security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-08 12:44:23 +01:00
Code Activity

scd: Extend KEYPAIRINFO with an algorithm string.

Browse Source 
* scd/app-openpgp.c (send_keypair_info): Emit the algo string as part
of a KEYPAIRINFO.
* scd/command.c (do_readkey): Ditto.
* scd/app-piv.c (do_readkey): Ditto.
* scd/app-nks.c (do_learn_status_core): Ditto.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache.  Use a
single exit label.
* scd/app-help.c (app_help_get_keygrip_string_pk): Add new arg
r_algostr.  Change all callers.
--

This is helpful so that callers do not need to parse the key for this
basic information.  Use "scd readkey --info-only" to return the info
status line instead of the key material; using just --info returns the
info in addition to the key material.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2020-09-21 14:47:53 +02:00
parent babd87f2da
commit 26da47ae53
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
8 changed files with 104 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
agent/call-scd.c
View File

@ -677,7 +677,7 @@ readkey_status_cb (void *opaque, const char *line)
&& !parm->keyref) && !parm->keyref)
{ {
/* The format of such a line is: /* The format of such a line is:
* KEYPAIRINFO <hexgrip> <keyref> [usage] [keytime] * KEYPAIRINFO <hexgrip> <keyref> [usage] [keytime] [algostr]
* *
* Here we only need the keyref. We use only the first received * Here we only need the keyref. We use only the first received
* KEYPAIRINFO; it is possible to receive several if there are * KEYPAIRINFO; it is possible to receive several if there are

9
doc/DETAILS
View File

@ -2,7 +2,7 @@
#+TITLE: GnuPG Details #+TITLE: GnuPG Details
# Globally disable superscripts and subscripts: # Globally disable superscripts and subscripts:
#+OPTIONS: ^:{} #+OPTIONS: ^:{}
# #+STARTUP: showall
# Note: This file uses org-mode; it should be easy to read as plain # Note: This file uses org-mode; it should be easy to read as plain
# text but be aware of some markup peculiarities: Verbatim code is # text but be aware of some markup peculiarities: Verbatim code is
@ -1183,7 +1183,7 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
byte is either '-' for standard key or 'e' for an ephemeral key. byte is either '-' for standard key or 'e' for an ephemeral key.
The second byte is either '-' or 'r' for a known revoked key. The second byte is either '-' or 'r' for a known revoked key.
*** KEYPAIRINFO <grip> <keyref> [<usage>] [<keytime>] *** KEYPAIRINFO <grip> <keyref> [<usage>] [<keytime>] [<algostr>]
This status is emitted by scdaemon and gpg-agent to convey brief This status is emitted by scdaemon and gpg-agent to convey brief
information about keypairs stored on tokens. <grip> is the information about keypairs stored on tokens. <grip> is the
@ -1195,8 +1195,9 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
encryption, 's' for signing, 'a' for authentication). A '-' can be encryption, 's' for signing, 'a' for authentication). A '-' can be
used to tell that usage flags are not conveyed. <keytime> is used used to tell that usage flags are not conveyed. <keytime> is used
by OpenPGP cards for the stored key creation time. A '-' means no by OpenPGP cards for the stored key creation time. A '-' means no
info available. The format is the usual ISO string are a number info available. The format is the usual ISO string or a number
with the seconds since Epoch. with the seconds since Epoch. <algostr> is the algorithm or curve
this key uses (e.g. "rsa2048") or a "-" if not known.
*** MANUFACTURER <n> [<string>] *** MANUFACTURER <n> [<string>]
This status returns the Manufactorer ID as the unsigned number N. This status returns the Manufactorer ID as the unsigned number N.

2
scd/app-common.h
View File

@ -220,7 +220,7 @@ unsigned int app_help_count_bits (const unsigned char *a, size_t len);
gpg_error_t app_help_get_keygrip_string_pk (const void *pk, size_t pklen, gpg_error_t app_help_get_keygrip_string_pk (const void *pk, size_t pklen,
char *hexkeygrip, char *hexkeygrip,
gcry_sexp_t *r_pkey, gcry_sexp_t *r_pkey,
int *r_algo); int *r_algo, char **r_algostr);
gpg_error_t app_help_get_keygrip_string (ksba_cert_t cert, char *hexkeygrip, gpg_error_t app_help_get_keygrip_string (ksba_cert_t cert, char *hexkeygrip,
gcry_sexp_t *r_pkey, int *r_algo); gcry_sexp_t *r_pkey, int *r_algo);
gpg_error_t app_help_pubkey_from_cert (const void *cert, size_t certlen, gpg_error_t app_help_pubkey_from_cert (const void *cert, size_t certlen,

21
scd/app-help.c
View File

@ -57,10 +57,12 @@ app_help_count_bits (const unsigned char *a, size_t len)
* function succeeded, the S-expression representing the key is stored * function succeeded, the S-expression representing the key is stored
* there. The caller needs to call gcry_sexp_release on that. If * there. The caller needs to call gcry_sexp_release on that. If
* R_ALGO is not NULL the public key algorithm id of Libgcrypt is * R_ALGO is not NULL the public key algorithm id of Libgcrypt is
* stored there. */ * stored there. If R_ALGOSTR is not NULL and the function succeeds a
* newly allocated algo string (e.g. "rsa2048") is stored there. */
gpg_error_t gpg_error_t
app_help_get_keygrip_string_pk (const void *pk, size_t pklen, char *hexkeygrip, app_help_get_keygrip_string_pk (const void *pk, size_t pklen, char *hexkeygrip,
gcry_sexp_t *r_pkey, int *r_algo) gcry_sexp_t *r_pkey, int *r_algo,
char **r_algostr)
{ {
gpg_error_t err; gpg_error_t err;
gcry_sexp_t s_pkey; gcry_sexp_t s_pkey;
@ -68,6 +70,8 @@ app_help_get_keygrip_string_pk (const void *pk, size_t pklen, char *hexkeygrip,
if (r_pkey) if (r_pkey)
*r_pkey = NULL; *r_pkey = NULL;
if (r_algostr)
*r_algostr = NULL;
err = gcry_sexp_sscan (&s_pkey, NULL, pk, pklen); err = gcry_sexp_sscan (&s_pkey, NULL, pk, pklen);
if (err) if (err)
@ -81,6 +85,17 @@ app_help_get_keygrip_string_pk (const void *pk, size_t pklen, char *hexkeygrip,
if (r_algo) if (r_algo)
*r_algo = get_pk_algo_from_key (s_pkey); *r_algo = get_pk_algo_from_key (s_pkey);
if (r_algostr)
{
*r_algostr = pubkey_algo_string (s_pkey, NULL);
if (!*r_algostr)
{
err = gpg_error_from_syserror ();
gcry_sexp_release (s_pkey);
return err;
}
}
if (r_pkey) if (r_pkey)
*r_pkey = s_pkey; *r_pkey = s_pkey;
else else
@ -116,7 +131,7 @@ app_help_get_keygrip_string (ksba_cert_t cert, char *hexkeygrip,
if (!n) if (!n)
return gpg_error (GPG_ERR_INV_SEXP); return gpg_error (GPG_ERR_INV_SEXP);
err = app_help_get_keygrip_string_pk ((void*)p, n, hexkeygrip, err = app_help_get_keygrip_string_pk ((void*)p, n, hexkeygrip,
r_pkey, r_algo); r_pkey, r_algo, NULL);
ksba_free (p); ksba_free (p);
return err; return err;
} }

57
scd/app-nks.c
View File

@ -178,6 +178,7 @@ struct fid_cache_s {
int fid; /* Zero for an unused slot. */ int fid; /* Zero for an unused slot. */
unsigned int got_keygrip:1; /* The keygrip and algo are valid. */ unsigned int got_keygrip:1; /* The keygrip and algo are valid. */
int algo; int algo;
char *algostr; /* malloced. */
char keygripstr[2*KEYGRIP_LEN+1]; char keygripstr[2*KEYGRIP_LEN+1];
}; };
@ -217,6 +218,8 @@ flush_fid_cache (app_t app)
while (app->app_local->fid_cache) while (app->app_local->fid_cache)
{ {
struct fid_cache_s *next = app->app_local->fid_cache->next; struct fid_cache_s *next = app->app_local->fid_cache->next;
if (app->app_local->fid_cache)
xfree (app->app_local->fid_cache->algostr);
xfree (app->app_local->fid_cache); xfree (app->app_local->fid_cache);
app->app_local->fid_cache = next; app->app_local->fid_cache = next;
} }
@ -270,10 +273,12 @@ get_dispserialno (app_t app)
* all the ECC parameters required, we don't do that but rely that the * all the ECC parameters required, we don't do that but rely that the
* corresponding certificate at CFID is already available and get the * corresponding certificate at CFID is already available and get the
* public key from there. If R_ALGO is not NULL the public key * public key from there. If R_ALGO is not NULL the public key
* algorithm for the returned KEYGRIP is stored there. */ * algorithm for the returned KEYGRIP is stored there. If R_ALGOSTR
* is not NULL the public key algo string (e.g. "rsa2048") is stored
* there. */
static gpg_error_t static gpg_error_t
keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr, keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
int *r_algo) int *r_algo, char **r_algostr)
{ {
gpg_error_t err; gpg_error_t err;
unsigned char grip[20]; unsigned char grip[20];
@ -281,6 +286,7 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
size_t buflen[2]; size_t buflen[2];
gcry_sexp_t sexp = NULL; gcry_sexp_t sexp = NULL;
int algo = 0; /* Public key algo. */ int algo = 0; /* Public key algo. */
char *algostr = NULL; /* Public key algo string. */
int i; int i;
int offset[2] = { 0, 0 }; int offset[2] = { 0, 0 };
struct fid_cache_s *ci; struct fid_cache_s *ci;
@ -290,9 +296,17 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
{ {
if (!ci->got_keygrip) if (!ci->got_keygrip)
return gpg_error (GPG_ERR_NOT_FOUND); return gpg_error (GPG_ERR_NOT_FOUND);
if (r_algostr && !ci->algostr)
break; /* Not in the cache - try w/o cache. */
memcpy (r_gripstr, ci->keygripstr, 2*KEYGRIP_LEN+1); memcpy (r_gripstr, ci->keygripstr, 2*KEYGRIP_LEN+1);
if (r_algo) if (r_algo)
*r_algo = ci->algo; *r_algo = ci->algo;
if (r_algostr)
{
*r_algostr = xtrystrdup (ci->algostr);
if (!*r_algostr)
return gpg_error_from_syserror ();
}
return 0; /* Found in cache. */ return 0; /* Found in cache. */
} }
@ -308,7 +322,7 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
{ {
log_error ("nks: error reading certificate %04X: %s\n", log_error ("nks: error reading certificate %04X: %s\n",
cfid, gpg_strerror (err)); cfid, gpg_strerror (err));
return err; goto leave;
} }
err = app_help_pubkey_from_cert (cert, certlen, &pk, &pklen); err = app_help_pubkey_from_cert (cert, certlen, &pk, &pklen);
@ -317,10 +331,11 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
{ {
log_error ("nks: error parsing certificate %04X: %s\n", log_error ("nks: error parsing certificate %04X: %s\n",
cfid, gpg_strerror (err)); cfid, gpg_strerror (err));
return err; goto leave;
} }
err = app_help_get_keygrip_string_pk (pk, pklen, r_gripstr, NULL, &algo); err = app_help_get_keygrip_string_pk (pk, pklen, r_gripstr, NULL,
&algo, &algostr);
xfree (pk); xfree (pk);
if (err) if (err)
log_error ("nks: error getting keygrip for certificate %04X: %s\n", log_error ("nks: error getting keygrip for certificate %04X: %s\n",
@ -331,17 +346,17 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
err = iso7816_select_file (app_get_slot (app), pkfid, 0); err = iso7816_select_file (app_get_slot (app), pkfid, 0);
if (err) if (err)
return err; goto leave;
err = iso7816_read_record (app_get_slot (app), 1, 1, 0, err = iso7816_read_record (app_get_slot (app), 1, 1, 0,
&buffer[0], &buflen[0]); &buffer[0], &buflen[0]);
if (err) if (err)
return err; goto leave;
err = iso7816_read_record (app_get_slot (app), 2, 1, 0, err = iso7816_read_record (app_get_slot (app), 2, 1, 0,
&buffer[1], &buflen[1]); &buffer[1], &buflen[1]);
if (err) if (err)
{ {
xfree (buffer[0]); xfree (buffer[0]);
return err; goto leave;
} }
if (app->appversion < 3) if (app->appversion < 3)
@ -391,7 +406,8 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
{ {
xfree (buffer[0]); xfree (buffer[0]);
xfree (buffer[1]); xfree (buffer[1]);
return gpg_error_from_syserror (); err = gpg_error_from_syserror ();
goto leave;
} }
newbuf[0] = 0; newbuf[0] = 0;
memcpy (newbuf+1, buffer[i]+offset[i], buflen[i] - offset[i]); memcpy (newbuf+1, buffer[i]+offset[i], buflen[i] - offset[i]);
@ -430,6 +446,12 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
leave: leave:
if (!err) if (!err)
{ {
if (r_algostr)
{
*r_algostr = algostr;
algostr = NULL;
}
/* FIXME: We need to implement not_found caching. */ /* FIXME: We need to implement not_found caching. */
for (ci = app->app_local->fid_cache; ci; ci = ci->next) for (ci = app->app_local->fid_cache; ci; ci = ci->next)
if (ci->fid && ci->fid == pkfid) if (ci->fid && ci->fid == pkfid)
@ -437,6 +459,8 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
/* Update the keygrip. */ /* Update the keygrip. */
memcpy (ci->keygripstr, r_gripstr, 2*KEYGRIP_LEN+1); memcpy (ci->keygripstr, r_gripstr, 2*KEYGRIP_LEN+1);
ci->algo = algo; ci->algo = algo;
xfree (ci->algostr);
ci->algostr = algostr? xtrystrdup (algostr) : NULL;
ci->got_keygrip = 1; ci->got_keygrip = 1;
break; break;
} }
@ -461,6 +485,7 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr,
} }
} }
gcry_sexp_release (sexp); gcry_sexp_release (sexp);
xfree (algostr);
return err; return err;
} }
@ -526,7 +551,7 @@ find_fid_by_keyref (app_t app, const char *keyref, int *r_idx, int *r_algo)
err = keygripstr_from_pk_file (app, filelist[idx].fid, err = keygripstr_from_pk_file (app, filelist[idx].fid,
filelist[idx].iskeypair, filelist[idx].iskeypair,
keygripstr, r_algo); keygripstr, r_algo, NULL);
if (err) if (err)
{ {
log_info ("nks: no keygrip for FID 0x%04X: %s - ignored\n", log_info ("nks: no keygrip for FID 0x%04X: %s - ignored\n",
@ -595,7 +620,7 @@ find_fid_by_keyref (app_t app, const char *keyref, int *r_idx, int *r_algo)
/* We need to get the public key algo. */ /* We need to get the public key algo. */
err = keygripstr_from_pk_file (app, filelist[idx].fid, err = keygripstr_from_pk_file (app, filelist[idx].fid,
filelist[idx].iskeypair, filelist[idx].iskeypair,
keygripstr, r_algo); keygripstr, r_algo, NULL);
if (err) if (err)
log_error ("nks: no keygrip for FID 0x%04X: %s\n", log_error ("nks: no keygrip for FID 0x%04X: %s\n",
filelist[idx].fid, gpg_strerror (err)); filelist[idx].fid, gpg_strerror (err));
@ -822,9 +847,11 @@ do_learn_status_core (app_t app, ctrl_t ctrl, unsigned int flags,
char gripstr[40+1]; char gripstr[40+1];
char usagebuf[5]; char usagebuf[5];
int usageidx = 0; int usageidx = 0;
char *algostr = NULL;
err = keygripstr_from_pk_file (app, filelist[i].fid, err = keygripstr_from_pk_file (app, filelist[i].fid,
filelist[i].iskeypair, gripstr, NULL); filelist[i].iskeypair, gripstr,
NULL, &algostr);
if (err) if (err)
log_error ("can't get keygrip from FID 0x%04X: %s\n", log_error ("can't get keygrip from FID 0x%04X: %s\n",
filelist[i].fid, gpg_strerror (err)); filelist[i].fid, gpg_strerror (err));
@ -843,8 +870,11 @@ do_learn_status_core (app_t app, ctrl_t ctrl, unsigned int flags,
gripstr, 40, gripstr, 40,
id_buf, strlen (id_buf), id_buf, strlen (id_buf),
usagebuf, strlen (usagebuf), usagebuf, strlen (usagebuf),
"-", (size_t)1,
algostr, strlen (algostr),
NULL, (size_t)0); NULL, (size_t)0);
} }
xfree (algostr);
} }
} }
} }
@ -2073,7 +2103,8 @@ do_with_keygrip (app_t app, ctrl_t ctrl, int action,
} }
err = keygripstr_from_pk_file (app, filelist[idx].fid, err = keygripstr_from_pk_file (app, filelist[idx].fid,
filelist[idx].iskeypair, keygripstr, NULL); filelist[idx].iskeypair, keygripstr,
NULL, NULL);
if (err) if (err)
{ {
log_error ("can't get keygrip from FID 0x%04X: %s\n", log_error ("can't get keygrip from FID 0x%04X: %s\n",

23
scd/app-openpgp.c
View File

@ -2049,6 +2049,7 @@ send_keypair_info (app_t app, ctrl_t ctrl, int key)
gpg_error_t err = 0; gpg_error_t err = 0;
const char *usage; const char *usage;
u32 fprtime; u32 fprtime;
char *algostr = NULL;
err = get_public_key (app, keyno); err = get_public_key (app, keyno);
if (err) if (err)
@ -2069,11 +2070,29 @@ send_keypair_info (app_t app, ctrl_t ctrl, int key)
if (retrieve_fprtime_from_card (app, keyno, &fprtime)) if (retrieve_fprtime_from_card (app, keyno, &fprtime))
fprtime = 0; fprtime = 0;
err = send_status_printf (ctrl, "KEYPAIRINFO", "%s OPENPGP.%d %s %lu", {
gcry_sexp_t s_pkey;
if (gcry_sexp_new (&s_pkey, app->app_local->pk[keyno].key,
app->app_local->pk[keyno].keylen, 0))
algostr = xtrystrdup ("?");
else
{
algostr = pubkey_algo_string (s_pkey, NULL);
gcry_sexp_release (s_pkey);
}
}
if (!algostr)
{
err = gpg_error_from_syserror ();
goto leave;
}
err = send_status_printf (ctrl, "KEYPAIRINFO", "%s OPENPGP.%d %s %lu %s",
app->app_local->pk[keyno].keygrip_str, app->app_local->pk[keyno].keygrip_str,
keyno+1, usage, (unsigned long)fprtime); keyno+1, usage, (unsigned long)fprtime, algostr);
leave: leave:
xfree (algostr);
return err; return err;
} }

7
scd/app-piv.c
View File

@ -1538,8 +1538,10 @@ do_readkey (app_t app, ctrl_t ctrl, const char *keyrefstr, unsigned int flags,
char keygripstr[KEYGRIP_LEN*2+1]; char keygripstr[KEYGRIP_LEN*2+1];
char idbuf[50]; char idbuf[50];
const char *usage; const char *usage;
char *algostr;
err = app_help_get_keygrip_string_pk (pk, pklen, keygripstr, NULL, NULL); err = app_help_get_keygrip_string_pk (pk, pklen, keygripstr,
NULL, NULL, &algostr);
if (err) if (err)
{ {
log_error ("app_help_get_keygrip_string_pk failed: %s\n", log_error ("app_help_get_keygrip_string_pk failed: %s\n",
@ -1553,7 +1555,10 @@ do_readkey (app_t app, ctrl_t ctrl, const char *keyrefstr, unsigned int flags,
keygripstr, strlen (keygripstr), keygripstr, strlen (keygripstr),
idbuf, strlen (idbuf), idbuf, strlen (idbuf),
usage, strlen (usage), usage, strlen (usage),
"-", (size_t)1,
algostr, strlen (algostr),
NULL, (size_t)0); NULL, (size_t)0);
xfree (algostr);
} }
if (r_pk && r_pklen) if (r_pk && r_pklen)

10
scd/command.c
View File

@ -433,7 +433,7 @@ static const char hlp_learn[] =
"or a \"CANCEL\" to force the function to terminate with a Cancel\n" "or a \"CANCEL\" to force the function to terminate with a Cancel\n"
"error message.\n" "error message.\n"
"\n" "\n"
"With the option --keypairinfo only KEYPARIINFO status lines are\n" "With the option --keypairinfo only KEYPAIRINFO status lines are\n"
"returned.\n" "returned.\n"
"\n" "\n"
"The response of this command is a list of status lines formatted as\n" "The response of this command is a list of status lines formatted as\n"
@ -650,9 +650,11 @@ do_readkey (card_t card, ctrl_t ctrl, const char *line,
if (opt_info) if (opt_info)
{ {
char keygripstr[KEYGRIP_LEN*2+1]; char keygripstr[KEYGRIP_LEN*2+1];
char *algostr;
rc = app_help_get_keygrip_string_pk (*pk_p, *pklen_p, rc = app_help_get_keygrip_string_pk (*pk_p, *pklen_p,
keygripstr, NULL, NULL); keygripstr, NULL, NULL,
&algostr);
if (rc) if (rc)
{ {
log_error ("app_help_get_keygrip_string failed: %s\n", log_error ("app_help_get_keygrip_string failed: %s\n",
@ -665,7 +667,11 @@ do_readkey (card_t card, ctrl_t ctrl, const char *line,
send_status_info (ctrl, "KEYPAIRINFO", send_status_info (ctrl, "KEYPAIRINFO",
keygripstr, strlen (keygripstr), keygripstr, strlen (keygripstr),
line, strlen (line), line, strlen (line),
"-", (size_t)1,
"-", (size_t)1,
algostr, strlen (algostr),
NULL, (size_t)0); NULL, (size_t)0);
xfree (algostr);
} }
} }
else else