export.c File Reference

GPG public key export implementation. More...

Go to the source code of this file.

Functions
int	gpg_get_public_key (const char *key_id, uint8_t *public_key_out, char *keygrip_out)

Detailed Description

GPG public key export implementation.

Definition in file export.c.

Function Documentation

gpg_get_public_key()

int gpg_get_public_key	(	const char *	key_id,
		uint8_t *	public_key_out,
		char *	keygrip_out
	)

Definition at line 251 of file export.c.

                                                                                       {
  if (!key_id || !public_key_out) {
    log_error("Invalid arguments to gpg_get_public_key");
    return -1;
  }
 
  // SECURITY: Validate key_id to prevent command injection
  // GPG key IDs should be hexadecimal (0-9, a-f, A-F)
  if (!validate_shell_safe(key_id, NULL)) {
    log_error("Invalid GPG key ID format - contains unsafe characters: %s", key_id);
    return -1;
  }
 
  // Additional validation: ensure key_id is hex alphanumeric
  for (size_t i = 0; key_id[i] != '\0'; i++) {
    if (!isxdigit((unsigned char)key_id[i])) {
      log_error("Invalid GPG key ID format - must be hexadecimal: %s", key_id);
      return -1;
    }
  }
 
  // Escape key_id for safe use in shell command (single quotes)
  char escaped_key_id[BUFFER_SIZE_MEDIUM];
  if (!escape_shell_single_quotes(key_id, escaped_key_id, sizeof(escaped_key_id))) {
    log_error("Failed to escape GPG key ID for shell command");
    return -1;
  }
 
  // Use gpg to list the key and get the keygrip
  char cmd[BUFFER_SIZE_LARGE];
  safe_snprintf(cmd, sizeof(cmd), "gpg --list-keys --with-keygrip --with-colons 0x%s " PLATFORM_SHELL_NULL_REDIRECT,
                escaped_key_id);
 
  FILE *fp = NULL;
  if (platform_popen(cmd, "r", &fp) != ASCIICHAT_OK || !fp) {
    log_error("Failed to run gpg command - GPG may not be installed");
#ifdef _WIN32
    log_error("To install GPG on Windows, download Gpg4win from:");
    log_error("  https://www.gpg4win.org/download.html");
#elif defined(__APPLE__)
    log_error("To install GPG on macOS, use Homebrew:");
    log_error("  brew install gnupg");
#else
    log_error("To install GPG on Linux:");
    log_error("  Debian/Ubuntu: sudo apt-get install gnupg");
    log_error("  Fedora/RHEL:   sudo dnf install gnupg2");
    log_error("  Arch Linux:    sudo pacman -S gnupg");
    log_error("  Alpine Linux:  sudo apk add gnupg");
#endif
    return -1;
  }
 
  char line[BUFFER_SIZE_XLARGE];
  char found_keygrip[128] = {0};
  bool found_key = false;
 
  // Parse gpg output
  // Format: pub:..., grp:::::::::<keygrip>:
  while (fgets(line, sizeof(line), fp)) {
    if (strncmp(line, "pub:", 4) == 0) {
      // Found the public key line
      found_key = true;
    } else if (found_key && strncmp(line, "grp:", 4) == 0) {
      // Extract keygrip using PCRE2 regex
      // Format: grp:::::::::D52FF935FBA59609EE65E1685287828242A1EA1A:
      char *keygrip_extracted = NULL;
 
      if (crypto_regex_extract_gpg_keygrip(line, &keygrip_extracted)) {
        // Successfully extracted keygrip
        SAFE_STRNCPY(found_keygrip, keygrip_extracted, sizeof(found_keygrip));
        if (keygrip_out) {
          SAFE_STRNCPY(keygrip_out, found_keygrip, 41);
        }
        SAFE_FREE(keygrip_extracted);
      } else {
        // Fallback to manual parsing if regex fails
        const char *grp_start = line + 4;
        int colon_count = 0;
        while (*grp_start && colon_count < 8) {
          if (*grp_start == ':') {
            colon_count++;
          }
          grp_start++;
        }
 
        if (colon_count == 8) {
          const char *grp_end = strchr(grp_start, ':');
          if (grp_end) {
            size_t grp_len = grp_end - grp_start;
            if (grp_len < sizeof(found_keygrip)) {
              memcpy(found_keygrip, grp_start, grp_len);
              found_keygrip[grp_len] = '\0';
 
              if (keygrip_out) {
                SAFE_STRNCPY(keygrip_out, found_keygrip, 41);
              }
            }
          }
        }
      }
      break;
    }
  }
 
  platform_pclose(&fp);
 
  if (!found_key || strlen(found_keygrip) == 0) {
    log_error("Could not find GPG key with ID: %s", key_id);
    return -1;
  }
 
  log_debug("Found keygrip for key %s: %s", key_id, found_keygrip);
 
  // Try to use GPG agent API to read the public key directly via READKEY command
  int agent_sock = gpg_agent_connect();
  if (agent_sock < 0) {
    log_debug("GPG agent not available, falling back to gpg --export for public key extraction");
    // Fallback: Use gpg --export to get the public key
    int export_result = gpg_export_public_key(key_id, public_key_out);
    if (export_result == 0) {
      log_debug("Successfully extracted public key using fallback method");
    } else {
      log_error("Fallback public key extraction failed for key ID: %s", key_id);
    }
    return export_result;
  }
 
  // Send READKEY command with keygrip to get the public key S-expression
  char readkey_cmd[BUFFER_SIZE_SMALL];
  safe_snprintf(readkey_cmd, sizeof(readkey_cmd), "READKEY %s\n", found_keygrip);
 
  // Cast agent_sock back to pipe_t (gpg_agent_connect returns pipe_t cast to int for portability)
  pipe_t agent_pipe = (pipe_t)(intptr_t)agent_sock;
  ssize_t bytes_written = platform_pipe_write(agent_pipe, (const unsigned char *)readkey_cmd, strlen(readkey_cmd));
  if (bytes_written != (ssize_t)strlen(readkey_cmd)) {
    log_error("Failed to send READKEY command to GPG agent");
    gpg_agent_disconnect(agent_sock);
    return -1;
  }
 
  // Read the response (public key S-expression)
  char response[BUFFER_SIZE_XXXLARGE];
  memset(response, 0, sizeof(response));
  ssize_t bytes_read = platform_pipe_read(agent_pipe, (unsigned char *)response, sizeof(response) - 1);
 
  gpg_agent_disconnect(agent_sock);
 
  if (bytes_read <= 0) {
    log_error("Failed to read READKEY response from GPG agent");
    return -1;
  }
 
  // Parse the S-expression to extract Ed25519 public key (q value)
  // GPG agent returns binary S-expressions in format: (1:q<length>:<binary-data>)
  // Example: (1:q33:<33-bytes>) where first byte is 0x40 (Ed25519 prefix), then 32-byte key
  const char *q_marker = strstr(response, "(1:q");
  if (!q_marker) {
    log_warn("Failed to find public key (1:q) in GPG agent READKEY response, trying gpg --export fallback");
    log_debug("Response was: %.*s", (int)(bytes_read < 200 ? bytes_read : 200), response);
    gpg_agent_disconnect(agent_sock);
 
    // Fallback: Use gpg --export for public-only keys
    int export_result = gpg_export_public_key(key_id, public_key_out);
    if (export_result == 0) {
      log_debug("Successfully extracted public key using gpg --export fallback");
    } else {
      log_error("Fallback public key extraction failed for key ID: %s", key_id);
    }
    return export_result;
  }
 
  // Skip "(1:q" to get to the length field
  const char *len_start = q_marker + 4;
 
  // Parse the length (e.g., "33:")
  char *colon = strchr(len_start, ':');
  if (!colon) {
    log_error("Malformed S-expression: missing colon after length");
    return -1;
  }
 
  size_t key_len = strtoul(len_start, NULL, 10);
  if (key_len != 33) {
    log_error("Unexpected Ed25519 public key length: %zu bytes (expected 33)", key_len);
    return -1;
  }
 
  // Skip the colon to get to the binary data
  const unsigned char *binary_start = (const unsigned char *)(colon + 1);
 
  // Ed25519 public keys in GPG format have a 0x40 prefix byte, then 32 bytes of actual key
  if (binary_start[0] != 0x40) {
    log_error("Invalid Ed25519 public key prefix: 0x%02x (expected 0x40)", binary_start[0]);
    return -1;
  }
 
  // Copy the 32-byte public key (skip the 0x40 prefix)
  memcpy(public_key_out, binary_start + 1, 32);
 
  log_debug("Extracted Ed25519 public key from GPG agent via READKEY command");
  return 0;
}

References bytes_written, crypto_regex_extract_gpg_keygrip(), escape_shell_single_quotes(), gpg_agent_connect(), gpg_agent_disconnect(), safe_snprintf(), and validate_shell_safe().

Referenced by extract_ed25519_from_gpg(), and parse_private_key().