diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index 3f86d0c44..b6bf74d3b 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -271,7 +271,8 @@ Export the private key and the certificate identified by @var{key-id} using the PKCS#12 format. When used with the @code{--armor} option a few informational lines are prepended to the output. Note, that the PKCS#12 format is not very secure and proper transport security should be used -to convey the exported key. (@xref{option --p12-charset}.) +to convey the exported key. The option @code{--no-protection} can be +used to export without passphrase protection. (@xref{option --p12-charset}.) @item --export-secret-key-p8 @var{key-id} @itemx --export-secret-key-raw @var{key-id} @@ -887,6 +888,13 @@ are: Pinentry the user is not prompted again if he enters a bad password. @end table +@item --no-protection +@opindex no-protection +When exporting a private key in the PKCS#12 format do not use a +passphrase to protect the key. Please use this option only along with +a PKCS#12 export becuase it may eventually also have an effect for +other commands. + @item --request-origin @var{origin} @opindex request-origin Tell gpgsm to assume that the operation ultimately originated at @@ -1784,6 +1792,11 @@ encrypt operation. Note that this option is ignored if @item input-size-hint This is the same as the @option{--input-size-hint} command line option. +@item no-protection +If @var{value} is true exported keys are not protected by a +passphrase. This can be reset with a value of 0 or a RESET command. +This is the same as the command line option @option{--no-protection}. + @end table @mansect see also diff --git a/sm/export.c b/sm/export.c index bee22e97a..890d7d1af 100644 --- a/sm/export.c +++ b/sm/export.c @@ -316,11 +316,12 @@ gpgsm_export (ctrl_t ctrl, strlist_t names, estream_t stream) /* Export a certificate and its private key. RAWMODE controls the - actual output: - 0 - Private key and certificate in PKCS#12 format - 1 - Only unencrypted private key in PKCS#8 format - 2 - Only unencrypted private key in PKCS#1 format - */ + * actual output: + * 0 - Private key and certificate in PKCS#12 format + * (With --no-protection no PKSC#12 passphrase is used) + * 1 - Only unencrypted private key in PKCS#8 format + * 2 - Only unencrypted private key in PKCS#1 format + */ void gpgsm_p12_export (ctrl_t ctrl, const char *name, estream_t stream, int rawmode) { @@ -714,22 +715,27 @@ export_p12 (ctrl_t ctrl, const unsigned char *certimg, size_t certimglen, if (rawmode) { - /* Export in raw mode, that is only the pkcs#1/#8 private key. */ + /* Export in raw mode, that is only the pkcs#1/#8 unprotected + * private key. */ result = p12_raw_build (kparms, rawmode, &resultlen); if (!result) err = gpg_error (GPG_ERR_GENERAL); } else { - err = gpgsm_agent_ask_passphrase - (ctrl, - i18n_utf8 (N_("Please enter the passphrase to protect the " - "new PKCS#12 object.")), - 1, &passphrase); - if (err) - goto leave; + if (!ctrl->no_protection) + { + err = gpgsm_agent_ask_passphrase + (ctrl, + i18n_utf8 (N_("Please enter the passphrase to protect the " + "new PKCS#12 object.")), + 1, &passphrase); + if (err) + goto leave; + } - result = p12_build (kparms, certimg, certimglen, passphrase, + result = p12_build (kparms, certimg, certimglen, + ctrl->no_protection? "" : passphrase, opt.p12_charset, &resultlen); xfree (passphrase); passphrase = NULL; diff --git a/sm/gpgsm.c b/sm/gpgsm.c index bea0184e3..b60f0bb46 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -135,6 +135,7 @@ enum cmd_and_opt_values { oPassphraseFD, oPinentryMode, + oNoProtection, oRequestOrigin, oAssumeArmor, @@ -436,6 +437,7 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oDisableFdTranslation, "disable-fd-translation", "@"), ARGPARSE_s_i (oPassphraseFD, "passphrase-fd", "@"), ARGPARSE_s_s (oPinentryMode, "pinentry-mode", "@"), + ARGPARSE_s_n (oNoProtection, "no-protection", "@"), ARGPARSE_header (NULL, N_("Other options")), @@ -1178,6 +1180,10 @@ main ( int argc, char **argv) log_error (_("invalid pinentry mode '%s'\n"), pargs.r.ret_str); break; + case oNoProtection: + ctrl.no_protection = 1; + break; + case oRequestOrigin: opt.request_origin = parse_request_origin (pargs.r.ret_str); if (opt.request_origin == -1) diff --git a/sm/gpgsm.h b/sm/gpgsm.h index be5e79c9a..23cba59e1 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -284,6 +284,8 @@ struct server_control_s * progress info and to decide on how to allocate buffers. */ uint64_t input_size_hint; + int no_protection; /* No passphrase for PKCS#12 export. */ + int create_base64; /* Create base64 encoded output */ int create_pem; /* create PEM output */ const char *pem_name; /* PEM name to use */ diff --git a/sm/server.c b/sm/server.c index 345c3167b..c0542dc9a 100644 --- a/sm/server.c +++ b/sm/server.c @@ -318,6 +318,11 @@ option_handler (assuan_context_t ctx, const char *key, const char *value) { ctrl->input_size_hint = string_to_u64 (value); } + else if (!strcmp (key, "no-protection")) + { + int i = *value? atoi (value) : 0; + ctrl->no_protection = !!i; + } else err = gpg_error (GPG_ERR_UNKNOWN_OPTION); @@ -338,6 +343,7 @@ reset_notify (assuan_context_t ctx, char *line) ctrl->server_local->recplist = NULL; ctrl->server_local->signerlist = NULL; ctrl->always_trust = 0; + ctrl->no_protection = 0; close_message_fp (ctrl); assuan_close_input_fd (ctx); assuan_close_output_fd (ctx);