generate-key.cpp - mozsearch

comm-central/third_party/rnp/src/lib/generate-key.cpp

Enable keyboard shortcuts

Revision control

Copy as Markdown

Other Tools

HG Web

/*

 * Copyright (c) 2017, [Ribose Inc](https://www.ribose.com).

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

*/

#include <stdbool.h>

#include <stdint.h>

#include <assert.h>

#include <string.h>

#include <rekey/rnp_key_store.h>

#include <librekey/key_store_pgp.h>

#include <librekey/key_store_g10.h>

#include <librepgp/stream-packet.h>

#include "crypto.h"

#include "pgp-key.h"

#include "defaults.h"

#include "utils.h"

static const uint8_t DEFAULT_SYMMETRIC_ALGS[] = {

  PGP_SA_AES_256, PGP_SA_AES_192, PGP_SA_AES_128};

static const uint8_t DEFAULT_HASH_ALGS[] = {

  PGP_HASH_SHA256, PGP_HASH_SHA384, PGP_HASH_SHA512, PGP_HASH_SHA224};

static const uint8_t DEFAULT_COMPRESS_ALGS[] = {

  PGP_C_ZLIB, PGP_C_BZIP2, PGP_C_ZIP, PGP_C_NONE};

static const id_str_pair pubkey_alg_map[] = {

  {PGP_PKA_RSA, "RSA (Encrypt or Sign)"},

  {PGP_PKA_RSA_ENCRYPT_ONLY, "RSA Encrypt-Only"},

  {PGP_PKA_RSA_SIGN_ONLY, "RSA Sign-Only"},

  {PGP_PKA_ELGAMAL, "Elgamal (Encrypt-Only)"},

  {PGP_PKA_DSA, "DSA"},

  {PGP_PKA_ECDH, "ECDH"},

  {PGP_PKA_ECDSA, "ECDSA"},

  {PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN, "Reserved (formerly Elgamal Encrypt or Sign"},

  {PGP_PKA_RESERVED_DH, "Reserved for Diffie-Hellman (X9.42)"},

  {PGP_PKA_EDDSA, "EdDSA"},

  {PGP_PKA_SM2, "SM2"},

  {PGP_PKA_PRIVATE00, "Private/Experimental"},

  {PGP_PKA_PRIVATE01, "Private/Experimental"},

  {PGP_PKA_PRIVATE02, "Private/Experimental"},

  {PGP_PKA_PRIVATE03, "Private/Experimental"},

  {PGP_PKA_PRIVATE04, "Private/Experimental"},

  {PGP_PKA_PRIVATE05, "Private/Experimental"},

  {PGP_PKA_PRIVATE06, "Private/Experimental"},

  {PGP_PKA_PRIVATE07, "Private/Experimental"},

  {PGP_PKA_PRIVATE08, "Private/Experimental"},

  {PGP_PKA_PRIVATE09, "Private/Experimental"},

  {PGP_PKA_PRIVATE10, "Private/Experimental"},

  {0, NULL}};

static bool

load_generated_g10_key(pgp_key_t *           dst,

                       pgp_key_pkt_t *       newkey,

                       pgp_key_t *           primary_key,

                       pgp_key_t *           pubkey,

                       rnp::SecurityContext &ctx)

    // this should generally be zeroed

    assert(dst->type() == 0);

    // if a primary is provided, make sure it's actually a primary key

    assert(!primary_key || primary_key->is_primary());

    // if a pubkey is provided, make sure it's actually a public key

    assert(!pubkey || pubkey->is_public());

    // G10 always needs pubkey here

    assert(pubkey);

    // this would be better on the stack but the key store does not allow it

    std::unique_ptr<rnp_key_store_t> key_store(new (std::nothrow) rnp_key_store_t(ctx));

    if (!key_store) {

        return false;

    /* Write g10 seckey */

    rnp::MemoryDest memdst(NULL, 0);

    if (!g10_write_seckey(&memdst.dst(), newkey, NULL, ctx)) {

        RNP_LOG("failed to write generated seckey");

        return false;

    std::vector<pgp_key_t *> key_ptrs; /* holds primary and pubkey, when used */

    // if this is a subkey, add the primary in first

    if (primary_key) {

        key_ptrs.push_back(primary_key);

    // G10 needs the pubkey for copying some attributes (key version, creation time, etc)

    key_ptrs.push_back(pubkey);

    rnp::MemorySource  memsrc(memdst.memory(), memdst.writeb(), false);

    pgp_key_provider_t prov(rnp_key_provider_key_ptr_list, &key_ptrs);

    if (!rnp_key_store_g10_from_src(key_store.get(), &memsrc.src(), &prov)) {

        return false;

    if (rnp_key_store_get_key_count(key_store.get()) != 1) {

        return false;

    // if a primary key is provided, it should match the sub with regards to type

    assert(!primary_key || (primary_key->is_secret() == key_store->keys.front().is_secret()));

    *dst = pgp_key_t(key_store->keys.front());

    return true;

static uint8_t

pk_alg_default_flags(pgp_pubkey_alg_t alg)

    // just use the full capabilities as the ultimate fallback

    return pgp_pk_alg_capabilities(alg);

// TODO: Similar as pgp_pick_hash_alg but different enough to

//       keep another version. This will be changed when refactoring crypto

static void

adjust_hash_alg(rnp_keygen_crypto_params_t &crypto)

    if (!crypto.hash_alg) {

        crypto.hash_alg = (pgp_hash_alg_t) DEFAULT_HASH_ALGS[0];

    if ((crypto.key_alg != PGP_PKA_DSA) && (crypto.key_alg != PGP_PKA_ECDSA)) {

        return;

    pgp_hash_alg_t min_hash = (crypto.key_alg == PGP_PKA_ECDSA) ?

                                ecdsa_get_min_hash(crypto.ecc.curve) :

                                dsa_get_min_hash(crypto.dsa.q_bitlen);

    if (rnp::Hash::size(crypto.hash_alg) < rnp::Hash::size(min_hash)) {

        crypto.hash_alg = min_hash;

static void

keygen_merge_crypto_defaults(rnp_keygen_crypto_params_t &crypto)

    // default to RSA

    if (!crypto.key_alg) {

        crypto.key_alg = PGP_PKA_RSA;

    switch (crypto.key_alg) {

    case PGP_PKA_RSA:

        if (!crypto.rsa.modulus_bit_len) {

            crypto.rsa.modulus_bit_len = DEFAULT_RSA_NUMBITS;

        break;

    case PGP_PKA_SM2:

        if (!crypto.hash_alg) {

            crypto.hash_alg = PGP_HASH_SM3;

        if (!crypto.ecc.curve) {

            crypto.ecc.curve = PGP_CURVE_SM2_P_256;

        break;

    case PGP_PKA_ECDH:

    case PGP_PKA_ECDSA: {

        if (!crypto.hash_alg) {

            crypto.hash_alg = (pgp_hash_alg_t) DEFAULT_HASH_ALGS[0];

        break;

    case PGP_PKA_EDDSA:

        if (!crypto.ecc.curve) {

            crypto.ecc.curve = PGP_CURVE_ED25519;

        break;

    case PGP_PKA_DSA: {

        if (!crypto.dsa.p_bitlen) {

            crypto.dsa.p_bitlen = DSA_DEFAULT_P_BITLEN;

        if (!crypto.dsa.q_bitlen) {

            crypto.dsa.q_bitlen = dsa_choose_qsize_by_psize(crypto.dsa.p_bitlen);

        break;

    default:

        break;

    adjust_hash_alg(crypto);

static bool

validate_keygen_primary(const rnp_keygen_primary_desc_t &desc)

    /* Confirm that the specified pk alg can certify.

     * gpg requires this, though the RFC only says that a V4 primary

     * key SHOULD be a key capable of certification.

*/

    if (!(pgp_pk_alg_capabilities(desc.crypto.key_alg) & PGP_KF_CERTIFY)) {

        RNP_LOG("primary key alg (%d) must be able to sign", desc.crypto.key_alg);

        return false;

    // check key flags

    if (!desc.cert.key_flags) {

        // these are probably not *technically* required

        RNP_LOG("key flags are required");

        return false;

    } else if (desc.cert.key_flags & ~pgp_pk_alg_capabilities(desc.crypto.key_alg)) {

        // check the flags against the alg capabilities

        RNP_LOG("usage not permitted for pk algorithm");

        return false;

    // require a userid

    if (!desc.cert.userid[0]) {

        RNP_LOG("userid is required for primary key");

        return false;

    return true;

static uint32_t

get_numbits(const rnp_keygen_crypto_params_t *crypto)

    switch (crypto->key_alg) {

    case PGP_PKA_RSA:

    case PGP_PKA_RSA_ENCRYPT_ONLY:

    case PGP_PKA_RSA_SIGN_ONLY:

        return crypto->rsa.modulus_bit_len;

    case PGP_PKA_ECDSA:

    case PGP_PKA_ECDH:

    case PGP_PKA_EDDSA:

    case PGP_PKA_SM2: {

        if (const ec_curve_desc_t *curve = get_curve_desc(crypto->ecc.curve)) {

            return curve->bitlen;

        } else {

            return 0;

    case PGP_PKA_DSA:

        return crypto->dsa.p_bitlen;

    case PGP_PKA_ELGAMAL:

    case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:

        return crypto->elgamal.key_bitlen;

    default:

        return 0;

static void

set_default_user_prefs(pgp_user_prefs_t &prefs)

    if (prefs.symm_algs.empty()) {

        prefs.set_symm_algs(

          std::vector<uint8_t>(DEFAULT_SYMMETRIC_ALGS,

                               DEFAULT_SYMMETRIC_ALGS + ARRAY_SIZE(DEFAULT_SYMMETRIC_ALGS)));

    if (prefs.hash_algs.empty()) {

        prefs.set_hash_algs(std::vector<uint8_t>(

          DEFAULT_HASH_ALGS, DEFAULT_HASH_ALGS + ARRAY_SIZE(DEFAULT_HASH_ALGS)));

    if (prefs.z_algs.empty()) {

        prefs.set_z_algs(std::vector<uint8_t>(

          DEFAULT_COMPRESS_ALGS, DEFAULT_COMPRESS_ALGS + ARRAY_SIZE(DEFAULT_COMPRESS_ALGS)));

static void

keygen_primary_merge_defaults(rnp_keygen_primary_desc_t &desc)

    keygen_merge_crypto_defaults(desc.crypto);

    set_default_user_prefs(desc.cert.prefs);

    if (!desc.cert.key_flags) {

        // set some default key flags if none are provided

        desc.cert.key_flags = pk_alg_default_flags(desc.crypto.key_alg);

    if (desc.cert.userid.empty()) {

        char uid[MAX_ID_LENGTH] = {0};

        snprintf(uid,

                 sizeof(uid),

                 "%s %d-bit key <%s@localhost>",

                 id_str_pair::lookup(pubkey_alg_map, desc.crypto.key_alg),

                 get_numbits(&desc.crypto),

                 getenv_logname());

        desc.cert.userid = uid;

bool

pgp_generate_primary_key(rnp_keygen_primary_desc_t &desc,

                         bool                       merge_defaults,

                         pgp_key_t &                primary_sec,

                         pgp_key_t &                primary_pub,

                         pgp_key_store_format_t     secformat)

    // validate args

    if (primary_sec.type() || primary_pub.type()) {

        RNP_LOG("invalid parameters (should be zeroed)");

        return false;

    try {

        // merge some defaults in, if requested

        if (merge_defaults) {

            keygen_primary_merge_defaults(desc);

        // now validate the keygen fields

        if (!validate_keygen_primary(desc)) {

            return false;

        // generate the raw key and fill tag/secret fields

        pgp_key_pkt_t secpkt;

        if (!pgp_generate_seckey(desc.crypto, secpkt, true)) {

            return false;

        pgp_key_t sec(secpkt);

        pgp_key_t pub(secpkt, true);

        sec.add_uid_cert(desc.cert, desc.crypto.hash_alg, *desc.crypto.ctx, &pub);

        switch (secformat) {

        case PGP_KEY_STORE_GPG:

        case PGP_KEY_STORE_KBX:

            primary_sec = std::move(sec);

            primary_pub = std::move(pub);

            break;

        case PGP_KEY_STORE_G10:

            primary_pub = std::move(pub);

            if (!load_generated_g10_key(

                  &primary_sec, &secpkt, NULL, &primary_pub, *desc.crypto.ctx)) {

                RNP_LOG("failed to load generated key");

                return false;

            break;

        default:

            RNP_LOG("invalid format");

            return false;

    } catch (const std::exception &e) {

        RNP_LOG("Failure: %s", e.what());

        return false;

    /* mark it as valid */

    primary_pub.mark_valid();

    primary_sec.mark_valid();

    /* refresh key's data */

    return primary_pub.refresh_data(*desc.crypto.ctx) &&

           primary_sec.refresh_data(*desc.crypto.ctx);

static bool

validate_keygen_subkey(rnp_keygen_subkey_desc_t &desc)

    if (!desc.binding.key_flags) {

        RNP_LOG("key flags are required");

        return false;

    } else if (desc.binding.key_flags & ~pgp_pk_alg_capabilities(desc.crypto.key_alg)) {

        // check the flags against the alg capabilities

        RNP_LOG("usage not permitted for pk algorithm");

        return false;

    return true;

static void

keygen_subkey_merge_defaults(rnp_keygen_subkey_desc_t &desc)

    keygen_merge_crypto_defaults(desc.crypto);

    if (!desc.binding.key_flags) {

        // set some default key flags if none are provided

        desc.binding.key_flags = pk_alg_default_flags(desc.crypto.key_alg);

bool

pgp_generate_subkey(rnp_keygen_subkey_desc_t &     desc,

                    bool                           merge_defaults,

                    pgp_key_t &                    primary_sec,

                    pgp_key_t &                    primary_pub,

                    pgp_key_t &                    subkey_sec,

                    pgp_key_t &                    subkey_pub,

                    const pgp_password_provider_t &password_provider,

                    pgp_key_store_format_t         secformat)

    // validate args

    if (!primary_sec.is_primary() || !primary_pub.is_primary() || !primary_sec.is_secret() ||

        !primary_pub.is_public()) {

        RNP_LOG("invalid parameters");

        return false;

    if (subkey_sec.type() || subkey_pub.type()) {

        RNP_LOG("invalid parameters (should be zeroed)");

        return false;

    // merge some defaults in, if requested

    if (merge_defaults) {

        keygen_subkey_merge_defaults(desc);

    // now validate the keygen fields

    if (!validate_keygen_subkey(desc)) {

        return false;

    try {

        /* decrypt the primary seckey if needed (for signatures) */

        rnp::KeyLocker primlock(primary_sec);

        if (primary_sec.encrypted() &&

            !primary_sec.unlock(password_provider, PGP_OP_ADD_SUBKEY)) {

            RNP_LOG("Failed to unlock primary key.");

            return false;

        /* generate the raw subkey */

        pgp_key_pkt_t secpkt;

        if (!pgp_generate_seckey(desc.crypto, secpkt, false)) {

            return false;

        pgp_key_pkt_t pubpkt = pgp_key_pkt_t(secpkt, true);

        pgp_key_t     sec(secpkt, primary_sec);

        pgp_key_t     pub(pubpkt, primary_pub);

        /* add binding */

        primary_sec.add_sub_binding(

          sec, pub, desc.binding, desc.crypto.hash_alg, *desc.crypto.ctx);

        /* copy to the result */

        subkey_pub = std::move(pub);

        switch (secformat) {

        case PGP_KEY_STORE_GPG:

        case PGP_KEY_STORE_KBX:

            subkey_sec = std::move(sec);

            break;

        case PGP_KEY_STORE_G10:

            if (!load_generated_g10_key(

                  &subkey_sec, &secpkt, &primary_sec, &subkey_pub, *desc.crypto.ctx)) {

                RNP_LOG("failed to load generated key");

                return false;

            break;

        default:

            RNP_LOG("invalid format");

            return false;

        subkey_pub.mark_valid();

        subkey_sec.mark_valid();

        return subkey_pub.refresh_data(&primary_pub, *desc.crypto.ctx) &&

               subkey_sec.refresh_data(&primary_sec, *desc.crypto.ctx);

    } catch (const std::exception &e) {

        RNP_LOG("Subkey generation failed: %s", e.what());

        return false;