1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-29 19:48:43 +01:00
Commit Graph

826 Commits

Author SHA1 Message Date
Werner Koch
1d0874c3d2
scd: New getinfo subcommand "manufacturer"
* scd/command.c (cmd_getinfo): Add subcommand "manufacturer".
* scd/app-openpgp.c (get_manufacturer): Rename to ...
(app_openpgp_manufacturer): this and make global.
--

Example:

  $ gpg-connect-agent 'scd getinfo manufacturer 42' /bye
  D Magrathea
  OK

Backported-from-master: a8cef7ebc2
2024-08-07 11:21:31 +02:00
NIIBE Yutaka
bb57c808b2
scd:openpgp: Fix PIN pin2hash_if_kdf.
* scd/app-openpgp.c (pin2hash_if_kdf): DEK had been changed to pointer
to allocated memory, so, we need to use DEKLEN for the length.

--

GnuPG-bug-id: 7121
Fixes-commit: 20e85585ed
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-05-16 10:28:38 +09:00
Werner Koch
ce69c103f4
scd:openpgp: Allow PIN length of 6 also with a reset code.
* scd/app-openpgp.c (do_change_pin): Fix PIN length check.  Add "R"
flag to the reset code prompt.
--

When using the reset code it was not possible to set a PIN of length
6.  The "R" flags fixes a funny prompt.

Fixes-commit: efe325ffdf
2024-01-30 15:50:09 +01:00
NIIBE Yutaka
efe325ffdf
scd:openpgp: Add the length check for new PIN.
* scd/app-openpgp.c (do_change_pin): Make sure new PIN length
is longer than MINLEN.

--

GnuPG-bug-id: 6843
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 2376cdff13)
2024-01-26 15:14:02 +01:00
Werner Koch
20e85585ed
scd:openpgp: Restructure the pin2hash_id_kdf function.
* scd/app-openpgp.c (wipe_and_free_string, wipe_and_free): Enable
functions.
(pin2hash_if_kdf): Change interface.  The input PIN is not anymore
changed.  Further there are no more assumptions about the length of
the provided buffer.
(verify_a_chv): Adjust for changed pin2hash_if_kdf.
(verify_chv2): Ditto
(verify_chv3): Ditto.
(do_change_pin): Ditto.
(do_sign): Ditto.
--

Note that this a part of the patch
63bda3aad8 which we used in 2.4 to
implement a PIN cache.  For easier backporting we need to add this
here.
2024-01-26 15:11:54 +01:00
Werner Koch
1d472e4934
scd:openpgp: Print a diagnostic for the use of default ECDH params.
* scd/app-openpgp.c (ecc_writekey): Remove the useless check and print
a diagnostic if the default params are used.
--

Note that here in 2.2 we use different default ECDH parameters than in
2.4 (AES192 instead of AES256 for 384 bit curves).

GnuPG-bug-id: 6378
2023-11-23 16:06:15 +01:00
Werner Koch
c45a8b034c
scd:openpgp: Use a special compare for the serialno.
* scd/app-openpgp.c (check_keyidstr): Ignore the card version and also
compare case insensitive.
(do_learn_status): Add mssing error handling.
--

This is required because we changed what we emit as serialno of
OpenPGP cards but existing keys still use the old form of the serial
number (i.e. with a firmware version).  This is so that existing stub
keys of gpg-agent will continue to work.

GnuPG-bug-id: 5100
2023-10-11 10:18:59 +02:00
Werner Koch
4e47639af0
scd:openpgp: Allow the reading the key by keygrip.
* scd/app-openpgp.c (do_readkey): Allow the keygrip for the keyid.
Use case insensitive match forthe keyid.
(do_readcert): Allow the keygrip for the keyid.
--

This patch is only to sync ths up with master.
2023-10-11 10:04:52 +02:00
Werner Koch
9252847646
scd:openpgp: Extend KEYPAIRINFO with an algorithm string.
* scd/app-openpgp.c (retrieve_fprtime_from_card): New.
(send_keypair_info): Add more to KEYPAIRINFO.
--

This is mainly needed to sync this version with master.
2023-10-11 09:51:13 +02:00
Werner Koch
10f8bb1671
scd:openpgp: Use shared fucntion for the dispserialno.
* scd/app-openpgp.c (wipe_and_free): New.
(wipe_and_free_string): New.
(get_disp_serialno): Remove.  Replace callers by function
app_get_dispserialno.
(get_usage_string): New.
(send_keypair_info): Use new function.
--

The new function has the same behaviour.  The wipe functions are
not yet used.
2023-10-11 09:38:45 +02:00
Werner Koch
fe683a1d7c
scd:openpgp: Some comment updates
--
2023-10-10 16:51:29 +02:00
NIIBE Yutaka
acda0a3f33
scd: Add handling of "Algorithm Information" DO.
* cd/app-openpgp.c (data_objects): Add 0x00FA.
(do_getattr): Add KEY-ATTR-INFO.

--

See the section 4.4.3.11 Algorithm Information in the OpenPGP card
functional specification version 3.4.1.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 90d0072165)
Some parts where already here.
2023-10-10 16:37:03 +02:00
Werner Koch
d4208704a7
scd:openpgp: New KEY-STATUS attribute.
* scd/app-openpgp.c (do_getattr): Return KEY-STATUS
--

(cherry picked from commit 2149676122)
Some things from the original commit where already here.
2023-10-10 16:33:34 +02:00
Werner Koch
216f3fc96a
scd:openpgp: Add attribute "UIF" for convenience.
* scd/app-openpgp.c (do_getattr): New attrubute "UIF".
(do_learn_status): Use that.
--

Actually this is not just convenience but will make it easier to add
new keys to an openpgp card - we will need to change this only at one
place.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 11f0700282)
2023-10-10 16:25:31 +02:00
NIIBE Yutaka
52abdac2d4
scd: Add handling of Ed448 key.
* scd/app-openpgp.c (struct app_local_s): Add ecc.algo field.
(send_key_attr): Use ecc.algo field.
(ecc_read_pubkey): Use ecc.algo field.
(ecc_writekey): Ed448 means EdDSA.
(parse_algorithm_attribute): Set ecc.algo field from card.
Add checking for Ed25519 for ECC_FLAG_DJB_TWEAK flag.

--

There used to be a possible support of Ed25519 with ECDSA, (instead of
EdDSA).  To distinguish key for Ed25519 for EdDSA, we use the
flag: (flags eddsa).  Ed448 has no support for ECDSA and defaults to
EdDSA even if no such flag.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit b743942a97)
2023-10-10 16:17:04 +02:00
Werner Koch
b262a21c61
scd:openpgp: Support the ecdh-params arg for writing keys.
* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
compute the fingerprint.  Add a default for use by gnupg 2.2.
(store_fpr): Add arg update.
(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
writing the fingerprint back to the card if not set.
(read_public_key): Also add arg meta_update.
(get_public_key): Do not pass it as true here...
(do_genkey): ... but here.
--

This is based on commit c03ba92576 and
done here to ease backporting.  There is no functional change.

GnuPG-bug-id: 6378
2023-10-10 16:10:21 +02:00
Werner Koch
d25e960652
scd:openpgp: Handle wrong error return code of Yubikey.
* scd/app-openpgp.c (get_public_key): Handle wrong error code by
Yubikeys.
--

This has been taken from commits
  0db9c83555
  946555ea3c
2023-10-10 16:10:02 +02:00
NIIBE Yutaka
d938abcc5e
scd: Fix description string.
* scd/app-openpgp.c (data_objects): Capitalize the word for usage.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit e6b7e0ff99)
2023-10-10 15:17:29 +02:00
NIIBE Yutaka
7666a45830
scd:openpgp: Support UIF changing command.
* g10/card-util.c (uif, cmdUIF): New.
(card_edit): Add call to uif by cmdUIF.
* scd/app-openpgp.c (do_getattr): Support UIF-1, UIF-2, and UIF-3.
(do_setattr): Likewise.
(do_learn_status): Learn UIF-1, UIF-2, and UIF-3.

--

GnuPG-bug-id: 4158
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 0cb65564e0)
Also included the relevant part from
commit 0240345728

Note that this patch is mainly to simplifying backporting and not to
support the UIF.
2023-10-10 15:16:22 +02:00
Werner Koch
9e3b7e26a9
scd:openpgp: Small speedup reading card properties.
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--

The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache.  A better strategy would be
to clear the cache when we change card data but that is more error
prone.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d5fb598323)
2023-10-10 13:59:51 +02:00
Werner Koch
57bfad2c39
scd:openpgp: Allow reading and writing user certs for keys 1 and 2
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--

This has been tested with a Zeitcontrol 3.4 card.  A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 37b1c5c200)
2023-10-10 13:54:26 +02:00
Werner Koch
b2363c1dd9
scd: Allow standard keyref scheme for app-openpgp.
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
--

The generic keyref allows for better error detection in case a keyref
is send to a wrong card.  This has been taken from master commit
3231ecdafd which has additional changed
for gpg-card-tool, which is only available there.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 6651a0640d)
2023-10-10 13:43:38 +02:00
NIIBE Yutaka
3d368c1a7d
scd:openpgp: Support GET DATA response with no header for DO 0x00FA.
* scd/app-openpgp.c (do_getattr): Support Gnuk, as well.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 43bbc25b0f)
2023-10-10 13:29:49 +02:00
Werner Koch
c4eada0787
scd:openpgp: Pass arg ctrl to more functions.
* scd/app-openpgp.c (verify_a_chv): Add currently unused arg ctrl.
Adjust callers.
(verify_chv3): Ditto.
(verify_chv2): Add arg ctrl.  Adjust callers.
(change_keyattr): Ditto.
(change_rsa_keyattr): Ditto.
(change_keyattr_from_string): Ditto.
(rsa_writekey): Ditto.
(ecc_writekey): Ditto.
--

This helps in backporting from master.
2023-10-10 13:25:23 +02:00
Werner Koch
03aa4e6651
scd:openpgp: Replace assert by log_assert.
* scd/app-openpgp.c: Remope assert.h. Replace all assert by
log_assert.
2023-10-10 12:11:50 +02:00
NIIBE Yutaka
a942986f17
scd:openpgp: Fix computing fingerprint for ECC with SOS.
* scd/app-openpgp.c (count_sos_bits): New.  Count as sos_write does.
(store_fpr): For ECC, use count_sos_bits.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 95156ef9bf)
and
(cherry picked from commit f482e4bd12)
2023-10-10 12:06:22 +02:00
Werner Koch
24033dc8ae
scd:openpgp: Very minor refactoring
* scd/app-openpgp.c (app_select_openpgp): Move AID definition to ...
(openpgp_aid): new.
2023-10-10 11:55:25 +02:00
Werner Koch
7f8cac5cec
scd:openpgp: Rename an internal variable.
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen.  Change users.
--

The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used.  Make this
clear by renaming.

Likewise for max_certlen_3.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit bbdb48ec0d)
2023-10-10 11:46:14 +02:00
Werner Koch
f88cdb1fd9
scd,w32: Fix build dependency
* scd/Makefile.am (scdaemon_DEPENDENCIES): Fix.
--
Fixes-commit: 625fb54899
2023-08-29 11:15:57 +02:00
Werner Koch
625fb54899
w32: Add missing manifests and set a requestedExecutionLevel.
* agent/gpg-agent.w32-manifest.in: New.
* dirmngr/dirmngr-client-w32info.rc: New.
* dirmngr/dirmngr-client.w32-manifest.in: New.
* dirmngr/dirmngr-w32info.rc: New.
* dirmngr/dirmngr.w32-manifest.in: New.
* dirmngr/dirmngr_ldap-w32info.rc: New.
* dirmngr/dirmngr_ldap.w32-manifest.in: New.
* g10/gpgv-w32info.rc: New.
* g10/gpgv.w32-manifest.in: New.
* kbx/keyboxd.w32-manifest.in: New.
* scd/scdaemon.w32-manifest.in: New.
* sm/gpgsm.w32-manifest.in: New.
--

This avoids the use of the VirtualStore uner Windows.

GnuPG-bug-id: 6503

Backported from 2.4; some manifest files already existed in 2.2 but
not in 2.4
2023-05-25 11:10:21 +02:00
NIIBE Yutaka
c40e764108
scd: Fix cmd_apdu on error.
* scd/command.c (cmd_apdu): Fix the code path on error.

--

GnuPG-bug-id: 6476
Reported-by: Robin Krahl
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-05-10 10:08:27 +02:00
Werner Koch
e60544520b
scd,p15: Enforce a min. PIN length for certain cards.
* scd/app-p15.c (verify_pin): Enforce 6 for RSCS cards.
2023-04-20 12:42:08 +02:00
Werner Koch
2630872cff
scd,openpgp: Switch key attributes between RSA and ECC in writekey.
* common/sexputil.c (get_rsa_pk_from_canon_sexp): Also allow private
keys.
(pubkey_algo_string): Ditto.
* scd/app-openpgp.c (do_writekey): Switch key attributes
--

The scd WRITEKEY command for OpenPGP cards missed proper support to
aautomagically switch key attributes based on the new key.  We had
this only in GENKEY.

GnuPG-bug-id: 6378
2023-03-14 16:16:40 +01:00
NIIBE Yutaka
abcf0116ee
scd: Fix checking memory allocation.
* scd/app-openpgp.c (read_public_key): Fix the memory.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-03-08 11:04:15 +01:00
NIIBE Yutaka
d6aa8bcbbb
scd: Parse "Algorithm Information" data object in scdaemon.
* scd/app-openpgp.c (data_objects): 0x00FA for binary data.
(do_getattr): Parse the data and send it in status lines.
(get_algorithm_attribute_string): New.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: eba2563dab
Backported-from-master: 43bbc25b0f
2023-02-17 13:04:09 +01:00
Werner Koch
1915b95ffd
scd:p15: Add pre-check for ascii-numeric PINs.
* scd/app-p15.c (verify_pin): ascii-numeric is different than BCD.

(cherry picked from commit 029924a46e)
Added a few typo fixes.
2023-02-17 12:15:08 +01:00
Werner Koch
326f6fa166
scd:p15: Use APP_CARD macro at some other places.
--

This makes back porting easier.
2023-02-17 12:09:57 +01:00
Werner Koch
adf387b3f1
scd: Improve reading of binary records.
* scd/iso7816.c (iso7816_read_binary_ext): Handle the 0x6a86 SW the
same as 6b00.
* scd/apdu.c (apdu_get_atr): Modify debug messages.
* scd/app-p15.c (app_select_p15): Print FCI on error.
(read_p15_info): Clean up diag in presence of debug options.
--

Some cards return 6a86 instead of 6b00.

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 44f977d0e3
2023-02-17 12:02:35 +01:00
Werner Koch
88606cc484
scd:p15: Handle cards with bad encoded path objects.
* scd/app-p15.c (read_ef_prkdf, read_ef_pukdf)
(read_ef_cdf, read_ef_aodf): Allow for a zero length path and
correctly skip unsupported auth types.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 7a8545c91b
2023-02-17 11:38:57 +01:00
Werner Koch
210ba98355
scd:openpgp: Allow auto-changing of the key attributes in genkey.
* scd/app-openpgp.c (struct app_local_s): Add field keyalgo.
(parse_algorithm_attribute): Store the new keyalgo field.
(change_keyattr): Change info message.
(change_keyattr_from_string): Rewrite to also accept a keyref and a
keyalgo string.
(do_genkey): Change the keyattr if a keyalgo string is given.
* scd/command.c (cmd_genkey): Add option --algo.
--

Having this feature makes it easier to use OpenPGP cards in a similar
way to other cards.  Note that the explicit changing via SETATTR is
still supported.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d7d75da505)
(cherry picked from commit b349adc5c0)
2023-01-13 14:54:23 +01:00
Werner Koch
398cec3ac7
scd: Return CARDTYPE, CARDVERSION, and APPVERSION.
* scd/app.c (strcardtype): New.
(app_write_learn_status): Return more info.
(app_getattr): Allow for CARDTYPE.
2023-01-13 13:59:20 +01:00
Werner Koch
e778c9ce89
scd:p15: Skip deleted records.
* scd/app-p15.c (select_and_read_record): Special case deleted
records.  Support 3 byte TLVs.
(read_ef_prkdf): Skip deleted records.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.
--

This fixes a problem with some CardOS 5 applications.
2022-12-08 10:58:19 +01:00
Werner Koch
2e18c371d2
scd: Redact --debug cardio output of a VERIFY APDU.
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--

This should handle the most common case.
GnuPG-bug-id: 5085
2022-11-25 13:58:22 +01:00
Werner Koch
84aba39491
scd:nks: Fix ECC signing if key not given by keygrip.
* scd/app-nks.c (keygripstr_from_pk_file): Set r_algo if not in cache.
2022-11-25 13:56:47 +01:00
Werner Koch
adbe5a35a5
scd:nks: Support non-ESIGN signing with the Signature Card v2
* scd/app-nks.c (do_sign): Handle ECC for NKS cards
--

Backported-from-master: 959c627892121ce9707bfa36f2510216b4f6f247
GnuPG-bug-id: 6252
2022-11-25 13:55:16 +01:00
Werner Koch
19791a1d4c
scd: Use app_get_slot at more places.
--

This is helpful for backporting other changes.
2022-11-25 13:55:13 +01:00
Werner Koch
ea222a0d9c
scd: Use APP_LEARN_FLAG_KEYPAIRINFO with more apps.
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
--

The flag was already backported to some apps but not to these.
2022-11-25 13:55:12 +01:00
Werner Koch
1e69676981
scd:nks: Don't flag the ESIGN keypair EF as encryption capable.
* scd/app-nks.c (filelist): Tweak 0x4531.
--

Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.

(cherry picked from commit 3a2fb1c306)
2022-10-20 12:22:08 +02:00
Werner Koch
f24904ee35
scd:nks: Some code cleanup.
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--

Also added a couple of comments.

(cherry picked from commit b92b3206e7)
2022-10-20 12:22:08 +02:00
Werner Koch
5cd25f4ca4
scd:nks: Support the Telesec ESIGN application.
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--

This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.

Note: The design of the FID cache needs to be reconsidered.  Until
that the lookup here has been disabled.  The do_sign code should be
revamped to be similar to what we do in app-p15.

GnuPG-bug-id: 5219, 4938, 6252
Backported-from-master: 07eaf006c2
2022-10-20 12:22:08 +02:00