/* -*-c-*-
*
- * $Id: keyutil.c,v 1.2 1999/10/15 21:05:28 mdw Exp $
+ * $Id$
*
* Simple key manager program
*
- * (c) 1999 Mark Wooding
+ * (c) 1999 Straylight/Edgeware
*/
-/*----- Licensing notice --------------------------------------------------*
+/*----- Licensing notice --------------------------------------------------*
*
* This file is part of Catacomb.
*
* it under the terms of the GNU Library General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
- *
+ *
* Catacomb is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Library General Public License for more details.
- *
+ *
* You should have received a copy of the GNU Library General Public
* License along with Catacomb; if not, write to the Free
* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
-/*----- Revision history --------------------------------------------------*
- *
- * $Log: keyutil.c,v $
- * Revision 1.2 1999/10/15 21:05:28 mdw
- * In `key list', show timezone for local times, and support `-u' option
- * for UTC output.
- *
- * Revision 1.1 1999/09/03 08:41:12 mdw
- * Initial import.
- *
- */
-
/*----- Header files ------------------------------------------------------*/
+#define _FILE_OFFSET_BITS 64
+
#include "config.h"
+#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
+#include <mLib/base64.h>
#include <mLib/mdwopt.h>
#include <mLib/quis.h>
#include <mLib/report.h>
#include <noise.h>
#include <rand.h>
+#include "bintab.h"
+#include "bbs.h"
+#include "dh.h"
+#include "dsa.h"
+#include "dsarand.h"
+#include "ec.h"
+#include "ec-keys.h"
+#include "ectab.h"
+#include "fibrand.h"
#include "getdate.h"
+#include "gfreduce.h"
#include "key.h"
+#include "mp.h"
+#include "mpmont.h"
+#include "mprand.h"
+#include "mptext.h"
+#include "pgen.h"
+#include "ptab.h"
+#include "rsa.h"
+
+#include "cc.h"
+#include "sha-mgf.h"
+#include "sha256-mgf.h"
+#include "sha224-mgf.h"
+#include "sha384-mgf.h"
+#include "sha512-mgf.h"
+#include "tiger-mgf.h"
+#include "rmd128-mgf.h"
+#include "rmd160-mgf.h"
+#include "rmd256-mgf.h"
+#include "rmd320-mgf.h"
+#include "md5-mgf.h"
+#include "dsarand.h"
/*----- Handy global state ------------------------------------------------*/
static void doopen(key_file *f, unsigned how)
{
- if (key_open(f, keyfile, how))
- die(1, "couldn't open file `%s': %s", keyfile, strerror(errno));
+ if (key_open(f, keyfile, how, key_moan, 0))
+ die(1, "couldn't open keyring `%s': %s", keyfile, strerror(errno));
}
/* --- @doclose@ --- *
die(EXIT_FAILURE, "keyring file `%s' broken: %s (repair manually)",
keyfile, strerror(errno));
}
-}
+}
+
+/* --- @setattr@ --- *
+ *
+ * Arguments: @key_file *f@ = pointer to key file block
+ * @key *k@ = pointer to key block
+ * @char *v[]@ = array of assignments (overwritten!)
+ *
+ * Returns: ---
+ *
+ * Use: Applies the attribute assignments to the key.
+ */
+
+static void setattr(key_file *f, key *k, char *v[])
+{
+ while (*v) {
+ int err;
+ char *p = *v;
+ size_t eq = strcspn(p, "=");
+ if (!p[eq]) {
+ moan("invalid assignment: `%s' (ignored)", p);
+ v++;
+ continue;
+ }
+ p[eq] = 0;
+ p += eq + 1;
+ if ((err = key_putattr(f, k, *v, *p ? p : 0)) != 0)
+ die(EXIT_FAILURE, "couldn't set attributes: %s", key_strerror(err));
+ v++;
+ }
+}
+
+/*----- Seeding -----------------------------------------------------------*/
+
+const struct seedalg { const char *p; grand *(*gen)(const void *, size_t); }
+seedtab[] = {
+ { "dsarand", dsarand_create },
+ { "rmd128-mgf", rmd128_mgfrand },
+ { "rmd160-mgf", rmd160_mgfrand },
+ { "rmd256-mgf", rmd256_mgfrand },
+ { "rmd320-mgf", rmd320_mgfrand },
+ { "sha-mgf", sha_mgfrand },
+ { "sha224-mgf", sha224_mgfrand },
+ { "sha256-mgf", sha256_mgfrand },
+ { "sha384-mgf", sha384_mgfrand },
+ { "sha512-mgf", sha512_mgfrand },
+ { "tiger-mgf", tiger_mgfrand },
+ { 0, 0 }
+};
+
+#define SEEDALG_DEFAULT (seedtab + 2)
+
+/*----- Key generation ----------------------------------------------------*/
+
+/* --- Key generation parameters --- */
+
+typedef struct keyopts {
+ key_file *kf; /* Pointer to key file */
+ key *k; /* Pointer to the actual key */
+ dstr tag; /* Full tag name for the key */
+ unsigned f; /* Flags for the new key */
+ unsigned bits, qbits; /* Bit length for the new key */
+ const char *curve; /* Elliptic curve name/info */
+ grand *r; /* Random number source */
+ key *p; /* Parameters key-data */
+} keyopts;
+
+#define f_bogus 1u /* Error in parsing */
+#define f_lock 2u /* Passphrase-lock private key */
+#define f_quiet 4u /* Don't show a progress indicator */
+#define f_limlee 8u /* Generate Lim-Lee primes */
+#define f_subgroup 16u /* Generate a subgroup */
+#define f_retag 32u /* Remove any existing tag */
+#define f_kcdsa 64u /* Generate KCDSA primes */
+
+/* --- @dolock@ --- *
+ *
+ * Arguments: @keyopts *k@ = key generation options
+ * @key_data **kd@ = pointer to key data to lock
+ * @const char *t@ = tag suffix or null
+ *
+ * Returns: ---
+ *
+ * Use: Does passphrase locking on new keys.
+ */
+
+static void dolock(keyopts *k, key_data **kd, const char *t)
+{
+ if (!(k->f & f_lock))
+ return;
+ if (t)
+ dstr_putf(&k->tag, ".%s", t);
+ if (key_plock(kd, 0, k->tag.buf))
+ die(EXIT_FAILURE, "couldn't lock key");
+}
+
+/* --- @copyparam@ --- *
+ *
+ * Arguments: @keyopts *k@ = pointer to key options
+ * @const char **pp@ = checklist of parameters
+ *
+ * Returns: Nonzero if parameters copied; zero if you have to generate
+ * them.
+ *
+ * Use: Copies parameters from a source key to the current one.
+ */
+
+static int copyparam(keyopts *k, const char **pp)
+{
+ key_filter kf;
+ key_attriter i;
+ key_data *kd;
+ const char *n, *v;
+
+ kf.f = KCAT_SHARE;
+ kf.m = KF_CATMASK;
+
+ /* --- Quick check if no parameters supplied --- */
+
+ if (!k->p)
+ return (0);
+
+ /* --- Run through the checklist --- */
+
+ while (*pp) {
+ key_data *kd = key_structfind(k->p->k, *pp);
+ if (!kd)
+ die(EXIT_FAILURE, "bad parameter key: parameter `%s' not found", *pp);
+ if (!KEY_MATCH(kd, &kf))
+ die(EXIT_FAILURE, "bad parameter key: subkey `%s' is not shared", *pp);
+ pp++;
+ }
+
+ /* --- Copy over the parameters --- */
+
+ kd = key_copydata(k->p->k, &kf);
+ assert(kd);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+
+ /* --- Copy over attributes --- */
+
+ for (key_mkattriter(&i, k->p); key_nextattr(&i, &n, &v); )
+ key_putattr(k->kf, k->k, n, v);
+
+ /* --- Done --- */
+
+ return (1);
+}
+
+/* --- @getmp@ --- *
+ *
+ * Arguments: @key_data *k@ = pointer to key data block
+ * @const char *tag@ = tag string to use
+ *
+ * Returns: Pointer to multiprecision integer key item.
+ *
+ * Use: Fetches an MP key component.
+ */
+
+static mp *getmp(key_data *k, const char *tag)
+{
+ k = key_structfind(k, tag);
+ if (!k)
+ die(EXIT_FAILURE, "unexpected failure looking up subkey `%s'", tag);
+ if ((k->e & KF_ENCMASK) != KENC_MP)
+ die(EXIT_FAILURE, "subkey `%s' has an incompatible type");
+ return (k->u.m);
+}
+
+/* --- @keyrand@ --- *
+ *
+ * Arguments: @key_file *kf@ = pointer to key file
+ * @const char *id@ = pointer to key id (or null)
+ *
+ * Returns: ---
+ *
+ * Use: Keys the random number generator.
+ */
+
+static void keyrand(key_file *kf, const char *id)
+{
+ key *k;
+
+ /* --- Find the key --- */
+
+ if (id) {
+ if ((k = key_bytag(kf, id)) == 0)
+ die(EXIT_FAILURE, "key `%s' not found", id);
+ } else
+ k = key_bytype(kf, "catacomb-rand");
+
+ if (k) {
+ key_data *kd = k->k, *kkd;
+ key_incref(kd);
+
+ again:
+ switch (kd->e & KF_ENCMASK) {
+ case KENC_BINARY:
+ break;
+ case KENC_ENCRYPT: {
+ dstr d = DSTR_INIT;
+ key_fulltag(k, &d);
+ if (key_punlock(&kkd, kd, d.buf))
+ die(EXIT_FAILURE, "error unlocking key `%s'", d.buf);
+ dstr_destroy(&d);
+ key_drop(kd);
+ kd = kkd;
+ } goto again;
+ default: {
+ dstr d = DSTR_INIT;
+ key_fulltag(k, &d);
+ die(EXIT_FAILURE, "bad encoding type for key `%s'", d.buf);
+ } break;
+ }
+
+ /* --- Key the generator --- */
+
+ rand_key(RAND_GLOBAL, kd->u.k.k, kd->u.k.sz);
+ key_drop(kd);
+ }
+}
+
+/* --- Key generation algorithms --- */
+
+static void alg_binary(keyopts *k)
+{
+ unsigned sz;
+ unsigned m;
+ key_data *kd;
+ octet *p;
+
+ if (!k->bits)
+ k->bits = 128;
+ if (k->p)
+ die(EXIT_FAILURE, "no shared parameters for binary keys");
+
+ sz = (k->bits + 7) >> 3;
+ p = sub_alloc(sz);
+ m = (1 << (((k->bits - 1) & 7) + 1)) - 1;
+ k->r->ops->fill(k->r, p, sz);
+ *p &= m;
+ kd = key_newbinary(KCAT_SYMM | KF_BURN, p, sz);
+ memset(p, 0, sz);
+ dolock(k, &kd, 0);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ sub_free(p, sz);
+}
+
+static void alg_des(keyopts *k)
+{
+ unsigned sz;
+ octet *p;
+ key_data *kd;
+ int i;
+
+ if (!k->bits)
+ k->bits = 168;
+ if (k->p)
+ die(EXIT_FAILURE, "no shared parameters for DES keys");
+ if (k->bits % 56 || k->bits > 168)
+ die(EXIT_FAILURE, "DES keys must be 56, 112 or 168 bits long");
+
+ sz = k->bits / 7;
+ p = sub_alloc(sz);
+ k->r->ops->fill(k->r, p, sz);
+ for (i = 0; i < sz; i++) {
+ octet x = p[i] | 0x01;
+ x = x ^ (x >> 4);
+ x = x ^ (x >> 2);
+ x = x ^ (x >> 1);
+ p[i] = (p[i] & 0xfe) | (x & 0x01);
+ }
+ kd = key_newbinary(KCAT_SYMM | KF_BURN, p, sz);
+ memset(p, 0, sz);
+ dolock(k, &kd, 0);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ sub_free(p, sz);
+}
+
+static void alg_rsa(keyopts *k)
+{
+ rsa_priv rp;
+ key_data *kd, *kkd;
+
+ /* --- Sanity checking --- */
+
+ if (k->p)
+ die(EXIT_FAILURE, "no shared parameters for RSA keys");
+ if (!k->bits)
+ k->bits = 1024;
+
+ /* --- Generate the RSA parameters --- */
+
+ if (rsa_gen(&rp, k->bits, k->r, 0,
+ (k->f & f_quiet) ? 0 : pgen_ev, 0))
+ die(EXIT_FAILURE, "RSA key generation failed");
+
+ /* --- Run a test encryption --- */
+
+ {
+ grand *g = fibrand_create(k->r->ops->word(k->r));
+ rsa_pub rpp;
+ mp *m = mprand_range(MP_NEW, rp.n, g, 0);
+ mp *c;
+
+ rpp.n = rp.n;
+ rpp.e = rp.e;
+ c = rsa_qpubop(&rpp, MP_NEW, m);
+ c = rsa_qprivop(&rp, c, c, g);
+
+ if (!MP_EQ(c, m))
+ die(EXIT_FAILURE, "test encryption failed");
+ mp_drop(c);
+ mp_drop(m);
+ g->ops->destroy(g);
+ }
+
+ /* --- Allrighty then --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "n", key_newmp(KCAT_PUB, rp.n));
+ key_structsteal(kd, "e", key_newmp(KCAT_PUB, rp.e));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "d", key_newmp(KCAT_PRIV | KF_BURN, rp.d));
+ key_structsteal(kkd, "p", key_newmp(KCAT_PRIV | KF_BURN, rp.p));
+ key_structsteal(kkd, "q", key_newmp(KCAT_PRIV | KF_BURN, rp.q));
+ key_structsteal(kkd, "q-inv", key_newmp(KCAT_PRIV | KF_BURN, rp.q_inv));
+ key_structsteal(kkd, "d-mod-p", key_newmp(KCAT_PRIV | KF_BURN, rp.dp));
+ key_structsteal(kkd, "d-mod-q", key_newmp(KCAT_PRIV | KF_BURN, rp.dq));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ rsa_privfree(&rp);
+}
+
+static void alg_dsaparam(keyopts *k)
+{
+ static const char *pl[] = { "q", "p", "g", 0 };
+ if (!copyparam(k, pl)) {
+ dsa_param dp;
+ octet *p;
+ size_t sz;
+ dstr d = DSTR_INIT;
+ base64_ctx c;
+ key_data *kd;
+ dsa_seed ds;
+
+ /* --- Choose appropriate bit lengths if necessary --- */
+
+ if (!k->qbits)
+ k->qbits = 160;
+ if (!k->bits)
+ k->bits = 1024;
+
+ /* --- Allocate a seed block --- */
+
+ sz = (k->qbits + 7) >> 3;
+ p = sub_alloc(sz);
+ k->r->ops->fill(k->r, p, sz);
+
+ /* --- Allocate the parameters --- */
+
+ if (dsa_gen(&dp, k->qbits, k->bits, 0, p, sz, &ds,
+ (k->f & f_quiet) ? 0 : pgen_ev, 0))
+ die(EXIT_FAILURE, "DSA parameter generation failed");
+
+ /* --- Store the parameters --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "q", key_newmp(KCAT_SHARE, dp.q));
+ key_structsteal(kd, "p", key_newmp(KCAT_SHARE, dp.p));
+ key_structsteal(kd, "g", key_newmp(KCAT_SHARE, dp.g));
+ mp_drop(dp.q);
+ mp_drop(dp.p);
+ mp_drop(dp.g);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+
+ /* --- Store the seed for future verification --- */
+
+ base64_init(&c);
+ c.maxline = 0;
+ c.indent = "";
+ base64_encode(&c, ds.p, ds.sz, &d);
+ base64_encode(&c, 0, 0, &d);
+ DPUTZ(&d);
+ key_putattr(k->kf, k->k, "seed", d.buf);
+ DRESET(&d);
+ dstr_putf(&d, "%u", ds.count);
+ key_putattr(k->kf, k->k, "count", d.buf);
+ xfree(ds.p);
+ sub_free(p, sz);
+ dstr_destroy(&d);
+ }
+}
+
+static void alg_dsa(keyopts *k)
+{
+ mp *q, *p, *g;
+ mp *x, *y;
+ mpmont mm;
+ key_data *kd, *kkd;
+
+ /* --- Get the shared parameters --- */
+
+ alg_dsaparam(k);
+ key_split(&k->k->k); kd = k->k->k;
+ q = getmp(kd, "q");
+ p = getmp(kd, "p");
+ g = getmp(kd, "g");
+
+ /* --- Choose a private key --- */
+
+ x = mprand_range(MP_NEWSEC, q, k->r, 0);
+ mpmont_create(&mm, p);
+ y = mpmont_exp(&mm, MP_NEW, g, x);
+
+ /* --- Store everything away --- */
+
+ key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+
+ mp_drop(x); mp_drop(y);
+}
+
+static void alg_dhparam(keyopts *k)
+{
+ static const char *pl[] = { "p", "q", "g", 0 };
+ key_data *kd;
+ if (!copyparam(k, pl)) {
+ dh_param dp;
+ int rc;
+
+ if (k->curve) {
+ qd_parse qd;
+ group *g;
+ const char *e;
+
+ if (strcmp(k->curve, "list") == 0) {
+ unsigned i, w;
+ LIST("Built-in prime fields", stdout, ptab[i].name, ptab[i].name);
+ exit(0);
+ }
+ qd.p = k->curve;
+ if (dh_parse(&qd, &dp))
+ die(EXIT_FAILURE, "error in field spec: %s", qd.e);
+ if (!qd_eofp(&qd))
+ die(EXIT_FAILURE, "junk at end of field spec");
+ if ((g = group_prime(&dp)) == 0)
+ die(EXIT_FAILURE, "invalid prime field");
+ if (!(k->f & f_quiet) && (e = G_CHECK(g, &rand_global)) != 0)
+ moan("WARNING! group check failed: %s", e);
+ G_DESTROYGROUP(g);
+ goto done;
+ }
+
+ if (!k->bits)
+ k->bits = 1024;
+
+ /* --- Choose a large safe prime number --- */
+
+ if (k->f & f_limlee) {
+ mp **f;
+ size_t nf;
+ if (!k->qbits)
+ k->qbits = 256;
+ rc = dh_limlee(&dp, k->qbits, k->bits,
+ (k->f & f_subgroup) ? DH_SUBGROUP : 0,
+ 0, k->r, (k->f & f_quiet) ? 0 : pgen_ev, 0,
+ (k->f & f_quiet) ? 0 : pgen_evspin, 0, &nf, &f);
+ if (!rc) {
+ dstr d = DSTR_INIT;
+ size_t i;
+ for (i = 0; i < nf; i++) {
+ if (i)
+ dstr_puts(&d, ", ");
+ mp_writedstr(f[i], &d, 10);
+ mp_drop(f[i]);
+ }
+ key_putattr(k->kf, k->k, "factors", d.buf);
+ dstr_destroy(&d);
+ }
+ } else if (k->f & f_kcdsa) {
+ if (!k->qbits)
+ k->qbits = 256;
+ rc = dh_kcdsagen(&dp, k->qbits, k->bits, 0,
+ 0, k->r, (k->f & f_quiet) ? 0 : pgen_ev, 0);
+ if (!rc) {
+ dstr d = DSTR_INIT;
+ mp *v = MP_NEW;
+
+ mp_writedstr(dp.q, &d, 10);
+ mp_div(&v, 0, dp.p, dp.q);
+ v = mp_lsr(v, v, 1);
+ dstr_puts(&d, ", ");
+ mp_writedstr(v, &d, 10);
+ mp_drop(v);
+ key_putattr(k->kf, k->k, "factors", d.buf);
+ dstr_destroy(&d);
+ }
+ } else
+ rc = dh_gen(&dp, k->qbits, k->bits, 0, k->r,
+ (k->f & f_quiet) ? 0 : pgen_ev, 0);
+
+ if (rc)
+ die(EXIT_FAILURE, "Diffie-Hellman parameter generation failed");
+
+ done:
+ kd = key_newstruct();
+ key_structsteal(kd, "p", key_newmp(KCAT_SHARE, dp.p));
+ key_structsteal(kd, "q", key_newmp(KCAT_SHARE, dp.q));
+ key_structsteal(kd, "g", key_newmp(KCAT_SHARE, dp.g));
+ mp_drop(dp.q);
+ mp_drop(dp.p);
+ mp_drop(dp.g);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ }
+}
+
+static void alg_dh(keyopts *k)
+{
+ mp *x, *y;
+ mp *p, *q, *g;
+ mpmont mm;
+ key_data *kd, *kkd;
+
+ /* --- Get the shared parameters --- */
+
+ alg_dhparam(k);
+ key_split(&k->k->k); kd = k->k->k;
+ p = getmp(kd, "p");
+ q = getmp(kd, "q");
+ g = getmp(kd, "g");
+
+ /* --- Choose a suitable private key --- *
+ *
+ * Since %$g$% has order %$q$%, choose %$x < q$%.
+ */
+
+ x = mprand_range(MP_NEWSEC, q, k->r, 0);
+
+ /* --- Compute the public key %$y = g^x \bmod p$% --- */
+
+ mpmont_create(&mm, p);
+ y = mpmont_exp(&mm, MP_NEW, g, x);
+ mpmont_destroy(&mm);
+
+ /* --- Store everything away --- */
+
+ key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+
+ mp_drop(x); mp_drop(y);
+}
+
+static void alg_bbs(keyopts *k)
+{
+ bbs_priv bp;
+ key_data *kd, *kkd;
+
+ /* --- Sanity checking --- */
+
+ if (k->p)
+ die(EXIT_FAILURE, "no shared parameters for Blum-Blum-Shub keys");
+ if (!k->bits)
+ k->bits = 1024;
+
+ /* --- Generate the BBS parameters --- */
+
+ if (bbs_gen(&bp, k->bits, k->r, 0,
+ (k->f & f_quiet) ? 0 : pgen_ev, 0))
+ die(EXIT_FAILURE, "Blum-Blum-Shub key generation failed");
+
+ /* --- Allrighty then --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "n", key_newmp(KCAT_PUB, bp.n));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "p", key_newmp(KCAT_PRIV | KF_BURN, bp.p));
+ key_structsteal(kkd, "q", key_newmp(KCAT_PRIV | KF_BURN, bp.q));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+
+ bbs_privfree(&bp);
+}
+
+static void alg_binparam(keyopts *k)
+{
+ static const char *pl[] = { "p", "q", "g", 0 };
+ if (!copyparam(k, pl)) {
+ gbin_param gb;
+ qd_parse qd;
+ group *g;
+ const char *e;
+ key_data *kd;
+
+ /* --- Decide on a field --- */
+
+ if (!k->bits) k->bits = 128;
+ if (k->curve && strcmp(k->curve, "list") == 0) {
+ unsigned i, w;
+ LIST("Built-in binary fields", stdout,
+ bintab[i].name, bintab[i].name);
+ exit(0);
+ }
+ if (!k->curve) {
+ if (k->bits <= 40) k->curve = "p1363-40";
+ else if (k->bits <= 56) k->curve = "p1363-56";
+ else if (k->bits <= 64) k->curve = "p1363-64";
+ else if (k->bits <= 80) k->curve = "p1363-80";
+ else if (k->bits <= 112) k->curve = "p1363-112";
+ else if (k->bits <= 128) k->curve = "p1363-128";
+ else {
+ die(EXIT_FAILURE,
+ "no built-in binary fields provide %u-bit security",
+ k->bits);
+ }
+ }
+
+ /* --- Check it --- */
+
+ qd.e = 0;
+ qd.p = k->curve;
+ if (dhbin_parse(&qd, &gb))
+ die(EXIT_FAILURE, "error in field spec: %s", qd.e);
+ if (!qd_eofp(&qd))
+ die(EXIT_FAILURE, "junk at end of field spec");
+ if ((g = group_binary(&gb)) == 0)
+ die(EXIT_FAILURE, "invalid binary field");
+ if (!(k->f & f_quiet) && (e = G_CHECK(g, &rand_global)) != 0)
+ moan("WARNING! group check failed: %s", e);
+ G_DESTROYGROUP(g);
+
+ /* --- Write out the answer --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "p", key_newmp(KCAT_SHARE, gb.p));
+ key_structsteal(kd, "q", key_newmp(KCAT_SHARE, gb.q));
+ key_structsteal(kd, "g", key_newmp(KCAT_SHARE, gb.g));
+ mp_drop(gb.q);
+ mp_drop(gb.p);
+ mp_drop(gb.g);
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ }
+}
+
+static void alg_bin(keyopts *k)
+{
+ mp *x, *y;
+ mp *p, *q, *g;
+ gfreduce r;
+ key_data *kd, *kkd;
+
+ /* --- Get the shared parameters --- */
+
+ alg_binparam(k);
+ key_split(&k->k->k); kd = k->k->k;
+ p = getmp(kd, "p");
+ q = getmp(kd, "q");
+ g = getmp(kd, "g");
+
+ /* --- Choose a suitable private key --- *
+ *
+ * Since %$g$% has order %$q$%, choose %$x < q$%.
+ */
+
+ x = mprand_range(MP_NEWSEC, q, k->r, 0);
+
+ /* --- Compute the public key %$y = g^x \bmod p$% --- */
+
+ gfreduce_create(&r, p);
+ y = gfreduce_exp(&r, MP_NEW, g, x);
+ gfreduce_destroy(&r);
+
+ /* --- Store everything away --- */
+
+ key_structsteal(kd, "y", key_newmp(KCAT_PUB, y));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+
+ mp_drop(x); mp_drop(y);
+}
+
+static void alg_ecparam(keyopts *k)
+{
+ static const char *pl[] = { "curve", 0 };
+ if (!copyparam(k, pl)) {
+ ec_info ei;
+ const char *e;
+ key_data *kd;
+
+ /* --- Decide on a curve --- */
+
+ if (!k->bits) k->bits = 256;
+ if (k->curve && strcmp(k->curve, "list") == 0) {
+ unsigned i, w;
+ LIST("Built-in elliptic curves", stdout,
+ ectab[i].name, ectab[i].name);
+ exit(0);
+ }
+ if (!k->curve) {
+ if (k->bits <= 56) k->curve = "secp112r1";
+ else if (k->bits <= 64) k->curve = "secp128r1";
+ else if (k->bits <= 80) k->curve = "secp160r1";
+ else if (k->bits <= 96) k->curve = "secp192r1";
+ else if (k->bits <= 112) k->curve = "secp224r1";
+ else if (k->bits <= 128) k->curve = "secp256r1";
+ else if (k->bits <= 192) k->curve = "secp384r1";
+ else if (k->bits <= 256) k->curve = "secp521r1";
+ else
+ die(EXIT_FAILURE, "no built-in curves provide %u-bit security",
+ k->bits);
+ }
+
+ /* --- Check it --- */
+
+ if ((e = ec_getinfo(&ei, k->curve)) != 0)
+ die(EXIT_FAILURE, "error in curve spec: %s", e);
+ if (!(k->f & f_quiet) && (e = ec_checkinfo(&ei, k->r)) != 0)
+ moan("WARNING! curve check failed: %s", e);
+ ec_freeinfo(&ei);
+
+ /* --- Write out the answer --- */
+
+ kd = key_newstruct();
+ key_structsteal(kd, "curve", key_newstring(KCAT_SHARE, k->curve));
+ key_setkeydata(k->kf, k->k, kd);
+ key_drop(kd);
+ }
+}
+
+static void alg_ec(keyopts *k)
+{
+ key_data *kd;
+ key_data *kkd;
+ mp *x = MP_NEW;
+ ec p = EC_INIT;
+ const char *e;
+ ec_info ei;
+
+ /* --- Get the curve --- */
+
+ alg_ecparam(k);
+ key_split(&k->k->k); kd = k->k->k;
+ if ((kkd = key_structfind(kd, "curve")) == 0)
+ die(EXIT_FAILURE, "unexpected failure looking up subkey `curve')");
+ if ((kkd->e & KF_ENCMASK) != KENC_STRING)
+ die(EXIT_FAILURE, "subkey `curve' is not a string");
+ if ((e = ec_getinfo(&ei, kkd->u.p)) != 0)
+ die(EXIT_FAILURE, "error in curve spec: %s", e);
+
+ /* --- Invent a private exponent and compute the public key --- */
+
+ x = mprand_range(MP_NEWSEC, ei.r, k->r, 0);
+ ec_mul(ei.c, &p, &ei.g, x);
+
+ /* --- Store everything away --- */
+
+ key_structsteal(kd, "p", key_newec(KCAT_PUB, &p));
+
+ kkd = key_newstruct();
+ key_structsteal(kkd, "x", key_newmp(KCAT_PRIV | KF_BURN, x));
+ dolock(k, &kkd, "private");
+ key_structsteal(kd, "private", kkd);
+
+ /* --- Done --- */
+
+ ec_freeinfo(&ei);
+ mp_drop(x);
+}
+
+/* --- The algorithm tables --- */
+
+typedef struct keyalg {
+ const char *name;
+ void (*proc)(keyopts *o);
+ const char *help;
+} keyalg;
+
+static keyalg algtab[] = {
+ { "binary", alg_binary, "Plain binary data" },
+ { "des", alg_des, "Binary with DES-style parity" },
+ { "rsa", alg_rsa, "RSA public-key encryption" },
+ { "bbs", alg_bbs, "Blum-Blum-Shub generator" },
+ { "dsa", alg_dsa, "DSA digital signatures" },
+ { "dsa-param", alg_dsaparam, "DSA shared parameters" },
+ { "dh", alg_dh, "Diffie-Hellman key exchange" },
+ { "dh-param", alg_dhparam, "Diffie-Hellman parameters" },
+ { "bindh", alg_bin, "DH over a binary field" },
+ { "bindh-param", alg_binparam, "Binary-field DH parameters" },
+ { "ec-param", alg_ecparam, "Elliptic curve parameters" },
+ { "ec", alg_ec, "Elliptic curve crypto" },
+ { 0, 0 }
+};
+
+/* --- @cmd_add@ --- */
+
+static int cmd_add(int argc, char *argv[])
+{
+ key_file f;
+ time_t exp = KEXP_EXPIRE;
+ uint32 kid = rand_global.ops->word(&rand_global);
+ const char *tag = 0, *ptag = 0;
+ const char *c = 0;
+ keyalg *alg = algtab;
+ const char *rtag = 0;
+ const struct seedalg *sa = SEEDALG_DEFAULT;
+ keyopts k = { 0, 0, DSTR_INIT, 0, 0, 0, 0, 0 };
+ const char *seed = 0;
+ k.r = &rand_global;
+
+ /* --- Parse options for the subcommand --- */
+
+ for (;;) {
+ static struct option opt[] = {
+ { "algorithm", OPTF_ARGREQ, 0, 'a' },
+ { "bits", OPTF_ARGREQ, 0, 'b' },
+ { "qbits", OPTF_ARGREQ, 0, 'B' },
+ { "parameters", OPTF_ARGREQ, 0, 'p' },
+ { "expire", OPTF_ARGREQ, 0, 'e' },
+ { "comment", OPTF_ARGREQ, 0, 'c' },
+ { "tag", OPTF_ARGREQ, 0, 't' },
+ { "rand-id", OPTF_ARGREQ, 0, 'R' },
+ { "key-id", OPTF_ARGREQ, 0, 'I' },
+ { "curve", OPTF_ARGREQ, 0, 'C' },
+ { "seedalg", OPTF_ARGREQ, 0, 'A' },
+ { "seed", OPTF_ARGREQ, 0, 's' },
+ { "newseed", OPTF_ARGREQ, 0, 'n' },
+ { "lock", 0, 0, 'l' },
+ { "quiet", 0, 0, 'q' },
+ { "lim-lee", 0, 0, 'L' },
+ { "subgroup", 0, 0, 'S' },
+ { "kcdsa", 0, 0, 'K' },
+ { 0, 0, 0, 0 }
+ };
+ int i = mdwopt(argc, argv, "+a:b:B:p:e:c:t:R:I:C:A:s:n:lqrLKS",
+ opt, 0, 0, 0);
+ if (i < 0)
+ break;
+
+ /* --- Handle the various options --- */
+
+ switch (i) {
+
+ /* --- Read an algorithm name --- */
+
+ case 'a': {
+ keyalg *a;
+ size_t sz = strlen(optarg);
+
+ if (strcmp(optarg, "list") == 0) {
+ for (a = algtab; a->name; a++)
+ printf("%-10s %s\n", a->name, a->help);
+ return (0);
+ }
+
+ alg = 0;
+ for (a = algtab; a->name; a++) {
+ if (strncmp(optarg, a->name, sz) == 0) {
+ if (a->name[sz] == 0) {
+ alg = a;
+ break;
+ } else if (alg)
+ die(EXIT_FAILURE, "ambiguous algorithm name `%s'", optarg);
+ else
+ alg = a;
+ }
+ }
+ if (!alg)
+ die(EXIT_FAILURE, "unknown algorithm name `%s'", optarg);
+ } break;
+
+ /* --- Bits must be nonzero and a multiple of 8 --- */
+
+ case 'b': {
+ char *p;
+ k.bits = strtoul(optarg, &p, 0);
+ if (k.bits == 0 || *p != 0)
+ die(EXIT_FAILURE, "bad bitlength `%s'", optarg);
+ } break;
+
+ case 'B': {
+ char *p;
+ k.qbits = strtoul(optarg, &p, 0);
+ if (k.qbits == 0 || *p != 0)
+ die(EXIT_FAILURE, "bad bitlength `%s'", optarg);
+ } break;
+
+ /* --- Parameter selection --- */
+
+ case 'p':
+ ptag = optarg;
+ break;
+
+ /* --- Expiry dates get passed to @get_date@ for parsing --- */
+
+ case 'e':
+ if (strcmp(optarg, "forever") == 0)
+ exp = KEXP_FOREVER;
+ else {
+ exp = get_date(optarg, 0);
+ if (exp == -1)
+ die(EXIT_FAILURE, "bad expiry date `%s'", optarg);
+ }
+ break;
+
+ /* --- Store comments without interpretation --- */
+
+ case 'c':
+ if (key_chkcomment(optarg))
+ die(EXIT_FAILURE, "bad comment string `%s'", optarg);
+ c = optarg;
+ break;
+
+ /* --- Elliptic curve parameters --- */
+
+ case 'C':
+ k.curve = optarg;
+ break;
+
+ /* --- Store tags --- */
+
+ case 't':
+ if (key_chkident(optarg))
+ die(EXIT_FAILURE, "bad tag string `%s'", optarg);
+ tag = optarg;
+ break;
+ case 'r':
+ k.f |= f_retag;
+ break;
+
+ /* --- Seeding --- */
+
+ case 'A': {
+ const struct seedalg *ss;
+ if (strcmp(optarg, "list") == 0) {
+ printf("Seed algorithms:\n");
+ for (ss = seedtab; ss->p; ss++)
+ printf(" %s\n", ss->p);
+ exit(0);
+ }
+ if (seed) die(EXIT_FAILURE, "seed already set -- put -A first");
+ sa = 0;
+ for (ss = seedtab; ss->p; ss++) {
+ if (strcmp(optarg, ss->p) == 0)
+ sa = ss;
+ }
+ if (!sa)
+ die(EXIT_FAILURE, "seed algorithm `%s' not known", optarg);
+ } break;
+
+ case 's': {
+ base64_ctx b;
+ dstr d = DSTR_INIT;
+ if (seed) die(EXIT_FAILURE, "seed already set");
+ base64_init(&b);
+ base64_decode(&b, optarg, strlen(optarg), &d);
+ base64_decode(&b, 0, 0, &d);
+ k.r = sa->gen(d.buf, d.len);
+ seed = optarg;
+ dstr_destroy(&d);
+ } break;
+
+ case 'n': {
+ base64_ctx b;
+ dstr d = DSTR_INIT;
+ char *p;
+ unsigned n = strtoul(optarg, &p, 0);
+ if (n == 0 || *p != 0 || n % 8 != 0)
+ die(EXIT_FAILURE, "bad seed length `%s'", optarg);
+ if (seed) die(EXIT_FAILURE, "seed already set");
+ n /= 8;
+ p = xmalloc(n);
+ rand_get(RAND_GLOBAL, p, n);
+ base64_init(&b);
+ base64_encode(&b, p, n, &d);
+ base64_encode(&b, 0, 0, &d);
+ seed = d.buf;
+ k.r = sa->gen(p, n);
+ } break;
+
+ /* --- Key id --- */
+
+ case 'I': {
+ char *p;
+ unsigned long id;
+
+ errno = 0;
+ id = strtoul(optarg, &p, 16);
+ if (errno || *p || id > MASK32)
+ die(EXIT_FAILURE, "bad key-id `%s'", optarg);
+ kid = id;
+ } break;
+
+ /* --- Other flags --- */
+
+ case 'R':
+ rtag = optarg;
+ break;
+ case 'l':
+ k.f |= f_lock;
+ break;
+ case 'q':
+ k.f |= f_quiet;
+ break;
+ case 'L':
+ k.f |= f_limlee;
+ break;
+ case 'K':
+ k.f |= f_kcdsa;
+ break;
+ case 'S':
+ k.f |= f_subgroup;
+ break;
+
+ /* --- Other things are bogus --- */
+
+ default:
+ k.f |= f_bogus;
+ break;
+ }
+ }
+
+ /* --- Various sorts of bogosity --- */
+
+ if ((k.f & f_bogus) || optind + 1 > argc) {
+ die(EXIT_FAILURE,
+ "Usage: add [OPTIONS] TYPE [ATTR...]");
+ }
+ if (key_chkident(argv[optind]))
+ die(EXIT_FAILURE, "bad key type `%s'", argv[optind]);
+
+ /* --- Set up various bits of the state --- */
+
+ if (exp == KEXP_EXPIRE)
+ exp = time(0) + 14 * 24 * 60 * 60;
+
+ /* --- Open the file and create the basic key block --- *
+ *
+ * Keep on generating keyids until one of them doesn't collide.
+ */
+
+ doopen(&f, KOPEN_WRITE);
+ k.kf = &f;
+
+ /* --- Key the generator --- */
+
+ keyrand(&f, rtag);
+
+ for (;;) {
+ int err;
+ if ((err = key_new(&f, kid, argv[optind], exp, &k.k)) == 0)
+ break;
+ else if (err != KERR_DUPID)
+ die(EXIT_FAILURE, "error adding new key: %s", key_strerror(err));
+ }
+
+ /* --- Set various simple attributes --- */
+
+ if (tag) {
+ int err;
+ key *kk;
+ if (k.f & f_retag) {
+ if ((kk = key_bytag(&f, tag)) != 0 &&
+ kk->tag &&
+ strcmp(kk->tag, tag) == 0)
+ key_settag(&f, kk, 0);
+ }
+ if ((err = key_settag(&f, k.k, tag)) != 0)
+ die(EXIT_FAILURE, "error setting key tag: %s", key_strerror(err));
+ }
+
+ if (c) {
+ int err = key_setcomment(&f, k.k, c);
+ if (err)
+ die(EXIT_FAILURE, "error setting key comment: %s", key_strerror(err));
+ }
+
+ setattr(&f, k.k, argv + optind + 1);
+ if (seed) {
+ key_putattr(&f, k.k, "genseed", seed);
+ key_putattr(&f, k.k, "seedalg", sa->p);
+ }
+
+ key_fulltag(k.k, &k.tag);
+
+ /* --- Find the parameter key --- */
+
+ if (ptag) {
+ if ((k.p = key_bytag(&f, ptag)) == 0)
+ die(EXIT_FAILURE, "parameter key `%s' not found", ptag);
+ if ((k.p->k->e & KF_ENCMASK) != KENC_STRUCT)
+ die(EXIT_FAILURE, "parameter key `%s' is not structured", ptag);
+ }
+
+ /* --- Now generate the actual key data --- */
+
+ alg->proc(&k);
+
+ /* --- Done --- */
+
+ dstr_destroy(&k.tag);
+ doclose(&f);
+ return (0);
+}
+
+/*----- Key listing -------------------------------------------------------*/
+
+/* --- Listing options --- */
+
+typedef struct listopts {
+ const char *tfmt; /* Date format (@strftime@-style) */
+ int v; /* Verbosity level */
+ unsigned f; /* Various flags */
+ time_t t; /* Time now (for key expiry) */
+ key_filter kf; /* Filter for matching keys */
+} listopts;
+
+/* --- Listing flags --- */
+
+#define f_newline 2u /* Write newline before next entry */
+#define f_attr 4u /* Written at least one attribute */
+#define f_utc 8u /* Emit UTC time, not local time */
+
+/* --- @showkeydata@ --- *
+ *
+ * Arguments: @key_data *k@ = pointer to key to write
+ * @int ind@ = indentation level
+ * @listopts *o@ = listing options
+ * @dstr *d@ = tag string for this subkey
+ *
+ * Returns: ---
+ *
+ * Use: Emits a piece of key data in a human-readable format.
+ */
+
+static void showkeydata(key_data *k, int ind, listopts *o, dstr *d)
+{
+#define INDENT(i) do { \
+ int _i; \
+ for (_i = 0; _i < (i); _i++) { \
+ putchar(' '); \
+ } \
+} while (0)
+
+ switch (k->e & KF_ENCMASK) {
+
+ /* --- Binary key data --- *
+ *
+ * Emit as a simple hex dump.
+ */
+
+ case KENC_BINARY: {
+ const octet *p = k->u.k.k;
+ const octet *l = p + k->u.k.sz;
+ size_t sz = 0;
+
+ fputs(" {", stdout);
+ while (p < l) {
+ if (sz % 16 == 0) {
+ putchar('\n');
+ INDENT(ind + 2);
+ } else if (sz % 8 == 0)
+ fputs(" ", stdout);
+ else
+ putc(' ', stdout);
+ printf("%02x", *p++);
+ sz++;
+ }
+ putchar('\n');
+ INDENT(ind);
+ fputs("}\n", stdout);
+ } break;
+
+ /* --- Encrypted data --- *
+ *
+ * If the user is sufficiently keen, ask for a passphrase and decrypt the
+ * key. Otherwise just say that it's encrypted and move on.
+ */
+
+ case KENC_ENCRYPT:
+ if (o->v <= 3)
+ fputs(" encrypted\n", stdout);
+ else {
+ key_data *kd;
+ if (key_punlock(&kd, k, d->buf))
+ printf(" <failed to unlock %s>\n", d->buf);
+ else {
+ fputs(" encrypted", stdout);
+ showkeydata(kd, ind, o, d);
+ key_drop(kd);
+ }
+ }
+ break;
+
+ /* --- Integer keys --- *
+ *
+ * Emit as a large integer in decimal. This makes using the key in
+ * `calc' or whatever easier.
+ */
+
+ case KENC_MP:
+ putchar(' ');
+ mp_writefile(k->u.m, stdout, 10);
+ putchar('\n');
+ break;
+
+ /* --- Strings --- */
+
+ case KENC_STRING:
+ printf(" `%s'\n", k->u.p);
+ break;
+
+ /* --- Elliptic curve points --- */
+
+ case KENC_EC:
+ if (EC_ATINF(&k->u.e))
+ fputs(" inf\n", stdout);
+ else {
+ fputs(" 0x", stdout); mp_writefile(k->u.e.x, stdout, 16);
+ fputs(", 0x", stdout); mp_writefile(k->u.e.y, stdout, 16);
+ putchar('\n');
+ }
+ break;
+
+ /* --- Structured keys --- *
+ *
+ * Just iterate over the subkeys.
+ */
+
+ case KENC_STRUCT: {
+ key_subkeyiter i;
+ const char *tag;
+ size_t n = d->len;
+
+ fputs(" {\n", stdout);
+ for (key_mksubkeyiter(&i, k); key_nextsubkey(&i, &tag, &k); ) {
+ if (!key_match(k, &o->kf))
+ continue;
+ INDENT(ind + 2);
+ printf("%s =", tag);
+ d->len = n;
+ dstr_putf(d, ".%s", tag);
+ showkeydata(k, ind + 2, o, d);
+ }
+ INDENT(ind);
+ fputs("}\n", stdout);
+ } break;
+ }
+
+#undef INDENT
+}
+
+/* --- @showkey@ --- *
+ *
+ * Arguments: @key *k@ = pointer to key to show
+ * @listopts *o@ = pointer to listing options
+ *
+ * Returns: ---
+ *
+ * Use: Emits a listing of a particular key.
+ */
+
+static void showkey(key *k, listopts *o)
+{
+ char ebuf[24], dbuf[24];
+ struct tm *tm;
+
+ /* --- Skip the key if the filter doesn't match --- */
+
+ if (!key_match(k->k, &o->kf))
+ return;
+
+ /* --- Sort out the expiry and deletion times --- */
+
+ if (KEY_EXPIRED(o->t, k->exp))
+ strcpy(ebuf, "expired");
+ else if (k->exp == KEXP_FOREVER)
+ strcpy(ebuf, "forever");
+ else {
+ tm = (o->f & f_utc) ? gmtime(&k->exp) : localtime(&k->exp);
+ strftime(ebuf, sizeof(ebuf), o->tfmt, tm);
+ }
+
+ if (KEY_EXPIRED(o->t, k->del))
+ strcpy(dbuf, "deleted");
+ else if (k->del == KEXP_FOREVER)
+ strcpy(dbuf, "forever");
+ else {
+ tm = (o->f & f_utc) ? gmtime(&k->del) : localtime(&k->del);
+ strftime(dbuf, sizeof(dbuf), o->tfmt, tm);
+ }
+
+ /* --- If in compact format, just display and quit --- */
+
+ if (!o->v) {
+ if (!(o->f & f_newline)) {
+ printf("%8s %-20s %-20s %-10s %s\n",
+ "Id", "Tag", "Type", "Expire", "Delete");
+ }
+ printf("%08lx %-20s %-20s %-10s %s\n",
+ (unsigned long)k->id, k->tag ? k->tag : "<none>",
+ k->type, ebuf, dbuf);
+ o->f |= f_newline;
+ return;
+ }
+
+ /* --- Display the standard header --- */
+
+ if (o->f & f_newline)
+ fputc('\n', stdout);
+ printf("keyid: %08lx\n", (unsigned long)k->id);
+ printf("tag: %s\n", k->tag ? k->tag : "<none>");
+ printf("type: %s\n", k->type);
+ printf("expiry: %s\n", ebuf);
+ printf("delete: %s\n", dbuf);
+ printf("comment: %s\n", k->c ? k->c : "<none>");
+
+ /* --- Display the attributes --- */
+
+ if (o->v > 1) {
+ key_attriter i;
+ const char *av, *an;
+
+ o->f &= ~f_attr;
+ printf("attributes:");
+ for (key_mkattriter(&i, k); key_nextattr(&i, &an, &av); ) {
+ printf("\n %s = %s", an, av);
+ o->f |= f_attr;
+ }
+ if (o->f & f_attr)
+ fputc('\n', stdout);
+ else
+ puts(" <none>");
+ }
-/* --- @setattr@ --- *
- *
- * Arguments: @key_file *f@ = pointer to key file block
- * @key *k@ = pointer to key block
- * @char *v[]@ = array of assignments (overwritten!)
- *
- * Returns: ---
- *
- * Use: Applies the attribute assignments to the key.
- */
+ /* --- If dumping requested, dump the raw key data --- */
-static void setattr(key_file *f, key *k, char *v[])
-{
- while (*v) {
- char *p = *v;
- size_t eq = strcspn(p, "=");
- if (p[eq] == 0)
- moan("invalid assignment: `%s'", p);
- p[eq] = 0;
- p += eq + 1;
- key_putattr(f, k, *v, *p ? p : 0);
- v++;
+ if (o->v > 2) {
+ dstr d = DSTR_INIT;
+ fputs("key:", stdout);
+ key_fulltag(k, &d);
+ showkeydata(k->k, 0, o, &d);
+ dstr_destroy(&d);
}
-}
-/*----- Command implementation --------------------------------------------*/
+ o->f |= f_newline;
+}
-/* --- @cmd_add@ --- */
+/* --- @cmd_list@ --- */
-static int cmd_add(int argc, char *argv[])
+static int cmd_list(int argc, char *argv[])
{
key_file f;
key *k;
- int bits = 128;
- time_t exp = KEXP_EXPIRE;
- unsigned fl = 0;
- unsigned char *p;
- size_t sz;
- const char *c = 0;
-
- /* --- Various useful flag bits --- */
+ listopts o = { 0, 0, 0, 0, { 0, 0 } };
- enum {
- f_bogus = 1
- };
-
- /* --- Parse options for the subcommand --- */
+ /* --- Parse subcommand options --- */
for (;;) {
static struct option opt[] = {
- { "bits", OPTF_ARGREQ, 0, 'b' },
- { "expire", OPTF_ARGREQ, 0, 'e' },
- { "comment", OPTF_ARGREQ, 0, 'c' },
+ { "quiet", 0, 0, 'q' },
+ { "verbose", 0, 0, 'v' },
+ { "utc", 0, 0, 'u' },
+ { "filter", OPTF_ARGREQ, 0, 'f' },
{ 0, 0, 0, 0 }
};
- int i = mdwopt(argc, argv, "+b:e:c:", opt, 0, 0, 0);
+ int i = mdwopt(argc, argv, "+uqvf:", opt, 0, 0, 0);
if (i < 0)
break;
- /* --- Handle the various options --- */
-
switch (i) {
-
- /* --- Bits must be nonzero and a multiple of 8 --- */
-
- case 'b':
- if (!(bits = atoi(optarg)) || bits % 8)
- die(EXIT_FAILURE, "bad number of bits: `%s'", optarg);
+ case 'u':
+ o.f |= f_utc;
break;
-
- /* --- Expiry dates get passed to @get_date@ for parsing --- */
-
- case 'e':
- if (strcmp(optarg, "forever") == 0)
- exp = KEXP_FOREVER;
- else {
- exp = get_date(optarg, 0);
- if (exp == -1)
- die(EXIT_FAILURE, "bad expiry date: `%s'", optarg);
- }
+ case 'q':
+ if (o.v)
+ o.v--;
break;
-
- /* --- Store comments without interpretation --- */
-
- case 'c':
- if (key_chkcomment(c))
- die(EXIT_FAILURE, "bad comment string: `%s'", optarg);
- c = optarg;
+ case 'v':
+ o.v++;
break;
-
- /* --- Other things are bogus --- */
-
+ case 'f': {
+ char *p;
+ int e = key_readflags(optarg, &p, &o.kf.f, &o.kf.m);
+ if (e || *p)
+ die(EXIT_FAILURE, "bad filter string `%s'", optarg);
+ } break;
default:
- fl |= f_bogus;
+ o.f |= f_bogus;
break;
}
}
- /* --- Various sorts of bogusity --- */
-
- if (fl & f_bogus || optind + 1 > argc) {
- die(EXIT_FAILURE,
- "Usage: add [-b BITS] [-e EXPIRE] [-c COMMENT] TYPE [ATTR...]");
- }
- if (key_chktype(argv[optind]))
- die(EXIT_FAILURE, "bad key type: `%s'", argv[optind]);
- if (exp == KEXP_EXPIRE)
- exp = time(0) + 14 * 24 * 60 * 60;
+ if (o.f & f_bogus)
+ die(EXIT_FAILURE, "Usage: list [-uqv] [-f FILTER] [TAG...]");
- /* --- Initialize the Catacomb random number generator --- */
+ /* --- Open the key file --- */
- rand_init(RAND_GLOBAL);
- rand_noisesrc(RAND_GLOBAL, &noise_source);
+ doopen(&f, KOPEN_READ);
+ o.t = time(0);
- /* --- Extract the key data from the generator --- */
+ /* --- Set up the time format --- */
- sz = bits / 8;
- p = xmalloc(sz);
- rand_getgood(RAND_GLOBAL, p, sz);
+ if (!o.v)
+ o.tfmt = "%Y-%m-%d";
+ else if (o.f & f_utc)
+ o.tfmt = "%Y-%m-%d %H:%M:%S UTC";
+ else
+ o.tfmt = "%Y-%m-%d %H:%M:%S %Z";
+
+ /* --- If specific keys were requested use them, otherwise do all --- *
+ *
+ * Some day, this might turn into a wildcard match.
+ */
+
+ if (optind < argc) {
+ do {
+ if ((k = key_bytag(&f, argv[optind])) != 0)
+ showkey(k, &o);
+ else {
+ moan("key `%s' not found", argv[optind]);
+ o.f |= f_bogus;
+ }
+ optind++;
+ } while (optind < argc);
+ } else {
+ key_iter i;
+ for (key_mkiter(&i, &f); (k = key_next(&i)) != 0; )
+ showkey(k, &o);
+ }
- /* --- Open the file, add the key, set attributes, close, return --- */
+ /* --- Done --- */
- doopen(&f, KOPEN_WRITE);
- if (!(k = key_new(&f, argv[optind], p, sz, exp, c)))
- moan("key not added: expiry date in past?");
- setattr(&f, k, argv + optind + 1);
doclose(&f);
- return (0);
+ if (o.f & f_bogus)
+ return (EXIT_FAILURE);
+ else
+ return (0);
}
+/*----- Command implementation --------------------------------------------*/
+
/* --- @cmd_expire@ --- */
static int cmd_expire(int argc, char *argv[])
{
key_file f;
key *k;
- uint32 id;
int i;
int rc = 0;
if (argc < 2)
- die(EXIT_FAILURE, "Usage: expire KEYID...");
+ die(EXIT_FAILURE, "Usage: expire TAG...");
doopen(&f, KOPEN_WRITE);
for (i = 1; i < argc; i++) {
- id = (uint32)strtoul(argv[i], 0, 16);
- if ((k = key_byid(&f, id)) != 0)
+ if ((k = key_bytag(&f, argv[i])) != 0)
key_expire(&f, k);
else {
- moan("keyid %lx not found", (unsigned long)id);
+ moan("key `%s' not found", argv[i]);
rc = 1;
}
}
{
key_file f;
key *k;
- uint32 id;
int i;
int rc = 0;
if (argc < 2)
- die(EXIT_FAILURE, "Usage: delete KEYID...");
+ die(EXIT_FAILURE, "Usage: delete TAG...");
doopen(&f, KOPEN_WRITE);
for (i = 1; i < argc; i++) {
- id = (uint32)strtoul(argv[i], 0, 16);
- if ((k = key_byid(&f, id)) != 0)
+ if ((k = key_bytag(&f, argv[i])) != 0)
key_delete(&f, k);
else {
- moan("keyid %lx not found", (unsigned long)id);
+ moan("key `%s' not found", argv[i]);
rc = 1;
}
}
{
key_file f;
key *k;
- uint32 id;
if (argc < 3)
- die(EXIT_FAILURE, "Usage: setattr KEYID ATTR...");
+ die(EXIT_FAILURE, "Usage: setattr TAG ATTR...");
doopen(&f, KOPEN_WRITE);
- id = (uint32)strtoul(argv[1], 0, 16);
- if ((k = key_byid(&f, id)) == 0)
- die(EXIT_FAILURE, "keyid %lx not found", (unsigned long)id);
+ if ((k = key_bytag(&f, argv[1])) == 0)
+ die(EXIT_FAILURE, "key `%s' not found", argv[1]);
setattr(&f, k, argv + 2);
doclose(&f);
return (0);
}
-/* --- @cmd_comment@ --- */
+/* --- @cmd_getattr@ --- */
-static int cmd_comment(int argc, char *argv[])
+static int cmd_getattr(int argc, char *argv[])
{
- uint32 id;
key_file f;
key *k;
+ dstr d = DSTR_INIT;
+ const char *p;
- if (argc < 2 || argc > 3)
- die(EXIT_FAILURE, "Usage: comment KEYID [COMMENT]");
- doopen(&f, KOPEN_WRITE);
- id = (uint32)strtoul(argv[1], 0, 16);
- if ((k = key_byid(&f, id)) == 0)
- die(EXIT_FAILURE, "keyid %lx not found", (unsigned long)id);
- if (key_chkcomment(argv[2]))
- die(EXIT_FAILURE, "bad comment: `%s'", argv[2]);
- key_setcomment(&f, k, argv[2]);
+ if (argc != 3)
+ die(EXIT_FAILURE, "Usage: getattr TAG ATTR");
+ doopen(&f, KOPEN_READ);
+ if ((k = key_bytag(&f, argv[1])) == 0)
+ die(EXIT_FAILURE, "key `%s' not found", argv[1]);
+ key_fulltag(k, &d);
+ if ((p = key_getattr(&f, k, argv[2])) == 0)
+ die(EXIT_FAILURE, "no attribute `%s' for key `%s'", argv[2], d.buf);
+ puts(p);
+ dstr_destroy(&d);
doclose(&f);
return (0);
}
-/* --- @cmd_list@ --- */
+/* --- @cmd_finger@ --- */
-static int cmd_list(int argc, char *argv[])
+static void fingerprint(key *k, const gchash *ch, const key_filter *kf)
{
- key_file f;
- key *k;
- key_iter i;
- unsigned fl = 0;
- const char *tfmt;
- int v = 0;
- time_t t;
-
- enum {
- f_bogus = 1,
- f_newline = 2,
- f_attr = 4,
- f_utc = 8
- };
+ ghash *h;
+ dstr d = DSTR_INIT;
+ const octet *p;
+ size_t i;
+
+ h = GH_INIT(ch);
+ if (key_fingerprint(k, h, kf)) {
+ p = GH_DONE(h, 0);
+ key_fulltag(k, &d);
+ for (i = 0; i < ch->hashsz; i++) {
+ if (i && i % 4 == 0)
+ putchar('-');
+ printf("%02x", p[i]);
+ }
+ printf(" %s\n", d.buf);
+ }
+ dstr_destroy(&d);
+ GH_DESTROY(h);
+}
- /* --- Parse subcommand options --- */
+static int cmd_finger(int argc, char *argv[])
+{
+ key_file f;
+ int rc = 0;
+ const gchash *ch = &rmd160;
+ key_filter kf = { KF_NONSECRET, KF_NONSECRET };
for (;;) {
static struct option opt[] = {
- { "quiet", 0, 0, 'q' },
- { "verbose", 0, 0, 'v' },
- { "utc", 0, 0, 'u' },
- { 0, 0, 0, 0 }
+ { "filter", OPTF_ARGREQ, 0, 'f' },
+ { "algorithm", OPTF_ARGREQ, 0, 'a' },
+ { 0, 0, 0, 0 }
};
- int i = mdwopt(argc, argv, "+uqv", opt, 0, 0, 0);
+ int i = mdwopt(argc, argv, "+f:a:", opt, 0, 0, 0);
if (i < 0)
break;
-
switch (i) {
- case 'u':
- fl |= f_utc;
- break;
- case 'q':
- if (v)
- v--;
- break;
- case 'v':
- v++;
+ case 'f': {
+ char *p;
+ int err = key_readflags(optarg, &p, &kf.f, &kf.m);
+ if (err || *p)
+ die(EXIT_FAILURE, "bad filter string `%s'", optarg);
+ } break;
+ case 'a':
+ if ((ch = ghash_byname(optarg)) == 0)
+ die(EXIT_FAILURE, "unknown hash algorithm `%s'", optarg);
break;
default:
- fl |= f_bogus;
+ rc = 1;
break;
}
}
- if (fl & f_bogus || optind != argc)
- die(EXIT_FAILURE, "Usage: list [-uqv]");
-
- /* --- Open the key file --- */
+ argv += optind; argc -= optind;
+ if (rc)
+ die(EXIT_FAILURE, "Usage: fingerprint [-f FILTER] [TAG...]");
doopen(&f, KOPEN_READ);
- t = time(0);
- /* --- Write the header --- */
-
- if (!v)
- tfmt = "%Y-%m-%d";
- else if (fl & f_utc)
- tfmt = "%Y-%m-%d %H:%M:%S UTC";
- else
- tfmt = "%Y-%m-%d %H:%M:%S %Z";
+ if (argc) {
+ int i;
+ for (i = 0; i < argc; i++) {
+ key *k = key_bytag(&f, argv[i]);
+ if (k)
+ fingerprint(k, ch, &kf);
+ else {
+ rc = 1;
+ moan("key `%s' not found", argv[i]);
+ }
+ }
+ } else {
+ key_iter i;
+ key *k;
+ for (key_mkiter(&i, &f); (k = key_next(&i)) != 0; )
+ fingerprint(k, ch, &kf);
+ }
+ return (rc);
+}
- /* --- Now iterate through the keys --- */
+/* --- @cmd_verify@ --- */
- for (key_mkiter(&i, &f); (k = key_next(&i)) != 0; ) {
- char ebuf[24], dbuf[24];
- struct tm *tm;
+static unsigned xdigit(char c)
+{
+ if ('A' <= c && c <= 'Z') return (c + 10 - 'A');
+ if ('a' <= c && c <= 'z') return (c + 10 - 'a');
+ if ('0' <= c && c <= '9') return (c - '0');
+ return (~0u);
+}
- /* --- Sort out the expiry times --- */
+static void unhexify(octet *q, char *p, size_t n)
+{
+ unsigned a = 0;
+ int i = 0;
- if (KEY_EXPIRED(t, k->exp)) {
- strcpy(ebuf, "expired");
- if (KEY_DELETED(t, k->del)) {
- strcpy(dbuf, "deleted");
- goto donetime;
- } else
- goto deltime;
+ for (;;) {
+ if (*p == '-' || *p == ':' || isspace((unsigned char)*p)) {
+ p++;
+ continue;
}
-
- if (k->exp == KEXP_FOREVER)
- strcpy(ebuf, "forever");
- else {
- tm = (fl & f_utc) ? gmtime(&k->exp) : localtime(&k->exp);
- strftime(ebuf, sizeof(ebuf), tfmt, tm);
+ if (!n && !*p)
+ break;
+ if (!*p)
+ die(EXIT_FAILURE, "hex string too short");
+ if (!isxdigit((unsigned char)*p))
+ die(EXIT_FAILURE, "bad hex string");
+ if (!n)
+ die(EXIT_FAILURE, "hex string too long");
+ a = (a << 4) | xdigit(*p++);
+ i++;
+ if (i == 2) {
+ *q++ = U8(a);
+ a = 0;
+ i = 0;
+ n--;
}
+ }
+}
- /* --- Sort out the delete times --- */
+static int cmd_verify(int argc, char *argv[])
+{
+ key_file f;
+ int rc = 0;
+ const gchash *ch = &rmd160;
+ ghash *h;
+ key *k;
+ octet *buf;
+ const octet *fpr;
+ key_filter kf = { KF_NONSECRET, KF_NONSECRET };
- deltime:
- if (k->del == KEXP_UNUSED)
- strcpy(dbuf, "on expiry");
- else if (k->del == KEXP_FOREVER)
- strcpy(dbuf, "forever");
- else {
- tm = localtime(&k->del);
- strftime(dbuf, sizeof(dbuf), tfmt, tm);
+ for (;;) {
+ static struct option opt[] = {
+ { "filter", OPTF_ARGREQ, 0, 'f' },
+ { "algorithm", OPTF_ARGREQ, 0, 'a' },
+ { 0, 0, 0, 0 }
+ };
+ int i = mdwopt(argc, argv, "+f:a:", opt, 0, 0, 0);
+ if (i < 0)
+ break;
+ switch (i) {
+ case 'f': {
+ char *p;
+ int err = key_readflags(optarg, &p, &kf.f, &kf.m);
+ if (err || *p)
+ die(EXIT_FAILURE, "bad filter string `%s'", optarg);
+ } break;
+ case 'a':
+ if ((ch = ghash_byname(optarg)) == 0)
+ die(EXIT_FAILURE, "unknown hash algorithm `%s'", optarg);
+ break;
+ default:
+ rc = 1;
+ break;
}
+ }
- donetime:;
+ argv += optind; argc -= optind;
+ if (rc || argc != 2)
+ die(EXIT_FAILURE, "Usage: verify [-f FILTER] TAG FINGERPRINT");
- /* --- Display the data obtained so far --- */
+ doopen(&f, KOPEN_READ);
- if (!v) {
- if (!(fl & f_newline)) {
- printf("%8s %-20s %-10s %-10s %-23s\n",
- "Id", "Type", "Expire", "Delete", "Comment");
- }
- printf("%08lx %-20s %-10s %-10s %-23s\n",
- (unsigned long)k->id, k->type, ebuf, dbuf,
- k->c ? k->c : "<none>");
- fl |= f_newline;
- } else {
-
- /* --- Display the standard header --- */
-
- if (fl & f_newline)
- fputc('\n', stdout);
- printf("keyid: %08lx\n", (unsigned long)k->id);
- printf("type: %s\n", k->type);
- printf("expiry: %s\n", ebuf);
- printf("delete: %s\n", dbuf);
- printf("comment: %s\n", k->c ? k->c : "<none>");
-
- /* --- Display the attributes --- */
-
- if (v > 1) {
- key_attriter i;
- const char *av, *an;
-
- fl &= ~f_attr;
- printf("attributes:");
- for (key_mkattriter(&i, &f, k); key_nextattr(&i, &an, &av); ) {
- printf("\n\t%s = %s", an, av);
- fl |= f_attr;
- }
- if (fl & f_attr)
- fputc('\n', stdout);
- else
- puts(" <none>");
- }
+ if ((k = key_bytag(&f, argv[0])) == 0)
+ die(EXIT_FAILURE, "key `%s' not found", argv[0]);
+ buf = xmalloc(ch->hashsz);
+ unhexify(buf, argv[1], ch->hashsz);
+ h = GH_INIT(ch);
+ if (!key_fingerprint(k, h, &kf))
+ die(EXIT_FAILURE, "key has no fingerprintable components (as filtered)");
+ fpr = GH_DONE(h, 0);
+ if (memcmp(fpr, buf, ch->hashsz) != 0)
+ die(EXIT_FAILURE, "key fingerprint mismatch");
+ doclose(&f);
+ return (0);
+}
- /* --- If dumping requested, dump the raw key data in hex --- */
-
- if (v > 2) {
- unsigned char *p = k->k;
- unsigned char *l = p + k->ksz;
- size_t sz = 0;
-
- fputs("key:", stdout);
- while (p < l) {
- if (sz % 16 == 0)
- fputs("\n\t", stdout);
- else if (sz % 8 == 0)
- fputs(" ", stdout);
- else
- fputc(' ', stdout);
- printf("%02x", *p++);
- sz++;
- }
- fputc('\n', stdout);
- }
+/* --- @cmd_comment@ --- */
+
+static int cmd_comment(int argc, char *argv[])
+{
+ key_file f;
+ key *k;
+ int err;
+
+ if (argc < 2 || argc > 3)
+ die(EXIT_FAILURE, "Usage: comment TAG [COMMENT]");
+ doopen(&f, KOPEN_WRITE);
+ if ((k = key_bytag(&f, argv[1])) == 0)
+ die(EXIT_FAILURE, "key `%s' not found", argv[1]);
+ if ((err = key_setcomment(&f, k, argv[2])) != 0)
+ die(EXIT_FAILURE, "bad comment `%s': %s", argv[2], key_strerror(err));
+ doclose(&f);
+ return (0);
+}
+
+/* --- @cmd_tag@ --- */
+
+static int cmd_tag(int argc, char *argv[])
+{
+ key_file f;
+ key *k;
+ int err;
+ unsigned flags = 0;
+ int rc = 0;
+
+ for (;;) {
+ static struct option opt[] = {
+ { "retag", 0, 0, 'r' },
+ { 0, 0, 0, 0 }
+ };
+ int i = mdwopt(argc, argv, "+r", opt, 0, 0, 0);
+ if (i < 0)
+ break;
+ switch (i) {
+ case 'r':
+ flags |= f_retag;
+ break;
+ default:
+ rc = 1;
+ break;
}
}
+ argv += optind; argc -= optind;
+ if (argc < 1 || argc > 2 || rc)
+ die(EXIT_FAILURE, "Usage: tag [-r] TAG [NEW-TAG]");
+ doopen(&f, KOPEN_WRITE);
+ if (flags & f_retag) {
+ if ((k = key_bytag(&f, argv[1])) != 0 && strcmp(k->tag, argv[1]) == 0)
+ key_settag(&f, k, 0);
+ }
+ if ((k = key_bytag(&f, argv[0])) == 0)
+ die(EXIT_FAILURE, "key `%s' not found", argv[0]);
+ if ((err = key_settag(&f, k, argv[1])) != 0)
+ die(EXIT_FAILURE, "bad tag `%s': %s", argv[1], key_strerror(err));
+ doclose(&f);
+ return (0);
+}
+
+/* --- @cmd_lock@ --- */
+
+static int cmd_lock(int argc, char *argv[])
+{
+ key_file f;
+ key *k;
+ key_data **kd;
+ dstr d = DSTR_INIT;
+
+ if (argc != 2)
+ die(EXIT_FAILURE, "Usage: lock QTAG");
+ doopen(&f, KOPEN_WRITE);
+ if (key_qtag(&f, argv[1], &d, &k, &kd))
+ die(EXIT_FAILURE, "key `%s' not found", argv[1]);
+ if ((*kd)->e == KENC_ENCRYPT && key_punlock(kd, 0, d.buf))
+ die(EXIT_FAILURE, "couldn't unlock key `%s'", d.buf);
+ if (key_plock(kd, 0, d.buf))
+ die(EXIT_FAILURE, "failed to lock key `%s'", d.buf);
+ f.f |= KF_MODIFIED;
+ doclose(&f);
+ return (0);
+}
+
+/* --- @cmd_unlock@ --- */
+
+static int cmd_unlock(int argc, char *argv[])
+{
+ key_file f;
+ key *k;
+ key_data **kd;
+ dstr d = DSTR_INIT;
+
+ if (argc != 2)
+ die(EXIT_FAILURE, "Usage: unlock QTAG");
+ doopen(&f, KOPEN_WRITE);
+ if (key_qtag(&f, argv[1], &d, &k, &kd))
+ die(EXIT_FAILURE, "key `%s' not found", argv[1]);
+ if ((*kd)->e != KENC_ENCRYPT)
+ die(EXIT_FAILURE, "key `%s' is not encrypted", d.buf);
+ if (key_punlock(kd, 0, d.buf))
+ die(EXIT_FAILURE, "couldn't unlock key `%s'", d.buf);
+ f.f |= KF_MODIFIED;
doclose(&f);
return (0);
}
{
key_file f;
key *k;
- uint32 id;
int i;
int rc = 0;
+ key_filter kf = { 0, 0 };
+ dstr d = DSTR_INIT;
+ const char *outfile = 0;
FILE *fp;
- if (argc < 3)
- die(EXIT_FAILURE, "Usage: extract FILE KEYID...");
- if (strcmp(argv[1], "-") == 0)
+ for (;;) {
+ static struct option opt[] = {
+ { "filter", OPTF_ARGREQ, 0, 'f' },
+ { 0, 0, 0, 0 }
+ };
+ int i = mdwopt(argc, argv, "f:", opt, 0, 0, 0);
+ if (i < 0)
+ break;
+ switch (i) {
+ case 'f': {
+ char *p;
+ int err = key_readflags(optarg, &p, &kf.f, &kf.m);
+ if (err || *p)
+ die(EXIT_FAILURE, "bad filter string `%s'", optarg);
+ } break;
+ default:
+ rc = 1;
+ break;
+ }
+ }
+
+ argv += optind; argc -= optind;
+ if (rc || argc < 1)
+ die(EXIT_FAILURE, "Usage: extract [-f FILTER] FILE [TAG...]");
+ if (strcmp(*argv, "-") == 0)
fp = stdout;
- else if (!(fp = fopen(argv[1], "w"))) {
- die(EXIT_FAILURE, "couldn't open `%s' for writing: %s",
- argv[1], strerror(errno));
+ else {
+ outfile = *argv;
+ dstr_putf(&d, "%s.new", outfile);
+ if (!(fp = fopen(d.buf, "w"))) {
+ die(EXIT_FAILURE, "couldn't open `%s' for writing: %s",
+ d.buf, strerror(errno));
+ }
}
- doopen(&f, KOPEN_WRITE);
- for (i = 2; i < argc; i++) {
- id = (uint32)strtoul(argv[i], 0, 16);
- if ((k = key_byid(&f, id)) != 0)
- key_extract(&f, k, fp);
- else {
- moan("keyid %lx not found", (unsigned long)id);
- rc = 1;
+ doopen(&f, KOPEN_READ);
+ if (argc < 2) {
+ key_iter i;
+ key *k;
+ for (key_mkiter(&i, &f); (k = key_next(&i)) != 0; )
+ key_extract(&f, k, fp, &kf);
+ } else {
+ for (i = 1; i < argc; i++) {
+ if ((k = key_bytag(&f, argv[i])) != 0)
+ key_extract(&f, k, fp, &kf);
+ else {
+ moan("key `%s' not found", argv[i]);
+ rc = 1;
+ }
}
}
+ if (fclose(fp) || (outfile && rename(d.buf, outfile)))
+ die(EXIT_FAILURE, "error writing file: %s", strerror(errno));
+ dstr_destroy(&d);
doclose(&f);
return (rc);
}
{
key_file f;
if (argc != 1)
- die(EXIT_FAILURE, "usage: tidy");
+ die(EXIT_FAILURE, "Usage: tidy");
doopen(&f, KOPEN_WRITE);
f.f |= KF_MODIFIED; /* Nasty hack */
doclose(&f);
if (strcmp(argv[1], "-") == 0)
fp = stdin;
else if (!(fp = fopen(argv[1], "r"))) {
- die(EXIT_FAILURE, "couldn't open `%s' for writing: %s",
+ die(EXIT_FAILURE, "couldn't open `%s' for reading: %s",
argv[1], strerror(errno));
}
doopen(&f, KOPEN_WRITE);
- key_merge(&f, argv[1], fp);
+ key_merge(&f, argv[1], fp, key_moan, 0);
doclose(&f);
return (0);
}
+/* --- @cmd_show@ --- */
+
+#define LISTS(LI) \
+ LI("Lists", list, \
+ listtab[i].name, listtab[i].name) \
+ LI("Hash functions", hash, \
+ ghashtab[i], ghashtab[i]->name) \
+ LI("Elliptic curves", ec, \
+ ectab[i].name, ectab[i].name) \
+ LI("Prime Diffie-Hellman groups", dh, \
+ ptab[i].name, ptab[i].name) \
+ LI("Binary Diffie-Hellman groups", bindh, \
+ bintab[i].name, bintab[i].name) \
+ LI("Key-generation algorithms", keygen, \
+ algtab[i].name, algtab[i].name) \
+ LI("Random seeding algorithms", seed, \
+ seedtab[i].p, seedtab[i].p)
+
+MAKELISTTAB(listtab, LISTS)
+
+static int cmd_show(int argc, char *argv[])
+{
+ return (displaylists(listtab, argv + 1));
+}
+
/*----- Main command table ------------------------------------------------*/
-static struct cmd {
- const char *name;
- int (*cmd)(int /*argc*/, char */*argv*/[]);
- const char *help;
-} cmds[] = {
- { "add", cmd_add,
- "add [-b BITS] [-e EXPIRE] [-c COMMENT] TYPE [ATTR...]" },
- { "expire", cmd_expire, "expire KEYID..." },
- { "delete", cmd_delete, "delete KEYID..." },
- { "setattr", cmd_setattr, "setattr KEYID ATTR..." },
- { "comment", cmd_comment, "comment KEYID [COMMENT]" },
- { "list", cmd_list, "list [-uqv]" },
- { "tidy", cmd_tidy, "tidy" },
- { "extract", cmd_extract, "extract FILE KEYID..." },
+static int cmd_help(int argc, char *argv[]);
+
+static cmd cmds[] = {
+ { "help", cmd_help, "help [COMMAND...]" },
+ { "show", cmd_show, "show [ITEM...]" },
+ { "list", cmd_list, "list [-uqv] [-f FILTER] [TAG...]", "\
+Options:\n\
+\n\
+-u, --utc Display expiry times etc. in UTC, not local time.\n\
+-q, --quiet Show less information.\n\
+-v, --verbose Show more information.\n\
+" },
+ { "fingerprint", cmd_finger, "fingerprint [-f FILTER] [TAG...]", "\
+Options:\n\
+\n\
+-f, --filter=FILT Only hash key components matching FILT.\n\
+-a, --algorithm=HASH Use the named HASH algorithm.\n\
+ ($ show hash for list.)\n\
+" },
+ { "verify", cmd_verify, "verify [-f FILTER] TAG FINGERPRINT", "\
+Options:\n\
+\n\
+-f, --filter=FILT Only hash key components matching FILT.\n\
+-a, --algorithm=HASH Use the named HASH algorithm.\n\
+ ($ show hash for list.)\n\
+" },
+ { "extract", cmd_extract, "extract [-f FILTER] FILE [TAG...]", "\
+Options:\n\
+\n\
+-f, --filter=FILT Only extract key components matching FILT.\n\
+" },
{ "merge", cmd_merge, "merge FILE" },
+ { "expire", cmd_expire, "expire TAG..." },
+ { "delete", cmd_delete, "delete TAG..." },
+ { "setattr", cmd_setattr, "setattr TAG ATTR..." },
+ { "getattr", cmd_getattr, "getattr TAG ATTR" },
+ { "comment", cmd_comment, "comment TAG [COMMENT]" },
+ { "lock", cmd_lock, "lock QTAG" },
+ { "unlock", cmd_unlock, "unlock QTAG" },
+ { "tag", cmd_tag, "tag [-r] TAG [NEW-TAG]", "\
+Options:\n\
+\n\
+-r, --retag Untag any key currently called new-tag.\n\
+" },
+ { "tidy", cmd_tidy, "tidy" },
+ { "add", cmd_add,
+ "add [-OPTIONS] TYPE [ATTR...]\n\
+ Options: [-lqrLKS] [-a ALG] [-bB BITS] [-p PARAM] [-R TAG]\n\
+ [-A SEEDALG] [-s SEED] [-n BITS] [-I KEYID]\n\
+ [-e EXPIRE] [-t TAG] [-c COMMENT]", "\
+Options:\n\
+\n\
+-a, --algorithm=ALG Generate keys suitable for ALG.\n\
+ ($ show keygen for list.)\n\
+-b, --bits=N Generate an N-bit key.\n\
+-B, --qbits=N Use an N-bit subgroup or factors.\n\
+-p, --parameters=TAG Get group parameters from TAG.\n\
+-C, --curve=NAME Use elliptic curve or DH group NAME.\n\
+ ($ show ec or $ show dh for list.)\n\
+-A, --seedalg=ALG Use pseudorandom generator ALG to generate key.\n\
+ ($ show seed for list.)\n\
+-s, --seed=BASE64 Use Base64-encoded string BASE64 as seed.\n\
+-n, --newseed=COUNT Generate new COUNT-bit seed.\n\
+-e, --expire=TIME Make the key expire after TIME.\n\
+-c, --comment=STRING Attach the command STRING to the key.\n\
+-t, --tag=TAG Tag the key with the name TAG.\n\
+-r, --retag Untag any key currently with that tag.\n\
+-R, --rand-id=TAG Use key named TAG for the random number generator.\n\
+-I, --key-id=ID Force the key-id for the new key.\n\
+-l, --lock Lock the generated key with a passphrase.\n\
+-q, --quiet Don't give progress indicators while working.\n\
+-L, --lim-lee Generate Lim-Lee primes for Diffie-Hellman groups.\n\
+-K, --kcdsa Generate KCDSA-style Lim-Lee primes for DH groups.\n\
+-S, --subgroup Use a prime-order subgroup for Diffie-Hellman.\n\
+" },
{ 0, 0, 0 }
};
-typedef struct cmd cmd;
+static int cmd_help(int argc, char *argv[])
+{
+ sc_help(cmds, stdout, argv + 1);
+ return (0);
+}
/*----- Main code ---------------------------------------------------------*/
/* --- Helpful GNUy functions --- */
-void usage(FILE *fp)
+static void usage(FILE *fp)
{
- fprintf(fp, "Usage: %s [-k file] command [args]\n", QUIS);
+ pquis(fp, "Usage: $ [-k KEYRING] COMMAND [ARGS]\n");
}
void version(FILE *fp)
{
- fprintf(fp, "%s, Catacomb version " VERSION "\n", QUIS);
+ pquis(fp, "$, Catacomb version " VERSION "\n");
}
-void help(FILE *fp)
+void help_global(FILE *fp)
{
- cmd *c;
- version(fp);
- fputc('\n', fp);
usage(fp);
fputs("\n\
-Performs various simple key management operations. Command line options\n\
-recognized are:\n\
+Performs various simple key management operations.\n\
+\n\
+Global command line options:\n\
\n\
--h, --help Display this help text.\n\
+-h, --help [COMMAND...] Display this help text (or help for COMMANDs).\n\
-v, --version Display version number.\n\
-u, --usage Display short usage summary.\n\
\n\
--k, --keyring=FILE Read and write keys in FILE.\n\
-\n\
-The following commands are understood:\n\n",
+-k, --keyring=FILE Read and write keys in FILE.\n",
fp);
- for (c = cmds; c->name; c++)
- fprintf(fp, "%s\n", c->help);
}
/* --- @main@ --- *
{
unsigned f = 0;
- enum {
- f_bogus = 1
- };
+#define f_bogus 1u
/* --- Initialization --- */
switch (i) {
/* --- GNU help options --- */
+
case 'h':
- help(stdout);
+ sc_help(cmds, stdout, argv + optind);
exit(0);
case 'v':
version(stdout);
exit(1);
}
+ /* --- Initialize the Catacomb random number generator --- */
+
+ rand_noisesrc(RAND_GLOBAL, &noise_source);
+ rand_seed(RAND_GLOBAL, 160);
+
/* --- Dispatch to appropriate command handler --- */
argc -= optind;
argv += optind;
optind = 0;
-
- {
- cmd *c, *chosen = 0;
- size_t sz = strlen(argv[0]);
-
- for (c = cmds; c->name; c++) {
- if (strncmp(argv[0], c->name, sz) == 0) {
- if (c->name[sz] == 0) {
- chosen = c;
- break;
- } else if (chosen)
- die(EXIT_FAILURE, "ambiguous command name `%s'", argv[0]);
- else
- chosen = c;
- }
- }
- if (!chosen)
- die(EXIT_FAILURE, "unknown command name `%s'", argv[0]);
- return (chosen->cmd(argc, argv));
- }
+ return (findcmd(cmds, argv[0])->cmd(argc, argv));
}
/*----- That's all, folks -------------------------------------------------*/