diff --git a/assuan/assuan.h b/assuan/assuan.h index 97462fb99..7500da1f3 100644 --- a/assuan/assuan.h +++ b/assuan/assuan.h @@ -49,6 +49,7 @@ typedef enum { ASSUAN_Line_Not_Terminated = 108, ASSUAN_No_Input = 109, ASSUAN_No_Output = 110, + ASSUAN_Canceled = 111, ASSUAN_Cert_Revoked = 301, ASSUAN_No_CRL_For_Cert = 302, diff --git a/sm/certcheck.c b/sm/certcheck.c index 0e609a2df..2d5448e66 100644 --- a/sm/certcheck.c +++ b/sm/certcheck.c @@ -178,8 +178,8 @@ gpgsm_check_cms_signature (KsbaCert cert, const char *sigval, GCRY_MD_HD md, int algo) { int rc; - GCRY_MPI frame; char *p; + GCRY_MPI frame; GCRY_SEXP s_sig, s_hash, s_pkey; rc = gcry_sexp_sscan (&s_sig, NULL, sigval, strlen(sigval)); @@ -189,17 +189,37 @@ gpgsm_check_cms_signature (KsbaCert cert, const char *sigval, return map_gcry_err (rc); } - p = ksba_cert_get_public_key (cert); + if (getenv ("GPGSM_FAKE_KEY")) + { + const char n[] = "#8732A669BB7C5057AD070EFA54E035C86DF474F7A7EBE2435" + "3DADEB86FFE74C32AEEF9E5C6BD7584CB572520167B3E8C89A1FA75C74FF9E938" + "2710F3B270B638EB96E7486491D81C53CA8A50B4E840B1C7458A4A1E52EC18D681" + "8A2805C9165827F77EF90D55014E4B2AF9386AE8F6462F46A547CB593ABD509311" + "4D3D16375F#"; + const char e[] = "#11#"; + char *tmp; + + log_debug ("Using HARDWIRED public key\n"); + asprintf (&tmp, "(public-key(rsa(n %s)(e %s)))", n, e); + /* asprintf does not use our allocation fucntions, so we can't + use our free */ + p = xstrdup (tmp); + free (tmp); + } + else + { + p = ksba_cert_get_public_key (cert); + } + if (DBG_X509) log_debug ("public key: %s\n", p); - rc = gcry_sexp_sscan ( &s_pkey, NULL, p, strlen(p)); if (rc) { log_error ("gcry_sexp_scan failed: %s\n", gcry_strerror (rc)); return map_gcry_err (rc); } - + rc = do_encode_md (md, algo, gcry_pk_get_nbits (s_pkey), &frame); if (rc) @@ -218,3 +238,82 @@ gpgsm_check_cms_signature (KsbaCert cert, const char *sigval, return map_gcry_err (rc); } + + +int +gpgsm_create_cms_signature (KsbaCert cert, GCRY_MD_HD md, int mdalgo, + char **r_sigval) +{ + /* our sample key */ + const char n[] = "#8732A669BB7C5057AD070EFA54E035C86DF474F7A7EBE2435" + "3DADEB86FFE74C32AEEF9E5C6BD7584CB572520167B3E8C89A1FA75C74FF9E938" + "2710F3B270B638EB96E7486491D81C53CA8A50B4E840B1C7458A4A1E52EC18D681" + "8A2805C9165827F77EF90D55014E4B2AF9386AE8F6462F46A547CB593ABD509311" + "4D3D16375F#"; + const char e[] = "#11#"; + const char d[] = "#07F3EBABDDDA22D7FB1E8869140D30571586D9B4370DE02213F" + "DD0DDAC3C24FC6BEFF0950BB0CAAD755F7AA788DA12BCF90987341AC8781CC7115" + "B59A115B05D9D99B3D7AF77854DC2EE6A36154512CC0EAD832601038A88E837112" + "AB2A39FD9FBE05E30D6FFA6F43D71C59F423CA43BC91C254A8C89673AB61F326B0" + "762FBC9#"; + const char p[] = "#B2ABAD4328E66303E206C53CFBED17F18F712B1C47C966EE13DD" + "AA9AD3616A610ADF513F8376FA48BAE12FED64CECC1E73091A77B45119AF0FC1286A" + "85BD9BBD#"; + const char q[] = "#C1B648B294BB9AEE7FEEB77C4F64E9333E4EA9A7C54D521356FB" + "BBB7558A0E7D6331EC7B42E3F0CD7BBBA9B7A013422F615F10DCC1E8462828BF8FC7" + "39C5E34B#"; + const char u[] = "#A9B5EFF9C80A4A356B9A95EB63E381B262071E5CE9C1F32FF03" + "83AD8289BED8BC690555E54411FA2FDB9B49638A21B2046C325F5633B4B1ECABEBFD" + "1B3519072#"; + + GCRY_SEXP s_skey, s_hash, s_sig; + GCRY_MPI frame; + int rc; + char *buf; + size_t len; + + /* create a secret key as an sexp */ + log_debug ("Using HARDWIRED secret key\n"); + asprintf (&buf, "(private-key(oid.1.2.840.113549.1.1.1" + "(n %s)(e %s)(d %s)(p %s)(q %s)(u %s)))", + n, e, d, p, q, u); + /* asprintf does not use our allocation fucntions, so we can't + use our free */ + rc = gcry_sexp_sscan (&s_skey, NULL, buf, strlen(buf)); + free (buf); + if (rc) + { + log_error ("failed to build S-Exp: %s\n", gcry_strerror (rc)); + return map_gcry_err (rc); + } + + /* put the hash into a sexp */ + rc = do_encode_md (md, mdalgo, gcry_pk_get_nbits (s_skey), &frame); + if (rc) + { + /* fixme: clean up some things */ + return rc; + } + if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) ) + BUG (); + + + /* sign */ + rc = gcry_pk_sign (&s_sig, s_hash, s_skey); + if (rc) + { + log_error ("signing failed: %s\n", gcry_strerror (rc)); + return map_gcry_err (rc); + } + + len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, NULL, 0); + assert (len); + buf = xmalloc (len); + len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, buf, len); + assert (len); + + *r_sigval = buf; + return 0; +} + + diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 3444a27c3..a00e11d45 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -200,6 +200,9 @@ void gpgsm_dump_cert (const char *text, KsbaCert cert); int gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert); int gpgsm_check_cms_signature (KsbaCert cert, const char *sigval, GCRY_MD_HD md, int hash_algo); +/* fixme: move create functions to another file */ +int gpgsm_create_cms_signature (KsbaCert cert, GCRY_MD_HD md, int mdalgo, + char **r_sigval); /*-- certpath.c --*/ diff --git a/sm/server.c b/sm/server.c index 69287e06a..e2f7ec086 100644 --- a/sm/server.c +++ b/sm/server.c @@ -128,15 +128,34 @@ cmd_verify (ASSUAN_CONTEXT ctx, char *line) } -/* SIGN +/* SIGN [--detached] - FIXME */ + Sign the data set with the INPUT command and write it to the sink + set by OUTPUT. with "--detached" specified, a detached signature is + created (surprise). */ static int cmd_sign (ASSUAN_CONTEXT ctx, char *line) { - + int inp_fd, out_fd; + FILE *out_fp; + int detached; - return set_error (Not_Implemented, "fixme"); + inp_fd = assuan_get_input_fd (ctx); + if (inp_fd == -1) + return set_error (No_Input, NULL); + out_fd = assuan_get_output_fd (ctx); + if (out_fd == -1) + return set_error (No_Output, NULL); + + detached = !!strstr (line, "--detached"); /* fixme: this is ambiguous */ + + out_fp = fdopen ( dup(out_fd), "w"); + if (!out_fp) + return set_error (General_Error, "fdopen() failed"); + gpgsm_sign (assuan_get_pointer (ctx), inp_fd, detached, out_fp); + fclose (out_fp); + + return 0; } diff --git a/sm/sign.c b/sm/sign.c index 0949d0680..98e3dbf81 100644 --- a/sm/sign.c +++ b/sm/sign.c @@ -34,18 +34,14 @@ #include "keydb.h" #include "i18n.h" + + + struct reader_cb_parm_s { FILE *fp; }; -static int -do_sign(KsbaCert cert, GCRY_MD_HD md, int algo, char **r_sigval) -{ - return 0; -} - - static void hash_data (int fd, GCRY_MD_HD md) @@ -329,15 +325,22 @@ gpgsm_sign (CTRL ctrl, int data_fd, int detached, FILE *out_fp) } sigval = NULL; - rc = do_sign (cert, md, algo, &sigval); + rc = gpgsm_create_cms_signature (cert, md, algo, &sigval); if (rc) { ksba_cert_release (cert); goto leave; } - log_debug ("sigval=`%s'\n", sigval); + err = ksba_cms_set_sig_val (cms, signer, sigval); xfree (sigval); + if (err) + { + log_error ("failed to store the signature: %s\n", + ksba_strerror (err)); + rc = map_ksba_err (err); + goto leave; + } } } } diff --git a/sm/verify.c b/sm/verify.c index 325c75935..26bb8cfcd 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -344,8 +344,12 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd) } sigval = ksba_cms_get_sig_val (cms, signer); - log_debug ("signer %d - signature: `%s'\n", - signer, sigval? sigval: "[ERROR]"); + if (!sigval) + { + log_error ("no signature value available\n"); + goto next_signer; + } + log_debug ("signer %d - signature: `%s'\n", signer, sigval); /* Find the certificate of the signer */ keydb_search_reset (kh);