1 /* certreqgen.c - Generate a key and a certification [request]
2 * Copyright (C) 2002, 2003, 2005, 2007, 2010,
3 * 2011 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
22 The format of the parameter file is described in the manual under
27 %echo Generating a standard key
30 Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
31 Name-Email: joe@foo.bar
32 # Do a commit here, so that we can later print a "done"
37 This parameter file was used to create the STEED CA:
40 Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
43 Name-DN: CN=The STEED Self-Signing Nonthority
44 Not-Before: 2011-11-11
46 Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
47 Extension: 2.5.29.19 c 30060101ff020101
48 Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
49 Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
95 struct para_data_s *next;
111 static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35";
112 static const char oidstr_subjectKeyIdentifier[] = "2.5.29.14";
113 static const char oidstr_keyUsage[] = "2.5.29.15";
114 static const char oidstr_basicConstraints[] = "2.5.29.19";
115 static const char oidstr_standaloneCertificate[] = "1.3.6.1.4.1.11591.2.2.1";
118 static int proc_parameters (ctrl_t ctrl,
119 struct para_data_s *para,
121 struct reqgen_ctrl_s *outctrl);
122 static int create_request (ctrl_t ctrl,
123 struct para_data_s *para,
124 const char *carddirect,
125 ksba_const_sexp_t public,
126 ksba_const_sexp_t sigkey,
127 ksba_writer_t writer);
132 release_parameter_list (struct para_data_s *r)
134 struct para_data_s *r2;
143 static struct para_data_s *
144 get_parameter (struct para_data_s *para, enum para_name key, int seq)
146 struct para_data_s *r;
148 for (r = para; r ; r = r->next)
149 if ( r->key == key && !seq--)
155 get_parameter_value (struct para_data_s *para, enum para_name key, int seq)
157 struct para_data_s *r = get_parameter (para, key, seq);
158 return (r && *r->u.value)? r->u.value : NULL;
162 get_parameter_algo (struct para_data_s *para, enum para_name key)
164 struct para_data_s *r = get_parameter (para, key, 0);
167 if (digitp (r->u.value))
168 return atoi( r->u.value );
169 return gcry_pk_map_name (r->u.value);
172 /* Parse the usage parameter. Returns 0 on success. Note that we
173 only care about sign and encrypt and don't (yet) allow all the
174 other X.509 usage to be specified; instead we will use a fixed
175 mapping to the X.509 usage flags. */
177 parse_parameter_usage (struct para_data_s *para, enum para_name key)
179 struct para_data_s *r = get_parameter (para, key, 0);
184 return 0; /* none (this is an optional parameter)*/
188 while ( (p = strsep (&pn, " \t,")) )
192 else if ( !ascii_strcasecmp (p, "sign") )
193 use |= GCRY_PK_USAGE_SIGN;
194 else if ( !ascii_strcasecmp (p, "encrypt")
195 || !ascii_strcasecmp (p, "encr") )
196 use |= GCRY_PK_USAGE_ENCR;
197 else if ( !ascii_strcasecmp (p, "cert") )
198 use |= GCRY_PK_USAGE_CERT;
201 log_error ("line %d: invalid usage list\n", r->lnr);
202 return -1; /* error */
211 get_parameter_uint (struct para_data_s *para, enum para_name key)
213 struct para_data_s *r = get_parameter (para, key, 0);
218 if (r->key == pKEYUSAGE)
221 return (unsigned int)strtoul (r->u.value, NULL, 10);
226 /* Read the certificate generation parameters from FP and generate
227 (all) certificate requests. */
229 read_parameters (ctrl_t ctrl, estream_t fp, estream_t out_fp)
236 { "Key-Type", pKEYTYPE},
237 { "Key-Length", pKEYLENGTH },
238 { "Key-Grip", pKEYGRIP },
239 { "Key-Usage", pKEYUSAGE },
240 { "Name-DN", pNAMEDN },
241 { "Name-Email", pNAMEEMAIL, 1 },
242 { "Name-DNS", pNAMEDNS, 1 },
243 { "Name-URI", pNAMEURI, 1 },
244 { "Serial", pSERIAL },
245 { "Issuer-DN", pISSUERDN },
246 { "Creation-Date", pNOTBEFORE },
247 { "Not-Before", pNOTBEFORE },
248 { "Expire-Date", pNOTAFTER },
249 { "Not-After", pNOTAFTER },
250 { "Signing-Key", pSIGNINGKEY },
251 { "Hash-Algo", pHASHALGO },
252 { "Authority-Key-Id", pAUTHKEYID },
253 { "Subject-Key-Id", pSUBJKEYID },
254 { "Extension", pEXTENSION, 1 },
258 const char *err = NULL;
259 struct para_data_s *para, *r;
260 int i, rc = 0, any = 0;
261 struct reqgen_ctrl_s outctrl;
263 memset (&outctrl, 0, sizeof (outctrl));
267 while (es_fgets (line, DIM(line)-1, fp) )
269 char *keyword, *value;
272 if (*line && line[strlen(line)-1] != '\n')
274 err = "line too long";
277 for (p=line; spacep (p); p++)
279 if (!*p || *p == '#')
285 for (; *p && !ascii_isspace (*p); p++)
289 for (; ascii_isspace (*p); p++)
292 trim_trailing_spaces (value);
294 if (!ascii_strcasecmp (keyword, "%echo"))
295 log_info ("%s\n", value);
296 else if (!ascii_strcasecmp (keyword, "%dry-run"))
298 else if (!ascii_strcasecmp( keyword, "%commit"))
300 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
304 release_parameter_list (para);
308 log_info ("skipping control '%s' (%s)\n", keyword, value);
314 if (!(p = strchr (p, ':')) || p == keyword)
316 err = "missing colon";
321 for (; spacep (p); p++)
325 err = "missing argument";
329 trim_trailing_spaces (value);
331 for (i=0; (keywords[i].name
332 && ascii_strcasecmp (keywords[i].name, keyword)); i++)
334 if (!keywords[i].name)
336 err = "unknown keyword";
339 if (keywords[i].key != pKEYTYPE && !para)
341 err = "parameter block does not start with \"Key-Type\"";
345 if (keywords[i].key == pKEYTYPE && para)
347 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
351 release_parameter_list (para);
354 else if (!keywords[i].allow_dups)
356 for (r = para; r && r->key != keywords[i].key; r = r->next)
360 err = "duplicate keyword";
365 r = xtrycalloc (1, sizeof *r + strlen( value ));
371 r->lnr = outctrl.lnr;
372 r->key = keywords[i].key;
373 strcpy (r->u.value, value);
380 log_error ("line %d: %s\n", outctrl.lnr, err);
381 rc = gpg_error (GPG_ERR_GENERAL);
383 else if (es_ferror(fp))
385 log_error ("line %d: read error: %s\n", outctrl.lnr, strerror(errno) );
386 rc = gpg_error (GPG_ERR_GENERAL);
390 rc = proc_parameters (ctrl, para, out_fp, &outctrl);
397 rc = gpg_error (GPG_ERR_NO_DATA);
400 release_parameter_list (para);
404 /* check whether there are invalid characters in the email address S */
406 has_invalid_email_chars (const char *s)
409 static char valid_chars[] = "01234567890_-."
410 "abcdefghijklmnopqrstuvwxyz"
411 "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
418 else if (!at_seen && !( !!strchr (valid_chars, *s) || *s == '+'))
420 else if (at_seen && !strchr (valid_chars, *s))
427 /* Check that all required parameters are given and perform the action */
429 proc_parameters (ctrl_t ctrl, struct para_data_s *para,
430 estream_t out_fp, struct reqgen_ctrl_s *outctrl)
433 struct para_data_s *r;
434 const char *s, *string;
438 unsigned char keyparms[100];
440 ksba_sexp_t public = NULL;
441 ksba_sexp_t sigkey = NULL;
443 size_t erroff, errlen;
444 char *cardkeyid = NULL;
446 /* Check that we have all required parameters; */
447 assert (get_parameter (para, pKEYTYPE, 0));
449 /* We can only use RSA for now. There is a problem with pkcs-10 on
450 how to use ElGamal because it is expected that a PK algorithm can
451 always be used for signing. Another problem is that on-card
452 generated encryption keys may not be used for signing. */
453 i = get_parameter_algo (para, pKEYTYPE);
454 if (!i && (s = get_parameter_value (para, pKEYTYPE, 0)) && *s)
456 /* Hack to allow creation of certificates directly from a smart
457 card. For example: "Key-Type: card:OPENPGP.3". */
458 if (!strncmp (s, "card:", 5) && s[5])
459 cardkeyid = xtrystrdup (s+5);
461 if ( (i < 1 || i != GCRY_PK_RSA) && !cardkeyid )
463 r = get_parameter (para, pKEYTYPE, 0);
464 log_error (_("line %d: invalid algorithm\n"), r->lnr);
465 return gpg_error (GPG_ERR_INV_PARAMETER);
468 /* Check the keylength. NOTE: If you change this make sure that it
469 macthes the gpgconflist item in gpgsm.c */
470 if (!get_parameter (para, pKEYLENGTH, 0))
473 nbits = get_parameter_uint (para, pKEYLENGTH);
474 if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
476 /* The BSI specs dated 2002-11-25 don't allow lengths below 1024. */
477 r = get_parameter (para, pKEYLENGTH, 0);
478 log_error (_("line %d: invalid key length %u (valid are %d to %d)\n"),
479 r->lnr, nbits, 1024, 4096);
481 return gpg_error (GPG_ERR_INV_PARAMETER);
484 /* Check the usage. */
485 if (parse_parameter_usage (para, pKEYUSAGE))
488 return gpg_error (GPG_ERR_INV_PARAMETER);
491 /* Check that there is a subject name and that this DN fits our
493 if (!(s=get_parameter_value (para, pNAMEDN, 0)))
495 r = get_parameter (para, pNAMEDN, 0);
496 log_error (_("line %d: no subject name given\n"), r->lnr);
498 return gpg_error (GPG_ERR_INV_PARAMETER);
500 err = ksba_dn_teststr (s, 0, &erroff, &errlen);
503 r = get_parameter (para, pNAMEDN, 0);
504 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
505 log_error (_("line %d: invalid subject name label '%.*s'\n"),
506 r->lnr, (int)errlen, s+erroff);
508 log_error (_("line %d: invalid subject name '%s' at pos %d\n"),
509 r->lnr, s, (int)erroff);
512 return gpg_error (GPG_ERR_INV_PARAMETER);
515 /* Check that the optional email address is okay. */
516 for (seq=0; (s=get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
518 if (has_invalid_email_chars (s)
520 || s[strlen(s)-1] == '@'
521 || s[strlen(s)-1] == '.'
524 r = get_parameter (para, pNAMEEMAIL, seq);
525 log_error (_("line %d: not a valid email address\n"), r->lnr);
527 return gpg_error (GPG_ERR_INV_PARAMETER);
531 /* Check the optional serial number. */
532 string = get_parameter_value (para, pSERIAL, 0);
535 if (!strcmp (string, "random"))
539 for (s=string, i=0; hexdigitp (s); s++, i++)
543 r = get_parameter (para, pSERIAL, 0);
544 log_error (_("line %d: invalid serial number\n"), r->lnr);
546 return gpg_error (GPG_ERR_INV_PARAMETER);
551 /* Check the optional issuer DN. */
552 string = get_parameter_value (para, pISSUERDN, 0);
555 err = ksba_dn_teststr (string, 0, &erroff, &errlen);
558 r = get_parameter (para, pISSUERDN, 0);
559 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME)
560 log_error (_("line %d: invalid issuer name label '%.*s'\n"),
561 r->lnr, (int)errlen, string+erroff);
563 log_error (_("line %d: invalid issuer name '%s' at pos %d\n"),
564 r->lnr, string, (int)erroff);
566 return gpg_error (GPG_ERR_INV_PARAMETER);
570 /* Check the optional creation date. */
571 string = get_parameter_value (para, pNOTBEFORE, 0);
572 if (string && !string2isotime (NULL, string))
574 r = get_parameter (para, pNOTBEFORE, 0);
575 log_error (_("line %d: invalid date given\n"), r->lnr);
577 return gpg_error (GPG_ERR_INV_PARAMETER);
581 /* Check the optional expire date. */
582 string = get_parameter_value (para, pNOTAFTER, 0);
583 if (string && !string2isotime (NULL, string))
585 r = get_parameter (para, pNOTAFTER, 0);
586 log_error (_("line %d: invalid date given\n"), r->lnr);
588 return gpg_error (GPG_ERR_INV_PARAMETER);
591 /* Get the optional signing key. */
592 string = get_parameter_value (para, pSIGNINGKEY, 0);
595 rc = gpgsm_agent_readkey (ctrl, 0, string, &sigkey);
598 r = get_parameter (para, pKEYTYPE, 0);
599 log_error (_("line %d: error getting signing key by keygrip '%s'"
600 ": %s\n"), r->lnr, s, gpg_strerror (rc));
606 /* Check the optional hash-algo. */
610 string = get_parameter_value (para, pHASHALGO, 0);
611 if (string && !((mdalgo = gcry_md_map_name (string))
612 && (mdalgo == GCRY_MD_SHA1
613 || mdalgo == GCRY_MD_SHA256
614 || mdalgo == GCRY_MD_SHA384
615 || mdalgo == GCRY_MD_SHA512)))
617 r = get_parameter (para, pHASHALGO, 0);
618 log_error (_("line %d: invalid hash algorithm given\n"), r->lnr);
620 return gpg_error (GPG_ERR_INV_PARAMETER);
624 /* Check the optional AuthorityKeyId. */
625 string = get_parameter_value (para, pAUTHKEYID, 0);
628 for (s=string, i=0; hexdigitp (s); s++, i++)
632 r = get_parameter (para, pAUTHKEYID, 0);
633 log_error (_("line %d: invalid authority-key-id\n"), r->lnr);
635 return gpg_error (GPG_ERR_INV_PARAMETER);
639 /* Check the optional SubjectKeyId. */
640 string = get_parameter_value (para, pSUBJKEYID, 0);
643 for (s=string, i=0; hexdigitp (s); s++, i++)
647 r = get_parameter (para, pSUBJKEYID, 0);
648 log_error (_("line %d: invalid subject-key-id\n"), r->lnr);
650 return gpg_error (GPG_ERR_INV_PARAMETER);
654 /* Check the optional extensions. */
655 for (seq=0; (string=get_parameter_value (para, pEXTENSION, seq)); seq++)
659 s = strpbrk (string, " \t:");
665 if (*s && strchr ("nNcC", *s))
676 for (i=0; hexdigitp (s); s++, i++)
678 if (!((*s && *s != ':') || !i || (i&1)))
685 r = get_parameter (para, pEXTENSION, seq);
686 log_error (_("line %d: invalid extension syntax\n"), r->lnr);
688 return gpg_error (GPG_ERR_INV_PARAMETER);
692 /* Create or retrieve the public key. */
693 if (cardkeyid) /* Take the key from the current smart card. */
695 rc = gpgsm_agent_readkey (ctrl, 1, cardkeyid, &public);
698 r = get_parameter (para, pKEYTYPE, 0);
699 log_error (_("line %d: error reading key '%s' from card: %s\n"),
700 r->lnr, cardkeyid, gpg_strerror (rc));
706 else if ((s=get_parameter_value (para, pKEYGRIP, 0))) /* Use existing key.*/
708 rc = gpgsm_agent_readkey (ctrl, 0, s, &public);
711 r = get_parameter (para, pKEYTYPE, 0);
712 log_error (_("line %d: error getting key by keygrip '%s': %s\n"),
713 r->lnr, s, gpg_strerror (rc));
719 else if (!outctrl->dryrun) /* Generate new key. */
721 sprintf (numbuf, "%u", nbits);
722 snprintf ((char*)keyparms, DIM (keyparms),
723 "(6:genkey(3:rsa(5:nbits%d:%s)))",
724 (int)strlen (numbuf), numbuf);
725 rc = gpgsm_agent_genkey (ctrl, keyparms, &public);
728 r = get_parameter (para, pKEYTYPE, 0);
729 log_error (_("line %d: key generation failed: %s <%s>\n"),
730 r->lnr, gpg_strerror (rc), gpg_strsource (rc));
738 if (!outctrl->dryrun)
740 Base64Context b64writer = NULL;
741 ksba_writer_t writer;
744 create_cert = !!get_parameter_value (para, pSERIAL, 0);
746 ctrl->pem_name = create_cert? "CERTIFICATE" : "CERTIFICATE REQUEST";
747 rc = gpgsm_create_writer (&b64writer, ctrl, out_fp, &writer);
749 log_error ("can't create writer: %s\n", gpg_strerror (rc));
752 rc = create_request (ctrl, para, cardkeyid, public, sigkey, writer);
755 rc = gpgsm_finish_writer (b64writer);
757 log_error ("write failed: %s\n", gpg_strerror (rc));
760 gpgsm_status (ctrl, STATUS_KEY_CREATED, "P");
761 log_info ("certificate%s created\n",
762 create_cert?"":" request");
765 gpgsm_destroy_writer (b64writer);
777 /* Parameters are checked, the key pair has been created. Now
778 generate the request and write it out */
780 create_request (ctrl_t ctrl,
781 struct para_data_s *para,
782 const char *carddirect,
783 ksba_const_sexp_t public,
784 ksba_const_sexp_t sigkey,
785 ksba_writer_t writer)
790 ksba_stop_reason_t stopreason;
792 const char *s, *string;
798 ksba_isotime_t atime;
802 err = ksba_certreq_new (&cr);
806 string = get_parameter_value (para, pHASHALGO, 0);
808 mdalgo = gcry_md_map_name (string);
810 mdalgo = GCRY_MD_SHA256;
811 rc = gcry_md_open (&md, mdalgo, 0);
814 log_error ("md_open failed: %s\n", gpg_strerror (rc));
818 gcry_md_debug (md, "cr.cri");
820 ksba_certreq_set_hash_function (cr, HASH_FNC, md);
821 ksba_certreq_set_writer (cr, writer);
823 err = ksba_certreq_add_subject (cr, get_parameter_value (para, pNAMEDN, 0));
826 log_error ("error setting the subject's name: %s\n",
832 for (seq=0; (s = get_parameter_value (para, pNAMEEMAIL, seq)); seq++)
834 buf = xtrymalloc (strlen (s) + 3);
843 err = ksba_certreq_add_subject (cr, buf);
847 log_error ("error setting the subject's alternate name: %s\n",
854 for (seq=0; (s = get_parameter_value (para, pNAMEDNS, seq)); seq++)
858 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
859 buf = p = xtrymalloc (11 + strlen (numbuf) + len + 3);
865 p = stpcpy (p, "(8:dns-name");
866 p = stpcpy (p, numbuf);
870 err = ksba_certreq_add_subject (cr, buf);
874 log_error ("error setting the subject's alternate name: %s\n",
881 for (seq=0; (s = get_parameter_value (para, pNAMEURI, seq)); seq++)
885 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
886 buf = p = xtrymalloc (6 + strlen (numbuf) + len + 3);
892 p = stpcpy (p, "(3:uri");
893 p = stpcpy (p, numbuf);
897 err = ksba_certreq_add_subject (cr, buf);
901 log_error ("error setting the subject's alternate name: %s\n",
909 err = ksba_certreq_set_public_key (cr, public);
912 log_error ("error setting the public key: %s\n",
918 /* Set key usage flags. */
919 use = get_parameter_uint (para, pKEYUSAGE);
922 unsigned int mask, pos;
923 unsigned char der[4];
929 if ((use & GCRY_PK_USAGE_SIGN))
931 /* For signing only we encode the bits:
932 KSBA_KEYUSAGE_DIGITAL_SIGNATURE
933 KSBA_KEYUSAGE_NON_REPUDIATION = 0b11 -> 0b11000000 */
936 if ((use & GCRY_PK_USAGE_ENCR))
938 /* For encrypt only we encode the bits:
939 KSBA_KEYUSAGE_KEY_ENCIPHERMENT
940 KSBA_KEYUSAGE_DATA_ENCIPHERMENT = 0b1100 -> 0b00110000 */
943 if ((use & GCRY_PK_USAGE_CERT))
945 /* For certify only we encode the bits:
946 KSBA_KEYUSAGE_KEY_CERT_SIGN
947 KSBA_KEYUSAGE_CRL_SIGN = 0b1100000 -> 0b00000110 */
951 /* Count number of unused bits. */
952 for (mask=1, pos=0; pos < 8 * sizeof mask; pos++, mask <<= 1)
959 err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, der, 4);
962 log_error ("error setting the key usage: %s\n",
970 /* See whether we want to create an X.509 certificate. */
971 string = get_parameter_value (para, pSERIAL, 0);
976 /* Store the serial number. */
977 if (!strcmp (string, "random"))
981 memcpy (snbuf, "(8:", 3);
982 gcry_create_nonce (snbuf+3, 8);
983 /* Clear high bit to guarantee a positive integer. */
986 err = ksba_certreq_set_serial (cr, snbuf);
992 /* Allocate a buffer large enough to prefix the string with
993 a '0' so to have an even number of digits. Prepend two
994 further '0' so that the binary result will have a leading
995 0 byte and thus can't be the representation of a negative
996 number. Note that ksba_certreq_set_serial strips all
997 unneeded leading 0 bytes. */
998 hexbuf = p = xtrymalloc (2 + 1 + strlen (string) + 1);
1001 err = gpg_error_from_syserror ();
1004 if ((strlen (string) & 1))
1009 for (p=hexbuf, len=0; p[0] && p[1]; p += 2)
1010 ((unsigned char*)hexbuf)[len++] = xtoi_2 (p);
1011 /* Now build the S-expression. */
1012 snprintf (numbuf, DIM(numbuf), "%u:", (unsigned int)len);
1013 buf = p = xtrymalloc (1 + strlen (numbuf) + len + 1 + 1);
1016 err = gpg_error_from_syserror ();
1020 p = stpcpy (stpcpy (buf, "("), numbuf);
1021 memcpy (p, hexbuf, len);
1025 err = ksba_certreq_set_serial (cr, buf);
1030 log_error ("error setting the serial number: %s\n",
1031 gpg_strerror (err));
1036 /* Store the issuer DN. If no issuer DN is given and no signing
1037 key has been set we add the standalone extension and the
1038 basic constraints to mark it as a self-signed CA
1040 string = get_parameter_value (para, pISSUERDN, 0);
1043 /* Issuer DN given. Note that this may be the same as the
1044 subject DN and thus this could as well be a self-signed
1045 certificate. However the caller needs to explicitly
1046 specify basicConstraints and so forth. */
1047 err = ksba_certreq_set_issuer (cr, string);
1050 log_error ("error setting the issuer DN: %s\n",
1051 gpg_strerror (err));
1056 else if (!string && !sigkey)
1058 /* Self-signed certificate requested. Add basicConstraints
1059 and the custom GnuPG standalone extension. */
1060 err = ksba_certreq_add_extension (cr, oidstr_basicConstraints, 1,
1061 "\x30\x03\x01\x01\xff", 5);
1064 err = ksba_certreq_add_extension (cr, oidstr_standaloneCertificate, 0,
1070 /* Store the creation date. */
1071 string = get_parameter_value (para, pNOTBEFORE, 0);
1074 if (!string2isotime (atime, string))
1075 BUG (); /* We already checked the value. */
1078 gnupg_get_isotime (atime);
1079 err = ksba_certreq_set_validity (cr, 0, atime);
1082 log_error ("error setting the creation date: %s\n",
1083 gpg_strerror (err));
1088 /* Store the expire date. If it is not given, libksba inserts a
1090 string = get_parameter_value (para, pNOTAFTER, 0);
1093 if (!string2isotime (atime, string))
1094 BUG (); /* We already checked the value. */
1095 err = ksba_certreq_set_validity (cr, 1, atime);
1098 log_error ("error setting the expire date: %s\n",
1099 gpg_strerror (err));
1105 /* Figure out the signing algorithm. If no sigkey has been
1106 given we set it to the public key to create a self-signed
1112 unsigned char *siginfo;
1114 err = transform_sigval (sigkey,
1115 gcry_sexp_canon_len (sigkey, 0, NULL, NULL),
1116 mdalgo, &siginfo, NULL);
1119 err = ksba_certreq_set_siginfo (cr, siginfo);
1124 log_error ("error setting the siginfo: %s\n",
1125 gpg_strerror (err));
1131 /* Insert the AuthorityKeyId. */
1132 string = get_parameter_value (para, pAUTHKEYID, 0);
1137 /* Allocate a buffer for in-place conversion. We also add 4
1138 extra bytes space for the tags and lengths fields. */
1139 hexbuf = xtrymalloc (4 + strlen (string) + 1);
1142 err = gpg_error_from_syserror ();
1145 strcpy (hexbuf+4, string);
1146 for (p=hexbuf+4, len=0; p[0] && p[1]; p += 2)
1147 ((unsigned char*)hexbuf)[4+len++] = xtoi_2 (p);
1150 err = gpg_error (GPG_ERR_TOO_LARGE);
1154 hexbuf[0] = 0x30; /* Tag for a Sequence. */
1156 hexbuf[2] = 0x80; /* Context tag for an implicit Octet string. */
1158 err = ksba_certreq_add_extension (cr, oidstr_authorityKeyIdentifier,
1164 log_error ("error setting the authority-key-id: %s\n",
1165 gpg_strerror (err));
1170 /* Insert the SubjectKeyId. */
1171 string = get_parameter_value (para, pSUBJKEYID, 0);
1176 /* Allocate a buffer for in-place conversion. We also add 2
1177 extra bytes space for the tag and length field. */
1178 hexbuf = xtrymalloc (2 + strlen (string) + 1);
1181 err = gpg_error_from_syserror ();
1184 strcpy (hexbuf+2, string);
1185 for (p=hexbuf+2, len=0; p[0] && p[1]; p += 2)
1186 ((unsigned char*)hexbuf)[2+len++] = xtoi_2 (p);
1189 err = gpg_error (GPG_ERR_TOO_LARGE);
1193 hexbuf[0] = 0x04; /* Tag for an Octet string. */
1195 err = ksba_certreq_add_extension (cr, oidstr_subjectKeyIdentifier, 0,
1200 log_error ("error setting the subject-key-id: %s\n",
1201 gpg_strerror (err));
1206 /* Insert additional extensions. */
1207 for (seq=0; (string = get_parameter_value (para, pEXTENSION, seq)); seq++)
1213 s = strpbrk (string, " \t:");
1216 err = gpg_error (GPG_ERR_INTERNAL);
1220 oidstr = xtrymalloc (s - string + 1);
1223 err = gpg_error_from_syserror ();
1226 memcpy (oidstr, string, (s-string));
1227 oidstr[(s-string)] = 0;
1234 err = gpg_error (GPG_ERR_INTERNAL);
1239 if (strchr ("cC", *s))
1249 hexbuf = xtrystrdup (s);
1252 err = gpg_error_from_syserror ();
1256 for (p=hexbuf, len=0; p[0] && p[1]; p += 2)
1257 ((unsigned char*)hexbuf)[len++] = xtoi_2 (p);
1258 err = ksba_certreq_add_extension (cr, oidstr, crit,
1269 err = ksba_certreq_build (cr, &stopreason);
1272 log_error ("ksba_certreq_build failed: %s\n", gpg_strerror (err));
1276 if (stopreason == KSBA_SR_NEED_SIG)
1280 unsigned char grip[20];
1282 unsigned char *sigval, *newsigval;
1285 n = gcry_sexp_canon_len (sigkey, 0, NULL, NULL);
1288 log_error ("libksba did not return a proper S-Exp\n");
1289 rc = gpg_error (GPG_ERR_BUG);
1292 rc = gcry_sexp_sscan (&s_pkey, NULL, (const char*)sigkey, n);
1295 log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
1298 if ( !gcry_pk_get_keygrip (s_pkey, grip) )
1300 rc = gpg_error (GPG_ERR_GENERAL);
1301 log_error ("can't figure out the keygrip\n");
1302 gcry_sexp_release (s_pkey);
1305 gcry_sexp_release (s_pkey);
1306 bin2hex (grip, 20, hexgrip);
1308 log_info ("about to sign the %s for key: &%s\n",
1309 certmode? "certificate":"CSR", hexgrip);
1312 rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
1313 gcry_md_read (md, mdalgo),
1314 gcry_md_get_algo_dlen (mdalgo),
1322 orig_codeset = i18n_switchto_utf8 ();
1323 desc = percent_plus_escape
1324 (_("To complete this certificate request please enter"
1325 " the passphrase for the key you just created once"
1327 i18n_switchback (orig_codeset);
1328 rc = gpgsm_agent_pksign (ctrl, hexgrip, desc,
1329 gcry_md_read(md, mdalgo),
1330 gcry_md_get_algo_dlen (mdalgo),
1337 log_error ("signing failed: %s\n", gpg_strerror (rc));
1341 err = transform_sigval (sigval, siglen, mdalgo,
1346 err = ksba_certreq_set_sig_val (cr, newsigval);
1351 log_error ("failed to store the sig_val: %s\n",
1352 gpg_strerror (err));
1358 while (stopreason != KSBA_SR_READY);
1363 ksba_certreq_release (cr);
1369 /* Create a new key by reading the parameters from IN_FP. Multiple
1370 keys may be created */
1372 gpgsm_genkey (ctrl_t ctrl, estream_t in_stream, estream_t out_stream)
1376 rc = read_parameters (ctrl, in_stream, out_stream);
1379 log_error ("error creating certificate request: %s <%s>\n",
1380 gpg_strerror (rc), gpg_strsource (rc));