2
* Copyright (C) 2002, 2003, 2004 Free Software Foundation, Inc.
4
* This file is part of GnuPG.
6
* GnuPG is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* GnuPG is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
39
/* A table to store a fingerprint as used in a duplicates table. We
40
don't need to hash here because a fingerprint is alrady a perfect
41
hash value. This we use the most significant bits to index the
42
table and then use a linked list for the overflow. Possible
43
enhancement for very large number of certictates: Add a second
44
level table and then resort to a linked list. */
47
struct duptable_s *next;
49
/* Note that we only need to store 19 bytes because the first byte
50
is implictly given by the table index (we require at least 8
52
unsigned char fpr[19];
54
typedef struct duptable_s *duptable_t;
55
#define DUPTABLE_BITS 12
56
#define DUPTABLE_SIZE (1 << DUPTABLE_BITS)
59
static void print_short_info (ksba_cert_t cert, FILE *fp);
60
static gpg_error_t export_p12 (ctrl_t ctrl,
61
const unsigned char *certimg, size_t certimglen,
62
const char *prompt, const char *keygrip,
66
/* Create a table used to indetify duplicated certificates. */
68
create_duptable (void)
70
return xtrycalloc (DUPTABLE_SIZE, sizeof (duptable_t));
74
destroy_duptable (duptable_t *table)
81
for (idx=0; idx < DUPTABLE_SIZE; idx++)
82
for (t = table[idx]; t; t = t2)
91
/* Insert the 20 byte fingerprint FPR into TABLE. Sets EXITS to true
92
if the fingerprint already exists in the table. */
94
insert_duptable (duptable_t *table, unsigned char *fpr, int *exists)
101
#if DUPTABLE_BITS > 16 || DUPTABLE_BITS < 8
102
#error cannot handle a table larger than 16 bits or smaller than 8 bits
103
#elif DUPTABLE_BITS > 8
104
idx <<= (DUPTABLE_BITS - 8);
105
idx |= (fpr[1] & ~(~0 << 4));
108
for (t = table[idx]; t; t = t->next)
109
if (!memcmp (t->fpr, fpr+1, 19))
116
/* Insert that fingerprint. */
117
t = xtrymalloc (sizeof *t);
119
return gpg_error_from_errno (errno);
120
memcpy (t->fpr, fpr+1, 19);
121
t->next = table[idx];
129
/* Export all certificates or just those given in NAMES. */
131
gpgsm_export (CTRL ctrl, STRLIST names, FILE *fp)
133
KEYDB_HANDLE hd = NULL;
134
KEYDB_SEARCH_DESC *desc = NULL;
136
Base64Context b64writer = NULL;
137
ksba_writer_t writer;
139
ksba_cert_t cert = NULL;
146
dtable = create_duptable ();
149
log_error ("creating duplicates table failed: %s\n", strerror (errno));
156
log_error ("keydb_new failed\n");
164
for (sl=names, ndesc=0; sl; sl = sl->next, ndesc++)
168
desc = xtrycalloc (ndesc, sizeof *desc);
171
log_error ("allocating memory for export failed: %s\n",
172
gpg_strerror (OUT_OF_CORE (errno)));
177
desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
180
for (ndesc=0, sl=names; sl; sl = sl->next)
182
rc = keydb_classify_name (sl->d, desc+ndesc);
185
log_error ("key `%s' not found: %s\n",
186
sl->d, gpg_strerror (rc));
194
/* If all specifications are done by fingerprint, we switch to
195
ephemeral mode so that _all_ currently available and matching
196
certificates are exported.
198
fixme: we should in this case keep a list of certificates to
199
avoid accidential export of duplicate certificates. */
203
&& (desc[i].mode == KEYDB_SEARCH_MODE_FPR
204
|| desc[i].mode == KEYDB_SEARCH_MODE_FPR20
205
|| desc[i].mode == KEYDB_SEARCH_MODE_FPR16)); i++)
208
keydb_set_ephemeral (hd, 1);
211
while (!(rc = keydb_search (hd, desc, ndesc)))
213
unsigned char fpr[20];
217
desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
219
rc = keydb_get_cert (hd, &cert);
222
log_error ("keydb_get_cert failed: %s\n", gpg_strerror (rc));
226
gpgsm_get_fingerprint (cert, 0, fpr, NULL);
227
rc = insert_duptable (dtable, fpr, &exists);
230
log_error ("inserting into duplicates table fauiled: %s\n",
235
if (!exists && count && !ctrl->create_pem)
237
log_info ("exporting more than one certificate "
238
"is not possible in binary mode\n");
239
log_info ("ignoring other certificates\n");
245
const unsigned char *image;
248
image = ksba_cert_get_image (cert, &imagelen);
251
log_error ("ksba_cert_get_image failed\n");
256
if (ctrl->create_pem)
260
print_short_info (cert, fp);
267
ctrl->pem_name = "CERTIFICATE";
268
rc = gpgsm_create_writer (&b64writer, ctrl, fp, &writer);
271
log_error ("can't create writer: %s\n", gpg_strerror (rc));
276
rc = ksba_writer_write (writer, image, imagelen);
279
log_error ("write error: %s\n", gpg_strerror (rc));
283
if (ctrl->create_pem)
285
/* We want one certificate per PEM block */
286
rc = gpgsm_finish_writer (b64writer);
289
log_error ("write failed: %s\n", gpg_strerror (rc));
292
gpgsm_destroy_writer (b64writer);
297
ksba_cert_release (cert);
301
log_error ("keydb_search failed: %s\n", gpg_strerror (rc));
304
rc = gpgsm_finish_writer (b64writer);
307
log_error ("write failed: %s\n", gpg_strerror (rc));
313
gpgsm_destroy_writer (b64writer);
314
ksba_cert_release (cert);
317
destroy_duptable (dtable);
321
/* Export a certificates and its private key. */
323
gpgsm_p12_export (ctrl_t ctrl, const char *name, FILE *fp)
326
KEYDB_SEARCH_DESC *desc = NULL;
327
Base64Context b64writer = NULL;
328
ksba_writer_t writer;
329
ksba_cert_t cert = NULL;
331
const unsigned char *image;
333
char *keygrip = NULL;
343
log_error ("keydb_new failed\n");
347
desc = xtrycalloc (1, sizeof *desc);
350
log_error ("allocating memory for export failed: %s\n",
351
gpg_strerror (OUT_OF_CORE (errno)));
355
rc = keydb_classify_name (name, desc);
358
log_error ("key `%s' not found: %s\n",
359
name, gpg_strerror (rc));
363
/* Lookup the certificate an make sure that it is unique. */
364
rc = keydb_search (hd, desc, 1);
367
rc = keydb_get_cert (hd, &cert);
370
log_error ("keydb_get_cert failed: %s\n", gpg_strerror (rc));
374
rc = keydb_search (hd, desc, 1);
376
rc = gpg_error (GPG_ERR_AMBIGUOUS_NAME);
377
else if (rc == -1 || gpg_err_code (rc) == GPG_ERR_EOF)
381
log_error ("key `%s' not found: %s\n",
382
name, gpg_strerror (rc));
387
keygrip = gpgsm_get_keygrip_hexstring (cert);
388
if (!keygrip || gpgsm_agent_havekey (ctrl, keygrip))
390
/* Note, that the !keygrip case indicates a bad certificate. */
391
rc = gpg_error (GPG_ERR_NO_SECKEY);
392
log_error ("can't export key `%s': %s\n", name, gpg_strerror (rc));
396
image = ksba_cert_get_image (cert, &imagelen);
399
log_error ("ksba_cert_get_image failed\n");
403
if (ctrl->create_pem)
405
print_short_info (cert, fp);
409
ctrl->pem_name = "PKCS12";
410
rc = gpgsm_create_writer (&b64writer, ctrl, fp, &writer);
413
log_error ("can't create writer: %s\n", gpg_strerror (rc));
418
prompt = gpgsm_format_keydesc (cert);
419
rc = export_p12 (ctrl, image, imagelen, prompt, keygrip, &datafp);
424
while ( (nread = fread (buffer, 1, sizeof buffer, datafp)) > 0 )
425
if ((rc = ksba_writer_write (writer, buffer, nread)))
427
log_error ("write failed: %s\n", gpg_strerror (rc));
432
rc = gpg_error_from_errno (rc);
433
log_error ("error reading temporary file: %s\n", gpg_strerror (rc));
437
if (ctrl->create_pem)
439
/* We want one certificate per PEM block */
440
rc = gpgsm_finish_writer (b64writer);
443
log_error ("write failed: %s\n", gpg_strerror (rc));
446
gpgsm_destroy_writer (b64writer);
450
ksba_cert_release (cert);
456
gpgsm_destroy_writer (b64writer);
457
ksba_cert_release (cert);
463
/* Print some info about the certifciate CERT to FP */
465
print_short_info (ksba_cert_t cert, FILE *fp)
471
for (idx=0; (p = ksba_cert_get_issuer (cert, idx)); idx++)
473
fputs (!idx? "Issuer ...: "
474
: "\n aka ...: ", fp);
475
gpgsm_print_name (fp, p);
480
fputs ("Serial ...: ", fp);
481
sexp = ksba_cert_get_serial (cert);
485
const unsigned char *s = sexp;
490
for (len=0; *s && *s != ':' && digitp (s); s++)
491
len = len*10 + atoi_1 (s);
493
for (s++; len; len--, s++)
494
fprintf (fp, "%02X", *s);
500
for (idx=0; (p = ksba_cert_get_subject (cert, idx)); idx++)
502
fputs (!idx? "Subject ..: "
503
: "\n aka ..: ", fp);
504
gpgsm_print_name (fp, p);
512
popen_protect_tool (const char *pgmname,
513
FILE *infile, FILE *outfile, FILE **statusfile,
514
const char *prompt, const char *keygrip,
517
const char *argv[20];
520
argv[i++] = "--homedir";
521
argv[i++] = opt.homedir;
522
argv[i++] = "--p12-export";
523
argv[i++] = "--prompt";
524
argv[i++] = prompt?prompt:"";
525
argv[i++] = "--enable-status-msg";
529
assert (i < sizeof argv);
531
return gnupg_spawn_process (pgmname, argv, infile, outfile,
538
export_p12 (ctrl_t ctrl, const unsigned char *certimg, size_t certimglen,
539
const char *prompt, const char *keygrip,
543
gpg_error_t err = 0, child_err = 0;
546
FILE *infp = NULL, *outfp = NULL, *fp = NULL;
551
if (!opt.protect_tool_program || !*opt.protect_tool_program)
552
pgmname = GNUPG_DEFAULT_PROTECT_TOOL;
554
pgmname = opt.protect_tool_program;
559
err = gpg_error_from_errno (errno);
560
log_error (_("error creating temporary file: %s\n"), strerror (errno));
564
if (fwrite (certimg, certimglen, 1, infp) != 1)
566
err = gpg_error_from_errno (errno);
567
log_error (_("error writing to temporary file: %s\n"),
575
err = gpg_error_from_errno (errno);
576
log_error (_("error creating temporary file: %s\n"), strerror (errno));
580
err = popen_protect_tool (pgmname, infp, outfp, &fp, prompt, keygrip, &pid);
589
/* Read stderr of the protect tool. */
592
while ((c=getc (fp)) != EOF)
594
/* fixme: We could here grep for status information of the
595
protect tool to figure out better error codes for
598
if (pos >= sizeof buffer - 5 || c == '\n')
600
buffer[pos - (c == '\n')] = 0;
602
log_printf ("%s", buffer);
605
if (!strncmp (buffer, "gpg-protect-tool: [PROTECT-TOOL:] ",34))
610
pend = strchr (p, ' ');
613
if ( !strcmp (p, "bad-passphrase"))
617
log_info ("%s", buffer);
620
cont_line = (c != '\n');
628
log_printf ("%s\n", buffer);
630
log_info ("%s\n", buffer);
635
/* If we found no error in the output of the child, setup a suitable
636
error code, which will later be reset if the exit status of the
639
child_err = gpg_error (GPG_ERR_DECRYPT_FAILED);
648
if (!gnupg_wait_process (pgmname, pid))
662
/* During export this is the passphrase used to unprotect the
663
key and not the pkcs#12 thing as in export. Therefore we can
664
issue the regular passphrase status. FIXME: replace the all
665
zero keyid by a regular one. */
666
gpgsm_status (ctrl, STATUS_BAD_PASSPHRASE, "0000000000000000");