summaryrefslogtreecommitdiffstats
path: root/sm/gpgsm.h
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:14:06 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:14:06 +0000
commiteee068778cb28ecf3c14e1bf843a95547d72c42d (patch)
tree0e07b30ddc5ea579d682d5dbe57998200d1c9ab7 /sm/gpgsm.h
parentInitial commit. (diff)
downloadgnupg2-eee068778cb28ecf3c14e1bf843a95547d72c42d.tar.xz
gnupg2-eee068778cb28ecf3c14e1bf843a95547d72c42d.zip
Adding upstream version 2.2.40.upstream/2.2.40upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'sm/gpgsm.h')
-rw-r--r--sm/gpgsm.h467
1 files changed, 467 insertions, 0 deletions
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
new file mode 100644
index 0000000..53ef165
--- /dev/null
+++ b/sm/gpgsm.h
@@ -0,0 +1,467 @@
+/* gpgsm.h - Global definitions for GpgSM
+ * Copyright (C) 2001, 2003, 2004, 2007, 2009,
+ * 2010 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifndef GPGSM_H
+#define GPGSM_H
+
+#ifdef GPG_ERR_SOURCE_DEFAULT
+#error GPG_ERR_SOURCE_DEFAULT already defined
+#endif
+#define GPG_ERR_SOURCE_DEFAULT GPG_ERR_SOURCE_GPGSM
+#include <gpg-error.h>
+
+
+#include <ksba.h>
+#include "../common/util.h"
+#include "../common/status.h"
+#include "../common/audit.h"
+#include "../common/session-env.h"
+#include "../common/ksba-io-support.h"
+#include "../common/compliance.h"
+
+
+#define MAX_DIGEST_LEN 64
+
+
+/* A large struct named "opt" to keep global flags. */
+EXTERN_UNLESS_MAIN_MODULE
+struct
+{
+ unsigned int debug; /* debug flags (DBG_foo_VALUE) */
+ int verbose; /* verbosity level */
+ int quiet; /* be as quiet as possible */
+ int batch; /* run in batch mode, i.e w/o any user interaction */
+ int answer_yes; /* assume yes on most questions */
+ int answer_no; /* assume no on most questions */
+ int dry_run; /* don't change any persistent data */
+ int no_homedir_creation;
+
+ const char *config_filename; /* Name of the used config file. */
+ const char *agent_program;
+
+ session_env_t session_env;
+ char *lc_ctype;
+ char *lc_messages;
+
+ int autostart;
+ const char *dirmngr_program;
+ int disable_dirmngr; /* Do not do any dirmngr calls. */
+ const char *protect_tool_program;
+ char *outfile; /* name of output file */
+
+ int with_key_data;/* include raw key in the column delimted output */
+
+ int fingerprint; /* list fingerprints in all key listings */
+
+ int with_md5_fingerprint; /* Also print an MD5 fingerprint for
+ standard key listings. */
+
+ int with_keygrip; /* Option --with-keygrip active. */
+
+ int pinentry_mode;
+ int request_origin;
+
+ int armor; /* force base64 armoring (see also ctrl.with_base64) */
+ int no_armor; /* don't try to figure out whether data is base64 armored*/
+
+ const char *p12_charset; /* Use this charset for encoding the
+ pkcs#12 passphrase. */
+
+
+ const char *def_cipher_algoid; /* cipher algorithm to use if
+ nothing else is specified */
+
+ int def_compress_algo; /* Ditto for compress algorithm */
+
+ int forced_digest_algo; /* User forced hash algorithm. */
+
+ char *def_recipient; /* userID of the default recipient */
+ int def_recipient_self; /* The default recipient is the default key */
+
+ int no_encrypt_to; /* Ignore all as encrypt to marked recipients. */
+
+ char *local_user; /* NULL or argument to -u */
+
+ int extra_digest_algo; /* A digest algorithm also used for
+ verification of signatures. */
+
+ int always_trust; /* Trust the given keys even if there is no
+ valid certification chain */
+ int skip_verify; /* do not check signatures on data */
+
+ int lock_once; /* Keep lock once they are set */
+
+ int ignore_time_conflict; /* Ignore certain time conflicts */
+
+ int no_crl_check; /* Don't do a CRL check */
+ int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
+ int force_crl_refresh; /* Force refreshing the CRL. */
+ int enable_issuer_based_crl_check; /* Backward compatibility hack. */
+ int enable_ocsp; /* Default to use OCSP checks. */
+
+ char *policy_file; /* full pathname of policy file */
+ int no_policy_check; /* ignore certificate policies */
+ int no_chain_validation; /* Bypass all cert chain validity tests */
+ int ignore_expiration; /* Ignore the notAfter validity checks. */
+
+ int auto_issuer_key_retrieve; /* try to retrieve a missing issuer key. */
+
+ int qualsig_approval; /* Set to true if this software has
+ officially been approved to create an
+ verify qualified signatures. This is a
+ runtime option in case we want to check
+ the integrity of the software at
+ runtime. */
+
+ unsigned int min_rsa_length; /* Used for compliance checks. */
+
+ strlist_t keyserver;
+
+ /* A list of certificate extension OIDs which are ignored so that
+ one can claim that a critical extension has been handled. One
+ OID per string. */
+ strlist_t ignored_cert_extensions;
+
+ /* A list of OIDs which will be used to ignore certificates with
+ * sunch an OID during --learn-card. */
+ strlist_t ignore_cert_with_oid;
+
+ /* The current compliance mode. */
+ enum gnupg_compliance_mode compliance;
+
+ /* Fail if an operation can't be done in the requested compliance
+ * mode. */
+ int require_compliance;
+
+ /* Compatibility flags (COMPAT_FLAG_xxxx). */
+ unsigned int compat_flags;
+} opt;
+
+/* Debug values and macros. */
+#define DBG_X509_VALUE 1 /* debug x.509 data reading/writing */
+#define DBG_MPI_VALUE 2 /* debug mpi details */
+#define DBG_CRYPTO_VALUE 4 /* debug low level crypto */
+#define DBG_MEMORY_VALUE 32 /* debug memory allocation stuff */
+#define DBG_CACHE_VALUE 64 /* debug the caching */
+#define DBG_MEMSTAT_VALUE 128 /* show memory statistics */
+#define DBG_HASHING_VALUE 512 /* debug hashing operations */
+#define DBG_IPC_VALUE 1024 /* debug assuan communication */
+
+#define DBG_X509 (opt.debug & DBG_X509_VALUE)
+#define DBG_CRYPTO (opt.debug & DBG_CRYPTO_VALUE)
+#define DBG_MEMORY (opt.debug & DBG_MEMORY_VALUE)
+#define DBG_CACHE (opt.debug & DBG_CACHE_VALUE)
+#define DBG_HASHING (opt.debug & DBG_HASHING_VALUE)
+#define DBG_IPC (opt.debug & DBG_IPC_VALUE)
+
+
+/* Compatibility flags */
+/* Telesec RSA cards produced for NRW in 2022 came with only the
+ * keyAgreement bit set. This flag allows there use for encryption
+ * anyway. Example cert:
+ * Issuer: /CN=DOI CA 10a/OU=DOI/O=PKI-1-Verwaltung/C=DE
+ * key usage: digitalSignature nonRepudiation keyAgreement
+ * policies: 1.3.6.1.4.1.7924.1.1:N:
+ */
+#define COMPAT_ALLOW_KA_TO_ENCR 1
+
+
+/* Forward declaration for an object defined in server.c */
+struct server_local_s;
+
+/* Session control object. This object is passed down to most
+ functions. Note that the default values for it are set by
+ gpgsm_init_default_ctrl(). */
+struct server_control_s
+{
+ int no_server; /* We are not running under server control */
+ int status_fd; /* Only for non-server mode */
+ struct server_local_s *server_local;
+
+ audit_ctx_t audit; /* NULL or a context for the audit subsystem. */
+ int agent_seen; /* Flag indicating that the gpg-agent has been
+ accessed. */
+
+ int with_colons; /* Use column delimited output format */
+ int with_secret; /* Mark secret keys in a public key listing. */
+ int with_chain; /* Include the certifying certs in a listing */
+ int with_validation;/* Validate each key while listing. */
+ int with_ephemeral_keys; /* Include ephemeral flagged keys in the
+ keylisting. */
+
+ int autodetect_encoding; /* Try to detect the input encoding */
+ int is_pem; /* Is in PEM format */
+ int is_base64; /* is in plain base-64 format */
+
+ int create_base64; /* Create base64 encoded output */
+ int create_pem; /* create PEM output */
+ const char *pem_name; /* PEM name to use */
+
+ int include_certs; /* -1 to send all certificates in the chain
+ along with a signature or the number of
+ certificates up the chain (0 = none, 1 = only
+ signer) */
+ int use_ocsp; /* Set to true if OCSP should be used. */
+ int validation_model; /* 0 := standard model (shell),
+ 1 := chain model,
+ 2 := STEED model. */
+ int offline; /* If true gpgsm won't do any network access. */
+
+ /* The current time. Used as a helper in certchain.c. */
+ ksba_isotime_t current_time;
+};
+
+
+/* An object to keep a list of certificates. */
+struct certlist_s
+{
+ struct certlist_s *next;
+ ksba_cert_t cert;
+ int is_encrypt_to; /* True if the certificate has been set through
+ the --encrypto-to option. */
+ int hash_algo; /* Used to track the hash algorithm to use. */
+ const char *hash_algo_oid; /* And the corresponding OID. */
+};
+typedef struct certlist_s *certlist_t;
+
+
+/* A structure carrying information about trusted root certificates. */
+struct rootca_flags_s
+{
+ unsigned int valid:1; /* The rest of the structure has valid
+ information. */
+ unsigned int relax:1; /* Relax checking of root certificates. */
+ unsigned int chain_model:1; /* Root requires the use of the chain model. */
+};
+
+
+
+/*-- gpgsm.c --*/
+extern int gpgsm_errors_seen;
+
+void gpgsm_exit (int rc);
+void gpgsm_init_default_ctrl (struct server_control_s *ctrl);
+int gpgsm_parse_validation_model (const char *model);
+
+/*-- server.c --*/
+void gpgsm_server (certlist_t default_recplist);
+gpg_error_t gpgsm_status (ctrl_t ctrl, int no, const char *text);
+gpg_error_t gpgsm_status2 (ctrl_t ctrl, int no, ...) GPGRT_ATTR_SENTINEL(0);
+gpg_error_t gpgsm_status_with_err_code (ctrl_t ctrl, int no, const char *text,
+ gpg_err_code_t ec);
+gpg_error_t gpgsm_status_with_error (ctrl_t ctrl, int no, const char *text,
+ gpg_error_t err);
+gpg_error_t gpgsm_proxy_pinentry_notify (ctrl_t ctrl,
+ const unsigned char *line);
+
+/*-- fingerprint --*/
+unsigned char *gpgsm_get_fingerprint (ksba_cert_t cert, int algo,
+ unsigned char *array, int *r_len);
+char *gpgsm_get_fingerprint_string (ksba_cert_t cert, int algo);
+char *gpgsm_get_fingerprint_hexstring (ksba_cert_t cert, int algo);
+unsigned long gpgsm_get_short_fingerprint (ksba_cert_t cert,
+ unsigned long *r_high);
+unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array);
+char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
+int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits);
+char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid);
+char *gpgsm_get_certid (ksba_cert_t cert);
+
+
+/*-- certdump.c --*/
+void gpgsm_print_serial (estream_t fp, ksba_const_sexp_t p);
+void gpgsm_print_serial_decimal (estream_t fp, ksba_const_sexp_t sn);
+void gpgsm_print_time (estream_t fp, ksba_isotime_t t);
+void gpgsm_print_name2 (FILE *fp, const char *string, int translate);
+void gpgsm_print_name (FILE *fp, const char *string);
+void gpgsm_es_print_name (estream_t fp, const char *string);
+void gpgsm_es_print_name2 (estream_t fp, const char *string, int translate);
+
+void gpgsm_cert_log_name (const char *text, ksba_cert_t cert);
+
+void gpgsm_dump_cert (const char *text, ksba_cert_t cert);
+void gpgsm_dump_serial (ksba_const_sexp_t p);
+void gpgsm_dump_time (ksba_isotime_t t);
+void gpgsm_dump_string (const char *string);
+
+char *gpgsm_format_serial (ksba_const_sexp_t p);
+char *gpgsm_format_name2 (const char *name, int translate);
+char *gpgsm_format_name (const char *name);
+char *gpgsm_format_sn_issuer (ksba_sexp_t sn, const char *issuer);
+
+char *gpgsm_fpr_and_name_for_status (ksba_cert_t cert);
+
+char *gpgsm_format_keydesc (ksba_cert_t cert);
+
+
+/*-- certcheck.c --*/
+int gpgsm_check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert);
+int gpgsm_check_cms_signature (ksba_cert_t cert, gcry_sexp_t sigval,
+ gcry_md_hd_t md,
+ int hash_algo, unsigned int pkalgoflags,
+ int *r_pkalgo);
+/* fixme: move create functions to another file */
+int gpgsm_create_cms_signature (ctrl_t ctrl,
+ ksba_cert_t cert, gcry_md_hd_t md, int mdalgo,
+ unsigned char **r_sigval);
+
+
+/*-- certchain.c --*/
+
+/* Flags used with gpgsm_validate_chain. */
+#define VALIDATE_FLAG_NO_DIRMNGR 1
+#define VALIDATE_FLAG_CHAIN_MODEL 2
+#define VALIDATE_FLAG_STEED 4
+
+int gpgsm_walk_cert_chain (ctrl_t ctrl,
+ ksba_cert_t start, ksba_cert_t *r_next);
+int gpgsm_is_root_cert (ksba_cert_t cert);
+int gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert,
+ ksba_isotime_t checktime,
+ ksba_isotime_t r_exptime,
+ int listmode, estream_t listfp,
+ unsigned int flags, unsigned int *retflags);
+int gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert);
+
+/*-- certlist.c --*/
+int gpgsm_cert_use_sign_p (ksba_cert_t cert, int silent);
+int gpgsm_cert_use_encrypt_p (ksba_cert_t cert);
+int gpgsm_cert_use_verify_p (ksba_cert_t cert);
+int gpgsm_cert_use_decrypt_p (ksba_cert_t cert);
+int gpgsm_cert_use_cert_p (ksba_cert_t cert);
+int gpgsm_cert_use_ocsp_p (ksba_cert_t cert);
+int gpgsm_cert_has_well_known_private_key (ksba_cert_t cert);
+int gpgsm_certs_identical_p (ksba_cert_t cert_a, ksba_cert_t cert_b);
+int gpgsm_add_cert_to_certlist (ctrl_t ctrl, ksba_cert_t cert,
+ certlist_t *listaddr, int is_encrypt_to);
+int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
+ certlist_t *listaddr, int is_encrypt_to);
+void gpgsm_release_certlist (certlist_t list);
+int gpgsm_find_cert (ctrl_t ctrl, const char *name, ksba_sexp_t keyid,
+ ksba_cert_t *r_cert, int allow_ambiguous);
+
+/*-- keylist.c --*/
+gpg_error_t gpgsm_list_keys (ctrl_t ctrl, strlist_t names,
+ estream_t fp, unsigned int mode);
+
+/*-- import.c --*/
+int gpgsm_import (ctrl_t ctrl, int in_fd, int reimport_mode);
+int gpgsm_import_files (ctrl_t ctrl, int nfiles, char **files,
+ int (*of)(const char *fname));
+
+/*-- export.c --*/
+void gpgsm_export (ctrl_t ctrl, strlist_t names, estream_t stream);
+void gpgsm_p12_export (ctrl_t ctrl, const char *name, estream_t stream,
+ int rawmode);
+
+/*-- delete.c --*/
+int gpgsm_delete (ctrl_t ctrl, strlist_t names);
+
+/*-- verify.c --*/
+int gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp);
+
+/*-- sign.c --*/
+int gpgsm_get_default_cert (ctrl_t ctrl, ksba_cert_t *r_cert);
+int gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
+ int data_fd, int detached, estream_t out_fp);
+
+/*-- encrypt.c --*/
+int gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist,
+ int in_fd, estream_t out_fp);
+
+/*-- decrypt.c --*/
+int gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp);
+
+/*-- certreqgen.c --*/
+int gpgsm_genkey (ctrl_t ctrl, estream_t in_stream, estream_t out_stream);
+
+/*-- certreqgen-ui.c --*/
+void gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t out_stream);
+
+
+/*-- qualified.c --*/
+gpg_error_t gpgsm_is_in_qualified_list (ctrl_t ctrl, ksba_cert_t cert,
+ char *country);
+gpg_error_t gpgsm_qualified_consent (ctrl_t ctrl, ksba_cert_t cert);
+gpg_error_t gpgsm_not_qualified_warning (ctrl_t ctrl, ksba_cert_t cert);
+
+/*-- call-agent.c --*/
+int gpgsm_agent_pksign (ctrl_t ctrl, const char *keygrip, const char *desc,
+ unsigned char *digest,
+ size_t digestlen,
+ int digestalgo,
+ unsigned char **r_buf, size_t *r_buflen);
+int gpgsm_scd_pksign (ctrl_t ctrl, const char *keyid, const char *desc,
+ unsigned char *digest, size_t digestlen, int digestalgo,
+ unsigned char **r_buf, size_t *r_buflen);
+int gpgsm_agent_pkdecrypt (ctrl_t ctrl, const char *keygrip, const char *desc,
+ ksba_const_sexp_t ciphertext,
+ char **r_buf, size_t *r_buflen);
+int gpgsm_agent_genkey (ctrl_t ctrl,
+ ksba_const_sexp_t keyparms, ksba_sexp_t *r_pubkey);
+int gpgsm_agent_readkey (ctrl_t ctrl, int fromcard, const char *hexkeygrip,
+ ksba_sexp_t *r_pubkey);
+int gpgsm_agent_scd_serialno (ctrl_t ctrl, char **r_serialno);
+int gpgsm_agent_scd_keypairinfo (ctrl_t ctrl, strlist_t *r_list);
+int gpgsm_agent_istrusted (ctrl_t ctrl, ksba_cert_t cert, const char *hexfpr,
+ struct rootca_flags_s *rootca_flags);
+int gpgsm_agent_havekey (ctrl_t ctrl, const char *hexkeygrip);
+int gpgsm_agent_marktrusted (ctrl_t ctrl, ksba_cert_t cert);
+int gpgsm_agent_learn (ctrl_t ctrl);
+int gpgsm_agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc);
+gpg_error_t gpgsm_agent_get_confirmation (ctrl_t ctrl, const char *desc);
+gpg_error_t gpgsm_agent_send_nop (ctrl_t ctrl);
+gpg_error_t gpgsm_agent_keyinfo (ctrl_t ctrl, const char *hexkeygrip,
+ char **r_serialno);
+gpg_error_t gpgsm_agent_ask_passphrase (ctrl_t ctrl, const char *desc_msg,
+ int repeat, char **r_passphrase);
+gpg_error_t gpgsm_agent_keywrap_key (ctrl_t ctrl, int forexport,
+ void **r_kek, size_t *r_keklen);
+gpg_error_t gpgsm_agent_import_key (ctrl_t ctrl,
+ const void *key, size_t keylen);
+gpg_error_t gpgsm_agent_export_key (ctrl_t ctrl, const char *keygrip,
+ const char *desc,
+ unsigned char **r_result,
+ size_t *r_resultlen);
+
+/*-- call-dirmngr.c --*/
+int gpgsm_dirmngr_isvalid (ctrl_t ctrl,
+ ksba_cert_t cert, ksba_cert_t issuer_cert,
+ int use_ocsp);
+int gpgsm_dirmngr_lookup (ctrl_t ctrl, strlist_t names, const char *uri,
+ int cache_only,
+ void (*cb)(void*, ksba_cert_t), void *cb_value);
+int gpgsm_dirmngr_run_command (ctrl_t ctrl, const char *command,
+ int argc, char **argv);
+
+
+/*-- misc.c --*/
+void setup_pinentry_env (void);
+gpg_error_t transform_sigval (const unsigned char *sigval, size_t sigvallen,
+ int mdalgo,
+ unsigned char **r_newsigval,
+ size_t *r_newsigvallen);
+gcry_sexp_t gpgsm_ksba_cms_get_sig_val (ksba_cms_t cms, int idx);
+int gpgsm_get_hash_algo_from_sigval (gcry_sexp_t sigval,
+ unsigned int *r_pkalgo_flags);
+
+
+
+#endif /*GPGSM_H*/