Fix a signing problem with the card

agent/ChangeLog

@@ -1,3 +1,8 @@
+2010-10-18  Werner Koch  <wk@g10code.com>
+
+	* call-scd.c (agent_card_pksign): Make sure to return an unsigned
+	number.
+
 2010-10-14  Werner Koch  <wk@g10code.com>
 
 	* command.c (cmd_genkey): Add option --no-protection.

agent/call-scd.c

@@ -1,5 +1,5 @@
 /* call-scd.c - fork of the scdaemon to do SC operations
- *	Copyright (C) 2001, 2002, 2005, 2007 Free Software Foundation, Inc.
+ * Copyright (C) 2001, 2002, 2005, 2007, 2010 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -812,6 +812,7 @@ agent_card_pksign (ctrl_t ctrl,
   size_t len;
   unsigned char *sigbuf;
   size_t sigbuflen;
+  int prepend_nul;
 
   *r_buf = NULL;
   rc = start_scd (ctrl);
@@ -850,15 +851,20 @@ agent_card_pksign (ctrl_t ctrl,
   sigbuf = get_membuf (&data, &sigbuflen);
 
   /* Create an S-expression from it which is formatted like this:
-     "(7:sig-val(3:rsa(1:sSIGBUFLEN:SIGBUF)))" */
-  *r_buflen = 21 + 11 + sigbuflen + 4;
+     "(7:sig-val(3:rsa(1:sSIGBUFLEN:SIGBUF)))".  We better make sure
+     that this won't be interpreted as a negative number.  */
+  prepend_nul = (sigbuflen && (*sigbuf & 0x80));
+
+  *r_buflen = 21 + 11 + prepend_nul + sigbuflen + 4;
   p = xtrymalloc (*r_buflen);
   *r_buf = (unsigned char*)p;
   if (!p)
     return unlock_scd (ctrl, out_of_core ());
   p = stpcpy (p, "(7:sig-val(3:rsa(1:s" );
-  sprintf (p, "%u:", (unsigned int)sigbuflen);
+  sprintf (p, "%u:", (unsigned int)sigbuflen + prepend_nul);
   p += strlen (p);
+  if (prepend_nul)
+    *p++ = 0;
   memcpy (p, sigbuf, sigbuflen);
   p += sigbuflen;
   strcpy (p, ")))");

dirmngr/crlcache.c

@@ -1943,7 +1943,19 @@ get_auth_key_id (ksba_crl_t crl, char **serialno)
 
 /* Insert the CRL retrieved using URL into the cache specified by
    CACHE.  The CRL itself will be read from the stream FP and is
-   expected in binary format. */
+   expected in binary format.
+
+   Called by:
+      crl_cache_load
+         cmd_loadcrl
+         --load-crl
+      crl_cache_reload_crl
+         cmd_isvalid
+         cmd_checkcrl
+      cmd_loadcrl
+      --fetch-crl
+      
+ */
 gpg_error_t
 crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader)
 {

g10/ChangeLog

@@ -1,3 +1,7 @@
+2010-10-18  Werner Koch  <wk@g10code.com>
+
+	* sign.c (do_sign): Remove warning and commented old code.
+
 2010-10-14  Werner Koch  <wk@g10code.com>
 
 	* call-agent.c (agent_genkey): Add arg NO_PROTECTION.

g10/sign.c

@@ -251,6 +251,7 @@ do_sign (PKT_public_key *pksk, PKT_signature *sig,
   gpg_error_t err;
   gcry_mpi_t frame;
   byte *dp;
+  char *hexgrip;
 
   if (pksk->timestamp > sig->timestamp )
     {
@@ -277,64 +278,33 @@ do_sign (PKT_public_key *pksk, PKT_signature *sig,
   sig->data[0] = NULL;
   sig->data[1] = NULL;
 
-#warning fixme: Use the agent for the card
-/*     if (pksk->is_protected && pksk->protect.s2k.mode == 1002)  */
-/*       {  */
-/* #ifdef ENABLE_CARD_SUPPORT */
-/*         unsigned char *rbuf; */
-/*         size_t rbuflen; */
-/*         char *snbuf; */
-        
-/*         snbuf = serialno_and_fpr_from_sk (sk->protect.iv, */
-/*                                           sk->protect.ivlen, sk); */
-/*         rc = agent_scd_pksign (snbuf, digest_algo, */
-/*                                gcry_md_read (md, digest_algo), */
-/*                                gcry_md_get_algo_dlen (digest_algo), */
-/*                                &rbuf, &rbuflen); */
-/*         xfree (snbuf); */
-/*         if (!rc) */
-/*           { */
-/*             if (gcry_mpi_scan (&sig->data[0], GCRYMPI_FMT_USG, */
-/*                                rbuf, rbuflen, NULL)) */
-/*               BUG (); */
-/*             xfree (rbuf); */
-/*           } */
-/* #else */
-/*         return gpg_error (GPG_ERR_NOT_SUPPORTED); */
-/* #endif /\* ENABLE_CARD_SUPPORT *\/ */
-/*       } */
-/*     else  */
-  if (1)
+  
+  err = hexkeygrip_from_pk (pksk, &hexgrip);
+  if (!err)
     {
-      char *hexgrip;
+      char *desc;
+      gcry_sexp_t s_sigval;
       
-      err = hexkeygrip_from_pk (pksk, &hexgrip);
-      if (!err)
+      desc = gpg_format_keydesc (pksk, 0, 1);
+      err = agent_pksign (NULL/*ctrl*/, cache_nonce, hexgrip, desc, 
+                          dp, gcry_md_get_algo_dlen (mdalgo), mdalgo,
+                          &s_sigval);
+      xfree (desc);
+      
+      if (err)
+        ;
+      else if (pksk->pubkey_algo == GCRY_PK_RSA
+               || pksk->pubkey_algo == GCRY_PK_RSA_S)
+        sig->data[0] = mpi_from_sexp (s_sigval, "s");
+      else
         {
-          char *desc;
-          gcry_sexp_t s_sigval;
-          
-          desc = gpg_format_keydesc (pksk, 0, 1);
-          err = agent_pksign (NULL/*ctrl*/, cache_nonce, hexgrip, desc, 
-                              dp, gcry_md_get_algo_dlen (mdalgo), mdalgo,
-                              &s_sigval);
-          xfree (desc);
-     
-          if (err)
-            ;
-          else if (pksk->pubkey_algo == GCRY_PK_RSA
-                   || pksk->pubkey_algo == GCRY_PK_RSA_S)
-            sig->data[0] = mpi_from_sexp (s_sigval, "s");
-          else
-            {
-              sig->data[0] = mpi_from_sexp (s_sigval, "r");
-              sig->data[1] = mpi_from_sexp (s_sigval, "s");
-            }
-      
-          gcry_sexp_release (s_sigval);
+          sig->data[0] = mpi_from_sexp (s_sigval, "r");
+          sig->data[1] = mpi_from_sexp (s_sigval, "s");
         }
-      xfree (hexgrip);
+      
+      gcry_sexp_release (s_sigval);
     }
+  xfree (hexgrip);
 
   /* Check that the signature verification worked and nothing is
    * fooling us e.g. by a bug in the signature create code or by

scd/ChangeLog

@@ -1,3 +1,8 @@
+2010-10-18  Werner Koch  <wk@g10code.com>
+
+	* app-openpgp.c (parse_algorithm_attribute): Remove extra const in
+	definition of DESC.
+
 2010-08-16  Werner Koch  <wk@g10code.com>
 
 	* scdaemon.c: Replace remaining printf by es_printf.

scd/app-openpgp.c

@@ -3596,7 +3596,7 @@ parse_algorithm_attribute (app_t app, int keyno)
   unsigned char *buffer;
   size_t buflen;
   void *relptr;
-  const char const desc[3][5] = {"sign", "encr", "auth"};
+  const char desc[3][5] = {"sign", "encr", "auth"};
 
   assert (keyno >=0 && keyno <= 2);
 

tools/mail-signed-keys

@@ -81,7 +81,7 @@ function myflush()
          print "Hi,"                                        | sendmail
          print ""                                           | sendmail
          print "Here you get back the signed key."          | sendmail
-	 print "Please send it yourself to a keyserver."    | sendmail
+	 print "I already sent them to the keyservers."     | sendmail
          print ""                                           | sendmail
          print "Peace,"                                     | sendmail
          print "      " signame                             | sendmail