[svn] GnuPG - r4466 - in trunk: . agent doc sm
svn author wk
cvs at cvs.gnupg.org
Tue Mar 20 11:00:56 CET 2007
Author: wk
Date: 2007-03-20 11:00:55 +0100 (Tue, 20 Mar 2007)
New Revision: 4466
Modified:
trunk/NEWS
trunk/agent/ChangeLog
trunk/agent/minip12.c
trunk/agent/minip12.h
trunk/agent/protect-tool.c
trunk/doc/gpgsm.texi
trunk/sm/ChangeLog
trunk/sm/export.c
trunk/sm/gpgsm.c
trunk/sm/gpgsm.h
Log:
Allow setting of the passphrase encoding of pkcs#12 files.
New option --p12-charset.
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/NEWS 2007-03-20 10:00:55 UTC (rev 4466)
@@ -5,7 +5,7 @@
without the funopen/fopencookie API.
* PKCS#12 import now tries several encodings in case the passphrase
- was not utf-8 encoded.
+ was not utf-8 encoded. New option --p12-charset for gpgsm.
Noteworthy changes in version 2.0.3 (2007-03-08)
Modified: trunk/agent/ChangeLog
===================================================================
--- trunk/agent/ChangeLog 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/agent/ChangeLog 2007-03-20 10:00:55 UTC (rev 4466)
@@ -1,3 +1,8 @@
+2007-03-20 Werner Koch <wk at g10code.com>
+
+ * protect-tool.c: New option --p12-charset.
+ * minip12.c (p12_build): Implement it.
+
2007-03-19 Werner Koch <wk at g10code.com>
* minip12.c: Include iconv.h.
Modified: trunk/agent/minip12.c
===================================================================
--- trunk/agent/minip12.c 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/agent/minip12.c 2007-03-20 10:00:55 UTC (rev 4466)
@@ -28,11 +28,11 @@
#include <assert.h>
#include <gcrypt.h>
#include <iconv.h>
+#include <errno.h>
#ifdef TEST
#include <sys/stat.h>
#include <unistd.h>
-#include <errno.h>
#endif
#include "../jnlib/logging.h"
@@ -518,6 +518,10 @@
"ISO-8859-8",
"ISO-8859-9",
"KOI8-R",
+ "IBM437",
+ "IBM850",
+ "EUC-JP",
+ "BIG5",
NULL
};
int charsetidx = 0;
@@ -2139,25 +2143,75 @@
}
-/* Expect the RSA key parameters in KPARMS and a password in
- PW. Create a PKCS structure from it and return it as well as the
- length in R_LENGTH; return NULL in case of an error. */
+/* Expect the RSA key parameters in KPARMS and a password in PW.
+ Create a PKCS structure from it and return it as well as the length
+ in R_LENGTH; return NULL in case of an error. If CHARSET is not
+ NULL, re-encode PW to that character set. */
unsigned char *
p12_build (gcry_mpi_t *kparms, unsigned char *cert, size_t certlen,
- const char *pw, size_t *r_length)
+ const char *pw, const char *charset, size_t *r_length)
{
- unsigned char *buffer;
+ unsigned char *buffer = NULL;
size_t n, buflen;
char salt[8];
struct buffer_s seqlist[3];
int seqlistidx = 0;
unsigned char sha1hash[20];
char keyidstr[8+1];
+ char *pwbuf = NULL;
+ size_t pwbufsize = 0;
n = buflen = 0; /* (avoid compiler warning). */
memset (sha1hash, 0, 20);
*keyidstr = 0;
+ if (charset && pw && *pw)
+ {
+ iconv_t cd;
+ const char *inptr;
+ char *outptr;
+ size_t inbytes, outbytes;
+
+ /* We assume that the converted passphrase is at max 2 times
+ longer than its utf-8 encoding. */
+ pwbufsize = strlen (pw)*2 + 1;
+ pwbuf = gcry_malloc_secure (pwbufsize);
+ if (!pwbuf)
+ {
+ log_error ("out of secure memory while converting passphrase\n");
+ goto failure;
+ }
+
+ cd = iconv_open (charset, "utf-8");
+ if (cd == (iconv_t)(-1))
+ {
+ log_error ("can't convert passphrase to"
+ " requested charset `%s': %s\n",
+ charset, strerror (errno));
+ gcry_free (pwbuf);
+ goto failure;
+ }
+
+ inptr = pw;
+ inbytes = strlen (pw);
+ outptr = pwbuf;
+ outbytes = pwbufsize - 1;
+ if ( iconv (cd, (ICONV_CONST char **)&inptr, &inbytes,
+ &outptr, &outbytes) == (size_t)-1)
+ {
+ log_error ("error converting passphrase to"
+ " requested charset `%s': %s\n",
+ charset, strerror (errno));
+ gcry_free (pwbuf);
+ iconv_close (cd);
+ goto failure;
+ }
+ *outptr = 0;
+ iconv_close (cd);
+ pw = pwbuf;
+ }
+
+
if (cert && certlen)
{
/* Calculate the hash value we need for the bag attributes. */
@@ -2219,6 +2273,11 @@
buffer = create_final (seqlist, pw, &buflen);
failure:
+ if (pwbuf)
+ {
+ wipememory (pwbuf, pwbufsize);
+ gcry_free (pwbuf);
+ }
for ( ; seqlistidx; seqlistidx--)
gcry_free (seqlist[seqlistidx].buffer);
Modified: trunk/agent/minip12.h
===================================================================
--- trunk/agent/minip12.h 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/agent/minip12.h 2007-03-20 10:00:55 UTC (rev 4466)
@@ -31,7 +31,8 @@
unsigned char *p12_build (gcry_mpi_t *kparms,
unsigned char *cert, size_t certlen,
- const char *pw, size_t *r_length);
+ const char *pw, const char *charset,
+ size_t *r_length);
#endif /*MINIP12_H*/
Modified: trunk/agent/protect-tool.c
===================================================================
--- trunk/agent/protect-tool.c 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/agent/protect-tool.c 2007-03-20 10:00:55 UTC (rev 4466)
@@ -65,6 +65,7 @@
oP12Import,
oP12Export,
+ oP12Charset,
oStore,
oForce,
oHaveCert,
@@ -96,6 +97,7 @@
static const char *opt_passphrase;
static char *opt_prompt;
static int opt_status_msg;
+static const char *opt_p12_charset;
static char *get_passphrase (int promptno, int opt_check);
static char *get_new_passphrase (int promptno);
@@ -118,8 +120,10 @@
{ oShowShadowInfo, "show-shadow-info", 256, "return the shadow info"},
{ oShowKeygrip, "show-keygrip", 256, "show the \"keygrip\""},
- { oP12Import, "p12-import", 256, "import a PKCS-12 encoded private key"},
- { oP12Export, "p12-export", 256, "export a private key PKCS-12 encoded"},
+ { oP12Import, "p12-import", 256, "import a pkcs#12 encoded private key"},
+ { oP12Export, "p12-export", 256, "export a private key pkcs#12 encoded"},
+ { oP12Charset,"p12-charset", 2,
+ "|NAME|set charset for a new PKCS#12 passphrase to NAME" },
{ oHaveCert, "have-cert", 0, "certificate to export provided on STDIN"},
{ oStore, "store", 0, "store the created key in the appropriate place"},
{ oForce, "force", 0, "force overwriting"},
@@ -127,6 +131,7 @@
{ oHomedir, "homedir", 2, "@" },
{ oPrompt, "prompt", 2, "|ESCSTRING|use ESCSTRING as prompt in pinentry"},
{ oStatusMsg, "enable-status-msg", 0, "@"},
+
{0}
};
@@ -987,7 +992,7 @@
kparms[8] = NULL;
key = p12_build (kparms, cert, certlen,
- (pw=get_new_passphrase (3)), &keylen);
+ (pw=get_new_passphrase (3)), opt_p12_charset, &keylen);
release_passphrase (pw);
xfree (cert);
for (i=0; i < 8; i++)
@@ -1101,6 +1106,7 @@
case oShowKeygrip: cmd = oShowKeygrip; break;
case oP12Import: cmd = oP12Import; break;
case oP12Export: cmd = oP12Export; break;
+ case oP12Charset: opt_p12_charset = pargs.r.ret_str; break;
case oPassphrase: opt_passphrase = pargs.r.ret_str; break;
case oStore: opt_store = 1; break;
Modified: trunk/doc/gpgsm.texi
===================================================================
--- trunk/doc/gpgsm.texi 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/doc/gpgsm.texi 2007-03-20 10:00:55 UTC (rev 4466)
@@ -233,11 +233,11 @@
@item --export-secret-key-p12 @var{key-id}
@opindex export
-Export the private key and the certificate identified by @var{key-id}
-in a PKCS#12 format. When using along with the @code{--armor} option
-a few informational lines are prepended to the output. Note, that the
-PKCS#12 format is higly insecure and this command is only provided if
-there is no other way to exchange the private key.
+Export the private key and the certificate identified by @var{key-id} in
+a PKCS#12 format. When using along with the @code{--armor} option a few
+informational lines are prepended to the output. Note, that the PKCS#12
+format is not very secure and this command is only provided if there is
+no other way to exchange the private key. (@pxref{option --p12-charset})
@item --import [@var{files}]
@opindex import
@@ -437,6 +437,19 @@
@opindex assume-binary
Assume the input data is binary encoded.
+ at anchor{option --p12-charset}
+ at item --p12-charset @var{name}
+ at opindex p12-charset
+ at command{gpgsm} uses the UTF-8 encoding when encoding passphrases for
+PKCS#12 files. This option may be used to force the passphrase to be
+encoded in the specified encoding @var{name}. This is useful if the
+application used to import the key uses a different encoding and thus
+won't be able to import a file generated by @command{gpgsm}. Commonly
+used values for @var{name} are @code{Latin1} and @code{CP850}. Note
+that @command{gpgsm} itself automagically imports any file with a
+passphrase encoded to the most commonly used encodings.
+
+
@item --local-user @var{user_id}
@item -u @var{user_id}
@opindex local-user
Modified: trunk/sm/ChangeLog
===================================================================
--- trunk/sm/ChangeLog 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/sm/ChangeLog 2007-03-20 10:00:55 UTC (rev 4466)
@@ -1,3 +1,9 @@
+2007-03-20 Werner Koch <wk at g10code.com>
+
+ * gpgsm.c: Add option --p12-charset.
+ * gpgsm.h (struct opt): Add p12_charset.
+ * export.c (popen_protect_tool): Use new option.
+
2007-03-19 Werner Koch <wk at g10code.com>
Changes to let export and key listing use estream to help systems
Modified: trunk/sm/export.c
===================================================================
--- trunk/sm/export.c 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/sm/export.c 2007-03-20 10:00:55 UTC (rev 4466)
@@ -416,6 +416,12 @@
putc ('\n', fp);
}
+ if (opt.p12_charset)
+ {
+ fprintf (fp, "The passphrase is %s encoded.\n\n",
+ opt.p12_charset);
+ }
+
ctrl->pem_name = "PKCS12";
rc = gpgsm_create_writer (&b64writer, ctrl, fp, NULL, &writer);
if (rc)
@@ -567,6 +573,11 @@
argv[i++] = "--prompt";
argv[i++] = prompt?prompt:"";
argv[i++] = "--enable-status-msg";
+ if (opt.p12_charset)
+ {
+ argv[i++] = "--p12-charset";
+ argv[i++] = opt.p12_charset;
+ }
argv[i++] = "--",
argv[i++] = keygrip,
argv[i] = NULL;
Modified: trunk/sm/gpgsm.c
===================================================================
--- trunk/sm/gpgsm.c 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/sm/gpgsm.c 2007-03-20 10:00:55 UTC (rev 4466)
@@ -131,6 +131,7 @@
oBase64,
oNoArmor,
+ oP12Charset,
oDisableCRLChecks,
oEnableCRLChecks,
@@ -280,6 +281,8 @@
{ oArmor, "armor", 0, N_("create ascii armored output")},
{ oArmor, "armour", 0, "@" },
{ oBase64, "base64", 0, N_("create base-64 encoded output")},
+
+ { oP12Charset, "p12-charset", 2, "@" },
{ oAssumeArmor, "assume-armor", 0, N_("assume input is in PEM format")},
{ oAssumeBase64, "assume-base64", 0,
@@ -955,7 +958,7 @@
set_cmd (&cmd, pargs.r_opt);
break;
- /* output encoding selection */
+ /* Output encoding selection. */
case oArmor:
ctrl.create_pem = 1;
break;
@@ -968,7 +971,11 @@
ctrl.create_base64 = 0;
break;
- /* Input encoding selection */
+ case oP12Charset:
+ opt.p12_charset = pargs.r.ret_str;
+ break;
+
+ /* Input encoding selection. */
case oAssumeArmor:
ctrl.autodetect_encoding = 0;
ctrl.is_pem = 1;
Modified: trunk/sm/gpgsm.h
===================================================================
--- trunk/sm/gpgsm.h 2007-03-19 18:54:34 UTC (rev 4465)
+++ trunk/sm/gpgsm.h 2007-03-20 10:00:55 UTC (rev 4466)
@@ -74,6 +74,10 @@
int armor; /* force base64 armoring (see also ctrl.with_base64) */
int no_armor; /* don't try to figure out whether data is base64 armored*/
+ const char *p12_charset; /* Use this charset for encoding the
+ pkcs#12 passphrase. */
+
+
const char *def_cipher_algoid; /* cipher algorithm to use if
nothing else is specified */
More information about the Gnupg-commits
mailing list