Signing does now work. There is no secret key management yet, so you

should set GPGSM_FAKE_KEY=1 before you try to verify a signature created by gpgsm --sign or the SIGN server command.
2024-12-22 10:19:57 +01:00 · 2001-11-24 14:26:27 +00:00 · 2001-11-24 14:26:27 +00:00 · 8e58435312
commit 8e58435312
parent 757c13a171
6 changed files with 148 additions and 19 deletions
--- a/assuan/assuan.h
+++ b/assuan/assuan.h
@ -49,6 +49,7 @@ typedef enum {
  ASSUAN_Line_Not_Terminated = 108,
  ASSUAN_No_Input = 109,
  ASSUAN_No_Output = 110,
+  ASSUAN_Canceled = 111,

  ASSUAN_Cert_Revoked = 301,
  ASSUAN_No_CRL_For_Cert = 302,
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@ -178,8 +178,8 @@ gpgsm_check_cms_signature (KsbaCert cert, const char *sigval,
                           GCRY_MD_HD md, int algo)
 {
  int rc;
-  GCRY_MPI frame;
  char *p;
+  GCRY_MPI frame;
  GCRY_SEXP s_sig, s_hash, s_pkey;

  rc = gcry_sexp_sscan (&s_sig, NULL, sigval, strlen(sigval));
@ -189,17 +189,37 @@ gpgsm_check_cms_signature (KsbaCert cert, const char *sigval,
      return map_gcry_err (rc);
    }

-  p = ksba_cert_get_public_key (cert);
+  if (getenv ("GPGSM_FAKE_KEY"))
+    {
+      const char n[] = "#8732A669BB7C5057AD070EFA54E035C86DF474F7A7EBE2435"
+        "3DADEB86FFE74C32AEEF9E5C6BD7584CB572520167B3E8C89A1FA75C74FF9E938"
+        "2710F3B270B638EB96E7486491D81C53CA8A50B4E840B1C7458A4A1E52EC18D681"
+        "8A2805C9165827F77EF90D55014E4B2AF9386AE8F6462F46A547CB593ABD509311"
+        "4D3D16375F#";
+      const char e[] = "#11#";
+      char *tmp;
+
+      log_debug ("Using HARDWIRED public key\n");
+      asprintf (&tmp, "(public-key(rsa(n %s)(e %s)))", n, e);
+      /* asprintf does not use our allocation fucntions, so we can't
+         use our free */
+      p = xstrdup (tmp);
+      free (tmp);
+    }
+  else
+    {
+      p = ksba_cert_get_public_key (cert);
+    }
+
  if (DBG_X509)
    log_debug ("public key: %s\n", p);
-
  rc = gcry_sexp_sscan ( &s_pkey, NULL, p, strlen(p));
  if (rc)
    {
      log_error ("gcry_sexp_scan failed: %s\n", gcry_strerror (rc));
      return map_gcry_err (rc);
    }
-  
+

  rc = do_encode_md (md, algo, gcry_pk_get_nbits (s_pkey), &frame);
  if (rc)
@ -218,3 +238,82 @@ gpgsm_check_cms_signature (KsbaCert cert, const char *sigval,
  return map_gcry_err (rc);
 }

+
+
+int
+gpgsm_create_cms_signature (KsbaCert cert, GCRY_MD_HD md, int mdalgo,
+                            char **r_sigval)
+{
+  /* our sample key */
+  const char n[] = "#8732A669BB7C5057AD070EFA54E035C86DF474F7A7EBE2435"
+    "3DADEB86FFE74C32AEEF9E5C6BD7584CB572520167B3E8C89A1FA75C74FF9E938"
+    "2710F3B270B638EB96E7486491D81C53CA8A50B4E840B1C7458A4A1E52EC18D681"
+    "8A2805C9165827F77EF90D55014E4B2AF9386AE8F6462F46A547CB593ABD509311"
+    "4D3D16375F#";
+  const char e[] = "#11#";
+  const char d[] = "#07F3EBABDDDA22D7FB1E8869140D30571586D9B4370DE02213F"
+    "DD0DDAC3C24FC6BEFF0950BB0CAAD755F7AA788DA12BCF90987341AC8781CC7115"
+    "B59A115B05D9D99B3D7AF77854DC2EE6A36154512CC0EAD832601038A88E837112"
+    "AB2A39FD9FBE05E30D6FFA6F43D71C59F423CA43BC91C254A8C89673AB61F326B0"
+    "762FBC9#";
+  const char p[] = "#B2ABAD4328E66303E206C53CFBED17F18F712B1C47C966EE13DD"
+    "AA9AD3616A610ADF513F8376FA48BAE12FED64CECC1E73091A77B45119AF0FC1286A"
+    "85BD9BBD#";
+  const char q[] = "#C1B648B294BB9AEE7FEEB77C4F64E9333E4EA9A7C54D521356FB"
+    "BBB7558A0E7D6331EC7B42E3F0CD7BBBA9B7A013422F615F10DCC1E8462828BF8FC7"
+    "39C5E34B#";
+  const char  u[] = "#A9B5EFF9C80A4A356B9A95EB63E381B262071E5CE9C1F32FF03"
+    "83AD8289BED8BC690555E54411FA2FDB9B49638A21B2046C325F5633B4B1ECABEBFD"
+    "1B3519072#";
+
+  GCRY_SEXP s_skey, s_hash, s_sig;
+  GCRY_MPI frame;
+  int rc;
+  char *buf;
+  size_t len;
+
+  /* create a secret key as an sexp */
+  log_debug ("Using HARDWIRED secret key\n");
+  asprintf (&buf, "(private-key(oid.1.2.840.113549.1.1.1"
+           "(n %s)(e %s)(d %s)(p %s)(q %s)(u %s)))",
+           n, e, d, p, q, u);
+  /* asprintf does not use our allocation fucntions, so we can't
+     use our free */
+  rc = gcry_sexp_sscan (&s_skey, NULL, buf, strlen(buf));
+  free (buf);
+  if (rc)
+    {
+      log_error ("failed to build S-Exp: %s\n", gcry_strerror (rc));
+      return map_gcry_err (rc);
+    }
+  
+  /* put the hash into a sexp */
+  rc = do_encode_md (md, mdalgo, gcry_pk_get_nbits (s_skey), &frame);
+  if (rc)
+    {
+      /* fixme: clean up some things */
+      return rc;
+    }
+  if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) )
+    BUG ();
+
+
+  /* sign */
+  rc = gcry_pk_sign (&s_sig, s_hash, s_skey);
+  if (rc)
+    {
+      log_error ("signing failed: %s\n", gcry_strerror (rc));
+      return map_gcry_err (rc);
+    }
+
+  len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, NULL, 0);
+  assert (len);
+  buf = xmalloc (len);
+  len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, buf, len);
+  assert (len);
+
+  *r_sigval = buf;
+  return 0;
+}
+
+
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -200,6 +200,9 @@ void gpgsm_dump_cert (const char *text, KsbaCert cert);
 int gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert);
 int gpgsm_check_cms_signature (KsbaCert cert, const char *sigval,
                               GCRY_MD_HD md, int hash_algo);
+/* fixme: move create functions to another file */
+int gpgsm_create_cms_signature (KsbaCert cert, GCRY_MD_HD md, int mdalgo,
+                                char **r_sigval);


 /*-- certpath.c --*/
--- a/sm/server.c
+++ b/sm/server.c
@ -128,15 +128,34 @@ cmd_verify (ASSUAN_CONTEXT ctx, char *line)
 }


-/* SIGN
+/* SIGN [--detached]

-   FIXME */
+  Sign the data set with the INPUT command and write it to the sink
+  set by OUTPUT.  with "--detached" specified, a detached signature is
+  created (surprise).  */
 static int 
 cmd_sign (ASSUAN_CONTEXT ctx, char *line)
 {
-  
+  int inp_fd, out_fd;
+  FILE *out_fp;
+  int detached;

-  return set_error (Not_Implemented, "fixme");
+  inp_fd = assuan_get_input_fd (ctx);
+  if (inp_fd == -1)
+    return set_error (No_Input, NULL);
+  out_fd = assuan_get_output_fd (ctx);
+  if (out_fd == -1)
+    return set_error (No_Output, NULL);
+
+  detached = !!strstr (line, "--detached");  /* fixme: this is ambiguous */
+
+  out_fp = fdopen ( dup(out_fd), "w");
+  if (!out_fp)
+    return set_error (General_Error, "fdopen() failed");
+  gpgsm_sign (assuan_get_pointer (ctx), inp_fd, detached, out_fp);
+  fclose (out_fp);
+
+  return 0;
 }


--- a/sm/sign.c
+++ b/sm/sign.c
@ -34,18 +34,14 @@
 #include "keydb.h"
 #include "i18n.h"

+
+
+
 struct reader_cb_parm_s {
  FILE *fp;
 };


-static int
-do_sign(KsbaCert cert, GCRY_MD_HD md, int algo, char **r_sigval)
-{
-  return 0;
-}
-
-

 static void
 hash_data (int fd, GCRY_MD_HD md)
@ -329,15 +325,22 @@ gpgsm_sign (CTRL ctrl, int data_fd, int detached, FILE *out_fp)
              }

            sigval = NULL;
-            rc = do_sign (cert, md, algo, &sigval);
+            rc = gpgsm_create_cms_signature (cert, md, algo, &sigval);
            if (rc)
              {
                ksba_cert_release (cert);
                goto leave;
              }

-            log_debug ("sigval=`%s'\n", sigval);
+            err = ksba_cms_set_sig_val (cms, signer, sigval);
            xfree (sigval);
+            if (err)
+              {
+                log_error ("failed to store the signature: %s\n",
+                           ksba_strerror (err));
+                rc = map_ksba_err (err);
+                goto leave;
+              }
          }
        }
    }
--- a/sm/verify.c
+++ b/sm/verify.c
@ -344,8 +344,12 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd)
        }

      sigval = ksba_cms_get_sig_val (cms, signer);
-      log_debug ("signer %d - signature: `%s'\n",
-                 signer, sigval? sigval: "[ERROR]");
+      if (!sigval)
+        {
+          log_error ("no signature value available\n");
+          goto next_signer;
+        }
+      log_debug ("signer %d - signature: `%s'\n", signer, sigval);

      /* Find the certificate of the signer */
      keydb_search_reset (kh);