allow for default algorithms in a gpg parameter file

This commit is contained in:
Werner Koch 2009-12-04 19:47:54 +00:00
parent 66a0019120
commit 49b00ffd67
5 changed files with 104 additions and 39 deletions

NEWS

@ -8,6 +8,9 @@ Noteworthy changes in version 2.1.x (under development)
* The G13 tool for disk encryption key management has been added. * The G13 tool for disk encryption key management has been added.
* The default for --include-cert is now to include all certificates
in the chain except for the root certificate.
* Numerical values may now be used as an alternative to the * Numerical values may now be used as an alternative to the
debug-level keywords. debug-level keywords.


@ -823,11 +823,14 @@ The format of this file is as follows:
used. Some syntactically checks may be performed. used. Some syntactically checks may be performed.
The currently defined parameters are: The currently defined parameters are:
Key-Type: <algo-number>|<algo-string> Key-Type: <algo-number>|<algo-string>
Starts a new parameter block by giving the type of the Starts a new parameter block by giving the type of the primary
primary key. The algorithm must be capable of signing. key. The algorithm must be capable of signing. This is a
This is a required parameter. required parameter. It may be "default" to use the default
one; in this case don't give a Key-Usage and use "default" for
the Subkey-Type.
Key-Length: <length-in-bits> Key-Length: <length-in-bits>
Length of the key in bits. Default is 1024. Length of the key in bits. The default is returned by running
the command "gpg --gpgconf-list".
Key-Usage: <usage-list> Key-Usage: <usage-list>
Space or comma delimited list of key usage, allowed values are Space or comma delimited list of key usage, allowed values are
"encrypt", "sign", and "auth". This is used to generate the "encrypt", "sign", and "auth". This is used to generate the
@ -835,13 +838,15 @@ The format of this file is as follows:
this usage. Note that OpenPGP requires that all primary keys this usage. Note that OpenPGP requires that all primary keys
are capable of certification, so no matter what usage is given are capable of certification, so no matter what usage is given
here, the "cert" flag will be on. If no Key-Usage is here, the "cert" flag will be on. If no Key-Usage is
specified, all the allowed usages for that particular specified and the key-type is not "default", all allowed
algorithm are used. usages for that particular algorithm are used; if it is not
given but "default" is used the usage will be "sign".
Subkey-Type: <algo-number>|<algo-string> Subkey-Type: <algo-number>|<algo-string>
This generates a secondary key. Currently only one subkey This generates a secondary key. Currently only one subkey
can be handled. can be handled.
Subkey-Length: <length-in-bits> Subkey-Length: <length-in-bits>
Length of the subkey in bits. Default is 1024. Length of the subkey in bits. The default is returned by running
the command "gpg --gpgconf-list".
Subkey-Usage: <usage-list> Subkey-Usage: <usage-list>
Similar to Key-Usage. Similar to Key-Usage.
Passphrase: <string> Passphrase: <string>
@ -892,9 +897,9 @@ The format of this file is as follows:
keyserver URL for the key. keyserver URL for the key.
Here is an example: Here is an example on how to create a key:
$ cat >foo <<EOF $ cat >foo <<EOF
%echo Generating a standard key %echo Generating a basic OpenPGP key
Key-Type: DSA Key-Type: DSA
Key-Length: 1024 Key-Length: 1024
Subkey-Type: ELG-E Subkey-Type: ELG-E
@ -919,6 +924,24 @@ $ gpg --no-default-keyring --secret-keyring ./foo.sec \
sec 1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@foo.bar> sec 1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@foo.bar>
ssb 1024g/8F70E2C0 2000-03-09 ssb 1024g/8F70E2C0 2000-03-09
If you want to create a key with the default algorithms you would
use these parameters:
%echo Generating a default key
Key-Type: default
Subkey-Type: default
Name-Real: Joe Tester
Name-Comment: with stupid passphrase
Name-Email: joe@foo.bar
Expire-Date: 0
Passphrase: abc
%pubring foo.pub
%secring foo.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
Layout of the TrustDB Layout of the TrustDB


@ -1,3 +1,11 @@
2009-12-04 Werner Koch <wk@g10code.com>
* keygen.c (DEFAULT_STD_ALGO, DEFAULT_STD_KEYSIZE): New.
(ask_keysize): Use new macro.
(gen_rsa): Set default size if NBITS is 0.
(get_parameter_algo): Add algo name "default". Add arg R_DEFAULT.
(proc_parameter_file): Process default flag.
2009-12-03 Werner Koch <wk@g10code.com> 2009-12-03 Werner Koch <wk@g10code.com>
* gpg.c (set_debug): Allow for numerical debug leveles. Print * gpg.c (set_debug): Allow for numerical debug leveles. Print


@ -1617,8 +1617,8 @@ gpgconf_list (const char *configfile)
printf ("debug-level:%lu:\"none:\n", GC_OPT_FLAG_DEFAULT); printf ("debug-level:%lu:\"none:\n", GC_OPT_FLAG_DEFAULT);
printf ("group:%lu:\n", GC_OPT_FLAG_NONE); printf ("group:%lu:\n", GC_OPT_FLAG_NONE);
/* The next one is an info only item and should match what /* The next one is an info only item and should match the macros at
keygen:ask_keysize actually implements. */ the top of keygen.c */
printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT, printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
"RSA-2048"); "RSA-2048");
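Review bot: The rewritten comment now points at the macros in keygen.c, but the value printed two lines below is still the literal `"RSA-2048"`, so the advertised default and the macros DEFAULT_STD_ALGO/DEFAULT_STD_KEYSIZE can drift apart with nothing at compile time tying them together. Since gpg.c cannot see a keygen.c-local #define, consider moving the two macros to a shared header and deriving the string from them, or at least name them explicitly so a grep finds every site: `/* Info-only item; must agree with DEFAULT_STD_ALGO and DEFAULT_STD_KEYSIZE in keygen.c. */`. gpgconf_list starts and ends outside this hunk.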


@ -43,6 +43,12 @@
#include "keyserver-internal.h" #include "keyserver-internal.h"
#include "call-agent.h" #include "call-agent.h"
/* The default algorithms. If you change them remember to change them
also in gpg.c:gpgconf_list. You should also check that the value
is inside the bounds enforced by ask_keysize and gen_xxx. */
#define DEFAULT_STD_ALGO GCRY_PK_RSA
#define DEFAULT_STD_KEYSIZE 2048
#define MAX_PREFS 30 #define MAX_PREFS 30
@ -1426,6 +1432,9 @@ gen_rsa (int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
assert (is_RSA(algo)); assert (is_RSA(algo));
if (!nbits)
nbits = DEFAULT_STD_KEYSIZE;
if (nbits < 1024) if (nbits < 1024)
{ {
nbits = 1024; nbits = 1024;
@ -1765,9 +1774,7 @@ ask_algo (int addmode, int *r_subkey_algo, unsigned int *r_usage)
static unsigned static unsigned
ask_keysize (int algo, unsigned int primary_keysize) ask_keysize (int algo, unsigned int primary_keysize)
{ {
/* NOTE: If you change the default key size/algo, remember to change unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=4096;
it also in gpgconf.c:gpgconf_list. */
unsigned int nbits, min, def=2048, max=4096;
int for_subkey = !!primary_keysize; int for_subkey = !!primary_keysize;
int autocomp = 0; int autocomp = 0;
@ -2382,22 +2389,37 @@ get_parameter_value( struct para_data_s *para, enum para_name key )
} }
static int static int
get_parameter_algo( struct para_data_s *para, enum para_name key ) get_parameter_algo( struct para_data_s *para, enum para_name key,
int *r_default)
{ {
int i; int i;
struct para_data_s *r = get_parameter( para, key ); struct para_data_s *r = get_parameter( para, key );
if( !r )
return -1; if (r_default)
if( digitp( r->u.value ) ) *r_default = 0;
i = atoi( r->u.value );
else if ( !strcmp ( r->u.value, "ELG-E") if (!r)
|| !strcmp ( r->u.value, "ELG") ) return -1;
i = GCRY_PK_ELG_E;
else if (!ascii_strcasecmp (r->u.value, "default"))
i = gcry_pk_map_name (r->u.value); {
if (i == PUBKEY_ALGO_RSA_E || i == PUBKEY_ALGO_RSA_S) /* Note: If you change this default algo, remember to change it
i = 0; /* we don't want to allow generation of these algorithms */ also in gpg.c:gpgconf_list. */
return i; i = DEFAULT_STD_ALGO;
if (r_default)
*r_default = 1;
}
else if (digitp (r->u.value))
i = atoi( r->u.value );
else if (!strcmp (r->u.value, "ELG-E")
|| !strcmp (r->u.value, "ELG"))
i = GCRY_PK_ELG_E;
else
i = gcry_pk_map_name (r->u.value);
if (i == PUBKEY_ALGO_RSA_E || i == PUBKEY_ALGO_RSA_S)
i = 0; /* we don't want to allow generation of these algorithms */
return i;
} }
/* /*
@ -2541,13 +2563,15 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
const char *s1, *s2, *s3; const char *s1, *s2, *s3;
size_t n; size_t n;
char *p; char *p;
int have_user_id=0,err,algo; int is_default = 0;
int have_user_id = 0;
int err, algo;
/* Check that we have all required parameters. */ /* Check that we have all required parameters. */
r = get_parameter( para, pKEYTYPE ); r = get_parameter( para, pKEYTYPE );
if(r) if(r)
{ {
algo=get_parameter_algo(para,pKEYTYPE); algo = get_parameter_algo (para, pKEYTYPE, &is_default);
if (openpgp_pk_test_algo2 (algo, PUBKEY_USAGE_SIG)) if (openpgp_pk_test_algo2 (algo, PUBKEY_USAGE_SIG))
{ {
log_error ("%s:%d: invalid algorithm\n", fname, r->lnr ); log_error ("%s:%d: invalid algorithm\n", fname, r->lnr );
@ -2563,10 +2587,13 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
err = parse_parameter_usage (fname, para, pKEYUSAGE); err = parse_parameter_usage (fname, para, pKEYUSAGE);
if (!err) if (!err)
{ {
/* Default to algo capabilities if key-usage is not provided */ /* Default to algo capabilities if key-usage is not provided and
no default algorithm has been requested. */
r = xmalloc_clear(sizeof(*r)); r = xmalloc_clear(sizeof(*r));
r->key = pKEYUSAGE; r->key = pKEYUSAGE;
r->u.usage = openpgp_pk_algo_usage(algo); r->u.usage = (is_default
? (PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG)
: openpgp_pk_algo_usage(algo));
r->next = para; r->next = para;
para = r; para = r;
} }
@ -2583,10 +2610,11 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
} }
} }
is_default = 0;
r = get_parameter( para, pSUBKEYTYPE ); r = get_parameter( para, pSUBKEYTYPE );
if(r) if(r)
{ {
algo = get_parameter_algo (para, pSUBKEYTYPE); algo = get_parameter_algo (para, pSUBKEYTYPE, &is_default);
if (openpgp_pk_test_algo (algo)) if (openpgp_pk_test_algo (algo))
{ {
log_error ("%s:%d: invalid algorithm\n", fname, r->lnr ); log_error ("%s:%d: invalid algorithm\n", fname, r->lnr );
@ -2600,7 +2628,9 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
provided */ provided */
r = xmalloc_clear (sizeof(*r)); r = xmalloc_clear (sizeof(*r));
r->key = pSUBKEYUSAGE; r->key = pSUBKEYUSAGE;
r->u.usage = openpgp_pk_algo_usage (algo); r->u.usage = (is_default
? PUBKEY_USAGE_ENC
: openpgp_pk_algo_usage (algo));
r->next = para; r->next = para;
para = r; para = r;
} }
@ -3441,7 +3471,7 @@ do_generate_keypair (struct para_data_s *para,
if (!card) if (!card)
{ {
rc = do_create (get_parameter_algo( para, pKEYTYPE ), rc = do_create (get_parameter_algo( para, pKEYTYPE, NULL ),
get_parameter_uint( para, pKEYLENGTH ), get_parameter_uint( para, pKEYLENGTH ),
pub_root, sec_root, pub_root, sec_root,
get_parameter_dek( para, pPASSPHRASE_DEK ), get_parameter_dek( para, pPASSPHRASE_DEK ),
@ -3503,7 +3533,7 @@ do_generate_keypair (struct para_data_s *para,
{ {
if (!card) if (!card)
{ {
rc = do_create( get_parameter_algo( para, pSUBKEYTYPE ), rc = do_create( get_parameter_algo( para, pSUBKEYTYPE, NULL ),
get_parameter_uint( para, pSUBKEYLENGTH ), get_parameter_uint( para, pSUBKEYLENGTH ),
pub_root, sec_root, pub_root, sec_root,
get_parameter_dek( para, pPASSPHRASE_DEK ), get_parameter_dek( para, pPASSPHRASE_DEK ),
@ -3612,7 +3642,8 @@ do_generate_keypair (struct para_data_s *para,
int no_enc_rsa; int no_enc_rsa;
PKT_public_key *pk; PKT_public_key *pk;
no_enc_rsa = (get_parameter_algo (para, pKEYTYPE) == PUBKEY_ALGO_RSA no_enc_rsa = ((get_parameter_algo (para, pKEYTYPE, NULL)
== PUBKEY_ALGO_RSA)
&& get_parameter_uint (para, pKEYUSAGE) && get_parameter_uint (para, pKEYUSAGE)
&& !((get_parameter_uint (para, pKEYUSAGE) && !((get_parameter_uint (para, pKEYUSAGE)
& PUBKEY_USAGE_ENC)) ); & PUBKEY_USAGE_ENC)) );
@ -3634,7 +3665,7 @@ do_generate_keypair (struct para_data_s *para,
if (!opt.batch if (!opt.batch
&& (get_parameter_algo (para, pKEYTYPE) == PUBKEY_ALGO_DSA && (get_parameter_algo (para, pKEYTYPE, NULL) == PUBKEY_ALGO_DSA
|| no_enc_rsa ) || no_enc_rsa )
&& !get_parameter (para, pSUBKEYTYPE) ) && !get_parameter (para, pSUBKEYTYPE) )
{ {
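Review bot: The `if (!nbits) nbits = DEFAULT_STD_KEYSIZE;` fallback is added only in gen_rsa, so a parameter file with `Key-Type: default` and no Key-Length works only while DEFAULT_STD_ALGO stays RSA; the new macro comment at the top of the file explicitly invites changing the default, yet gen_dsa/gen_elg are not shown handling a zero size, and the default subkey usage of PUBKEY_USAGE_ENC chosen in proc_parameter_file likewise presumes an encryption-capable default algorithm. Either apply the zero-size fallback once where do_create dispatches on the algorithm, or tighten the macro comment so the constraint is visible to whoever edits it: `/* DEFAULT_STD_ALGO must be able to both sign and encrypt; the zero-size fallback to DEFAULT_STD_KEYSIZE is implemented only in gen_rsa. */`. The "remember to change it also in gpg.c:gpgconf_list" note inside get_parameter_algo now duplicates the macro comment and could be dropped in favour of it. The enclosing functions gen_rsa, get_parameter_algo, proc_parameter_file and do_generate_keypair all start and end outside their hunks.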