1 /* certreqgen.c - Generate a key and a certification [request]
2 * Copyright (C) 2002, 2003, 2005, 2007, 2010,
3 * 2011 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 The format of the parameter file is described in the manual under
27 %echo Generating a standard key
30 Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
31 Name-Email: joe@foo.bar
32 # Do a commit here, so that we can later print a "done"
37 This parameter file was used to create the STEED CA:
40 Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
43 Name-DN: CN=The STEED Self-Signing Nonthority
44 Not-Before: 2011-11-11
46 Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
47 Extension: 2.5.29.19 c 30060101ff020101
48 Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
49 Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
95 struct para_data_s *next;
111 static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35";
112 static const char oidstr_subjectKeyIdentifier[] = "2.5.29.14";
113 static const char oidstr_keyUsage[] = "2.5.29.15";
114 static const char oidstr_basicConstraints[] = "2.5.29.19";
115 static const char oidstr_standaloneCertificate[] = "1.3.6.1.4.1.11591.2.2.1";
118 static int proc_parameters (ctrl_t ctrl,
119 struct para_data_s *para,
121 struct reqgen_ctrl_s *outctrl);
122 static int create_request (ctrl_t ctrl,
123 struct para_data_s *para,
124 const char *carddirect,
125 ksba_const_sexp_t public,
126 ksba_const_sexp_t sigkey,
127 ksba_writer_t writer);
132 release_parameter_list (struct para_data_s *r)
134 struct para_data_s *r2;
143 static struct para_data_s *
144 get_parameter (struct para_data_s *para, enum para_name key, int seq)
146 struct para_data_s *r;
148 for (r = para; r ; r = r->next)
149 if ( r->key == key && !seq--)
155 get_parameter_value (struct para_data_s *para, enum para_name key, int seq)
157 struct para_data_s *r = get_parameter (para, key, seq);
158 return (r && *r->u.value)? r->u.value : NULL;
162 get_parameter_algo (struct para_data_s *para, enum para_name key)
164 struct para_data_s *r = get_parameter (para, key, 0);
167 if (digitp (r->u.value))
168 return atoi( r->u.value );
169 return gcry_pk_map_name (r->u.value);
172 /* Parse the usage parameter. Returns 0 on success. Note that we
173 only care about sign and encrypt and don't (yet) allow all the
174 other X.509 usage to be specified; instead we will use a fixed
175 mapping to the X.509 usage flags. */
177 parse_parameter_usage (struct para_data_s *para, enum para_name key)
179 struct para_data_s *r = get_parameter (para, key, 0);
184 return 0; /* none (this is an optional parameter)*/
188 while ( (p = strsep (&pn, " \t,")) )
192 else if ( !ascii_strcasecmp (p, "sign") )
193 use |= GCRY_PK_USAGE_SIGN;
194 else if ( !ascii_strcasecmp (p, "encrypt")
195 || !ascii_strcasecmp (p, "encr") )
196 use |= GCRY_PK_USAGE_ENCR;
197 else if ( !ascii_strcasecmp (p, "cert") )
198 use |= GCRY_PK_USAGE_CERT;
201 log_error ("line %d: invalid usage list\n", r->lnr);
202 return -1; /* error */
211 get_parameter_uint (struct para_data_s *para, enum para_name key)
213 struct para_data_s *r = get_parameter (para, key, 0);
218 if (r->key == pKEYUSAGE)
221 return (unsigned int)strtoul (r->u.value, NULL, 10);
226 /* Read the certificate generation parameters from FP and generate
227 (all) certificate requests. */
229 read_parameters (ctrl_t ctrl, estream_t fp, estream_t out_fp)
236 { "Key-Type", pKEYTYPE},
237 { "Key-Length", pKEYLENGTH },
238 { "Key-Grip", pKEYGRIP },
239 { "Key-Usage", pKEYUSAGE },
240 { "Name-DN", pNAMEDN },
241 { "Name-Email", pNAMEEMAIL, 1 },
242 { "Name-DNS", pNAMEDNS, 1 },
243 { "Name-URI", pNAMEURI, 1 },
244 { "Serial", pSERIAL },
245 { "Issuer-DN", pISSUERDN },
246 { "Creation-Date", pNOTBEFORE },
247 { "Not-Before", pNOTBEFORE },
248 { "Expire-Date", pNOTAFTER },
249 { "Not-After", pNOTAFTER },
250 { "Signing-Key", pSIGNINGKEY },
251 { "Hash-Algo", pHASHALGO },
252 { "Authority-Key-Id", pAUTHKEYID },
253 { "Subject-Key-Id", pSUBJKEYID },
254 { "Extension", pEXTENSION, 1 },
258 const char *err = NULL;
259 struct para_data_s *para, *r;
260 int i, rc = 0, any = 0;
261 struct reqgen_ctrl_s outctrl;
263 memset (&outctrl, 0, sizeof (outctrl));
267 while (es_fgets (line, DIM(line)-1, fp) )
269 char *keyword, *value;
272 if (*line && line[strlen(line)-1] != '\n')
274 err = "line too long";
277 for (p=line; spacep (p); p++)
279 if (!*p || *p == '#')
285 for (; *p && !ascii_isspace (*p); p++)
289 for (; ascii_isspace (*p); p++)
292 trim_trailing_spaces (value);
294 if (!ascii_strcasecmp (keyword, "%echo"))
295 log_info ("%s\n", value);
296 else if (!ascii_strcasecmp (keyword, "%dry-run"))
298 else if (!ascii_strcasecmp( keyword, "%commit"))
300 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
304 release_parameter_list (para);
308 log_info ("skipping control '%s' (%s)\n", keyword, value);
314 if (!(p = strchr (p, ':')) || p == keyword)
316 err = "missing colon";
321 for (; spacep (p); p++)
325 err = "missing argument";
329 trim_trailing_spaces (value);
331 for (i=0; (keywords[i].name
332 && ascii_strcasecmp (keywords[i].name, keyword)); i++)
334 if (!keywords[i].name)
336 err = "unknown keyword";
339 if (keywords[i].key != pKEYTYPE && !para)
341 err = "parameter block does not start with \"Key-Type\"";
345 if (keywords[i].key == pKEYTYPE && para)
347 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
351 release_parameter_list (para);
354 else if (!keywords[i].allow_dups)
356 for (r = para; r && r->key != keywords[i].key; r = r->next)
360 err = "duplicate keyword";
365 r = xtrycalloc (1, sizeof *r + strlen( value ));
371 r->lnr = outctrl.lnr;
372 r->key = keywords[i].key;
373 strcpy (r->u.value, value);
380 log_error ("line %d: %s\n", outctrl.lnr, err);
381 rc = gpg_error (GPG_ERR_GENERAL);
383 else if (es_ferror(fp))
385 log_error ("line %d: read error: %s\n", outctrl.lnr, strerror(errno) );
386 rc = gpg_error (GPG_ERR_GENERAL);
390 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
397 rc = gpg_error (GPG_ERR_NO_DATA);
400 release_parameter_list (para);
404 /* check whether there are invalid characters in the email address S */
406 has_invalid_email_chars (const char *s)
409 static char valid_chars[] = "01234567890_-."
410 "abcdefghijklmnopqrstuvwxyz"
411 "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
418 else if (!at_seen && !( !!strchr (valid_chars, *s) || *s == '+'))
420 else if (at_seen && !strchr (valid_chars, *s))
427 /* Check that all required parameters are given and perform the action */
429 proc_parameters (ctrl_t ctrl, struct para_data_s *para,
430 estream_t out_fp, struct reqgen_ctrl_s *outctrl)
433 struct para_data_s *r;
434 const char *s, *string;
438 unsigned char keyparms[100];
441 ksba_sexp_t sigkey = NULL;
443 size_t erroff, errlen;
444 char *cardkeyid = NULL;
446 /* Check that we have all required parameters; */
447 assert (get_parameter (para, pKEYTYPE, 0));
449 /* We can only use RSA for now. There is a problem with pkcs-10 on
450 how to use ElGamal because it is expected that a PK algorithm can
451 always be used for signing. Another problem is that on-card
452 generated encryption keys may not be used for signing. */
453 i = get_parameter_algo (para, pKEYTYPE);
454 if (!i && (s = get_parameter_value (para, pKEYTYPE, 0)) && *s)
456 /* Hack to allow creation of certificates directly from a smart
457 card. For example: "Key-Type: card:OPENPGP.3". */
458 if (!strncmp (s, "card:", 5) && s[5])
459 cardkeyid = xtrystrdup (s+5);
461 if ( (i < 1 || i != GCRY_PK_RSA) && !cardkeyid )
463 r = get_parameter (para, pKEYTYPE, 0);
464 log_error (_("line %d: invalid algorithm\n"), r->lnr);
465 return gpg_error (GPG_ERR_INV_PARAMETER);
468 /* Check the keylength. NOTE: If you change this make sure that it
469 macthes the gpgconflist item in gpgsm.c */
470 if (!get_parameter (para, pKEYLENGTH, 0))
473 nbits = get_parameter_uint (para, pKEYLENGTH);
474 if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
476 /* The BSI specs dated 2002-11-25 don't allow lengths below 1024. */
477 r = get_parameter (para, pKEYLENGTH, 0);
478 log_error (_("line %d: invalid key length %u (valid are %d to %d)\n"),
479 r->lnr, nbits, 1024, 4096);
481 return gpg_error (GPG_ERR_INV_PARAMETER);
484 /* Check the usage. */
485 if (parse_parameter_usage (para, pKEYUSAGE))
488 return gpg_error (GPG_ERR_INV_PARAMETER);
491 /* Check that there is a subject name and that this DN fits our
493 if (!(s=get_parameter_value (para, pNAMEDN, 0)))
495 r = get_parameter (para, pNAMEDN, 0);
496 log_error (_("line %d: no subject name given\n"), r->lnr);
498 return gpg_error (GPG_ERR_INV_PARAMETER);
500 err = ksba_dn_teststr (s, 0, &erroff, &errlen);
503 r = get_parameter (para, pNAMEDN, 0);
504 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
505 log_error (_("line %d: invalid subject name label '%.*s'\n"),
506 r->lnr, (int)errlen, s+erroff);
508 log_error (_("line %d: invalid subject name '%s' at pos %d\n"),
509 r->lnr, s, (int)erroff);
512 return gpg_error (GPG_ERR_INV_PARAMETER);
515 /* Check that the optional email address is okay. */
516 for (seq=0; (s=get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
518 if (has_invalid_email_chars (s)
520 || s[strlen(s)-1] == '@'
521 || s[strlen(s)-1] == '.'
524 r = get_parameter (para, pNAMEEMAIL, seq);
525 log_error (_("line %d: not a valid email address\n"), r->lnr);
527 return gpg_error (GPG_ERR_INV_PARAMETER);
531 /* Check the optional serial number. */
532 string = get_parameter_value (para, pSERIAL, 0);
535 if (!strcmp (string, "random"))
539 for (s=string, i=0; hexdigitp (s); s++, i++)
543 r = get_parameter (para, pSERIAL, 0);
544 log_error (_("line %d: invalid serial number\n"), r->lnr);
546 return gpg_error (GPG_ERR_INV_PARAMETER);
551 /* Check the optional issuer DN. */
552 string = get_parameter_value (para, pISSUERDN, 0);
555 err = ksba_dn_teststr (string, 0, &erroff, &errlen);
558 r = get_parameter (para, pISSUERDN, 0);
559 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
560 log_error (_("line %d: invalid issuer name label '%.*s'\n"),
561 r->lnr, (int)errlen, string+erroff);
563 log_error (_("line %d: invalid issuer name '%s' at pos %d\n"),
564 r->lnr, string, (int)erroff);
566 return gpg_error (GPG_ERR_INV_PARAMETER);
570 /* Check the optional creation date. */
571 string = get_parameter_value (para, pNOTBEFORE, 0);
572 if (string && !string2isotime (NULL, string))
574 r = get_parameter (para, pNOTBEFORE, 0);
575 log_error (_("line %d: invalid date given\n"), r->lnr);
577 return gpg_error (GPG_ERR_INV_PARAMETER);
581 /* Check the optional expire date. */
582 string = get_parameter_value (para, pNOTAFTER, 0);
583 if (string && !string2isotime (NULL, string))
585 r = get_parameter (para, pNOTAFTER, 0);
586 log_error (_("line %d: invalid date given\n"), r->lnr);
588 return gpg_error (GPG_ERR_INV_PARAMETER);
591 /* Get the optional signing key. */
592 string = get_parameter_value (para, pSIGNINGKEY, 0);
595 rc = gpgsm_agent_readkey (ctrl, 0, string, &sigkey);
598 r = get_parameter (para, pKEYTYPE, 0);
599 log_error (_("line %d: error getting signing key by keygrip '%s'"
600 ": %s\n"), r->lnr, s, gpg_strerror (rc));
606 /* Check the optional hash-algo. */
610 string = get_parameter_value (para, pHASHALGO, 0);
611 if (string && !((mdalgo = gcry_md_map_name (string))
612 && (mdalgo == GCRY_MD_SHA1
613 || mdalgo == GCRY_MD_SHA256
614 || mdalgo == GCRY_MD_SHA384
615 || mdalgo == GCRY_MD_SHA512)))
617 r = get_parameter (para, pHASHALGO, 0);
618 log_error (_("line %d: invalid hash algorithm given\n"), r->lnr);
620 return gpg_error (GPG_ERR_INV_PARAMETER);
624 /* Check the optional AuthorityKeyId. */
625 string = get_parameter_value (para, pAUTHKEYID, 0);
628 for (s=string, i=0; hexdigitp (s); s++, i++)
632 r = get_parameter (para, pAUTHKEYID, 0);
633 log_error (_("line %d: invalid authority-key-id\n"), r->lnr);
635 return gpg_error (GPG_ERR_INV_PARAMETER);
639 /* Check the optional SubjectKeyId. */
640 string = get_parameter_value (para, pSUBJKEYID, 0);
643 for (s=string, i=0; hexdigitp (s); s++, i++)
647 r = get_parameter (para, pSUBJKEYID, 0);
648 log_error (_("line %d: invalid subject-key-id\n"), r->lnr);
650 return gpg_error (GPG_ERR_INV_PARAMETER);
654 /* Check the optional extensions. */
655 for (seq=0; (string=get_parameter_value (para, pEXTENSION, seq)); seq++)
659 s = strpbrk (string, " \t:");
665 if (*s && strchr ("nNcC", *s))
676 for (i=0; hexdigitp (s); s++, i++)
678 if (!((*s && *s != ':') || !i || (i&1)))
685 r = get_parameter (para, pEXTENSION, seq);
686 log_error (_("line %d: invalid extension syntax\n"), r->lnr);
688 return gpg_error (GPG_ERR_INV_PARAMETER);
692 /* Create or retrieve the public key. */
693 if (cardkeyid) /* Take the key from the current smart card. */
695 rc = gpgsm_agent_readkey (ctrl, 1, cardkeyid, &public);
698 r = get_parameter (para, pKEYTYPE, 0);
699 log_error (_("line %d: error reading key '%s' from card: %s\n"),
700 r->lnr, cardkeyid, gpg_strerror (rc));
706 else if ((s=get_parameter_value (para, pKEYGRIP, 0))) /* Use existing key.*/
708 rc = gpgsm_agent_readkey (ctrl, 0, s, &public);
711 r = get_parameter (para, pKEYTYPE, 0);
712 log_error (_("line %d: error getting key by keygrip '%s': %s\n"),
713 r->lnr, s, gpg_strerror (rc));
719 else if (!outctrl->dryrun) /* Generate new key. */
721 sprintf (numbuf, "%u", nbits);
722 snprintf ((char*)keyparms, DIM (keyparms)-1,
723 "(6:genkey(3:rsa(5:nbits%d:%s)))",
724 (int)strlen (numbuf), numbuf);
725 rc = gpgsm_agent_genkey (ctrl, keyparms, &public);
728 r = get_parameter (para, pKEYTYPE, 0);
729 log_error (_("line %d: key generation failed: %s <%s>\n"),
730 r->lnr, gpg_strerror (rc), gpg_strsource (rc));
738 if (!outctrl->dryrun)
740 Base64Context b64writer = NULL;
741 ksba_writer_t writer;
744 create_cert = !!get_parameter_value (para, pSERIAL, 0);
746 ctrl->pem_name = create_cert? "CERTIFICATE" : "CERTIFICATE REQUEST";
747 rc = gpgsm_create_writer (&b64writer, ctrl, out_fp, &writer);
749 log_error ("can't create writer: %s\n", gpg_strerror (rc));
752 rc = create_request (ctrl, para, cardkeyid, public, sigkey, writer);
755 rc = gpgsm_finish_writer (b64writer);
757 log_error ("write failed: %s\n", gpg_strerror (rc));
760 gpgsm_status (ctrl, STATUS_KEY_CREATED, "P");
761 log_info ("certificate%s created\n",
762 create_cert?"":" request");
765 gpgsm_destroy_writer (b64writer);
777 /* Parameters are checked, the key pair has been created. Now
778 generate the request and write it out */
780 create_request (ctrl_t ctrl,
781 struct para_data_s *para,
782 const char *carddirect,
783 ksba_const_sexp_t public,
784 ksba_const_sexp_t sigkey,
785 ksba_writer_t writer)
790 ksba_stop_reason_t stopreason;
792 const char *s, *string;
798 ksba_isotime_t atime;
802 err = ksba_certreq_new (&cr);
806 string = get_parameter_value (para, pHASHALGO, 0);
808 mdalgo = gcry_md_map_name (string);
810 mdalgo = GCRY_MD_SHA1;
811 rc = gcry_md_open (&md, mdalgo, 0);
814 log_error ("md_open failed: %s\n", gpg_strerror (rc));
818 gcry_md_debug (md, "cr.cri");
820 ksba_certreq_set_hash_function (cr, HASH_FNC, md);
821 ksba_certreq_set_writer (cr, writer);
823 err = ksba_certreq_add_subject (cr, get_parameter_value (para, pNAMEDN, 0));
826 log_error ("error setting the subject's name: %s\n",
832 for (seq=0; (s = get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
834 buf = xtrymalloc (strlen (s) + 3);
843 err = ksba_certreq_add_subject (cr, buf);
847 log_error ("error setting the subject's alternate name: %s\n",
854 for (seq=0; (s = get_parameter_value (para, pNAMEDNS, seq)); seq++)
858 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
859 buf = p = xtrymalloc (11 + strlen (numbuf) + len + 3);
865 p = stpcpy (p, "(8:dns-name");
866 p = stpcpy (p, numbuf);
870 err = ksba_certreq_add_subject (cr, buf);
874 log_error ("error setting the subject's alternate name: %s\n",
881 for (seq=0; (s = get_parameter_value (para, pNAMEURI, seq)); seq++)
885 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
886 buf = p = xtrymalloc (6 + strlen (numbuf) + len + 3);
892 p = stpcpy (p, "(3:uri");
893 p = stpcpy (p, numbuf);
897 err = ksba_certreq_add_subject (cr, buf);
901 log_error ("error setting the subject's alternate name: %s\n",
909 err = ksba_certreq_set_public_key (cr, public);
912 log_error ("error setting the public key: %s\n",
918 /* Set key usage flags. */
919 use = get_parameter_uint (para, pKEYUSAGE);
920 if (use == GCRY_PK_USAGE_SIGN)
922 /* For signing only we encode the bits:
923 KSBA_KEYUSAGE_DIGITAL_SIGNATURE
924 KSBA_KEYUSAGE_NON_REPUDIATION */
925 err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1,
926 "\x03\x02\x06\xC0", 4);
928 else if (use == GCRY_PK_USAGE_ENCR)
930 /* For encrypt only we encode the bits:
931 KSBA_KEYUSAGE_KEY_ENCIPHERMENT
932 KSBA_KEYUSAGE_DATA_ENCIPHERMENT */
933 err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1,
934 "\x03\x02\x04\x30", 4);
936 else if (use == GCRY_PK_USAGE_CERT)
938 /* For certify only we encode the bits:
939 KSBA_KEYUSAGE_KEY_CERT_SIGN
940 KSBA_KEYUSAGE_CRL_SIGN */
941 err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1,
942 "\x03\x02\x01\x06", 4);
945 err = 0; /* Both or none given: don't request one. */
948 log_error ("error setting the key usage: %s\n",
955 /* See whether we want to create an X.509 certificate. */
956 string = get_parameter_value (para, pSERIAL, 0);
961 /* Store the serial number. */
962 if (!strcmp (string, "random"))
966 memcpy (snbuf, "(8:", 3);
967 gcry_create_nonce (snbuf+3, 8);
968 /* Clear high bit to guarantee a positive integer. */
971 err = ksba_certreq_set_serial (cr, snbuf);
977 /* Allocate a buffer large enough to prefix the string with
978 a '0' so to have an even number of digits. Prepend two
979 further '0' so that the binary result will have a leading
980 0 byte and thus can't be the representation of a negative
981 number. Note that ksba_certreq_set_serial strips all
982 unneeded leading 0 bytes. */
983 hexbuf = p = xtrymalloc (2 + 1 + strlen (string) + 1);
986 err = gpg_error_from_syserror ();
989 if ((strlen (string) & 1))
994 for (p=hexbuf, len=0; p[0] && p[1]; p += 2)
995 ((unsigned char*)hexbuf)[len++] = xtoi_2 (p);
996 /* Now build the S-expression. */
997 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
998 buf = p = xtrymalloc (1 + strlen (numbuf) + len + 1 + 1);
1001 err = gpg_error_from_syserror ();
1005 p = stpcpy (stpcpy (buf, "("), numbuf);
1006 memcpy (p, hexbuf, len);
1010 err = ksba_certreq_set_serial (cr, buf);
1015 log_error ("error setting the serial number: %s\n",
1016 gpg_strerror (err));
1021 /* Store the issuer DN. If no issuer DN is given and no signing
1022 key has been set we add the standalone extension and the
1023 basic constraints to mark it as a self-signed CA
1025 string = get_parameter_value (para, pISSUERDN, 0);
1028 /* Issuer DN given. Note that this may be the same as the
1029 subject DN and thus this could as well be a self-signed
1030 certificate. However the caller needs to explicitly
1031 specify basicConstraints and so forth. */
1032 err = ksba_certreq_set_issuer (cr, string);
1035 log_error ("error setting the issuer DN: %s\n",
1036 gpg_strerror (err));
1041 else if (!string && !sigkey)
1043 /* Self-signed certificate requested. Add basicConstraints
1044 and the custom GnuPG standalone extension. */
1045 err = ksba_certreq_add_extension (cr, oidstr_basicConstraints, 1,
1046 "\x30\x03\x01\x01\xff", 5);
1049 err = ksba_certreq_add_extension (cr, oidstr_standaloneCertificate, 0,
1055 /* Store the creation date. */
1056 string = get_parameter_value (para, pNOTBEFORE, 0);
1059 if (!string2isotime (atime, string))
1060 BUG (); /* We already checked the value. */
1063 gnupg_get_isotime (atime);
1064 err = ksba_certreq_set_validity (cr, 0, atime);
1067 log_error ("error setting the creation date: %s\n",
1068 gpg_strerror (err));
1073 /* Store the expire date. If it is not given, libksba inserts a
1075 string = get_parameter_value (para, pNOTAFTER, 0);
1078 if (!string2isotime (atime, string))
1079 BUG (); /* We already checked the value. */
1080 err = ksba_certreq_set_validity (cr, 1, atime);
1083 log_error ("error setting the expire date: %s\n",
1084 gpg_strerror (err));
1090 /* Figure out the signing algorithm. If no sigkey has been
1091 given we set it to the public key to create a self-signed
1097 unsigned char *siginfo;
1099 err = transform_sigval (sigkey,
1100 gcry_sexp_canon_len (sigkey, 0, NULL, NULL),
1101 mdalgo, &siginfo, NULL);
1104 err = ksba_certreq_set_siginfo (cr, siginfo);
1109 log_error ("error setting the siginfo: %s\n",
1110 gpg_strerror (err));
1116 /* Insert the AuthorityKeyId. */
1117 string = get_parameter_value (para, pAUTHKEYID, 0);
1122 /* Allocate a buffer for in-place conversion. We also add 4
1123 extra bytes space for the tags and lengths fields. */
1124 hexbuf = xtrymalloc (4 + strlen (string) + 1);
1127 err = gpg_error_from_syserror ();
1130 strcpy (hexbuf+4, string);
1131 for (p=hexbuf+4, len=0; p[0] && p[1]; p += 2)
1132 ((unsigned char*)hexbuf)[4+len++] = xtoi_2 (p);
1135 err = gpg_error (GPG_ERR_TOO_LARGE);
1139 hexbuf[0] = 0x30; /* Tag for a Sequence. */
1141 hexbuf[2] = 0x80; /* Context tag for an implicit Octet string. */
1143 err = ksba_certreq_add_extension (cr, oidstr_authorityKeyIdentifier,
1149 log_error ("error setting the authority-key-id: %s\n",
1150 gpg_strerror (err));
1155 /* Insert the SubjectKeyId. */
1156 string = get_parameter_value (para, pSUBJKEYID, 0);
1161 /* Allocate a buffer for in-place conversion. We also add 2
1162 extra bytes space for the tag and length field. */
1163 hexbuf = xtrymalloc (2 + strlen (string) + 1);
1166 err = gpg_error_from_syserror ();
1169 strcpy (hexbuf+2, string);
1170 for (p=hexbuf+2, len=0; p[0] && p[1]; p += 2)
1171 ((unsigned char*)hexbuf)[2+len++] = xtoi_2 (p);
1174 err = gpg_error (GPG_ERR_TOO_LARGE);
1178 hexbuf[0] = 0x04; /* Tag for an Octet string. */
1180 err = ksba_certreq_add_extension (cr, oidstr_subjectKeyIdentifier, 0,
1185 log_error ("error setting the subject-key-id: %s\n",
1186 gpg_strerror (err));
1191 /* Insert additional extensions. */
1192 for (seq=0; (string = get_parameter_value (para, pEXTENSION, seq)); seq++)
1198 s = strpbrk (string, " \t:");
1201 err = gpg_error (GPG_ERR_INTERNAL);
1205 oidstr = xtrymalloc (s - string + 1);
1208 err = gpg_error_from_syserror ();
1211 memcpy (oidstr, string, (s-string));
1212 oidstr[(s-string)] = 0;
1219 err = gpg_error (GPG_ERR_INTERNAL);
1224 if (strchr ("cC", *s))
1234 hexbuf = xtrystrdup (s);
1237 err = gpg_error_from_syserror ();
1241 for (p=hexbuf, len=0; p[0] && p[1]; p += 2)
1242 ((unsigned char*)hexbuf)[len++] = xtoi_2 (p);
1243 err = ksba_certreq_add_extension (cr, oidstr, crit,
1254 err = ksba_certreq_build (cr, &stopreason);
1257 log_error ("ksba_certreq_build failed: %s\n", gpg_strerror (err));
1261 if (stopreason == KSBA_SR_NEED_SIG)
1265 unsigned char grip[20];
1267 unsigned char *sigval, *newsigval;
1270 n = gcry_sexp_canon_len (sigkey, 0, NULL, NULL);
1273 log_error ("libksba did not return a proper S-Exp\n");
1274 rc = gpg_error (GPG_ERR_BUG);
1277 rc = gcry_sexp_sscan (&s_pkey, NULL, (const char*)sigkey, n);
1280 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
1283 if ( !gcry_pk_get_keygrip (s_pkey, grip) )
1285 rc = gpg_error (GPG_ERR_GENERAL);
1286 log_error ("can't figure out the keygrip\n");
1287 gcry_sexp_release (s_pkey);
1290 gcry_sexp_release (s_pkey);
1291 bin2hex (grip, 20, hexgrip);
1293 log_info ("about to sign the %s for key: &%s\n",
1294 certmode? "certificate":"CSR", hexgrip);
1297 rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
1298 gcry_md_read (md, mdalgo),
1299 gcry_md_get_algo_dlen (mdalgo),
1307 orig_codeset = i18n_switchto_utf8 ();
1308 desc = percent_plus_escape
1309 (_("To complete this certificate request please enter"
1310 " the passphrase for the key you just created once"
1312 i18n_switchback (orig_codeset);
1313 rc = gpgsm_agent_pksign (ctrl, hexgrip, desc,
1314 gcry_md_read(md, mdalgo),
1315 gcry_md_get_algo_dlen (mdalgo),
1322 log_error ("signing failed: %s\n", gpg_strerror (rc));
1326 err = transform_sigval (sigval, siglen, mdalgo,
1331 err = ksba_certreq_set_sig_val (cr, newsigval);
1336 log_error ("failed to store the sig_val: %s\n",
1337 gpg_strerror (err));
1343 while (stopreason != KSBA_SR_READY);
1348 ksba_certreq_release (cr);
1354 /* Create a new key by reading the parameters from IN_FP. Multiple
1355 keys may be created */
1357 gpgsm_genkey (ctrl_t ctrl, estream_t in_stream, estream_t out_stream)
1361 rc = read_parameters (ctrl, in_stream, out_stream);
1364 log_error ("error creating certificate request: %s <%s>\n",
1365 gpg_strerror (rc), gpg_strsource (rc));
projects / gnupg.git / blob