2003-08-05 19:11:04 +02:00
|
|
|
|
/* import.c - Import certificates
|
2010-03-24 13:15:30 +01:00
|
|
|
|
* Copyright (C) 2001, 2003, 2004, 2009, 2010 Free Software Foundation, Inc.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*
|
|
|
|
|
|
* This file is part of GnuPG.
|
|
|
|
|
|
*
|
|
|
|
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
2007-07-04 21:49:40 +02:00
|
|
|
|
* the Free Software Foundation; either version 3 of the License, or
|
2003-08-05 19:11:04 +02:00
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
|
*
|
|
|
|
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
|
*
|
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2016-11-05 12:02:19 +01:00
|
|
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
2003-08-05 19:11:04 +02:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
|
#include <time.h>
|
|
|
|
|
|
#include <assert.h>
|
2004-12-20 17:17:25 +01:00
|
|
|
|
#include <unistd.h>
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
|
#include "gpgsm.h"
|
|
|
|
|
|
#include <gcrypt.h>
|
|
|
|
|
|
#include <ksba.h>
|
|
|
|
|
|
|
|
|
|
|
|
#include "keydb.h"
|
2017-03-07 12:21:23 +01:00
|
|
|
|
#include "../common/exechelp.h"
|
|
|
|
|
|
#include "../common/i18n.h"
|
|
|
|
|
|
#include "../common/sysutils.h"
|
2009-07-07 18:52:12 +02:00
|
|
|
|
#include "../kbx/keybox.h" /* for KEYBOX_FLAG_* */
|
2010-06-17 17:44:44 +02:00
|
|
|
|
#include "../common/membuf.h"
|
|
|
|
|
|
#include "minip12.h"
|
|
|
|
|
|
|
|
|
|
|
|
/* The arbitrary limit of one PKCS#12 object. */
|
|
|
|
|
|
#define MAX_P12OBJ_SIZE 128 /*kb*/
|
2009-07-07 18:52:12 +02:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
|
struct stats_s {
|
|
|
|
|
|
unsigned long count;
|
|
|
|
|
|
unsigned long imported;
|
|
|
|
|
|
unsigned long unchanged;
|
|
|
|
|
|
unsigned long not_imported;
|
2004-04-30 17:24:33 +02:00
|
|
|
|
unsigned long secret_read;
|
|
|
|
|
|
unsigned long secret_imported;
|
|
|
|
|
|
unsigned long secret_dups;
|
|
|
|
|
|
};
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
struct rsa_secret_key_s
|
2010-06-17 17:44:44 +02:00
|
|
|
|
{
|
|
|
|
|
|
gcry_mpi_t n; /* public modulus */
|
|
|
|
|
|
gcry_mpi_t e; /* public exponent */
|
|
|
|
|
|
gcry_mpi_t d; /* exponent */
|
|
|
|
|
|
gcry_mpi_t p; /* prime p. */
|
|
|
|
|
|
gcry_mpi_t q; /* prime q. */
|
|
|
|
|
|
gcry_mpi_t u; /* inverse of p mod q. */
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
2010-03-08 13:22:18 +01:00
|
|
|
|
static gpg_error_t parse_p12 (ctrl_t ctrl, ksba_reader_t reader,
|
2010-06-17 17:44:44 +02:00
|
|
|
|
struct stats_s *stats);
|
2004-02-13 13:40:23 +01:00
|
|
|
|
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
|
static void
|
2006-09-06 18:35:52 +02:00
|
|
|
|
print_imported_status (ctrl_t ctrl, ksba_cert_t cert, int new_cert)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
|
char *fpr;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
|
2004-02-17 16:05:04 +01:00
|
|
|
|
if (new_cert)
|
|
|
|
|
|
gpgsm_status2 (ctrl, STATUS_IMPORTED, fpr, "[X.509]", NULL);
|
|
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
gpgsm_status2 (ctrl, STATUS_IMPORT_OK,
|
2004-02-17 16:05:04 +01:00
|
|
|
|
new_cert? "1":"0", fpr, NULL);
|
|
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
xfree (fpr);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Print an IMPORT_PROBLEM status. REASON is one of:
|
|
|
|
|
|
0 := "No specific reason given".
|
|
|
|
|
|
1 := "Invalid Certificate".
|
|
|
|
|
|
2 := "Issuer Certificate missing".
|
|
|
|
|
|
3 := "Certificate Chain too long".
|
|
|
|
|
|
4 := "Error storing certificate".
|
|
|
|
|
|
*/
|
|
|
|
|
|
static void
|
2006-09-06 18:35:52 +02:00
|
|
|
|
print_import_problem (ctrl_t ctrl, ksba_cert_t cert, int reason)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
|
char *fpr = NULL;
|
|
|
|
|
|
char buf[25];
|
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
|
|
sprintf (buf, "%d", reason);
|
|
|
|
|
|
if (cert)
|
|
|
|
|
|
{
|
|
|
|
|
|
fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
|
|
|
|
|
|
/* detetect an error (all high) value */
|
|
|
|
|
|
for (i=0; fpr[i] == 'F'; i++)
|
|
|
|
|
|
;
|
|
|
|
|
|
if (!fpr[i])
|
|
|
|
|
|
{
|
|
|
|
|
|
xfree (fpr);
|
|
|
|
|
|
fpr = NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
gpgsm_status2 (ctrl, STATUS_IMPORT_PROBLEM, buf, fpr, NULL);
|
|
|
|
|
|
xfree (fpr);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void
|
2006-09-06 18:35:52 +02:00
|
|
|
|
print_imported_summary (ctrl_t ctrl, struct stats_s *stats)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
|
char buf[14*25];
|
|
|
|
|
|
|
|
|
|
|
|
if (!opt.quiet)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_info (_("total number processed: %lu\n"), stats->count);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
if (stats->imported)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
|
log_info (_(" imported: %lu"), stats->imported );
|
|
|
|
|
|
log_printf ("\n");
|
|
|
|
|
|
}
|
|
|
|
|
|
if (stats->unchanged)
|
|
|
|
|
|
log_info (_(" unchanged: %lu\n"), stats->unchanged);
|
2004-04-30 17:24:33 +02:00
|
|
|
|
if (stats->secret_read)
|
|
|
|
|
|
log_info (_(" secret keys read: %lu\n"), stats->secret_read );
|
|
|
|
|
|
if (stats->secret_imported)
|
|
|
|
|
|
log_info (_(" secret keys imported: %lu\n"), stats->secret_imported );
|
|
|
|
|
|
if (stats->secret_dups)
|
|
|
|
|
|
log_info (_(" secret keys unchanged: %lu\n"), stats->secret_dups );
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (stats->not_imported)
|
|
|
|
|
|
log_info (_(" not imported: %lu\n"), stats->not_imported);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2004-04-30 17:24:33 +02:00
|
|
|
|
sprintf(buf, "%lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu",
|
|
|
|
|
|
stats->count,
|
|
|
|
|
|
0l /*stats->no_user_id*/,
|
|
|
|
|
|
stats->imported,
|
|
|
|
|
|
0l /*stats->imported_rsa*/,
|
|
|
|
|
|
stats->unchanged,
|
|
|
|
|
|
0l /*stats->n_uids*/,
|
|
|
|
|
|
0l /*stats->n_subk*/,
|
|
|
|
|
|
0l /*stats->n_sigs*/,
|
|
|
|
|
|
0l /*stats->n_revoc*/,
|
|
|
|
|
|
stats->secret_read,
|
|
|
|
|
|
stats->secret_imported,
|
|
|
|
|
|
stats->secret_dups,
|
|
|
|
|
|
0l /*stats->skipped_new_keys*/,
|
|
|
|
|
|
stats->not_imported
|
|
|
|
|
|
);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
gpgsm_status (ctrl, STATUS_IMPORT_RES, buf);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2007-03-20 17:57:40 +01:00
|
|
|
|
check_and_store (ctrl_t ctrl, struct stats_s *stats,
|
|
|
|
|
|
ksba_cert_t cert, int depth)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
2004-04-30 05:27:10 +02:00
|
|
|
|
if (stats)
|
|
|
|
|
|
stats->count++;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if ( depth >= 50 )
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error (_("certificate chain too long\n"));
|
2004-04-30 05:27:10 +02:00
|
|
|
|
if (stats)
|
|
|
|
|
|
stats->not_imported++;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
print_import_problem (ctrl, cert, 3);
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2004-02-03 17:27:51 +01:00
|
|
|
|
/* Some basic checks, but don't care about missing certificates;
|
|
|
|
|
|
this is so that we are able to import entire certificate chains
|
2004-08-17 17:26:22 +02:00
|
|
|
|
w/o requiring a special order (i.e. root-CA first). This used
|
2004-02-17 16:05:04 +01:00
|
|
|
|
to be different but because gpgsm_verify even imports
|
2004-02-03 17:27:51 +01:00
|
|
|
|
certificates without any checks, it doesn't matter much and the
|
|
|
|
|
|
code gets much cleaner. A housekeeping function to remove
|
2011-02-04 12:57:53 +01:00
|
|
|
|
certificates w/o an anchor would be nice, though.
|
|
|
|
|
|
|
2004-08-17 17:26:22 +02:00
|
|
|
|
Optionally we do a full validation in addition to the basic test.
|
|
|
|
|
|
*/
|
2008-02-13 17:47:14 +01:00
|
|
|
|
rc = gpgsm_basic_cert_check (ctrl, cert);
|
2004-08-17 17:26:22 +02:00
|
|
|
|
if (!rc && ctrl->with_validation)
|
2007-08-10 18:52:05 +02:00
|
|
|
|
rc = gpgsm_validate_chain (ctrl, cert, "", NULL, 0, NULL, 0, NULL);
|
2004-08-17 22:06:24 +02:00
|
|
|
|
if (!rc || (!ctrl->with_validation
|
2010-10-01 22:33:53 +02:00
|
|
|
|
&& (gpg_err_code (rc) == GPG_ERR_MISSING_CERT
|
|
|
|
|
|
|| gpg_err_code (rc) == GPG_ERR_MISSING_ISSUER_CERT)))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
|
int existed;
|
|
|
|
|
|
|
2016-11-10 17:01:19 +01:00
|
|
|
|
if (!keydb_store_cert (ctrl, cert, 0, &existed))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_cert_t next = NULL;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
|
|
|
|
|
if (!existed)
|
|
|
|
|
|
{
|
2004-02-17 16:05:04 +01:00
|
|
|
|
print_imported_status (ctrl, cert, 1);
|
2004-04-30 05:27:10 +02:00
|
|
|
|
if (stats)
|
|
|
|
|
|
stats->imported++;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
else
|
2004-02-17 16:05:04 +01:00
|
|
|
|
{
|
|
|
|
|
|
print_imported_status (ctrl, cert, 0);
|
2004-04-30 05:27:10 +02:00
|
|
|
|
if (stats)
|
|
|
|
|
|
stats->unchanged++;
|
2004-02-17 16:05:04 +01:00
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (opt.verbose > 1 && existed)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (depth)
|
|
|
|
|
|
log_info ("issuer certificate already in DB\n");
|
|
|
|
|
|
else
|
|
|
|
|
|
log_info ("certificate already in DB\n");
|
|
|
|
|
|
}
|
|
|
|
|
|
else if (opt.verbose && !existed)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (depth)
|
|
|
|
|
|
log_info ("issuer certificate imported\n");
|
|
|
|
|
|
else
|
|
|
|
|
|
log_info ("certificate imported\n");
|
|
|
|
|
|
}
|
2004-02-03 17:27:51 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
/* Now lets walk up the chain and import all certificates up
|
2004-02-03 17:27:51 +01:00
|
|
|
|
the chain. This is required in case we already stored
|
2004-04-30 05:27:10 +02:00
|
|
|
|
parent certificates in the ephemeral keybox. Do not
|
|
|
|
|
|
update the statistics, though. */
|
2008-02-13 17:47:14 +01:00
|
|
|
|
if (!gpgsm_walk_cert_chain (ctrl, cert, &next))
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
2004-04-30 05:27:10 +02:00
|
|
|
|
check_and_store (ctrl, NULL, next, depth+1);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_cert_release (next);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error (_("error storing certificate\n"));
|
2004-04-30 05:27:10 +02:00
|
|
|
|
if (stats)
|
|
|
|
|
|
stats->not_imported++;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
print_import_problem (ctrl, cert, 4);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error (_("basic certificate checks failed - not imported\n"));
|
2004-04-30 05:27:10 +02:00
|
|
|
|
if (stats)
|
|
|
|
|
|
stats->not_imported++;
|
2010-10-01 22:33:53 +02:00
|
|
|
|
/* We keep the test for GPG_ERR_MISSING_CERT only in case
|
|
|
|
|
|
GPG_ERR_MISSING_CERT has been used instead of the newer
|
|
|
|
|
|
GPG_ERR_MISSING_ISSUER_CERT. */
|
2011-02-04 12:57:53 +01:00
|
|
|
|
print_import_problem
|
2010-10-01 22:33:53 +02:00
|
|
|
|
(ctrl, cert,
|
|
|
|
|
|
gpg_err_code (rc) == GPG_ERR_MISSING_ISSUER_CERT? 2 :
|
|
|
|
|
|
gpg_err_code (rc) == GPG_ERR_MISSING_CERT? 2 :
|
|
|
|
|
|
gpg_err_code (rc) == GPG_ERR_BAD_CERT? 1 : 0);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
�
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2006-09-06 18:35:52 +02:00
|
|
|
|
import_one (ctrl_t ctrl, struct stats_s *stats, int in_fd)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
|
int rc;
|
2017-02-16 17:11:38 +01:00
|
|
|
|
gnupg_ksba_io_t b64reader = NULL;
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_reader_t reader;
|
|
|
|
|
|
ksba_cert_t cert = NULL;
|
|
|
|
|
|
ksba_cms_t cms = NULL;
|
2010-03-08 13:22:18 +01:00
|
|
|
|
estream_t fp = NULL;
|
2003-12-17 13:28:24 +01:00
|
|
|
|
ksba_content_type_t ct;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
int any = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2010-03-08 13:22:18 +01:00
|
|
|
|
fp = es_fdopen_nc (in_fd, "rb");
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!fp)
|
|
|
|
|
|
{
|
2010-03-08 13:22:18 +01:00
|
|
|
|
rc = gpg_error_from_syserror ();
|
2003-08-05 19:11:04 +02:00
|
|
|
|
log_error ("fdopen() failed: %s\n", strerror (errno));
|
2004-02-04 20:13:16 +01:00
|
|
|
|
goto leave;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-02-16 15:16:48 +01:00
|
|
|
|
rc = gnupg_ksba_create_reader
|
|
|
|
|
|
(&b64reader, ((ctrl->is_pem? GNUPG_KSBA_IO_PEM : 0)
|
|
|
|
|
|
| (ctrl->is_base64? GNUPG_KSBA_IO_BASE64 : 0)
|
|
|
|
|
|
| (ctrl->autodetect_encoding? GNUPG_KSBA_IO_AUTODETECT : 0)
|
|
|
|
|
|
| GNUPG_KSBA_IO_MULTIPEM),
|
|
|
|
|
|
fp, &reader);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("can't create reader: %s\n", gpg_strerror (rc));
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
|
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
/* We need to loop here to handle multiple PEM objects in one
|
|
|
|
|
|
file. */
|
|
|
|
|
|
do
|
|
|
|
|
|
{
|
|
|
|
|
|
ksba_cms_release (cms); cms = NULL;
|
|
|
|
|
|
ksba_cert_release (cert); cert = NULL;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
ct = ksba_cms_identify (reader);
|
|
|
|
|
|
if (ct == KSBA_CT_SIGNED_DATA)
|
|
|
|
|
|
{ /* This is probably a signed-only message - import the certs */
|
|
|
|
|
|
ksba_stop_reason_t stopreason;
|
|
|
|
|
|
int i;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
rc = ksba_cms_new (&cms);
|
|
|
|
|
|
if (rc)
|
|
|
|
|
|
goto leave;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
rc = ksba_cms_set_reader_writer (cms, reader, NULL);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (rc)
|
|
|
|
|
|
{
|
2004-02-13 13:40:23 +01:00
|
|
|
|
log_error ("ksba_cms_set_reader_writer failed: %s\n",
|
|
|
|
|
|
gpg_strerror (rc));
|
2003-08-05 19:11:04 +02:00
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-02-04 12:57:53 +01:00
|
|
|
|
do
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
|
|
|
|
|
rc = ksba_cms_parse (cms, &stopreason);
|
|
|
|
|
|
if (rc)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("ksba_cms_parse failed: %s\n", gpg_strerror (rc));
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (stopreason == KSBA_SR_BEGIN_DATA)
|
|
|
|
|
|
log_info ("not a certs-only message\n");
|
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
while (stopreason != KSBA_SR_READY);
|
|
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
for (i=0; (cert=ksba_cms_get_cert (cms, i)); i++)
|
|
|
|
|
|
{
|
|
|
|
|
|
check_and_store (ctrl, stats, cert, 0);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
ksba_cert_release (cert);
|
2004-02-13 13:40:23 +01:00
|
|
|
|
cert = NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (!i)
|
|
|
|
|
|
log_error ("no certificate found\n");
|
|
|
|
|
|
else
|
|
|
|
|
|
any = 1;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2004-02-13 13:40:23 +01:00
|
|
|
|
else if (ct == KSBA_CT_PKCS12)
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* This seems to be a pkcs12 message. */
|
|
|
|
|
|
rc = parse_p12 (ctrl, reader, stats);
|
2004-02-13 13:40:23 +01:00
|
|
|
|
if (!rc)
|
2010-06-17 17:44:44 +02:00
|
|
|
|
any = 1;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
|
|
|
|
|
else if (ct == KSBA_CT_NONE)
|
|
|
|
|
|
{ /* Failed to identify this message - assume a certificate */
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
rc = ksba_cert_new (&cert);
|
|
|
|
|
|
if (rc)
|
|
|
|
|
|
goto leave;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
rc = ksba_cert_read_der (cert, reader);
|
|
|
|
|
|
if (rc)
|
|
|
|
|
|
goto leave;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
check_and_store (ctrl, stats, cert, 0);
|
|
|
|
|
|
any = 1;
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("can't extract certificates from input\n");
|
|
|
|
|
|
rc = gpg_error (GPG_ERR_NO_DATA);
|
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
ksba_reader_clear (reader, NULL, NULL);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
}
|
2017-02-16 17:11:38 +01:00
|
|
|
|
while (!gnupg_ksba_reader_eof_seen (b64reader));
|
2004-02-13 13:40:23 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
leave:
|
2004-02-13 13:40:23 +01:00
|
|
|
|
if (any && gpg_err_code (rc) == GPG_ERR_EOF)
|
|
|
|
|
|
rc = 0;
|
2003-08-05 19:11:04 +02:00
|
|
|
|
ksba_cms_release (cms);
|
|
|
|
|
|
ksba_cert_release (cert);
|
2017-02-16 17:11:38 +01:00
|
|
|
|
gnupg_ksba_destroy_reader (b64reader);
|
2010-03-08 13:22:18 +01:00
|
|
|
|
es_fclose (fp);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
return rc;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2009-07-07 18:52:12 +02:00
|
|
|
|
�
|
|
|
|
|
|
/* Re-import certifciates. IN_FD is a list of linefeed delimited
|
|
|
|
|
|
fingerprints t re-import. The actual re-import is done by clearing
|
|
|
|
|
|
the ephemeral flag. */
|
|
|
|
|
|
static int
|
|
|
|
|
|
reimport_one (ctrl_t ctrl, struct stats_s *stats, int in_fd)
|
|
|
|
|
|
{
|
|
|
|
|
|
gpg_error_t err = 0;
|
|
|
|
|
|
estream_t fp = NULL;
|
|
|
|
|
|
char line[100]; /* Sufficient for a fingerprint. */
|
|
|
|
|
|
KEYDB_HANDLE kh;
|
|
|
|
|
|
KEYDB_SEARCH_DESC desc;
|
|
|
|
|
|
ksba_cert_t cert = NULL;
|
|
|
|
|
|
unsigned int flags;
|
|
|
|
|
|
|
2016-11-10 15:38:14 +01:00
|
|
|
|
kh = keydb_new ();
|
2009-07-07 18:52:12 +02:00
|
|
|
|
if (!kh)
|
|
|
|
|
|
{
|
|
|
|
|
|
err = gpg_error (GPG_ERR_ENOMEM);;
|
|
|
|
|
|
log_error (_("failed to allocate keyDB handle\n"));
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
|
|
|
|
|
keydb_set_ephemeral (kh, 1);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2009-07-07 18:52:12 +02:00
|
|
|
|
fp = es_fdopen_nc (in_fd, "r");
|
|
|
|
|
|
if (!fp)
|
|
|
|
|
|
{
|
|
|
|
|
|
err = gpg_error_from_syserror ();
|
|
|
|
|
|
log_error ("es_fdopen(%d) failed: %s\n", in_fd, gpg_strerror (err));
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
while (es_fgets (line, DIM(line)-1, fp) )
|
|
|
|
|
|
{
|
|
|
|
|
|
if (*line && line[strlen(line)-1] != '\n')
|
|
|
|
|
|
{
|
|
|
|
|
|
err = gpg_error (GPG_ERR_LINE_TOO_LONG);
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
|
|
|
|
|
trim_spaces (line);
|
|
|
|
|
|
if (!*line)
|
|
|
|
|
|
continue;
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2009-07-07 18:52:12 +02:00
|
|
|
|
stats->count++;
|
|
|
|
|
|
|
2011-04-25 23:56:47 +02:00
|
|
|
|
err = classify_user_id (line, &desc, 0);
|
2009-07-07 18:52:12 +02:00
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
print_import_problem (ctrl, NULL, 0);
|
|
|
|
|
|
stats->not_imported++;
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
keydb_search_reset (kh);
|
2016-11-10 17:01:19 +01:00
|
|
|
|
err = keydb_search (ctrl, kh, &desc, 1);
|
2009-07-07 18:52:12 +02:00
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
print_import_problem (ctrl, NULL, 0);
|
|
|
|
|
|
stats->not_imported++;
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ksba_cert_release (cert);
|
|
|
|
|
|
cert = NULL;
|
|
|
|
|
|
err = keydb_get_cert (kh, &cert);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("keydb_get_cert() failed: %s\n", gpg_strerror (err));
|
|
|
|
|
|
print_import_problem (ctrl, NULL, 1);
|
|
|
|
|
|
stats->not_imported++;
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
err = keydb_get_flags (kh, KEYBOX_FLAG_BLOB, 0, &flags);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error (_("error getting stored flags: %s\n"), gpg_strerror (err));
|
|
|
|
|
|
print_imported_status (ctrl, cert, 0);
|
|
|
|
|
|
stats->not_imported++;
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
if ( !(flags & KEYBOX_FLAG_BLOB_EPHEMERAL) )
|
|
|
|
|
|
{
|
|
|
|
|
|
print_imported_status (ctrl, cert, 0);
|
|
|
|
|
|
stats->unchanged++;
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-11-10 17:01:19 +01:00
|
|
|
|
err = keydb_set_cert_flags (ctrl, cert, 1, KEYBOX_FLAG_BLOB, 0,
|
2009-07-07 18:52:12 +02:00
|
|
|
|
KEYBOX_FLAG_BLOB_EPHEMERAL, 0);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("clearing ephemeral flag failed: %s\n",
|
2011-02-04 12:57:53 +01:00
|
|
|
|
gpg_strerror (err));
|
2009-07-07 18:52:12 +02:00
|
|
|
|
print_import_problem (ctrl, cert, 0);
|
|
|
|
|
|
stats->not_imported++;
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
print_imported_status (ctrl, cert, 1);
|
|
|
|
|
|
stats->imported++;
|
|
|
|
|
|
}
|
|
|
|
|
|
err = 0;
|
|
|
|
|
|
if (es_ferror (fp))
|
|
|
|
|
|
{
|
|
|
|
|
|
err = gpg_error_from_syserror ();
|
|
|
|
|
|
log_error ("error reading fd %d: %s\n", in_fd, gpg_strerror (err));
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
|
ksba_cert_release (cert);
|
|
|
|
|
|
keydb_release (kh);
|
|
|
|
|
|
es_fclose (fp);
|
|
|
|
|
|
return err;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
�
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int
|
2009-07-07 18:52:12 +02:00
|
|
|
|
gpgsm_import (ctrl_t ctrl, int in_fd, int reimport_mode)
|
2003-08-05 19:11:04 +02:00
|
|
|
|
{
|
|
|
|
|
|
int rc;
|
|
|
|
|
|
struct stats_s stats;
|
|
|
|
|
|
|
|
|
|
|
|
memset (&stats, 0, sizeof stats);
|
2009-07-07 18:52:12 +02:00
|
|
|
|
if (reimport_mode)
|
|
|
|
|
|
rc = reimport_one (ctrl, &stats, in_fd);
|
|
|
|
|
|
else
|
|
|
|
|
|
rc = import_one (ctrl, &stats, in_fd);
|
2003-08-05 19:11:04 +02:00
|
|
|
|
print_imported_summary (ctrl, &stats);
|
|
|
|
|
|
/* If we never printed an error message do it now so that a command
|
|
|
|
|
|
line invocation will return with an error (log_error keeps a
|
|
|
|
|
|
global errorcount) */
|
|
|
|
|
|
if (rc && !log_get_errorcount (0))
|
|
|
|
|
|
log_error (_("error importing certificate: %s\n"), gpg_strerror (rc));
|
|
|
|
|
|
return rc;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int
|
2006-09-06 18:35:52 +02:00
|
|
|
|
gpgsm_import_files (ctrl_t ctrl, int nfiles, char **files,
|
2003-08-05 19:11:04 +02:00
|
|
|
|
int (*of)(const char *fname))
|
|
|
|
|
|
{
|
|
|
|
|
|
int rc = 0;
|
|
|
|
|
|
struct stats_s stats;
|
|
|
|
|
|
|
|
|
|
|
|
memset (&stats, 0, sizeof stats);
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2003-08-05 19:11:04 +02:00
|
|
|
|
if (!nfiles)
|
|
|
|
|
|
rc = import_one (ctrl, &stats, 0);
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
for (; nfiles && !rc ; nfiles--, files++)
|
|
|
|
|
|
{
|
|
|
|
|
|
int fd = of (*files);
|
|
|
|
|
|
rc = import_one (ctrl, &stats, fd);
|
|
|
|
|
|
close (fd);
|
|
|
|
|
|
if (rc == -1)
|
|
|
|
|
|
rc = 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
print_imported_summary (ctrl, &stats);
|
|
|
|
|
|
/* If we never printed an error message do it now so that a command
|
|
|
|
|
|
line invocation will return with an error (log_error keeps a
|
|
|
|
|
|
global errorcount) */
|
|
|
|
|
|
if (rc && !log_get_errorcount (0))
|
|
|
|
|
|
log_error (_("error importing certificate: %s\n"), gpg_strerror (rc));
|
|
|
|
|
|
return rc;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* Check that the RSA secret key SKEY is valid. Swap parameters to
|
|
|
|
|
|
the libgcrypt standard. */
|
2004-02-13 13:40:23 +01:00
|
|
|
|
static gpg_error_t
|
2010-06-17 17:44:44 +02:00
|
|
|
|
rsa_key_check (struct rsa_secret_key_s *skey)
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
int err = 0;
|
|
|
|
|
|
gcry_mpi_t t = gcry_mpi_snew (0);
|
|
|
|
|
|
gcry_mpi_t t1 = gcry_mpi_snew (0);
|
|
|
|
|
|
gcry_mpi_t t2 = gcry_mpi_snew (0);
|
|
|
|
|
|
gcry_mpi_t phi = gcry_mpi_snew (0);
|
|
|
|
|
|
|
|
|
|
|
|
/* Check that n == p * q. */
|
|
|
|
|
|
gcry_mpi_mul (t, skey->p, skey->q);
|
|
|
|
|
|
if (gcry_mpi_cmp( t, skey->n) )
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("RSA oops: n != p * q\n");
|
|
|
|
|
|
err++;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Check that p is less than q. */
|
|
|
|
|
|
if (gcry_mpi_cmp (skey->p, skey->q) > 0)
|
|
|
|
|
|
{
|
|
|
|
|
|
gcry_mpi_t tmp;
|
|
|
|
|
|
|
|
|
|
|
|
log_info ("swapping secret primes\n");
|
|
|
|
|
|
tmp = gcry_mpi_copy (skey->p);
|
|
|
|
|
|
gcry_mpi_set (skey->p, skey->q);
|
|
|
|
|
|
gcry_mpi_set (skey->q, tmp);
|
|
|
|
|
|
gcry_mpi_release (tmp);
|
|
|
|
|
|
/* Recompute u. */
|
|
|
|
|
|
gcry_mpi_invm (skey->u, skey->p, skey->q);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Check that e divides neither p-1 nor q-1. */
|
|
|
|
|
|
gcry_mpi_sub_ui (t, skey->p, 1 );
|
|
|
|
|
|
gcry_mpi_div (NULL, t, t, skey->e, 0);
|
|
|
|
|
|
if (!gcry_mpi_cmp_ui( t, 0) )
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("RSA oops: e divides p-1\n");
|
|
|
|
|
|
err++;
|
|
|
|
|
|
}
|
|
|
|
|
|
gcry_mpi_sub_ui (t, skey->q, 1);
|
|
|
|
|
|
gcry_mpi_div (NULL, t, t, skey->e, 0);
|
|
|
|
|
|
if (!gcry_mpi_cmp_ui( t, 0))
|
|
|
|
|
|
{
|
|
|
|
|
|
log_info ("RSA oops: e divides q-1\n" );
|
|
|
|
|
|
err++;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Check that d is correct. */
|
|
|
|
|
|
gcry_mpi_sub_ui (t1, skey->p, 1);
|
|
|
|
|
|
gcry_mpi_sub_ui (t2, skey->q, 1);
|
|
|
|
|
|
gcry_mpi_mul (phi, t1, t2);
|
|
|
|
|
|
gcry_mpi_invm (t, skey->e, phi);
|
|
|
|
|
|
if (gcry_mpi_cmp (t, skey->d))
|
2011-02-04 12:57:53 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* No: try universal exponent. */
|
|
|
|
|
|
gcry_mpi_gcd (t, t1, t2);
|
|
|
|
|
|
gcry_mpi_div (t, NULL, phi, t, 0);
|
|
|
|
|
|
gcry_mpi_invm (t, skey->e, t);
|
|
|
|
|
|
if (gcry_mpi_cmp (t, skey->d))
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("RSA oops: bad secret exponent\n");
|
|
|
|
|
|
err++;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Check for correctness of u. */
|
|
|
|
|
|
gcry_mpi_invm (t, skey->p, skey->q);
|
|
|
|
|
|
if (gcry_mpi_cmp (t, skey->u))
|
|
|
|
|
|
{
|
|
|
|
|
|
log_info ("RSA oops: bad u parameter\n");
|
|
|
|
|
|
err++;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
log_info ("RSA secret key check failed\n");
|
|
|
|
|
|
|
|
|
|
|
|
gcry_mpi_release (t);
|
|
|
|
|
|
gcry_mpi_release (t1);
|
|
|
|
|
|
gcry_mpi_release (t2);
|
|
|
|
|
|
gcry_mpi_release (phi);
|
|
|
|
|
|
|
|
|
|
|
|
return err? gpg_error (GPG_ERR_BAD_SECKEY):0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Object passed to store_cert_cb. */
|
|
|
|
|
|
struct store_cert_parm_s
|
|
|
|
|
|
{
|
|
|
|
|
|
gpg_error_t err; /* First error seen. */
|
|
|
|
|
|
struct stats_s *stats; /* The stats object. */
|
|
|
|
|
|
ctrl_t ctrl; /* The control object. */
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/* Helper to store the DER encoded certificate CERTDATA of length
|
2011-02-04 12:57:53 +01:00
|
|
|
|
CERTDATALEN. */
|
2010-06-17 17:44:44 +02:00
|
|
|
|
static void
|
|
|
|
|
|
store_cert_cb (void *opaque,
|
|
|
|
|
|
const unsigned char *certdata, size_t certdatalen)
|
|
|
|
|
|
{
|
|
|
|
|
|
struct store_cert_parm_s *parm = opaque;
|
|
|
|
|
|
gpg_error_t err;
|
|
|
|
|
|
ksba_cert_t cert;
|
|
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_new (&cert);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (!parm->err)
|
|
|
|
|
|
parm->err = err;
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
err = ksba_cert_init_from_mem (cert, certdata, certdatalen);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("failed to parse a certificate: %s\n", gpg_strerror (err));
|
|
|
|
|
|
if (!parm->err)
|
|
|
|
|
|
parm->err = err;
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
check_and_store (parm->ctrl, parm->stats, cert, 0);
|
|
|
|
|
|
ksba_cert_release (cert);
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Assume that the reader is at a pkcs#12 message and try to import
|
2010-06-17 17:44:44 +02:00
|
|
|
|
certificates from that stupid format. We will transfer secret
|
|
|
|
|
|
keys to the agent. */
|
2004-02-13 13:40:23 +01:00
|
|
|
|
static gpg_error_t
|
2010-06-17 17:44:44 +02:00
|
|
|
|
parse_p12 (ctrl_t ctrl, ksba_reader_t reader, struct stats_s *stats)
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
gpg_error_t err = 0;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
char buffer[1024];
|
2010-06-17 17:44:44 +02:00
|
|
|
|
size_t ntotal, nread;
|
|
|
|
|
|
membuf_t p12mbuf;
|
|
|
|
|
|
char *p12buffer = NULL;
|
|
|
|
|
|
size_t p12buflen;
|
|
|
|
|
|
size_t p12bufoff;
|
|
|
|
|
|
gcry_mpi_t *kparms = NULL;
|
|
|
|
|
|
struct rsa_secret_key_s sk;
|
|
|
|
|
|
char *passphrase = NULL;
|
|
|
|
|
|
unsigned char *key = NULL;
|
|
|
|
|
|
size_t keylen;
|
|
|
|
|
|
void *kek = NULL;
|
|
|
|
|
|
size_t keklen;
|
|
|
|
|
|
unsigned char *wrappedkey = NULL;
|
|
|
|
|
|
size_t wrappedkeylen;
|
|
|
|
|
|
gcry_cipher_hd_t cipherhd = NULL;
|
|
|
|
|
|
gcry_sexp_t s_key = NULL;
|
|
|
|
|
|
unsigned char grip[20];
|
2004-09-29 15:50:31 +02:00
|
|
|
|
int bad_pass = 0;
|
2010-06-17 17:44:44 +02:00
|
|
|
|
int i;
|
|
|
|
|
|
struct store_cert_parm_s store_cert_parm;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
memset (&store_cert_parm, 0, sizeof store_cert_parm);
|
|
|
|
|
|
store_cert_parm.ctrl = ctrl;
|
|
|
|
|
|
store_cert_parm.stats = stats;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
init_membuf (&p12mbuf, 4096);
|
|
|
|
|
|
ntotal = 0;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
while (!(err = ksba_reader_read (reader, buffer, sizeof buffer, &nread)))
|
|
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
if (ntotal >= MAX_P12OBJ_SIZE*1024)
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* Arbitrary limit to avoid DoS attacks. */
|
|
|
|
|
|
err = gpg_error (GPG_ERR_TOO_LARGE);
|
|
|
|
|
|
log_error ("pkcs#12 object is larger than %dk\n", MAX_P12OBJ_SIZE);
|
|
|
|
|
|
break;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
2010-06-17 17:44:44 +02:00
|
|
|
|
put_membuf (&p12mbuf, buffer, nread);
|
|
|
|
|
|
ntotal += nread;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
|
|
|
|
|
if (gpg_err_code (err) == GPG_ERR_EOF)
|
|
|
|
|
|
err = 0;
|
2010-06-17 17:44:44 +02:00
|
|
|
|
if (!err)
|
|
|
|
|
|
{
|
|
|
|
|
|
p12buffer = get_membuf (&p12mbuf, &p12buflen);
|
|
|
|
|
|
if (!p12buffer)
|
|
|
|
|
|
err = gpg_error_from_syserror ();
|
|
|
|
|
|
}
|
2004-02-13 13:40:23 +01:00
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error (_("error reading input: %s\n"), gpg_strerror (err));
|
2010-06-17 17:44:44 +02:00
|
|
|
|
goto leave;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2015-11-16 12:41:46 +01:00
|
|
|
|
/* GnuPG 2.0.4 accidentally created binary P12 files with the string
|
2010-06-17 17:44:44 +02:00
|
|
|
|
"The passphrase is %s encoded.\n\n" prepended to the ASN.1 data.
|
|
|
|
|
|
We fix that here. */
|
|
|
|
|
|
if (p12buflen > 29 && !memcmp (p12buffer, "The passphrase is ", 18))
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
for (p12bufoff=18;
|
|
|
|
|
|
p12bufoff < p12buflen && p12buffer[p12bufoff] != '\n';
|
|
|
|
|
|
p12bufoff++)
|
|
|
|
|
|
;
|
|
|
|
|
|
p12bufoff++;
|
|
|
|
|
|
if (p12bufoff < p12buflen && p12buffer[p12bufoff] == '\n')
|
|
|
|
|
|
p12bufoff++;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
2010-06-17 17:44:44 +02:00
|
|
|
|
else
|
|
|
|
|
|
p12bufoff = 0;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
|
|
|
|
|
|
err = gpgsm_agent_ask_passphrase
|
2010-06-21 12:01:24 +02:00
|
|
|
|
(ctrl,
|
2021-05-17 19:27:54 +02:00
|
|
|
|
i18n_utf8 (N_("Please enter the passphrase to unprotect the PKCS#12 object.")),
|
2010-06-21 12:01:24 +02:00
|
|
|
|
0, &passphrase);
|
2004-02-13 13:40:23 +01:00
|
|
|
|
if (err)
|
2010-06-17 17:44:44 +02:00
|
|
|
|
goto leave;
|
|
|
|
|
|
|
|
|
|
|
|
kparms = p12_parse (p12buffer + p12bufoff, p12buflen - p12bufoff,
|
2022-06-21 18:18:39 +02:00
|
|
|
|
passphrase, store_cert_cb, &store_cert_parm,
|
|
|
|
|
|
&bad_pass, NULL);
|
2010-06-17 17:44:44 +02:00
|
|
|
|
|
|
|
|
|
|
xfree (passphrase);
|
|
|
|
|
|
passphrase = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
if (!kparms)
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
log_error ("error parsing or decrypting the PKCS#12 file\n");
|
|
|
|
|
|
err = gpg_error (GPG_ERR_INV_OBJ);
|
|
|
|
|
|
goto leave;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* print_mpi (" n", kparms[0]); */
|
|
|
|
|
|
/* print_mpi (" e", kparms[1]); */
|
|
|
|
|
|
/* print_mpi (" d", kparms[2]); */
|
|
|
|
|
|
/* print_mpi (" p", kparms[3]); */
|
|
|
|
|
|
/* print_mpi (" q", kparms[4]); */
|
|
|
|
|
|
/* print_mpi ("dmp1", kparms[5]); */
|
|
|
|
|
|
/* print_mpi ("dmq1", kparms[6]); */
|
|
|
|
|
|
/* print_mpi (" u", kparms[7]); */
|
|
|
|
|
|
|
|
|
|
|
|
sk.n = kparms[0];
|
|
|
|
|
|
sk.e = kparms[1];
|
|
|
|
|
|
sk.d = kparms[2];
|
|
|
|
|
|
sk.q = kparms[3];
|
|
|
|
|
|
sk.p = kparms[4];
|
|
|
|
|
|
sk.u = kparms[7];
|
|
|
|
|
|
err = rsa_key_check (&sk);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
/* print_mpi (" n", sk.n); */
|
|
|
|
|
|
/* print_mpi (" e", sk.e); */
|
|
|
|
|
|
/* print_mpi (" d", sk.d); */
|
|
|
|
|
|
/* print_mpi (" p", sk.p); */
|
|
|
|
|
|
/* print_mpi (" q", sk.q); */
|
|
|
|
|
|
/* print_mpi (" u", sk.u); */
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2017-04-28 03:06:33 +02:00
|
|
|
|
/* Create an S-expression from the parameters. */
|
2010-06-17 17:44:44 +02:00
|
|
|
|
err = gcry_sexp_build (&s_key, NULL,
|
|
|
|
|
|
"(private-key(rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m)))",
|
|
|
|
|
|
sk.n, sk.e, sk.d, sk.p, sk.q, sk.u, NULL);
|
|
|
|
|
|
for (i=0; i < 8; i++)
|
|
|
|
|
|
gcry_mpi_release (kparms[i]);
|
|
|
|
|
|
gcry_free (kparms);
|
|
|
|
|
|
kparms = NULL;
|
|
|
|
|
|
if (err)
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-21 12:01:24 +02:00
|
|
|
|
log_error ("failed to create S-expression from key: %s\n",
|
2010-06-17 17:44:44 +02:00
|
|
|
|
gpg_strerror (err));
|
|
|
|
|
|
goto leave;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* Compute the keygrip. */
|
|
|
|
|
|
if (!gcry_pk_get_keygrip (s_key, grip))
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
err = gpg_error (GPG_ERR_GENERAL);
|
|
|
|
|
|
log_error ("can't calculate keygrip\n");
|
|
|
|
|
|
goto leave;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
2021-02-24 08:38:13 +01:00
|
|
|
|
if (DBG_X509)
|
|
|
|
|
|
log_printhex (grip, 20, "keygrip=");
|
2004-02-13 13:40:23 +01:00
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* Convert to canonical encoding using a function which pads it to a
|
|
|
|
|
|
multiple of 64 bits. We need this padding for AESWRAP. */
|
2010-06-21 12:01:24 +02:00
|
|
|
|
err = make_canon_sexp_pad (s_key, 1, &key, &keylen);
|
2010-06-17 17:44:44 +02:00
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("error creating canonical S-expression\n");
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
|
|
|
|
|
gcry_sexp_release (s_key);
|
|
|
|
|
|
s_key = NULL;
|
2004-09-29 15:50:31 +02:00
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* Get the current KEK. */
|
|
|
|
|
|
err = gpgsm_agent_keywrap_key (ctrl, 0, &kek, &keklen);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
{
|
|
|
|
|
|
log_error ("error getting the KEK: %s\n", gpg_strerror (err));
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
}
|
2004-02-13 13:40:23 +01:00
|
|
|
|
|
2010-06-17 17:44:44 +02:00
|
|
|
|
/* Wrap the key. */
|
|
|
|
|
|
err = gcry_cipher_open (&cipherhd, GCRY_CIPHER_AES128,
|
|
|
|
|
|
GCRY_CIPHER_MODE_AESWRAP, 0);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
err = gcry_cipher_setkey (cipherhd, kek, keklen);
|
|
|
|
|
|
if (err)
|
|
|
|
|
|
goto leave;
|
|
|
|
|
|
xfree (kek);
|
|
|
|
|
|
kek = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
wrappedkeylen = keylen + 8;
|
|
|
|
|
|
wrappedkey = xtrymalloc (wrappedkeylen);
|
|
|
|
|
|
if (!wrappedkey)
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
err = gpg_error_from_syserror ();
|
|
|
|
|
|
goto leave;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
2010-06-17 17:44:44 +02:00
|
|
|
|
|
|
|
|
|
|
err = gcry_cipher_encrypt (cipherhd, wrappedkey, wrappedkeylen, key, keylen);
|
2004-02-13 13:40:23 +01:00
|
|
|
|
if (err)
|
2010-06-17 17:44:44 +02:00
|
|
|
|
goto leave;
|
|
|
|
|
|
xfree (key);
|
|
|
|
|
|
key = NULL;
|
|
|
|
|
|
gcry_cipher_close (cipherhd);
|
|
|
|
|
|
cipherhd = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
/* Send the wrapped key to the agent. */
|
|
|
|
|
|
err = gpgsm_agent_import_key (ctrl, wrappedkey, wrappedkeylen);
|
|
|
|
|
|
if (!err)
|
2004-02-13 13:40:23 +01:00
|
|
|
|
{
|
2010-06-17 17:44:44 +02:00
|
|
|
|
stats->count++;
|
|
|
|
|
|
stats->secret_read++;
|
|
|
|
|
|
stats->secret_imported++;
|
2004-02-13 13:40:23 +01:00
|
|
|
|
}
|
2010-06-17 17:44:44 +02:00
|
|
|
|
else if ( gpg_err_code (err) == GPG_ERR_EEXIST )
|
|
|
|
|
|
{
|
|
|
|
|
|
err = 0;
|
|
|
|
|
|
stats->count++;
|
|
|
|
|
|
stats->secret_read++;
|
|
|
|
|
|
stats->secret_dups++;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* If we did not get an error from storing the secret key we return
|
|
|
|
|
|
a possible error from parsing the certificates. We do this after
|
|
|
|
|
|
storing the secret keys so that a bad certificate does not
|
|
|
|
|
|
inhibit our chance to store the secret key. */
|
|
|
|
|
|
if (!err && store_cert_parm.err)
|
|
|
|
|
|
err = store_cert_parm.err;
|
|
|
|
|
|
|
|
|
|
|
|
leave:
|
|
|
|
|
|
if (kparms)
|
|
|
|
|
|
{
|
|
|
|
|
|
for (i=0; i < 8; i++)
|
|
|
|
|
|
gcry_mpi_release (kparms[i]);
|
|
|
|
|
|
gcry_free (kparms);
|
|
|
|
|
|
kparms = NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
xfree (key);
|
|
|
|
|
|
gcry_sexp_release (s_key);
|
|
|
|
|
|
xfree (passphrase);
|
|
|
|
|
|
gcry_cipher_close (cipherhd);
|
|
|
|
|
|
xfree (wrappedkey);
|
|
|
|
|
|
xfree (kek);
|
|
|
|
|
|
xfree (get_membuf (&p12mbuf, NULL));
|
|
|
|
|
|
xfree (p12buffer);
|
2004-09-29 15:50:31 +02:00
|
|
|
|
|
|
|
|
|
|
if (bad_pass)
|
|
|
|
|
|
{
|
|
|
|
|
|
/* We only write a plain error code and not direct
|
|
|
|
|
|
BAD_PASSPHRASE because the pkcs12 parser might issue this
|
2008-05-20 10:00:40 +02:00
|
|
|
|
message multiple times, BAD_PASSPHRASE in general requires a
|
2004-09-29 15:50:31 +02:00
|
|
|
|
keyID and parts of the import might actually succeed so that
|
|
|
|
|
|
IMPORT_PROBLEM is also not appropriate. */
|
|
|
|
|
|
gpgsm_status_with_err_code (ctrl, STATUS_ERROR,
|
|
|
|
|
|
"import.parsep12", GPG_ERR_BAD_PASSPHRASE);
|
|
|
|
|
|
}
|
2011-02-04 12:57:53 +01:00
|
|
|
|
|
2004-02-13 13:40:23 +01:00
|
|
|
|
return err;
|
|
|
|
|
|
}
|
