* g10/card-util.c (gen_kdf_data): Support single salt.
(kdf_setup): Can have argument for single salt.
* scd/app-openpgp.c (pin2hash_if_kdf): Support single salt.
--
Gnuk has "admin-less" mode. To support "admin-less" mode with KDF
feature, salt should be same for user and admin. Thus, I introduce a
valid use of single salt.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/card-util.c (ask_card_rsa_keysize): Drop support for magic
number 25519 for ed25519/cv25519. Rename from ask_card_keyattr.
(ask_card_keyattr): Support ECC, as well as RSA.
(do_change_keyattr): Support ECC dropping magical number 25519.
* g10/keygen.c (ask_curve): Allow call from outside, adding last arg
of CURRENT.
(generate_keypair): Follow the change of ask_curve.
(generate_subkeypair): Likewise.
--
GnuPG-bug-id: 3781
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/card-util.c (generate_card_keys): Check PIN later.
(card_generate_subkey): Likewise.
--
Changing key attribute resets PIN authentication status. So, CHECKPIN
should be after that, before key generation. Note that CHECKPIN is
done for binding signature.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/card-util.c (factory_reset): Dummy PIN size is now 32-byte.
Connect the card again at the last step.
--
Before the change, a user has to quit the session to continue. Now,
it is possible to type RET in the session and see if it's really done.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/call-agent.h (agent_card_info_s): Add fields grp1, grp2 and
grp3.
* g10/call-agent.c (unhexify_fpr): Allow for space as delimiter.
(learn_status_cb): Parse KEYPARIINFO int the grpX fields.
* g10/card-util.c (print_keygrip): New.
(current_card_status): Print "grp:" records or with --with-keygrip a
human readable keygrip.
--
Suggested-by: Peter Lebbing <peter@digitalbrains.com>
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (current_card_status): String changes.
(change_sex): Description change.
(cmds): Add "salutation"; keep "sex" as an alias.
--
Note that we can't change the used values or tags but at least the UI
should show reflect the real purpose of the field.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (factory_reset): Simplify.
--
In this summer, I got report about old code before this change didn't
work with newer Yubikey. I got another report test version of OpenPGP
card V3.3 implementation didn't work, either. Then, I confirmed that
according to the OpenPGP card specification, the procedure of old code
is not expected by its author.
This change simplify "factory-reset" as simple.
Only versions of Gnuk 1.2.2, 1.2.3, 1.2.4, won't work with this
change. That's because the factory-reset feature of Gnuk was
introduced by reading the implementation of GnuPG, instead of reading
the specification. Gnuk 1.2.5 and later works well. All OpenPGPcard
implementations I have work well (2.0, 2.1, 2.2, test version of 3).
GnuPG-bug-id: 3286
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit d63b7966cd)
* g10/card-util.c (ask_card_keyattr): Handle special value 25519.
(do_change_keyattr): Allow changing to cv25519/ed25519.
(generate_card_keys): Ditto.
(card_generate_subkey): Ditto.
--
This is kludge to make it easier for gnuk to be switched into ECC
mode. This is basically the same change as
commit ea09b6cded
but without the string change in show_keysize_warning.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (ask_card_rsa_keysize): Rename to ask_card_keyattr.
(do_change_rsa_keysize): Rename to do_change_keyattr.
--
We want to support other algos than RSA and thus we need a better name
for the functions.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f795f4529d)
* g10/card-util.c (ask_card_keyattr): Print "rsaNNNN".
--
This is a separate patch from the previous to avoid string changes
when backporting the other patch to 2.2.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (show_keysize_warning): Slightly change the text.
(ask_card_keyattr): Handle special value 25519.
(do_change_keyattr): Allow changing to cv25519/ed25519.
(generate_card_keys): Ditto.
(card_generate_subkey): Ditto.
--
This is kludge to make it easier for gnuk to be switched into ECC
mode.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (ask_card_rsa_keysize): Rename to ask_card_keyattr.
(do_change_rsa_keysize): Rename to do_change_keyattr.
--
We want to support other algos than RSA and thus we need a better name
for the functions.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (factory_reset): Simplify.
--
In this summer, I got report about old code before this change didn't
work with newer Yubikey. I got another report test version of OpenPGP
card V3.3 implementation didn't work, either. Then, I confirmed that
according to the OpenPGP card specification, the procedure of old code
is not expected by its author.
This change simplify "factory-reset" as simple.
Only versions of Gnuk 1.2.2, 1.2.3, 1.2.4, won't work with this
change. That's because the factory-reset feature of Gnuk was
introduced by reading the implementation of GnuPG, instead of reading
the specification. Gnuk 1.2.5 and later works well. All OpenPGPcard
implementations I have work well (2.0, 2.1, 2.2, test version of 3).
GnuPG-bug-id: 3286
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/card-util.c (change_cafpr): Use MAX_FINGERPRINT_LEN.
* g10/cipher.c (write_header): Use snprintf.
* g10/gpg.h (MAX_FINGERPRINT_LEN): Change to 32.
(MAX_FORMATTED_FINGERPRINT_LEN): Change to 59
* g10/keyid.c (format_hexfingerprint): Add v5 fingerprint format.
* g10/tofu.c (get_policy): Use MAX_FINGERPRINT_LEN for the buffer but
keep the raw length for now.
--
Note that this patch only increases the size of the buffer and adds a
new formatting for v5 fingerprints. Moe work is required to fix
internal data structures like those in trustdb.gpg and the tofu
tables.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/import.c (import_keys_stream): Remove this unused function.
(import_keys_internal): Add arg origin.
(import_keys): Ditto.
(import_keys_es_stream): Ditto.
(import): Ditto.
(import_one): Ditto.
(apply_meta_data): New stub.
(import_secret_one): Pass 0 for ORIGIN.
* g10/keyserver.c (keyserver_get_chunk): For now pass 0 for ORIGIN.
(keyserver_fetch): Add arg origin.
(keyserver_import_cert): Pass KEYORG_DANE for ORIGIN.
(keyserver_import_wkd): Pass KEYORG_WKD for ORIGIN.
* g10/gpg.c (main): Pass OPT.KEY_ORIGIN to import_keys and
keyserver_fetch.
* g10/card-util.c (fetch_url): Pass KEYORG_URL for ORIGIN.
--
This is just the framework; applying the meta data will be done in
another commit.
GnuPG-bug-id: 3252
Signed-off-by: Werner Koch <wk@gnupg.org>
--
For proper operations as a server we need to avoid global variables.
Thus we need to pass the session state CTRL to most functions. Quite
a lot of changes but fortunately straightforward to do.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/call-dirmngr.c (gpg_dirmngr_ks_get): Add arg 'quick'.
(gpg_dirmngr_wkd_get): Ditto.
* g10/keyserver.c (keyserver_get): Add arg 'quick'.
(keyserver_get_chunk): Add arg 'quick'.
(keyserver_import_fprint): Ditto. Change callers to pass 0 for it.
(keyserver_import_keyid): Ditto.
(keyserver_import_wkd): Ditto.
* g10/mainproc.c (check_sig_and_print): Call the 3 fucntions with
QUICK set.
--
Note that this option has not yet been implemented by dirmngr.
Dirmngr will simply ignore it for now.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (send_key_attr): Use curve instead of OID.
(ecdh_params): New.
(ecc_read_pubkey): Use ecdh_params. Use curve name.
(ecc_writekey): Likewise.
(ecc_curve): Rename from ecc_oid.
(parse_algorithm_attribute): Use ecc_curve.
* g10/call-agent.c (learn_status_cb): Use openpgp_is_curve_supported to
intern the curve name string.
* g10/card-util.c (card_status): Conver curve name to alias for print.
--
Now, sdcaemon answer for KEY-ATTR is in the canonical curve name
instead of the alias. Since it is used of key generation for
card encryption key with backup, it should be canonical name.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/call-agent.h (struct agent_card_info_s): Add curve field.
* g10/call-agent.c (learn_status_cb): Use curve name.
* g10/card-util.c (card_status): Show pubkey name.
* scd/app-openpgp.c (struct app_local_s): Record OID and flags.
(store_fpr): Use ALGO instead of key type.
(send_key_attr): Use curve name instead of OID.
(get_public_key): Clean up by OID to curve name.
(ecc_writekey): Support any curves in libgcrypt.
(do_genkey, do_auth, ): Follow the change.
(ecc_oid): New.
(parse_algorithm_attribute): Show OID here.
* g10/card-util.c (do_change_keysize): Put "rsa".
* scd/app-openpgp.c (change_keyattr, change_keyattr_from_string):
Change the command format.
(rsa_writekey): Check key type.
(do_writekey): Remove "ecdh" and "ecdsa" support which was available
in experimental libgcrypt before 1.6.0.
* g10/keylist.c (print_pubkey_info): Print either "pub" or "sub".
* g10/getkey.c (get_pubkey_byfprint): Add optional arg R_KEYBLOCK.
* g10/keyid.c (keyid_from_fingerprint): Adjust for change.
* g10/revoke.c (gen_desig_revoke): Adjust for change.
* g10/card-util.c (card_status): Simplify by using new arg. Align
card-no string.
* g10/card-util.c (card_status): Remove not used GnuPG-1 code.
--
This now prints "sub" if the first used card key is actually a subkey.
Signed-off-by: Werner Koch <wk@gnupg.org>
g10/call-agent.h (agent_scd_learn): Add FORCE option.
g10/call-agent.c (agent_scd_learn): Implement FORCE option.
g10/keygen.c (gen_card_key): Follow the change of option.
g10/card-util.c (change_pin, card_status, factory_reset): Likewise.
g10/keyedit.c (keyedit_menu): Update private key storage by
agent_scd_learn.
--
This is not a perfect solution since there is a possibility user
unplug card before quitting 'gpg --keyedit' session. Usually,
it works well.
GnuPG-bug-id: 1846
* common/util.h (GPG_ERR_OBJ_TERM_STATE): New.
* scd/iso7816.c (map_sw): Add this error code.
* scd/app-openpgp.c (do_getattr): Return the life cycle indicator.
* scd/app.c (select_application): Allow a return value of
GPG_ERR_OBJ_TERM_STATE.
* scd/scdaemon.c (set_debug): Print the DBG_READER value.
* g10/call-agent.c (start_agent): Print a status line for the
termination state.
(agent_scd_learn): Make arg "info" optional.
(agent_scd_apdu): New.
* g10/card-util.c (send_apdu): New.
(factory_reset): New.
(card_edit): Add command factory-reset.
Signed-off-by: Werner Koch <wk@gnupg.org>
--
Also fixed some of my own copyright notices due to the termination of
my assignment. The one displayed by --version is kept at FSF because
we had contributors in 2014 with FSF assignments and it gives the FSF
some visibility.
* g10/call-agent.c (agent_scd_learn): Rename from agent_learn.
(agent_learn): New.
* g10/keygen.c (gen_card_key): Call new agent-learn.
--
Without a shadow key we can't create the self-signatures. Thus we
need to issue the learn command after each key generation.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (aFullKeygen): New.
(opts): Add command --full-key-gen.
(main): Implement it.
* g10/keygen.c (DEFAULT_STD_ALGO): Replace wrong GCRY_PK_RSA although
the value is identical.
(DEFAULT_STD_CURVE): New.
(DEFAULT_STD_SUBALGO): New.
(DEFAULT_STD_SUBKEYSIZE): New.
(DEFAULT_STD_SUBCURVE): New.
(quick_generate_keypair): Use new macros here.
(generate_keypair): Add arg "full" and fix call callers. Do not ask
for keysize in non-full node.
(ask_user_id): Add arg "full" and simplify for non-full mode.
The asymmetric quotes used by GNU in the past (`...') don't render
nicely on modern systems. We now use two \x27 characters ('...').
The proper solution would be to use the correct Unicode symmetric
quotes here. However this has the disadvantage that the system
requires Unicode support. We don't want that today. If Unicode is
available a generated po file can be used to output proper quotes. A
simple sed script like the one used for en@quote is sufficient to
change them.
The changes have been done by applying
sed -i "s/\`\([^'\`]*\)'/'\1'/g"
to most files and fixing obvious problems by hand. The msgid strings in
the po files were fixed with a similar command.
This works by specifying the keygrip instead of an algorithm (section
number 13) and requires that the option -expert has been used. It
will be easy to extend this to the primary key.
This patch implementes a chunk mode to pass the key parameters from
scdaemon to gpg. This allows to pass arbitrary long key paremeters;
it is used for keys larger than 3072 bit.
Note: the card key generation in gpg is currently broken. The keys
are generated but it is not possible to create the self-signature
because at that time the gpg-agent does not yet know about the new
keys and thus can't divert the sign request to the card. We either
need to run the learn command right after calling agent_scd_genkey or
implement a way to sign using the currently inserted card. Another
option would be to get rid of agent_scd_genkey and implement the
feature directly in agent_genkey.
We better do this once and for all instead of cluttering all future
commits with diffs of trailing white spaces. In the majority of cases
blank or single lines are affected and thus this change won't disturb
a git blame too much. For future commits the pre-commit scripts
checks that this won't happen again.
NIIBE Yutaka