1 /* pksign.c - public key signing (well, actually using a secret key)
2 * Copyright (C) 2001-2004, 2010 Free Software Foundation, Inc.
3 * Copyright (C) 2001-2004, 2010, 2013 Werner Koch
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
36 do_encode_md (const byte * md, size_t mdlen, int algo, gcry_sexp_t * r_hash,
48 s = gcry_md_algo_name (algo);
49 if (s && strlen (s) < 16)
51 for (i=0; i < strlen (s); i++)
52 tmp[i] = tolower (s[i]);
56 rc = gcry_sexp_build (&hash, NULL,
57 "(data (flags pkcs1) (hash %s %b))",
64 rc = gcry_mpi_scan (&mpi, GCRYMPI_FMT_USG, md, mdlen, NULL);
67 rc = gcry_sexp_build (&hash, NULL,
68 "(data (flags raw) (value %m))",
70 gcry_mpi_release (mpi);
82 /* Return the number of bits of the Q parameter from the DSA key
85 get_dsa_qbits (gcry_sexp_t key)
91 l1 = gcry_sexp_find_token (key, "private-key", 0);
93 l1 = gcry_sexp_find_token (key, "protected-private-key", 0);
95 l1 = gcry_sexp_find_token (key, "shadowed-private-key", 0);
97 l1 = gcry_sexp_find_token (key, "public-key", 0);
99 return 0; /* Does not contain a key object. */
100 l2 = gcry_sexp_cadr (l1);
101 gcry_sexp_release (l1);
102 l1 = gcry_sexp_find_token (l2, "q", 1);
103 gcry_sexp_release (l2);
105 return 0; /* Invalid object. */
106 q = gcry_sexp_nth_mpi (l1, 1, GCRYMPI_FMT_USG);
107 gcry_sexp_release (l1);
109 return 0; /* Missing value. */
110 nbits = gcry_mpi_get_nbits (q);
111 gcry_mpi_release (q);
117 /* Return an appropriate hash algorithm to be used with RFC-6979 for a
118 message digest of length MDLEN. Although a fallback of SHA-256 is
119 used the current implementation in Libgcrypt will reject a hash
120 algorithm which does not match the length of the message. */
122 rfc6979_hash_algo_string (size_t mdlen)
126 case 20: return "sha1";
127 case 28: return "sha224";
128 case 32: return "sha256";
129 case 48: return "sha384";
130 case 64: return "sha512";
131 default: return "sha256";
136 /* Encode a message digest for use with the EdDSA algorithm
137 (i.e. curve Ed25519). */
139 do_encode_eddsa (const byte *md, size_t mdlen, gcry_sexp_t *r_hash)
145 err = gcry_sexp_build (&hash, NULL,
146 "(data(flags eddsa)(hash-algo sha512)(value %b))",
154 /* Encode a message digest for use with an DSA algorithm. */
156 do_encode_dsa (const byte *md, size_t mdlen, int pkalgo, gcry_sexp_t pkey,
165 if (pkalgo == GCRY_PK_ECDSA)
166 qbits = gcry_pk_get_nbits (pkey);
167 else if (pkalgo == GCRY_PK_DSA)
168 qbits = get_dsa_qbits (pkey);
170 return gpg_error (GPG_ERR_WRONG_PUBKEY_ALGO);
172 if (pkalgo == GCRY_PK_DSA && (qbits%8))
174 /* FIXME: We check the QBITS but print a message about the hash
176 log_error (_("DSA requires the hash length to be a"
177 " multiple of 8 bits\n"));
178 return gpg_error (GPG_ERR_INV_LENGTH);
181 /* Don't allow any Q smaller than 160 bits. We don't want someone
182 to issue signatures from a key with a 16-bit Q or something like
183 that, which would look correct but allow trivial forgeries. Yes,
184 I know this rules out using MD5 with DSA. ;) */
187 log_error (_("%s key uses an unsafe (%u bit) hash\n"),
188 gcry_pk_algo_name (pkalgo), qbits);
189 return gpg_error (GPG_ERR_INV_LENGTH);
192 /* ECDSA 521 is special has it is larger than the largest hash
193 we have (SHA-512). Thus we chnage the size for further
194 processing to 512. */
195 if (pkalgo == GCRY_PK_ECDSA && qbits > 512)
198 /* Check if we're too short. Too long is safe as we'll
199 automatically left-truncate. */
202 log_error (_("a %zu bit hash is not valid for a %u bit %s key\n"),
204 gcry_pk_get_nbits (pkey),
205 gcry_pk_algo_name (pkalgo));
206 return gpg_error (GPG_ERR_INV_LENGTH);
213 /* Create the S-expression. */
214 err = gcry_sexp_build (&hash, NULL,
215 "(data (flags rfc6979) (hash %s %b))",
216 rfc6979_hash_algo_string (mdlen),
224 /* Special version of do_encode_md to take care of pkcs#1 padding.
225 For TLS-MD5SHA1 we need to do the padding ourself as Libgrypt does
226 not know about this special scheme. Fixme: We should have a
227 pkcs1-only-padding flag for Libgcrypt. */
229 do_encode_raw_pkcs1 (const byte *md, size_t mdlen, unsigned int nbits,
234 unsigned char *frame;
237 nframe = (nbits+7) / 8;
238 if ( !mdlen || mdlen + 8 + 4 > nframe )
240 /* Can't encode this hash into a frame of size NFRAME. */
241 return gpg_error (GPG_ERR_TOO_SHORT);
244 frame = xtrymalloc (nframe);
246 return gpg_error_from_syserror ();
248 /* Assemble the pkcs#1 block type 1. */
251 frame[n++] = 1; /* Block type. */
252 i = nframe - mdlen - 3 ;
253 assert (i >= 8); /* At least 8 bytes of padding. */
254 memset (frame+n, 0xff, i );
257 memcpy (frame+n, md, mdlen );
259 assert (n == nframe);
261 /* Create the S-expression. */
262 rc = gcry_sexp_build (&hash, NULL,
263 "(data (flags raw) (value %b))",
273 /* SIGN whatever information we have accumulated in CTRL and return
274 the signature S-expression. LOOKUP is an optional function to
275 provide a way for lower layers to ask for the caching TTL. If a
276 CACHE_NONCE is given that cache item is first tried to get a
277 passphrase. If OVERRIDEDATA is not NULL, OVERRIDEDATALEN bytes
278 from this buffer are used instead of the data in CTRL. The
279 override feature is required to allow the use of Ed25519 with ssh
280 because Ed25519 does the hashing itself. */
282 agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
283 const char *desc_text,
284 gcry_sexp_t *signature_sexp,
285 cache_mode_t cache_mode, lookup_ttl_t lookup_ttl,
286 const void *overridedata, size_t overridedatalen)
288 gcry_sexp_t s_skey = NULL, s_sig = NULL;
289 gcry_sexp_t s_hash = NULL;
290 gcry_sexp_t s_pkey = NULL;
291 unsigned char *shadow_info = NULL;
292 unsigned int rc = 0; /* FIXME: gpg-error? */
293 const unsigned char *data;
295 int check_signature = 0;
300 datalen = overridedatalen;
304 data = ctrl->digest.value;
305 datalen = ctrl->digest.valuelen;
308 if (!ctrl->have_keygrip)
309 return gpg_error (GPG_ERR_NO_SECKEY);
311 rc = agent_key_from_file (ctrl, cache_nonce, desc_text, ctrl->keygrip,
312 &shadow_info, cache_mode, lookup_ttl,
316 if (gpg_err_code (rc) != GPG_ERR_NO_SECKEY)
317 log_error ("failed to read the secret key\n");
323 /* Divert operation to the smartcard */
325 unsigned char *buf = NULL;
331 rc = agent_public_key_from_file (ctrl, ctrl->keygrip, &s_pkey);
334 log_error ("failed to read the public key\n");
338 if (agent_is_eddsa_key (s_skey))
342 key_type = agent_is_dsa_key (s_skey);
345 else if (key_type == GCRY_PK_ECDSA)
349 rc = divert_pksign (ctrl,
352 shadow_info, &buf, &len);
355 log_error ("smartcard signing failed: %s\n", gpg_strerror (rc));
365 buf = xtryrealloc (buf, len);
369 memmove (buf + 1, buf, len - 1);
373 rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%b)))",
378 rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(eddsa(r%b)(s%b)))",
379 (int)len/2, buf, (int)len/2, buf + len/2);
383 unsigned char *r_buf_allocated = NULL;
384 unsigned char *s_buf_allocated = NULL;
385 unsigned char *r_buf, *s_buf;
386 int r_buflen, s_buflen;
388 r_buflen = s_buflen = len/2;
393 r_buf_allocated = xtrymalloc (r_buflen);
394 if (!r_buf_allocated)
397 r_buf = r_buf_allocated;
398 memcpy (r_buf + 1, buf, len/2);
404 if (*(buf + len/2) & 0x80)
407 s_buf_allocated = xtrymalloc (s_buflen);
408 if (!s_buf_allocated)
410 xfree (r_buf_allocated);
414 s_buf = s_buf_allocated;
415 memcpy (s_buf + 1, buf + len/2, len/2);
421 rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(ecdsa(r%b)(s%b)))",
424 xfree (r_buf_allocated);
425 xfree (s_buf_allocated);
428 rc = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
433 log_error ("failed to convert sigbuf returned by divert_pksign "
434 "into S-Exp: %s", gpg_strerror (rc));
440 /* No smartcard, but a private key */
443 /* Put the hash into a sexp */
444 if (agent_is_eddsa_key (s_skey))
445 rc = do_encode_eddsa (data, datalen,
447 else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
448 rc = do_encode_raw_pkcs1 (data, datalen,
449 gcry_pk_get_nbits (s_skey),
451 else if ( (dsaalgo = agent_is_dsa_key (s_skey)) )
452 rc = do_encode_dsa (data, datalen,
456 rc = do_encode_md (data, datalen,
459 ctrl->digest.raw_value);
463 if (dsaalgo == 0 && GCRYPT_VERSION_NUMBER < 0x010700)
464 /* It's RSA and Libgcrypt < 1.7 */
469 gcry_log_debugsxp ("skey", s_skey);
470 gcry_log_debugsxp ("hash", s_hash);
474 rc = gcry_pk_sign (&s_sig, s_hash, s_skey);
477 log_error ("signing failed: %s\n", gpg_strerror (rc));
482 gcry_log_debugsxp ("rslt", s_sig);
485 /* Check that the signature verification worked and nothing is
486 * fooling us e.g. by a bug in the signature create code or by
487 * deliberately introduced faults. Because Libgcrypt 1.7 does this
488 * for RSA internally there is no need to do it here again. */
491 gcry_sexp_t sexp_key = s_pkey? s_pkey: s_skey;
495 if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
496 rc = do_encode_raw_pkcs1 (data, datalen,
497 gcry_pk_get_nbits (sexp_key), &s_hash);
499 rc = do_encode_md (data, datalen, ctrl->digest.algo, &s_hash,
500 ctrl->digest.raw_value);
504 rc = gcry_pk_verify (s_sig, s_hash, sexp_key);
508 log_error (_("checking created signature failed: %s\n"),
510 gcry_sexp_release (s_sig);
517 *signature_sexp = s_sig;
519 gcry_sexp_release (s_pkey);
520 gcry_sexp_release (s_skey);
521 gcry_sexp_release (s_hash);
527 /* SIGN whatever information we have accumulated in CTRL and write it
528 back to OUTFP. If a CACHE_NONCE is given that cache item is first
529 tried to get a passphrase. */
531 agent_pksign (ctrl_t ctrl, const char *cache_nonce, const char *desc_text,
532 membuf_t *outbuf, cache_mode_t cache_mode)
534 gcry_sexp_t s_sig = NULL;
539 rc = agent_pksign_do (ctrl, cache_nonce, desc_text, &s_sig, cache_mode, NULL,
544 len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, NULL, 0);
547 len = gcry_sexp_sprint (s_sig, GCRYSEXP_FMT_CANON, buf, len);
550 put_membuf (outbuf, buf, len);
553 gcry_sexp_release (s_sig);