mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00

scd:p15: Support signing with CardOS 5 cards.

* scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg
r_pkey and change all callers.
(app_help_get_keygrip_string): Ditto.
* scd/app-p15.c (struct cdf_object_s): Use bit flags
(struct aodf_object_s): Ditto.  Add field 'fid'.
(struct prkdf_object_s): Ditto.  Add fields keygrip, keyalgo, and
keynbits.
(parse_certid): Allow a keygrip instead of a certid aka keyref.
(read_ef_aodf): Store the FID.
(keygripstr_from_prkdf): Rename to ...
(keygrip_from_prkdf): this.  Remove arg r_gripstr and implement cache.
Change callers to directly use the values from the object.  Also store
the algo and length of the key in the object.
(keyref_from_keyinfo): New. Factored out code.
(do_sign): Support SHA-256 and >2048 bit RSA keys.
(do_with_keygrip): New.
(app_select_p15): Register new function.
--

This has been tested with a D-Trust card featuring 3072 bit keys.
Note that the non-repudiation key for a qualified signature does not yet
work because we do not yet support rsaPSS padding.  Thus a gpgsm
--learn shows a couple of Bad Signature errors for this key.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2020-03-31 19:55:15 +02:00
parent 2bdd4fc7b6
commit 103c1576b7
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
8 changed files with 367 additions and 97 deletions

@ -1356,7 +1356,7 @@ get_keygrip_by_tag (app_t app, unsigned int tag,
err = ksba_cert_init_from_mem (cert, certbuf, certbuflen);
if (err)
goto leave;
err = app_help_get_keygrip_string (cert, *r_keygripstr);
err = app_help_get_keygrip_string (cert, *r_keygripstr, NULL);
}
leave:
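
Review bot: the NULL passed as the new third argument to app_help_get_keygrip_string in get_keygrip_by_tag is only safe if the helper tests r_pkey before storing through it. The commit message calls the argument optional, so please confirm that every store to r_pkey in scd/app-help.c sits behind an "if (r_pkey)" check, including on the error paths, and say in the function's header comment that NULL is accepted.
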
@ -1564,7 +1564,7 @@ do_readkey (app_t app, ctrl_t ctrl, const char *keyrefstr, unsigned int flags,
char idbuf[50];
const char *usage;
err = app_help_get_keygrip_string_pk (pk, pklen, keygripstr);
err = app_help_get_keygrip_string_pk (pk, pklen, keygripstr, NULL);
if (err)
{
log_error ("app_help_get_keygrip_string_pk failed: %s\n",
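
Review bot: the header comment of app_help_get_keygrip_string_pk should state who owns the value returned through the new fourth argument, which do_readkey declines here by passing NULL. This caller's error branch needs no cleanup as written, but a caller that does request r_pkey has to know whether it must release the result and whether the output is left untouched or cleared when the helper fails.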