agent: Add option --pss to pksign to be used by smartcards.

* agent/command.c (cmd_sethash): Add option --pss and allow for --hash=null. * agent/agent.h (struct server_control_s): Add digest.is_pss and zero where needed. * agent/pksign.c (agent_pksign_do): Allow for PSS with cards. * scd/command.c (cmd_pksign): Add for --hash=none. -- This is not a full implementaion of PSS but allows scdaemon card drivers to detect already PSS formatted data. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2020-08-10 10:01:03 +02:00 · 2020-08-10 10:01:03 +02:00 · bb096905b9
commit bb096905b9
parent 373c975859
5 changed files with 31 additions and 8 deletions
--- a/agent/pksign.c
+++ b/agent/pksign.c
@ -497,6 +497,12 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
        err = do_encode_dsa (data, datalen,
                             algo, s_skey,
                             &s_hash);
+      else if (ctrl->digest.is_pss)
+        {
+          log_info ("signing with rsaPSS is currently only supported"
+                    " for (some) smartcards\n");
+          err = gpg_error (GPG_ERR_NOT_SUPPORTED);
+        }
      else
        err = do_encode_md (data, datalen,
                            ctrl->digest.algo,
@ -540,7 +546,13 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,

      if (s_hash == NULL)
        {
-          if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
+          if (ctrl->digest.is_pss)
+            {
+              err = gcry_sexp_build (&s_hash, NULL,
+                                     "(data (flags raw) (value %b))",
+                                     (int)datalen, data);
+            }
+          else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
            err = do_encode_raw_pkcs1 (data, datalen,
                                       gcry_pk_get_nbits (sexp_key), &s_hash);
          else