* keygen.c (generate_keypair): Create an AUTHKEYTYPE entry for cards.

(do_generate_keypair): Abd generate the authkey.
(check_smartcard): Changed menu accordingly.

g10/ChangeLog

@@ -1,3 +1,17 @@
+2003-07-23  Werner Koch  <wk@gnupg.org>
+
+	* keygen.c (generate_keypair): Create an AUTHKEYTYPE entry for cards.
+	(do_generate_keypair): Abd generate the authkey.
+	(check_smartcard): Changed menu accordingly.
+
+2003-07-22  Werner Koch  <wk@gnupg.org>
+
+	* g10.c: New command --change-pin.
+	* card-util.c: New.
+	* call-agent.c (agent_scd_change_pin): New.
+	(agent_release_card_info): New.
+	* keygen.c (check_smartcard): Use it here.
+
 2003-07-16  Werner Koch  <wk@gnupg.org>
 
 	* export.c (parse_export_options): New option sexp-format.

g10/Makefile.am

@@ -96,6 +96,7 @@ gpg_SOURCES  = g10.c		\
 	      keyserver-internal.h \
 	      photoid.c photoid.h \
 	      call-agent.c call-agent.h \
+	      card-util.c \
 	      exec.c exec.h
 
 gpgv_SOURCES = gpgv.c           \

g10/call-agent.c

@@ -449,6 +449,19 @@ agent_havekey (const char *hexkeygrip)
 }
 
 
+/* Release the card info structure INFO. */
+void
+agent_release_card_info (struct agent_card_info_s *info)
+{
+  if (!info)
+    return;
+
+  xfree (info->serialno); info->serialno = NULL;
+  xfree (info->disp_name); info->disp_name = NULL;
+  xfree (info->pubkey_url); info->pubkey_url = NULL;
+  info->fpr1valid = info->fpr2valid = info->fpr3valid = 0;
+}
+
 static AssuanError
 learn_status_cb (void *opaque, const char *line)
 {
@@ -509,7 +522,6 @@ agent_learn (struct agent_card_info_s *info)
   return map_assuan_err (rc);
 }
 
-
 
 /* Send an setattr command to the SCdaemon. */
 int
@@ -672,7 +684,12 @@ agent_scd_pksign (const char *serialno, int hashalgo,
     return map_assuan_err (rc);
 
   init_membuf (&data, 1024);
-  snprintf (line, DIM(line)-1, "SCD PKSIGN %s", serialno);
+#if 0
+  if (!hashalgo) /* Temporary test hack. */
+    snprintf (line, DIM(line)-1, "SCD PKAUTH %s", serialno);
+  else
+#endif
+   snprintf (line, DIM(line)-1, "SCD PKSIGN %s", serialno);
   line[DIM(line)-1] = 0;
   rc = assuan_transact (agent_ctx, line, membuf_data_cb, &data,
                         NULL, NULL, NULL, NULL);
@@ -738,3 +755,34 @@ agent_scd_pkdecrypt (const char *serialno,
   return 0;
 }
 
+
+/* Change the PIN of an OpenPGP card or reset the retry counter.
+   CHVNO 1: Change the digital signature PIN
+         2: Change the decryption and authentication PIN
+         3: Change the admin PIN
+       101: Set a new digital signature PIN and reset the retry counter
+       102: Set a decryption and authentication PIN
+            and reset the retry counter
+ */
+int
+agent_scd_change_pin (int chvno)
+{
+  int rc;
+  char line[ASSUAN_LINELENGTH];
+  const char *reset = "";
+
+  if (chvno >= 100)
+    reset = "--reset";
+  chvno %= 100;
+
+  rc = start_agent ();
+  if (rc)
+    return rc;
+
+  snprintf (line, DIM(line)-1, "SCD PASSWD %s %d", reset, chvno);
+  line[DIM(line)-1] = 0;
+  rc = assuan_transact (agent_ctx, line, NULL, NULL,
+                        NULL, NULL, NULL, NULL);
+  return map_assuan_err (rc);
+}
+

g10/call-agent.h

@@ -42,6 +42,10 @@ struct agent_card_genkey_s {
   gcry_mpi_t e;
 };
 
+
+/* Release the card info structure. */
+void agent_release_card_info (struct agent_card_info_s *info);
+
 /* Return card info. */
 int agent_learn (struct agent_card_info_s *info);
 
@@ -66,6 +70,8 @@ int agent_scd_pkdecrypt (const char *serialno,
                          const unsigned char *indata, size_t indatalen,
                          char **r_buf, size_t *r_buflen);
 
+/* Change the PIN of an OpenPGP card or reset the retry counter. */
+int agent_scd_change_pin (int chvno);
 
 
 #endif /*GNUPG_G10_CALL_AGENT_H*/

g10/card-util.c

@@ -0,0 +1,117 @@
+/* card-util.c - Utility functions for the OpenPGP card.
+ *	Copyright (C) 2003 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+
+#include "gpg.h"
+#include "util.h"
+#include "i18n.h"
+#include "options.h"
+#include "main.h"
+#include "call-agent.h"
+
+
+/* Change the PIN of a an OpenPGP card.  This is an interactive
+   function. */
+void
+change_pin (int chvno)
+{
+  struct agent_card_info_s info;
+  int rc;
+  int reset_mode = 0;
+
+  rc = agent_learn (&info);
+  if (rc)
+    {
+      log_error (_("OpenPGP card not available: %s\n"),
+                  gpg_strerror (rc));
+      return;
+    }
+  
+  log_info (_("OpenPGP card no. %s detected\n"),
+              info.serialno? info.serialno : "[none]");
+
+  agent_release_card_info (&info);
+
+  if (opt.batch)
+    {
+      log_error (_("sorry, can't do this in batch mode\n"));
+      return;
+    }
+
+  for (;;)
+    {
+      char *answer;
+      int reread = 0;
+
+      tty_printf ("\n");
+      tty_printf ("1 - change signature PIN\n"
+                  "2 - change decryption and authentication PIN\n"
+                  "3 - change Admin's PIN\n"
+                  "R - toggle reset retry counter mode\n"
+                  "Q - quit\n");
+      tty_printf ("\n");
+      if (reset_mode)
+        {
+          tty_printf ("Reset Retry Counter mode active\n");
+          tty_printf ("\n");
+        }
+
+      answer = cpr_get("cardutil.change_pin.menu",_("Your selection? "));
+      cpr_kill_prompt();
+      if (strlen (answer) != 1)
+        continue;
+
+      rc = 0;
+      if (reset_mode && *answer == '3')
+        {
+          tty_printf ("Sorry, reset of the Admin PIN's retry counter "
+                      "is not possible.\n");
+        }
+      else if (*answer == '1'  || *answer == '2' || *answer == '3')
+        {
+          rc = agent_scd_change_pin (*answer - '0' + (reset_mode?100:0));
+          if (rc)
+            tty_printf ("Error changing/resetting the PIN: %s\n",
+                        gpg_strerror (rc));
+          else
+            tty_printf ("New PIN successfully set.\n");
+        }
+      else if (*answer == 'r' || *answer == 'R')
+        {
+          reset_mode = !reset_mode;
+        }
+      else if (*answer == 'q' || *answer == 'Q')
+        {
+          break;
+        }
+    }
+
+}
+
+
+
+
+

g10/g10.c

@@ -128,6 +128,7 @@ enum cmd_and_opt_values { aNull = 0,
     aPipeMode,
     aRebuildKeydbCaches,
     aRefreshKeys,
+    aChangePIN,
 
     oTextmode,
     oNoTextmode,
@@ -362,6 +363,8 @@ static ARGPARSE_OPTS opts[] = {
     { aExportSecretSub, "export-secret-subkeys" , 256, "@" },
     { aImport, "import",      256     , N_("import/merge keys")},
     { aFastImport, "fast-import",  256 , "@"},
+    { aChangePIN,  "change-pin", 256, N_("change a card's PIN")},
+
     { aListPackets, "list-packets",256,N_("list only the sequence of packets")},
     { aExportOwnerTrust,
 	      "export-ownertrust", 256, N_("export the ownertrust values")},
@@ -1441,6 +1444,8 @@ main( int argc, char **argv )
           case aPipeMode: set_cmd( &cmd, aPipeMode); break;
           case aRebuildKeydbCaches: set_cmd( &cmd, aRebuildKeydbCaches); break;
 
+          case aChangePIN: set_cmd (&cmd, aChangePIN); break;
+
 	  case oArmor: opt.armor = 1; opt.no_armor=0; break;
 	  case oOutput: opt.outfile = pargs.r.ret_str; break;
 	  case oQuiet: opt.quiet = 1; break;
@@ -2341,6 +2346,7 @@ main( int argc, char **argv )
       case aDeArmor:
       case aEnArmor:
       case aFixTrustDB:
+      case aChangePIN:
 	break;
       case aExportOwnerTrust: rc = setup_trustdb( 0, trustdb_name ); break;
       case aListTrustDB: rc = setup_trustdb( argc? 1:0, trustdb_name ); break;
@@ -2861,6 +2867,15 @@ main( int argc, char **argv )
         keydb_rebuild_caches ();
         break;
 
+    case aChangePIN:
+      if (!argc)
+        change_pin (0);
+      else if (argc == 1)
+        change_pin ( atoi (*argv));
+      else
+        wrong_args ("--change-pin [no]");
+      break;
+
       case aListPackets:
 	opt.list_packets=2;
       default:

g10/keygen.c

@@ -50,6 +50,7 @@ enum para_name {
   pSUBKEYTYPE,
   pSUBKEYLENGTH,
   pSUBKEYUSAGE,
+  pAUTHKEYTYPE,
   pNAMEREAL,
   pNAMEEMAIL,
   pNAMECOMMENT,
@@ -2134,6 +2135,12 @@ generate_keypair( const char *fname )
       strcpy (r->u.value, "encrypt");
       r->next = para;
       para = r;
+
+      r = xcalloc (1, sizeof *r + 20 );
+      r->key = pAUTHKEYTYPE;
+      sprintf( r->u.value, "%d", algo );
+      r->next = para;
+      para = r;
     }
   else
     {
@@ -2409,6 +2416,18 @@ do_generate_keypair (struct para_data_s *para,
       did_sub = 1;
     }
 
+  if (card && get_parameter (para, pAUTHKEYTYPE))
+    {
+      rc = gen_card_key (PUBKEY_ALGO_RSA, 3, pub_root, sec_root,
+                         get_parameter_u32 (para, pKEYEXPIRE), para);
+
+      /* FIXME: Change the usage to AUTH. */
+      if (!rc)
+	rc = write_keybinding (pub_root, pub_root, sk, PUBKEY_USAGE_SIG);
+      if (!rc)
+	rc = write_keybinding (sec_root, pub_root, sk, PUBKEY_USAGE_SIG);
+    }
+
 
   if (!rc && outctrl->use_files)
     {				/* direct write to specified files */
@@ -2832,8 +2851,7 @@ check_smartcard (char **r_serialno)
       tty_printf ("\n"
                   "N - change cardholder name\n"
                   "U - change public key URL\n"
-                  "K - generate signature and encryption key\n"
+                  "K - generate all keys\n"
-                  "A - generate authentication key\n"
                   "Q - quit\n"
                   "\n");
 
@@ -2856,7 +2874,8 @@ check_smartcard (char **r_serialno)
       else if ( *answer == 'K' || *answer == 'k')
         {
           if ( (info.fpr1valid && !fpr_is_zero (info.fpr1))
-               || (info.fpr2valid && !fpr_is_zero (info.fpr2)))
+               || (info.fpr2valid && !fpr_is_zero (info.fpr2))
+               || (info.fpr3valid && !fpr_is_zero (info.fpr3)))
             {
               tty_printf ("\n");
               log_error ("WARNING: key does already exists!\n");
@@ -2874,11 +2893,6 @@ check_smartcard (char **r_serialno)
               break;
             }
         }
-      else if ( *answer == 'A' || *answer == 'a' )
-        {
-          tty_printf (_("Generation of authentication key"
-                        " not yet implemented\n"));
-        }
       else if ( *answer == 'q' || *answer == 'Q')
         {
           rc = -1;
@@ -2887,9 +2901,7 @@ check_smartcard (char **r_serialno)
 
       if (reread)
         {
-          xfree (info.serialno); info.serialno = NULL;
+          agent_release_card_info (&info);
-          xfree (info.disp_name); info.disp_name = NULL;
-          xfree (info.pubkey_url); info.pubkey_url = NULL;
           rc = agent_learn (&info);
           if (rc)
             {
@@ -2902,11 +2914,11 @@ check_smartcard (char **r_serialno)
     }
 
   if (r_serialno && rc > 0)
-    *r_serialno = info.serialno;
+    {
-  else
+      *r_serialno = info.serialno;
-    xfree (info.serialno); 
+      info.serialno = NULL;
-  xfree (info.disp_name); 
+    }
-  xfree (info.pubkey_url);
+  agent_release_card_info (&info);
 
   return rc;
 }

g10/keyid.c

@@ -62,7 +62,7 @@ do_fingerprint_md( PKT_public_key *pk )
 
     gcry_md_open (&md, pk->version < 4 ? DIGEST_ALGO_RMD160
                                        : DIGEST_ALGO_SHA1, 0);
-    gcry_md_start_debug (md, "fpr");
+
     n = pk->version < 4 ? 8 : 6;
     for(i=0; i < npkey; i++ ) {
 	size_t nbytes;

g10/main.h

@@ -254,6 +254,9 @@ int hash_datafiles( MD_HANDLE md, MD_HANDLE md2,
 /*-- pipemode.c --*/
 void run_in_pipemode (void);
 
+/*-- card-util.c --*/
+void change_pin (int no);
+
 /*-- signal.c --*/
 void init_signals(void);
 void pause_on_sigusr( int which );

g10/sign.c

@@ -275,7 +275,43 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig,
   sig->digest_algo = digest_algo;
   sig->digest_start[0] = dp[0];
   sig->digest_start[1] = dp[1];
-  if (sk->is_protected && sk->protect.s2k.mode == 1002)
+#if 0
+  if (sk->is_protected && sk->protect.s2k.mode == 1002 && !sk->is_primary)
+    {  /* Temporary hack  to test tey auth command. */
+      char *rbuf;
+      size_t rbuflen;
+      char *snbuf;
+      char *tmpbuf;
+      size_t tmp_n;
+
+      frame = encode_md_value( sk->pubkey_algo, md,
+                               digest_algo, mpi_get_nbits(sk->skey[0]), 0 );
+      if (!frame)
+        return GPG_ERR_GENERAL;
+
+      if (gcry_mpi_aprint (GCRYMPI_FMT_USG, (void **)&tmpbuf, &tmp_n, frame ))
+        BUG ();
+      for (; tmp_n && *tmpbuf; tmp_n--, tmpbuf++)
+        ;
+      assert (tmp_n);
+      tmp_n--;
+      tmpbuf++;
+
+      snbuf = serialno_and_fpr_from_sk (sk->protect.iv, sk->protect.ivlen, sk);
+      rc = agent_scd_pksign (snbuf, 0,
+                             tmpbuf, tmp_n,
+                             &rbuf, &rbuflen);
+      xfree (snbuf);
+      if (!rc)
+        {
+          unsigned int nbytes = rbuflen;
+          if (gcry_mpi_scan (&sig->data[0], GCRYMPI_FMT_USG, rbuf, &nbytes ))
+            BUG ();
+        }
+    }
+  else
+#endif 
+      if (sk->is_protected && sk->protect.s2k.mode == 1002)
     { /* FIXME: Note that we do only support RSA for now. */
       char *rbuf;
       size_t rbuflen;