const gchar*
egg_openssl_prep_dekinfo (GHashTable *headers)
{
gchar *dekinfo, *hex;
gsize ivlen;
guchar *iv;
/* Create the iv */
ivlen = gcry_cipher_get_algo_blklen (GCRY_CIPHER_3DES);
g_return_val_if_fail (ivlen, NULL);
iv = g_malloc (ivlen);
gcry_create_nonce (iv, ivlen);
/* And encode it into the string */
hex = egg_hex_encode (iv, ivlen);
g_return_val_if_fail (hex, NULL);
dekinfo = g_strdup_printf ("DES-EDE3-CBC,%s", hex);
g_free (hex);
g_free (iv);
g_hash_table_insert (headers, g_strdup ("DEK-Info"), (void*)dekinfo);
g_hash_table_insert (headers, g_strdup ("Proc-Type"), g_strdup ("4,ENCRYPTED"));
return dekinfo;
}
static void
imported_object (GckObject *object,
const gchar *destination)
{
gulong attr_types[3];
GckAttributes *attrs;
const GckAttribute *id;
CK_OBJECT_CLASS klass;
const gchar *message;
GError *err = NULL;
gchar *label, *hex;
attr_types[0] = CKA_LABEL;
attr_types[1] = CKA_CLASS;
attr_types[2] = CKA_ID;
attrs = gck_object_get_full (object, attr_types, G_N_ELEMENTS (attr_types), NULL, &err);
if (attrs == NULL) {
gkr_tool_handle_error (&err, "couldn't get imported object info");
return;
}
if (!gck_attributes_find_string (attrs, CKA_LABEL, &label))
label = g_strdup ("unknown");
if (!gck_attributes_find_ulong (attrs, CKA_CLASS, &klass))
klass = CKO_DATA;
id = gck_attributes_find (attrs, CKA_ID);
switch (klass) {
case CKO_CERTIFICATE:
message = "%s: imported certificate: %s\n";
break;
case CKO_DATA:
message = "%s: imported data: %s\n";
break;
case CKO_PRIVATE_KEY:
message = "%s: imported private key: %s\n";
break;
case CKO_PUBLIC_KEY:
message = "%s: imported public key: %s\n";
break;
case CKO_SECRET_KEY:
message = "%s: imported secret key: %s\n";
break;
default:
message = "%s: imported object: %s\n";
break;
};
g_print (message, destination, label);
if (id) {
hex = egg_hex_encode (id->value, id->length);
g_print ("\tidentifier: %s\n", hex);
g_free (hex);
}
gck_attributes_unref (attrs);
g_free (label);
}
/**
* gcr_certificate_get_serial_number_hex:
* @self: a #GcrCertificate
*
* Get the serial number of the certificate as a hex string.
*
* The caller should free the returned data using g_free() when
* it is no longer required.
*
* Returns: an allocated string containing the serial number as hex.
*/
gchar*
gcr_certificate_get_serial_number_hex (GcrCertificate *self)
{
guchar *serial;
gsize n_serial;
gchar *hex;
g_return_val_if_fail (GCR_IS_CERTIFICATE (self), NULL);
serial = gcr_certificate_get_serial_number (self, &n_serial);
if (serial == NULL)
return NULL;
hex = egg_hex_encode (serial, n_serial);
g_free (serial);
return hex;
}
/**
* builder: The GTKBuilder
* password_type: password type description
*
* Reads the encrypted data from the prompt and transfers it using output_data.
* If crypto is available, it uses crypto.
*
**/
static void
gather_password (GtkBuilder *builder, const gchar *password_type)
{
GtkEntry *entry;
gchar iv[16];
gpointer data;
gsize n_data;
gchar *name;
const gchar *text;
gchar *value;
name = g_strdup_printf ("%s_entry", password_type);
entry = GTK_ENTRY (gtk_builder_get_object (builder, name));
g_return_if_fail (GTK_IS_ENTRY (entry));
g_free (name);
if (!gtk_widget_get_realized (GTK_WIDGET (entry)))
return;
/* A non-encrypted password: just send the value back */
if (!g_key_file_has_group (input_data, "transport")) {
text = gtk_entry_get_text (entry);
value = egg_hex_encode ((const guchar*)text, strlen (text));
g_key_file_set_string (output_data, password_type, "parameter", "");
g_key_file_set_string (output_data, password_type, "value", value);
g_free (value);
return;
}
if (!the_key && !negotiate_transport_crypto ()) {
g_warning ("couldn't negotiate transport crypto for password");
return;
}
gcry_create_nonce (iv, sizeof (iv));
data = gku_prompt_util_encrypt_text (the_key, n_the_key, iv, sizeof (iv),
gtk_entry_get_text (entry), &n_data);
g_return_if_fail (data);
gku_prompt_util_encode_hex (output_data, password_type, "parameter", iv, sizeof (iv));
gku_prompt_util_encode_hex (output_data, password_type, "value", data, n_data);
g_free (data);
}
static void
dump_certificate_complete (GNode *asn)
{
GNode *cert;
gchar *issuer, *serial, *subject;
gconstpointer element;
gpointer data;
gsize n_data, n_element;
/* Parse the certificate out */
cert = egg_asn1x_create (pkix_asn1_tab, "Certificate");
g_return_if_fail (cert);
element = egg_asn1x_get_raw_element (asn, &n_element);
g_return_if_fail (element);
if (!egg_asn1x_decode (cert, element, n_element))
barf_and_die ("couldn't parse certificate", egg_asn1x_message (cert));
issuer = egg_dn_read (egg_asn1x_node (asn, "issuer", NULL));
g_return_if_fail (issuer);
subject = egg_dn_read (egg_asn1x_node (asn, "subject", NULL));
g_return_if_fail (subject);
data = egg_asn1x_get_integer_as_raw (egg_asn1x_node (asn, "serial", NULL), NULL, &n_data);
g_return_if_fail (data && n_data);
serial = egg_hex_encode (data, n_data);
g_free (data);
g_print ("Complete\n");
g_print (" issuer: %s\n", issuer);
g_print (" subject: %s\n", subject);
g_print (" serial: 0x%s\n", serial);
egg_asn1x_destroy (cert);
g_free (data);
g_free (serial);
g_free (issuer);
g_free (subject);
}
static gchar*
identifier_for_object (GkmObject *object)
{
GkmSerializableIface *serial;
const gchar *ext;
gchar *identifier;
gchar *name = NULL;
guchar *data;
gsize n_data;
g_assert (GKM_IS_OBJECT (object));
g_assert (GKM_IS_SERIALIZABLE (object));
/* Figure out the extension and prefix */
serial = GKM_SERIALIZABLE_GET_INTERFACE (object);
ext = serial->extension;
g_return_val_if_fail (ext, NULL);
/* First we try to use the CN of a subject */
data = gkm_object_get_attribute_data (object, NULL, CKA_SUBJECT, &n_data);
if (data && n_data)
name = name_for_subject (data, n_data);
g_free (data);
/* Next we try hex encoding the ID */
if (name == NULL) {
data = gkm_object_get_attribute_data (object, NULL, CKA_ID, &n_data);
if (data && n_data)
name = egg_hex_encode (data, n_data);
g_free (data);
}
/* Build up the identifier */
identifier = g_strconcat (name, ext, NULL);
g_strdelimit (identifier, UNWANTED_IDENTIFIER_CHARS, '_');
g_free (name);
return identifier;
}
static void
dump_certificate_reference (GNode *asn)
{
gchar *issuer, *serial;
gpointer data;
gsize n_data;
GNode *name;
gconstpointer element;
gsize n_element;
/* Parse the name out */
name = egg_asn1x_create (pkix_asn1_tab, "Name");
g_return_if_fail (name);
element = egg_asn1x_get_raw_element (egg_asn1x_node (asn, "issuer", NULL), &n_element);
g_return_if_fail (element);
if (!egg_asn1x_decode (name, element, n_element))
barf_and_die ("couldn't parse certificate", egg_asn1x_message (name));
issuer = egg_dn_read (name);
g_return_if_fail (issuer);
data = egg_asn1x_get_integer_as_raw (egg_asn1x_node (asn, "serial", NULL), NULL, &n_data);
g_return_if_fail (data && n_data);
serial = egg_hex_encode (data, n_data);
g_free (data);
g_print ("Reference\n");
g_print (" issuer: %s\n", issuer);
g_print (" serial: 0x%s\n", serial);
egg_asn1x_destroy (name);
g_free (data);
g_free (serial);
g_free (issuer);
}
static SecretValue *
service_decode_aes_secret (SecretSession *session,
gconstpointer param,
gsize n_param,
gconstpointer value,
gsize n_value,
const gchar *content_type)
{
gcry_cipher_hd_t cih;
gsize n_padded;
gcry_error_t gcry;
guchar *padded;
gsize pos;
if (n_param != 16) {
g_message ("received an encrypted secret structure with invalid parameter");
return NULL;
}
if (n_value == 0 || n_value % 16 != 0) {
g_message ("received an encrypted secret structure with bad secret length");
return NULL;
}
gcry = gcry_cipher_open (&cih, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
if (gcry != 0) {
g_warning ("couldn't create AES cipher: %s", gcry_strerror (gcry));
return NULL;
}
#if 0
g_printerr (" lib iv: %s\n", egg_hex_encode (param, n_param));
#endif
gcry = gcry_cipher_setiv (cih, param, n_param);
g_return_val_if_fail (gcry == 0, NULL);
#if 0
g_printerr (" lib key: %s\n", egg_hex_encode (session->key, session->n_key));
#endif
gcry = gcry_cipher_setkey (cih, session->key, session->n_key);
g_return_val_if_fail (gcry == 0, NULL);
/* Copy the memory buffer */
n_padded = n_value;
padded = egg_secure_alloc (n_padded);
memcpy (padded, value, n_padded);
/* Perform the decryption */
for (pos = 0; pos < n_padded; pos += 16) {
gcry = gcry_cipher_decrypt (cih, (guchar*)padded + pos, 16, NULL, 0);
g_return_val_if_fail (gcry == 0, FALSE);
}
gcry_cipher_close (cih);
/* Unpad the resulting value */
if (!pkcs7_unpad_bytes_in_place (padded, &n_padded)) {
egg_secure_clear (padded, n_padded);
egg_secure_free (padded);
g_message ("received an invalid or unencryptable secret");
return FALSE;
}
return secret_value_new_full ((gchar *)padded, n_padded, content_type, egg_secure_free);
}
static gboolean
response_open_session_aes (SecretSession *session,
GVariant *response)
{
gconstpointer buffer;
GVariant *argument;
const gchar *sig;
gsize n_buffer;
gcry_mpi_t peer;
gcry_error_t gcry;
gpointer ikm;
gsize n_ikm;
sig = g_variant_get_type_string (response);
g_return_val_if_fail (sig != NULL, FALSE);
if (!g_str_equal (sig, "(vo)")) {
g_warning ("invalid OpenSession() response from daemon with signature: %s", sig);
return FALSE;
}
g_assert (session->path == NULL);
g_variant_get (response, "(vo)", &argument, &session->path);
buffer = g_variant_get_fixed_array (argument, &n_buffer, sizeof (guchar));
gcry = gcry_mpi_scan (&peer, GCRYMPI_FMT_USG, buffer, n_buffer, NULL);
g_return_val_if_fail (gcry == 0, FALSE);
g_variant_unref (argument);
#if 0
g_printerr (" lib publi: ");
gcry_mpi_dump (session->publi);
g_printerr ("\n lib peer: ");
gcry_mpi_dump (peer);
g_printerr ("\n");
#endif
ikm = egg_dh_gen_secret (peer, session->privat, session->prime, &n_ikm);
gcry_mpi_release (peer);
#if 0
g_printerr (" lib ikm: %s\n", egg_hex_encode (ikm, n_ikm));
#endif
if (ikm == NULL) {
g_warning ("couldn't negotiate a valid AES session key");
g_free (session->path);
session->path = NULL;
return FALSE;
}
session->n_key = 16;
session->key = egg_secure_alloc (session->n_key);
if (!egg_hkdf_perform ("sha256", ikm, n_ikm, NULL, 0, NULL, 0,
session->key, session->n_key))
g_return_val_if_reached (FALSE);
egg_secure_free (ikm);
session->algorithms = ALGORITHMS_AES;
return TRUE;
}
