diff --git a/doc/scdaemon.texi b/doc/scdaemon.texi index f069a9fb8..134ca40df 100644 --- a/doc/scdaemon.texi +++ b/doc/scdaemon.texi @@ -478,12 +478,39 @@ TO BE WRITTEN. @node Scdaemon PASSWD @subsection Change PINs. -TO BE WRITTEN. +@example + PASSWD [--reset] @var{chvno} +@end example + +Change the PIN or reset the retry counter of the card holder +verification vector number @var{chvno}. @node Scdaemon CHECKPIN @subsection Perform a VERIFY operation. -TO BE WRITTEN. +@example + CHECKPIN @var{idstr} +@end example + +Perform a VERIFY operation without doing anything else. This may be +used to initialize a the PIN cache earlier to long lasting +operations. Its use is highly application dependent: + +@table @strong +@item OpenPGP + +Perform a simple verify operation for CHV1 and CHV2, so that further +operations won't ask for CHV2 and it is possible to do a cheap check on +the PIN: If there is something wrong with the PIN entry system, only the +regular CHV will get blocked and not the dangerous CHV3. @var{idstr} is +the usual card's serial number in hex notation; an optional fingerprint +part will get ignored. + +There is however a special mode if @var{idstr} is suffixed with the +literal string @code{[CHV3]}: In this case the Admin PIN is checked if +and only if the retry counter is still at 3. + +@end table diff --git a/scd/ChangeLog b/scd/ChangeLog index 91603f61b..64a4a8b72 100644 --- a/scd/ChangeLog +++ b/scd/ChangeLog @@ -1,5 +1,10 @@ 2005-05-23 Werner Koch + * Makefile.am: Do not build sc-copykeys anymore. + + * app-openpgp.c (app_openpgp_storekey, app_openpgp_readkey) + (app_openpgp_cardinfo): Removed. + * ccid-driver.c (parse_ccid_descriptor): SCR335 FW version 5.14 is good. (do_close_reader): Never do a reset. The caller should instead @@ -11,6 +16,7 @@ Thanks to Ludovic Rousseau for this hint and the magic numbers. (print_command_failed): New. (bulk_in): Use it here. Add new arg NO_DEBUG. + (ccid_slot_status): Disabled debugging. 2005-05-21 Werner Koch diff --git a/scd/Makefile.am b/scd/Makefile.am index c3688da5f..e76f83ea4 100644 --- a/scd/Makefile.am +++ b/scd/Makefile.am @@ -18,7 +18,7 @@ ## Process this file with automake to produce Makefile.in -bin_PROGRAMS = scdaemon sc-copykeys +bin_PROGRAMS = scdaemon if ! HAVE_W32_SYSTEM pkglib_PROGRAMS = pcsc-wrapper endif @@ -47,22 +47,25 @@ scdaemon_LDADD = ../jnlib/libjnlib.a ../common/libcommon.a \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(PTH_LIBS) $(LIBASSUAN_LIBS) \ $(LIBUSB_LIBS) -lgpg-error $(LIBINTL) $(DL_LIBS) -sc_copykeys_SOURCES = \ - sc-copykeys.c scdaemon.h \ - apdu.c apdu.h \ - ccid-driver.c ccid-driver.h \ - iso7816.c iso7816.h \ - tlv.c tlv.h \ - atr.c atr.h \ - app.c app-common.h app-help.c $(card_apps) - -sc_copykeys_LDADD = \ - ../jnlib/libjnlib.a ../common/libcommon.a \ - ../common/libsimple-pwquery.a \ - $(LIBGCRYPT_LIBS) $(PTH_LIBS) $(KSBA_LIBS) $(LIBASSUAN_LIBS) \ - $(LIBUSB_LIBS) \ - -lgpg-error @LIBINTL@ @DL_LIBS@ - +# Removed for now: We need to decide whether it makes sense to +# continue it at all, given that gpg has now all required +# functionality. +#sc_copykeys_SOURCES = \ +# sc-copykeys.c scdaemon.h \ +# apdu.c apdu.h \ +# ccid-driver.c ccid-driver.h \ +# iso7816.c iso7816.h \ +# tlv.c tlv.h \ +# atr.c atr.h \ +# app.c app-common.h app-help.c $(card_apps) +# +#sc_copykeys_LDADD = \ +# ../jnlib/libjnlib.a ../common/libcommon.a \ +# ../common/libsimple-pwquery.a \ +# $(LIBGCRYPT_LIBS) $(PTH_LIBS) $(KSBA_LIBS) $(LIBASSUAN_LIBS) \ +# $(LIBUSB_LIBS) \ +# -lgpg-error @LIBINTL@ @DL_LIBS@ +# pcsc_wrapper_SOURCES = pcsc-wrapper.c pcsc_wrapper_LDADD = $(DL_LIBS) pcsc_wrapper_CFLAGS = diff --git a/scd/app-common.h b/scd/app-common.h index c2c302395..613ad61f6 100644 --- a/scd/app-common.h +++ b/scd/app-common.h @@ -176,23 +176,6 @@ gpg_error_t app_check_pin (app_t app, const char *keyidstr, /*-- app-openpgp.c --*/ gpg_error_t app_select_openpgp (app_t app); -gpg_error_t app_openpgp_cardinfo (app_t app, - char **serialno, - char **disp_name, - char **pubkey_url, - unsigned char **fpr1, - unsigned char **fpr2, - unsigned char **fpr3); -gpg_error_t app_openpgp_storekey (app_t app, int keyno, - unsigned char *template, size_t template_len, - time_t created_at, - const unsigned char *m, size_t mlen, - const unsigned char *e, size_t elen, - gpg_error_t (*pincb)(void*, const char *, char **), - void *pincb_arg); -gpg_error_t app_openpgp_readkey (app_t app, int keyno, - unsigned char **m, size_t *mlen, - unsigned char **e, size_t *elen); /*-- app-nks.c --*/ gpg_error_t app_select_nks (app_t app); diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index 1165ec683..91e208a0a 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -2521,215 +2521,3 @@ leave: -/* This function is a hack to retrieve essential information about the - card to be displayed by simple tools. It mostly resembles what the - LEARN command returns. All parameters return allocated strings or - buffers or NULL if the data object is not available. All returned - values are sanitized. */ -gpg_error_t -app_openpgp_cardinfo (app_t app, - char **serialno, - char **disp_name, - char **pubkey_url, - unsigned char **fpr1, - unsigned char **fpr2, - unsigned char **fpr3) -{ - int rc; - void *relptr; - unsigned char *value; - size_t valuelen; - - if (serialno) - { - time_t dummy; - - *serialno = NULL; - rc = app_get_serial_and_stamp (app, serialno, &dummy); - if (rc) - { - log_error (_("error getting serial number: %s\n"), - gpg_strerror (rc)); - return rc; - } - } - - if (disp_name) - { - *disp_name = NULL; - relptr = get_one_do (app, 0x005B, &value, &valuelen, NULL); - if (relptr) - { - *disp_name = make_printable_string (value, valuelen, 0); - xfree (relptr); - } - } - - if (pubkey_url) - { - *pubkey_url = NULL; - relptr = get_one_do (app, 0x5F50, &value, &valuelen, NULL); - if (relptr) - { - *pubkey_url = make_printable_string (value, valuelen, 0); - xfree (relptr); - } - } - - if (fpr1) - *fpr1 = NULL; - if (fpr2) - *fpr2 = NULL; - if (fpr3) - *fpr3 = NULL; - relptr = get_one_do (app, 0x00C5, &value, &valuelen, NULL); - if (relptr && valuelen >= 60) - { - if (fpr1) - { - *fpr1 = xmalloc (20); - memcpy (*fpr1, value + 0, 20); - } - if (fpr2) - { - *fpr2 = xmalloc (20); - memcpy (*fpr2, value + 20, 20); - } - if (fpr3) - { - *fpr3 = xmalloc (20); - memcpy (*fpr3, value + 40, 20); - } - } - xfree (relptr); - - return 0; -} - - - -/* This function is currently only used by the sc-copykeys program to - store a key on the smartcard. app_t ist the application handle, - KEYNO is the number of the key and PINCB, PINCB_ARG are used to ask - for the SO PIN. TEMPLATE and TEMPLATE_LEN describe a buffer with - the key template to store. CREATED_AT is the timestamp used to - create the fingerprint. M, MLEN is the RSA modulus and E, ELEN the - RSA public exponent. This function silently overwrites an existing - key.*/ -gpg_error_t -app_openpgp_storekey (app_t app, int keyno, - unsigned char *template, size_t template_len, - time_t created_at, - const unsigned char *m, size_t mlen, - const unsigned char *e, size_t elen, - gpg_error_t (*pincb)(void*, const char *, char **), - void *pincb_arg) -{ - int rc; - unsigned char fprbuf[20]; - - if (keyno < 1 || keyno > 3) - return gpg_error (GPG_ERR_INV_ID); - keyno--; - - rc = verify_chv3 (app, pincb, pincb_arg); - if (rc) - goto leave; - - flush_cache (app); - - xfree (app->app_local->pk[keyno].key); - app->app_local->pk[keyno].key = NULL; - app->app_local->pk[keyno].keylen = 0; - app->app_local->pk[keyno].read_done = 0; - - rc = iso7816_put_data (app->slot, - (app->card_version > 0x0007? 0xE0 : 0xE9) + keyno, - template, template_len); - if (rc) - { - log_error (_("failed to store the key: %s\n"), gpg_strerror (rc)); - rc = gpg_error (GPG_ERR_CARD); - goto leave; - } - -/* log_printhex ("RSA n:", m, mlen); */ -/* log_printhex ("RSA e:", e, elen); */ - - rc = store_fpr (app->slot, keyno, (u32)created_at, - m, mlen, e, elen, fprbuf, app->card_version); - - leave: - return rc; -} - - -/* Utility function for external tools: Read the public RSA key at - KEYNO and return modulus and exponent in (M,MLEN) and (E,ELEN). */ -gpg_error_t -app_openpgp_readkey (app_t app, int keyno, unsigned char **m, size_t *mlen, - unsigned char **e, size_t *elen) -{ - int rc; - const unsigned char *keydata, *a; - unsigned char *buffer; - size_t buflen, keydatalen, alen; - - *m = NULL; - *e = NULL; - - if (keyno < 1 || keyno > 3) - return gpg_error (GPG_ERR_INV_ID); - keyno--; - - rc = iso7816_read_public_key(app->slot, - keyno == 0? "\xB6" : - keyno == 1? "\xB8" : "\xA4", - 2, - &buffer, &buflen); - if (rc) - { - rc = gpg_error (GPG_ERR_CARD); - log_error (_("reading the key failed\n")); - goto leave; - } - - keydata = find_tlv (buffer, buflen, 0x7F49, &keydatalen); - if (!keydata) - { - log_error (_("response does not contain the public key data\n")); - rc = gpg_error (GPG_ERR_CARD); - goto leave; - } - - a = find_tlv (keydata, keydatalen, 0x0081, &alen); - if (!a) - { - log_error (_("response does not contain the RSA modulus\n")); - rc = gpg_error (GPG_ERR_CARD); - goto leave; - } - *mlen = alen; - *m = xmalloc (alen); - memcpy (*m, a, alen); - - a = find_tlv (keydata, keydatalen, 0x0082, &alen); - if (!a) - { - log_error (_("response does not contain the RSA public exponent\n")); - rc = gpg_error (GPG_ERR_CARD); - goto leave; - } - *elen = alen; - *e = xmalloc (alen); - memcpy (*e, a, alen); - - leave: - xfree (buffer); - if (rc) - { - xfree (*m); *m = NULL; - xfree (*e); *e = NULL; - } - return rc; -} diff --git a/scd/command.c b/scd/command.c index c68d0e925..738b1f003 100644 --- a/scd/command.c +++ b/scd/command.c @@ -1095,7 +1095,7 @@ cmd_random (assuan_context_t ctx, char *line) /* PASSWD [--reset] - Change the PIN or reset thye retry counter of the card holder + Change the PIN or reset the retry counter of the card holder verfication vector CHVNO. */ static int cmd_passwd (assuan_context_t ctx, char *line) @@ -1142,7 +1142,23 @@ cmd_passwd (assuan_context_t ctx, char *line) } -/* CHECKPIN +/* CHECKPIN + + Perform a VERIFY operation without doing anything else. This may + be used to initialize a the PIN cache earlier to long lasting + operations. Its use is highly application dependent. + + For OpenPGP: + + Perform a simple verify operation for CHV1 and CHV2, so that + further operations won't ask for CHV2 and it is possible to do a + cheap check on the PIN: If there is something wrong with the PIN + entry system, only the regular CHV will get blocked and not the + dangerous CHV3. IDSTR is the usual card's serial number in hex + notation; an optional fingerprint part will get ignored. There + is however a special mode if the IDSTR is sffixed with the + literal string "[CHV3]": In this case the Admin PIN is checked + if and only if the retry counter is still at 3. */ static int