1 /* gpgsm.h - Global definitions for GpgSM
2 * Copyright (C) 2001, 2003, 2004, 2007, 2009,
3 * 2010 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
24 #ifdef GPG_ERR_SOURCE_DEFAULT
25 #error GPG_ERR_SOURCE_DEFAULT already defined
27 #define GPG_ERR_SOURCE_DEFAULT GPG_ERR_SOURCE_GPGSM
28 #include <gpg-error.h>
32 #include "../common/util.h"
33 #include "../common/status.h"
34 #include "../common/audit.h"
35 #include "../common/session-env.h"
36 #include "../common/ksba-io-support.h"
37 #include "../common/compliance.h"
39 /* The maximum length of a binary fingerprints. This is used to
40 * provide a static buffer and will be increased if we need to support
41 * longer fingerprints. */
42 #define MAX_FINGERPRINT_LEN 32
44 /* The maximum length of a binary digest. */
45 #define MAX_DIGEST_LEN 64 /* Fits for SHA-512 */
50 struct keyserver_spec *next;
57 unsigned int use_ldaps:1;
61 /* A large struct named "opt" to keep global flags. */
62 EXTERN_UNLESS_MAIN_MODULE
65 unsigned int debug; /* debug flags (DBG_foo_VALUE) */
66 int verbose; /* verbosity level */
67 int quiet; /* be as quiet as possible */
68 int batch; /* run in batch mode, i.e w/o any user interaction */
69 int answer_yes; /* assume yes on most questions */
70 int answer_no; /* assume no on most questions */
71 int dry_run; /* don't change any persistent data */
72 int no_homedir_creation;
73 int use_keyboxd; /* Use the external keyboxd as storage backend. */
75 const char *config_filename; /* Name of the used config file. */
76 const char *agent_program;
78 const char *keyboxd_program;
80 session_env_t session_env;
85 const char *dirmngr_program;
86 int disable_dirmngr; /* Do not do any dirmngr calls. */
87 const char *protect_tool_program;
88 char *outfile; /* name of output file */
90 int with_key_data;/* include raw key in the column delimited output */
92 int fingerprint; /* list fingerprints in all key listings */
94 int with_md5_fingerprint; /* Also print an MD5 fingerprint for
95 standard key listings. */
97 int with_keygrip; /* Option --with-keygrip active. */
99 int with_key_screening; /* Option --with-key-screening active. */
104 int armor; /* force base64 armoring (see also ctrl.with_base64) */
105 int no_armor; /* don't try to figure out whether data is base64 armored*/
107 const char *p12_charset; /* Use this charset for encoding the
108 pkcs#12 passphrase. */
111 const char *def_cipher_algoid; /* cipher algorithm to use if
112 nothing else is specified */
114 int def_compress_algo; /* Ditto for compress algorithm */
116 int forced_digest_algo; /* User forced hash algorithm. */
118 int force_ecdh_sha1kdf; /* Only for debugging and testing. */
120 char *def_recipient; /* userID of the default recipient */
121 int def_recipient_self; /* The default recipient is the default key */
123 int no_encrypt_to; /* Ignore all as encrypt to marked recipients. */
125 char *local_user; /* NULL or argument to -u */
127 int extra_digest_algo; /* A digest algorithm also used for
128 verification of signatures. */
130 int always_trust; /* Trust the given keys even if there is no
131 valid certification chain */
132 int skip_verify; /* do not check signatures on data */
134 int lock_once; /* Keep lock once they are set */
136 int ignore_time_conflict; /* Ignore certain time conflicts */
138 int no_crl_check; /* Don't do a CRL check */
139 int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
140 int force_crl_refresh; /* Force refreshing the CRL. */
141 int enable_issuer_based_crl_check; /* Backward compatibility hack. */
142 int enable_ocsp; /* Default to use OCSP checks. */
144 char *policy_file; /* full pathname of policy file */
145 int no_policy_check; /* ignore certificate policies */
146 int no_chain_validation; /* Bypass all cert chain validity tests */
147 int ignore_expiration; /* Ignore the notAfter validity checks. */
149 int auto_issuer_key_retrieve; /* try to retrieve a missing issuer key. */
151 int qualsig_approval; /* Set to true if this software has
152 officially been approved to create an
153 verify qualified signatures. This is a
154 runtime option in case we want to check
155 the integrity of the software at
158 struct keyserver_spec *keyserver;
160 /* A list of certificate extension OIDs which are ignored so that
161 one can claim that a critical extension has been handled. One
163 strlist_t ignored_cert_extensions;
165 enum gnupg_compliance_mode compliance;
167 /* Enable creation of authenticode signatures. */
170 /* A list of extra attributes put into a signed data object. For a
171 * signed each attribute each string has the format:
172 * <oid>:s:<hex_or_filename>
173 * and for an unsigned attribute
174 * <oid>:u:<hex_or_filename>
175 * The OID is in the usual dotted decimal for. The HEX_OR_FILENAME
176 * is either a list of hex digits or a filename with the DER encoded
177 * value. A filename is detected by the presence of a slash in the
178 * HEX_OR_FILENAME. The actual value needs to be encoded as a SET OF
179 * attribute values. */
180 strlist_t attributes;
183 /* Debug values and macros. */
184 #define DBG_X509_VALUE 1 /* debug x.509 data reading/writing */
185 #define DBG_MPI_VALUE 2 /* debug mpi details */
186 #define DBG_CRYPTO_VALUE 4 /* debug low level crypto */
187 #define DBG_MEMORY_VALUE 32 /* debug memory allocation stuff */
188 #define DBG_CACHE_VALUE 64 /* debug the caching */
189 #define DBG_MEMSTAT_VALUE 128 /* show memory statistics */
190 #define DBG_HASHING_VALUE 512 /* debug hashing operations */
191 #define DBG_IPC_VALUE 1024 /* debug assuan communication */
192 #define DBG_CLOCK_VALUE 4096
193 #define DBG_LOOKUP_VALUE 8192 /* debug the key lookup */
195 #define DBG_X509 (opt.debug & DBG_X509_VALUE)
196 #define DBG_CRYPTO (opt.debug & DBG_CRYPTO_VALUE)
197 #define DBG_MEMORY (opt.debug & DBG_MEMORY_VALUE)
198 #define DBG_CACHE (opt.debug & DBG_CACHE_VALUE)
199 #define DBG_HASHING (opt.debug & DBG_HASHING_VALUE)
200 #define DBG_IPC (opt.debug & DBG_IPC_VALUE)
201 #define DBG_CLOCK (opt.debug & DBG_CLOCK_VALUE)
202 #define DBG_LOOKUP (opt.debug & DBG_LOOKUP_VALUE)
204 /* Forward declaration for an object defined in server.c */
205 struct server_local_s;
207 /* Object used to keep state locally in keydb.c */
208 struct keydb_local_s;
209 typedef struct keydb_local_s *keydb_local_t;
212 /* Session control object. This object is passed down to most
213 functions. Note that the default values for it are set by
214 gpgsm_init_default_ctrl(). */
215 struct server_control_s
217 int no_server; /* We are not running under server control */
218 int status_fd; /* Only for non-server mode */
219 struct server_local_s *server_local;
221 keydb_local_t keydb_local; /* Local data for call-keyboxd.c */
223 audit_ctx_t audit; /* NULL or a context for the audit subsystem. */
224 int agent_seen; /* Flag indicating that the gpg-agent has been
227 int with_colons; /* Use column delimited output format */
228 int with_secret; /* Mark secret keys in a public key listing. */
229 int with_chain; /* Include the certifying certs in a listing */
230 int with_validation;/* Validate each key while listing. */
231 int with_ephemeral_keys; /* Include ephemeral flagged keys in the
234 int autodetect_encoding; /* Try to detect the input encoding */
235 int is_pem; /* Is in PEM format */
236 int is_base64; /* is in plain base-64 format */
238 int create_base64; /* Create base64 encoded output */
239 int create_pem; /* create PEM output */
240 const char *pem_name; /* PEM name to use */
242 int include_certs; /* -1 to send all certificates in the chain
243 along with a signature or the number of
244 certificates up the chain (0 = none, 1 = only
246 int use_ocsp; /* Set to true if OCSP should be used. */
247 int validation_model; /* 0 := standard model (shell),
250 int offline; /* If true gpgsm won't do any network access. */
252 /* The current time. Used as a helper in certchain.c. */
253 ksba_isotime_t current_time;
257 /* An object to keep a list of certificates. */
260 struct certlist_s *next;
262 int is_encrypt_to; /* True if the certificate has been set through
263 the --encrypto-to option. */
264 int pk_algo; /* The PK_ALGO from CERT or 0 if not yet known. */
265 int hash_algo; /* Used to track the hash algorithm to use. */
266 const char *hash_algo_oid; /* And the corresponding OID. */
268 typedef struct certlist_s *certlist_t;
271 /* A structure carrying information about trusted root certificates. */
272 struct rootca_flags_s
274 unsigned int valid:1; /* The rest of the structure has valid
276 unsigned int relax:1; /* Relax checking of root certificates. */
277 unsigned int chain_model:1; /* Root requires the use of the chain model. */
283 void gpgsm_exit (int rc);
284 void gpgsm_init_default_ctrl (struct server_control_s *ctrl);
285 void gpgsm_deinit_default_ctrl (ctrl_t ctrl);
286 int gpgsm_parse_validation_model (const char *model);
289 void gpgsm_server (certlist_t default_recplist);
290 gpg_error_t gpgsm_status (ctrl_t ctrl, int no, const char *text);
291 gpg_error_t gpgsm_status2 (ctrl_t ctrl, int no, ...) GPGRT_ATTR_SENTINEL(0);
292 gpg_error_t gpgsm_status_with_err_code (ctrl_t ctrl, int no, const char *text,
294 gpg_error_t gpgsm_status_with_error (ctrl_t ctrl, int no, const char *text,
296 gpg_error_t gpgsm_proxy_pinentry_notify (ctrl_t ctrl,
297 const unsigned char *line);
299 /*-- fingerprint --*/
300 unsigned char *gpgsm_get_fingerprint (ksba_cert_t cert, int algo,
301 unsigned char *array, int *r_len);
302 char *gpgsm_get_fingerprint_string (ksba_cert_t cert, int algo);
303 char *gpgsm_get_fingerprint_hexstring (ksba_cert_t cert, int algo);
304 unsigned long gpgsm_get_short_fingerprint (ksba_cert_t cert,
305 unsigned long *r_high);
306 unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array);
307 char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
308 int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits);
309 int gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits,
311 char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid);
312 gcry_mpi_t gpgsm_get_rsa_modulus (ksba_cert_t cert);
313 char *gpgsm_get_certid (ksba_cert_t cert);
317 const void *gpgsm_get_serial (ksba_const_sexp_t sn, size_t *r_length);
318 void gpgsm_print_serial (estream_t fp, ksba_const_sexp_t p);
319 void gpgsm_print_serial_decimal (estream_t fp, ksba_const_sexp_t sn);
320 void gpgsm_print_time (estream_t fp, ksba_isotime_t t);
321 void gpgsm_print_name2 (FILE *fp, const char *string, int translate);
322 void gpgsm_print_name (FILE *fp, const char *string);
323 void gpgsm_es_print_name (estream_t fp, const char *string);
324 void gpgsm_es_print_name2 (estream_t fp, const char *string, int translate);
326 void gpgsm_cert_log_name (const char *text, ksba_cert_t cert);
328 void gpgsm_dump_cert (const char *text, ksba_cert_t cert);
329 void gpgsm_dump_serial (ksba_const_sexp_t p);
330 void gpgsm_dump_time (ksba_isotime_t t);
331 void gpgsm_dump_string (const char *string);
333 char *gpgsm_format_serial (ksba_const_sexp_t p);
334 char *gpgsm_format_name2 (const char *name, int translate);
335 char *gpgsm_format_name (const char *name);
336 char *gpgsm_format_sn_issuer (ksba_sexp_t sn, const char *issuer);
338 char *gpgsm_fpr_and_name_for_status (ksba_cert_t cert);
340 char *gpgsm_format_keydesc (ksba_cert_t cert);
343 /*-- certcheck.c --*/
344 int gpgsm_check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert);
345 int gpgsm_check_cms_signature (ksba_cert_t cert, gcry_sexp_t sigval,
347 int hash_algo, unsigned int pkalgoflags,
349 /* fixme: move create functions to another file */
350 int gpgsm_create_cms_signature (ctrl_t ctrl,
351 ksba_cert_t cert, gcry_md_hd_t md, int mdalgo,
352 unsigned char **r_sigval);
355 /*-- certchain.c --*/
357 /* Flags used with gpgsm_validate_chain. */
358 #define VALIDATE_FLAG_NO_DIRMNGR 1
359 #define VALIDATE_FLAG_CHAIN_MODEL 2
360 #define VALIDATE_FLAG_STEED 4
362 gpg_error_t gpgsm_walk_cert_chain (ctrl_t ctrl,
363 ksba_cert_t start, ksba_cert_t *r_next);
364 int gpgsm_is_root_cert (ksba_cert_t cert);
365 int gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert,
366 ksba_isotime_t checktime,
367 ksba_isotime_t r_exptime,
368 int listmode, estream_t listfp,
369 unsigned int flags, unsigned int *retflags);
370 int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);
373 int gpgsm_cert_use_sign_p (ksba_cert_t cert, int silent);
374 int gpgsm_cert_use_encrypt_p (ksba_cert_t cert);
375 int gpgsm_cert_use_verify_p (ksba_cert_t cert);
376 int gpgsm_cert_use_decrypt_p (ksba_cert_t cert);
377 int gpgsm_cert_use_cert_p (ksba_cert_t cert);
378 int gpgsm_cert_use_ocsp_p (ksba_cert_t cert);
379 int gpgsm_cert_has_well_known_private_key (ksba_cert_t cert);
380 int gpgsm_certs_identical_p (ksba_cert_t cert_a, ksba_cert_t cert_b);
381 int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert,
382 certlist_t *listaddr, int is_encrypt_to);
383 int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
384 certlist_t *listaddr, int is_encrypt_to);
385 void gpgsm_release_certlist (certlist_t list);
386 int gpgsm_find_cert (ctrl_t ctrl, const char *name, ksba_sexp_t keyid,
387 ksba_cert_t *r_cert, int allow_ambiguous);
390 gpg_error_t gpgsm_list_keys (ctrl_t ctrl, strlist_t names,
391 estream_t fp, unsigned int mode);
392 gpg_error_t gpgsm_show_certs (ctrl_t ctrl, int nfiles, char **files,
396 int gpgsm_import (ctrl_t ctrl, int in_fd, int reimport_mode);
397 int gpgsm_import_files (ctrl_t ctrl, int nfiles, char **files,
398 int (*of)(const char *fname));
401 void gpgsm_export (ctrl_t ctrl, strlist_t names, estream_t stream);
402 void gpgsm_p12_export (ctrl_t ctrl, const char *name, estream_t stream,
406 int gpgsm_delete (ctrl_t ctrl, strlist_t names);
409 int gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp);
412 int gpgsm_get_default_cert (ctrl_t ctrl, ksba_cert_t *r_cert);
413 int gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
414 int data_fd, int detached, estream_t out_fp);
417 int gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist,
418 int in_fd, estream_t out_fp);
421 gpg_error_t ecdh_derive_kek (unsigned char *key, unsigned int keylen,
422 int hash_algo, const char *wrap_algo_str,
423 const void *secret, unsigned int secretlen,
424 const void *ukm, unsigned int ukmlen);
425 int gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp);
427 /*-- certreqgen.c --*/
428 int gpgsm_genkey (ctrl_t ctrl, estream_t in_stream, estream_t out_stream);
430 /*-- certreqgen-ui.c --*/
431 void gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t out_stream);
434 /*-- qualified.c --*/
435 gpg_error_t gpgsm_is_in_qualified_list (ctrl_t ctrl, ksba_cert_t cert,
437 gpg_error_t gpgsm_qualified_consent (ctrl_t ctrl, ksba_cert_t cert);
438 gpg_error_t gpgsm_not_qualified_warning (ctrl_t ctrl, ksba_cert_t cert);
440 /*-- call-agent.c --*/
441 int gpgsm_agent_pksign (ctrl_t ctrl, const char *keygrip, const char *desc,
442 unsigned char *digest,
445 unsigned char **r_buf, size_t *r_buflen);
446 int gpgsm_scd_pksign (ctrl_t ctrl, const char *keyid, const char *desc,
447 unsigned char *digest, size_t digestlen, int digestalgo,
448 unsigned char **r_buf, size_t *r_buflen);
449 int gpgsm_agent_pkdecrypt (ctrl_t ctrl, const char *keygrip, const char *desc,
450 ksba_const_sexp_t ciphertext,
451 char **r_buf, size_t *r_buflen);
452 int gpgsm_agent_genkey (ctrl_t ctrl,
453 ksba_const_sexp_t keyparms, ksba_sexp_t *r_pubkey);
454 int gpgsm_agent_readkey (ctrl_t ctrl, int fromcard, const char *hexkeygrip,
455 ksba_sexp_t *r_pubkey);
456 int gpgsm_agent_scd_serialno (ctrl_t ctrl, char **r_serialno);
457 int gpgsm_agent_scd_keypairinfo (ctrl_t ctrl, strlist_t *r_list);
458 int gpgsm_agent_istrusted (ctrl_t ctrl, ksba_cert_t cert, const char *hexfpr,
459 struct rootca_flags_s *rootca_flags);
460 int gpgsm_agent_havekey (ctrl_t ctrl, const char *hexkeygrip);
461 int gpgsm_agent_marktrusted (ctrl_t ctrl, ksba_cert_t cert);
462 int gpgsm_agent_learn (ctrl_t ctrl);
463 int gpgsm_agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc);
464 gpg_error_t gpgsm_agent_get_confirmation (ctrl_t ctrl, const char *desc);
465 gpg_error_t gpgsm_agent_send_nop (ctrl_t ctrl);
466 gpg_error_t gpgsm_agent_keyinfo (ctrl_t ctrl, const char *hexkeygrip,
468 gpg_error_t gpgsm_agent_ask_passphrase (ctrl_t ctrl, const char *desc_msg,
469 int repeat, char **r_passphrase);
470 gpg_error_t gpgsm_agent_keywrap_key (ctrl_t ctrl, int forexport,
471 void **r_kek, size_t *r_keklen);
472 gpg_error_t gpgsm_agent_import_key (ctrl_t ctrl,
473 const void *key, size_t keylen);
474 gpg_error_t gpgsm_agent_export_key (ctrl_t ctrl, const char *keygrip,
476 unsigned char **r_result,
477 size_t *r_resultlen);
479 /*-- call-dirmngr.c --*/
480 int gpgsm_dirmngr_isvalid (ctrl_t ctrl,
481 ksba_cert_t cert, ksba_cert_t issuer_cert,
483 int gpgsm_dirmngr_lookup (ctrl_t ctrl, strlist_t names, const char *uri,
485 void (*cb)(void*, ksba_cert_t), void *cb_value);
486 int gpgsm_dirmngr_run_command (ctrl_t ctrl, const char *command,
487 int argc, char **argv);
491 void setup_pinentry_env (void);
492 gpg_error_t transform_sigval (const unsigned char *sigval, size_t sigvallen,
494 unsigned char **r_newsigval,
495 size_t *r_newsigvallen);
496 gcry_sexp_t gpgsm_ksba_cms_get_sig_val (ksba_cms_t cms, int idx);
497 int gpgsm_get_hash_algo_from_sigval (gcry_sexp_t sigval,
498 unsigned int *r_pkalgo_flags);