mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
Smartcard related updates
This commit is contained in:
parent
b97aeb03d5
commit
0103a53aa6
@ -1,3 +1,7 @@
|
||||
2010-11-17 Werner Koch <wk@g10code.com>
|
||||
|
||||
* configure.ac (ENABLE_CARD_SUPPORT): Define.
|
||||
|
||||
2010-10-27 Werner Koch <wk@g10code.com>
|
||||
|
||||
* acinclude.m4 (GNUPG_TIME_T_UNSIGNED): New.
|
||||
|
@ -485,7 +485,7 @@ AH_BOTTOM([
|
||||
#define HTTP_NO_WSASTARTUP
|
||||
|
||||
/* We always include support for the OpenPGP card. */
|
||||
/* Disabled for now ENABLE_CARD_SUPPORT 1 */
|
||||
#define ENABLE_CARD_SUPPORT 1
|
||||
|
||||
/* We explicitly need to disable PTH's soft mapping as Debian
|
||||
currently enables it by default for no reason. */
|
||||
|
@ -817,7 +817,8 @@ The format of this file is as follows:
|
||||
The filename is used until a new filename is used (at commit points)
|
||||
and all keys are written to that file. If a new filename is given,
|
||||
this file is created (and overwrites an existing one).
|
||||
Both control statements must be given.
|
||||
GnuPG < 2.1: Both control statements must be given.
|
||||
GnuPG >= 2.1: "%secring" is now a no-op.
|
||||
%ask-passphrase
|
||||
Enable a mode where the command "passphrase" is ignored and
|
||||
instead the usual passphrase dialog is used. This does not
|
||||
|
@ -1,3 +1,24 @@
|
||||
2010-11-17 Werner Koch <wk@g10code.com>
|
||||
|
||||
* keyedit.c (find_pk_from_sknode): Remove.
|
||||
* misc.c (get_signature_count): Call agent.
|
||||
* keygen.c (gen_card_key): Rework. Remove arg PARA.
|
||||
(generate_keypair): Change arg BACKUP_ENCRYPTION_DIR to the flag
|
||||
CARD_BACKUP_KEY.
|
||||
(pBACKUPENCDIR): Change to pCARDBACKUPKEY.
|
||||
(struct output_control_s): Remove struct SEC. Remove all usages
|
||||
of it.
|
||||
(gen_card_key_with_backup): Remove arg BACKUP_DIR.
|
||||
|
||||
* call-agent.c (agent_scd_genkey): Remove extra memset.
|
||||
|
||||
2010-11-16 Werner Koch <wk@g10code.com>
|
||||
|
||||
* keygen.c (generate_card_subkeypair): Remove arg SEC_KEYBLOCK and
|
||||
change to return an error code. Rework for removed secring code.
|
||||
* card-util.c (card_generate_subkey): Remove arg SEC_KEYBLOCK.
|
||||
Return an error code instead of a success flag. Change caller.
|
||||
|
||||
2010-10-29 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* pkclist.c (select_algo_from_prefs): Make sure the scores can't
|
||||
|
@ -771,10 +771,9 @@ scd_genkey_cb (void *opaque, const char *line)
|
||||
}
|
||||
|
||||
/* Send a GENKEY command to the SCdaemon. SERIALNO is not used in
|
||||
this implementation. If CREATEDATE has been given, it will be
|
||||
passed to SCDAEMON so that the key can be created with this
|
||||
timestamp; note the user needs to use the returned timestamp as old
|
||||
versions of scddaemon don't support this option. */
|
||||
this implementation. If CREATEDATE is not 0, it will be passed to
|
||||
SCDAEMON so that the key is created with this timestamp. INFO will
|
||||
receive information about the generated key. */
|
||||
int
|
||||
agent_scd_genkey (struct agent_card_genkey_s *info, int keyno, int force,
|
||||
const char *serialno, u32 createtime)
|
||||
@ -794,7 +793,6 @@ agent_scd_genkey (struct agent_card_genkey_s *info, int keyno, int force,
|
||||
else
|
||||
*tbuf = 0;
|
||||
|
||||
memset (info, 0, sizeof *info);
|
||||
snprintf (line, DIM(line)-1, "SCD GENKEY %s%s %s %d",
|
||||
*tbuf? "--timestamp=":"", tbuf,
|
||||
force? "--force":"",
|
||||
|
@ -581,11 +581,12 @@ card_status (estream_t fp, char *serialno, size_t serialnobuflen)
|
||||
if ( thefpr && !fpr_is_ff (thefpr)
|
||||
&& !get_pubkey_byfprint (pk, thefpr, 20))
|
||||
{
|
||||
KBNODE keyblock = NULL;
|
||||
|
||||
print_pubkey_info (fp, pk);
|
||||
|
||||
#if GNUPG_MAJOR_VERSION == 1
|
||||
{
|
||||
kbnode_t keyblock = NULL;
|
||||
|
||||
if ( !get_seckeyblock_byfprint (&keyblock, thefpr, 20) )
|
||||
print_card_key_info (fp, keyblock);
|
||||
else if ( !get_keyblock_byfprint (&keyblock, thefpr, 20) )
|
||||
@ -604,6 +605,7 @@ card_status (estream_t fp, char *serialno, size_t serialnobuflen)
|
||||
}
|
||||
|
||||
release_kbnode (keyblock);
|
||||
}
|
||||
#endif /* GNUPG_MAJOR_VERSION == 1 */
|
||||
}
|
||||
else
|
||||
@ -1431,7 +1433,7 @@ generate_card_keys (void)
|
||||
the serialnumber and thus it won't harm. */
|
||||
}
|
||||
|
||||
generate_keypair (NULL, info.serialno, want_backup? opt.homedir:NULL);
|
||||
generate_keypair (NULL, info.serialno, want_backup);
|
||||
|
||||
leave:
|
||||
agent_release_card_info (&info);
|
||||
@ -1441,16 +1443,17 @@ generate_card_keys (void)
|
||||
|
||||
/* This function is used by the key edit menu to generate an arbitrary
|
||||
subkey. */
|
||||
int
|
||||
card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
|
||||
gpg_error_t
|
||||
card_generate_subkey (KBNODE pub_keyblock)
|
||||
{
|
||||
gpg_error_t err;
|
||||
struct agent_card_info_s info;
|
||||
int okay = 0;
|
||||
int forced_chv1 = 0;
|
||||
int keyno;
|
||||
|
||||
if (get_info_for_key_operation (&info))
|
||||
return 0;
|
||||
err = get_info_for_key_operation (&info);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
show_card_key_info (&info);
|
||||
|
||||
@ -1468,6 +1471,7 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
|
||||
if (*answer == CONTROL_D)
|
||||
{
|
||||
xfree (answer);
|
||||
err = gpg_error (GPG_ERR_CANCELED);
|
||||
goto leave;
|
||||
}
|
||||
keyno = *answer? atoi(answer): 0;
|
||||
@ -1478,9 +1482,13 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
|
||||
}
|
||||
|
||||
if (replace_existing_key_p (&info, keyno))
|
||||
{
|
||||
err = gpg_error (GPG_ERR_CANCELED);
|
||||
goto leave;
|
||||
}
|
||||
|
||||
if (check_pin_for_key_operation (&info, &forced_chv1))
|
||||
err = check_pin_for_key_operation (&info, &forced_chv1);
|
||||
if (err)
|
||||
goto leave;
|
||||
|
||||
/* If the cards features changeable key attributes, we ask for the
|
||||
@ -1495,7 +1503,8 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
|
||||
{
|
||||
/* Error: Better read the default key size again. */
|
||||
agent_release_card_info (&info);
|
||||
if (get_info_for_key_operation (&info))
|
||||
err = get_info_for_key_operation (&info);
|
||||
if (err)
|
||||
goto leave;
|
||||
goto ask_again;
|
||||
}
|
||||
@ -1503,13 +1512,12 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
|
||||
the serialnumber and thus it won't harm. */
|
||||
}
|
||||
|
||||
/* xxx = generate_card_subkeypair (pub_keyblock, sec_keyblock, */
|
||||
/* keyno, info.serialno); */
|
||||
err = generate_card_subkeypair (pub_keyblock, keyno, info.serialno);
|
||||
|
||||
leave:
|
||||
agent_release_card_info (&info);
|
||||
restore_forced_chv1 (&forced_chv1);
|
||||
return okay;
|
||||
return err;
|
||||
}
|
||||
|
||||
|
||||
@ -1520,6 +1528,7 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock)
|
||||
int
|
||||
card_store_subkey (KBNODE node, int use)
|
||||
{
|
||||
log_info ("FIXME: card_store_subkey has not yet been implemented\n");
|
||||
/* struct agent_card_info_s info; */
|
||||
/* int okay = 0; */
|
||||
/* int rc; */
|
||||
|
@ -3705,12 +3705,12 @@ main (int argc, char **argv)
|
||||
if( opt.batch ) {
|
||||
if( argc > 1 )
|
||||
wrong_args("--gen-key [parameterfile]");
|
||||
generate_keypair( argc? *argv : NULL, NULL, NULL );
|
||||
generate_keypair (argc? *argv : NULL, NULL, 0);
|
||||
}
|
||||
else {
|
||||
if( argc )
|
||||
wrong_args("--gen-key");
|
||||
generate_keypair(NULL, NULL, NULL);
|
||||
generate_keypair (NULL, NULL, 0);
|
||||
}
|
||||
break;
|
||||
|
||||
|
@ -108,35 +108,6 @@ struct sign_attrib
|
||||
};
|
||||
|
||||
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
/* Given a node SEC_NODE with a secret key or subkey, locate the
|
||||
corresponding public key from pub_keyblock. */
|
||||
static PKT_public_key *
|
||||
find_pk_from_sknode (KBNODE pub_keyblock, KBNODE sec_node)
|
||||
{
|
||||
KBNODE node = pub_keyblock;
|
||||
PKT_secret_key *sk;
|
||||
PKT_public_key *pk;
|
||||
|
||||
#warning: This is not anymore needed.
|
||||
if (sec_node->pkt->pkttype == PKT_SECRET_KEY
|
||||
&& node->pkt->pkttype == PKT_PUBLIC_KEY)
|
||||
return node->pkt->pkt.public_key;
|
||||
if (sec_node->pkt->pkttype != PKT_SECRET_SUBKEY)
|
||||
return NULL;
|
||||
sk = sec_node->pkt->pkt.secret_key;
|
||||
for (; node; node = node->next)
|
||||
if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
|
||||
{
|
||||
pk = node->pkt->pkt.public_key;
|
||||
if (pk->keyid[0] == sk->keyid[0] && pk->keyid[1] == sk->keyid[1])
|
||||
return pk;
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
#endif /* ENABLE_CARD_SUPPORT */
|
||||
|
||||
|
||||
/* TODO: Fix duplicated code between here and the check-sigs/list-sigs
|
||||
code in keylist.c. */
|
||||
@ -1833,7 +1804,7 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
|
||||
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
case cmdADDCARDKEY:
|
||||
if (card_generate_subkey (keyblock))
|
||||
if (!card_generate_subkey (keyblock))
|
||||
{
|
||||
redisplay = 1;
|
||||
modified = 1;
|
||||
@ -1868,7 +1839,7 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
|
||||
}
|
||||
if (node)
|
||||
{
|
||||
PKT_public_key *xxpk = find_pk_from_sknode (keyblock, node);
|
||||
PKT_public_key *xxpk = node->pkt->pkt.public_key;
|
||||
if (card_store_subkey (node, xxpk ? xxpk->pubkey_usage : 0))
|
||||
{
|
||||
redisplay = 1;
|
||||
@ -1934,25 +1905,25 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
|
||||
|
||||
if (cmd == cmdCHECKBKUPKEY)
|
||||
{
|
||||
PKT_secret_key *sk = node->pkt->pkt.secret_key;
|
||||
switch (is_secret_key_protected (sk))
|
||||
{
|
||||
case 0: /* Not protected. */
|
||||
tty_printf (_("This key is not protected.\n"));
|
||||
break;
|
||||
case -1:
|
||||
log_error (_("unknown key protection algorithm\n"));
|
||||
break;
|
||||
default:
|
||||
if (sk->protect.s2k.mode == 1001)
|
||||
tty_printf (_("Secret parts of key"
|
||||
" are not available.\n"));
|
||||
if (sk->protect.s2k.mode == 1002)
|
||||
tty_printf (_("Secret parts of key"
|
||||
" are stored on-card.\n"));
|
||||
/* PKT_public_key *sk = node->pkt->pkt.secret_key; */
|
||||
/* switch (is_secret_key_protected (sk)) */
|
||||
/* { */
|
||||
/* case 0: /\* Not protected. *\/ */
|
||||
/* tty_printf (_("This key is not protected.\n")); */
|
||||
/* break; */
|
||||
/* case -1: */
|
||||
/* log_error (_("unknown key protection algorithm\n")); */
|
||||
/* break; */
|
||||
/* default: */
|
||||
/* if (sk->protect.s2k.mode == 1001) */
|
||||
/* tty_printf (_("Secret parts of key" */
|
||||
/* " are not available.\n")); */
|
||||
/* if (sk->protect.s2k.mode == 1002) */
|
||||
/* tty_printf (_("Secret parts of key" */
|
||||
/* " are stored on-card.\n")); */
|
||||
/* else */
|
||||
/* check_secret_key (sk, 0); */
|
||||
}
|
||||
/* } */
|
||||
}
|
||||
else /* Store it. */
|
||||
{
|
||||
|
286
g10/keygen.c
286
g10/keygen.c
@ -78,7 +78,7 @@ enum para_name {
|
||||
pPASSPHRASE_DEK,
|
||||
pPASSPHRASE_S2K,
|
||||
pSERIALNO,
|
||||
pBACKUPENCDIR,
|
||||
pCARDBACKUPKEY,
|
||||
pHANDLE,
|
||||
pKEYSERVER
|
||||
};
|
||||
@ -98,7 +98,8 @@ struct para_data_s {
|
||||
} u;
|
||||
};
|
||||
|
||||
struct output_control_s {
|
||||
struct output_control_s
|
||||
{
|
||||
int lnr;
|
||||
int dryrun;
|
||||
int ask_passphrase;
|
||||
@ -110,12 +111,6 @@ struct output_control_s {
|
||||
IOBUF stream;
|
||||
armor_filter_context_t *afx;
|
||||
} pub;
|
||||
struct {
|
||||
char *fname;
|
||||
char *newfname;
|
||||
IOBUF stream;
|
||||
armor_filter_context_t *afx;
|
||||
} sec;
|
||||
};
|
||||
|
||||
|
||||
@ -137,13 +132,12 @@ static int mdc_available,ks_modify;
|
||||
static void do_generate_keypair( struct para_data_s *para,
|
||||
struct output_control_s *outctrl, int card );
|
||||
static int write_keyblock (iobuf_t out, kbnode_t node);
|
||||
static int gen_card_key (int algo, int keyno, int is_primary, kbnode_t pub_root,
|
||||
u32 *timestamp, u32 expireval,
|
||||
struct para_data_s *para);
|
||||
static gpg_error_t gen_card_key (int algo, int keyno, int is_primary,
|
||||
kbnode_t pub_root,
|
||||
u32 *timestamp, u32 expireval);
|
||||
static int gen_card_key_with_backup (int algo, int keyno, int is_primary,
|
||||
kbnode_t pub_root, u32 timestamp,
|
||||
u32 expireval, struct para_data_s *para,
|
||||
const char *backup_dir);
|
||||
u32 expireval, struct para_data_s *para);
|
||||
|
||||
|
||||
static void
|
||||
@ -2217,18 +2211,19 @@ generate_user_id (KBNODE keyblock)
|
||||
|
||||
|
||||
static void
|
||||
release_parameter_list( struct para_data_s *r )
|
||||
release_parameter_list (struct para_data_s *r)
|
||||
{
|
||||
struct para_data_s *r2;
|
||||
|
||||
for( ; r ; r = r2 ) {
|
||||
for (; r ; r = r2)
|
||||
{
|
||||
r2 = r->next;
|
||||
if( r->key == pPASSPHRASE_DEK )
|
||||
xfree( r->u.dek );
|
||||
else if( r->key == pPASSPHRASE_S2K )
|
||||
xfree( r->u.s2k );
|
||||
if (r->key == pPASSPHRASE_DEK)
|
||||
xfree (r->u.dek);
|
||||
else if (r->key == pPASSPHRASE_S2K )
|
||||
xfree (r->u.s2k);
|
||||
|
||||
xfree(r);
|
||||
xfree (r);
|
||||
}
|
||||
}
|
||||
|
||||
@ -2657,11 +2652,6 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
|
||||
para = r;
|
||||
}
|
||||
|
||||
if( !!outctrl->pub.newfname ^ !!outctrl->sec.newfname ) {
|
||||
log_error("%s:%d: only one ring name is set\n", fname, outctrl->lnr );
|
||||
return -1;
|
||||
}
|
||||
|
||||
do_generate_keypair( para, outctrl, card );
|
||||
return 0;
|
||||
}
|
||||
@ -2708,7 +2698,6 @@ read_parameter_file( const char *fname )
|
||||
|
||||
memset( &outctrl, 0, sizeof( outctrl ) );
|
||||
outctrl.pub.afx = new_armor_context ();
|
||||
outctrl.sec.afx = new_armor_context ();
|
||||
|
||||
if( !fname || !*fname)
|
||||
fname = "-";
|
||||
@ -2783,13 +2772,7 @@ read_parameter_file( const char *fname )
|
||||
}
|
||||
}
|
||||
else if( !ascii_strcasecmp( keyword, "%secring" ) ) {
|
||||
if( outctrl.sec.fname && !strcmp( outctrl.sec.fname, value ) )
|
||||
; /* still the same file - ignore it */
|
||||
else {
|
||||
xfree( outctrl.sec.newfname );
|
||||
outctrl.sec.newfname = xstrdup( value );
|
||||
outctrl.use_files = 1;
|
||||
}
|
||||
/* Ignore this command. */
|
||||
}
|
||||
else
|
||||
log_info("skipping control `%s' (%s)\n", keyword, value );
|
||||
@ -2865,40 +2848,32 @@ read_parameter_file( const char *fname )
|
||||
|
||||
if( outctrl.use_files ) { /* close open streams */
|
||||
iobuf_close( outctrl.pub.stream );
|
||||
iobuf_close( outctrl.sec.stream );
|
||||
|
||||
/* Must invalidate that ugly cache to actually close it. */
|
||||
if (outctrl.pub.fname)
|
||||
iobuf_ioctl (NULL, IOBUF_IOCTL_INVALIDATE_CACHE,
|
||||
0, (char*)outctrl.pub.fname);
|
||||
if (outctrl.sec.fname)
|
||||
iobuf_ioctl (NULL, IOBUF_IOCTL_INVALIDATE_CACHE,
|
||||
0, (char*)outctrl.sec.fname);
|
||||
|
||||
xfree( outctrl.pub.fname );
|
||||
xfree( outctrl.pub.newfname );
|
||||
xfree( outctrl.sec.fname );
|
||||
xfree( outctrl.sec.newfname );
|
||||
}
|
||||
|
||||
release_parameter_list( para );
|
||||
iobuf_close (fp);
|
||||
release_armor_context (outctrl.pub.afx);
|
||||
release_armor_context (outctrl.sec.afx);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Generate a keypair (fname is only used in batch mode) If
|
||||
* CARD_SERIALNO is not NULL the function will create the keys on an
|
||||
* OpenPGP Card. If BACKUP_ENCRYPTION_DIR has been set and
|
||||
* CARD_SERIALNO is NOT NULL, the encryption key for the card gets
|
||||
* generate in software, imported to the card and a backup file
|
||||
* written to directory given by this argument .
|
||||
* OpenPGP Card. If CARD_BACKUP_KEY has been set and CARD_SERIALNO is
|
||||
* NOT NULL, the encryption key for the card is generated on the host,
|
||||
* imported to the card and a backup file created by gpg-agent.
|
||||
*/
|
||||
void
|
||||
generate_keypair (const char *fname, const char *card_serialno,
|
||||
const char *backup_encryption_dir)
|
||||
int card_backup_key)
|
||||
{
|
||||
unsigned int nbits;
|
||||
char *uid = NULL;
|
||||
@ -2964,11 +2939,11 @@ generate_keypair (const char *fname, const char *card_serialno,
|
||||
r->next = para;
|
||||
para = r;
|
||||
|
||||
if (backup_encryption_dir)
|
||||
if (card_backup_key)
|
||||
{
|
||||
r = xcalloc (1, sizeof *r + strlen (backup_encryption_dir) );
|
||||
r->key = pBACKUPENCDIR;
|
||||
strcpy (r->u.value, backup_encryption_dir);
|
||||
r = xcalloc (1, sizeof *r + 1);
|
||||
r->key = pCARDBACKUPKEY;
|
||||
strcpy (r->u.value, "1");
|
||||
r->next = para;
|
||||
para = r;
|
||||
}
|
||||
@ -3071,7 +3046,7 @@ generate_keypair (const char *fname, const char *card_serialno,
|
||||
}
|
||||
|
||||
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
#if 0 /* not required */
|
||||
/* Generate a raw key and return it as a secret key packet. The
|
||||
function will ask for the passphrase and return a protected as well
|
||||
as an unprotected copy of a new secret key packet. 0 is returned
|
||||
@ -3270,7 +3245,7 @@ do_generate_keypair (struct para_data_s *para,
|
||||
else
|
||||
err = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root,
|
||||
×tamp,
|
||||
get_parameter_u32 (para, pKEYEXPIRE), para);
|
||||
get_parameter_u32 (para, pKEYEXPIRE));
|
||||
|
||||
/* Get the pointer to the generated public key packet. */
|
||||
if (!err)
|
||||
@ -3301,7 +3276,7 @@ do_generate_keypair (struct para_data_s *para,
|
||||
{
|
||||
err = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root,
|
||||
×tamp,
|
||||
get_parameter_u32 (para, pKEYEXPIRE), para);
|
||||
get_parameter_u32 (para, pKEYEXPIRE));
|
||||
if (!err)
|
||||
err = write_keybinding (pub_root, pri_psk, NULL,
|
||||
PUBKEY_USAGE_AUTH, timestamp, cache_nonce);
|
||||
@ -3331,23 +3306,20 @@ do_generate_keypair (struct para_data_s *para,
|
||||
}
|
||||
else
|
||||
{
|
||||
if ((s = get_parameter_value (para, pBACKUPENCDIR)))
|
||||
if ((s = get_parameter_value (para, pCARDBACKUPKEY)))
|
||||
{
|
||||
/* A backup of the encryption key has been requested.
|
||||
Generate the key in software and import it then to
|
||||
the card. Write a backup file. */
|
||||
err = gen_card_key_with_backup (PUBKEY_ALGO_RSA, 2, 0,
|
||||
pub_root,
|
||||
timestamp,
|
||||
get_parameter_u32 (para,
|
||||
pKEYEXPIRE),
|
||||
para, s);
|
||||
err = gen_card_key_with_backup
|
||||
(PUBKEY_ALGO_RSA, 2, 0, pub_root, timestamp,
|
||||
get_parameter_u32 (para, pKEYEXPIRE), para);
|
||||
}
|
||||
else
|
||||
{
|
||||
err = gen_card_key (PUBKEY_ALGO_RSA, 2, 0, pub_root,
|
||||
×tamp,
|
||||
get_parameter_u32 (para, pKEYEXPIRE), para);
|
||||
get_parameter_u32 (para, pKEYEXPIRE));
|
||||
}
|
||||
}
|
||||
|
||||
@ -3551,81 +3523,65 @@ generate_subkeypair (KBNODE keyblock)
|
||||
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
/* Generate a subkey on a card. */
|
||||
int
|
||||
generate_card_subkeypair (KBNODE pub_keyblock, KBNODE sec_keyblock,
|
||||
gpg_error_t
|
||||
generate_card_subkeypair (kbnode_t pub_keyblock,
|
||||
int keyno, const char *serialno)
|
||||
{
|
||||
gpg_error_t err = 0;
|
||||
int okay = 0;
|
||||
kbnode_t node;
|
||||
PKT_secret_key *pri_sk = NULL, *sub_sk;
|
||||
PKT_public_key *pri_pk = NULL;
|
||||
int algo;
|
||||
unsigned int use;
|
||||
u32 expire;
|
||||
char *passphrase = NULL;
|
||||
u32 cur_time;
|
||||
struct para_data_s *para = NULL;
|
||||
|
||||
assert (keyno >= 1 && keyno <= 3);
|
||||
|
||||
para = xcalloc (1, sizeof *para + strlen (serialno) );
|
||||
para = xtrycalloc (1, sizeof *para + strlen (serialno) );
|
||||
if (!para)
|
||||
{
|
||||
err = gpg_error_from_syserror ();
|
||||
goto leave;
|
||||
}
|
||||
para->key = pSERIALNO;
|
||||
strcpy (para->u.value, serialno);
|
||||
|
||||
/* Break out the primary secret key */
|
||||
node = find_kbnode (sec_keyblock, PKT_SECRET_KEY);
|
||||
node = find_kbnode (pub_keyblock, PKT_PUBLIC_KEY);
|
||||
if (!node)
|
||||
{
|
||||
log_error("Oops; secret key not found anymore!\n");
|
||||
log_error ("Oops; publkic key lost!\n");
|
||||
err = gpg_error (GPG_ERR_INTERNAL);
|
||||
goto leave;
|
||||
}
|
||||
|
||||
/* Make a copy of the sk to keep the protected one in the keyblock */
|
||||
pri_sk = copy_secret_key (NULL, node->pkt->pkt.secret_key);
|
||||
pri_pk = node->pkt->pkt.public_key;
|
||||
|
||||
cur_time = make_timestamp();
|
||||
if (pri_sk->timestamp > cur_time)
|
||||
if (pri_pk->timestamp > cur_time)
|
||||
{
|
||||
ulong d = pri_sk->timestamp - cur_time;
|
||||
ulong d = pri_pk->timestamp - cur_time;
|
||||
log_info (d==1 ? _("key has been created %lu second "
|
||||
"in future (time warp or clock problem)\n")
|
||||
: _("key has been created %lu seconds "
|
||||
"in future (time warp or clock problem)\n"), d );
|
||||
if (!opt.ignore_time_conflict)
|
||||
{
|
||||
err = G10ERR_TIME_CONFLICT;
|
||||
err = gpg_error (GPG_ERR_TIME_CONFLICT);
|
||||
goto leave;
|
||||
}
|
||||
}
|
||||
|
||||
if (pri_sk->version < 4)
|
||||
if (pri_pk->version < 4)
|
||||
{
|
||||
log_info (_("NOTE: creating subkeys for v3 keys "
|
||||
"is not OpenPGP compliant\n"));
|
||||
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
|
||||
goto leave;
|
||||
}
|
||||
|
||||
/* Unprotect to get the passphrase. */
|
||||
switch( is_secret_key_protected (pri_sk) )
|
||||
{
|
||||
case -1:
|
||||
err = G10ERR_PUBKEY_ALGO;
|
||||
break;
|
||||
case 0:
|
||||
tty_printf("This key is not protected.\n");
|
||||
break;
|
||||
default:
|
||||
tty_printf("Key is protected.\n");
|
||||
err = check_secret_key( pri_sk, 0 );
|
||||
if (!err)
|
||||
passphrase = get_last_passphrase();
|
||||
break;
|
||||
}
|
||||
if (err)
|
||||
goto leave;
|
||||
|
||||
algo = PUBKEY_ALGO_RSA;
|
||||
expire = ask_expire_interval (0,NULL);
|
||||
expire = ask_expire_interval (0, NULL);
|
||||
if (keyno == 1)
|
||||
use = PUBKEY_USAGE_SIG;
|
||||
else if (keyno == 2)
|
||||
@ -3634,40 +3590,37 @@ generate_card_subkeypair (KBNODE pub_keyblock, KBNODE sec_keyblock,
|
||||
use = PUBKEY_USAGE_AUTH;
|
||||
if (!cpr_enabled() && !cpr_get_answer_is_yes("keygen.cardsub.okay",
|
||||
_("Really create? (y/N) ")))
|
||||
{
|
||||
err = gpg_error (GPG_ERR_CANCELED);
|
||||
goto leave;
|
||||
|
||||
if (passphrase)
|
||||
set_next_passphrase (passphrase);
|
||||
}
|
||||
|
||||
/* Note, that depending on the backend, the card key generation may
|
||||
update CUR_TIME. */
|
||||
err = gen_card_key (algo, keyno, 0, pub_keyblock, &cur_time, expire, para);
|
||||
if (!err)
|
||||
err = write_keybinding (pub_keyblock, pub_keyblock, pri_sk, sub_sk,
|
||||
use, cur_time);
|
||||
if (!err)
|
||||
err = write_keybinding (sec_keyblock, pub_keyblock, pri_sk, sub_sk,
|
||||
use, cur_time);
|
||||
err = gen_card_key (algo, keyno, 0, pub_keyblock, &cur_time, expire);
|
||||
/* Get the pointer to the generated public subkey packet. */
|
||||
if (!err)
|
||||
{
|
||||
okay = 1;
|
||||
write_status_text (STATUS_KEY_CREATED, "S");
|
||||
PKT_public_key *sub_pk = NULL;
|
||||
|
||||
for (node = pub_keyblock; node; node = node->next)
|
||||
if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY)
|
||||
sub_pk = node->pkt->pkt.public_key;
|
||||
assert (sub_pk);
|
||||
err = write_keybinding (pub_keyblock, pri_pk, sub_pk,
|
||||
use, cur_time, NULL);
|
||||
}
|
||||
|
||||
leave:
|
||||
if (err)
|
||||
log_error (_("Key generation failed: %s\n"), g10_errstr(err) );
|
||||
xfree (passphrase);
|
||||
/* Release the copy of the (now unprotected) secret keys. */
|
||||
if (pri_sk)
|
||||
free_secret_key (pri_sk);
|
||||
set_next_passphrase( NULL );
|
||||
else
|
||||
write_status_text (STATUS_KEY_CREATED, "S");
|
||||
release_parameter_list (para);
|
||||
return okay;
|
||||
return err;
|
||||
}
|
||||
#endif /* !ENABLE_CARD_SUPPORT */
|
||||
|
||||
|
||||
/*
|
||||
* Write a keyblock to an output stream
|
||||
*/
|
||||
@ -3693,83 +3646,73 @@ write_keyblock( IOBUF out, KBNODE node )
|
||||
|
||||
|
||||
/* Note that timestamp is an in/out arg. */
|
||||
static int
|
||||
gen_card_key (int algo, int keyno, int is_primary, KBNODE pub_root,
|
||||
u32 *timestamp, u32 expireval, struct para_data_s *para)
|
||||
static gpg_error_t
|
||||
gen_card_key (int algo, int keyno, int is_primary, kbnode_t pub_root,
|
||||
u32 *timestamp, u32 expireval)
|
||||
{
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
int rc;
|
||||
const char *s;
|
||||
gpg_error_t err;
|
||||
struct agent_card_genkey_s info;
|
||||
PACKET *pkt;
|
||||
PKT_secret_key *sk;
|
||||
PKT_public_key *pk;
|
||||
|
||||
assert (algo == PUBKEY_ALGO_RSA);
|
||||
if (algo != PUBKEY_ALGO_RSA)
|
||||
return gpg_error (GPG_ERR_PUBKEY_ALGO);
|
||||
|
||||
/* Fixme: We don't have the serialnumber available, thus passing NULL. */
|
||||
rc = agent_scd_genkey (&info, keyno, 1, NULL, *timestamp);
|
||||
/* if (gpg_err_code (rc) == GPG_ERR_EEXIST) */
|
||||
/* { */
|
||||
/* tty_printf ("\n"); */
|
||||
/* log_error ("WARNING: key does already exists!\n"); */
|
||||
/* tty_printf ("\n"); */
|
||||
/* if ( cpr_get_answer_is_yes( "keygen.card.replace_key", */
|
||||
/* _("Replace existing key? "))) */
|
||||
/* rc = agent_scd_genkey (&info, keyno, 1); */
|
||||
/* } */
|
||||
|
||||
if (rc)
|
||||
pk = xtrycalloc (1, sizeof *pk );
|
||||
if (!pk)
|
||||
return gpg_error_from_syserror ();
|
||||
pkt = xtrycalloc (1, sizeof *pkt);
|
||||
if (!pkt)
|
||||
{
|
||||
log_error ("key generation failed: %s\n", gpg_strerror (rc));
|
||||
return rc;
|
||||
xfree (pk);
|
||||
return gpg_error_from_syserror ();
|
||||
}
|
||||
if ( !info.n || !info.e )
|
||||
|
||||
/* Note: SCD knows the serialnumber, thus there is no point in passing it. */
|
||||
err = agent_scd_genkey (&info, keyno, 1, NULL, *timestamp);
|
||||
/* The code below is not used because we force creation of
|
||||
* the a card key (3rd arg).
|
||||
* if (gpg_err_code (rc) == GPG_ERR_EEXIST)
|
||||
* {
|
||||
* tty_printf ("\n");
|
||||
* log_error ("WARNING: key does already exists!\n");
|
||||
* tty_printf ("\n");
|
||||
* if ( cpr_get_answer_is_yes( "keygen.card.replace_key",
|
||||
* _("Replace existing key? ")))
|
||||
* rc = agent_scd_genkey (&info, keyno, 1);
|
||||
* }
|
||||
*/
|
||||
if (!err && (!info.n || !info.e))
|
||||
{
|
||||
log_error ("communication error with SCD\n");
|
||||
gcry_mpi_release (info.n);
|
||||
gcry_mpi_release (info.e);
|
||||
return gpg_error (GPG_ERR_GENERAL);
|
||||
err = gpg_error (GPG_ERR_GENERAL);
|
||||
}
|
||||
if (err)
|
||||
{
|
||||
log_error ("key generation failed: %s\n", gpg_strerror (err));
|
||||
xfree (pkt);
|
||||
xfree (pk);
|
||||
return err;
|
||||
}
|
||||
|
||||
if (*timestamp != info.created_at)
|
||||
log_info ("Note that the key does not use the suggested creation date\n");
|
||||
log_info ("NOTE: the key does not use the suggested creation date\n");
|
||||
*timestamp = info.created_at;
|
||||
|
||||
pk = xcalloc (1, sizeof *pk );
|
||||
sk = xcalloc (1, sizeof *sk );
|
||||
sk->timestamp = pk->timestamp = info.created_at;
|
||||
sk->version = pk->version = 4;
|
||||
pk->timestamp = info.created_at;
|
||||
pk->version = 4;
|
||||
if (expireval)
|
||||
sk->expiredate = pk->expiredate = pk->timestamp + expireval;
|
||||
sk->pubkey_algo = pk->pubkey_algo = algo;
|
||||
pk->expiredate = pk->timestamp + expireval;
|
||||
pk->pubkey_algo = algo;
|
||||
pk->pkey[0] = info.n;
|
||||
pk->pkey[1] = info.e;
|
||||
sk->skey[0] = gcry_mpi_copy (pk->pkey[0]);
|
||||
sk->skey[1] = gcry_mpi_copy (pk->pkey[1]);
|
||||
sk->skey[2] = gcry_mpi_set_opaque (NULL, xstrdup ("dummydata"), 10*8);
|
||||
sk->is_protected = 1;
|
||||
sk->protect.s2k.mode = 1002;
|
||||
s = get_parameter_value (para, pSERIALNO);
|
||||
if (s)
|
||||
{
|
||||
for (sk->protect.ivlen=0; sk->protect.ivlen < 16 && *s && s[1];
|
||||
sk->protect.ivlen++, s += 2)
|
||||
sk->protect.iv[sk->protect.ivlen] = xtoi_2 (s);
|
||||
}
|
||||
|
||||
if( ret_sk )
|
||||
*ret_sk = sk;
|
||||
|
||||
pkt = xcalloc (1,sizeof *pkt);
|
||||
pkt->pkttype = is_primary ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY;
|
||||
pkt->pkt.public_key = pk;
|
||||
add_kbnode(pub_root, new_kbnode( pkt ));
|
||||
|
||||
pkt = xcalloc (1,sizeof *pkt);
|
||||
pkt->pkttype = is_primary ? PKT_SECRET_KEY : PKT_SECRET_SUBKEY;
|
||||
pkt->pkt.secret_key = sk;
|
||||
add_kbnode(sec_root, new_kbnode( pkt ));
|
||||
add_kbnode (pub_root, new_kbnode (pkt));
|
||||
|
||||
return 0;
|
||||
#else
|
||||
@ -3782,10 +3725,9 @@ gen_card_key (int algo, int keyno, int is_primary, KBNODE pub_root,
|
||||
static int
|
||||
gen_card_key_with_backup (int algo, int keyno, int is_primary,
|
||||
KBNODE pub_root, u32 timestamp,
|
||||
u32 expireval, struct para_data_s *para,
|
||||
const char *backup_dir)
|
||||
u32 expireval, struct para_data_s *para)
|
||||
{
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
#if 0 /* FIXME: Move this to gpg-agent. */
|
||||
int rc;
|
||||
const char *s;
|
||||
PACKET *pkt;
|
||||
@ -3947,9 +3889,9 @@ gen_card_key_with_backup (int algo, int keyno, int is_primary,
|
||||
}
|
||||
|
||||
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
#if 0
|
||||
int
|
||||
save_unprotected_key_to_card (PKT_secret_key *sk, int keyno)
|
||||
save_unprotected_key_to_card (PKT_public_key *sk, int keyno)
|
||||
{
|
||||
int rc;
|
||||
unsigned char *rsa_n = NULL;
|
||||
|
@ -182,8 +182,7 @@ print_card_key_info (estream_t fp, kbnode_t keyblock)
|
||||
{
|
||||
/* KBNODE node; */
|
||||
/* int i; */
|
||||
|
||||
log_debug ("Fixme: Needs to be adjusted to gpg-agent\n");
|
||||
#warning Fixme: Needs to be adjusted to gpg-agent
|
||||
/* for (node = keyblock; node; node = node->next) */
|
||||
/* { */
|
||||
/* if (node->pkt->pkttype == PKT_SECRET_KEY */
|
||||
|
10
g10/main.h
10
g10/main.h
@ -231,8 +231,8 @@ void show_basic_key_info (KBNODE keyblock);
|
||||
u32 parse_expire_string(const char *string);
|
||||
u32 ask_expire_interval(int object,const char *def_expire);
|
||||
u32 ask_expiredate(void);
|
||||
void generate_keypair( const char *fname, const char *card_serialno,
|
||||
const char *backup_encryption_dir );
|
||||
void generate_keypair (const char *fname, const char *card_serialno,
|
||||
int card_backup_key);
|
||||
int keygen_set_std_prefs (const char *string,int personal);
|
||||
PKT_user_id *keygen_get_std_prefs (void);
|
||||
int keygen_add_key_expire( PKT_signature *sig, void *opaque );
|
||||
@ -246,9 +246,9 @@ gpg_error_t make_backsig (PKT_signature *sig, PKT_public_key *pk,
|
||||
u32 timestamp, const char *cache_nonce);
|
||||
gpg_error_t generate_subkeypair (kbnode_t pub_keyblock);
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
int generate_card_subkeypair (KBNODE pub_keyblock, KBNODE sec_keyblock,
|
||||
gpg_error_t generate_card_subkeypair (kbnode_t pub_keyblock,
|
||||
int keyno, const char *serialno);
|
||||
int save_unprotected_key_to_card (PKT_secret_key *sk, int keyno);
|
||||
int save_unprotected_key_to_card (PKT_public_key *sk, int keyno);
|
||||
#endif
|
||||
|
||||
/*-- openfile.c --*/
|
||||
@ -348,7 +348,7 @@ int gpg_server (ctrl_t);
|
||||
void change_pin (int no, int allow_admin);
|
||||
void card_status (estream_t fp, char *serialno, size_t serialnobuflen);
|
||||
void card_edit (ctrl_t ctrl, strlist_t commands);
|
||||
int card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock);
|
||||
gpg_error_t card_generate_subkey (KBNODE pub_keyblock);
|
||||
int card_store_subkey (KBNODE node, int use);
|
||||
#endif
|
||||
|
||||
|
13
g10/misc.c
13
g10/misc.c
@ -548,13 +548,12 @@ static unsigned long
|
||||
get_signature_count (PKT_public_key *pk)
|
||||
{
|
||||
#ifdef ENABLE_CARD_SUPPORT
|
||||
/* FIXME: Need to call the agent. */
|
||||
/* if(sk && sk->is_protected && sk->protect.s2k.mode==1002) */
|
||||
/* { */
|
||||
/* struct agent_card_info_s info; */
|
||||
/* if(agent_scd_getattr("SIG-COUNTER",&info)==0) */
|
||||
/* return info.sig_counter; */
|
||||
/* } */
|
||||
struct agent_card_info_s info;
|
||||
#warning fixme: We should check that the correct card has been inserted
|
||||
if (!agent_scd_getattr ("SIG-COUNTER",&info))
|
||||
return info.sig_counter;
|
||||
else
|
||||
return 0;
|
||||
#else
|
||||
(void)pk;
|
||||
return 0;
|
||||
|
@ -1,3 +1,8 @@
|
||||
2010-11-16 Werner Koch <wk@g10code.com>
|
||||
|
||||
* apdu.c (PCSC_UNKNOWN) [W32]: Fix all these values which don't
|
||||
match those of libpcsc. Reported by Michael Petig.
|
||||
|
||||
2010-10-27 Werner Koch <wk@g10code.com>
|
||||
|
||||
* scdaemon.c (create_socket_name): Use TMPDIR. Change callers.
|
||||
|
35
scd/apdu.c
35
scd/apdu.c
@ -1,5 +1,5 @@
|
||||
/* apdu.c - ISO 7816 APDU functions and low level I/O
|
||||
* Copyright (C) 2003, 2004, 2008, 2009 Free Software Foundation, Inc.
|
||||
* Copyright (C) 2003, 2004, 2008, 2009, 2010 Free Software Foundation, Inc.
|
||||
*
|
||||
* This file is part of GnuPG.
|
||||
*
|
||||
@ -165,7 +165,11 @@ static char (* DLSTDCALL CT_close) (unsigned short ctn);
|
||||
|
||||
#define PCSC_PROTOCOL_T0 1
|
||||
#define PCSC_PROTOCOL_T1 2
|
||||
#define PCSC_PROTOCOL_RAW 4
|
||||
#ifdef HAVE_W32_SYSTEM
|
||||
# define PCSC_PROTOCOL_RAW 0x00010000 /* The active protocol. */
|
||||
#else
|
||||
# define PCSC_PROTOCOL_RAW 4
|
||||
#endif
|
||||
|
||||
#define PCSC_SHARE_EXCLUSIVE 1
|
||||
#define PCSC_SHARE_SHARED 2
|
||||
@ -176,13 +180,23 @@ static char (* DLSTDCALL CT_close) (unsigned short ctn);
|
||||
#define PCSC_UNPOWER_CARD 2
|
||||
#define PCSC_EJECT_CARD 3
|
||||
|
||||
#define PCSC_UNKNOWN 0x0001
|
||||
#define PCSC_ABSENT 0x0002 /* Card is absent. */
|
||||
#define PCSC_PRESENT 0x0004 /* Card is present. */
|
||||
#define PCSC_SWALLOWED 0x0008 /* Card is present and electrical connected. */
|
||||
#define PCSC_POWERED 0x0010 /* Card is powered. */
|
||||
#define PCSC_NEGOTIABLE 0x0020 /* Card is awaiting PTS. */
|
||||
#define PCSC_SPECIFIC 0x0040 /* Card is ready for use. */
|
||||
#ifdef HAVE_W32_SYSTEM
|
||||
# define PCSC_UNKNOWN 0x0000 /* The driver is not aware of the status. */
|
||||
# define PCSC_ABSENT 0x0001 /* Card is absent. */
|
||||
# define PCSC_PRESENT 0x0002 /* Card is present. */
|
||||
# define PCSC_SWALLOWED 0x0003 /* Card is present and electrical connected. */
|
||||
# define PCSC_POWERED 0x0004 /* Card is powered. */
|
||||
# define PCSC_NEGOTIABLE 0x0005 /* Card is awaiting PTS. */
|
||||
# define PCSC_SPECIFIC 0x0006 /* Card is ready for use. */
|
||||
#else
|
||||
# define PCSC_UNKNOWN 0x0001
|
||||
# define PCSC_ABSENT 0x0002 /* Card is absent. */
|
||||
# define PCSC_PRESENT 0x0004 /* Card is present. */
|
||||
# define PCSC_SWALLOWED 0x0008 /* Card is present and electrical connected. */
|
||||
# define PCSC_POWERED 0x0010 /* Card is powered. */
|
||||
# define PCSC_NEGOTIABLE 0x0020 /* Card is awaiting PTS. */
|
||||
# define PCSC_SPECIFIC 0x0040 /* Card is ready for use. */
|
||||
#endif
|
||||
|
||||
#define PCSC_STATE_UNAWARE 0x0000 /* Want status. */
|
||||
#define PCSC_STATE_IGNORE 0x0001 /* Ignore this reader. */
|
||||
@ -195,6 +209,9 @@ static char (* DLSTDCALL CT_close) (unsigned short ctn);
|
||||
#define PCSC_STATE_EXCLUSIVE 0x0080 /* Exclusive Mode. */
|
||||
#define PCSC_STATE_INUSE 0x0100 /* Shared mode. */
|
||||
#define PCSC_STATE_MUTE 0x0200 /* Unresponsive card. */
|
||||
#ifdef HAVE_W32_SYSTEM
|
||||
# define PCSC_STATE_UNPOWERED 0x0400 /* Card not powerred up. */
|
||||
#endif
|
||||
|
||||
/* Some PC/SC error codes. */
|
||||
#define PCSC_E_CANCELLED 0x80100002
|
||||
|
Loading…
x
Reference in New Issue
Block a user