gpg: Provide better diagnostic for replaced card keys.

* agent/divert-scd.c (divert_pksign): Add arg 'grip'. Replace OPENPGP key reference to keygrips. (divert_pkdecrypt): Ditto. * agent/protect.c (parse_shadow_info): Trim spaces. * agent/pkdecrypt.c (agent_pkdecrypt): Pass the keygrip. * agent/pksign.c (agent_pksign_do): Ditto. * g10/mainproc.c (print_pkenc_list): Print extra info for an invalid id error. * g10/sign.c (do_sign): Ditto. -- Using the keygrip instead of the identifier works on OpenPGP cards and thus we use that to make sure that we are working on the right card. For other cards we better don't do that to avoid regressions. Those other cards are also usually provided and do not allow to self-generate the keys. Note that old versions of the code (gpg 1.4) used the fingerprint as additional check but that was eventually removed and now that we use the keygrip all over the place, it is best to use this to identify a key. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2020-11-13 16:05:28 +01:00 · 2020-11-13 16:05:28 +01:00 · 5d98f95aa9
commit 5d98f95aa9
parent aeed0b93ff
7 changed files with 51 additions and 5 deletions
--- a/agent/agent.h
+++ b/agent/agent.h
@ -545,10 +545,12 @@ void agent_reload_trustlist (void);
 /*-- divert-scd.c --*/
 int divert_pksign (ctrl_t ctrl, const char *desc_text,
                   const unsigned char *digest, size_t digestlen, int algo,
+                   const unsigned char *grip,
                   const unsigned char *shadow_info, unsigned char **r_sig,
                   size_t *r_siglen);
 int divert_pkdecrypt (ctrl_t ctrl, const char *desc_text,
                      const unsigned char *cipher,
+                      const unsigned char *grip,
                      const unsigned char *shadow_info,
                      char **r_buf, size_t *r_len, int *r_padding);
 int divert_generic_cmd (ctrl_t ctrl,