850
1095
gcry_sexp_release (misc_key_info);
856
1102
gen_elg(int algo, unsigned int nbits,
857
1103
KBNODE pub_root, KBNODE sec_root, DEK *dek,
858
STRING2KEY *s2k, PKT_secret_key **ret_sk, u32 expireval )
1104
STRING2KEY *s2k, PKT_secret_key **ret_sk, u32 expireval,
864
gcry_sexp_t s_parms, s_key;
865
gcry_sexp_t misc_key_info;
867
assert (is_ELGAMAL(algo));
872
log_info (_("keysize invalid; using %u bits\n"), nbits);
877
nbits = ((nbits + 31) / 32) * 32;
878
log_info (_("keysize rounded up to %u bits\n"), nbits);
881
rc = gcry_sexp_build ( &s_parms, NULL,
882
"(genkey(%s(nbits %d)))",
883
algo == GCRY_PK_ELG_E ? "openpgp-elg" :
884
algo == GCRY_PK_ELG ? "elg" : "x-oops" ,
887
log_bug ("gcry_sexp_build failed: %s\n", gpg_strerror (rc));
889
rc = gcry_pk_genkey (&s_key, s_parms);
890
gcry_sexp_release (s_parms);
893
log_error ("gcry_pk_genkey failed: %s\n", gpg_strerror (rc) );
897
sk = xcalloc (1, sizeof *sk);
898
pk = xcalloc (1, sizeof *pk);
899
sk->timestamp = pk->timestamp = make_timestamp();
900
sk->version = pk->version = 4;
902
sk->expiredate = pk->expiredate = sk->timestamp + expireval;
903
sk->pubkey_algo = pk->pubkey_algo = algo;
905
rc = key_from_sexp (pk->pkey, s_key, "public-key", "pgy");
908
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc) );
909
gcry_sexp_release (s_key);
912
rc = key_from_sexp (sk->skey, s_key, "private-key", "pgyx");
915
log_error("key_from_sexp failed: %s\n", gpg_strerror (rc) );
916
gcry_sexp_release (s_key);
919
misc_key_info = gcry_sexp_find_token (s_key, "misc-key-info", 0);
920
gcry_sexp_release (s_key);
922
sk->is_protected = 0;
923
sk->protect.algo = 0;
925
sk->csum = checksum_mpi (sk->skey[3]);
926
if (ret_sk) /* not a subkey: return an unprotected version of the sk */
927
*ret_sk = copy_secret_key (NULL, sk);
929
rc = genhelp_protect (dek, s2k, sk);
932
free_public_key (pk);
933
free_secret_key (sk);
934
gcry_sexp_release (misc_key_info);
938
pkt = xcalloc (1,sizeof *pkt);
939
pkt->pkttype = ret_sk ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY;
940
pkt->pkt.public_key = pk;
941
add_kbnode(pub_root, new_kbnode( pkt ));
943
/* don't know whether it makes sense to have the factors, so for now
944
* we store them in the secret keyring (but they are not secret) */
945
pkt = xcalloc (1,sizeof *pkt);
946
pkt->pkttype = ret_sk ? PKT_SECRET_KEY : PKT_SECRET_SUBKEY;
947
pkt->pkt.secret_key = sk;
948
add_kbnode(sec_root, new_kbnode( pkt ));
950
genhelp_factors (misc_key_info, sec_root);
1111
gcry_sexp_t s_parms, s_key;
1112
gcry_sexp_t misc_key_info;
1114
assert( is_ELGAMAL(algo) );
1118
log_info(_("keysize invalid; using %u bits\n"), nbits );
1121
if( (nbits % 32) ) {
1122
nbits = ((nbits + 31) / 32) * 32;
1123
log_info(_("keysize rounded up to %u bits\n"), nbits );
1127
rc = gcry_sexp_build ( &s_parms, NULL,
1128
"(genkey(%s(nbits %d)))",
1129
algo == GCRY_PK_ELG_E ? "openpgp-elg" :
1130
algo == GCRY_PK_ELG ? "elg" : "x-oops" ,
1133
log_bug ("gcry_sexp_build failed: %s\n", gpg_strerror (rc));
1135
rc = gcry_pk_genkey (&s_key, s_parms);
1136
gcry_sexp_release (s_parms);
1139
log_error ("gcry_pk_genkey failed: %s\n", gpg_strerror (rc) );
1143
sk = xmalloc_clear( sizeof *sk );
1144
pk = xmalloc_clear( sizeof *pk );
1145
sk->timestamp = pk->timestamp = make_timestamp();
1146
sk->version = pk->version = 4;
1148
sk->expiredate = pk->expiredate = sk->timestamp + expireval;
1150
sk->pubkey_algo = pk->pubkey_algo = algo;
1151
/* pk->pkey[0] = mpi_copy( skey[0] ); */
1152
/* pk->pkey[1] = mpi_copy( skey[1] ); */
1153
/* pk->pkey[2] = mpi_copy( skey[2] ); */
1154
/* sk->skey[0] = skey[0]; */
1155
/* sk->skey[1] = skey[1]; */
1156
/* sk->skey[2] = skey[2]; */
1157
/* sk->skey[3] = skey[3]; */
1159
rc = key_from_sexp (pk->pkey, s_key, "public-key", "pgy");
1162
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc) );
1163
gcry_sexp_release (s_key);
1164
free_secret_key (sk);
1165
free_public_key (pk);
1168
rc = key_from_sexp (sk->skey, s_key, "private-key", "pgyx");
1171
log_error("key_from_sexp failed: %s\n", gpg_strerror (rc) );
1172
gcry_sexp_release (s_key);
1173
free_secret_key (sk);
1174
free_public_key (pk);
1177
misc_key_info = gcry_sexp_find_token (s_key, "misc-key-info", 0);
1178
gcry_sexp_release (s_key);
1180
sk->is_protected = 0;
1181
sk->protect.algo = 0;
1183
sk->csum = checksum_mpi( sk->skey[3] );
1184
if( ret_sk ) /* return an unprotected version of the sk */
1185
*ret_sk = copy_secret_key( NULL, sk );
1187
rc = genhelp_protect (dek, s2k, sk);
1190
free_public_key (pk);
1191
free_secret_key (sk);
1192
gcry_sexp_release (misc_key_info);
1196
pkt = xmalloc_clear (sizeof *pkt);
1197
pkt->pkttype = is_subkey ? PKT_PUBLIC_SUBKEY : PKT_PUBLIC_KEY;
1198
pkt->pkt.public_key = pk;
1199
add_kbnode(pub_root, new_kbnode( pkt ));
1201
/* Don't know whether it makes sense to have the factors, so for now
1202
* we store them in the secret keyring (but they are not secret). */
1203
pkt = xmalloc_clear(sizeof *pkt);
1204
pkt->pkttype = is_subkey ? PKT_SECRET_SUBKEY : PKT_SECRET_KEY;
1205
pkt->pkt.secret_key = sk;
1206
add_kbnode(sec_root, new_kbnode( pkt ));
1208
genhelp_factors (misc_key_info, sec_root);
960
1218
gen_dsa (unsigned int nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
961
STRING2KEY *s2k, PKT_secret_key **ret_sk, u32 expireval )
1219
STRING2KEY *s2k, PKT_secret_key **ret_sk, u32 expireval, int is_subkey)
967
gcry_sexp_t s_parms, s_key;
968
gcry_sexp_t misc_key_info;
970
if (nbits > 1024 || nbits < 512)
973
log_info(_("keysize invalid; using %u bits\n"), nbits);
978
nbits = ((nbits + 63) / 64) * 64;
979
log_info (_("keysize rounded up to %u bits\n"), nbits);
982
rc = gcry_sexp_build (&s_parms, NULL,
983
"(genkey(dsa(nbits %d)))",
986
log_bug ("gcry_sexp_build failed: %s\n", gpg_strerror (rc));
988
rc = gcry_pk_genkey (&s_key, s_parms);
989
gcry_sexp_release (s_parms);
992
log_error ("gcry_pk_genkey failed: %s\n", gpg_strerror (rc) );
996
sk = xcalloc (1, sizeof *sk );
997
pk = xcalloc (1, sizeof *pk );
998
sk->timestamp = pk->timestamp = make_timestamp();
999
sk->version = pk->version = 4;
1001
sk->expiredate = pk->expiredate = sk->timestamp + expireval;
1002
sk->pubkey_algo = pk->pubkey_algo = PUBKEY_ALGO_DSA;
1004
rc = key_from_sexp (pk->pkey, s_key, "public-key", "pqgy");
1007
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc));
1008
gcry_sexp_release (s_key);
1011
rc = key_from_sexp (sk->skey, s_key, "private-key", "pqgyx");
1014
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc) );
1015
gcry_sexp_release (s_key);
1018
misc_key_info = gcry_sexp_find_token (s_key, "misc-key-info", 0);
1019
gcry_sexp_release (s_key);
1021
sk->is_protected = 0;
1022
sk->protect.algo = 0;
1024
sk->csum = checksum_mpi ( sk->skey[4] );
1025
if (ret_sk) /* not a subkey: return an unprotected version of the sk */
1026
*ret_sk = copy_secret_key( NULL, sk );
1028
rc = genhelp_protect (dek, s2k, sk);
1031
free_public_key (pk);
1032
free_secret_key (sk);
1033
gcry_sexp_release (misc_key_info);
1037
pkt = xcalloc (1,sizeof *pkt);
1038
pkt->pkttype = ret_sk ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY;
1039
pkt->pkt.public_key = pk;
1040
add_kbnode(pub_root, new_kbnode( pkt ));
1042
pkt = xcalloc (1,sizeof *pkt);
1043
pkt->pkttype = ret_sk ? PKT_SECRET_KEY : PKT_SECRET_SUBKEY;
1044
pkt->pkt.secret_key = sk;
1045
add_kbnode(sec_root, new_kbnode( pkt ));
1047
genhelp_factors (misc_key_info, sec_root);
1225
gcry_sexp_t s_parms, s_key;
1226
gcry_sexp_t misc_key_info;
1228
if( nbits > 1024 || nbits < 512 ) {
1230
log_info(_("keysize invalid; using %u bits\n"), nbits );
1233
if( (nbits % 64) ) {
1234
nbits = ((nbits + 63) / 64) * 64;
1235
log_info(_("keysize rounded up to %u bits\n"), nbits );
1238
rc = gcry_sexp_build (&s_parms, NULL,
1239
"(genkey(dsa(nbits %d)))",
1242
log_bug ("gcry_sexp_build failed: %s\n", gpg_strerror (rc));
1244
rc = gcry_pk_genkey (&s_key, s_parms);
1245
gcry_sexp_release (s_parms);
1248
log_error ("gcry_pk_genkey failed: %s\n", gpg_strerror (rc) );
1252
sk = xmalloc_clear( sizeof *sk );
1253
pk = xmalloc_clear( sizeof *pk );
1254
sk->timestamp = pk->timestamp = make_timestamp();
1255
sk->version = pk->version = 4;
1257
sk->expiredate = pk->expiredate = sk->timestamp + expireval;
1259
sk->pubkey_algo = pk->pubkey_algo = PUBKEY_ALGO_DSA;
1261
rc = key_from_sexp (pk->pkey, s_key, "public-key", "pqgy");
1264
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc));
1265
gcry_sexp_release (s_key);
1266
free_public_key(pk);
1267
free_secret_key(sk);
1270
rc = key_from_sexp (sk->skey, s_key, "private-key", "pqgyx");
1273
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc) );
1274
gcry_sexp_release (s_key);
1275
free_public_key(pk);
1276
free_secret_key(sk);
1279
misc_key_info = gcry_sexp_find_token (s_key, "misc-key-info", 0);
1280
gcry_sexp_release (s_key);
1282
sk->is_protected = 0;
1283
sk->protect.algo = 0;
1285
sk->csum = checksum_mpi ( sk->skey[4] );
1286
if( ret_sk ) /* return an unprotected version of the sk */
1287
*ret_sk = copy_secret_key( NULL, sk );
1289
rc = genhelp_protect (dek, s2k, sk);
1292
free_public_key (pk);
1293
free_secret_key (sk);
1294
gcry_sexp_release (misc_key_info);
1298
pkt = xmalloc_clear(sizeof *pkt);
1299
pkt->pkttype = is_subkey ? PKT_PUBLIC_SUBKEY : PKT_PUBLIC_KEY;
1300
pkt->pkt.public_key = pk;
1301
add_kbnode(pub_root, new_kbnode( pkt ));
1303
/* Don't know whether it makes sense to have the factors, so for now
1304
* we store them in the secret keyring (but they are not secret)
1305
* p = 2 * q * f1 * f2 * ... * fn
1306
* We store only f1 to f_n-1; fn can be calculated because p and q
1309
pkt = xmalloc_clear(sizeof *pkt);
1310
pkt->pkttype = is_subkey ? PKT_SECRET_SUBKEY : PKT_SECRET_KEY;
1311
pkt->pkt.secret_key = sk;
1312
add_kbnode(sec_root, new_kbnode( pkt ));
1314
genhelp_factors (misc_key_info, sec_root);
1057
1324
gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
1058
STRING2KEY *s2k, PKT_secret_key **ret_sk, u32 expireval )
1325
STRING2KEY *s2k, PKT_secret_key **ret_sk, u32 expireval, int is_subkey)
1064
gcry_sexp_t s_parms, s_key;
1066
assert (is_RSA(algo));
1071
log_info(_("keysize invalid; using %u bits\n"), nbits);
1076
nbits = ((nbits + 31) / 32) * 32;
1077
log_info (_("keysize rounded up to %u bits\n"), nbits);
1080
rc = gcry_sexp_build (&s_parms, NULL,
1081
"(genkey(rsa(nbits %d)))",
1084
log_bug ("gcry_sexp_build failed: %s\n", gpg_strerror (rc));
1331
gcry_sexp_t s_parms, s_key;
1333
assert( is_RSA(algo) );
1335
if( nbits < 1024 ) {
1337
log_info(_("keysize invalid; using %u bits\n"), nbits );
1340
if( (nbits % 32) ) {
1341
nbits = ((nbits + 31) / 32) * 32;
1342
log_info(_("keysize rounded up to %u bits\n"), nbits );
1345
rc = gcry_sexp_build (&s_parms, NULL,
1346
"(genkey(rsa(nbits %d)))",
1349
log_bug ("gcry_sexp_build failed: %s\n", gpg_strerror (rc));
1086
rc = gcry_pk_genkey (&s_key, s_parms);
1087
gcry_sexp_release (s_parms);
1090
log_error ("gcry_pk_genkey failed: %s\n", gpg_strerror (rc) );
1094
sk = xcalloc (1, sizeof *sk );
1095
pk = xcalloc (1, sizeof *pk );
1096
sk->timestamp = pk->timestamp = make_timestamp();
1097
sk->version = pk->version = 4;
1099
sk->expiredate = pk->expiredate = sk->timestamp + expireval;
1100
sk->pubkey_algo = pk->pubkey_algo = algo;
1102
rc = key_from_sexp (pk->pkey, s_key, "public-key", "ne");
1105
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc));
1106
gcry_sexp_release (s_key);
1109
rc = key_from_sexp (sk->skey, s_key, "private-key", "nedpqu");
1112
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc) );
1113
gcry_sexp_release (s_key);
1116
gcry_sexp_release (s_key);
1118
sk->is_protected = 0;
1119
sk->protect.algo = 0;
1121
sk->csum = checksum_mpi (sk->skey[2] );
1122
sk->csum += checksum_mpi (sk->skey[3] );
1123
sk->csum += checksum_mpi (sk->skey[4] );
1124
sk->csum += checksum_mpi (sk->skey[5] );
1125
if (ret_sk) /* not a subkey: return an unprotected version of the sk */
1126
*ret_sk = copy_secret_key (NULL, sk);
1128
rc = genhelp_protect (dek, s2k, sk);
1131
free_public_key (pk);
1132
free_secret_key (sk);
1136
pkt = xcalloc (1,sizeof *pkt);
1137
pkt->pkttype = ret_sk ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY;
1138
pkt->pkt.public_key = pk;
1139
add_kbnode (pub_root, new_kbnode( pkt ));
1141
pkt = xcalloc (1,sizeof *pkt);
1142
pkt->pkttype = ret_sk ? PKT_SECRET_KEY : PKT_SECRET_SUBKEY;
1143
pkt->pkt.secret_key = sk;
1144
add_kbnode(sec_root, new_kbnode( pkt ));
1351
rc = gcry_pk_genkey (&s_key, s_parms);
1352
gcry_sexp_release (s_parms);
1355
log_error ("gcry_pk_genkey failed: %s\n", gpg_strerror (rc) );
1359
sk = xmalloc_clear( sizeof *sk );
1360
pk = xmalloc_clear( sizeof *pk );
1361
sk->timestamp = pk->timestamp = make_timestamp();
1362
sk->version = pk->version = 4;
1364
sk->expiredate = pk->expiredate = sk->timestamp + expireval;
1366
sk->pubkey_algo = pk->pubkey_algo = algo;
1368
rc = key_from_sexp (pk->pkey, s_key, "public-key", "ne");
1371
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc));
1372
gcry_sexp_release (s_key);
1373
free_public_key(pk);
1374
free_secret_key(sk);
1377
rc = key_from_sexp (sk->skey, s_key, "private-key", "nedpqu");
1380
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc) );
1381
gcry_sexp_release (s_key);
1382
free_public_key(pk);
1383
free_secret_key(sk);
1386
gcry_sexp_release (s_key);
1388
sk->is_protected = 0;
1389
sk->protect.algo = 0;
1391
sk->csum = checksum_mpi (sk->skey[2] );
1392
sk->csum += checksum_mpi (sk->skey[3] );
1393
sk->csum += checksum_mpi (sk->skey[4] );
1394
sk->csum += checksum_mpi (sk->skey[5] );
1395
if( ret_sk ) /* return an unprotected version of the sk */
1396
*ret_sk = copy_secret_key( NULL, sk );
1398
rc = genhelp_protect (dek, s2k, sk);
1401
free_public_key (pk);
1402
free_secret_key (sk);
1406
pkt = xmalloc_clear(sizeof *pkt);
1407
pkt->pkttype = is_subkey ? PKT_PUBLIC_SUBKEY : PKT_PUBLIC_KEY;
1408
pkt->pkt.public_key = pk;
1409
add_kbnode(pub_root, new_kbnode( pkt ));
1411
pkt = xmalloc_clear(sizeof *pkt);
1412
pkt->pkttype = is_subkey ? PKT_SECRET_SUBKEY : PKT_SECRET_KEY;
1413
pkt->pkt.secret_key = sk;
1414
add_kbnode(sec_root, new_kbnode( pkt ));
1259
1623
static unsigned
1260
1624
ask_keysize( int algo )
1265
if (algo != PUBKEY_ALGO_DSA && algo != PUBKEY_ALGO_RSA) {
1266
tty_printf (_("About to generate a new %s keypair.\n"
1267
" minimum keysize is 768 bits\n"
1268
" default keysize is 1024 bits\n"
1269
" highest suggested keysize is 2048 bits\n"),
1270
gcry_pk_algo_name (algo) );
1274
answer = cpr_get("keygen.size",
1275
_("What keysize do you want? (1024) "));
1277
nbits = *answer? atoi(answer): 1024;
1279
if( algo == PUBKEY_ALGO_DSA && (nbits < 512 || nbits > 1024) )
1280
tty_printf(_("DSA only allows keysizes from 512 to 1024\n"));
1281
else if( algo == PUBKEY_ALGO_RSA && nbits < 1024 )
1282
tty_printf(_("keysize too small;"
1283
" 1024 is smallest value allowed for RSA.\n"));
1284
else if( nbits < 768 )
1285
tty_printf(_("keysize too small;"
1286
" 768 is smallest value allowed.\n"));
1287
else if( nbits > 4096 ) {
1288
/* It is ridiculous and an annoyance to use larger key sizes!
1289
* GnuPG can handle much larger sizes; but it takes an eternity
1290
* to create such a key (but less than the time the Sirius
1291
* Computer Corporation needs to process one of the usual
1292
* complaints) and {de,en}cryption although needs some time.
1293
* So, before you complain about this limitation, I suggest that
1294
* you start a discussion with Marvin about this theme and then
1295
* do whatever you want. */
1296
tty_printf(_("keysize too large; %d is largest value allowed.\n"),
1299
else if( nbits > 2048 && !cpr_enabled() ) {
1301
_("Keysizes larger than 2048 are not suggested because\n"
1302
"computations take REALLY long!\n"));
1303
if( cpr_get_answer_is_yes("keygen.size.huge.okay",_(
1304
"Are you sure that you want this keysize? ")) ) {
1305
tty_printf(_("Okay, but keep in mind that your monitor "
1306
"and keyboard radiation is also very vulnerable "
1314
tty_printf(_("Requested keysize is %u bits\n"), nbits );
1315
if( algo == PUBKEY_ALGO_DSA && (nbits % 64) ) {
1316
nbits = ((nbits + 63) / 64) * 64;
1317
tty_printf(_("rounded up to %u bits\n"), nbits );
1319
else if( (nbits % 32) ) {
1320
nbits = ((nbits + 31) / 32) * 32;
1321
tty_printf(_("rounded up to %u bits\n"), nbits );
1626
unsigned int nbits, min, def=2048, max=4096;
1635
case PUBKEY_ALGO_DSA:
1643
tty_printf(_("DSA keypair will have %u bits.\n"),1024);
1648
case PUBKEY_ALGO_RSA:
1653
tty_printf(_("%s keys may be between %u and %u bits long.\n"),
1654
gcry_pk_algo_name (algo), min, max);
1658
char *prompt,*answer;
1660
#define PROMPTSTRING _("What keysize do you want? (%u) ")
1662
prompt=xmalloc(strlen(PROMPTSTRING)+20);
1663
sprintf(prompt,PROMPTSTRING,def);
1667
answer = cpr_get("keygen.size",prompt);
1669
nbits = *answer? atoi(answer): def;
1673
if(nbits<min || nbits>max)
1674
tty_printf(_("%s keysizes must be in the range %u-%u\n"),
1675
gcry_pk_algo_name (algo), min, max);
1680
tty_printf(_("Requested keysize is %u bits\n"), nbits );
1682
if( algo == PUBKEY_ALGO_DSA && (nbits % 64) )
1684
nbits = ((nbits + 63) / 64) * 64;
1685
tty_printf(_("rounded up to %u bits\n"), nbits );
1687
else if( (nbits % 32) )
1689
nbits = ((nbits + 31) / 32) * 32;
1690
tty_printf(_("rounded up to %u bits\n"), nbits );
1327
1697
/****************
1328
* Parse an expire string and return it's value in days.
1329
* Returns -1 on error.
1698
* Parse an expire string and return its value in seconds.
1699
* Returns (u32)-1 on error.
1700
* This isn't perfect since scan_isodatestr returns unix time, and
1701
* OpenPGP actually allows a 32-bit time *plus* a 32-bit offset.
1702
* Because of this, we only permit setting expirations up to 2106, but
1703
* OpenPGP could theoretically allow up to 2242. I think we'll all
1704
* just cope for the next few years until we get a 64-bit time_t or
1332
1708
parse_expire_string( const char *string )
1336
u32 curtime = make_timestamp();
1711
u32 seconds,abs_date=0,curtime = make_timestamp();
1341
else if( (abs_date = scan_isodatestr(string)) && abs_date > curtime ) {
1342
/* This calculation is not perfectly okay because we
1343
* are later going to simply multiply by 86400 and don't
1344
* correct for leapseconds. A solution would be to change
1345
* the whole implemenation to work with dates and not intervals
1346
* which are required for v3 keys.
1348
valid_days = abs_date/86400-curtime/86400+1;
1350
else if( (mult=check_valid_days(string)) ) {
1351
valid_days = atoi(string) * mult;
1352
if( valid_days < 0 || valid_days > 39447 )
1715
else if ( !strncmp (string, "seconds=", 8) )
1716
seconds = atoi (string+8);
1717
else if( (abs_date = scan_isodatestr(string)) && abs_date > curtime )
1718
seconds = abs_date - curtime;
1719
else if( (mult=check_valid_days(string)) )
1720
seconds = atoi(string) * 86400L * mult;
1361
1727
/* object == 0 for a key, and 1 for a sig */
1363
ask_expire_interval(int object)
1729
ask_expire_interval(int object,const char *def_expire)
1372
1739
tty_printf(_("Please specify how long the key should be valid.\n"
1373
1740
" 0 = key does not expire\n"
1374
1741
" <n> = key expires in n days\n"
1917
2279
proc_parameter_file( struct para_data_s *para, const char *fname,
1918
2280
struct output_control_s *outctrl, int card )
1920
struct para_data_s *r;
1921
const char *s1, *s2, *s3;
1926
/* check that we have all required parameters */
1927
assert( get_parameter( para, pKEYTYPE ) );
1928
i = get_parameter_algo( para, pKEYTYPE );
1929
if( i < 1 || openpgp_pk_test_algo ( i, PUBKEY_USAGE_SIG ) ) {
1930
r = get_parameter( para, pKEYTYPE );
1931
log_error("%s:%d: invalid algorithm\n", fname, r->lnr );
1935
if (parse_parameter_usage (fname, para, pKEYUSAGE))
1938
i = get_parameter_algo( para, pSUBKEYTYPE );
1939
if( i > 0 && openpgp_pk_test_algo ( i, 0 ) ) {
1940
r = get_parameter( para, pSUBKEYTYPE );
1941
log_error("%s:%d: invalid algorithm\n", fname, r->lnr );
1944
if (i > 0 && parse_parameter_usage (fname, para, pSUBKEYUSAGE))
1948
if( !get_parameter_value( para, pUSERID ) ) {
1949
/* create the formatted user ID */
1950
s1 = get_parameter_value( para, pNAMEREAL );
1951
s2 = get_parameter_value( para, pNAMECOMMENT );
1952
s3 = get_parameter_value( para, pNAMEEMAIL );
1953
if( s1 || s2 || s3 ) {
1954
n = (s1?strlen(s1):0) + (s2?strlen(s2):0) + (s3?strlen(s3):0);
1955
r = xcalloc (1, sizeof *r + n + 20 );
1961
p = stpcpy(stpcpy(stpcpy(p," ("), s2 ),")");
1963
p = stpcpy(stpcpy(stpcpy(p," <"), s3 ),">");
1969
/* Set preferences, if any. */
1970
keygen_set_std_prefs(get_parameter_value( para, pPREFERENCES ), 0);
1972
/* Set revoker, if any. */
1973
if (parse_revocation_key (fname, para, pREVOKER))
1976
/* make DEK and S2K from the Passphrase */
1977
r = get_parameter( para, pPASSPHRASE );
1978
if( r && *r->u.value ) {
1979
/* we have a plain text passphrase - create a DEK from it.
1980
* It is a little bit ridiculous to keep it in secure memory
1981
* but because we do this always, why not here. */
1985
s2k = xmalloc_secure ( sizeof *s2k );
1986
s2k->mode = opt.s2k_mode;
1987
s2k->hash_algo = opt.s2k_digest_algo;
1988
set_next_passphrase( r->u.value );
1989
dek = passphrase_to_dek( NULL, 0, opt.s2k_cipher_algo, s2k, 2,
1991
set_next_passphrase( NULL );
1993
memset( r->u.value, 0, strlen(r->u.value) );
1995
r = xcalloc (1, sizeof *r );
1996
r->key = pPASSPHRASE_S2K;
2000
r = xcalloc (1, sizeof *r );
2001
r->key = pPASSPHRASE_DEK;
2007
/* make KEYEXPIRE from Expire-Date */
2008
r = get_parameter( para, pEXPIREDATE );
2009
if( r && *r->u.value ) {
2010
i = parse_expire_string( r->u.value );
2012
log_error("%s:%d: invalid expire date\n", fname, r->lnr );
2015
r->u.expire = i * 86400L;
2016
r->key = pKEYEXPIRE; /* change hat entry */
2017
/* also set it for the subkey */
2018
r = xcalloc (1, sizeof *r + 20 );
2019
r->key = pSUBKEYEXPIRE;
2020
r->u.expire = i * 86400L;
2025
if( !!outctrl->pub.newfname ^ !!outctrl->sec.newfname ) {
2026
log_error("%s:%d: only one ring name is set\n", fname, outctrl->lnr );
2030
do_generate_keypair( para, outctrl, card);
2282
struct para_data_s *r;
2283
const char *s1, *s2, *s3;
2286
int have_user_id=0,err,algo;
2288
/* Check that we have all required parameters. */
2289
r = get_parameter( para, pKEYTYPE );
2292
algo=get_parameter_algo(para,pKEYTYPE);
2293
if (openpgp_pk_test_algo2 (algo, PUBKEY_USAGE_SIG))
2295
log_error("%s:%d: invalid algorithm\n", fname, r->lnr );
2301
log_error("%s: no Key-Type specified\n",fname);
2305
err=parse_parameter_usage (fname, para, pKEYUSAGE);
2308
/* Default to algo capabilities if key-usage is not provided */
2309
r=xmalloc_clear(sizeof(*r));
2311
r->u.usage=openpgp_pk_algo_usage(algo);
2318
r = get_parameter( para, pSUBKEYTYPE );
2321
algo=get_parameter_algo( para, pSUBKEYTYPE);
2322
if (openpgp_pk_test_algo (algo))
2324
log_error("%s:%d: invalid algorithm\n", fname, r->lnr );
2328
err=parse_parameter_usage (fname, para, pSUBKEYUSAGE);
2331
/* Default to algo capabilities if subkey-usage is not
2333
r=xmalloc_clear(sizeof(*r));
2334
r->key=pSUBKEYUSAGE;
2335
r->u.usage=openpgp_pk_algo_usage(algo);
2343
if( get_parameter_value( para, pUSERID ) )
2347
/* create the formatted user ID */
2348
s1 = get_parameter_value( para, pNAMEREAL );
2349
s2 = get_parameter_value( para, pNAMECOMMENT );
2350
s3 = get_parameter_value( para, pNAMEEMAIL );
2351
if( s1 || s2 || s3 )
2353
n = (s1?strlen(s1):0) + (s2?strlen(s2):0) + (s3?strlen(s3):0);
2354
r = xmalloc_clear( sizeof *r + n + 20 );
2360
p = stpcpy(stpcpy(stpcpy(p," ("), s2 ),")");
2362
p = stpcpy(stpcpy(stpcpy(p," <"), s3 ),">");
2371
log_error("%s: no User-ID specified\n",fname);
2375
/* Set preferences, if any. */
2376
keygen_set_std_prefs(get_parameter_value( para, pPREFERENCES ), 0);
2378
/* Set revoker, if any. */
2379
if (parse_revocation_key (fname, para, pREVOKER))
2382
/* make DEK and S2K from the Passphrase */
2383
r = get_parameter( para, pPASSPHRASE );
2384
if( r && *r->u.value ) {
2385
/* we have a plain text passphrase - create a DEK from it.
2386
* It is a little bit ridiculous to keep it ih secure memory
2387
* but becuase we do this alwasy, why not here */
2391
s2k = xmalloc_secure( sizeof *s2k );
2392
s2k->mode = opt.s2k_mode;
2393
s2k->hash_algo = S2K_DIGEST_ALGO;
2394
set_next_passphrase( r->u.value );
2395
dek = passphrase_to_dek( NULL, 0, opt.s2k_cipher_algo, s2k, 2,
2397
set_next_passphrase( NULL );
2399
memset( r->u.value, 0, strlen(r->u.value) );
2401
r = xmalloc_clear( sizeof *r );
2402
r->key = pPASSPHRASE_S2K;
2406
r = xmalloc_clear( sizeof *r );
2407
r->key = pPASSPHRASE_DEK;
2413
/* make KEYEXPIRE from Expire-Date */
2414
r = get_parameter( para, pEXPIREDATE );
2415
if( r && *r->u.value )
2419
seconds = parse_expire_string( r->u.value );
2420
if( seconds == (u32)-1 )
2422
log_error("%s:%d: invalid expire date\n", fname, r->lnr );
2425
r->u.expire = seconds;
2426
r->key = pKEYEXPIRE; /* change hat entry */
2427
/* also set it for the subkey */
2428
r = xmalloc_clear( sizeof *r + 20 );
2429
r->key = pSUBKEYEXPIRE;
2430
r->u.expire = seconds;
2435
if( !!outctrl->pub.newfname ^ !!outctrl->sec.newfname ) {
2436
log_error("%s:%d: only one ring name is set\n", fname, outctrl->lnr );
2440
do_generate_keypair( para, outctrl, card );
2035
2445
/****************
2036
2446
* Kludge to allow non interactive key generation controlled
2037
* by a parameter file (which currently is only stdin)
2447
* by a parameter file.
2038
2448
* Note, that string parameters are expected to be in UTF-8
2283
2718
strcpy (r->u.value, "encrypt");
2284
2719
r->next = para;
2287
2722
r = xcalloc (1, sizeof *r + 20 );
2288
2723
r->key = pAUTHKEYTYPE;
2289
2724
sprintf( r->u.value, "%d", algo );
2290
2725
r->next = para;
2728
if (backup_encryption_dir)
2730
r = xcalloc (1, sizeof *r + strlen (backup_encryption_dir) );
2731
r->key = pBACKUPENCDIR;
2732
strcpy (r->u.value, backup_encryption_dir);
2736
#endif /*ENABLE_CARD_SUPPORT*/
2295
algo = ask_algo (0, &use);
2740
algo = ask_algo( 0, &use );
2298
2742
{ /* default: DSA with ElG subkey of the specified size */
2300
r = xcalloc (1, sizeof *r + 20 );
2744
r = xmalloc_clear( sizeof *r + 20 );
2301
2745
r->key = pKEYTYPE;
2302
2746
sprintf( r->u.value, "%d", PUBKEY_ALGO_DSA );
2303
2747
r->next = para;
2305
tty_printf(_("DSA keypair will have 1024 bits.\n"));
2306
r = xcalloc (1, sizeof *r + 20 );
2749
tty_printf(_("DSA keypair will have %u bits.\n"),1024);
2750
r = xmalloc_clear( sizeof *r + 20 );
2307
2751
r->key = pKEYLENGTH;
2308
2752
strcpy( r->u.value, "1024" );
2309
2753
r->next = para;
2311
r = xcalloc (1, sizeof *r + 20 );
2755
r = xmalloc_clear( sizeof *r + 20 );
2312
2756
r->key = pKEYUSAGE;
2313
2757
strcpy( r->u.value, "sign" );
2314
2758
r->next = para;
2317
2761
algo = PUBKEY_ALGO_ELGAMAL_E;
2318
r = xcalloc (1, sizeof *r + 20 );
2762
r = xmalloc_clear( sizeof *r + 20 );
2319
2763
r->key = pSUBKEYTYPE;
2320
2764
sprintf( r->u.value, "%d", algo );
2321
2765
r->next = para;
2323
r = xcalloc (1, sizeof *r + 20 );
2767
r = xmalloc_clear( sizeof *r + 20 );
2324
2768
r->key = pSUBKEYUSAGE;
2325
2769
strcpy( r->u.value, "encrypt" );
2326
2770
r->next = para;
2332
r = xcalloc (1, sizeof *r + 20 );
2775
r = xmalloc_clear( sizeof *r + 20 );
2333
2776
r->key = pKEYTYPE;
2334
2777
sprintf( r->u.value, "%d", algo );
2335
2778
r->next = para;
2340
r = xcalloc (1, sizeof *r + 20 );
2783
r = xmalloc_clear( sizeof *r + 25 );
2341
2784
r->key = pKEYUSAGE;
2342
sprintf( r->u.value, "%s%s",
2785
sprintf( r->u.value, "%s%s%s",
2343
2786
(use & PUBKEY_USAGE_SIG)? "sign ":"",
2344
(use & PUBKEY_USAGE_ENC)? "encrypt ":"" );
2787
(use & PUBKEY_USAGE_ENC)? "encrypt ":"",
2788
(use & PUBKEY_USAGE_AUTH)? "auth":"" );
2345
2789
r->next = para;
2350
2795
nbits = ask_keysize( algo );
2351
r = xcalloc (1, sizeof *r + 20 );
2796
r = xmalloc_clear( sizeof *r + 20 );
2352
2797
r->key = both? pSUBKEYLENGTH : pKEYLENGTH;
2353
2798
sprintf( r->u.value, "%u", nbits);
2354
2799
r->next = para;
2358
expire = ask_expire_interval(0);
2359
r = xcalloc (1, sizeof *r + 20 );
2803
expire = ask_expire_interval(0,NULL);
2804
r = xmalloc_clear( sizeof *r + 20 );
2360
2805
r->key = pKEYEXPIRE;
2361
2806
r->u.expire = expire;
2362
2807
r->next = para;
2364
r = xcalloc (1, sizeof *r + 20 );
2809
r = xmalloc_clear( sizeof *r + 20 );
2365
2810
r->key = pSUBKEYEXPIRE;
2366
2811
r->u.expire = expire;
2367
2812
r->next = para;
2370
2815
uid = ask_user_id(0);
2373
2818
log_error(_("Key generation canceled.\n"));
2374
2819
release_parameter_list( para );
2377
r = xcalloc (1, sizeof *r + strlen(uid) );
2822
r = xmalloc_clear( sizeof *r + strlen(uid) );
2378
2823
r->key = pUSERID;
2379
2824
strcpy( r->u.value, uid );
2380
2825
r->next = para;
2383
dek = card_serialno? NULL : ask_passphrase( &s2k );
2828
dek = card_serialno? NULL : do_ask_passphrase( &s2k );
2386
r = xcalloc (1, sizeof *r );
2831
r = xmalloc_clear( sizeof *r );
2387
2832
r->key = pPASSPHRASE_DEK;
2388
2833
r->u.dek = dek;
2389
2834
r->next = para;
2391
r = xcalloc (1, sizeof *r );
2836
r = xmalloc_clear( sizeof *r );
2392
2837
r->key = pPASSPHRASE_S2K;
2393
2838
r->u.s2k = s2k;
2394
2839
r->next = para;
2398
proc_parameter_file (para, "[internal]", &outctrl, !!card_serialno);
2399
release_parameter_list (para);
2404
print_status_key_created (int letter, PKT_public_key *pk)
2406
byte array[MAX_FINGERPRINT_LEN], *s;
2407
char buf[MAX_FINGERPRINT_LEN*2+30], *p;
2413
fingerprint_from_pk (pk, array, &n);
2415
for (i=0; i < n ; i++, s++, p += 2)
2416
sprintf (p, "%02X", *s);
2418
write_status_text (STATUS_KEY_CREATED, buf);
2424
do_generate_keypair (struct para_data_s *para,
2425
struct output_control_s *outctrl, int card)
2427
KBNODE pub_root = NULL;
2428
KBNODE sec_root = NULL;
2843
proc_parameter_file( para, "[internal]", &outctrl, !!card_serialno);
2844
release_parameter_list( para );
2848
#ifdef ENABLE_CARD_SUPPORT
2849
/* Generate a raw key and return it as a secret key packet. The
2850
function will ask for the passphrase and return a protected as well
2851
as an unprotected copy of a new secret key packet. 0 is returned
2852
on success and the caller must then free the returned values. */
2854
generate_raw_key (int algo, unsigned int nbits, u32 created_at,
2855
PKT_secret_key **r_sk_unprotected,
2856
PKT_secret_key **r_sk_protected)
2860
STRING2KEY *s2k = NULL;
2429
2861
PKT_secret_key *sk = NULL;
2431
struct revocation_key *revkey;
2435
if (outctrl->dryrun)
2437
log_info ("dry-run mode - key generation skipped\n");
2442
if (outctrl->use_files)
2444
if (outctrl->pub.newfname)
2446
iobuf_close (outctrl->pub.stream);
2447
outctrl->pub.stream = NULL;
2448
xfree (outctrl->pub.fname);
2449
outctrl->pub.fname = outctrl->pub.newfname;
2450
outctrl->pub.newfname = NULL;
2452
outctrl->pub.stream = iobuf_create (outctrl->pub.fname);
2453
if (!outctrl->pub.stream)
2455
log_error ("can't create `%s': %s\n", outctrl->pub.fname,
2461
outctrl->pub.afx.what = 1;
2462
iobuf_push_filter (outctrl->pub.stream, armor_filter,
2466
if (outctrl->sec.newfname)
2468
iobuf_close (outctrl->sec.stream);
2469
outctrl->sec.stream = NULL;
2470
xfree (outctrl->sec.fname);
2471
outctrl->sec.fname = outctrl->sec.newfname;
2472
outctrl->sec.newfname = NULL;
2474
outctrl->sec.stream = iobuf_create (outctrl->sec.fname);
2475
if (!outctrl->sec.stream)
2477
log_error ("can't create `%s': %s\n", outctrl->sec.fname,
2483
outctrl->sec.afx.what = 5;
2484
iobuf_push_filter (outctrl->sec.stream, armor_filter,
2488
assert (outctrl->pub.stream);
2489
assert (outctrl->sec.stream);
2492
log_info (_("writing public key to `%s'\n"), outctrl->pub.fname);
2494
log_info (_("writing secret key stub to `%s'\n"),
2495
outctrl->sec.fname);
2497
log_info (_("writing secret key to `%s'\n"), outctrl->sec.fname);
2502
/* We create the packets as a tree of kbnodes. Because the structure
2503
* we create is known in advance we simply generate a linked list.
2504
* The first packet is a dummy comment packet which we flag
2505
* as deleted. The very first packet must always be a KEY packet.
2507
pub_root = make_comment_node ("#");
2508
delete_kbnode (pub_root);
2509
sec_root = make_comment_node ("#");
2510
delete_kbnode (sec_root);
2513
rc = do_create (get_parameter_algo (para, pKEYTYPE),
2514
get_parameter_uint (para, pKEYLENGTH),
2516
get_parameter_dek (para, pPASSPHRASE_DEK),
2517
get_parameter_s2k (para, pPASSPHRASE_S2K),
2518
&sk, get_parameter_u32 (para, pKEYEXPIRE));
2522
rc = gen_card_key (PUBKEY_ALGO_RSA, 1, pub_root, sec_root,
2523
get_parameter_u32 (para, pKEYEXPIRE), para);
2526
sk = sec_root->next->pkt->pkt.secret_key;
2532
if (!rc && (revkey = get_parameter_revkey (para, pREVOKER)))
2534
rc = write_direct_sig (pub_root, pub_root, sk, revkey);
2536
write_direct_sig (sec_root, pub_root, sk, revkey);
2539
if (!rc && (s = get_parameter_value (para, pUSERID)))
2541
write_uid (pub_root, s);
2543
write_uid (sec_root, s);
2545
rc = write_selfsig (pub_root, pub_root, sk,
2546
get_parameter_uint (para, pKEYUSAGE));
2548
rc = write_selfsig (sec_root, pub_root, sk,
2549
get_parameter_uint (para, pKEYUSAGE));
2552
if ((! rc) && get_parameter (para, pSUBKEYTYPE))
2556
rc = do_create (get_parameter_algo (para, pSUBKEYTYPE),
2557
get_parameter_uint (para, pSUBKEYLENGTH),
2559
get_parameter_dek (para, pPASSPHRASE_DEK),
2560
get_parameter_s2k (para, pPASSPHRASE_S2K),
2561
NULL, get_parameter_u32 (para, pSUBKEYEXPIRE));
2565
rc = gen_card_key (PUBKEY_ALGO_RSA, 2, pub_root, sec_root,
2566
get_parameter_u32 (para, pKEYEXPIRE), para);
2570
rc = write_keybinding (pub_root, pub_root, sk,
2571
get_parameter_uint (para, pSUBKEYUSAGE));
2573
rc = write_keybinding (sec_root, pub_root, sk,
2574
get_parameter_uint (para, pSUBKEYUSAGE));
2578
if ((! rc) && card && get_parameter (para, pAUTHKEYTYPE))
2580
rc = gen_card_key (PUBKEY_ALGO_RSA, 3, pub_root, sec_root,
2581
get_parameter_u32 (para, pKEYEXPIRE), para);
2584
rc = write_keybinding (pub_root, pub_root, sk, PUBKEY_USAGE_AUTH);
2586
rc = write_keybinding (sec_root, pub_root, sk, PUBKEY_USAGE_AUTH);
2590
if (!rc && outctrl->use_files)
2591
{ /* direct write to specified files */
2592
rc = write_keyblock (outctrl->pub.stream, pub_root);
2594
log_error ("can't write public key: %s\n", gpg_strerror (rc));
2597
rc = write_keyblock (outctrl->sec.stream, sec_root);
2599
log_error ("can't write secret key: %s\n", gpg_strerror (rc));
2604
{ /* write to the standard keyrings */
2605
KEYDB_HANDLE pub_hd = keydb_new (0);
2606
KEYDB_HANDLE sec_hd = keydb_new (1);
2608
/* FIXME: we may have to create the keyring first */
2609
rc = keydb_locate_writable (pub_hd, NULL);
2611
log_error (_("no writable public keyring found: %s\n"),
2616
rc = keydb_locate_writable (sec_hd, NULL);
2618
log_error (_("no writable secret keyring found: %s\n"),
2622
if (!rc && opt.verbose)
2624
log_info (_("writing public key to `%s'\n"),
2625
keydb_get_resource_name (pub_hd));
2627
log_info (_("writing secret key stub to `%s'\n"),
2628
keydb_get_resource_name (sec_hd));
2630
log_info (_("writing secret key to `%s'\n"),
2631
keydb_get_resource_name (sec_hd));
2636
rc = keydb_insert_keyblock (pub_hd, pub_root);
2638
log_error (_("error writing public keyring `%s': %s\n"),
2639
keydb_get_resource_name (pub_hd), gpg_strerror (rc));
2644
rc = keydb_insert_keyblock (sec_hd, sec_root);
2646
log_error (_("error writing secret keyring `%s': %s\n"),
2647
keydb_get_resource_name (pub_hd), gpg_strerror (rc));
2650
keydb_release (pub_hd);
2651
keydb_release (sec_hd);
2656
get_parameter_algo (para, pKEYTYPE) == PUBKEY_ALGO_RSA
2657
&& get_parameter_uint (para, pKEYUSAGE)
2658
&& !(get_parameter_uint (para, pKEYUSAGE) & PUBKEY_USAGE_ENC);
2659
PKT_public_key *pk = find_kbnode (pub_root,
2660
PKT_PUBLIC_KEY)->pkt->pkt.
2663
update_ownertrust (pk,
2664
((get_ownertrust (pk) & ~TRUST_MASK)
2669
tty_printf (_("public and secret key created and signed.\n"));
2670
tty_printf (_("key marked as ultimately trusted.\n"));
2672
list_keyblock (pub_root, 0, 1, NULL);
2677
&& (get_parameter_algo (para, pKEYTYPE) == PUBKEY_ALGO_DSA
2678
|| no_enc_rsa) && !get_parameter (para, pSUBKEYTYPE))
2680
tty_printf (_("Note that this key cannot be used for "
2681
"encryption. You may want to use\n"
2682
"the command \"--edit-key\" to generate a "
2683
"secondary key for this purpose.\n"));
2686
if (!opt.batch && card)
2689
"Please create a revocation certificate now, so that you are able\n"
2690
"to revoke the key if it ever happens that you lose your card or\n"
2691
"the card gets damaged. Use the command \"--gen-revoke\".\n"
2700
log_error ("key generation failed: %s\n", gpg_strerror (rc));
2702
tty_printf (_("Key generation failed: %s\n"), gpg_strerror (rc));
2706
PKT_public_key *pk = find_kbnode (pub_root,
2707
PKT_PUBLIC_KEY)->pkt->pkt.public_key;
2708
print_status_key_created (did_sub ? 'B' : 'P', pk);
2711
release_kbnode (pub_root);
2712
release_kbnode (sec_root);
2713
if (sk && !card) /* The unprotected secret key unless we have */
2714
free_secret_key (sk); /* a shallow copy in card mode. */
2863
size_t nskey, npkey;
2865
npkey = pubkey_get_npkey (algo);
2866
nskey = pubkey_get_nskey (algo);
2867
assert (nskey <= PUBKEY_MAX_NSKEY && npkey < nskey);
2872
log_info (_("keysize invalid; using %u bits\n"), nbits );
2877
nbits = ((nbits + 31) / 32) * 32;
2878
log_info(_("keysize rounded up to %u bits\n"), nbits );
2881
dek = do_ask_passphrase (&s2k);
2883
sk = xmalloc_clear (sizeof *sk);
2884
sk->timestamp = created_at;
2886
sk->pubkey_algo = algo;
2888
if ( !is_RSA (algo) )
2890
log_error ("only RSA is supported for offline generated keys\n");
2891
rc = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
2894
rc = gcry_sexp_build (&s_parms, NULL,
2895
"(genkey(rsa(nbits %d)))",
2898
log_bug ("gcry_sexp_build failed: %s\n", gpg_strerror (rc));
2899
rc = gcry_pk_genkey (&s_key, s_parms);
2900
gcry_sexp_release (s_parms);
2903
log_error ("gcry_pk_genkey failed: %s\n", gpg_strerror (rc) );
2906
rc = key_from_sexp (sk->skey, s_key, "private-key", "nedpqu");
2907
gcry_sexp_release (s_key);
2910
log_error ("key_from_sexp failed: %s\n", gpg_strerror (rc) );
2914
for (i=npkey; i < nskey; i++)
2915
sk->csum += checksum_mpi (sk->skey[i]);
2917
if (r_sk_unprotected)
2918
*r_sk_unprotected = copy_secret_key (NULL, sk);
2920
rc = genhelp_protect (dek, s2k, sk);
2926
*r_sk_protected = sk;
2932
free_secret_key (sk);
2937
#endif /* ENABLE_CARD_SUPPORT */
2939
/* Create and delete a dummy packet to start off a list of kbnodes. */
2941
start_tree(KBNODE *tree)
2945
pkt=xmalloc_clear(sizeof(*pkt));
2946
pkt->pkttype=PKT_NONE;
2947
*tree=new_kbnode(pkt);
2948
delete_kbnode(*tree);
2952
do_generate_keypair( struct para_data_s *para,
2953
struct output_control_s *outctrl, int card )
2955
KBNODE pub_root = NULL;
2956
KBNODE sec_root = NULL;
2957
PKT_secret_key *pri_sk = NULL, *sub_sk = NULL;
2959
struct revocation_key *revkey;
2963
if( outctrl->dryrun )
2965
log_info("dry-run mode - key generation skipped\n");
2969
if( outctrl->use_files ) {
2970
if( outctrl->pub.newfname ) {
2971
iobuf_close(outctrl->pub.stream);
2972
outctrl->pub.stream = NULL;
2973
if (outctrl->pub.fname)
2974
iobuf_ioctl (NULL, 2, 0, (char*)outctrl->pub.fname);
2975
xfree( outctrl->pub.fname );
2976
outctrl->pub.fname = outctrl->pub.newfname;
2977
outctrl->pub.newfname = NULL;
2979
if (is_secured_filename (outctrl->pub.fname) ) {
2980
outctrl->pub.stream = NULL;
2984
outctrl->pub.stream = iobuf_create( outctrl->pub.fname );
2985
if( !outctrl->pub.stream ) {
2986
log_error(_("can't create `%s': %s\n"), outctrl->pub.newfname,
2991
outctrl->pub.afx.what = 1;
2992
iobuf_push_filter( outctrl->pub.stream, armor_filter,
2993
&outctrl->pub.afx );
2996
if( outctrl->sec.newfname ) {
2999
iobuf_close(outctrl->sec.stream);
3000
outctrl->sec.stream = NULL;
3001
if (outctrl->sec.fname)
3002
iobuf_ioctl (NULL, 2, 0, (char*)outctrl->sec.fname);
3003
xfree( outctrl->sec.fname );
3004
outctrl->sec.fname = outctrl->sec.newfname;
3005
outctrl->sec.newfname = NULL;
3007
oldmask = umask (077);
3008
if (is_secured_filename (outctrl->sec.fname) ) {
3009
outctrl->sec.stream = NULL;
3013
outctrl->sec.stream = iobuf_create( outctrl->sec.fname );
3015
if( !outctrl->sec.stream ) {
3016
log_error(_("can't create `%s': %s\n"), outctrl->sec.newfname,
3021
outctrl->sec.afx.what = 5;
3022
iobuf_push_filter( outctrl->sec.stream, armor_filter,
3023
&outctrl->sec.afx );
3026
assert( outctrl->pub.stream );
3027
assert( outctrl->sec.stream );
3029
log_info(_("writing public key to `%s'\n"), outctrl->pub.fname );
3031
log_info (_("writing secret key stub to `%s'\n"),
3032
outctrl->sec.fname);
3034
log_info(_("writing secret key to `%s'\n"), outctrl->sec.fname );
3039
/* we create the packets as a tree of kbnodes. Because the
3040
* structure we create is known in advance we simply generate a
3041
* linked list. The first packet is a dummy packet which we flag
3042
* as deleted. The very first packet must always be a KEY packet.
3045
start_tree(&pub_root);
3046
start_tree(&sec_root);
3050
rc = do_create( get_parameter_algo( para, pKEYTYPE ),
3051
get_parameter_uint( para, pKEYLENGTH ),
3053
get_parameter_dek( para, pPASSPHRASE_DEK ),
3054
get_parameter_s2k( para, pPASSPHRASE_S2K ),
3056
get_parameter_u32( para, pKEYEXPIRE ), 0 );
3060
rc = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root, sec_root,
3061
get_parameter_u32 (para, pKEYEXPIRE), para);
3064
pri_sk = sec_root->next->pkt->pkt.secret_key;
3069
if(!rc && (revkey=get_parameter_revkey(para,pREVOKER)))
3071
rc=write_direct_sig(pub_root,pub_root,pri_sk,revkey);
3073
write_direct_sig(sec_root,pub_root,pri_sk,revkey);
3076
if( !rc && (s=get_parameter_value(para, pUSERID)) )
3078
write_uid(pub_root, s );
3080
write_uid(sec_root, s );
3083
rc = write_selfsigs(sec_root, pub_root, pri_sk,
3084
get_parameter_uint (para, pKEYUSAGE));
3087
/* Write the auth key to the card before the encryption key. This
3088
is a partial workaround for a PGP bug (as of this writing, all
3089
versions including 8.1), that causes it to try and encrypt to
3090
the most recent subkey regardless of whether that subkey is
3091
actually an encryption type. In this case, the auth key is an
3092
RSA key so it succeeds. */
3094
if (!rc && card && get_parameter (para, pAUTHKEYTYPE))
3096
rc = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root,
3097
get_parameter_u32 (para, pKEYEXPIRE), para);
3100
rc = write_keybinding (pub_root, pub_root, pri_sk, sub_sk, PUBKEY_USAGE_AUTH);
3102
rc = write_keybinding (sec_root, pub_root, pri_sk, sub_sk, PUBKEY_USAGE_AUTH);
3105
if( !rc && get_parameter( para, pSUBKEYTYPE ) )
3109
rc = do_create( get_parameter_algo( para, pSUBKEYTYPE ),
3110
get_parameter_uint( para, pSUBKEYLENGTH ),
3112
get_parameter_dek( para, pPASSPHRASE_DEK ),
3113
get_parameter_s2k( para, pPASSPHRASE_S2K ),
3115
get_parameter_u32( para, pSUBKEYEXPIRE ), 1 );
3119
if ((s = get_parameter_value (para, pBACKUPENCDIR)))
3121
/* A backup of the encryption key has been requested.
3122
Generate the key i software and import it then to
3123
the card. Write a backup file. */
3124
rc = gen_card_key_with_backup (PUBKEY_ALGO_RSA, 2, 0,
3126
get_parameter_u32 (para,
3131
rc = gen_card_key (PUBKEY_ALGO_RSA, 2, 0, pub_root, sec_root,
3132
get_parameter_u32 (para, pKEYEXPIRE), para);
3136
rc = write_keybinding(pub_root, pub_root, pri_sk, sub_sk,
3137
get_parameter_uint (para, pSUBKEYUSAGE));
3139
rc = write_keybinding(sec_root, pub_root, pri_sk, sub_sk,
3140
get_parameter_uint (para, pSUBKEYUSAGE));
3144
if( !rc && outctrl->use_files ) { /* direct write to specified files */
3145
rc = write_keyblock( outctrl->pub.stream, pub_root );
3147
log_error("can't write public key: %s\n", g10_errstr(rc) );
3149
rc = write_keyblock( outctrl->sec.stream, sec_root );
3151
log_error("can't write secret key: %s\n", g10_errstr(rc) );
3155
else if( !rc ) { /* write to the standard keyrings */
3156
KEYDB_HANDLE pub_hd = keydb_new (0);
3157
KEYDB_HANDLE sec_hd = keydb_new (1);
3159
/* FIXME: we may have to create the keyring first */
3160
rc = keydb_locate_writable (pub_hd, NULL);
3162
log_error (_("no writable public keyring found: %s\n"),
3166
rc = keydb_locate_writable (sec_hd, NULL);
3168
log_error (_("no writable secret keyring found: %s\n"),
3172
if (!rc && opt.verbose) {
3173
log_info(_("writing public key to `%s'\n"),
3174
keydb_get_resource_name (pub_hd));
3176
log_info (_("writing secret key stub to `%s'\n"),
3177
keydb_get_resource_name (sec_hd));
3179
log_info(_("writing secret key to `%s'\n"),
3180
keydb_get_resource_name (sec_hd));
3184
rc = keydb_insert_keyblock (pub_hd, pub_root);
3186
log_error (_("error writing public keyring `%s': %s\n"),
3187
keydb_get_resource_name (pub_hd), g10_errstr(rc));
3191
rc = keydb_insert_keyblock (sec_hd, sec_root);
3193
log_error (_("error writing secret keyring `%s': %s\n"),
3194
keydb_get_resource_name (pub_hd), g10_errstr(rc));
3197
keydb_release (pub_hd);
3198
keydb_release (sec_hd);
3202
get_parameter_algo(para, pKEYTYPE) == PUBKEY_ALGO_RSA
3203
&& get_parameter_uint( para, pKEYUSAGE )
3204
&& !(get_parameter_uint( para,pKEYUSAGE) & PUBKEY_USAGE_ENC);
3205
PKT_public_key *pk = find_kbnode (pub_root,
3206
PKT_PUBLIC_KEY)->pkt->pkt.public_key;
3208
keyid_from_pk(pk,pk->main_keyid);
3209
register_trusted_keyid(pk->main_keyid);
3211
update_ownertrust (pk,
3212
((get_ownertrust (pk) & ~TRUST_MASK)
3213
| TRUST_ULTIMATE ));
3216
tty_printf(_("public and secret key created and signed.\n") );
3218
list_keyblock(pub_root,0,1,NULL);
3223
&& ( get_parameter_algo( para, pKEYTYPE ) == PUBKEY_ALGO_DSA
3225
&& !get_parameter( para, pSUBKEYTYPE ) )
3227
tty_printf(_("Note that this key cannot be used for "
3228
"encryption. You may want to use\n"
3229
"the command \"--edit-key\" to generate a "
3230
"subkey for this purpose.\n") );
3237
log_error("key generation failed: %s\n", g10_errstr(rc) );
3239
tty_printf(_("Key generation failed: %s\n"), g10_errstr(rc) );
3240
print_status_key_not_created ( get_parameter_value (para, pHANDLE) );
3243
PKT_public_key *pk = find_kbnode (pub_root,
3244
PKT_PUBLIC_KEY)->pkt->pkt.public_key;
3245
print_status_key_created (did_sub? 'B':'P', pk,
3246
get_parameter_value (para, pHANDLE));
3248
release_kbnode( pub_root );
3249
release_kbnode( sec_root );
3251
if( pri_sk && !card) /* the unprotected secret key unless we have a */
3252
free_secret_key(pri_sk); /* shallow copy in card mode. */
3254
free_secret_key(sub_sk);
2902
3582
pkt = xcalloc (1,sizeof *pkt);
2903
pkt->pkttype = keyno == 1 ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY;
2904
pkt->pkt.public_key = pk;
2905
add_kbnode(pub_root, new_kbnode( pkt ));
2907
pkt = xcalloc (1,sizeof *pkt);
2908
pkt->pkttype = keyno == 1 ? PKT_SECRET_KEY : PKT_SECRET_SUBKEY;
2909
pkt->pkt.secret_key = sk;
2910
add_kbnode(sec_root, new_kbnode( pkt ));
3583
pkt->pkttype = is_primary ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY;
3584
pkt->pkt.public_key = pk;
3585
add_kbnode(pub_root, new_kbnode( pkt ));
3587
pkt = xcalloc (1,sizeof *pkt);
3588
pkt->pkttype = is_primary ? PKT_SECRET_KEY : PKT_SECRET_SUBKEY;
3589
pkt->pkt.secret_key = sk;
3590
add_kbnode(sec_root, new_kbnode( pkt ));
3595
#endif /*!ENABLE_CARD_SUPPORT*/
3601
gen_card_key_with_backup (int algo, int keyno, int is_primary,
3602
KBNODE pub_root, KBNODE sec_root,
3603
u32 expireval, struct para_data_s *para,
3604
const char *backup_dir)
3606
#ifdef ENABLE_CARD_SUPPORT
3610
PKT_secret_key *sk, *sk_unprotected, *sk_protected;
3615
rc = generate_raw_key (algo, 1024, make_timestamp (),
3616
&sk_unprotected, &sk_protected);
3620
/* First, store the key to the card. */
3621
rc = save_unprotected_key_to_card (sk_unprotected, keyno);
3624
log_error (_("storing key onto card failed: %s\n"), g10_errstr (rc));
3625
free_secret_key (sk_unprotected);
3626
free_secret_key (sk_protected);
3630
/* Get rid of the secret key parameters and store the serial numer. */
3631
sk = sk_unprotected;
3632
n = pubkey_get_nskey (sk->pubkey_algo);
3633
for (i=pubkey_get_npkey (sk->pubkey_algo); i < n; i++)
3635
mpi_free (sk->skey[i]);
3638
i = pubkey_get_npkey (sk->pubkey_algo);
3639
sk->skey[i] = mpi_set_opaque (NULL, xstrdup ("dummydata"), 10);
3640
sk->is_protected = 1;
3641
sk->protect.s2k.mode = 1002;
3642
s = get_parameter_value (para, pSERIALNO);
3644
for (sk->protect.ivlen=0; sk->protect.ivlen < 16 && *s && s[1];
3645
sk->protect.ivlen++, s += 2)
3646
sk->protect.iv[sk->protect.ivlen] = xtoi_2 (s);
3648
/* Now write the *protected* secret key to the file. */
3650
char name_buffer[50];
3655
keyid_from_sk (sk, NULL);
3656
sprintf (name_buffer,"sk_%08lX%08lX.gpg",
3657
(ulong)sk->keyid[0], (ulong)sk->keyid[1]);
3659
fname = make_filename (backup_dir, name_buffer, NULL);
3660
oldmask = umask (077);
3661
if (is_secured_filename (fname))
3667
fp = iobuf_create (fname);
3671
log_error (_("can't create backup file `%s': %s\n"),
3672
fname, strerror(errno) );
3674
free_secret_key (sk_unprotected);
3675
free_secret_key (sk_protected);
3676
return G10ERR_OPEN_FILE;
3679
pkt = xcalloc (1, sizeof *pkt);
3680
pkt->pkttype = PKT_SECRET_KEY;
3681
pkt->pkt.secret_key = sk_protected;
3682
sk_protected = NULL;
3684
rc = build_packet (fp, pkt);
3687
log_error("build packet failed: %s\n", g10_errstr(rc) );
3692
byte array[MAX_FINGERPRINT_LEN];
3696
iobuf_ioctl (NULL, 2, 0, (char*)fname);
3697
log_info (_("NOTE: backup of card key saved to `%s'\n"), fname);
3699
fingerprint_from_sk (sk, array, &n);
3700
p = fprbuf = xmalloc (MAX_FINGERPRINT_LEN*2 + 1 + 1);
3701
for (i=0; i < n ; i++, p += 2)
3702
sprintf (p, "%02X", array[i]);
3706
write_status_text_and_buffer (STATUS_BACKUP_KEY_CREATED,
3708
fname, strlen (fname),
3717
free_secret_key (sk_unprotected);
3722
/* Create the public key from the secret key. */
3723
pk = xcalloc (1, sizeof *pk );
3724
pk->timestamp = sk->timestamp;
3725
pk->version = sk->version;
3727
pk->expiredate = sk->expiredate = sk->timestamp + expireval;
3728
pk->pubkey_algo = sk->pubkey_algo;
3729
n = pubkey_get_npkey (sk->pubkey_algo);
3730
for (i=0; i < n; i++)
3731
pk->pkey[i] = mpi_copy (sk->skey[i]);
3733
/* Build packets and add them to the node lists. */
3734
pkt = xcalloc (1,sizeof *pkt);
3735
pkt->pkttype = is_primary ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY;
3736
pkt->pkt.public_key = pk;
3737
add_kbnode(pub_root, new_kbnode( pkt ));
3739
pkt = xcalloc (1,sizeof *pkt);
3740
pkt->pkttype = is_primary ? PKT_SECRET_KEY : PKT_SECRET_SUBKEY;
3741
pkt->pkt.secret_key = sk;
3742
add_kbnode(sec_root, new_kbnode( pkt ));
3747
#endif /*!ENABLE_CARD_SUPPORT*/
3751
#ifdef ENABLE_CARD_SUPPORT
3753
save_unprotected_key_to_card (PKT_secret_key *sk, int keyno)
3756
unsigned char *rsa_n = NULL;
3757
unsigned char *rsa_e = NULL;
3758
unsigned char *rsa_p = NULL;
3759
unsigned char *rsa_q = NULL;
3760
unsigned int rsa_n_len, rsa_e_len, rsa_p_len, rsa_q_len;
3761
unsigned char *sexp = NULL;
3763
char numbuf[55], numbuf2[50];
3765
assert (is_RSA (sk->pubkey_algo));
3766
assert (!sk->is_protected);
3768
/* Copy the parameters into straight buffers. */
3769
rsa_n = mpi_get_secure_buffer (sk->skey[0], &rsa_n_len, NULL);
3770
rsa_e = mpi_get_secure_buffer (sk->skey[1], &rsa_e_len, NULL);
3771
rsa_p = mpi_get_secure_buffer (sk->skey[3], &rsa_p_len, NULL);
3772
rsa_q = mpi_get_secure_buffer (sk->skey[4], &rsa_q_len, NULL);
3773
if (!rsa_n || !rsa_e || !rsa_p || !rsa_q)
3775
rc = G10ERR_INV_ARG;
3779
/* Put the key into an S-expression. */
3780
sexp = p = xmalloc_secure (30
3781
+ rsa_n_len + rsa_e_len + rsa_p_len + rsa_q_len
3782
+ 4*sizeof (numbuf) + 25 + sizeof(numbuf) + 20);
3784
p = stpcpy (p,"(11:private-key(3:rsa(1:n");
3785
sprintf (numbuf, "%u:", rsa_n_len);
3786
p = stpcpy (p, numbuf);
3787
memcpy (p, rsa_n, rsa_n_len);
3790
sprintf (numbuf, ")(1:e%u:", rsa_e_len);
3791
p = stpcpy (p, numbuf);
3792
memcpy (p, rsa_e, rsa_e_len);
3795
sprintf (numbuf, ")(1:p%u:", rsa_p_len);
3796
p = stpcpy (p, numbuf);
3797
memcpy (p, rsa_p, rsa_p_len);
3800
sprintf (numbuf, ")(1:q%u:", rsa_q_len);
3801
p = stpcpy (p, numbuf);
3802
memcpy (p, rsa_q, rsa_q_len);
3805
p = stpcpy (p,"))(10:created-at");
3806
sprintf (numbuf2, "%lu", (unsigned long)sk->timestamp);
3807
sprintf (numbuf, "%lu:", (unsigned long)strlen (numbuf2));
3808
p = stpcpy (stpcpy (stpcpy (p, numbuf), numbuf2), "))");
3810
/* Fixme: Unfortunately we don't have the serialnumber available -
3811
thus we can't pass it down to the agent. */
3812
rc = agent_scd_writekey (keyno, NULL, sexp, p - sexp);
3822
#endif /*ENABLE_CARD_SUPPORT*/