1 /* keybox-openpgp.c - OpenPGP key parsing
2 * Copyright (C) 2001, 2003, 2011 Free Software Foundation, Inc.
4 * This file is part of GnuPG.
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 /* This is a simple OpenPGP parser suitable for all OpenPGP key
21 material. It just provides the functionality required to build and
22 parse an KBX OpenPGP key blob. Thus it is not a complete parser.
23 However it is self-contained and optimized for fast in-memory
24 parsing. Note that we don't support old ElGamal v3 keys
34 #include "keybox-defs.h"
38 #include "../common/openpgpdefs.h"
41 /* Assume a valid OpenPGP packet at the address pointed to by BUFBTR
42 which has a maximum length as stored at BUFLEN. Return the header
43 information of that packet and advance the pointer stored at BUFPTR
44 to the next packet; also adjust the length stored at BUFLEN to
45 match the remaining bytes. If there are no more packets, store NULL
46 at BUFPTR. Return an non-zero error code on failure or the
47 following data on success:
49 R_DATAPKT = Pointer to the begin of the packet data.
50 R_DATALEN = Length of this data. This has already been checked to fit
52 R_PKTTYPE = The packet type.
53 R_NTOTAL = The total number of bytes of this packet
55 Note that these values are only updated on success.
58 next_packet (unsigned char const **bufptr, size_t *buflen,
59 unsigned char const **r_data, size_t *r_datalen, int *r_pkttype,
62 const unsigned char *buf = *bufptr;
68 return gpg_error (GPG_ERR_NO_DATA);
72 return gpg_error (GPG_ERR_INV_PACKET); /* Invalid CTB. */
75 if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */
77 pkttype = (ctb & 0x3f);
79 return gpg_error (GPG_ERR_INV_PACKET); /* No 1st length byte. */
81 if (pkttype == PKT_COMPRESSED)
82 return gpg_error (GPG_ERR_UNEXPECTED); /* ... packet in a keyblock. */
87 pktlen = (c - 192) * 256;
89 return gpg_error (GPG_ERR_INV_PACKET); /* No 2nd length byte. */
96 return gpg_error (GPG_ERR_INV_PACKET); /* No length bytes. */
97 pktlen = buf32_to_ulong (buf);
101 else /* Partial length encoding is not allowed for key packets. */
102 return gpg_error (GPG_ERR_UNEXPECTED);
104 else /* Old style CTB. */
109 pkttype = (ctb>>2)&0xf;
110 lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
111 if (!lenbytes) /* Not allowed in key packets. */
112 return gpg_error (GPG_ERR_UNEXPECTED);
114 return gpg_error (GPG_ERR_INV_PACKET); /* Not enough length bytes. */
115 for (; lenbytes; lenbytes--)
118 pktlen |= *buf++; len--;
122 /* Do some basic sanity check. */
128 case PKT_SECRET_SUBKEY:
132 case PKT_PUBLIC_SUBKEY:
133 case PKT_OLD_COMMENT:
136 case PKT_GPG_CONTROL:
137 break; /* Okay these are allowed packets. */
139 return gpg_error (GPG_ERR_UNEXPECTED);
142 if (pkttype == 63 && pktlen == 0xFFFFFFFF)
143 /* Sometimes the decompressing layer enters an error state in
144 which it simply outputs 0xff for every byte read. If we have a
145 stream of 0xff bytes, then it will be detected as a new format
146 packet with type 63 and a 4-byte encoded length that is 4G-1.
147 Since packets with type 63 are private and we use them as a
148 control packet, which won't be 4 GB, we reject such packets as
150 return gpg_error (GPG_ERR_INV_PACKET);
153 return gpg_error (GPG_ERR_INV_PACKET); /* Packet length header too long. */
157 *r_pkttype = pkttype;
158 *r_ntotal = (buf - *bufptr) + pktlen;
160 *bufptr = buf + pktlen;
161 *buflen = len - pktlen;
169 /* Parse a key packet and store the information in KI. */
171 parse_key (const unsigned char *data, size_t datalen,
172 struct _keybox_openpgp_key_info *ki)
175 const unsigned char *data_start = data;
176 int i, version, algorithm;
179 unsigned char hashbuffer[768];
180 const unsigned char *mpi_n = NULL;
181 size_t mpi_n_len = 0, mpi_e_len = 0;
186 return gpg_error (GPG_ERR_INV_PACKET);
187 version = *data++; datalen--;
188 if (version < 2 || version > 4 )
189 return gpg_error (GPG_ERR_INV_PACKET); /* Invalid version. */
191 /*timestamp = ((data[0]<<24)|(data[1]<<16)|(data[2]<<8)|(data[3]));*/
192 data +=4; datalen -=4;
197 return gpg_error (GPG_ERR_INV_PACKET);
198 data +=2; datalen -= 2;
202 return gpg_error (GPG_ERR_INV_PACKET);
203 algorithm = *data++; datalen--;
207 case PUBKEY_ALGO_RSA:
208 case PUBKEY_ALGO_RSA_E:
209 case PUBKEY_ALGO_RSA_S:
212 case PUBKEY_ALGO_ELGAMAL_E:
213 case PUBKEY_ALGO_ELGAMAL:
216 case PUBKEY_ALGO_DSA:
219 case PUBKEY_ALGO_ECDH:
223 case PUBKEY_ALGO_ECDSA:
224 case PUBKEY_ALGO_EDDSA:
228 default: /* Unknown algorithm. */
229 return gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
232 ki->algo = algorithm;
234 for (i=0; i < npkey; i++ )
236 unsigned int nbits, nbytes;
239 return gpg_error (GPG_ERR_INV_PACKET);
241 if (is_ecc && (i == 0 || i == 2))
244 if (nbytes < 2 || nbytes > 254)
245 return gpg_error (GPG_ERR_INV_PACKET);
246 nbytes++; /* The size byte itself. */
247 if (datalen < nbytes)
248 return gpg_error (GPG_ERR_INV_PACKET);
252 nbits = ((data[0]<<8)|(data[1]));
255 nbytes = (nbits+7) / 8;
256 if (datalen < nbytes)
257 return gpg_error (GPG_ERR_INV_PACKET);
258 /* For use by v3 fingerprint calculation we need to know the RSA
259 modulus and exponent. */
269 data += nbytes; datalen -= nbytes;
271 n = data - data_start;
275 /* We do not support any other algorithm than RSA in v3
277 if (algorithm < 1 || algorithm > 3)
278 return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
280 err = gcry_md_open (&md, GCRY_MD_MD5, 0);
282 return err; /* Oops */
283 gcry_md_write (md, mpi_n, mpi_n_len);
284 gcry_md_write (md, mpi_n+mpi_n_len+2, mpi_e_len);
285 memcpy (ki->fpr, gcry_md_read (md, 0), 16);
291 /* Moduli less than 64 bit are out of the specs scope. Zero
292 them out because this is what gpg does too. */
293 memset (ki->keyid, 0, 8);
296 memcpy (ki->keyid, mpi_n + mpi_n_len - 8, 8);
300 /* Its a pitty that we need to prefix the buffer with the tag
301 and a length header: We can't simply pass it to the fast
302 hashing function for that reason. It might be a good idea to
303 have a scatter-gather enabled hash function. What we do here
304 is to use a static buffer if this one is large enough and
305 only use the regular hash functions if this buffer is not
307 if ( 3 + n < sizeof hashbuffer )
309 hashbuffer[0] = 0x99; /* CTB */
310 hashbuffer[1] = (n >> 8); /* 2 byte length header. */
312 memcpy (hashbuffer + 3, data_start, n);
313 gcry_md_hash_buffer (GCRY_MD_SHA1, ki->fpr, hashbuffer, 3 + n);
317 err = gcry_md_open (&md, GCRY_MD_SHA1, 0);
319 return err; /* Oops */
320 gcry_md_putc (md, 0x99 ); /* CTB */
321 gcry_md_putc (md, (n >> 8) ); /* 2 byte length header. */
322 gcry_md_putc (md, n );
323 gcry_md_write (md, data_start, n);
324 memcpy (ki->fpr, gcry_md_read (md, 0), 20);
328 memcpy (ki->keyid, ki->fpr+12, 8);
336 /* The caller must pass the address of an INFO structure which will
337 get filled on success with information pertaining to the OpenPGP
338 keyblock IMAGE of length IMAGELEN. Note that a caller does only
339 need to release this INFO structure if the function returns
340 success. If NPARSED is not NULL the actual number of bytes parsed
341 will be stored at this address. */
343 _keybox_parse_openpgp (const unsigned char *image, size_t imagelen,
344 size_t *nparsed, keybox_openpgp_info_t info)
347 const unsigned char *image_start, *data;
352 struct _keybox_openpgp_key_info *k, **ktail = NULL;
353 struct _keybox_openpgp_uid_info *u, **utail = NULL;
355 memset (info, 0, sizeof *info);
362 err = next_packet (&image, &imagelen, &data, &datalen, &pkttype, &n);
371 if (pkttype == PKT_PUBLIC_KEY)
373 else if (pkttype == PKT_SECRET_KEY)
377 err = gpg_error (GPG_ERR_UNEXPECTED);
384 else if (pkttype == PKT_PUBLIC_KEY || pkttype == PKT_SECRET_KEY)
385 break; /* Next keyblock encountered - ready. */
390 if (pkttype == PKT_SIGNATURE)
392 /* For now we only count the total number of signatures. */
395 else if (pkttype == PKT_USER_ID)
398 if (info->nuids == 1)
400 info->uids.off = data - image_start;
401 info->uids.len = datalen;
402 utail = &info->uids.next;
406 u = xtrycalloc (1, sizeof *u);
409 err = gpg_error_from_syserror ();
412 u->off = data - image_start;
418 else if (pkttype == PKT_PUBLIC_KEY || pkttype == PKT_SECRET_KEY)
420 err = parse_key (data, datalen, &info->primary);
424 else if( pkttype == PKT_PUBLIC_SUBKEY && datalen && *data == '#' )
426 /* Early versions of GnuPG used old PGP comment packets;
427 * luckily all those comments are prefixed by a hash
428 * sign - ignore these packets. */
430 else if (pkttype == PKT_PUBLIC_SUBKEY || pkttype == PKT_SECRET_SUBKEY)
433 if (info->nsubkeys == 1)
435 err = parse_key (data, datalen, &info->subkeys);
439 /* We ignore subkeys with unknown algorithms. */
440 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_ALGORITHM
441 || gpg_err_code (err) == GPG_ERR_UNSUPPORTED_ALGORITHM)
447 ktail = &info->subkeys.next;
451 k = xtrycalloc (1, sizeof *k);
454 err = gpg_error_from_syserror ();
457 err = parse_key (data, datalen, k);
462 /* We ignore subkeys with unknown algorithms. */
463 if (gpg_err_code (err) == GPG_ERR_UNKNOWN_ALGORITHM
464 || gpg_err_code (err) == GPG_ERR_UNSUPPORTED_ALGORITHM)
480 _keybox_destroy_openpgp_info (info);
483 /* Packet parsing worked, thus we should be able to skip the
484 rest of the keyblock. */
487 if (next_packet (&image, &imagelen,
488 &data, &datalen, &pkttype, &n) )
489 break; /* Another error - stop here. */
491 if (pkttype == PKT_PUBLIC_KEY || pkttype == PKT_SECRET_KEY)
492 break; /* Next keyblock encountered - ready. */
504 /* Release any malloced data in INFO but not INFO itself! */
506 _keybox_destroy_openpgp_info (keybox_openpgp_info_t info)
508 struct _keybox_openpgp_key_info *k, *k2;
509 struct _keybox_openpgp_uid_info *u, *u2;
511 assert (!info->primary.next);
512 for (k=info->subkeys.next; k; k = k2)
518 for (u=info->uids.next; u; u = u2)