2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
4 * Author: Timo Schulz, Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 #include "gnutls_int.h"
24 #include "gnutls_errors.h"
25 #include "gnutls_mpi.h"
26 #include "gnutls_num.h"
27 #include "gnutls_datum.h"
28 #include "gnutls_global.h"
29 #include "gnutls_openpgp.h"
30 #include "read-file.h"
31 #include <gnutls/abstract.h>
32 #include <gnutls_str.h>
33 #include <gnutls_sig.h>
37 /* Map an OpenCDK error type to a GnuTLS error type. */
39 _gnutls_map_cdk_rc (int rc
)
46 return GNUTLS_E_PARSING_ERROR
;
48 return GNUTLS_E_SHORT_MEMORY_BUFFER
;
49 case CDK_General_Error
:
50 return GNUTLS_E_INTERNAL_ERROR
;
52 return GNUTLS_E_FILE_ERROR
;
54 return GNUTLS_E_MPI_SCAN_FAILED
;
55 case CDK_Error_No_Key
:
56 return GNUTLS_E_OPENPGP_GETKEY_FAILED
;
58 return GNUTLS_E_BASE64_DECODING_ERROR
;
60 return GNUTLS_E_INVALID_REQUEST
;
62 return GNUTLS_E_INTERNAL_ERROR
;
67 * gnutls_certificate_set_openpgp_key:
68 * @res: is a #gnutls_certificate_credentials_t structure.
69 * @crt: contains an openpgp public key
70 * @pkey: is an openpgp private key
72 * This function sets a certificate/private key pair in the
73 * gnutls_certificate_credentials_t structure. This function may be
74 * called more than once (in case multiple keys/certificates exist
77 * Note that this function requires that the preferred key ids have
78 * been set and be used. See gnutls_openpgp_crt_set_preferred_key_id().
79 * Otherwise the master key will be used.
81 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
82 * otherwise a negative error code is returned.
85 gnutls_certificate_set_openpgp_key (gnutls_certificate_credentials_t res
,
86 gnutls_openpgp_crt_t crt
,
87 gnutls_openpgp_privkey_t pkey
)
90 gnutls_privkey_t privkey
;
91 gnutls_pcert_st
*ccert
= NULL
;
94 gnutls_str_array_t names
;
96 _gnutls_str_array_init(&names
);
98 /* this should be first */
100 ret
= gnutls_privkey_init (&privkey
);
108 gnutls_privkey_import_openpgp (privkey
, pkey
,
109 GNUTLS_PRIVKEY_IMPORT_COPY
);
116 ccert
= gnutls_calloc (1, sizeof (gnutls_pcert_st
));
120 ret
= GNUTLS_E_MEMORY_ERROR
;
124 max_size
= sizeof(name
);
126 for (i
= 0; !(ret
< 0); i
++)
128 ret
= gnutls_openpgp_crt_get_name(crt
, i
, name
, &max_size
);
131 ret2
= _gnutls_str_array_append(&names
, name
, max_size
);
141 ret
= gnutls_pcert_import_openpgp (ccert
, crt
, 0);
148 ret
= certificate_credentials_append_pkey (res
, privkey
);
150 ret
= certificate_credential_append_crt_list (res
, names
, ccert
, 1);
160 /* FIXME: Check if the keys match. */
165 gnutls_privkey_deinit (privkey
);
167 _gnutls_str_array_clear(&names
);
172 * gnutls_openpgp_get_key:
173 * @key: the destination context to save the key.
174 * @keyring: the datum struct that contains all keyring information.
175 * @attr: The attribute (keyid, fingerprint, ...).
176 * @by: What attribute is used.
178 * This function can be used to retrieve keys by different pattern
179 * from a binary or a file keyring.
182 gnutls_openpgp_get_key (gnutls_datum_t
* key
,
183 gnutls_openpgp_keyring_t keyring
, key_attr_t by
,
186 cdk_kbnode_t knode
= NULL
;
187 unsigned long keyid
[2];
192 cdk_keydb_search_t st
;
194 if (!key
|| !keyring
|| by
== KEY_ATTR_NONE
)
197 return GNUTLS_E_INVALID_REQUEST
;
200 memset (key
, 0, sizeof *key
);
202 if (by
== KEY_ATTR_SHORT_KEYID
)
204 keyid
[0] = _gnutls_read_uint32 (pattern
);
207 else if (by
== KEY_ATTR_KEYID
)
209 keyid
[0] = _gnutls_read_uint32 (pattern
);
210 keyid
[1] = _gnutls_read_uint32 (pattern
+ 4);
215 rc
= cdk_keydb_search_start (&st
, keyring
->db
, by
, desc
);
217 rc
= cdk_keydb_search (st
, keyring
->db
, &knode
);
219 cdk_keydb_search_release (st
);
223 rc
= _gnutls_map_cdk_rc (rc
);
227 if (!cdk_kbnode_find (knode
, CDK_PKT_PUBLIC_KEY
))
229 rc
= GNUTLS_E_OPENPGP_GETKEY_FAILED
;
233 /* We let the function allocate the buffer to avoid
234 to call the function twice. */
235 rc
= cdk_kbnode_write_to_mem_alloc (knode
, &buf
, &len
);
237 _gnutls_datum_append (key
, buf
, len
);
241 cdk_kbnode_release (knode
);
246 * gnutls_certificate_set_openpgp_key_mem:
247 * @res: the destination context to save the data.
248 * @cert: the datum that contains the public key.
249 * @key: the datum that contains the secret key.
250 * @format: the format of the keys
252 * This funtion is used to load OpenPGP keys into the GnuTLS credential
253 * structure. The datum should contain at least one valid non encrypted subkey.
255 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
256 * negative error value.
259 gnutls_certificate_set_openpgp_key_mem (gnutls_certificate_credentials_t res
,
260 const gnutls_datum_t
* cert
,
261 const gnutls_datum_t
* key
,
262 gnutls_openpgp_crt_fmt_t format
)
264 return gnutls_certificate_set_openpgp_key_mem2 (res
, cert
, key
,
269 * gnutls_certificate_set_openpgp_key_file:
270 * @res: the destination context to save the data.
271 * @certfile: the file that contains the public key.
272 * @keyfile: the file that contains the secret key.
273 * @format: the format of the keys
275 * This funtion is used to load OpenPGP keys into the GnuTLS
276 * credentials structure. The file should contain at least one valid non encrypted subkey.
278 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
279 * negative error value.
282 gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t res
,
283 const char *certfile
,
285 gnutls_openpgp_crt_fmt_t format
)
287 return gnutls_certificate_set_openpgp_key_file2 (res
, certfile
,
288 keyfile
, NULL
, format
);
292 get_keyid (gnutls_openpgp_keyid_t keyid
, const char *str
)
294 size_t keyid_size
= GNUTLS_OPENPGP_KEYID_SIZE
;
296 if (strlen (str
) != 16)
299 ("The OpenPGP subkey ID has to be 16 hexadecimal characters.\n");
300 return GNUTLS_E_INVALID_REQUEST
;
303 if (_gnutls_hex2bin (str
, strlen (str
), keyid
, &keyid_size
) < 0)
305 _gnutls_debug_log ("Error converting hex string: %s.\n", str
);
306 return GNUTLS_E_INVALID_REQUEST
;
313 * gnutls_certificate_set_openpgp_key_mem2:
314 * @res: the destination context to save the data.
315 * @cert: the datum that contains the public key.
316 * @key: the datum that contains the secret key.
317 * @subkey_id: a hex encoded subkey id
318 * @format: the format of the keys
320 * This funtion is used to load OpenPGP keys into the GnuTLS
321 * credentials structure. The datum should contain at least one valid non encrypted subkey.
323 * The special keyword "auto" is also accepted as @subkey_id. In that
324 * case the gnutls_openpgp_crt_get_auth_subkey() will be used to
325 * retrieve the subkey.
327 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
328 * negative error value.
333 gnutls_certificate_set_openpgp_key_mem2 (gnutls_certificate_credentials_t res
,
334 const gnutls_datum_t
* cert
,
335 const gnutls_datum_t
* key
,
336 const char *subkey_id
,
337 gnutls_openpgp_crt_fmt_t format
)
339 gnutls_openpgp_privkey_t pkey
;
340 gnutls_openpgp_crt_t crt
;
342 uint8_t keyid
[GNUTLS_OPENPGP_KEYID_SIZE
];
344 ret
= gnutls_openpgp_privkey_init (&pkey
);
351 ret
= gnutls_openpgp_privkey_import (pkey
, key
, format
, NULL
, 0);
355 gnutls_openpgp_privkey_deinit (pkey
);
359 ret
= gnutls_openpgp_crt_init (&crt
);
363 gnutls_openpgp_privkey_deinit (pkey
);
367 ret
= gnutls_openpgp_crt_import (crt
, cert
, format
);
371 gnutls_openpgp_privkey_deinit (pkey
);
372 gnutls_openpgp_crt_deinit (crt
);
376 if (subkey_id
!= NULL
)
378 if (strcasecmp (subkey_id
, "auto") == 0)
379 ret
= gnutls_openpgp_crt_get_auth_subkey (crt
, keyid
, 1);
381 ret
= get_keyid (keyid
, subkey_id
);
388 ret
= gnutls_openpgp_crt_set_preferred_key_id (crt
, keyid
);
390 ret
= gnutls_openpgp_privkey_set_preferred_key_id (pkey
, keyid
);
396 gnutls_openpgp_privkey_deinit (pkey
);
397 gnutls_openpgp_crt_deinit (crt
);
402 ret
= gnutls_certificate_set_openpgp_key (res
, crt
, pkey
);
404 gnutls_openpgp_crt_deinit (crt
);
405 gnutls_openpgp_privkey_deinit (pkey
);
411 * gnutls_certificate_set_openpgp_key_file2:
412 * @res: the destination context to save the data.
413 * @certfile: the file that contains the public key.
414 * @keyfile: the file that contains the secret key.
415 * @subkey_id: a hex encoded subkey id
416 * @format: the format of the keys
418 * This funtion is used to load OpenPGP keys into the GnuTLS credential
419 * structure. The file should contain at least one valid non encrypted subkey.
421 * The special keyword "auto" is also accepted as @subkey_id. In that
422 * case the gnutls_openpgp_crt_get_auth_subkey() will be used to
423 * retrieve the subkey.
425 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
426 * negative error value.
431 gnutls_certificate_set_openpgp_key_file2 (gnutls_certificate_credentials_t
432 res
, const char *certfile
,
434 const char *subkey_id
,
435 gnutls_openpgp_crt_fmt_t format
)
438 gnutls_datum_t key
, cert
;
442 if (!res
|| !keyfile
|| !certfile
)
445 return GNUTLS_E_INVALID_REQUEST
;
448 if (stat (certfile
, &statbuf
) || stat (keyfile
, &statbuf
))
451 return GNUTLS_E_FILE_ERROR
;
454 cert
.data
= (void*)read_binary_file (certfile
, &size
);
455 cert
.size
= (unsigned int) size
;
456 if (cert
.data
== NULL
)
459 return GNUTLS_E_FILE_ERROR
;
462 key
.data
= (void*)read_binary_file (keyfile
, &size
);
463 key
.size
= (unsigned int) size
;
464 if (key
.data
== NULL
)
468 return GNUTLS_E_FILE_ERROR
;
472 gnutls_certificate_set_openpgp_key_mem2 (res
, &cert
, &key
, subkey_id
,
489 gnutls_openpgp_count_key_names (const gnutls_datum_t
* cert
)
491 cdk_kbnode_t knode
, p
, ctx
;
501 if (cdk_kbnode_read_from_mem (&knode
, 0, cert
->data
, cert
->size
))
510 p
= cdk_kbnode_walk (knode
, &ctx
, 0);
513 pkt
= cdk_kbnode_get_packet (p
);
514 if (pkt
->pkttype
== CDK_PKT_USER_ID
)
518 cdk_kbnode_release (knode
);
523 * gnutls_certificate_set_openpgp_keyring_file:
524 * @c: A certificate credentials structure
525 * @file: filename of the keyring.
526 * @format: format of keyring.
528 * The function is used to set keyrings that will be used internally
529 * by various OpenPGP functions. For example to find a key when it
530 * is needed for an operations. The keyring will also be used at the
531 * verification functions.
533 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
534 * negative error value.
537 gnutls_certificate_set_openpgp_keyring_file (gnutls_certificate_credentials_t c
,
539 gnutls_openpgp_crt_fmt_t format
)
548 return GNUTLS_E_INVALID_REQUEST
;
551 ring
.data
= (void*)read_binary_file (file
, &size
);
552 ring
.size
= (unsigned int) size
;
553 if (ring
.data
== NULL
)
556 return GNUTLS_E_FILE_ERROR
;
560 gnutls_certificate_set_openpgp_keyring_mem (c
, ring
.data
, ring
.size
,
569 * gnutls_certificate_set_openpgp_keyring_mem:
570 * @c: A certificate credentials structure
571 * @data: buffer with keyring data.
572 * @dlen: length of data buffer.
573 * @format: the format of the keyring
575 * The function is used to set keyrings that will be used internally
576 * by various OpenPGP functions. For example to find a key when it
577 * is needed for an operations. The keyring will also be used at the
578 * verification functions.
580 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
581 * negative error value.
584 gnutls_certificate_set_openpgp_keyring_mem (gnutls_certificate_credentials_t
585 c
, const uint8_t * data
,
587 gnutls_openpgp_crt_fmt_t format
)
589 gnutls_datum_t ddata
;
592 ddata
.data
= (void *) data
;
595 if (!c
|| !data
|| !dlen
)
598 return GNUTLS_E_INVALID_REQUEST
;
601 rc
= gnutls_openpgp_keyring_init (&c
->keyring
);
608 rc
= gnutls_openpgp_keyring_import (c
->keyring
, &ddata
, format
);
612 gnutls_openpgp_keyring_deinit (c
->keyring
);
620 * _gnutls_openpgp_request_key - Receives a key from a database, key server etc
621 * @ret - a pointer to gnutls_datum_t structure.
622 * @cred - a gnutls_certificate_credentials_t structure.
623 * @key_fingerprint - The keyFingerprint
624 * @key_fingerprint_size - the size of the fingerprint
626 * Retrieves a key from a local database, keyring, or a key server. The
627 * return value is locally allocated.
631 _gnutls_openpgp_request_key (gnutls_session_t session
, gnutls_datum_t
* ret
,
632 const gnutls_certificate_credentials_t cred
,
633 uint8_t * key_fpr
, int key_fpr_size
)
637 if (!ret
|| !cred
|| !key_fpr
)
640 return GNUTLS_E_INVALID_REQUEST
;
643 if (key_fpr_size
!= 16 && key_fpr_size
!= 20)
644 return GNUTLS_E_HASH_FAILED
; /* only MD5 and SHA1 are supported */
646 rc
= gnutls_openpgp_get_key (ret
, cred
->keyring
, KEY_ATTR_FPR
, key_fpr
);
648 if (rc
>= 0) /* key was found */
654 rc
= GNUTLS_E_OPENPGP_GETKEY_FAILED
;
656 /* If the callback function was set, then try this one. */
657 if (session
->internals
.openpgp_recv_key_func
!= NULL
)
659 rc
= session
->internals
.openpgp_recv_key_func (session
,
665 rc
= GNUTLS_E_OPENPGP_GETKEY_FAILED
;
676 * gnutls_openpgp_set_recv_key_function:
677 * @session: a TLS session
678 * @func: the callback
680 * This funtion will set a key retrieval function for OpenPGP keys. This
681 * callback is only useful in server side, and will be used if the peer
682 * sent a key fingerprint instead of a full key.
686 gnutls_openpgp_set_recv_key_function (gnutls_session_t session
,
687 gnutls_openpgp_recv_key_func func
)
689 session
->internals
.openpgp_recv_key_func
= func
;