sm: Fix certificate creation with key on card.

* sm/certreqgen.c (create_request): Fix for certmode.
--

When using an existing key from a card for certificate signing (in
contrast to the default of generating a CSR), the code tried to use
the same key for signing instead of the Signing-Key parameter.  It is
perfectly okay to use the regular signing path via gpg-agent for
certificate creation - only self-signed certificates with a key on the
card require the direct use of the card key (via "SCD PKSIGN").

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2019-02-21 17:32:39 +01:00
parent 7317aeb3f4
commit c1000c6738
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 1 additions and 1 deletions

@ -1314,7 +1314,7 @@ create_request (ctrl_t ctrl,
log_info ("about to sign the %s for key: &%s\n",
certmode? "certificate":"CSR", hexgrip);
if (carddirect)
if (carddirect && !certmode)
rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
gcry_md_read (md, mdalgo),
gcry_md_get_algo_dlen (mdalgo),
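
Review bot: The new condition `if (carddirect && !certmode)` keeps every certmode run away from `gpgsm_scd_pksign`, but the commit message says self-signed certificates with a key on the card still require the direct card path via "SCD PKSIGN". Nothing in the visible lines distinguishes the self-signed case from a certificate signed with a separate Signing-Key, so either the condition needs an explicit self-signed test or a comment above it should explain why certmode can always go through the agent. Relatedly, the `log_info` line just above still prints `hexgrip` as the key being signed for in certmode; if the Signing-Key parameter can name a different key, the log message would be worth clarifying so that it identifies the key that actually produces the signature.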