1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

8160 Commits

Author SHA1 Message Date
Daniel Kahn Gillmor
145987238e gpgv: Improve documentation for keyring choices
* doc/gpgv.texi: Improve documentation for keyring choices

--

From the existing documentation, it's not clear whether the default
keyring will always be mixed into the set of keyrings, or whether it
will be skipped if a --keyring is present.  The updated text here
attempts to describe the keyring selection logic more completely.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-03-03 10:22:34 -05:00
Werner Koch
86c241a8c9
sm: Print Yubikey attestation extensions with --dump-cert.
* sm/keylist.c (oidtranstbl): Add Yubikey OIDs.
(OID_FLAG_HEX): New.
(print_hex_extn): New.
(list_cert_raw): Make use of that flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-01 15:23:49 +01:00
Werner Koch
51df13d9ec
scd:piv: Add feature to read Yubikey attestation certificates.
* scd/app-piv.c (do_readcert): Add hack to read Yubikey attestaions.
--

Use
  gpg-card 'readcert PIV.ATST.9A >x.crt'
to store the attestation certificate for 9A into X.CRT.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-01 14:04:29 +01:00
Werner Koch
696d4c290d
scd:piv: Allow writecert to only write matching certs.
* scd/app-piv.c (do_readkey): Read the key from the cert here instead
of letting the upper layer do this.
(do_writecert): Check that the cert matches the key and that a key has
already been generated.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-01 12:58:56 +01:00
Werner Koch
280baee72d
card: Remove the "admin" command.
* tools/gpg-card.c (cmd_passwd): Remove arg allow_admin.
(enum cmdids): Rename cmdAUTHENTICATE to cmdAUTH and cmdFACTORYRESET
to cmdFACTRST.
(cmds): Remove column 'admin_only'.
(interactive_loop): Remove admin_only stuff.
--

That command has always been an annoyance.  Symbols have been renamed
for source cosmetics.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-01 12:20:24 +01:00
Werner Koch
2c75af9f65
sm: Don't mark a cert as de-vs compliant if it leads to SHA-1 sigs.
* sm/keylist.c (print_compliance_flags): Also check the diges_also.
--

A certificate with algorithm sha1WithRSAEncryption can be de-vs
compliant (e.g. if the next in the chain used sha256WithRSAEncryption
to sign it and RSA is long enough) but flagging it as such is useless
because that certificate can't be used because it will create
signatures using the non-compliant SHA-1 algorithm.

Well, it could be used for encryption.  But also evaluating the
key-usage flags here would make it harder for the user to understand
why certain certificates are listed as de-vs compliant and others are
not.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-28 14:45:21 +01:00
NIIBE Yutaka
0173b249cf agent: PKSIGN should return signature in same format for card.
* agent/pksign.c (agent_pksign_do):

--

It's best to keep same data format by libgcrypt.

For card (due to historical reasons), gpg-agent or scdaemon used to
prefix 0x00 when it starts 0x80, so that it can be parsed signed MPI
as well as unsigned MPI.  It used to do nothing for preceding zeros.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-27 10:37:26 +09:00
Werner Koch
c2235d994d
scd: Simplify the app_readkey parameters.
* scd/app-help.c (app_help_pubkey_from_cert): New.
* scd/command.c (cmd_readkey): Refactor to use that new function and
handle the --advanced flag only here.
* scd/app.c (app_readkey): Remove parm advanced.
* scd/app-common.h (struct app_ctx_s): Remove parm advanced from the
readkey member.
* scd/app-nks.c (do_readkey): Adjust for removed parm.
* scd/app-piv.c (do_readkey): Ditto.
* scd/app-openpgp.c (do_readkey): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-26 17:01:46 +01:00
Werner Koch
ac485b4f25
conf: New option --show-socket.
* tools/gpgconf-comp.c (gc_component_t): Move this enum to ...
* tools/gpgconf.h: here.
* tools/gpgconf.c (oShowSocket): New.
(opts): Add new option.
(main): Implement new option.
--

This is a convenience options for software which directly connects to
gpg-agent and thus needs to new the socket.  By using --show-socket
along with --launch that software can also autostart the agent or the
dirmngr.  Without this two calls to gpgconf would be required.

Actually the same behaviour can be achieved by running
gpg-connect-agent to query the running gpg-agent's socket via GETINFO.
The gpg-connect also makes sure that the agent is started.  This is
not anymore suggested because gpgconf shall in future be used for all
such things.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-26 13:13:08 +01:00
NIIBE Yutaka
371ae25f8f libdns: Avoid using compound literals (8).
* dirmngr/dns.h (dns_quietinit): Remove.
(dns_hints_i_new): Remove.

--

Even before our change, dns_quietinit was questionable macro;  There
was no place in dns.c which requires overrides in initializer list.
Only redundant zero were.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-26 12:26:02 +09:00
NIIBE Yutaka
d661acd483 libdns: Avoid using compound literals (7).
* dirmngr/dns.h (DNS_OPTS_INIT, dns_opts): Remove.
* dirmngr/dns-stuff.c (libdns_res_open): Use zero-ed, and initialized
automatic variable for opts.
* dirmngr/dns.c (send_query, resolve_query, resolve_addrinfo):
Likewise.

--

In fact, DNS_OPTS_INIT was only needed when args are none.  With
partially specified initialization, C99 guarantees zero-ed other
members just like static object.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-26 12:13:35 +09:00
NIIBE Yutaka
6501e59d36 libdns: Avoid using compound literals (6).
* dirmngr/dns.h (dns_rr_i_new): Remove.
(dns_rr_i_init): Remove unused second argument.
* dirmngr/dns.c (dns_p_dump, dns_hints_query, print_packet)
(parse_packet): Use automatic variable for struct dns_rr_i.
(dns_d_cname): No need to call dns_rr_i_init after memset 0.
(dns_rr_i_init): Remove unused second argument.  Return nothing.
* dirmngr/dns-stuff.c (resolve_addr_libdns, get_dns_cert_libdns)
(getsrv_libdns): Follow the change of dns_rr_i_init.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-26 11:55:32 +09:00
NIIBE Yutaka
a1ccfe2b37 libdns: Avoid using compound literals (5).
* dirmngr/dns.h (dns_rr_foreach): Don't use dns_rr_i_new.
Call dns_rr_grep with NULL.
* dirmngr/dns.c (dns_rr_grep): Support NULL for error_.

--

Here we still use C99 feature of struct member initialization in
dns_rr_foreach, for struct dns_rr_i.  Note that in C99, it guarantees
non-specified member fields are initialized by zero.  So, there's no
need to use dns_rr_i_new at all.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-26 11:53:41 +09:00
NIIBE Yutaka
7313a112f9 libdns: Avoid using compound literals (4).
* dirmngr/dns.h (dns_d_new*): Remove.
* dirmngr/dns.c (parse_packet): Use dns_d_init with automatic
variable.
(parse_domain): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-26 10:58:16 +09:00
NIIBE Yutaka
72efb78402 libdns: Avoid using compound literals (3).
* dirmngr/dns.h (dns_p_new): Remove.
* dirmngr/dns.c (dns_hosts_query): Use dns_p_init with automatic
variable.
(dns_hints_query, dns_res_glue, parse_packet, query_hosts)
(send_query, show_hints, echo_port): Likewise.

--

Implicit automatic allocation by compound literals is confusing
for C90 code.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-26 10:34:03 +09:00
NIIBE Yutaka
455ef62d29 libdns: Avoid using compound literals (2).
* dirmngr/dns.h (dns_strsection1, dns_strsection3): Remove.
(dns_strclass1, dns_strclass3): Remove.
(dns_strtype1, dns_strtype3): Remove.
(dns_strsection, dns_strclass, dns_strtype): Directly use the
function.
* dirmngr/dns.c (dns_strsection): Use automatic variable.
(dns_strclass, dns_strtype): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-26 10:12:24 +09:00
NIIBE Yutaka
1c40549938 libdns: Avoid using compound literals.
* dirmngr/dns.c (dns_inet_pton, dns_so_tcp_keep): Use automatic
variables.
(dns_poll, dns_send_nopipe): Likewise, adding const qualifier.

--

Compound literals is a feature of C99.  Because we only use C90 plus
some limited features, in the project, it's better to avoid it.

Besides, we make sure when it's read-only.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-26 09:42:54 +09:00
Werner Koch
a481d17432
scd: PIV: Always require a PIN for signing with 9C.
* scd/app-piv.c (verify_chv): Add arg 'force'.
(do_sign): Use force for 0x9c.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-25 11:29:54 +01:00
Werner Koch
28de5c0ea5
card: Rename gpg-card-tool to gpg-card.
* tools/card-tool-keys.c: Rename to card-keys.c.
* tools/card-tool-misc.c: Rename to card-misc.c.
* tools/card-tool-yubikey.c: Rename to card-yubikey.c.
* tools/card-tool.h: Rename to gpg-card.h.
* tools/gpg-card-tool-w32info.rc: Rename to gpg-card-w32info.rc
* doc/card-tool.texi: Rename top gpg-card.texi

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-25 09:34:30 +01:00
Werner Koch
a12c3a566e
agent: Fix for suggested Libgcrypt use.
* agent/divert-scd.c (divert_pkdecrypt): Skip a flags parameter.
--

The libgcrypt docs say that a "flags" parameter should always be used
in the input of pkdecrypt.  Thus we should allow that parameter also
when parsing an s-expression to figure out the algorithm for use with
scdaemon.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-25 08:24:52 +01:00
NIIBE Yutaka
e140c6d4f5 gpgscm: Build well even if NDEBUG defined.
* gpgscm/scheme.c (gc_reservation_failure): Fix adding ";".
[!NDEBUG] (scheme_init_custom_alloc): Don't init seserved_lineno.

--

Picked from libgpg-error commit of:
	8a9397896fd202dcfb3fb46259e43bc05a0ddd2e

In some build environment, NDEBUG is defined (although it's
bad practice).  This change supports such a situation.

GnuPG-bug-id: 3959
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-25 10:44:16 +09:00
NIIBE Yutaka
611faf1579 scd: internal driver: Submit SET_INTERFACE control transfer.
* scd/ccid-driver.c (ccid_open_usb_reader): Alway submit SET_INTERFACE
control transfer.

--

This handling is not mondatory, but it's better to do so, because
there are card reader with pinpad and token with ack button, which
support user interaction.

User interaction status should be reset at open time.  The status
should be reset when the session is closed/stopped.  In practice,
since cleanup routine in a driver may not be called properly, it's
good to submit SET_INTERFACE at open time.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-22 20:05:09 +09:00
Werner Koch
c1000c6738
sm: Fix certificate creation with key on card.
* sm/certreqgen.c (create_request): Fix for certmode.
--

When using an existing key from a card for certificate signing (in
contrast to the default of generating a CSR), the code tried to use
the same key for signing instead of the Signing-Key parameter.  It is
perfectly okay to use the regular signing path via gpg-agent for
certificate creation - only self-signed certificates with a key on the
card require the direct use of the card key (via "SCD PKSIGN").

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 17:32:39 +01:00
Werner Koch
7317aeb3f4
card: Print usage info for each key.
* tools/card-call-scd.c (learn_status_cb): Handle extended
KEYPARIRINFO.
* tools/card-tool.h (struct key_info_s): Add field 'usage'.
* tools/gpg-card-tool.c (list_one_kinfo): Show usage flags.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 12:43:07 +01:00
Werner Koch
5e21ef2d55
scd: Extend KEYPAIRINFO by key usage info.
* scd/app-openpgp.c (send_keypair_info): Append usage string.
* scd/app-piv.c (struct data_object_s): Remove column 'binary'.  Add
column 'usage'.
(dump_all_do): Adjust for removed 'binary'.
(send_keypair_and_cert_info): Append usage string.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 12:41:10 +01:00
Werner Koch
3384ba6c1c
card: Print the keyref in the listing.
* tools/gpg-card-tool.c (list_one_kinfo): Print the keyref.
--

The named keys are nice but knowing the actual keyref mapping to them
is also useful.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 08:51:54 +01:00
Werner Koch
5ecc7a0260
scd: Don't let the "undefined" app cause a conflict error.
* scd/app.c (check_conflict): Ignore "undefined".

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 08:51:53 +01:00
Werner Koch
d7a54ca461
sm: Prepare algo mapping to handle values > 255.
* sm/misc.c (transform_sigval): Allow for larger values of MDALGO and
PKALGO.
--

Libgcrypt already defines larger values for them, so we should be
prepared in case we use them in the future.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 08:51:50 +01:00
NIIBE Yutaka
2013cb5ee6 scd: Clear CHV status on timeout error.
* scd/app-openpgp.c (clear_chv_status): New.
(do_change_pin): Use clear_chv_status.
(do_sign): Call clear_chv_status on GPG_ERR_TIMEOUT.
(do_auth, do_decipher): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-21 15:50:43 +09:00
NIIBE Yutaka
bd15aa34ab scd: Handle ack button timeout as GPG_ERR_TIMEOUT.
* scd/apdu.h (SW_ACK_TIMEOUT): New.
* scd/iso7816.c (map_sw): Return GPG_ERR_TIMEOUT for SW_ACK_TIMEOUT.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-21 15:16:11 +09:00
NIIBE Yutaka
64b7c6fd19 tests: Add "disable-scdaemon" in gpg-agent.conf.
* tests/openpgp/defs.scm: Add "disable-scdaemon".  Remove
  "scdaemon-program".
* tests/gpgme/gpgme-defs.scm, tests/gpgsm/gpgsm-defs.scm: Likewise.
* tests/inittests, tests/pkits/inittests: Add "disable-scdaemon"

--

Before this change, running "make check" accesses USB device by
scdaemon on host computer.  If there is any smartcard/token available,
it may affect test results.  Because default key choice depends on
smartcard/token availability now and existing tests have nothing about
testing smartcard/token, disabling scdaemon is good.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-21 12:26:09 +09:00
NIIBE Yutaka
c395f83153 agent: Terminate pinentry process gracefully, by watching socket.
* agent/call-pinentry.c (watch_sock): New.
(do_getpin): Spawn the watching thread.

--

While we don't have npth_cancel (and it's difficult to implement it
correctly), this is a kind of best compromise allowing a thread's
polling when pinentry is active.

GnuPG-bug-id: 2011
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-19 14:36:50 +09:00
NIIBE Yutaka
99aa54323f agent: Minor change for pinentry status handling.
* agent/call-pinentry.c (struct entry_parm_s): Add status.
(do_getpin): Use param->status.
(agent_askpin): Copy param->status. to pininfo.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-19 14:28:04 +09:00
NIIBE Yutaka
ada797f477 agent: Factor out the getpin interaction.
* agent/call-pinentry.c (do_getpin): New.
(agent_askpin, agent_get_passphrase): Use do_getpin.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-19 11:55:55 +09:00
Damien Goutte-Gattat via Gnupg-devel
3cbdf896e6 sm: Support generation of card-based ed25519 CSR.
* sm/call-agent.c (gpgsm_scd_pksign): Allow SHA512. Create proper
S-expression for EdDSA signature.
* sm/certreqgen.c (create_request): Force use of SHA512 when
using a ed25519 key.
* sm/misc.c (transform_sigval): Insert OID for ed25519.

--

GnuPG-bug-id: 4013
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2019-02-18 11:33:20 +09:00
Damien Goutte-Gattat via Gnupg-devel
74e9b579ca sm: Support generation of card-based ECDSA CSR.
* sm/call-agent.c (gpgsm_scd_pksign): Identify type of signing key
and format resulting S-expression accordingly.
* sm/misc.c (transform_sigval): Support ECDSA signatures.
--

Current GpgSM implementation assumes card-based keys are RSA keys.
This patch introduces support for ECDSA keys.

By itself this patch is not sufficient, we also need support
from libksba.

GnuPG-bug-id: 4092
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2019-02-15 11:01:20 +09:00
Ingvar Hagelund
b89f1790e0 po: Correct a simple typo in the Norwegian translation
Signed-off-by: Ingvar Hagelund <ingvar@redpill-linpro.com>
2019-02-14 09:44:38 -05:00
Werner Koch
7e1cd2cd41
card: New command "yubikey".
* tools/card-tool-yubikey.c: New.
* tools/Makefile.am (gpg_card_tool_SOURCES): Add it.
* tools/card-call-scd.c (scd_apdu): Allow returning data.
* tools/card-tool-misc.c (send_apdu): New.  Move from gpg-card-tool.c
and let it return data.  Change all callers.

* tools/gpg-card-tool.c (cmd_writecert): Prepend the certref with the
current application type.
(cmd_yubikey): New.
--

This command allows listing of active applications and to enable or
disable selected applications.  This is in particular useful to
disable the OpenPGP application so that the PIV support can easily be
tested.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-13 09:49:07 +01:00
Werner Koch
43b14b4cc2
scd: Implement decryption for PIV cards.
* scd/app-piv.c (do_decipher): New.
--

Note that ECDH decryption has not been tested due to the lack of ECC
support in gpgsm.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-11 15:32:54 +01:00
Werner Koch
b283869440
scd: For PIV cards used NO_AUTH instead of BAD_PIN.
* common/util.h (GPG_ERR_NO_AUTH, GPG_ERR_BAD_AUTH): Add replacement
codes for gpgrt < 1.36.
* scd/app-piv.c (auth_adm_key):
(do_genkey, do_writecert): Use better error codes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-11 09:07:54 +01:00
Werner Koch
53beea56af
scd: Implement RSA signing for PIV cards.
* scd/app-piv.c (concat_tlv_list): New.
(get_key_algorithm_by_dobj): Rename args for clarity.
(do_auth): factor all code out to ...
(do_sign): new.  Implement RSA signing.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 17:03:32 +01:00
Werner Koch
0328976c94
sm: In --gen-key with "key from card" show also the algorithm.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): Get and show algo.
--

This extends the prompt to show something like

  Serial number of the card: FF020001008A77F6
  Available keys:
     (1) 4130F84FA3704F4645924AEC3FFA48AD26D33656 PIV.9A nistp384
     (2) AB2988FB8C227BCD5175BF92F66AA3A95AE83214 PIV.9E rsa2048
     (3) DB7DDAEAA88534BA45CCD7A9B761425103EA2090 PIV.9C rsa2048
     (4) BABB48C3D80ACCF9839F101DF2910966C8B988DF PIV.9D nistp256
  Your selection? 1

Having the algorithm here is helpful in particular because right now
we support only RSA with X.509.  Take care: PIV card based certificate
creation does not yet work.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 12:35:26 +01:00
Werner Koch
03bf8e967a
common: Provide function to get public key algo names in our format.
* tools/card-tool-misc.c (pubkey_algo_string): Move to  ...
* common/sexputil.c (pubkey_algo_string): here.
--

The new gpg format for public key algorithms is useful at other places
as well.  Thus we make this new function available.  Note that the
code we use in gpg is not based on s-expressions and thus a new
function was required.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 12:10:45 +01:00
Werner Koch
a1cb4a940f
card: Make "generate" work for PIV cards.
* tools/card-call-scd.c (scd_genkey_cb): Make createtime optional.
(scd_genkey_cb):  Ditto.  Add arg algo.
* tools/gpg-card-tool.c (cmd_generate): Add options and factor card
specific code out to ...
(generate_openpgp, generate_generic): new functions.
--

This patch keeps the interactive OpenPGP mode but adds a pure command
line mode for other cards; in particular PIV cards.  What we still
need to do is:
 a) Add an interactive mode for PIV cards
 b) Add a command line mode for OpenPGP cards.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 11:58:27 +01:00
Werner Koch
b349adc5c0
scd: Allow generating ECC curves on PIV cards.
* scd/app-piv.c (genkey_parse_ecc): New.
(get_keygrip_by_tag): Call that one.
(do_readkey): Call that one.
* scd/command.c (cmd_genkey): Add option --algo.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 11:53:34 +01:00
Werner Koch
e2f18023b3
common: New functions get_option_value and ascii_strupr.
* common/server-help.c (get_option_value): New.
* common/stringhelp.c (ascii_strupr): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 11:13:33 +01:00
Werner Koch
b79bc877f2
card: Print the used algorithm of all keys.
* tools/card-call-scd.c (scd_readkey): New.
* tools/card-tool-misc.c (pubkey_algo_string): New.
* tools/gpg-card-tool.c (list_one_kinfo): Print the algo.
--

It is convenient to see the actual algorithm of keys even if no
certificate has yet been created.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-07 20:28:43 +01:00
Werner Koch
df6ba6dfd2
card: Fix a NULL-ptr deref in key listings.
* tools/card-tool-keys.c (get_matching_keys): Fix segv.
* tools/gpg-card-tool.c (main): Init info.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-07 16:28:03 +01:00
Werner Koch
5bf1212000
scd: Store a new PIV public key in the certificate DO.
* scd/app-piv.c (struct genkey_result_s): Remove type and all users.
(send_keypair_and_cert_info): Print certinfo only if we got a cert..
(readcert_by_tag): Add arg r_mechanism and implement reading of public
keys.
(get_keygrip_by_tag): Use a public key to compute the keygrip.
(do_readcert): Make sure to only return a certificate.
(do_readkey): Read public key from the DO if a certificate is missing.
(get_key_algorithm_by_dobj): Get the algorithm also from a public key.
(does_key_exist): String changes.
(do_genkey): Remove result caching and store public key in the DO.
--

This removes the result cache and instead stores the public key in the
certificate object.  This allows to properly list public keys at any
time after generating a key and before a new certificate is stored
there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-07 16:14:09 +01:00
Werner Koch
fcec5b40e5
card: Support reading and writing PIV certificates
* scd/app-piv.c (add_tlv): New.
(put_data): New.
(do_writecert): New.
(do_setattr): Remove usused special mode 0.
* tools/gpg-card-tool.c (cmd_writecert): Allow other cards than
OPENPGP.
(cmd_readcert): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-07 11:05:22 +01:00