* agent/command.c (cmd_keytocard): Add new arg for ECDH params.
* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
compute the fingerprint.
* g10/call-agent.c (agent_keytocard): Add arg ecdh_param_str.
* g10/keyid.c (ecdh_param_str_from_pk): New.
* g10/card-util.c (card_store_subkey): Pass ECDH params to writekey.
* g10/keygen.c (card_store_key_with_backup): Ditto.
* scd/app-openpgp.c (store_fpr): Add arg update.
(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
writing the fingerprint back to the card if not set.
(read_public_key): Also add arg meta_update.
(get_public_key): Do not pass it as true here...
(do_genkey): ... but here.
(rsa_write_key, ecc_writekey): Force string the fingerprint.
--
The problem showed up because in 2.4 we changed the standard ECDH
parameter some years ago. Now when trying to write an ECDH key
created by 2.2 with 2.4 to an openpgp card, scdaemon computes a wrong
fingerprint and thus gpg was not able to find the key again by
fingerprint.
The patch also avoids updating the stored fingerprint in certain
situations.
This fix is somewhat related to
GnuPG-bug-id: 6378
* scd/app-common.h (struct card_ctx_s): Add maybe_check_aid flag.
* scd/command.c (cmd_apdu): Set it.
* scd/app.c (check_external_interference): Consult this flag.
(maybe_switch_app): Do a re-select if this flag is set.
--
After the gpg-card tool has issued a Yubikey specific command the
current application is not anymore correctly selected. This then
results in all kind of errors. We detect this now and try to
re-select the last app.
* common/sexputil.c (get_rsa_pk_from_canon_sexp): Also allow private
keys.
(pubkey_algo_string): Ditto.
* scd/app-openpgp.c (do_writekey): Switch key attributes
--
The scd WRITEKEY command for OpenPGP cards missed proper support to
aautomagically switch key attributes based on the new key. We had
this only in GENKEY.
GnuPG-bug-id: 6378
* scd/app-p15.c (select_and_read_record): Special case deleted
records. Support 3 byte TLVs.
(read_ef_prkdf): Skip deleted records.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.
--
This fixes a problem with some CardOS 5 applications.
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--
This should handle the most common case.
GnuPG-bug-id: 5085
* scd/ccid-driver.c (USE_LIBUSB_DEBUG_CB): New const.
(debug_libusb_cb): new.
(ccid_set_debug_level): Use it.
--
This allows to see the libusb log in our usual debug output. For this
the option debug-ccid-driver needs to be given 5 or more times.
* scd/app-nks.c (filelist): Tweak 0x4531.
--
Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--
Also added a couple of comments.
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--
This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.
Note: The design of the FID cache needs to be reconsidered. Until
that the lookup here has been disabled. The do_sign code should be
revamped to be similar to what we do in app-p15.
GnuPG-bug-id: 5219, 4938
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.
--
This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).
GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--
BTW, we should add a function to read out the entire table so that you
can ask scdaemon for that list. iirc, Kleopatra still uses a copy of
the table.
* scd/app-p15.c (any_control_or_space_mem): New.
(get_dispserialno): Add new code.
--
This works with my test cards and now reflects what's printed on the
front matter of the card.
* scd/app-p15.c (readcert_by_cdf): Do not use extended mode if the CDF
object has no length info. Add debug output when reading a cert.
(read_p15_info): No more need to disable extended mode for GeNUA cards.
* scd/scdaemon.c (debug_flags): Add "card".
* scd/scdaemon.h (DBG_CARD_VALUE, DBG_CARD): New.
--
Some information from parsing the card are often very helpful.
However, the card_io triggered APDU dumps are in most cases too heavy.
Thus this new debug flag.
* scd/app-openpgp.c (do_auth): Allow larger data for RSA-4096.
--
OpenPGPcard specification says that it will be rejected by the card
when it's larger. We have been the check on host side too, but it was
written when it only had a support for RSA-2048.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/ccid-driver.c (ccid_dev_scan): Use loop var and not the count.
--
Due to an assignment out of bounds this might lead to a crash if there
are more than 15 readers. In any case it fixes a memory leak.
Kudos to the friendly auditor who found that bug.
Fixes-commit: 8a41e73c31adb86d4a7dca4da695e5ad1347811f
* scd/app-p15.c (CARD_PRODUCT_GENUA): New.
(cardproduct2str): Add it.
(read_p15_info): Detect and set GENUA
(make_pin_prompt): Take holder string from the AODF.
* scd/command.c (scd_command_handler): Use gnupg_fd_t for the argument
but no INT2FD to listen. Use GNUPG_INVALID_FD.
* tpm2d/command.c (tpm2d_command_handler): Likewise.
* scd/scdaemon.c (start_connection_thread): Follow the change.
* tpm2d/tpm2daemon.c (start_connection_thread): Likewise.
* scd/scdaemon.h (scd_command_handler): Use gnupg_fd_t.
* tpm2d/tpm2daemon.h (tpm2d_command_handler): Likewise.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/scdaemon.c (main): Use gnupg_fd_t for socket, and use
assuan_sock_close for the socket allocated by assuan_sock_new.
(handle_connections): Use gnupg_fd_t for listen_fd.
Use assuan_sock_close for the socket by npth_accept.
--
GnuPG-bug-id: 5029
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app.c (app_auth): It's only APPTYPE_OPENPGP which supports
the challenge response interaction.
* scd/command.c (cmd_pkauth): It only wants if it works or not.
--
GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>