* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (verify_chv2): Do not auto verify chv1 in shared
mode.
--
This option should in general not be used. The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.
(cherry picked from commit 5732e7a8e9)
* common/openpgp-oid.c (openpgp_curve_to_oid): Add optional arg R_NBITS.
Change all callers.
--
In particular for ed25519 and cv25519 it is quite useful to have an
ability to get the required algorithm.
(cherry picked from commit 24095101a5)
* scd/app-common.h (struct app_ctx_s): Add parameter ctrl to function
pointers for readkey, setattr, sign, auth, decipher, and check_pin.
--
This is a yet another patch to allow for easier backporting.
* scd/app-common.h (struct app_ctx_s): Rename unused field
card_version to cardversion.
* scd/app.c (app_new_register): Add code rom 2.3 to detect the Yubikey
and set cardversion.
(app_get_dispserialno): New.
* scd/app-openpgp.c (do_getattr): Use app_get_dispserialno.
* scd/app-common.h (cardtype_t): New.
(apptype_t): New.
(struct app_ctx_s): Change type of field apptype. Add fields
appversion and cardtype. Adjust all app-*.c for the new type.
* scd/app.c (supported_app_list): New.
(strapptype): New.
(apptype_from_name): New.
(app_dump_state): Use strapptype.
(app_write_learn_status): Ditto.
(app_getattr): Ditto.
(check_conflict): Use apptype_from_name and integer comparison.
* scd/app-openpgp.c: Replace app->card_version by app->appversion.
--
This is another patch to make backporting from 2.3 easier.
* scd/app-common.h (APP_WRITEKEY_FLAG_FORCE): New.
(APP_READKEY_FLAG_INFO): New.
(APP_LEARN_FLAG_KEYPAIRINFO): New.
(APP_LEARN_FLAG_MULTI): New.
(struct app_ctx_s): New forward declaration.
(struct app_ctx_s): Add members prep_reselect, reselect, and
with_keygrip.
(KEYGRIP_ACTION_SEND_DATA): New.
(KEYGRIP_ACTION_WRITE_STATUS): New.
(KEYGRIP_ACTION_LOOKUP): New.
(APP_CARD): New macro.
* scd/scdaemon.h: Include app-common.h and remove from all other
files.
(app_t): Move typedef to ...
* scd/app-common.h: here.
--
These changes will make it easier to backport changes from 2.3 to 2.2.
Signed-off-by: Werner Koch <wk@gnupg.org>
--
It does not make sense to keep support form GnuPG 1 here given that we
don't intend to ever backport any of the current stuff to the legacy
version.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): Add keygrip_str.
(store_keygrip): New.
(read_public_key): Store the keygrip.
(get_public_key): Sitto.
(send_keypair_info): USe the stored keygrip.
(check_keyidstr): New. Factored out from other functions and
extended.
(do_sign): Use check_keyidstr.
(do_auth): Ditto.
(do_decipher): Ditto.
(do_check_pin): Ditto.
--
This code is a backport of commits:
b0f0791e4a
cd: Factor out a function to check keyidstr.
4c4999b818
scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3.
e769609cd3
scd: Allow KEYGRIP as KEYIDSTR.
Co-authored-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (verify_chv2): Check availability of keys in
question.
--
Backport master commit of:
af189be481
With buggy Gnuk (<= 1.2.15), when no encr/auth keys are available,
it fails decrementing the signature error counter. This change
can avoid the issue.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/logging.c (log_printhex): Chnage order of args. Make it
printf alike. Change all callers.
* configure.ac: Add -Wno-format-zero-length
--
This makes it consistent with modern libgpgrt logging and thus eases
back porting from newer GnuPG versions which use libgpgrt logging.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (get_manufacturer): New..
(do_getattr): Add new attribute "MANUFACTURER".
(do_learn_status): Always print it.
--
This will make it easy to maintain the list of OpenPGP vendors at just
one place.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported from master:
.. or well in master and 2.2
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/call-agent.c (agent_scd_keypairinfo): Use --keypairinfo.
* sm/call-agent.c (gpgsm_agent_scd_keypairinfo): Ditto.
* scd/app-openpgp.c (do_getattr): Add attributes "$ENCRKEYID" and
"$SIGNKEYID".
* scd/app-nks.c (do_getattr): Add attributes too.
--
We already have $AUTHKEYID to locate the keyref of the key to be used
with ssh. It will also be useful to have default keyref for
encryption and signing. For example, this will allow us to replace
the use of "OPENPGP.2" by a app type specific keyref.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2b1135cf92)
Removed changes for the non-existing app-piv.c.
Added support for NKS.
* g10/card-util.c (current_card_status): String changes.
(change_sex): Description change.
(cmds): Add "salutation"; keep "sex" as an alias.
--
Note that we can't change the used values or tags but at least the UI
should show reflect the real purpose of the field.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 166f3f9ec4)
* g10/ecdh.c (kek_params_table): Use CIPHER_ALGO_AES192 for
ECC strength 384, according to RFC-6637.
--
Reported-by: Trevor Bentley
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit af3efd149f)
* scd/app-openpgp.c (do_setattr): Add new table item to flush a
different tag.
--
For whatever reasons the OpenPGP card reads the 3 CA fingerprints from
one object but sets them individually using 3 different tags. The
cache flushing was not prepared for this and so a changed CA
fingerprint showed only up after a card reset. This patch fixes it.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c9f4c1f0de)
Fixed conflict by removing the UIF-* entries from the table.
* scd/app.c (app_genkey): Add arg keytype.
* scd/app-common.h (struct app_ctx_s): Fitto for the genkey member.
* scd/command.c (cmd_genkey): Adjust for change.
* scd/iso7816.c (do_generate_keypair): Replace arg read_only by new
args p1 and p2.
(iso7816_read_public_key): Adjust for this.
(iso7816_generate_keypair): Add new args p1 and p2.
* scd/app-openpgp.c (do_genkey): Adjust for changes.
--
The OpenPGP card creates keys according to parameters read from a data
object. Other cards we are about to implement require a direct
specification of the requested keytype. This patch implements the
required changes.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 9a9cb0257a)
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
--
The generic keyref allows for better error detection in case a keyref
is send to a wrong card. This has been taken from master commit
3231ecdafd which has additional changed
for gpg-card-tool, which is only available there.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (cmd_passwd): Add option --clear.
(send_status_printf): New.
* scd/app-common.h (APP_CHANGE_FLAG_CLEAR): New.
* scd/app-nks.c (do_change_pin): Return an error if that option is
used.
* scd/app-openpgp.c (do_change_pin): Ditto.
--
Card application may support this option to clear the PIN verification
status of a specific PIN.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 29929e6552)
* scd/app-openpgp.c (do_sign): Clear DID_CHV1 after signing.
--
Cherry-picked from master commit of:
78f542e1f4
We have a corner case: In "not forced" situation and authenticated,
and it is changed to "forced", card implementaiton can actually accept
signing, but GnuPG requires authentication, because it is "forced".
GnuPG-bug-id: 4177
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/card-util.c (gen_kdf_data): Support single salt.
(kdf_setup): Can have argument for single salt.
* scd/app-openpgp.c (pin2hash_if_kdf): Support single salt.
--
Gnuk has "admin-less" mode. To support "admin-less" mode with KDF
feature, salt should be same for user and admin. Thus, I introduce a
valid use of single salt.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (change_rsa_keyattr): Try usual RSA.
--
In the OpenPGP card specification, there are multiple options to
support RSA (having P and Q or not, etc.), and it is implementation
dependent. Since GnuPG doesn't have knowledge which card
implementation support which option and there is no way (yet) for card
to express itself which key attributes are supported, we haven't
supported key attribute change back to RSA. But, many card
implementation uses P and Q, try this option. If other cases,
factory-reset would be easier option.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (get_cached_data): Return NULL for Data Object
with no data.
--
When GET_DATA returns no data with success (90 00), this routine
firstly returned buffer with length zero, and secondly (with cache)
returned NULL, which is inconsistent. Now, it returns NULL for both
cases.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (determine_rsa_response): Round bits up.
--
Co-authored-by: Arnaud Fontaine <arnaud.fontaine@ssi.gouv.fr>
Arnaud wrote:
Actually, when the incorrect expected response length (i.e. Le
field) is transmitted to the card, the card's answer is missing a
byte (i.e. ... 6101) so an additional command has to be sent to the
card to retrieve the last byte. Using the correct length avoids to
send the additional command to retrieve the missing byte, when the
computed length is wrong.
Note that an value of 65537 for E is pretty standard and thus we can
avoid the 6101 return code inmost cases.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (data_objects): Special DOs like "Login Data",
"URL", "Private DO N" can be longer size >= 256.
(struct app_local_s): Define bits for v3 card.
(get_cached_data): Use extcap.max_special_do for special DOs.
(app_select_openpgp): Detect if extcap_v3, kdf_do, and other bits.
--
GnuPG-bug-id: 3262
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
