[RFC v2 1/5] agent: expose shadow key type
James Bottomley
James.Bottomley at HansenPartnership.com
Mon Mar 5 20:13:25 CET 2018
For TPM support it is necessary to indroduce another type of shadow
key, so allow other agent functions to extract the type so they can
make the right decisions based on it.
Signed-off-by: James Bottomley <James.Bottomley at HansenPartnership.com>
---
agent/agent.h | 10 +++++++-
agent/command.c | 21 +++++++++++++----
agent/findkey.c | 5 ++--
agent/protect.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++--------
4 files changed, 90 insertions(+), 18 deletions(-)
diff --git a/agent/agent.h b/agent/agent.h
index 687635dc7..2df2fde53 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -420,7 +420,8 @@ int agent_is_eddsa_key (gcry_sexp_t s_key);
int agent_key_available (const unsigned char *grip);
gpg_error_t agent_key_info_from_file (ctrl_t ctrl, const unsigned char *grip,
int *r_keytype,
- unsigned char **r_shadow_info);
+ unsigned char **r_shadow_info,
+ unsigned char **r_shadow_info_type);
gpg_error_t agent_delete_key (ctrl_t ctrl, const char *desc_text,
const unsigned char *grip,
int force, int only_stubs);
@@ -502,8 +503,15 @@ unsigned char *make_shadow_info (const char *serialno, const char *idstring);
int agent_shadow_key (const unsigned char *pubkey,
const unsigned char *shadow_info,
unsigned char **result);
+int agent_shadow_key_type (const unsigned char *pubkey,
+ const unsigned char *shadow_info,
+ const unsigned char *type,
+ unsigned char **result);
gpg_error_t agent_get_shadow_info (const unsigned char *shadowkey,
unsigned char const **shadow_info);
+gpg_error_t agent_get_shadow_info_type (const unsigned char *shadowkey,
+ unsigned char const **shadow_info,
+ unsigned char **shadow_type);
gpg_error_t parse_shadow_info (const unsigned char *shadow_info,
char **r_hexsn, char **r_idstr, int *r_pinlen);
gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo,
diff --git a/agent/command.c b/agent/command.c
index e2486a556..32c12d93f 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -1104,7 +1104,7 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
char hexgrip[40+1];
char *fpr = NULL;
int keytype;
- unsigned char *shadow_info = NULL;
+ unsigned char *shadow_info = NULL, *shadow_info_type = NULL;
char *serialno = NULL;
char *idstr = NULL;
const char *keytypestr;
@@ -1115,7 +1115,8 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
char ttlbuf[20];
char flagsbuf[5];
- err = agent_key_info_from_file (ctrl, grip, &keytype, &shadow_info);
+ err = agent_key_info_from_file (ctrl, grip, &keytype, &shadow_info,
+ &shadow_info_type);
if (err)
{
if (in_ssh && gpg_err_code (err) == GPG_ERR_NOT_FOUND)
@@ -1185,9 +1186,18 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
if (shadow_info)
{
- err = parse_shadow_info (shadow_info, &serialno, &idstr, NULL);
- if (err)
- goto leave;
+ if (strcmp (shadow_info_type, "t1-v1") == 0)
+ {
+ err = parse_shadow_info (shadow_info, &serialno, &idstr, NULL);
+ if (err)
+ goto leave;
+ }
+ else
+ {
+ log_error ("Unrecognised shadow key type %s\n", shadow_info_type);
+ err = GPG_ERR_BAD_KEY;
+ goto leave;
+ }
}
if (!data)
@@ -1222,6 +1232,7 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
leave:
xfree (fpr);
+ xfree (shadow_info_type);
xfree (shadow_info);
xfree (serialno);
xfree (idstr);
diff --git a/agent/findkey.c b/agent/findkey.c
index e3e9a123f..d6c600e71 100644
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -1359,7 +1359,8 @@ agent_key_available (const unsigned char *grip)
S-expression. */
gpg_error_t
agent_key_info_from_file (ctrl_t ctrl, const unsigned char *grip,
- int *r_keytype, unsigned char **r_shadow_info)
+ int *r_keytype, unsigned char **r_shadow_info,
+ unsigned char **r_shadow_info_type)
{
gpg_error_t err;
unsigned char *buf;
@@ -1406,7 +1407,7 @@ agent_key_info_from_file (ctrl_t ctrl, const unsigned char *grip,
const unsigned char *s;
size_t n;
- err = agent_get_shadow_info (buf, &s);
+ err = agent_get_shadow_info_type (buf, &s, r_shadow_info_type);
if (!err)
{
n = gcry_sexp_canon_len (s, 0, NULL, NULL);
diff --git a/agent/protect.c b/agent/protect.c
index 16ae715e1..0920667d1 100644
--- a/agent/protect.c
+++ b/agent/protect.c
@@ -1499,9 +1499,10 @@ make_shadow_info (const char *serialno, const char *idstring)
to. The input parameters are expected to be valid canonicalized
S-expressions */
int
-agent_shadow_key (const unsigned char *pubkey,
- const unsigned char *shadow_info,
- unsigned char **result)
+agent_shadow_key_type (const unsigned char *pubkey,
+ const unsigned char *shadow_info,
+ const unsigned char *type,
+ unsigned char **result)
{
const unsigned char *s;
const unsigned char *point;
@@ -1557,7 +1558,7 @@ agent_shadow_key (const unsigned char *pubkey,
assert (depth == 1);
/* Calculate required length by taking in account: the "shadowed-"
- prefix, the "shadowed", "t1-v1" as well as some parenthesis */
+ prefix, the "shadowed", shadow type as well as some parenthesis */
n = 12 + pubkey_len + 1 + 3+8 + 2+5 + shadow_info_len + 1;
*result = xtrymalloc (n);
p = (char*)*result;
@@ -1567,7 +1568,7 @@ agent_shadow_key (const unsigned char *pubkey,
/* (10:public-key ...)*/
memcpy (p, pubkey+14, point - (pubkey+14));
p += point - (pubkey+14);
- p = stpcpy (p, "(8:shadowed5:t1-v1");
+ p += sprintf (p, "(8:shadowed%d:%s", (int)strlen(type), type);
memcpy (p, shadow_info, shadow_info_len);
p += shadow_info_len;
*p++ = ')';
@@ -1577,11 +1578,20 @@ agent_shadow_key (const unsigned char *pubkey,
return 0;
}
+int
+agent_shadow_key (const unsigned char *pubkey,
+ const unsigned char *shadow_info,
+ unsigned char **result)
+{
+ return agent_shadow_key_type (pubkey, shadow_info, "t1-v1", result);
+}
+
/* Parse a canonical encoded shadowed key and return a pointer to the
- inner list with the shadow_info */
+ inner list with the shadow_info and the shadow type */
gpg_error_t
-agent_get_shadow_info (const unsigned char *shadowkey,
- unsigned char const **shadow_info)
+agent_get_shadow_info_type (const unsigned char *shadowkey,
+ unsigned char const **shadow_info,
+ unsigned char **shadow_type)
{
const unsigned char *s;
size_t n;
@@ -1633,17 +1643,59 @@ agent_get_shadow_info (const unsigned char *shadowkey,
n = snext (&s);
if (!n)
return gpg_error (GPG_ERR_INV_SEXP);
- if (smatch (&s, n, "t1-v1"))
+ if (shadow_type) {
+ char *buf = xtrymalloc(n+1);
+ memcpy(buf, s, n);
+ buf[n] = '\0';
+ *shadow_type = buf;
+ }
+
+ if (smatch (&s, n, "t1-v1") || smatch(&s, n, "tpm2-v1"))
{
if (*s != '(')
return gpg_error (GPG_ERR_INV_SEXP);
- *shadow_info = s;
+ if (shadow_info)
+ *shadow_info = s;
}
else
return gpg_error (GPG_ERR_UNSUPPORTED_PROTOCOL);
return 0;
}
+gpg_error_t
+agent_get_shadow_info(const unsigned char *shadowkey,
+ unsigned char const **shadow_info)
+{
+ return agent_get_shadow_info_type(shadowkey, shadow_info, NULL);
+}
+
+int
+agent_is_tpm2_key(gcry_sexp_t s_skey)
+{
+ unsigned char *buf;
+ unsigned char *type;
+ size_t len;
+ gpg_error_t err;
+
+ err = make_canon_sexp(s_skey, &buf, &len);
+ if (err)
+ return 0;
+
+ err = agent_get_shadow_info_type(buf, NULL, &type);
+ if (err)
+ return 0;
+
+ err = strcmp(type, "tpm2-v1") == 0;
+ xfree(type);
+ return err;
+}
+
+gpg_error_t
+agent_get_shadow_type(const unsigned char *shadowkey,
+ unsigned char **shadow_type)
+{
+ return agent_get_shadow_info_type(shadowkey, NULL, shadow_type);
+}
/* Parse the canonical encoded SHADOW_INFO S-expression. On success
the hex encoded serial number is returned as a malloced strings at
--
2.12.3
More information about the Gnupg-devel
mailing list