1 /* keybox-openpgp.c - OpenPGP key parsing
2 * Copyright (C) 2001, 2003, 2011 Free Software Foundation, Inc.
4 * This file is part of GnuPG.
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <https://www.gnu.org/licenses/>.
20 /* This is a simple OpenPGP parser suitable for all OpenPGP key
21 material. It just provides the functionality required to build and
22 parse an KBX OpenPGP key blob. Thus it is not a complete parser.
23 However it is self-contained and optimized for fast in-memory
24 parsing. Note that we don't support old ElGamal v3 keys
34 #include "keybox-defs.h"
38 #include "../common/openpgpdefs.h"
41 /* Assume a valid OpenPGP packet at the address pointed to by BUFBTR
42 which has a maximum length as stored at BUFLEN. Return the header
43 information of that packet and advance the pointer stored at BUFPTR
44 to the next packet; also adjust the length stored at BUFLEN to
45 match the remaining bytes. If there are no more packets, store NULL
46 at BUFPTR. Return an non-zero error code on failure or the
47 following data on success:
49 R_DATAPKT = Pointer to the begin of the packet data.
50 R_DATALEN = Length of this data. This has already been checked to fit
52 R_PKTTYPE = The packet type.
53 R_NTOTAL = The total number of bytes of this packet
55 Note that these values are only updated on success.
58 next_packet (unsigned char const **bufptr, size_t *buflen,
59 unsigned char const **r_data, size_t *r_datalen, int *r_pkttype,
62 const unsigned char *buf = *bufptr;
68 return gpg_error (GPG_ERR_NO_DATA);
72 return gpg_error (GPG_ERR_INV_PACKET); /* Invalid CTB. */
74 if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */
76 pkttype = (ctb & 0x3f);
78 return gpg_error (GPG_ERR_INV_PACKET); /* No 1st length byte. */
80 if (pkttype == PKT_COMPRESSED)
81 return gpg_error (GPG_ERR_UNEXPECTED); /* ... packet in a keyblock. */
86 pktlen = (c - 192) * 256;
88 return gpg_error (GPG_ERR_INV_PACKET); /* No 2nd length byte. */
95 return gpg_error (GPG_ERR_INV_PACKET); /* No length bytes. */
96 pktlen = buf32_to_ulong (buf);
100 else /* Partial length encoding is not allowed for key packets. */
101 return gpg_error (GPG_ERR_UNEXPECTED);
103 else /* Old style CTB. */
108 pkttype = (ctb>>2)&0xf;
109 lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
110 if (!lenbytes) /* Not allowed in key packets. */
111 return gpg_error (GPG_ERR_UNEXPECTED);
113 return gpg_error (GPG_ERR_INV_PACKET); /* Not enough length bytes. */
114 for (; lenbytes; lenbytes--)
117 pktlen |= *buf++; len--;
121 /* Do some basic sanity check. */
127 case PKT_SECRET_SUBKEY:
131 case PKT_PUBLIC_SUBKEY:
132 case PKT_OLD_COMMENT:
135 case PKT_GPG_CONTROL:
136 break; /* Okay these are allowed packets. */
138 return gpg_error (GPG_ERR_UNEXPECTED);
141 if (pkttype == 63 && pktlen == 0xFFFFFFFF)
142 /* Sometimes the decompressing layer enters an error state in
143 which it simply outputs 0xff for every byte read. If we have a
144 stream of 0xff bytes, then it will be detected as a new format
145 packet with type 63 and a 4-byte encoded length that is 4G-1.
146 Since packets with type 63 are private and we use them as a
147 control packet, which won't be 4 GB, we reject such packets as
149 return gpg_error (GPG_ERR_INV_PACKET);
152 return gpg_error (GPG_ERR_INV_PACKET); /* Packet length header too long. */
156 *r_pkttype = pkttype;
157 *r_ntotal = (buf - *bufptr) + pktlen;
159 *bufptr = buf + pktlen;
160 *buflen = len - pktlen;
168 /* Parse a key packet and store the information in KI. */
170 parse_key (const unsigned char *data, size_t datalen,
171 struct _keybox_openpgp_key_info *ki)
174 const unsigned char *data_start = data;
175 int i, version, algorithm;
178 unsigned char hashbuffer[768];
179 const unsigned char *mpi_n = NULL;
180 size_t mpi_n_len = 0, mpi_e_len = 0;
185 return gpg_error (GPG_ERR_INV_PACKET);
186 version = *data++; datalen--;
187 if (version < 2 || version > 4 )
188 return gpg_error (GPG_ERR_INV_PACKET); /* Invalid version. */
190 /*timestamp = ((data[0]<<24)|(data[1]<<16)|(data[2]<<8)|(data[3]));*/
191 data +=4; datalen -=4;
196 return gpg_error (GPG_ERR_INV_PACKET);
197 data +=2; datalen -= 2;
201 return gpg_error (GPG_ERR_INV_PACKET);
202 algorithm = *data++; datalen--;
206 case PUBKEY_ALGO_RSA:
207 case PUBKEY_ALGO_RSA_E:
208 case PUBKEY_ALGO_RSA_S:
211 case PUBKEY_ALGO_ELGAMAL_E:
212 case PUBKEY_ALGO_ELGAMAL:
215 case PUBKEY_ALGO_DSA:
218 case PUBKEY_ALGO_ECDH:
222 case PUBKEY_ALGO_ECDSA:
223 case PUBKEY_ALGO_EDDSA:
227 default: /* Unknown algorithm. */
228 return gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
231 ki->algo = algorithm;
233 for (i=0; i < npkey; i++ )
235 unsigned int nbits, nbytes;
238 return gpg_error (GPG_ERR_INV_PACKET);
240 if (is_ecc && (i == 0 || i == 2))
243 if (nbytes < 2 || nbytes > 254)
244 return gpg_error (GPG_ERR_INV_PACKET);
245 nbytes++; /* The size byte itself. */
246 if (datalen < nbytes)
247 return gpg_error (GPG_ERR_INV_PACKET);
251 nbits = ((data[0]<<8)|(data[1]));
254 nbytes = (nbits+7) / 8;
255 if (datalen < nbytes)
256 return gpg_error (GPG_ERR_INV_PACKET);
257 /* For use by v3 fingerprint calculation we need to know the RSA
258 modulus and exponent. */
268 data += nbytes; datalen -= nbytes;
270 n = data - data_start;
274 /* We do not support any other algorithm than RSA in v3
276 if (algorithm < 1 || algorithm > 3)
277 return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
279 err = gcry_md_open (&md, GCRY_MD_MD5, 0);
281 return err; /* Oops */
282 gcry_md_write (md, mpi_n, mpi_n_len);
283 gcry_md_write (md, mpi_n+mpi_n_len+2, mpi_e_len);
284 memcpy (ki->fpr, gcry_md_read (md, 0), 16);
290 /* Moduli less than 64 bit are out of the specs scope. Zero
291 them out because this is what gpg does too. */
292 memset (ki->keyid, 0, 8);
295 memcpy (ki->keyid, mpi_n + mpi_n_len - 8, 8);
299 /* Its a pitty that we need to prefix the buffer with the tag
300 and a length header: We can't simply pass it to the fast
301 hashing function for that reason. It might be a good idea to
302 have a scatter-gather enabled hash function. What we do here
303 is to use a static buffer if this one is large enough and
304 only use the regular hash functions if this buffer is not
306 if ( 3 + n < sizeof hashbuffer )
308 hashbuffer[0] = 0x99; /* CTB */
309 hashbuffer[1] = (n >> 8); /* 2 byte length header. */
311 memcpy (hashbuffer + 3, data_start, n);
312 gcry_md_hash_buffer (GCRY_MD_SHA1, ki->fpr, hashbuffer, 3 + n);
316 err = gcry_md_open (&md, GCRY_MD_SHA1, 0);
318 return err; /* Oops */
319 gcry_md_putc (md, 0x99 ); /* CTB */
320 gcry_md_putc (md, (n >> 8) ); /* 2 byte length header. */
321 gcry_md_putc (md, n );
322 gcry_md_write (md, data_start, n);
323 memcpy (ki->fpr, gcry_md_read (md, 0), 20);
327 memcpy (ki->keyid, ki->fpr+12, 8);
335 /* The caller must pass the address of an INFO structure which will
336 get filled on success with information pertaining to the OpenPGP
337 keyblock IMAGE of length IMAGELEN. Note that a caller does only
338 need to release this INFO structure if the function returns
339 success. If NPARSED is not NULL the actual number of bytes parsed
340 will be stored at this address. */
342 _keybox_parse_openpgp (const unsigned char *image, size_t imagelen,
343 size_t *nparsed, keybox_openpgp_info_t info)
346 const unsigned char *image_start, *data;
351 struct _keybox_openpgp_key_info *k, **ktail = NULL;
352 struct _keybox_openpgp_uid_info *u, **utail = NULL;
354 memset (info, 0, sizeof *info);
361 err = next_packet (&image, &imagelen, &data, &datalen, &pkttype, &n);
370 if (pkttype == PKT_PUBLIC_KEY)
372 else if (pkttype == PKT_SECRET_KEY)
376 err = gpg_error (GPG_ERR_UNEXPECTED);
383 else if (pkttype == PKT_PUBLIC_KEY || pkttype == PKT_SECRET_KEY)
384 break; /* Next keyblock encountered - ready. */
389 if (pkttype == PKT_SIGNATURE)
391 /* For now we only count the total number of signatures. */
394 else if (pkttype == PKT_USER_ID)
397 if (info->nuids == 1)
399 info->uids.off = data - image_start;
400 info->uids.len = datalen;
401 utail = &info->uids.next;
405 u = xtrycalloc (1, sizeof *u);
408 err = gpg_error_from_syserror ();
411 u->off = data - image_start;
417 else if (pkttype == PKT_PUBLIC_KEY || pkttype == PKT_SECRET_KEY)
419 err = parse_key (data, datalen, &info->primary);
423 else if( pkttype == PKT_PUBLIC_SUBKEY && datalen && *data == '#' )
425 /* Early versions of GnuPG used old PGP comment packets;
426 * luckily all those comments are prefixed by a hash
427 * sign - ignore these packets. */
429 else if (pkttype == PKT_PUBLIC_SUBKEY || pkttype == PKT_SECRET_SUBKEY)
432 if (info->nsubkeys == 1)
434 err = parse_key (data, datalen, &info->subkeys);
438 /* We ignore subkeys with unknown algorithms. */
439 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_ALGORITHM
440 || gpg_err_code (err) == GPG_ERR_UNSUPPORTED_ALGORITHM)
446 ktail = &info->subkeys.next;
450 k = xtrycalloc (1, sizeof *k);
453 err = gpg_error_from_syserror ();
456 err = parse_key (data, datalen, k);
461 /* We ignore subkeys with unknown algorithms. */
462 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_ALGORITHM
463 || gpg_err_code (err) == GPG_ERR_UNSUPPORTED_ALGORITHM)
479 _keybox_destroy_openpgp_info (info);
482 /* Packet parsing worked, thus we should be able to skip the
483 rest of the keyblock. */
486 if (next_packet (&image, &imagelen,
487 &data, &datalen, &pkttype, &n) )
488 break; /* Another error - stop here. */
490 if (pkttype == PKT_PUBLIC_KEY || pkttype == PKT_SECRET_KEY)
491 break; /* Next keyblock encountered - ready. */
503 /* Release any malloced data in INFO but not INFO itself! */
505 _keybox_destroy_openpgp_info (keybox_openpgp_info_t info)
507 struct _keybox_openpgp_key_info *k, *k2;
508 struct _keybox_openpgp_uid_info *u, *u2;
510 assert (!info->primary.next);
511 for (k=info->subkeys.next; k; k = k2)
517 for (u=info->uids.next; u; u = u2)