
scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3.

* scd/app-openpgp.c (check_keyidstr): Add optional arg r_use_auth to
test also for OpenPGP.3.
(do_sign): Enable that new mode.
--

This is very useful to allow gpgsm to use a certificate based on the
OpenPGP card's authentication key.  That key is usually used for ssh,
but it also makes sense to use it for certificate-based user
authentication.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2020-03-27 19:35:27 +01:00
parent e06a8e3e87
commit 4c4999b818
GPG Key ID: E3FDFF218E45B72B


@ -4755,9 +4755,12 @@ check_against_given_fingerprint (app_t app, const char *fpr, int key)
When KEYNO is 0 and KEYIDSTR is for a keygrip, the keygrip should When KEYNO is 0 and KEYIDSTR is for a keygrip, the keygrip should
be to be compared is the first one (keygrip for signing). be to be compared is the first one (keygrip for signing).
When KEYNO is 1, KEYIDSTR is for a keygrip, and R_USE_AUTH is not
NULL, OpenPGP.1 is first tested and then OpenPGP.3. In the latter
case 1 is stored at R_USE_AUTH
*/ */
static int static int
check_keyidstr (app_t app, const char *keyidstr, int keyno) check_keyidstr (app_t app, const char *keyidstr, int keyno, int *r_use_auth)
{ {
int rc; int rc;
const char *s; const char *s;
@ -4765,6 +4768,9 @@ check_keyidstr (app_t app, const char *keyidstr, int keyno)
const char *fpr = NULL; const char *fpr = NULL;
unsigned char tmp_sn[20]; /* Actually 16 bytes but also for the fpr. */ unsigned char tmp_sn[20]; /* Actually 16 bytes but also for the fpr. */
if (r_use_auth)
*r_use_auth = 0;
if (strlen (keyidstr) < 32) if (strlen (keyidstr) < 32)
return gpg_error (GPG_ERR_INV_ID); return gpg_error (GPG_ERR_INV_ID);
else else
@ -4780,6 +4786,13 @@ check_keyidstr (app_t app, const char *keyidstr, int keyno)
keygrip_str = app->app_local->pk[keyno?keyno-1:0].keygrip_str; keygrip_str = app->app_local->pk[keyno?keyno-1:0].keygrip_str;
if (!strncmp (keygrip_str, keyidstr, 40)) if (!strncmp (keygrip_str, keyidstr, 40))
return 0; return 0;
else if (keyno == 1 && r_use_auth
&& !strncmp (app->app_local->pk[2].keygrip_str,
keyidstr, 40))
{
*r_use_auth = 1;
return 0;
}
else else
return gpg_error (GPG_ERR_INV_ID); return gpg_error (GPG_ERR_INV_ID);
} }
@ -4902,7 +4915,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
use_auth = 1; use_auth = 1;
else else
{ {
rc = check_keyidstr (app, keyidstr, 1); rc = check_keyidstr (app, keyidstr, 1, &use_auth);
if (rc) if (rc)
return rc; return rc;
} }
@ -5057,7 +5070,7 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr,
; ;
else else
{ {
rc = check_keyidstr (app, keyidstr, 3); rc = check_keyidstr (app, keyidstr, 3, NULL);
if (rc) if (rc)
return rc; return rc;
} }
@ -5112,7 +5125,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
; ;
else else
{ {
rc = check_keyidstr (app, keyidstr, 2); rc = check_keyidstr (app, keyidstr, 2, NULL);
if (rc) if (rc)
return rc; return rc;
} }
@ -5338,7 +5351,7 @@ do_check_pin (app_t app, ctrl_t ctrl, const char *keyidstr,
if (!keyidstr || !*keyidstr) if (!keyidstr || !*keyidstr)
return gpg_error (GPG_ERR_INV_VALUE); return gpg_error (GPG_ERR_INV_VALUE);
rc = check_keyidstr (app, keyidstr, 0); rc = check_keyidstr (app, keyidstr, 0, NULL);
if (rc) if (rc)
return rc; return rc;
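Review bot: The new `else if (keyno == 1 && r_use_auth ...)` branch in `check_keyidstr` copies the `strncmp (..., 40)` comparison of the branch above it, so a KEYIDSTR that starts with the OpenPGP.3 keygrip but carries trailing characters is still accepted and silently switches the caller from the signing key to the authentication key; if `keygrip_str` is always a NUL-terminated 40-hex-digit string (not visible in these hunks), `strcmp` would reject such input in both branches. The header comment should also record that `*r_use_auth` is cleared to 0 on entry whenever it is non-NULL, which the new code does before the length check, so `do_sign` can rely on the value on every return path — e.g. `If R_USE_AUTH is not NULL it is set to 0 on entry and only set to 1 when the OpenPGP.3 keygrip matched.` The rest of `check_keyidstr` and the bodies of `do_sign`, `do_auth`, `do_decipher` and `do_check_pin` lie outside these hunks.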