openpgp_privkey_t key,
423 gnutls_openpgp_keyid_t keyid)
424 {
425 cdk_packet_t pkt;
426 uint32_t kid[2];
427
428 if (!key || !keyid)
429 {
430 gnutls_assert ();
431 return GNUTLS_E_INVALID_REQUEST;
432 }
433
434 pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
435 if (!pkt)
436 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
437
438 cdk_sk_get_keyid (pkt->pkt.secret_key, kid);
439 _gnutls_write_uint32 (kid[0], keyid);
440 _gnutls_write_uint32 (kid[1], keyid + 4);
441
442 return 0;
443 }
444
445 /**
446 * gnutls_openpgp_privkey_get_subkey_count:
447 * @key: is an OpenPGP key
448 *
449 * This function will return the number of subkeys present in the
450 * given OpenPGP certificate.
451 *
452 * Returns: the number of subkeys, or a negative error code on error.
453 *
454 * Since: 2.4.0
455 **/
456 int
457 gnutls_openpgp_privkey_get_subkey_count (gnutls_openpgp_privkey_t key)
458 {
459 cdk_kbnode_t p, ctx;
460 cdk_packet_t pkt;
461 int subkeys;
462
463 if (key == NULL)
464 {
465 gnutls_assert ();
466 return 0;
467 }
468
469 ctx = NULL;
470 subkeys = 0;
471 while ((p = cdk_kbnode_walk (key->knode, &ctx, 0)))
472 {
473 pkt = cdk_kbnode_get_packet (p);
474 if (pkt->pkttype == CDK_PKT_SECRET_SUBKEY)
475 subkeys++;
476 }
477
478 return subkeys;
479 }
480
481 /* returns the subkey with the given index */
482 static cdk_packet_t
483 _get_secret_subkey (gnutls_openpgp_privkey_t key, unsigned int indx)
484 {
485 cdk_kbnode_t p, ctx;
486 cdk_packet_t pkt;
487 unsigned int subkeys;
488
489 ctx = NULL;
490 subkeys = 0;
491 while ((p = cdk_kbnode_walk (key->knode, &ctx, 0)))
492 {
493 pkt = cdk_kbnode_get_packet (p);
494 if (pkt->pkttype == CDK_PKT_SECRET_SUBKEY && indx == subkeys++)
495 return pkt;
496 }
497
498 return NULL;
499 }
500
501 /**
502 * gnutls_openpgp_privkey_get_subkey_revoked_status:
503 * @key: the structure that contains the OpenPGP private key.
504 * @idx: is the subkey index
505 *
506 * Get revocation status of key.
507 *
508 * Returns: true (1) if the key has been revoked, or false (0) if it
509 * has not, or a negative error code indicates an error.
510 *
511 * Since: 2.4.0
512 **/
513 int
514 gnutls_openpgp_privkey_get_subkey_revoked_status (gnutls_openpgp_privkey_t
515 key, unsigned int idx)
516 {
517 cdk_packet_t pkt;
518
519 if (!key)
520 {
521 gnutls_assert ();
522 return GNUTLS_E_INVALID_REQUEST;
523 }
524
525 if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
526 return gnutls_openpgp_privkey_get_revoked_status(key);
527
528 pkt = _get_secret_subkey (key, idx);
529 if (!pkt)
530 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
531
532 if (pkt->pkt.secret_key->is_revoked != 0)
533 return 1;
534 return 0;
535 }
536
537 /**
538 * gnutls_openpgp_privkey_get_subkey_pk_algorithm:
539 * @key: is an OpenPGP key
540 * @idx: is the subkey index
541 * @bits: if bits is non null it will hold the size of the parameters' in bits
542 *
543 * This function will return the public key algorithm of a subkey of an OpenPGP
544 * certificate.
545 *
546 * If bits is non null, it should have enough size to hold the parameters
547 * size in bits. For RSA the bits returned is the modulus.
548 * For DSA the bits returned are of the public exponent.
549 *
550 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
551 * success, or a negative error code on error.
552 *
553 * Since: 2.4.0
554 **/
555 gnutls_pk_algorithm_t
556 gnutls_openpgp_privkey_get_subkey_pk_algorithm (gnutls_openpgp_privkey_t key,
557 unsigned int idx,
558 unsigned int *bits)
559 {
560 cdk_packet_t pkt;
561 int algo;
562
563 if (!key)
564 {
565 gnutls_assert ();
566 return GNUTLS_PK_UNKNOWN;
567 }
568
569 if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
570 return gnutls_openpgp_privkey_get_pk_algorithm(key, bits);
571
572 pkt = _get_secret_subkey (key, idx);
573
574 algo = 0;
575 if (pkt)
576 {
577 if (bits)
578 *bits = cdk_pk_get_nbits (pkt->pkt.secret_key->pk);
579 algo = pkt->pkt.secret_key->pubkey_algo;
580 if (is_RSA (algo))
581 algo = GNUTLS_PK_RSA;
582 else if (is_DSA (algo))
583 algo = GNUTLS_PK_DSA;
584 else
585 algo = GNUTLS_E_UNKNOWN_PK_ALGORITHM;
586 }
587
588 return algo;
589 }
590
591 /**
592 * gnutls_openpgp_privkey_get_subkey_idx:
593 * @key: the structure that contains the OpenPGP private key.
594 * @keyid: the keyid.
595 *
596 * Get index of subkey.
597 *
598 * Returns: the index of the subkey or a negative error value.
599 *
600 * Since: 2.4.0
601 **/
602 int
603 gnutls_openpgp_privkey_get_subkey_idx (gnutls_openpgp_privkey_t key,
604 const gnutls_openpgp_keyid_t keyid)
605 {
606 int ret;
607 uint32_t kid[2];
608 uint8_t master_id[GNUTLS_OPENPGP_KEYID_SIZE];
609
610 if (!key)
611 {
612 gnutls_assert ();
613 return GNUTLS_E_INVALID_REQUEST;
614 }
615
616 ret = gnutls_openpgp_privkey_get_key_id (key, master_id);
617 if (ret < 0)
618 return gnutls_assert_val(ret);
619 if (memcmp(master_id, keyid, GNUTLS_OPENPGP_KEYID_SIZE)==0)
620 return GNUTLS_OPENPGP_MASTER_KEYID_IDX;
621
622 KEYID_IMPORT (kid, keyid);
623 ret = _gnutls_openpgp_find_subkey_idx (key->knode, kid, 1);
624
625 if (ret < 0)
626 {
627 gnutls_assert ();
628 }
629
630 return ret;
631 }
632
633 /**
634 * gnutls_openpgp_privkey_get_subkey_creation_time:
635 * @key: the structure that contains the OpenPGP private key.
636 * @idx: the subkey index
637 *
638 * Get subkey creation time.
639 *
640 * Returns: the timestamp when the OpenPGP key was created.
641 *
642 * Since: 2.4.0
643 **/
644 time_t
645 gnutls_openpgp_privkey_get_subkey_creation_time (gnutls_openpgp_privkey_t key,
646 unsigned int idx)
647 {
648 cdk_packet_t pkt;
649 time_t timestamp;
650
651 if (!key)
652 return (time_t) - 1;
653
654 if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
655 pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
656 else
657 pkt = _get_secret_subkey (key, idx);
658
659 if (pkt)
660 timestamp = pkt->pkt.secret_key->pk->timestamp;
661 else
662 timestamp = 0;
663
664 return timestamp;
665 }
666
667 /**
668 * gnutls_openpgp_privkey_get_subkey_expiration_time:
669 * @key: the structure that contains the OpenPGP private key.
670 * @idx: the subkey index
671 *
672 * Get subkey expiration time. A value of '0' means that the key
673 * doesn't expire at all.
674 *
675 * Returns: the time when the OpenPGP key expires.
676 *
677 * Since: 2.4.0
678 **/
679 time_t
680 gnutls_openpgp_privkey_get_subkey_expiration_time (gnutls_openpgp_privkey_t
681 key, unsigned int idx)
682 {
683 cdk_packet_t pkt;
684 time_t timestamp;
685
686 if (!key)
687 return (time_t) - 1;
688
689 if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
690 pkt = cdk_kbnode_find_packet (key->knode, CDK_PKT_SECRET_KEY);
691 else
692 pkt = _get_secret_subkey (key, idx);
693
694 if (pkt)
695 timestamp = pkt->pkt.secret_key->pk->expiredate;
696 else
697 timestamp = 0;
698
699 return timestamp;
700 }
701
702 /**
703 * gnutls_openpgp_privkey_get_subkey_id:
704 * @key: the structure that contains the OpenPGP secret key.
705 * @idx: the subkey index
706 * @keyid: the buffer to save the keyid.
707 *
708 * Get the key-id for the subkey.
709 *
710 * Returns: the 64-bit keyID of the OpenPGP key.
711 *
712 * Since: 2.4.0
713 **/
714 int
715 gnutls_openpgp_privkey_get_subkey_id (gnutls_openpgp_privkey_t key,
716 unsigned int idx,
717 gnutls_openpgp_keyid_t keyid)
718 {
719 cdk_packet_t pkt;
720 uint32_t kid[2];
721
722 if (!key || !keyid)
723 {
724 gnutls_assert ();
725 return GNUTLS_E_INVALID_REQUEST;
726 }
727
728 if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
729 return gnutls_openpgp_privkey_get_key_id(key, keyid);
730
731 pkt = _get_secret_subkey (key, idx);
732 if (!pkt)
733 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
734
735 cdk_sk_get_keyid (pkt->pkt.secret_key, kid);
736 _gnutls_write_uint32 (kid[0], keyid);
737 _gnutls_write_uint32 (kid[1], keyid + 4);
738
739 return 0;
740 }
741
742 /**
743 * gnutls_openpgp_privkey_get_subkey_fingerprint:
744 * @key: the raw data that contains the OpenPGP secret key.
745 * @idx: the subkey index
746 * @fpr: the buffer to save the fingerprint, must hold at least 20 bytes.
747 * @fprlen: the integer to save the length of the fingerprint.
748 *
749 * Get the fingerprint of an OpenPGP subkey. Depends on the
750 * algorithm, the fingerprint can be 16 or 20 bytes.
751 *
752 * Returns: On success, 0 is returned, or an error code.
753 *
754 * Since: 2.4.0
755 **/
756 int
757 gnutls_openpgp_privkey_get_subkey_fingerprint (gnutls_openpgp_privkey_t key,
758 unsigned int idx,
759 void *fpr, size_t * fprlen)
760 {
761 cdk_packet_t pkt;
762 cdk_pkt_pubkey_t pk = NULL;
763
764 if (!fpr || !fprlen)
765 {
766 gnutls_assert ();
767 return GNUTLS_E_INVALID_REQUEST;
768 }
769
770 if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
771 return gnutls_openpgp_privkey_get_fingerprint(key, fpr, fprlen);
772
773 *fprlen = 0;
774
775 pkt = _get_secret_subkey (key, idx);
776 if (!pkt)
777 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
778
779
780 pk = pkt->pkt.secret_key->pk;
781 *fprlen = 20;
782
783 if (is_RSA (pk->pubkey_algo) && pk->version < 4)
784 *fprlen = 16;
785
786 cdk_pk_get_fingerprint (pk, fpr);
787
788 return 0;
789 }
790
791 /* Extracts DSA and RSA parameters from a certificate.
792 */
793 int
794 _gnutls_openpgp_privkey_get_mpis (gnutls_openpgp_privkey_t pkey,
795 uint32_t * keyid /*[2] */ ,
796 gnutls_pk_params_st * params)
797 {
798 int result;
799 unsigned int i, pk_algorithm;
800 cdk_packet_t pkt;
801
802 gnutls_pk_params_init(params);
803
804 if (keyid == NULL)
805 pkt = cdk_kbnode_find_packet (pkey->knode, CDK_PKT_SECRET_KEY);
806 else
807 pkt = _gnutls_openpgp_find_key (pkey->knode, keyid, 1);
808
809 if (pkt == NULL)
810 {
811 gnutls_assert ();
812 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
813 }
814
815 pk_algorithm =
816 _gnutls_openpgp_get_algo (pkt->pkt.secret_key->pk->pubkey_algo);
817
818 switch (pk_algorithm)
819 {
820 case GNUTLS_PK_RSA:
821 /* openpgp does not hold all parameters as in PKCS #1
822 */
823 params->params_nr = RSA_PRIVATE_PARAMS - 2;
824 break;
825 case GNUTLS_PK_DSA:
826 params->params_nr = DSA_PRIVATE_PARAMS;
827 break;
828 default:
829 gnutls_assert ();
830 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
831 }
832
833 for (i = 0; i < params->params_nr; i++)
834 {
835 result = _gnutls_read_pgp_mpi (pkt, 1, i, &params->params[i]);
836 if (result < 0)
837 {
838 gnutls_assert ();
839 goto error;
840 }
841 }
842
843 /* fixup will generate exp1 and exp2 that are not
844 * available here.
845 */
846 result = _gnutls_pk_fixup (pk_algorithm, GNUTLS_IMPORT, params);
847 if (result < 0)
848 {
849 gnutls_assert ();
850 goto error;
851 }
852
853 return 0;
854
855 error:
856 gnutls_pk_params_release(params);
857
858 return result;
859 }
860
861 /* The internal version of export
862 */
863 static int
864 _get_sk_rsa_raw (gnutls_openpgp_privkey_t pkey, gnutls_openpgp_keyid_t keyid,
865 gnutls_datum_t * m, gnutls_datum_t * e,
866 gnutls_datum_t * d, gnutls_datum_t * p,
867 gnutls_datum_t * q, gnutls_datum_t * u)
868 {
869 int pk_algorithm, ret;
870 cdk_packet_t pkt;
871 uint32_t kid32[2];
872 gnutls_pk_params_st params;
873
874 if (pkey == NULL)
875 {
876 gnutls_assert ();
877 return GNUTLS_E_INVALID_REQUEST;
878 }
879
880 KEYID_IMPORT (kid32, keyid);
881
882 pkt = _gnutls_openpgp_find_key (pkey->knode, kid32, 1);
883 if (pkt == NULL)
884 {
885 gnutls_assert ();
886 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
887 }
888
889 pk_algorithm =
890 _gnutls_openpgp_get_algo (pkt->pkt.secret_key->pk->pubkey_algo);
891
892 if (pk_algorithm != GNUTLS_PK_RSA)
893 {
894 gnutls_assert ();
895 return GNUTLS_E_INVALID_REQUEST;
896 }
897
898 ret = _gnutls_openpgp_privkey_get_mpis (pkey, kid32, &params);
899 if (ret < 0)
900 {
901 gnutls_assert ();
902 return ret;
903 }
904
905 ret = _gnutls_mpi_dprint (params.params[0], m);
906 if (ret < 0)
907 {
908 gnutls_assert ();
909 goto cleanup;
910 }
911
912 ret = _gnutls_mpi_dprint (params.params[1], e);
913 if (ret < 0)
914 {
915 gnutls_assert ();
916 _gnutls_free_datum (m);
917 goto cleanup;
918 }
919
920 ret = _gnutls_mpi_dprint (params.params[2], d);
921 if (ret < 0)
922 {
923 gnutls_assert ();
924 _gnutls_free_datum (m);
925 _gnutls_free_datum (e);
926 goto cleanup;
927 }
928
929 ret = _gnutls_mpi_dprint (params.params[3], p);
930 if (ret < 0)
931 {
932 gnutls_assert ();
933 _gnutls_free_datum (m);
934 _gnutls_free_datum (e);
935 _gnutls_free_datum (d);
936 goto cleanup;
937 }
938
939 ret = _gnutls_mpi_dprint (params.params[4], q);
940 if (ret < 0)
941 {
942 gnutls_assert ();
943 _gnutls_free_datum (m);
944 _gnutls_free_datum (e);
945 _gnutls_free_datum (d);
946 _gnutls_free_datum (p);
947 goto cleanup;
948 }
949
950 ret = _gnutls_mpi_dprint (params.params[5], u);
951 if (ret < 0)
952 {
953 gnutls_assert ();
954 _gnutls_free_datum (q);
955 _gnutls_free_datum (m);
956 _gnutls_free_datum (e);
957 _gnutls_free_datum (d);
958 _gnutls_free_datum (p);
959 goto cleanup;
960 }
961
962 ret = 0;
963
964 cleanup:
965 gnutls_pk_params_release(&params);
966 return ret;
967 }
968
969 static int
970 _get_sk_dsa_raw (gnutls_openpgp_privkey_t pkey, gnutls_openpgp_keyid_t keyid,
971 gnutls_datum_t * p, gnutls_datum_t * q,
972 gnutls_datum_t * g, gnutls_datum_t * y, gnutls_datum_t * x)
973 {
974 int pk_algorithm, ret;
975 cdk_packet_t pkt;
976 uint32_t kid32[2];
977 gnutls_pk_params_st params;
978
979 if (pkey == NULL)
980 {
981 gnutls_assert ();
982 return GNUTLS_E_INVALID_REQUEST;
983 }
984
985 KEYID_IMPORT (kid32, keyid);
986
987 pkt = _gnutls_openpgp_find_key (pkey->knode, kid32, 1);
988 if (pkt == NULL)
989 {
990 gnutls_assert ();
991 return GNUTLS_E_OPENPGP_GETKEY_FAILED;
992 }
993
994 pk_algorithm =
995 _gnutls_openpgp_get_algo (pkt->pkt.secret_key->pk->pubkey_algo);
996
997 if (pk_algorithm != GNUTLS_PK_DSA)
998 {
999 gnutls_assert ();
1000 return GNUTLS_E_INVALID_REQUEST;
1001 }
1002
1003 ret = _gnutls_openpgp_privkey_get_mpis (pkey, kid32, &params);
1004 if (ret < 0)
1005 {
1006 gnutls_assert ();
1007 return ret;
1008 }
1009
1010 /* P */
1011 ret = _gnutls_mpi_dprint (params.params[0], p);
1012 if (ret < 0)
1013 {
1014 gnutls_assert ();
1015 goto cleanup;
1016 }
1017
1018 /* Q */
1019 ret = _gnutls_mpi_dprint (params.params[1], q);
1020 if (ret < 0)
1021 {
1022 gnutls_assert ();
1023 _gnutls_free_datum (p);
1024 goto cleanup;
1025 }
1026
1027
1028 /* G */
1029 ret = _gnutls_mpi_dprint (params.params[2], g);
1030 if (ret < 0)
1031 {
1032 gnutls_assert ();
1033 _gnutls_free_datum (p);
1034 _gnutls_free_datum (q);
1035 goto cleanup;
1036 }
1037
1038
1039 /* Y */
1040 ret = _gnutls_mpi_dprint (params.params[3], y);
1041 if (ret < 0)
1042 {
1043 gnutls_assert ();
1044 _gnutls_free_datum (p);
1045 _gnutls_free_datum (g);
1046 _gnutls_free_datum (q);
1047 goto cleanup;
1048 }
1049
1050 ret = _gnutls_mpi_dprint (params.params[4], x);
1051 if (ret < 0)
1052 {
1053 gnutls_assert ();
1054 _gnutls_free_datum (y);
1055 _gnutls_free_datum (p);
1056 _gnutls_free_datum (g);
1057 _gnutls_free_datum (q);
1058 goto cleanup;
1059 }
1060
1061 ret = 0;
1062
1063 cleanup:
1064 gnutls_pk_params_release(&params);
1065 return ret;
1066 }
1067
1068
1069 /**
1070 * gnutls_openpgp_privkey_export_rsa_raw:
1071 * @pkey: Holds the certificate
1072 * @m: will hold the modulus
1073 * @e: will hold the public exponent
1074 * @d: will hold the private exponent
1075 * @p: will hold the first prime (p)
1076 * @q: will hold the second prime (q)
1077 * @u: will hold the coefficient
1078 *
1079 * This function will export the RSA private key's parameters found in
1080 * the given structure. The new parameters will be allocated using
1081 * gnutls_malloc() and will be stored in the appropriate datum.
1082 *
1083 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
1084 *
1085 * Since: 2.4.0
1086 **/
1087 int
1088 gnutls_openpgp_privkey_export_rsa_raw (gnutls_openpgp_privkey_t pkey,
1089 gnutls_datum_t * m, gnutls_datum_t * e,
1090 gnutls_datum_t * d, gnutls_datum_t * p,
1091 gnutls_datum_t * q, gnutls_datum_t * u)
1092 {
1093 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1094 int ret;
1095
1096 ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
1097 if (ret < 0)
1098 {
1099 gnutls_assert ();
1100 return ret;
1101 }
1102
1103 return _get_sk_rsa_raw (pkey, keyid, m, e, d, p, q, u);
1104 }
1105
1106 /**
1107 * gnutls_openpgp_privkey_export_dsa_raw:
1108 * @pkey: Holds the certificate
1109 * @p: will hold the p
1110 * @q: will hold the q
1111 * @g: will hold the g
1112 * @y: will hold the y
1113 * @x: will hold the x
1114 *
1115 * This function will export the DSA private key's parameters found in
1116 * the given certificate. The new parameters will be allocated using
1117 * gnutls_malloc() and will be stored in the appropriate datum.
1118 *
1119 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
1120 *
1121 * Since: 2.4.0
1122 **/
1123 int
1124 gnutls_openpgp_privkey_export_dsa_raw (gnutls_openpgp_privkey_t pkey,
1125 gnutls_datum_t * p, gnutls_datum_t * q,
1126 gnutls_datum_t * g, gnutls_datum_t * y,
1127 gnutls_datum_t * x)
1128 {
1129 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1130 int ret;
1131
1132 ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
1133 if (ret < 0)
1134 {
1135 gnutls_assert ();
1136 return ret;
1137 }
1138
1139 return _get_sk_dsa_raw (pkey, keyid, p, q, g, y, x);
1140 }
1141
1142 /**
1143 * gnutls_openpgp_privkey_export_subkey_rsa_raw:
1144 * @pkey: Holds the certificate
1145 * @idx: Is the subkey index
1146 * @m: will hold the modulus
1147 * @e: will hold the public exponent
1148 * @d: will hold the private exponent
1149 * @p: will hold the first prime (p)
1150 * @q: will hold the second prime (q)
1151 * @u: will hold the coefficient
1152 *
1153 * This function will export the RSA private key's parameters found in
1154 * the given structure. The new parameters will be allocated using
1155 * gnutls_malloc() and will be stored in the appropriate datum.
1156 *
1157 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
1158 *
1159 * Since: 2.4.0
1160 **/
1161 int
1162 gnutls_openpgp_privkey_export_subkey_rsa_raw (gnutls_openpgp_privkey_t pkey,
1163 unsigned int idx,
1164 gnutls_datum_t * m,
1165 gnutls_datum_t * e,
1166 gnutls_datum_t * d,
1167 gnutls_datum_t * p,
1168 gnutls_datum_t * q,
1169 gnutls_datum_t * u)
1170 {
1171 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1172 int ret;
1173
1174 if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
1175 ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
1176 else
1177 ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
1178 if (ret < 0)
1179 {
1180 gnutls_assert ();
1181 return ret;
1182 }
1183
1184 return _get_sk_rsa_raw (pkey, keyid, m, e, d, p, q, u);
1185 }
1186
1187 /**
1188 * gnutls_openpgp_privkey_export_subkey_dsa_raw:
1189 * @pkey: Holds the certificate
1190 * @idx: Is the subkey index
1191 * @p: will hold the p
1192 * @q: will hold the q
1193 * @g: will hold the g
1194 * @y: will hold the y
1195 * @x: will hold the x
1196 *
1197 * This function will export the DSA private key's parameters found
1198 * in the given certificate. The new parameters will be allocated
1199 * using gnutls_malloc() and will be stored in the appropriate datum.
1200 *
1201 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
1202 *
1203 * Since: 2.4.0
1204 **/
1205 int
1206 gnutls_openpgp_privkey_export_subkey_dsa_raw (gnutls_openpgp_privkey_t pkey,
1207 unsigned int idx,
1208 gnutls_datum_t * p,
1209 gnutls_datum_t * q,
1210 gnutls_datum_t * g,
1211 gnutls_datum_t * y,
1212 gnutls_datum_t * x)
1213 {
1214 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1215 int ret;
1216
1217 if (idx == GNUTLS_OPENPGP_MASTER_KEYID_IDX)
1218 ret = gnutls_openpgp_privkey_get_key_id (pkey, keyid);
1219 else
1220 ret = gnutls_openpgp_privkey_get_subkey_id (pkey, idx, keyid);
1221
1222 if (ret < 0)
1223 {
1224 gnutls_assert ();
1225 return ret;
1226 }
1227
1228 return _get_sk_dsa_raw (pkey, keyid, p, q, g, y, x);
1229 }
1230
1231 /**
1232 * gnutls_openpgp_privkey_get_preferred_key_id:
1233 * @key: the structure that contains the OpenPGP public key.
1234 * @keyid: the struct to save the keyid.
1235 *
1236 * Get the preferred key-id for the key.
1237 *
1238 * Returns: the 64-bit preferred keyID of the OpenPGP key, or if it
1239 * hasn't been set it returns %GNUTLS_E_INVALID_REQUEST.
1240 **/
1241 int
1242 gnutls_openpgp_privkey_get_preferred_key_id (gnutls_openpgp_privkey_t key,
1243 gnutls_openpgp_keyid_t keyid)
1244 {
1245 if (!key->preferred_set)
1246 return gnutls_assert_val(GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR);
1247
1248 if (!key || !keyid)
1249 {
1250 gnutls_assert ();
1251 return GNUTLS_E_INVALID_REQUEST;
1252 }
1253
1254 memcpy (keyid, key->preferred_keyid, GNUTLS_OPENPGP_KEYID_SIZE);
1255
1256 return 0;
1257 }
1258
1259 /**
1260 * gnutls_openpgp_privkey_set_preferred_key_id:
1261 * @key: the structure that contains the OpenPGP public key.
1262 * @keyid: the selected keyid
1263 *
1264 * This allows setting a preferred key id for the given certificate.
1265 * This key will be used by functions that involve key handling.
1266 *
1267 * If the provided @keyid is %NULL then the master key is
1268 * set as preferred.
1269 *
1270 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1271 * otherwise a negative error code is returned.
1272 **/
1273 int
1274 gnutls_openpgp_privkey_set_preferred_key_id (gnutls_openpgp_privkey_t key,
1275 const gnutls_openpgp_keyid_t
1276 keyid)
1277 {
1278 int ret;
1279
1280 if (!key)
1281 {
1282 gnutls_assert ();
1283 return GNUTLS_E_INVALID_REQUEST;
1284 }
1285
1286 if (keyid == NULL) /* set the master as preferred */
1287 {
1288 uint8_t tmp[GNUTLS_OPENPGP_KEYID_SIZE];
1289
1290 ret = gnutls_openpgp_privkey_get_key_id (key, tmp);
1291 if (ret < 0)
1292 return gnutls_assert_val(ret);
1293
1294 key->preferred_set = 1;
1295 memcpy (key->preferred_keyid, tmp, GNUTLS_OPENPGP_KEYID_SIZE);
1296
1297 return 0;
1298 }
1299
1300 /* check if the id is valid */
1301 ret = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
1302 if (ret < 0)
1303 {
1304 _gnutls_debug_log ("the requested subkey does not exist\n");
1305 gnutls_assert ();
1306 return ret;
1307 }
1308
1309 key->preferred_set = 1;
1310 memcpy (key->preferred_keyid, keyid, GNUTLS_OPENPGP_KEYID_SIZE);
1311
1312 return 0;
1313 }
1314
1315 /**
1316 * gnutls_openpgp_privkey_sign_hash:
1317 * @key: Holds the key
1318 * @hash: holds the data to be signed
1319 * @signature: will contain newly allocated signature
1320 *
1321 * This function will sign the given hash using the private key. You
1322 * should use gnutls_openpgp_privkey_set_preferred_key_id() before
1323 * calling this function to set the subkey to use.
1324 *
1325 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1326 * negative error value.
1327 *
1328 * Deprecated: Use gnutls_privkey_sign_hash() instead.
1329 */
1330 int
1331 gnutls_openpgp_privkey_sign_hash (gnutls_openpgp_privkey_t key,
1332 const gnutls_datum_t * hash,
1333 gnutls_datum_t * signature)
1334 {
1335 int result;
1336 gnutls_pk_params_st params;
1337 int pk_algorithm;
1338 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1339
1340 if (key == NULL)
1341 {
1342 gnutls_assert ();
1343 return GNUTLS_E_INVALID_REQUEST;
1344 }
1345
1346 result = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
1347 if (result == 0)
1348 {
1349 uint32_t kid[2];
1350 int idx;
1351
1352 KEYID_IMPORT (kid, keyid);
1353
1354 idx = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
1355 pk_algorithm =
1356 gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, idx, NULL);
1357 result =
1358 _gnutls_openpgp_privkey_get_mpis (key, kid, &params);
1359 }
1360 else
1361 {
1362 pk_algorithm = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL);
1363 result = _gnutls_openpgp_privkey_get_mpis (key, NULL, &params);
1364 }
1365
1366 if (result < 0)
1367 {
1368 gnutls_assert ();
1369 return result;
1370 }
1371
1372
1373 result =
1374 _gnutls_pk_sign (pk_algorithm, signature, hash, &params);
1375
1376 gnutls_pk_params_release(&params);
1377
1378 if (result < 0)
1379 {
1380 gnutls_assert ();
1381 return result;
1382 }
1383
1384 return 0;
1385 }
1386
1387 /*-
1388 * _gnutls_openpgp_privkey_decrypt_data:
1389 * @key: Holds the key
1390 * @flags: (0) for now
1391 * @ciphertext: holds the data to be decrypted
1392 * @plaintext: will contain newly allocated plaintext
1393 *
1394 * This function will sign the given hash using the private key. You
1395 * should use gnutls_openpgp_privkey_set_preferred_key_id() before
1396 * calling this function to set the subkey to use.
1397 *
1398 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1399 * negative error value.
1400 -*/
1401 int
1402 _gnutls_openpgp_privkey_decrypt_data (gnutls_openpgp_privkey_t key,
1403 unsigned int flags,
1404 const gnutls_datum_t * ciphertext,
1405 gnutls_datum_t * plaintext)
1406 {
1407 int result, i;
1408 gnutls_pk_params_st params;
1409 int pk_algorithm;
1410 uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1411
1412 if (key == NULL)
1413 {
1414 gnutls_assert ();
1415 return GNUTLS_E_INVALID_REQUEST;
1416 }
1417
1418 result = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
1419 if (result == 0)
1420 {
1421 uint32_t kid[2];
1422
1423 KEYID_IMPORT (kid, keyid);
1424 result = _gnutls_openpgp_privkey_get_mpis (key, kid, &params);
1425
1426 i = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
1427
1428 pk_algorithm = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, i, NULL);
1429 }
1430 else
1431 {
1432 pk_algorithm = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL);
1433
1434 result = _gnutls_openpgp_privkey_get_mpis (key, NULL, &params);
1435
1436 }
1437
1438 if (result < 0)
1439 {
1440 gnutls_assert ();
1441 return result;
1442 }
1443
1444 result = _gnutls_pk_decrypt (pk_algorithm, plaintext, ciphertext, &params);
1445
1446 gnutls_pk_params_release(&params);
1447
1448 if (result < 0)
1449 return gnutls_assert_val(result);
1450
1451 return 0;
1452 }
Implementation of the SSL/TLS protocol