1
1
/* certreqgen.c - Generate a key and a certification request
2
* Copyright (C) 2002, 2003, 2005 Free Software Foundation, Inc.
2
* Copyright (C) 2002, 2003, 2005, 2007 Free Software Foundation, Inc.
4
4
* This file is part of GnuPG.
6
6
* GnuPG is free software; you can redistribute it and/or modify
7
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
8
* the Free Software Foundation; either version 3 of the License, or
9
9
* (at your option) any later version.
11
11
* GnuPG is distributed in the hope that it will be useful,
450
451
ksba_sexp_t public;
453
/* check that we have all required parameters */
453
size_t erroff, errlen;
454
char *cardkeyid = NULL;
456
/* Check that we have all required parameters; */
454
457
assert (get_parameter (para, pKEYTYPE, 0));
456
/* We can only use RSA for now. There is a with pkcs-10 on how to
457
use ElGamal because it is expected that a PK algorithm can always
458
be used for signing. */
459
/* We can only use RSA for now. There is a problem with pkcs-10 on
460
how to use ElGamal because it is expected that a PK algorithm can
461
always be used for signing. Another problem is that on-card
462
generated encryption keys may not be used for signing. */
459
463
i = get_parameter_algo (para, pKEYTYPE);
460
if (i < 1 || i != GCRY_PK_RSA )
464
if (!i && (s = get_parameter_value (para, pKEYTYPE, 0)) && *s)
466
/* Hack to allow creation of certificates directly from a smart
467
card. For example: "Key-Type: card:OPENPGP.3". */
468
if (!strncmp (s, "card:", 5) && s[5])
469
cardkeyid = xtrystrdup (s+5);
471
if ( (i < 1 || i != GCRY_PK_RSA) && !cardkeyid )
462
473
r = get_parameter (para, pKEYTYPE, 0);
463
474
log_error (_("line %d: invalid algorithm\n"), r->lnr);
464
475
return gpg_error (GPG_ERR_INV_PARAMETER);
467
/* check the keylength */
478
/* Check the keylength. */
468
479
if (!get_parameter (para, pKEYLENGTH, 0))
471
482
nbits = get_parameter_uint (para, pKEYLENGTH);
472
if (nbits < 1024 || nbits > 4096)
483
if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
474
485
/* The BSI specs dated 2002-11-25 don't allow lengths below 1024. */
475
486
r = get_parameter (para, pKEYLENGTH, 0);
476
487
log_error (_("line %d: invalid key length %u (valid are %d to %d)\n"),
477
488
r->lnr, nbits, 1024, 4096);
478
490
return gpg_error (GPG_ERR_INV_PARAMETER);
481
/* check the usage */
493
/* Check the usage. */
482
494
if (parse_parameter_usage (para, pKEYUSAGE))
483
return gpg_error (GPG_ERR_INV_PARAMETER);
497
return gpg_error (GPG_ERR_INV_PARAMETER);
485
/* check that there is a subject name and that this DN fits our
500
/* Check that there is a subject name and that this DN fits our
487
502
if (!(s=get_parameter_value (para, pNAMEDN, 0)))
489
r = get_parameter (para, pKEYTYPE, 0);
504
r = get_parameter (para, pNAMEDN, 0);
490
505
log_error (_("line %d: no subject name given\n"), r->lnr);
491
return gpg_error (GPG_ERR_INV_PARAMETER);
495
/* check that the optional email address is okay */
507
return gpg_error (GPG_ERR_INV_PARAMETER);
509
err = ksba_dn_teststr (s, 0, &erroff, &errlen);
512
r = get_parameter (para, pNAMEDN, 0);
513
if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
514
log_error (_("line %d: invalid subject name label `%.*s'\n"),
515
r->lnr, (int)errlen, s+erroff);
517
log_error (_("line %d: invalid subject name `%s' at pos %d\n"),
518
r->lnr, s, (int)erroff);
521
return gpg_error (GPG_ERR_INV_PARAMETER);
524
/* Check that the optional email address is okay. */
496
525
for (seq=0; (s=get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
498
527
if (has_invalid_email_chars (s)
504
533
r = get_parameter (para, pNAMEEMAIL, seq);
505
534
log_error (_("line %d: not a valid email address\n"), r->lnr);
506
536
return gpg_error (GPG_ERR_INV_PARAMETER);
510
s = get_parameter_value (para, pKEYGRIP, 0);
511
if (s) /* Use existing key. */
513
rc = gpgsm_agent_readkey (ctrl, s, &public);
540
if (cardkeyid) /* Take the key from the current smart card. */
542
rc = gpgsm_agent_readkey (ctrl, 1, cardkeyid, &public);
545
r = get_parameter (para, pKEYTYPE, 0);
546
log_error (_("line %d: error reading key `%s' from card: %s\n"),
547
r->lnr, cardkeyid, gpg_strerror (rc));
552
else if ((s=get_parameter_value (para, pKEYGRIP, 0))) /* Use existing key.*/
554
rc = gpgsm_agent_readkey (ctrl, 0, s, &public);
516
557
r = get_parameter (para, pKEYTYPE, 0);
517
558
log_error (_("line %d: error getting key by keygrip `%s': %s\n"),
518
559
r->lnr, s, gpg_strerror (rc));
531
573
r = get_parameter (para, pKEYTYPE, 0);
532
log_error (_("line %d: key generation failed: %s\n"),
533
r->lnr, gpg_strerror (rc));
574
log_error (_("line %d: key generation failed: %s <%s>\n"),
575
r->lnr, gpg_strerror (rc), gpg_strsource (rc));
538
rc = create_request (ctrl, para, public, outctrl);
581
rc = create_request (ctrl, para, cardkeyid, public, outctrl);
545
589
/* Parameters are checked, the key pair has been created. Now
546
590
generate the request and write it out */
548
create_request (ctrl_t ctrl,
549
struct para_data_s *para, ksba_const_sexp_t public,
592
create_request (ctrl_t ctrl,
593
struct para_data_s *para,
594
const char *carddirect,
595
ksba_const_sexp_t public,
550
596
struct reqgen_ctrl_s *outctrl)
552
598
ksba_certreq_t cr;
742
788
gcry_sexp_release (s_pkey);
743
for (n=0; n < 20; n++)
744
sprintf (hexgrip+n*2, "%02X", grip[n]);
789
bin2hex (grip, 20, hexgrip);
746
rc = gpgsm_agent_pksign (ctrl, hexgrip, NULL,
747
gcry_md_read(md, GCRY_MD_SHA1),
748
gcry_md_get_algo_dlen (GCRY_MD_SHA1),
792
rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
793
gcry_md_read(md, GCRY_MD_SHA1),
794
gcry_md_get_algo_dlen (GCRY_MD_SHA1),
798
rc = gpgsm_agent_pksign (ctrl, hexgrip, NULL,
799
gcry_md_read(md, GCRY_MD_SHA1),
800
gcry_md_get_algo_dlen (GCRY_MD_SHA1),
753
805
log_error ("signing failed: %s\n", gpg_strerror (rc));
779
/* Create a new key by reading the parameters from in_fd. Multiple
831
/* Create a new key by reading the parameters from IN_FP. Multiple
780
832
keys may be created */
782
gpgsm_genkey (ctrl_t ctrl, int in_fd, FILE *out_fp)
834
gpgsm_genkey (ctrl_t ctrl, estream_t in_stream, FILE *out_fp)
786
837
Base64Context b64writer = NULL;
787
838
ksba_writer_t writer;
789
in_fp = fdopen (dup (in_fd), "rb");
792
gpg_error_t tmperr = gpg_error (gpg_err_code_from_errno (errno));
793
log_error ("fdopen() failed: %s\n", strerror (errno));
797
840
ctrl->pem_name = "CERTIFICATE REQUEST";
798
rc = gpgsm_create_writer (&b64writer, ctrl, out_fp, &writer);
841
rc = gpgsm_create_writer (&b64writer, ctrl, out_fp, NULL, &writer);
801
844
log_error ("can't create writer: %s\n", gpg_strerror (rc));
805
rc = read_parameters (ctrl, in_fp, writer);
848
rc = read_parameters (ctrl, in_stream, writer);
808
log_error ("error creating certificate request: %s\n",
851
log_error ("error creating certificate request: %s <%s>\n",
852
gpg_strerror (rc), gpg_strsource (rc));