sm: Support creation of EdDSA certificates.

* sm/misc.c (transform_sigval): Support EdDSA. * sm/certreqgen.c (create_request): Support EdDSA cert creation. * sm/certcheck.c (gpgsm_check_cert_sig): Map some ECC algo OIDs to hash algos. * sm/call-agent.c (struct sethash_inq_parm_s): New. (sethash_inq_cb): New. (gpgsm_agent_pksign): Add mode to pass plain data for EdDSA. -- Tested using a parameter file Key-Type: EdDSA Key-Length: 1024 Key-Grip: 09D9AE3D494F7888C93BE5106AD8A734A87617F0 Key-Usage: sign Serial: random Name-DN: CN=dummy test ed25519 where the keygrip is from a gpg generated Ed25519 key. ECDSA was tested using Key-Type: ECDSA Key-Length: 1024 Key-Grip: 8E06A180EFFE4C65B812150CAF19BF30C0689A4C Key-Usage: sign Serial: random Name-DN: CN=dummy test nistp256 and RSA using Key-Type: RSA Key-Length: 2048 Key-Grip: C6A6390E9388CDBAD71EAEA698233FE5E04F001E Key-Usage: sign Serial: random Name-DN: CN=dummy test rsa The command used in all cases is gpgsm -v --gen-key --batch a.parm >a.crt gpgsm -v --import <a.crt More support, in particular in the user interface, is required and will follow soon. GnuPG-bug-id: 4888 Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2020-05-18 19:32:30 +02:00 · 2020-05-18 19:32:30 +02:00 · 6dc3846d78
commit 6dc3846d78
parent b18fb0264a
4 changed files with 184 additions and 64 deletions
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@ -76,6 +76,13 @@ struct import_key_parm_s
  size_t keylen;
 };

+struct sethash_inq_parm_s
+{
+  assuan_context_t ctx;
+  const void *data;
+  size_t datalen;
+};
+
 struct default_inq_parm_s
 {
  ctrl_t ctrl;
@ -257,8 +264,29 @@ default_inq_cb (void *opaque, const char *line)



+/* This is the inquiry callback required by the SETHASH command.  */
+static gpg_error_t
+sethash_inq_cb (void *opaque, const char *line)
+{
+  gpg_error_t err = 0;
+  struct sethash_inq_parm_s *parm = opaque;
+
+  if (has_leading_keyword (line, "TBSDATA"))
+    {
+      err = assuan_send_data (parm->ctx, parm->data, parm->datalen);
+    }
+  else
+    log_error ("ignoring gpg-agent inquiry '%s'\n", line);
+
+  return err;
+}
+
+
 /* Call the agent to do a sign operation using the key identified by
-   the hex string KEYGRIP. */
+ * the hex string KEYGRIP.  If DIGESTALGO is given (DIGEST,DIGESTLEN)
+ * gives the to be signed hash created using the given algo.  If
+ * DIGESTALGO is not given (i.e. zero) (DIGEST,DIGESTALGO) give the
+ * entire data to-be-signed. */
 int
 gpgsm_agent_pksign (ctrl_t ctrl, const char *keygrip, const char *desc,
                    unsigned char *digest, size_t digestlen, int digestalgo,
@ -277,7 +305,7 @@ gpgsm_agent_pksign (ctrl_t ctrl, const char *keygrip, const char *desc,
  inq_parm.ctrl = ctrl;
  inq_parm.ctx = agent_ctx;

-  if (digestlen*2 + 50 > DIM(line))
+  if (digestalgo && digestlen*2 + 50 > DIM(line))
    return gpg_error (GPG_ERR_GENERAL);

  rc = assuan_transact (agent_ctx, "RESET", NULL, NULL, NULL, NULL, NULL, NULL);
@ -298,11 +326,26 @@ gpgsm_agent_pksign (ctrl_t ctrl, const char *keygrip, const char *desc,
        return rc;
    }

-  sprintf (line, "SETHASH %d ", digestalgo);
-  p = line + strlen (line);
-  for (i=0; i < digestlen ; i++, p += 2 )
-    sprintf (p, "%02X", digest[i]);
-  rc = assuan_transact (agent_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
+  if (!digestalgo)
+    {
+      struct sethash_inq_parm_s sethash_inq_parm;
+
+      sethash_inq_parm.ctx = agent_ctx;
+      sethash_inq_parm.data = digest;
+      sethash_inq_parm.datalen = digestlen;
+      rc = assuan_transact (agent_ctx, "SETHASH --inquire",
+                            NULL, NULL, sethash_inq_cb, &sethash_inq_parm,
+                            NULL, NULL);
+    }
+  else
+    {
+      snprintf (line, sizeof line, "SETHASH %d ", digestalgo);
+      p = line + strlen (line);
+      for (i=0; i < digestlen ; i++, p += 2 )
+        sprintf (p, "%02X", digest[i]);
+      rc = assuan_transact (agent_ctx, line,
+                            NULL, NULL, NULL, NULL, NULL, NULL);
+    }
  if (rc)
    return rc;