diff --git a/g10/ChangeLog b/g10/ChangeLog index db19713a8..f7fdea707 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,17 @@ +2003-07-23 Werner Koch + + * keygen.c (generate_keypair): Create an AUTHKEYTYPE entry for cards. + (do_generate_keypair): Abd generate the authkey. + (check_smartcard): Changed menu accordingly. + +2003-07-22 Werner Koch + + * g10.c: New command --change-pin. + * card-util.c: New. + * call-agent.c (agent_scd_change_pin): New. + (agent_release_card_info): New. + * keygen.c (check_smartcard): Use it here. + 2003-07-16 Werner Koch * export.c (parse_export_options): New option sexp-format. diff --git a/g10/Makefile.am b/g10/Makefile.am index 3137bb894..d6984941e 100644 --- a/g10/Makefile.am +++ b/g10/Makefile.am @@ -96,6 +96,7 @@ gpg_SOURCES = g10.c \ keyserver-internal.h \ photoid.c photoid.h \ call-agent.c call-agent.h \ + card-util.c \ exec.c exec.h gpgv_SOURCES = gpgv.c \ diff --git a/g10/call-agent.c b/g10/call-agent.c index ca4236538..3b40cd0dd 100644 --- a/g10/call-agent.c +++ b/g10/call-agent.c @@ -449,6 +449,19 @@ agent_havekey (const char *hexkeygrip) } +/* Release the card info structure INFO. */ +void +agent_release_card_info (struct agent_card_info_s *info) +{ + if (!info) + return; + + xfree (info->serialno); info->serialno = NULL; + xfree (info->disp_name); info->disp_name = NULL; + xfree (info->pubkey_url); info->pubkey_url = NULL; + info->fpr1valid = info->fpr2valid = info->fpr3valid = 0; +} + static AssuanError learn_status_cb (void *opaque, const char *line) { @@ -509,7 +522,6 @@ agent_learn (struct agent_card_info_s *info) return map_assuan_err (rc); } - /* Send an setattr command to the SCdaemon. */ int @@ -672,7 +684,12 @@ agent_scd_pksign (const char *serialno, int hashalgo, return map_assuan_err (rc); init_membuf (&data, 1024); - snprintf (line, DIM(line)-1, "SCD PKSIGN %s", serialno); +#if 0 + if (!hashalgo) /* Temporary test hack. */ + snprintf (line, DIM(line)-1, "SCD PKAUTH %s", serialno); + else +#endif + snprintf (line, DIM(line)-1, "SCD PKSIGN %s", serialno); line[DIM(line)-1] = 0; rc = assuan_transact (agent_ctx, line, membuf_data_cb, &data, NULL, NULL, NULL, NULL); @@ -738,3 +755,34 @@ agent_scd_pkdecrypt (const char *serialno, return 0; } + +/* Change the PIN of an OpenPGP card or reset the retry counter. + CHVNO 1: Change the digital signature PIN + 2: Change the decryption and authentication PIN + 3: Change the admin PIN + 101: Set a new digital signature PIN and reset the retry counter + 102: Set a decryption and authentication PIN + and reset the retry counter + */ +int +agent_scd_change_pin (int chvno) +{ + int rc; + char line[ASSUAN_LINELENGTH]; + const char *reset = ""; + + if (chvno >= 100) + reset = "--reset"; + chvno %= 100; + + rc = start_agent (); + if (rc) + return rc; + + snprintf (line, DIM(line)-1, "SCD PASSWD %s %d", reset, chvno); + line[DIM(line)-1] = 0; + rc = assuan_transact (agent_ctx, line, NULL, NULL, + NULL, NULL, NULL, NULL); + return map_assuan_err (rc); +} + diff --git a/g10/call-agent.h b/g10/call-agent.h index a6edecf47..434295e79 100644 --- a/g10/call-agent.h +++ b/g10/call-agent.h @@ -42,6 +42,10 @@ struct agent_card_genkey_s { gcry_mpi_t e; }; + +/* Release the card info structure. */ +void agent_release_card_info (struct agent_card_info_s *info); + /* Return card info. */ int agent_learn (struct agent_card_info_s *info); @@ -66,6 +70,8 @@ int agent_scd_pkdecrypt (const char *serialno, const unsigned char *indata, size_t indatalen, char **r_buf, size_t *r_buflen); +/* Change the PIN of an OpenPGP card or reset the retry counter. */ +int agent_scd_change_pin (int chvno); #endif /*GNUPG_G10_CALL_AGENT_H*/ diff --git a/g10/card-util.c b/g10/card-util.c new file mode 100644 index 000000000..36c432aee --- /dev/null +++ b/g10/card-util.c @@ -0,0 +1,117 @@ +/* card-util.c - Utility functions for the OpenPGP card. + * Copyright (C) 2003 Free Software Foundation, Inc. + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +#include +#include +#include +#include +#include +#include + +#include "gpg.h" +#include "util.h" +#include "i18n.h" +#include "options.h" +#include "main.h" +#include "call-agent.h" + + +/* Change the PIN of a an OpenPGP card. This is an interactive + function. */ +void +change_pin (int chvno) +{ + struct agent_card_info_s info; + int rc; + int reset_mode = 0; + + rc = agent_learn (&info); + if (rc) + { + log_error (_("OpenPGP card not available: %s\n"), + gpg_strerror (rc)); + return; + } + + log_info (_("OpenPGP card no. %s detected\n"), + info.serialno? info.serialno : "[none]"); + + agent_release_card_info (&info); + + if (opt.batch) + { + log_error (_("sorry, can't do this in batch mode\n")); + return; + } + + for (;;) + { + char *answer; + int reread = 0; + + tty_printf ("\n"); + tty_printf ("1 - change signature PIN\n" + "2 - change decryption and authentication PIN\n" + "3 - change Admin's PIN\n" + "R - toggle reset retry counter mode\n" + "Q - quit\n"); + tty_printf ("\n"); + if (reset_mode) + { + tty_printf ("Reset Retry Counter mode active\n"); + tty_printf ("\n"); + } + + answer = cpr_get("cardutil.change_pin.menu",_("Your selection? ")); + cpr_kill_prompt(); + if (strlen (answer) != 1) + continue; + + rc = 0; + if (reset_mode && *answer == '3') + { + tty_printf ("Sorry, reset of the Admin PIN's retry counter " + "is not possible.\n"); + } + else if (*answer == '1' || *answer == '2' || *answer == '3') + { + rc = agent_scd_change_pin (*answer - '0' + (reset_mode?100:0)); + if (rc) + tty_printf ("Error changing/resetting the PIN: %s\n", + gpg_strerror (rc)); + else + tty_printf ("New PIN successfully set.\n"); + } + else if (*answer == 'r' || *answer == 'R') + { + reset_mode = !reset_mode; + } + else if (*answer == 'q' || *answer == 'Q') + { + break; + } + } + +} + + + + + diff --git a/g10/g10.c b/g10/g10.c index d48dada5e..b7ad9d746 100644 --- a/g10/g10.c +++ b/g10/g10.c @@ -128,6 +128,7 @@ enum cmd_and_opt_values { aNull = 0, aPipeMode, aRebuildKeydbCaches, aRefreshKeys, + aChangePIN, oTextmode, oNoTextmode, @@ -362,6 +363,8 @@ static ARGPARSE_OPTS opts[] = { { aExportSecretSub, "export-secret-subkeys" , 256, "@" }, { aImport, "import", 256 , N_("import/merge keys")}, { aFastImport, "fast-import", 256 , "@"}, + { aChangePIN, "change-pin", 256, N_("change a card's PIN")}, + { aListPackets, "list-packets",256,N_("list only the sequence of packets")}, { aExportOwnerTrust, "export-ownertrust", 256, N_("export the ownertrust values")}, @@ -1441,6 +1444,8 @@ main( int argc, char **argv ) case aPipeMode: set_cmd( &cmd, aPipeMode); break; case aRebuildKeydbCaches: set_cmd( &cmd, aRebuildKeydbCaches); break; + case aChangePIN: set_cmd (&cmd, aChangePIN); break; + case oArmor: opt.armor = 1; opt.no_armor=0; break; case oOutput: opt.outfile = pargs.r.ret_str; break; case oQuiet: opt.quiet = 1; break; @@ -2341,6 +2346,7 @@ main( int argc, char **argv ) case aDeArmor: case aEnArmor: case aFixTrustDB: + case aChangePIN: break; case aExportOwnerTrust: rc = setup_trustdb( 0, trustdb_name ); break; case aListTrustDB: rc = setup_trustdb( argc? 1:0, trustdb_name ); break; @@ -2861,6 +2867,15 @@ main( int argc, char **argv ) keydb_rebuild_caches (); break; + case aChangePIN: + if (!argc) + change_pin (0); + else if (argc == 1) + change_pin ( atoi (*argv)); + else + wrong_args ("--change-pin [no]"); + break; + case aListPackets: opt.list_packets=2; default: diff --git a/g10/keygen.c b/g10/keygen.c index 740dce571..e2552085a 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -50,6 +50,7 @@ enum para_name { pSUBKEYTYPE, pSUBKEYLENGTH, pSUBKEYUSAGE, + pAUTHKEYTYPE, pNAMEREAL, pNAMEEMAIL, pNAMECOMMENT, @@ -2134,6 +2135,12 @@ generate_keypair( const char *fname ) strcpy (r->u.value, "encrypt"); r->next = para; para = r; + + r = xcalloc (1, sizeof *r + 20 ); + r->key = pAUTHKEYTYPE; + sprintf( r->u.value, "%d", algo ); + r->next = para; + para = r; } else { @@ -2409,6 +2416,18 @@ do_generate_keypair (struct para_data_s *para, did_sub = 1; } + if (card && get_parameter (para, pAUTHKEYTYPE)) + { + rc = gen_card_key (PUBKEY_ALGO_RSA, 3, pub_root, sec_root, + get_parameter_u32 (para, pKEYEXPIRE), para); + + /* FIXME: Change the usage to AUTH. */ + if (!rc) + rc = write_keybinding (pub_root, pub_root, sk, PUBKEY_USAGE_SIG); + if (!rc) + rc = write_keybinding (sec_root, pub_root, sk, PUBKEY_USAGE_SIG); + } + if (!rc && outctrl->use_files) { /* direct write to specified files */ @@ -2832,8 +2851,7 @@ check_smartcard (char **r_serialno) tty_printf ("\n" "N - change cardholder name\n" "U - change public key URL\n" - "K - generate signature and encryption key\n" - "A - generate authentication key\n" + "K - generate all keys\n" "Q - quit\n" "\n"); @@ -2856,7 +2874,8 @@ check_smartcard (char **r_serialno) else if ( *answer == 'K' || *answer == 'k') { if ( (info.fpr1valid && !fpr_is_zero (info.fpr1)) - || (info.fpr2valid && !fpr_is_zero (info.fpr2))) + || (info.fpr2valid && !fpr_is_zero (info.fpr2)) + || (info.fpr3valid && !fpr_is_zero (info.fpr3))) { tty_printf ("\n"); log_error ("WARNING: key does already exists!\n"); @@ -2874,11 +2893,6 @@ check_smartcard (char **r_serialno) break; } } - else if ( *answer == 'A' || *answer == 'a' ) - { - tty_printf (_("Generation of authentication key" - " not yet implemented\n")); - } else if ( *answer == 'q' || *answer == 'Q') { rc = -1; @@ -2887,9 +2901,7 @@ check_smartcard (char **r_serialno) if (reread) { - xfree (info.serialno); info.serialno = NULL; - xfree (info.disp_name); info.disp_name = NULL; - xfree (info.pubkey_url); info.pubkey_url = NULL; + agent_release_card_info (&info); rc = agent_learn (&info); if (rc) { @@ -2902,11 +2914,11 @@ check_smartcard (char **r_serialno) } if (r_serialno && rc > 0) - *r_serialno = info.serialno; - else - xfree (info.serialno); - xfree (info.disp_name); - xfree (info.pubkey_url); + { + *r_serialno = info.serialno; + info.serialno = NULL; + } + agent_release_card_info (&info); return rc; } diff --git a/g10/keyid.c b/g10/keyid.c index 4587fadee..ea0632dcc 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -62,7 +62,7 @@ do_fingerprint_md( PKT_public_key *pk ) gcry_md_open (&md, pk->version < 4 ? DIGEST_ALGO_RMD160 : DIGEST_ALGO_SHA1, 0); - gcry_md_start_debug (md, "fpr"); + n = pk->version < 4 ? 8 : 6; for(i=0; i < npkey; i++ ) { size_t nbytes; diff --git a/g10/main.h b/g10/main.h index 2a9d5eda7..991c09a3d 100644 --- a/g10/main.h +++ b/g10/main.h @@ -254,6 +254,9 @@ int hash_datafiles( MD_HANDLE md, MD_HANDLE md2, /*-- pipemode.c --*/ void run_in_pipemode (void); +/*-- card-util.c --*/ +void change_pin (int no); + /*-- signal.c --*/ void init_signals(void); void pause_on_sigusr( int which ); diff --git a/g10/sign.c b/g10/sign.c index fa1e07b87..bdeb37d07 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -275,7 +275,43 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig, sig->digest_algo = digest_algo; sig->digest_start[0] = dp[0]; sig->digest_start[1] = dp[1]; - if (sk->is_protected && sk->protect.s2k.mode == 1002) +#if 0 + if (sk->is_protected && sk->protect.s2k.mode == 1002 && !sk->is_primary) + { /* Temporary hack to test tey auth command. */ + char *rbuf; + size_t rbuflen; + char *snbuf; + char *tmpbuf; + size_t tmp_n; + + frame = encode_md_value( sk->pubkey_algo, md, + digest_algo, mpi_get_nbits(sk->skey[0]), 0 ); + if (!frame) + return GPG_ERR_GENERAL; + + if (gcry_mpi_aprint (GCRYMPI_FMT_USG, (void **)&tmpbuf, &tmp_n, frame )) + BUG (); + for (; tmp_n && *tmpbuf; tmp_n--, tmpbuf++) + ; + assert (tmp_n); + tmp_n--; + tmpbuf++; + + snbuf = serialno_and_fpr_from_sk (sk->protect.iv, sk->protect.ivlen, sk); + rc = agent_scd_pksign (snbuf, 0, + tmpbuf, tmp_n, + &rbuf, &rbuflen); + xfree (snbuf); + if (!rc) + { + unsigned int nbytes = rbuflen; + if (gcry_mpi_scan (&sig->data[0], GCRYMPI_FMT_USG, rbuf, &nbytes )) + BUG (); + } + } + else +#endif + if (sk->is_protected && sk->protect.s2k.mode == 1002) { /* FIXME: Note that we do only support RSA for now. */ char *rbuf; size_t rbuflen;