security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-03 12:11:33 +01:00
Code Activity

Smartcard related updates

Browse Source
This commit is contained in:
Werner Koch 2010-11-17 13:21:24 +00:00
parent b97aeb03d5
commit 0103a53aa6
14 changed files with 275 additions and 309 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -1,3 +1,7 @@
2010-11-17 Werner Koch <wk@g10code.com>
* configure.ac (ENABLE_CARD_SUPPORT): Define.
2010-10-27 Werner Koch <wk@g10code.com> 2010-10-27 Werner Koch <wk@g10code.com>
* acinclude.m4 (GNUPG_TIME_T_UNSIGNED): New. * acinclude.m4 (GNUPG_TIME_T_UNSIGNED): New.

2
configure.ac
View File

@ -485,7 +485,7 @@ AH_BOTTOM([
#define HTTP_NO_WSASTARTUP #define HTTP_NO_WSASTARTUP
/* We always include support for the OpenPGP card. */ /* We always include support for the OpenPGP card. */
/* Disabled for now ENABLE_CARD_SUPPORT 1 */ #define ENABLE_CARD_SUPPORT 1
/* We explicitly need to disable PTH's soft mapping as Debian /* We explicitly need to disable PTH's soft mapping as Debian
currently enables it by default for no reason. */ currently enables it by default for no reason. */

3
doc/DETAILS
View File

@ -817,7 +817,8 @@ The format of this file is as follows:
The filename is used until a new filename is used (at commit points) The filename is used until a new filename is used (at commit points)
and all keys are written to that file. If a new filename is given, and all keys are written to that file. If a new filename is given,
this file is created (and overwrites an existing one). this file is created (and overwrites an existing one).
Both control statements must be given. GnuPG < 2.1: Both control statements must be given.
GnuPG >= 2.1: "%secring" is now a no-op.
%ask-passphrase %ask-passphrase
Enable a mode where the command "passphrase" is ignored and Enable a mode where the command "passphrase" is ignored and
instead the usual passphrase dialog is used. This does not instead the usual passphrase dialog is used. This does not

21
g10/ChangeLog
View File

@ -1,3 +1,24 @@
2010-11-17 Werner Koch <wk@g10code.com>
* keyedit.c (find_pk_from_sknode): Remove.
* misc.c (get_signature_count): Call agent.
* keygen.c (gen_card_key): Rework. Remove arg PARA.
(generate_keypair): Change arg BACKUP_ENCRYPTION_DIR to the flag
CARD_BACKUP_KEY.
(pBACKUPENCDIR): Change to pCARDBACKUPKEY.
(struct output_control_s): Remove struct SEC. Remove all usages
of it.
(gen_card_key_with_backup): Remove arg BACKUP_DIR.
* call-agent.c (agent_scd_genkey): Remove extra memset.
2010-11-16 Werner Koch <wk@g10code.com>
* keygen.c (generate_card_subkeypair): Remove arg SEC_KEYBLOCK and
change to return an error code. Rework for removed secring code.
* card-util.c (card_generate_subkey): Remove arg SEC_KEYBLOCK.
Return an error code instead of a success flag. Change caller.
2010-10-29 David Shaw <dshaw@jabberwocky.com> 2010-10-29 David Shaw <dshaw@jabberwocky.com>
* pkclist.c (select_algo_from_prefs): Make sure the scores can't * pkclist.c (select_algo_from_prefs): Make sure the scores can't

8
g10/call-agent.c
View File

@ -771,10 +771,9 @@ scd_genkey_cb (void *opaque, const char *line)
} }
/* Send a GENKEY command to the SCdaemon. SERIALNO is not used in /* Send a GENKEY command to the SCdaemon. SERIALNO is not used in
this implementation. If CREATEDATE has been given, it will be this implementation. If CREATEDATE is not 0, it will be passed to
passed to SCDAEMON so that the key can be created with this SCDAEMON so that the key is created with this timestamp. INFO will
timestamp; note the user needs to use the returned timestamp as old receive information about the generated key. */
versions of scddaemon don't support this option. */
int int
agent_scd_genkey (struct agent_card_genkey_s *info, int keyno, int force, agent_scd_genkey (struct agent_card_genkey_s *info, int keyno, int force,
const char *serialno, u32 createtime) const char *serialno, u32 createtime)
@ -794,7 +793,6 @@ agent_scd_genkey (struct agent_card_genkey_s *info, int keyno, int force,
else else
*tbuf = 0; *tbuf = 0;
memset (info, 0, sizeof *info);
snprintf (line, DIM(line)-1, "SCD GENKEY %s%s %s %d", snprintf (line, DIM(line)-1, "SCD GENKEY %s%s %s %d",
*tbuf? "--timestamp=":"", tbuf, *tbuf? "--timestamp=":"", tbuf,
force? "--force":"", force? "--force":"",

35
g10/card-util.c
View File

@ -581,11 +581,12 @@ card_status (estream_t fp, char *serialno, size_t serialnobuflen)
if ( thefpr && !fpr_is_ff (thefpr) if ( thefpr && !fpr_is_ff (thefpr)
&& !get_pubkey_byfprint (pk, thefpr, 20)) && !get_pubkey_byfprint (pk, thefpr, 20))
{ {
KBNODE keyblock = NULL;
print_pubkey_info (fp, pk); print_pubkey_info (fp, pk);
#if GNUPG_MAJOR_VERSION == 1 #if GNUPG_MAJOR_VERSION == 1
{
kbnode_t keyblock = NULL;
if ( !get_seckeyblock_byfprint (&keyblock, thefpr, 20) ) if ( !get_seckeyblock_byfprint (&keyblock, thefpr, 20) )
print_card_key_info (fp, keyblock); print_card_key_info (fp, keyblock);
else if ( !get_keyblock_byfprint (&keyblock, thefpr, 20) ) else if ( !get_keyblock_byfprint (&keyblock, thefpr, 20) )
@ -604,6 +605,7 @@ card_status (estream_t fp, char *serialno, size_t serialnobuflen)
} }
release_kbnode (keyblock); release_kbnode (keyblock);
}
#endif /* GNUPG_MAJOR_VERSION == 1 */ #endif /* GNUPG_MAJOR_VERSION == 1 */
} }
else else
@ -1431,7 +1433,7 @@ generate_card_keys (void)
the serialnumber and thus it won't harm. */ the serialnumber and thus it won't harm. */
} }
generate_keypair (NULL, info.serialno, want_backup? opt.homedir:NULL); generate_keypair (NULL, info.serialno, want_backup);
leave: leave:
agent_release_card_info (&info); agent_release_card_info (&info);
@ -1441,16 +1443,17 @@ generate_card_keys (void)
/* This function is used by the key edit menu to generate an arbitrary /* This function is used by the key edit menu to generate an arbitrary
subkey. */ subkey. */
int gpg_error_t
card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock) card_generate_subkey (KBNODE pub_keyblock)
{ {
gpg_error_t err;
struct agent_card_info_s info; struct agent_card_info_s info;
int okay = 0;
int forced_chv1 = 0; int forced_chv1 = 0;
int keyno; int keyno;
if (get_info_for_key_operation (&info)) err = get_info_for_key_operation (&info);
return 0; if (err)
return err;
show_card_key_info (&info); show_card_key_info (&info);
@ -1468,6 +1471,7 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
if (*answer == CONTROL_D) if (*answer == CONTROL_D)
{ {
xfree (answer); xfree (answer);
err = gpg_error (GPG_ERR_CANCELED);
goto leave; goto leave;
} }
keyno = *answer? atoi(answer): 0; keyno = *answer? atoi(answer): 0;
@ -1478,9 +1482,13 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
} }
if (replace_existing_key_p (&info, keyno)) if (replace_existing_key_p (&info, keyno))
{
err = gpg_error (GPG_ERR_CANCELED);
goto leave; goto leave;
}
if (check_pin_for_key_operation (&info, &forced_chv1)) err = check_pin_for_key_operation (&info, &forced_chv1);
if (err)
goto leave; goto leave;
/* If the cards features changeable key attributes, we ask for the /* If the cards features changeable key attributes, we ask for the
@ -1495,7 +1503,8 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
{ {
/* Error: Better read the default key size again. */ /* Error: Better read the default key size again. */
agent_release_card_info (&info); agent_release_card_info (&info);
if (get_info_for_key_operation (&info)) err = get_info_for_key_operation (&info);
if (err)
goto leave; goto leave;
goto ask_again; goto ask_again;
} }
@ -1503,13 +1512,12 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
the serialnumber and thus it won't harm. */ the serialnumber and thus it won't harm. */
} }
/* xxx = generate_card_subkeypair (pub_keyblock, sec_keyblock, */ err = generate_card_subkeypair (pub_keyblock, keyno, info.serialno);
/* keyno, info.serialno); */
leave: leave:
agent_release_card_info (&info); agent_release_card_info (&info);
restore_forced_chv1 (&forced_chv1); restore_forced_chv1 (&forced_chv1);
return okay; return err;
} }
@ -1520,6 +1528,7 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
int int
card_store_subkey (KBNODE node, int use) card_store_subkey (KBNODE node, int use)
{ {
log_info ("FIXME: card_store_subkey has not yet been implemented\n");
/* struct agent_card_info_s info; */ /* struct agent_card_info_s info; */
/* int okay = 0; */ /* int okay = 0; */
/* int rc; */ /* int rc; */

4
g10/gpg.c
View File

@ -3705,12 +3705,12 @@ main (int argc, char **argv)
if( opt.batch ) { if( opt.batch ) {
if( argc > 1 ) if( argc > 1 )
wrong_args("--gen-key [parameterfile]"); wrong_args("--gen-key [parameterfile]");
generate_keypair( argc? *argv : NULL, NULL, NULL ); generate_keypair (argc? *argv : NULL, NULL, 0);
} }
else { else {
if( argc ) if( argc )
wrong_args("--gen-key"); wrong_args("--gen-key");
generate_keypair(NULL, NULL, NULL); generate_keypair (NULL, NULL, 0);
} }
break; break;

67
g10/keyedit.c
View File

@ -108,35 +108,6 @@ struct sign_attrib
}; };
#ifdef ENABLE_CARD_SUPPORT
/* Given a node SEC_NODE with a secret key or subkey, locate the
corresponding public key from pub_keyblock. */
static PKT_public_key *
find_pk_from_sknode (KBNODE pub_keyblock, KBNODE sec_node)
{
KBNODE node = pub_keyblock;
PKT_secret_key *sk;
PKT_public_key *pk;
#warning: This is not anymore needed.
if (sec_node->pkt->pkttype == PKT_SECRET_KEY
&& node->pkt->pkttype == PKT_PUBLIC_KEY)
return node->pkt->pkt.public_key;
if (sec_node->pkt->pkttype != PKT_SECRET_SUBKEY)
return NULL;
sk = sec_node->pkt->pkt.secret_key;
for (; node; node = node->next)
if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
{
pk = node->pkt->pkt.public_key;
if (pk->keyid[0] == sk->keyid[0] && pk->keyid[1] == sk->keyid[1])
return pk;
}
return NULL;
}
#endif /* ENABLE_CARD_SUPPORT */
/* TODO: Fix duplicated code between here and the check-sigs/list-sigs /* TODO: Fix duplicated code between here and the check-sigs/list-sigs
code in keylist.c. */ code in keylist.c. */
@ -1833,7 +1804,7 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
#ifdef ENABLE_CARD_SUPPORT #ifdef ENABLE_CARD_SUPPORT
case cmdADDCARDKEY: case cmdADDCARDKEY:
if (card_generate_subkey (keyblock)) if (!card_generate_subkey (keyblock))
{ {
redisplay = 1; redisplay = 1;
modified = 1; modified = 1;
@ -1868,7 +1839,7 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
} }
if (node) if (node)
{ {
PKT_public_key *xxpk = find_pk_from_sknode (keyblock, node); PKT_public_key *xxpk = node->pkt->pkt.public_key;
if (card_store_subkey (node, xxpk ? xxpk->pubkey_usage : 0)) if (card_store_subkey (node, xxpk ? xxpk->pubkey_usage : 0))
{ {
redisplay = 1; redisplay = 1;
@ -1934,25 +1905,25 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
if (cmd == cmdCHECKBKUPKEY) if (cmd == cmdCHECKBKUPKEY)
{ {
PKT_secret_key *sk = node->pkt->pkt.secret_key; /* PKT_public_key *sk = node->pkt->pkt.secret_key; */
switch (is_secret_key_protected (sk)) /* switch (is_secret_key_protected (sk)) */
{ /* { */
case 0: /* Not protected. */ /* case 0: /\* Not protected. *\/ */
tty_printf (_("This key is not protected.\n")); /* tty_printf (_("This key is not protected.\n")); */
break; /* break; */
case -1: /* case -1: */
log_error (_("unknown key protection algorithm\n")); /* log_error (_("unknown key protection algorithm\n")); */
break; /* break; */
default: /* default: */
if (sk->protect.s2k.mode == 1001) /* if (sk->protect.s2k.mode == 1001) */
tty_printf (_("Secret parts of key" /* tty_printf (_("Secret parts of key" */
" are not available.\n")); /* " are not available.\n")); */
if (sk->protect.s2k.mode == 1002) /* if (sk->protect.s2k.mode == 1002) */
tty_printf (_("Secret parts of key" /* tty_printf (_("Secret parts of key" */
" are stored on-card.\n")); /* " are stored on-card.\n")); */
/* else */ /* else */
/* check_secret_key (sk, 0); */ /* check_secret_key (sk, 0); */
} /* } */
} }
else /* Store it. */ else /* Store it. */
{ {

270
g10/keygen.c
View File

@ -78,7 +78,7 @@ enum para_name {
pPASSPHRASE_DEK, pPASSPHRASE_DEK,
pPASSPHRASE_S2K, pPASSPHRASE_S2K,
pSERIALNO, pSERIALNO,
pBACKUPENCDIR, pCARDBACKUPKEY,
pHANDLE, pHANDLE,
pKEYSERVER pKEYSERVER
}; };
@ -98,7 +98,8 @@ struct para_data_s {
} u; } u;
}; };
struct output_control_s { struct output_control_s
{
int lnr; int lnr;
int dryrun; int dryrun;
int ask_passphrase; int ask_passphrase;
@ -110,12 +111,6 @@ struct output_control_s {
IOBUF stream; IOBUF stream;
armor_filter_context_t *afx; armor_filter_context_t *afx;
} pub; } pub;
struct {
char *fname;
char *newfname;
IOBUF stream;
armor_filter_context_t *afx;
} sec;
}; };
@ -137,13 +132,12 @@ static int mdc_available,ks_modify;
static void do_generate_keypair( struct para_data_s *para, static void do_generate_keypair( struct para_data_s *para,
struct output_control_s *outctrl, int card ); struct output_control_s *outctrl, int card );
static int write_keyblock (iobuf_t out, kbnode_t node); static int write_keyblock (iobuf_t out, kbnode_t node);
static int gen_card_key (int algo, int keyno, int is_primary, kbnode_t pub_root, static gpg_error_t gen_card_key (int algo, int keyno, int is_primary,
u32 *timestamp, u32 expireval, kbnode_t pub_root,
struct para_data_s *para); u32 *timestamp, u32 expireval);
static int gen_card_key_with_backup (int algo, int keyno, int is_primary, static int gen_card_key_with_backup (int algo, int keyno, int is_primary,
kbnode_t pub_root, u32 timestamp, kbnode_t pub_root, u32 timestamp,
u32 expireval, struct para_data_s *para, u32 expireval, struct para_data_s *para);
const char *backup_dir);
static void static void
@ -2221,7 +2215,8 @@ release_parameter_list( struct para_data_s *r )
{ {
struct para_data_s *r2; struct para_data_s *r2;
for( ; r ; r = r2 ) { for (; r ; r = r2)
{
r2 = r->next; r2 = r->next;
if (r->key == pPASSPHRASE_DEK) if (r->key == pPASSPHRASE_DEK)
xfree (r->u.dek); xfree (r->u.dek);
@ -2657,11 +2652,6 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
para = r; para = r;
} }
if( !!outctrl->pub.newfname ^ !!outctrl->sec.newfname ) {
log_error("%s:%d: only one ring name is set\n", fname, outctrl->lnr );
return -1;
}
do_generate_keypair( para, outctrl, card ); do_generate_keypair( para, outctrl, card );
return 0; return 0;
} }
@ -2708,7 +2698,6 @@ read_parameter_file( const char *fname )
memset( &outctrl, 0, sizeof( outctrl ) ); memset( &outctrl, 0, sizeof( outctrl ) );
outctrl.pub.afx = new_armor_context (); outctrl.pub.afx = new_armor_context ();
outctrl.sec.afx = new_armor_context ();
if( !fname || !*fname) if( !fname || !*fname)
fname = "-"; fname = "-";
@ -2783,13 +2772,7 @@ read_parameter_file( const char *fname )
} }
} }
else if( !ascii_strcasecmp( keyword, "%secring" ) ) { else if( !ascii_strcasecmp( keyword, "%secring" ) ) {
if( outctrl.sec.fname && !strcmp( outctrl.sec.fname, value ) ) /* Ignore this command. */
; /* still the same file - ignore it */
else {
xfree( outctrl.sec.newfname );
outctrl.sec.newfname = xstrdup( value );
outctrl.use_files = 1;
}
} }
else else
log_info("skipping control `%s' (%s)\n", keyword, value ); log_info("skipping control `%s' (%s)\n", keyword, value );
@ -2865,40 +2848,32 @@ read_parameter_file( const char *fname )
if( outctrl.use_files ) { /* close open streams */ if( outctrl.use_files ) { /* close open streams */
iobuf_close( outctrl.pub.stream ); iobuf_close( outctrl.pub.stream );
iobuf_close( outctrl.sec.stream );
/* Must invalidate that ugly cache to actually close it. */ /* Must invalidate that ugly cache to actually close it. */
if (outctrl.pub.fname) if (outctrl.pub.fname)
iobuf_ioctl (NULL, IOBUF_IOCTL_INVALIDATE_CACHE, iobuf_ioctl (NULL, IOBUF_IOCTL_INVALIDATE_CACHE,
0, (char*)outctrl.pub.fname); 0, (char*)outctrl.pub.fname);
if (outctrl.sec.fname)
iobuf_ioctl (NULL, IOBUF_IOCTL_INVALIDATE_CACHE,
0, (char*)outctrl.sec.fname);
xfree( outctrl.pub.fname ); xfree( outctrl.pub.fname );
xfree( outctrl.pub.newfname ); xfree( outctrl.pub.newfname );
xfree( outctrl.sec.fname );
xfree( outctrl.sec.newfname );
} }
release_parameter_list( para ); release_parameter_list( para );
iobuf_close (fp); iobuf_close (fp);
release_armor_context (outctrl.pub.afx); release_armor_context (outctrl.pub.afx);
release_armor_context (outctrl.sec.afx);
} }
/* /*
* Generate a keypair (fname is only used in batch mode) If * Generate a keypair (fname is only used in batch mode) If
* CARD_SERIALNO is not NULL the function will create the keys on an * CARD_SERIALNO is not NULL the function will create the keys on an
* OpenPGP Card. If BACKUP_ENCRYPTION_DIR has been set and * OpenPGP Card. If CARD_BACKUP_KEY has been set and CARD_SERIALNO is
* CARD_SERIALNO is NOT NULL, the encryption key for the card gets * NOT NULL, the encryption key for the card is generated on the host,
* generate in software, imported to the card and a backup file * imported to the card and a backup file created by gpg-agent.
* written to directory given by this argument .
*/ */
void void
generate_keypair (const char *fname, const char *card_serialno, generate_keypair (const char *fname, const char *card_serialno,
const char *backup_encryption_dir) int card_backup_key)
{ {
unsigned int nbits; unsigned int nbits;
char *uid = NULL; char *uid = NULL;
@ -2964,11 +2939,11 @@ generate_keypair (const char *fname, const char *card_serialno,
r->next = para; r->next = para;
para = r; para = r;
if (backup_encryption_dir) if (card_backup_key)
{ {
r = xcalloc (1, sizeof *r + strlen (backup_encryption_dir) ); r = xcalloc (1, sizeof *r + 1);
r->key = pBACKUPENCDIR; r->key = pCARDBACKUPKEY;
strcpy (r->u.value, backup_encryption_dir); strcpy (r->u.value, "1");
r->next = para; r->next = para;
para = r; para = r;
} }
@ -3071,7 +3046,7 @@ generate_keypair (const char *fname, const char *card_serialno,
} }
#ifdef ENABLE_CARD_SUPPORT #if 0 /* not required */
/* Generate a raw key and return it as a secret key packet. The /* Generate a raw key and return it as a secret key packet. The
function will ask for the passphrase and return a protected as well function will ask for the passphrase and return a protected as well
as an unprotected copy of a new secret key packet. 0 is returned as an unprotected copy of a new secret key packet. 0 is returned
@ -3270,7 +3245,7 @@ do_generate_keypair (struct para_data_s *para,
else else
err = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root, err = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root,
&timestamp, &timestamp,
get_parameter_u32 (para, pKEYEXPIRE), para); get_parameter_u32 (para, pKEYEXPIRE));
/* Get the pointer to the generated public key packet. */ /* Get the pointer to the generated public key packet. */
if (!err) if (!err)
@ -3301,7 +3276,7 @@ do_generate_keypair (struct para_data_s *para,
{ {
err = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, err = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root,
&timestamp, &timestamp,
get_parameter_u32 (para, pKEYEXPIRE), para); get_parameter_u32 (para, pKEYEXPIRE));
if (!err) if (!err)
err = write_keybinding (pub_root, pri_psk, NULL, err = write_keybinding (pub_root, pri_psk, NULL,
PUBKEY_USAGE_AUTH, timestamp, cache_nonce); PUBKEY_USAGE_AUTH, timestamp, cache_nonce);
@ -3331,23 +3306,20 @@ do_generate_keypair (struct para_data_s *para,
} }
else else
{ {
if ((s = get_parameter_value (para, pBACKUPENCDIR))) if ((s = get_parameter_value (para, pCARDBACKUPKEY)))
{ {
/* A backup of the encryption key has been requested. /* A backup of the encryption key has been requested.
Generate the key in software and import it then to Generate the key in software and import it then to
the card. Write a backup file. */ the card. Write a backup file. */
err = gen_card_key_with_backup (PUBKEY_ALGO_RSA, 2, 0, err = gen_card_key_with_backup
pub_root, (PUBKEY_ALGO_RSA, 2, 0, pub_root, timestamp,
timestamp, get_parameter_u32 (para, pKEYEXPIRE), para);
get_parameter_u32 (para,
pKEYEXPIRE),
para, s);
} }
else else
{ {
err = gen_card_key (PUBKEY_ALGO_RSA, 2, 0, pub_root, err = gen_card_key (PUBKEY_ALGO_RSA, 2, 0, pub_root,
&timestamp, &timestamp,
get_parameter_u32 (para, pKEYEXPIRE), para); get_parameter_u32 (para, pKEYEXPIRE));
} }
} }
@ -3551,79 +3523,63 @@ generate_subkeypair (KBNODE keyblock)
#ifdef ENABLE_CARD_SUPPORT #ifdef ENABLE_CARD_SUPPORT
/* Generate a subkey on a card. */ /* Generate a subkey on a card. */
int gpg_error_t
generate_card_subkeypair (KBNODE pub_keyblock, KBNODE sec_keyblock, generate_card_subkeypair (kbnode_t pub_keyblock,
int keyno, const char *serialno) int keyno, const char *serialno)
{ {
gpg_error_t err = 0; gpg_error_t err = 0;
int okay = 0;
kbnode_t node; kbnode_t node;
PKT_secret_key *pri_sk = NULL, *sub_sk; PKT_public_key *pri_pk = NULL;
int algo; int algo;
unsigned int use; unsigned int use;
u32 expire; u32 expire;
char *passphrase = NULL;
u32 cur_time; u32 cur_time;
struct para_data_s *para = NULL; struct para_data_s *para = NULL;
assert (keyno >= 1 && keyno <= 3); assert (keyno >= 1 && keyno <= 3);
para = xcalloc (1, sizeof *para + strlen (serialno) ); para = xtrycalloc (1, sizeof *para + strlen (serialno) );
if (!para)
{
err = gpg_error_from_syserror ();
goto leave;
}
para->key = pSERIALNO; para->key = pSERIALNO;
strcpy (para->u.value, serialno); strcpy (para->u.value, serialno);
/* Break out the primary secret key */ /* Break out the primary secret key */
node = find_kbnode (sec_keyblock, PKT_SECRET_KEY); node = find_kbnode (pub_keyblock, PKT_PUBLIC_KEY);
if (!node) if (!node)
{ {
log_error("Oops; secret key not found anymore!\n"); log_error ("Oops; publkic key lost!\n");
err = gpg_error (GPG_ERR_INTERNAL);
goto leave; goto leave;
} }
pri_pk = node->pkt->pkt.public_key;
/* Make a copy of the sk to keep the protected one in the keyblock */
pri_sk = copy_secret_key (NULL, node->pkt->pkt.secret_key);
cur_time = make_timestamp(); cur_time = make_timestamp();
if (pri_sk->timestamp > cur_time) if (pri_pk->timestamp > cur_time)
{ {
ulong d = pri_sk->timestamp - cur_time; ulong d = pri_pk->timestamp - cur_time;
log_info (d==1 ? _("key has been created %lu second " log_info (d==1 ? _("key has been created %lu second "
"in future (time warp or clock problem)\n") "in future (time warp or clock problem)\n")
: _("key has been created %lu seconds " : _("key has been created %lu seconds "
"in future (time warp or clock problem)\n"), d ); "in future (time warp or clock problem)\n"), d );
if (!opt.ignore_time_conflict) if (!opt.ignore_time_conflict)
{ {
err = G10ERR_TIME_CONFLICT; err = gpg_error (GPG_ERR_TIME_CONFLICT);
goto leave; goto leave;
} }
} }
if (pri_sk->version < 4) if (pri_pk->version < 4)
{ {
log_info (_("NOTE: creating subkeys for v3 keys " log_info (_("NOTE: creating subkeys for v3 keys "
"is not OpenPGP compliant\n")); "is not OpenPGP compliant\n"));
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
goto leave; goto leave;
} }
/* Unprotect to get the passphrase. */
switch( is_secret_key_protected (pri_sk) )
{
case -1:
err = G10ERR_PUBKEY_ALGO;
break;
case 0:
tty_printf("This key is not protected.\n");
break;
default:
tty_printf("Key is protected.\n");
err = check_secret_key( pri_sk, 0 );
if (!err)
passphrase = get_last_passphrase();
break;
}
if (err)
goto leave;
algo = PUBKEY_ALGO_RSA; algo = PUBKEY_ALGO_RSA;
expire = ask_expire_interval (0, NULL); expire = ask_expire_interval (0, NULL);
if (keyno == 1) if (keyno == 1)
@ -3634,40 +3590,37 @@ generate_card_subkeypair (KBNODE pub_keyblock, KBNODE sec_keyblock,
use = PUBKEY_USAGE_AUTH; use = PUBKEY_USAGE_AUTH;
if (!cpr_enabled() && !cpr_get_answer_is_yes("keygen.cardsub.okay", if (!cpr_enabled() && !cpr_get_answer_is_yes("keygen.cardsub.okay",
_("Really create? (y/N) "))) _("Really create? (y/N) ")))
{
err = gpg_error (GPG_ERR_CANCELED);
goto leave; goto leave;
}
if (passphrase)
set_next_passphrase (passphrase);
/* Note, that depending on the backend, the card key generation may /* Note, that depending on the backend, the card key generation may
update CUR_TIME. */ update CUR_TIME. */
err = gen_card_key (algo, keyno, 0, pub_keyblock, &cur_time, expire, para); err = gen_card_key (algo, keyno, 0, pub_keyblock, &cur_time, expire);
if (!err) /* Get the pointer to the generated public subkey packet. */
err = write_keybinding (pub_keyblock, pub_keyblock, pri_sk, sub_sk,
use, cur_time);
if (!err)
err = write_keybinding (sec_keyblock, pub_keyblock, pri_sk, sub_sk,
use, cur_time);
if (!err) if (!err)
{ {
okay = 1; PKT_public_key *sub_pk = NULL;
write_status_text (STATUS_KEY_CREATED, "S");
for (node = pub_keyblock; node; node = node->next)
if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
sub_pk = node->pkt->pkt.public_key;
assert (sub_pk);
err = write_keybinding (pub_keyblock, pri_pk, sub_pk,
use, cur_time, NULL);
} }
leave: leave:
if (err) if (err)
log_error (_("Key generation failed: %s\n"), g10_errstr(err) ); log_error (_("Key generation failed: %s\n"), g10_errstr(err) );
xfree (passphrase); else
/* Release the copy of the (now unprotected) secret keys. */ write_status_text (STATUS_KEY_CREATED, "S");
if (pri_sk)
free_secret_key (pri_sk);
set_next_passphrase( NULL );
release_parameter_list (para); release_parameter_list (para);
return okay; return err;
} }
#endif /* !ENABLE_CARD_SUPPORT */ #endif /* !ENABLE_CARD_SUPPORT */
/* /*
* Write a keyblock to an output stream * Write a keyblock to an output stream
*/ */
@ -3693,84 +3646,74 @@ write_keyblock( IOBUF out, KBNODE node )
/* Note that timestamp is an in/out arg. */ /* Note that timestamp is an in/out arg. */
static int static gpg_error_t
gen_card_key (int algo, int keyno, int is_primary, KBNODE pub_root, gen_card_key (int algo, int keyno, int is_primary, kbnode_t pub_root,
u32 *timestamp, u32 expireval, struct para_data_s *para) u32 *timestamp, u32 expireval)
{ {
#ifdef ENABLE_CARD_SUPPORT #ifdef ENABLE_CARD_SUPPORT
int rc; gpg_error_t err;
const char *s;
struct agent_card_genkey_s info; struct agent_card_genkey_s info;
PACKET *pkt; PACKET *pkt;
PKT_secret_key *sk;
PKT_public_key *pk; PKT_public_key *pk;
assert (algo == PUBKEY_ALGO_RSA); if (algo != PUBKEY_ALGO_RSA)
return gpg_error (GPG_ERR_PUBKEY_ALGO);
/* Fixme: We don't have the serialnumber available, thus passing NULL. */ pk = xtrycalloc (1, sizeof *pk );
rc = agent_scd_genkey (&info, keyno, 1, NULL, *timestamp); if (!pk)
/* if (gpg_err_code (rc) == GPG_ERR_EEXIST) */ return gpg_error_from_syserror ();
/* { */ pkt = xtrycalloc (1, sizeof *pkt);
/* tty_printf ("\n"); */ if (!pkt)
/* log_error ("WARNING: key does already exists!\n"); */
/* tty_printf ("\n"); */
/* if ( cpr_get_answer_is_yes( "keygen.card.replace_key", */
/* _("Replace existing key? "))) */
/* rc = agent_scd_genkey (&info, keyno, 1); */
/* } */
if (rc)
{ {
log_error ("key generation failed: %s\n", gpg_strerror (rc)); xfree (pk);
return rc; return gpg_error_from_syserror ();
} }
if ( !info.n || !info.e )
/* Note: SCD knows the serialnumber, thus there is no point in passing it. */
err = agent_scd_genkey (&info, keyno, 1, NULL, *timestamp);
/* The code below is not used because we force creation of
* the a card key (3rd arg).
* if (gpg_err_code (rc) == GPG_ERR_EEXIST)
* {
* tty_printf ("\n");
* log_error ("WARNING: key does already exists!\n");
* tty_printf ("\n");
* if ( cpr_get_answer_is_yes( "keygen.card.replace_key",
* _("Replace existing key? ")))
* rc = agent_scd_genkey (&info, keyno, 1);
* }
*/
if (!err && (!info.n || !info.e))
{ {
log_error ("communication error with SCD\n"); log_error ("communication error with SCD\n");
gcry_mpi_release (info.n); gcry_mpi_release (info.n);
gcry_mpi_release (info.e); gcry_mpi_release (info.e);
return gpg_error (GPG_ERR_GENERAL); err = gpg_error (GPG_ERR_GENERAL);
}
if (err)
{
log_error ("key generation failed: %s\n", gpg_strerror (err));
xfree (pkt);
xfree (pk);
return err;
} }
if (*timestamp != info.created_at) if (*timestamp != info.created_at)
log_info ("Note that the key does not use the suggested creation date\n"); log_info ("NOTE: the key does not use the suggested creation date\n");
*timestamp = info.created_at; *timestamp = info.created_at;
pk = xcalloc (1, sizeof *pk ); pk->timestamp = info.created_at;
sk = xcalloc (1, sizeof *sk ); pk->version = 4;
sk->timestamp = pk->timestamp = info.created_at;
sk->version = pk->version = 4;
if (expireval) if (expireval)
sk->expiredate = pk->expiredate = pk->timestamp + expireval; pk->expiredate = pk->timestamp + expireval;
sk->pubkey_algo = pk->pubkey_algo = algo; pk->pubkey_algo = algo;
pk->pkey[0] = info.n; pk->pkey[0] = info.n;
pk->pkey[1] = info.e; pk->pkey[1] = info.e;
sk->skey[0] = gcry_mpi_copy (pk->pkey[0]);
sk->skey[1] = gcry_mpi_copy (pk->pkey[1]);
sk->skey[2] = gcry_mpi_set_opaque (NULL, xstrdup ("dummydata"), 10*8);
sk->is_protected = 1;
sk->protect.s2k.mode = 1002;
s = get_parameter_value (para, pSERIALNO);
if (s)
{
for (sk->protect.ivlen=0; sk->protect.ivlen < 16 && *s && s[1];
sk->protect.ivlen++, s += 2)
sk->protect.iv[sk->protect.ivlen] = xtoi_2 (s);
}
if( ret_sk )
*ret_sk = sk;
pkt = xcalloc (1,sizeof *pkt);
pkt->pkttype = is_primary ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY; pkt->pkttype = is_primary ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY;
pkt->pkt.public_key = pk; pkt->pkt.public_key = pk;
add_kbnode (pub_root, new_kbnode (pkt)); add_kbnode (pub_root, new_kbnode (pkt));
pkt = xcalloc (1,sizeof *pkt);
pkt->pkttype = is_primary ? PKT_SECRET_KEY : PKT_SECRET_SUBKEY;
pkt->pkt.secret_key = sk;
add_kbnode(sec_root, new_kbnode( pkt ));
return 0; return 0;
#else #else
return gpg_error (GPG_ERR_NOT_SUPPORTED); return gpg_error (GPG_ERR_NOT_SUPPORTED);
@ -3782,10 +3725,9 @@ gen_card_key (int algo, int keyno, int is_primary, KBNODE pub_root,
static int static int
gen_card_key_with_backup (int algo, int keyno, int is_primary, gen_card_key_with_backup (int algo, int keyno, int is_primary,
KBNODE pub_root, u32 timestamp, KBNODE pub_root, u32 timestamp,
u32 expireval, struct para_data_s *para, u32 expireval, struct para_data_s *para)
const char *backup_dir)
{ {
#ifdef ENABLE_CARD_SUPPORT #if 0 /* FIXME: Move this to gpg-agent. */
int rc; int rc;
const char *s; const char *s;
PACKET *pkt; PACKET *pkt;
@ -3947,9 +3889,9 @@ gen_card_key_with_backup (int algo, int keyno, int is_primary,
} }
#ifdef ENABLE_CARD_SUPPORT #if 0
int int
save_unprotected_key_to_card (PKT_secret_key *sk, int keyno) save_unprotected_key_to_card (PKT_public_key *sk, int keyno)
{ {
int rc; int rc;
unsigned char *rsa_n = NULL; unsigned char *rsa_n = NULL;

3
g10/keylist.c
View File

@ -182,8 +182,7 @@ print_card_key_info (estream_t fp, kbnode_t keyblock)
{ {
/* KBNODE node; */ /* KBNODE node; */
/* int i; */ /* int i; */
#warning Fixme: Needs to be adjusted to gpg-agent
log_debug ("Fixme: Needs to be adjusted to gpg-agent\n");
/* for (node = keyblock; node; node = node->next) */ /* for (node = keyblock; node; node = node->next) */
/* { */ /* { */
/* if (node->pkt->pkttype == PKT_SECRET_KEY */ /* if (node->pkt->pkttype == PKT_SECRET_KEY */

8
g10/main.h
View File

@ -232,7 +232,7 @@ u32 parse_expire_string(const char *string);
u32 ask_expire_interval(int object,const char *def_expire); u32 ask_expire_interval(int object,const char *def_expire);
u32 ask_expiredate(void); u32 ask_expiredate(void);
void generate_keypair (const char *fname, const char *card_serialno, void generate_keypair (const char *fname, const char *card_serialno,
const char *backup_encryption_dir ); int card_backup_key);
int keygen_set_std_prefs (const char *string,int personal); int keygen_set_std_prefs (const char *string,int personal);
PKT_user_id *keygen_get_std_prefs (void); PKT_user_id *keygen_get_std_prefs (void);
int keygen_add_key_expire( PKT_signature *sig, void *opaque ); int keygen_add_key_expire( PKT_signature *sig, void *opaque );
@ -246,9 +246,9 @@ gpg_error_t make_backsig (PKT_signature *sig, PKT_public_key *pk,
u32 timestamp, const char *cache_nonce); u32 timestamp, const char *cache_nonce);
gpg_error_t generate_subkeypair (kbnode_t pub_keyblock); gpg_error_t generate_subkeypair (kbnode_t pub_keyblock);
#ifdef ENABLE_CARD_SUPPORT #ifdef ENABLE_CARD_SUPPORT
int generate_card_subkeypair (KBNODE pub_keyblock, KBNODE sec_keyblock, gpg_error_t generate_card_subkeypair (kbnode_t pub_keyblock,
int keyno, const char *serialno); int keyno, const char *serialno);
int save_unprotected_key_to_card (PKT_secret_key *sk, int keyno); int save_unprotected_key_to_card (PKT_public_key *sk, int keyno);
#endif #endif
/*-- openfile.c --*/ /*-- openfile.c --*/
@ -348,7 +348,7 @@ int gpg_server (ctrl_t);
void change_pin (int no, int allow_admin); void change_pin (int no, int allow_admin);
void card_status (estream_t fp, char *serialno, size_t serialnobuflen); void card_status (estream_t fp, char *serialno, size_t serialnobuflen);
void card_edit (ctrl_t ctrl, strlist_t commands); void card_edit (ctrl_t ctrl, strlist_t commands);
int card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock); gpg_error_t card_generate_subkey (KBNODE pub_keyblock);
int card_store_subkey (KBNODE node, int use); int card_store_subkey (KBNODE node, int use);
#endif #endif

13
g10/misc.c
View File

@ -548,13 +548,12 @@ static unsigned long
get_signature_count (PKT_public_key *pk) get_signature_count (PKT_public_key *pk)
{ {
#ifdef ENABLE_CARD_SUPPORT #ifdef ENABLE_CARD_SUPPORT
/* FIXME: Need to call the agent. */ struct agent_card_info_s info;
/* if(sk && sk->is_protected && sk->protect.s2k.mode==1002) */ #warning fixme: We should check that the correct card has been inserted
/* { */ if (!agent_scd_getattr ("SIG-COUNTER",&info))
/* struct agent_card_info_s info; */ return info.sig_counter;
/* if(agent_scd_getattr("SIG-COUNTER",&info)==0) */ else
/* return info.sig_counter; */ return 0;
/* } */
#else #else
(void)pk; (void)pk;
return 0; return 0;

5
scd/ChangeLog
View File

@ -1,3 +1,8 @@
2010-11-16 Werner Koch <wk@g10code.com>
* apdu.c (PCSC_UNKNOWN) [W32]: Fix all these values which don't
match those of libpcsc. Reported by Michael Petig.
2010-10-27 Werner Koch <wk@g10code.com> 2010-10-27 Werner Koch <wk@g10code.com>
* scdaemon.c (create_socket_name): Use TMPDIR. Change callers. * scdaemon.c (create_socket_name): Use TMPDIR. Change callers.

19
scd/apdu.c
View File

@ -1,5 +1,5 @@
/* apdu.c - ISO 7816 APDU functions and low level I/O /* apdu.c - ISO 7816 APDU functions and low level I/O
* Copyright (C) 2003, 2004, 2008, 2009 Free Software Foundation, Inc. * Copyright (C) 2003, 2004, 2008, 2009, 2010 Free Software Foundation, Inc.
* *
* This file is part of GnuPG. * This file is part of GnuPG.
* *
@ -165,7 +165,11 @@ static char (* DLSTDCALL CT_close) (unsigned short ctn);
#define PCSC_PROTOCOL_T0 1 #define PCSC_PROTOCOL_T0 1
#define PCSC_PROTOCOL_T1 2 #define PCSC_PROTOCOL_T1 2
#ifdef HAVE_W32_SYSTEM
# define PCSC_PROTOCOL_RAW 0x00010000 /* The active protocol. */
#else
# define PCSC_PROTOCOL_RAW 4 # define PCSC_PROTOCOL_RAW 4
#endif
#define PCSC_SHARE_EXCLUSIVE 1 #define PCSC_SHARE_EXCLUSIVE 1
#define PCSC_SHARE_SHARED 2 #define PCSC_SHARE_SHARED 2
@ -176,6 +180,15 @@ static char (* DLSTDCALL CT_close) (unsigned short ctn);
#define PCSC_UNPOWER_CARD 2 #define PCSC_UNPOWER_CARD 2
#define PCSC_EJECT_CARD 3 #define PCSC_EJECT_CARD 3
#ifdef HAVE_W32_SYSTEM
# define PCSC_UNKNOWN 0x0000 /* The driver is not aware of the status. */
# define PCSC_ABSENT 0x0001 /* Card is absent. */
# define PCSC_PRESENT 0x0002 /* Card is present. */
# define PCSC_SWALLOWED 0x0003 /* Card is present and electrical connected. */
# define PCSC_POWERED 0x0004 /* Card is powered. */
# define PCSC_NEGOTIABLE 0x0005 /* Card is awaiting PTS. */
# define PCSC_SPECIFIC 0x0006 /* Card is ready for use. */
#else
# define PCSC_UNKNOWN 0x0001 # define PCSC_UNKNOWN 0x0001
# define PCSC_ABSENT 0x0002 /* Card is absent. */ # define PCSC_ABSENT 0x0002 /* Card is absent. */
# define PCSC_PRESENT 0x0004 /* Card is present. */ # define PCSC_PRESENT 0x0004 /* Card is present. */
@ -183,6 +196,7 @@ static char (* DLSTDCALL CT_close) (unsigned short ctn);
# define PCSC_POWERED 0x0010 /* Card is powered. */ # define PCSC_POWERED 0x0010 /* Card is powered. */
# define PCSC_NEGOTIABLE 0x0020 /* Card is awaiting PTS. */ # define PCSC_NEGOTIABLE 0x0020 /* Card is awaiting PTS. */
# define PCSC_SPECIFIC 0x0040 /* Card is ready for use. */ # define PCSC_SPECIFIC 0x0040 /* Card is ready for use. */
#endif
#define PCSC_STATE_UNAWARE 0x0000 /* Want status. */ #define PCSC_STATE_UNAWARE 0x0000 /* Want status. */
#define PCSC_STATE_IGNORE 0x0001 /* Ignore this reader. */ #define PCSC_STATE_IGNORE 0x0001 /* Ignore this reader. */
@ -195,6 +209,9 @@ static char (* DLSTDCALL CT_close) (unsigned short ctn);
#define PCSC_STATE_EXCLUSIVE 0x0080 /* Exclusive Mode. */ #define PCSC_STATE_EXCLUSIVE 0x0080 /* Exclusive Mode. */
#define PCSC_STATE_INUSE 0x0100 /* Shared mode. */ #define PCSC_STATE_INUSE 0x0100 /* Shared mode. */
#define PCSC_STATE_MUTE 0x0200 /* Unresponsive card. */ #define PCSC_STATE_MUTE 0x0200 /* Unresponsive card. */
#ifdef HAVE_W32_SYSTEM
# define PCSC_STATE_UNPOWERED 0x0400 /* Card not powerred up. */
#endif
/* Some PC/SC error codes. */ /* Some PC/SC error codes. */
#define PCSC_E_CANCELLED 0x80100002 #define PCSC_E_CANCELLED 0x80100002