gpgsm: Print the key types as standard key algorithm strings.

* sm/fingerprint.c (gpgsm_get_key_algo_info): Factor code out to ... (gpgsm_get_key_algo_info2): new. * sm/keylist.c (list_cert_colon): Put curve into field 17 (list_cert_raw): Print the unified key algotithm string instead of the algo and size. (list_cert_std): Ditto. -- It is important to known whether a 256 bit ECC uses a NIST or a Brainpool curve. Signed-off-by: Werner Koch <wk@gnupg.org> Backported-from-master: 5c29d25e6c7c0a5a63ab4c46d4624217307adb78 GnuPG-bug-id: 6253
2025-03-24 22:09:57 +01:00 · 2020-05-07 09:45:49 +02:00 · 2020-05-07 09:45:49 +02:00 · 9f1181e1a7
commit 9f1181e1a7
parent 5ae2632002
3 changed files with 49 additions and 16 deletions
--- a/sm/fingerprint.c
+++ b/sm/fingerprint.c
@ -219,20 +219,25 @@ gpgsm_get_keygrip_hexstring (ksba_cert_t cert)


 /* Return the PK algorithm used by CERT as well as the length in bits
-   of the public key at NBITS. */
+ * of the public key at NBITS.  If R_CURVE is not NULL and an ECC
+ * algorithm is used the name or OID of the curve is stored there; the
+ * caller needs to free this value.  */
 int
-gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
+gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
 {
  gcry_sexp_t s_pkey;
  int rc;
  ksba_sexp_t p;
  size_t n;
  gcry_sexp_t l1, l2;
+  const char *curve;
  const char *name;
  char namebuf[128];

  if (nbits)
    *nbits = 0;
+  if (r_curve)
+    *r_curve = NULL;

  p = ksba_cert_get_public_key (cert);
  if (!p)
@ -258,6 +263,24 @@ gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
      gcry_sexp_release (s_pkey);
      return 0;
    }
+
+  if (r_curve)
+    {
+      curve = gcry_pk_get_curve (l1, 0, NULL);
+      if (curve)
+        {
+          name = openpgp_oid_to_curve (openpgp_curve_to_oid (curve,
+                                                             NULL, NULL), 0);
+          *r_curve = xtrystrdup (name? name : curve);
+          if (!*r_curve)
+            {
+              gcry_sexp_release (l1);
+              gcry_sexp_release (s_pkey);
+              return 0;  /* Out of core.  */
+            }
+        }
+    }
+
  l2 = gcry_sexp_cadr (l1);
  gcry_sexp_release (l1);
  l1 = l2;
@ -277,8 +300,15 @@ gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
 }


-/* This is a wrapper around pubkey_algo_string which takes a KSBA
- * certificate instead of a Gcrypt public key.  Note that this
+int
+gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
+{
+  return gpgsm_get_key_algo_info2 (cert, nbits, NULL);
+}
+
+
+/* This is a wrapper around pubkey_algo_string which takesa KSA
+ * certitificate instead of a Gcrypt public key.  Note that this
 * function may return NULL on error.  */
 char *
 gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid)
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -281,6 +281,8 @@ unsigned long gpgsm_get_short_fingerprint (ksba_cert_t cert,
 unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array);
 char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
 int  gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits);
+int  gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits,
+                               char **r_curve);
 char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid);
 char *gpgsm_get_certid (ksba_cert_t cert);

--- a/sm/keylist.c
+++ b/sm/keylist.c
@ -408,6 +408,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
  gpg_error_t valerr;
  int algo;
  unsigned int nbits;
+  char *curve = NULL;
  const char *chain_id;
  char *chain_id_buffer = NULL;
  int is_root = 0;
@ -499,7 +500,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
  if (*truststring)
    es_fputs (truststring, fp);

-  algo = gpgsm_get_key_algo_info (cert, &nbits);
+  algo = gpgsm_get_key_algo_info2 (cert, &nbits, &curve);
  es_fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);

  ksba_cert_get_validity (cert, 0, t);
@ -563,6 +564,8 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
    }
  es_putc (':', fp);  /* End of field 15. */
  es_putc (':', fp);  /* End of field 16. */
+  if (curve)
+    es_fputs (curve, fp);
  es_putc (':', fp);  /* End of field 17. */
  print_compliance_flags (cert, algo, nbits, fp);
  es_putc (':', fp);  /* End of field 18. */
@ -626,6 +629,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
      xfree (p);
    }
  xfree (kludge_uid);
+  xfree (curve);
 }


@ -829,12 +833,11 @@ list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd,
  es_fprintf (fp, "     hashAlgo: %s%s%s%s\n", oid, s?" (":"",s?s:"",s?")":"");

  {
-    const char *algoname;
-    unsigned int nbits;
+    char *algostr;

-    algoname = gcry_pk_algo_name (gpgsm_get_key_algo_info (cert, &nbits));
-    es_fprintf (fp, "      keyType: %u bit %s\n",
-                nbits, algoname? algoname:"?");
+    algostr = gpgsm_pubkey_algo_string (cert, NULL);
+    es_fprintf (fp, "      keyType: %s\n", algostr? algostr : "[error]");
+    xfree (algostr);
  }

  /* subjectKeyIdentifier */
@ -1192,15 +1195,13 @@ list_cert_std (ctrl_t ctrl, ksba_cert_t cert, estream_t fp, int have_secret,


  {
-    const char *algoname;
-    unsigned int nbits;
+    char *algostr;

-    algoname = gcry_pk_algo_name (gpgsm_get_key_algo_info (cert, &nbits));
-    es_fprintf (fp, "     key type: %u bit %s\n",
-                nbits, algoname? algoname:"?");
+    algostr = gpgsm_pubkey_algo_string (cert, NULL);
+    es_fprintf (fp, "     key type: %s\n", algostr? algostr : "[error]");
+    xfree (algostr);
  }

-
  err = ksba_cert_get_key_usage (cert, &kusage);
  if (gpg_err_code (err) != GPG_ERR_NO_DATA)
    {