mirror of
git://git.gnupg.org/gnupg.git
synced 2024-06-05 23:07:49 +02:00
agent: Add option --pss to pksign to be used by smartcards.
* agent/command.c (cmd_sethash): Add option --pss and allow for --hash=null. * agent/agent.h (struct server_control_s): Add digest.is_pss and zero where needed. * agent/pksign.c (agent_pksign_do): Allow for PSS with cards. * scd/command.c (cmd_pksign): Add for --hash=none. -- This is not a full implementaion of PSS but allows scdaemon card drivers to detect already PSS formatted data. Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
373c975859
commit
bb096905b9
|
@ -254,12 +254,14 @@ struct server_control_s
|
||||||
/* Information on the currently used digest (for signing commands). */
|
/* Information on the currently used digest (for signing commands). */
|
||||||
struct {
|
struct {
|
||||||
char *data; /* NULL or malloced data of length VALUELEN. If
|
char *data; /* NULL or malloced data of length VALUELEN. If
|
||||||
this is set The other fields are ignored. Used
|
this is set the other fields are ignored. Used
|
||||||
for PureEdDSA. */
|
for PureEdDSA and RSA with PSS (in which case
|
||||||
|
data_is_pss is also set). */
|
||||||
int valuelen;
|
int valuelen;
|
||||||
int algo;
|
int algo;
|
||||||
unsigned char value[MAX_DIGEST_LEN];
|
unsigned char value[MAX_DIGEST_LEN];
|
||||||
int raw_value: 1;
|
unsigned int raw_value: 1;
|
||||||
|
unsigned int is_pss: 1; /* DATA holds PSS formated data. */
|
||||||
} digest;
|
} digest;
|
||||||
unsigned char keygrip[20];
|
unsigned char keygrip[20];
|
||||||
int have_keygrip;
|
int have_keygrip;
|
||||||
|
|
|
@ -2790,6 +2790,7 @@ ssh_handler_sign_request (ctrl_t ctrl, estream_t request, estream_t response)
|
||||||
ctrl->digest.algo = hash_algo;
|
ctrl->digest.algo = hash_algo;
|
||||||
xfree (ctrl->digest.data);
|
xfree (ctrl->digest.data);
|
||||||
ctrl->digest.data = NULL;
|
ctrl->digest.data = NULL;
|
||||||
|
ctrl->digest.is_pss = 0;
|
||||||
if ((spec.flags & SPEC_FLAG_USE_PKCS1V2))
|
if ((spec.flags & SPEC_FLAG_USE_PKCS1V2))
|
||||||
ctrl->digest.raw_value = 0;
|
ctrl->digest.raw_value = 0;
|
||||||
else
|
else
|
||||||
|
|
|
@ -707,11 +707,12 @@ cmd_setkeydesc (assuan_context_t ctx, char *line)
|
||||||
|
|
||||||
static const char hlp_sethash[] =
|
static const char hlp_sethash[] =
|
||||||
"SETHASH (--hash=<name>)|(<algonumber>) <hexstring>]\n"
|
"SETHASH (--hash=<name>)|(<algonumber>) <hexstring>]\n"
|
||||||
"SETHASH --inquire\n"
|
"SETHASH [--pss] --inquire\n"
|
||||||
"\n"
|
"\n"
|
||||||
"The client can use this command to tell the server about the data\n"
|
"The client can use this command to tell the server about the data\n"
|
||||||
"(which usually is a hash) to be signed. The option --inquire is\n"
|
"(which usually is a hash) to be signed. The option --inquire is\n"
|
||||||
"used to ask back for to-be-signed data in case of PureEdDSA";
|
"used to ask back for to-be-signed data in case of PureEdDSA or\n"
|
||||||
|
"with --pss for pre-formatted rsaPSS.";
|
||||||
static gpg_error_t
|
static gpg_error_t
|
||||||
cmd_sethash (assuan_context_t ctx, char *line)
|
cmd_sethash (assuan_context_t ctx, char *line)
|
||||||
{
|
{
|
||||||
|
@ -722,7 +723,7 @@ cmd_sethash (assuan_context_t ctx, char *line)
|
||||||
unsigned char *buf;
|
unsigned char *buf;
|
||||||
char *endp;
|
char *endp;
|
||||||
int algo;
|
int algo;
|
||||||
int opt_inquire;
|
int opt_inquire, opt_pss;
|
||||||
|
|
||||||
/* Parse the alternative hash options which may be used instead of
|
/* Parse the alternative hash options which may be used instead of
|
||||||
the algo number. */
|
the algo number. */
|
||||||
|
@ -744,6 +745,8 @@ cmd_sethash (assuan_context_t ctx, char *line)
|
||||||
algo = GCRY_MD_MD5;
|
algo = GCRY_MD_MD5;
|
||||||
else if (has_option (line, "--hash=tls-md5sha1"))
|
else if (has_option (line, "--hash=tls-md5sha1"))
|
||||||
algo = MD_USER_TLS_MD5SHA1;
|
algo = MD_USER_TLS_MD5SHA1;
|
||||||
|
else if (has_option (line, "--hash=none"))
|
||||||
|
algo = 0;
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
err = set_error (GPG_ERR_ASS_PARAMETER, "invalid hash algorithm");
|
err = set_error (GPG_ERR_ASS_PARAMETER, "invalid hash algorithm");
|
||||||
|
@ -753,6 +756,7 @@ cmd_sethash (assuan_context_t ctx, char *line)
|
||||||
else
|
else
|
||||||
algo = 0;
|
algo = 0;
|
||||||
|
|
||||||
|
opt_pss = has_option (line, "--pss");
|
||||||
opt_inquire = has_option (line, "--inquire");
|
opt_inquire = has_option (line, "--inquire");
|
||||||
line = skip_options (line);
|
line = skip_options (line);
|
||||||
|
|
||||||
|
@ -772,6 +776,7 @@ cmd_sethash (assuan_context_t ctx, char *line)
|
||||||
ctrl->digest.data = NULL;
|
ctrl->digest.data = NULL;
|
||||||
ctrl->digest.algo = algo;
|
ctrl->digest.algo = algo;
|
||||||
ctrl->digest.raw_value = 0;
|
ctrl->digest.raw_value = 0;
|
||||||
|
ctrl->digest.is_pss = opt_pss;
|
||||||
|
|
||||||
if (opt_inquire)
|
if (opt_inquire)
|
||||||
{
|
{
|
||||||
|
@ -3807,6 +3812,7 @@ start_command_handler (ctrl_t ctrl, gnupg_fd_t listen_fd, gnupg_fd_t fd)
|
||||||
|
|
||||||
ctrl->digest.data = NULL;
|
ctrl->digest.data = NULL;
|
||||||
ctrl->digest.raw_value = 0;
|
ctrl->digest.raw_value = 0;
|
||||||
|
ctrl->digest.is_pss = 0;
|
||||||
|
|
||||||
assuan_set_io_monitor (ctx, io_monitor, NULL);
|
assuan_set_io_monitor (ctx, io_monitor, NULL);
|
||||||
agent_set_progress_cb (progress_cb, ctrl);
|
agent_set_progress_cb (progress_cb, ctrl);
|
||||||
|
|
|
@ -497,6 +497,12 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
|
||||||
err = do_encode_dsa (data, datalen,
|
err = do_encode_dsa (data, datalen,
|
||||||
algo, s_skey,
|
algo, s_skey,
|
||||||
&s_hash);
|
&s_hash);
|
||||||
|
else if (ctrl->digest.is_pss)
|
||||||
|
{
|
||||||
|
log_info ("signing with rsaPSS is currently only supported"
|
||||||
|
" for (some) smartcards\n");
|
||||||
|
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
|
||||||
|
}
|
||||||
else
|
else
|
||||||
err = do_encode_md (data, datalen,
|
err = do_encode_md (data, datalen,
|
||||||
ctrl->digest.algo,
|
ctrl->digest.algo,
|
||||||
|
@ -540,7 +546,13 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
|
||||||
|
|
||||||
if (s_hash == NULL)
|
if (s_hash == NULL)
|
||||||
{
|
{
|
||||||
if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
|
if (ctrl->digest.is_pss)
|
||||||
|
{
|
||||||
|
err = gcry_sexp_build (&s_hash, NULL,
|
||||||
|
"(data (flags raw) (value %b))",
|
||||||
|
(int)datalen, data);
|
||||||
|
}
|
||||||
|
else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
|
||||||
err = do_encode_raw_pkcs1 (data, datalen,
|
err = do_encode_raw_pkcs1 (data, datalen,
|
||||||
gcry_pk_get_nbits (sexp_key), &s_hash);
|
gcry_pk_get_nbits (sexp_key), &s_hash);
|
||||||
else
|
else
|
||||||
|
|
|
@ -891,7 +891,7 @@ pin_cb (void *opaque, const char *info, char **retstr)
|
||||||
|
|
||||||
|
|
||||||
static const char hlp_pksign[] =
|
static const char hlp_pksign[] =
|
||||||
"PKSIGN [--hash=[rmd160|sha{1,224,256,384,512}|md5]] <hexified_id>\n"
|
"PKSIGN [--hash=[rmd160|sha{1,224,256,384,512}|md5|none]] <hexified_id>\n"
|
||||||
"\n"
|
"\n"
|
||||||
"The --hash option is optional; the default is SHA1.";
|
"The --hash option is optional; the default is SHA1.";
|
||||||
static gpg_error_t
|
static gpg_error_t
|
||||||
|
@ -920,6 +920,8 @@ cmd_pksign (assuan_context_t ctx, char *line)
|
||||||
hash_algo = GCRY_MD_SHA512;
|
hash_algo = GCRY_MD_SHA512;
|
||||||
else if (has_option (line, "--hash=md5"))
|
else if (has_option (line, "--hash=md5"))
|
||||||
hash_algo = GCRY_MD_MD5;
|
hash_algo = GCRY_MD_MD5;
|
||||||
|
else if (has_option (line, "--hash=none")) /* For raw RSA. */
|
||||||
|
hash_algo = 0;
|
||||||
else if (!strstr (line, "--"))
|
else if (!strstr (line, "--"))
|
||||||
hash_algo = GCRY_MD_SHA1;
|
hash_algo = GCRY_MD_SHA1;
|
||||||
else
|
else
|
||||||
|
|
Loading…
Reference in New Issue
Block a user