1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-10 21:38:50 +01:00
Commit Graph

10248 Commits

Author SHA1 Message Date
Werner Koch
880dde8e5b
scd:p15: Allow PIN verification and decryption for CVISION cards.
* scd/app-p15.c (CARD_PRODUCT_CVISION): New.
(IS_STARCOS_3): New.
(read_p15_info): Detect this product.
(prepare_verify_pin): Add special handling for this product.
(do_decipher): Use dedicated MSE for Starcos 3 cards.
--

To check the verification run

  gpg-card verify User_PIN

For our test cards the "Benutzer-PIN" must be given.  For decryption
tests gpgsm can be used; --always-trust helps to avoid chain issues.
2024-01-09 17:12:20 +01:00
Werner Koch
35fd89b168
gpgconf: Adjust -X command for the new VERSION file format
* tools/gpgconf.c (show_version_gnupg): Read and parse the entire
VERSION file.
--

GnuPG-bug-id: 6918
2024-01-09 12:52:57 +01:00
Werner Koch
45f6357881
common,w32: Remove duplicated backslashes when setting the homedir.
* common/homedir.c (copy_dir_with_fixup) [W32]: Fold double
backslashes.
--

This is in general no problem but when we hash or compare the directory
to test whether tit is the standard home directory, we may use a
different socket file and thus a second instance of a daemon.

GnuPG-bug-id: 6833
2024-01-09 10:13:54 +01:00
Werner Koch
2cb97713e9
gpg: Improve error return for --quick-add-subkey and -add-adsk.
* g10/keyedit.c (keyedit_quick_addkey): Emit a ERROR status line.
(keyedit_quick_addadsk): Ditto.
--

GnuPG-bug-id: 6880
2024-01-05 11:33:51 +01:00
Werner Koch
3f8cb9b339
scd: Add support for SCE 7.0
* scd/app-common.h (CARDTYPE_SCE7): New.
* scd/app.c (strcardtype): Support it.
(atr_to_cardtype): New.
(app_new_register): Try to get the cardtype from atr_to_cardtype.
* scd/app-piv.c (app_select_piv): Tweak for SCE7.  Add general method
to construct a S/N from the Card UUID.
--

The test cards I have are rsa2048 with X.509 certificates.  I don't
have the entire chain but loading the certificates work.  For testing
I created an OpenPGP key from the keys and tested signing and
decryption.

GnuPG-bug-id: 6919
2024-01-04 16:29:33 +01:00
Werner Koch
4c04143d81
gpg: Choose key from inserted card over a non-inserted card
* g10/call-agent.c (agent_probe_secret_key): Do not return an error
but 0.
* g10/getkey.c (finish_lookup): Improve the selection of secret keys.
--

GnuPG-bug-id: 6831
2024-01-02 10:19:57 +01:00
NIIBE Yutaka
591a53d716
gpg: Don't call keybox_compress when KEYDB_RESOURCE_FLAG_READONLY.
* g10/keydb.c (keydb_add_resource): Check the FLAGS to call
keybox_compress.

--

GnuPG-bug-id: 6811
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-29 10:57:26 +09:00
NIIBE Yutaka
2be53b214d
tools: Fix argparse table of gpgconf.
* tools/gpgconf.c (opts): Use ARGPARSE macros.

--

GnuPG-bug-id: 6902
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-25 10:09:41 +09:00
Werner Koch
431239b83d
doc: Explain why socket activation is a problem
--
2023-12-22 13:19:40 +01:00
Werner Koch
239c1fdc28
common: Add keyword socketdir to gpgconf.ctl
* common/homedir.c (enum wantdir_values): New enums.
(unix_rootdir): Change arg to use the enums.  Adjust all callers.  Add
support for the socketdir keyword.
(_gnupg_socketdir_internal): Take care of the socketdir keyword in
gpgconf.ctl.

* doc/tools.texi (Files used by gpgconf): Briefly explain the
gpgconf.ctl syntax.
2023-12-22 12:47:39 +01:00
NIIBE Yutaka
2376cdff13
scd:openpgp: Add the length check for new PIN.
* scd/app-openpgp.c (do_change_pin): Make sure new PIN length
is longer than MINLEN.

--

GnuPG-bug-id: 6843
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-22 13:32:40 +09:00
NIIBE Yutaka
91255c3afd
tools: Remove the dotlock tool.
* tools/Makefile.am (libexec_PROGRAMS): Remove dotlock.
* tools/dotlock.c: Remove.

--

It's integrated into gpgconf (--lock/--unlock).

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-21 12:35:55 +09:00
Werner Koch
f2904737e5
scd:p15: Add a diagnostic for unsupported DTRUST4 features.
* scd/app-p15.c (do_sign): Add a diagnostic.
2023-12-20 16:52:47 +01:00
Mario Haustein via Gnupg-devel
0b85a9ac09
scd:p15: Add support for D-Trust Card 4.1/4.4
* scd/app-p15.c (CARD_PRODUCT_DTRUST4) New.
(app_select_p15): This cards uses a different AID for PKCS#15
application
(do_sign): The card doesn't support MSE SET, but requires MSE RESTORE to
a predefined template.
(do_decipher): Ditto.
2023-12-20 16:47:25 +01:00
Mario Haustein via Gnupg-devel
812f988059
scd:p15: Add support for CardOS 5.4
* scd/app-p15.c (CARD_TYPE_CARDOS_54): New.
2023-12-20 16:42:00 +01:00
Werner Koch
5d651fc8fd
doc: Explain what to put into mailcap for gpg-wks-client.
--
2023-12-20 15:30:37 +01:00
NIIBE Yutaka
93b5ba38dc
tools: Integrate the dotlock tool into gpgconf.
* tools/gpgconf.c (dotlock_tool): New.
(main): Add --lock and --unlock commands.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:06:03 +09:00
NIIBE Yutaka
1f04993cd0
common: Add dotlock util under libexec.
* tools/Makefile.am (libexec_PROGRAMS): Add dotlock.
* tools/dotlock.c: Finish the first implementation.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:50 +09:00
NIIBE Yutaka
b298322d36
common: Clean up the temporary file at dotlock_destroy.
* common/dotlock.c (dotlock_destroy): Clean up the temporary file
created when it fails.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:36 +09:00
NIIBE Yutaka
2f6fec3f48
common: Support not-removing the lockfile by dotlock_destroy.
* common/dotlock.c (dotlock_destroy): Keep the lock
when DOTLOCK_LOCK_BY_PARENT.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:22 +09:00
NIIBE Yutaka
5488ad0517
common: Fix a possible resource leak for dotlock.
* common/dotlock.c (dotlock_destroy_unix): Don't release ->TNAME here.
(dotlock_destroy): Release the memory unconditionally.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:12 +09:00
Werner Koch
8eff1d4c51
common: Improve the parsing of gpgconf.ctl variables.
* common/homedir.c (unix_rootdir): Simplify.
--

This also relaxes the syntax in that the equal sign may now be
surrounded by any number of spaces.
2023-12-19 10:04:49 +01:00
NIIBE Yutaka
6b4fd3a5da
common: Enhance dotlock, so that we can have a CLI util.
* common/dotlock.h (DOTLOCK_LOCK_BY_PARENT, DOTLOCK_LOCKED): New.
* common/dotlock.c [HAVE_POSIX_SYSTEM]: Include <dirent.h>.
(dotlock_get_process_id, dotlock_detect_tname): New.
(dotlock_create_unix): Handle the case when no_write option is
specified.  Not creating the lock file, but detect the the file of
tname.
(dotlock_create) [HAVE_POSIX_SYSTEM]: Add support of
DOTLOCK_LOCK_BY_PARENT and DOTLOCK_LOCKED for dotlock CLI util.
(dotlock_take_unix): Support the case of DOTLOCK_LOCK_BY_PARENT.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-19 15:59:41 +09:00
NIIBE Yutaka
1c5584c395
kbx: Create public-keys.d, after creating the homedir.
* kbx/keyboxd.c (create_directories): Following the behavior of
gpg-agent, call create_public_keys_directory after mkdir.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-19 15:56:13 +09:00
Werner Koch
bd8346f7ab
keyboxd: Pass lock info back to gpg and gpgsm.
* g10/call-keyboxd.c (keydb_default_status_cb): New.
(keydb_update_keyblock): Add new status callback.
(keydb_insert_keyblock): Ditto.
(keydb_delete_keyblock): Ditto.
(search_status_cb): Also try the new status callback.
* sm/keydb.c (keydb_default_status_cb): New.
(keydb_insert_cert): Add new status callback.
(keydb_delete): Ditto
(search_status_cb): Also try the new status callback.
--

GnuPG-bug-id: 6838
2023-12-18 16:23:19 +01:00
Werner Koch
c99282fc78
keyboxd: Timeout on failure to get the database lock.
* kbx/backend-sqlite.c (dblock_info_cb): New.
(create_or_open_database): Add arg ctrl.  Add a 10 second timeout.
Avoid warning on error if not locked.
(be_sqlite_add_resource): Do not open the database here.
(be_sqlite_search): ... but do it here.
--

Note that we need to delay the initalization to the first use of the
database so that we actually have a recipient for the status messages.

GnuPG-bug-id: 6838
2023-12-18 15:25:45 +01:00
Werner Koch
937aeb1904
common: Add an info callback to dotlock.
* common/dotlock.h (enum dotlock_reasons): New.
(DOTLOCK_PREPARE_CREATE): New flag.
* common/dotlock.c (struct dotlock_handle): Add info_cb and
info_cb_value.
(dotlock_create): Support the new flag.
(dotlock_finish_create): New.
(read_lockfile): Silence in case of ENOENT.
(dotlock_set_info_cb): New.  Use callback after all error and info
messages.
(dotlock_take_unix, dotlock_take_w32): Allow termination by callback.
2023-12-18 15:21:26 +01:00
Werner Koch
f57717bf23
common: Improve error return for dotlock.
* common/dotlock.c (dotlock_take_unix): Return a ETIMEDOUT insteaad of
EACCESS on timeout.
(dotlock_take_w32): Ditto.
2023-12-12 16:31:30 +01:00
NIIBE Yutaka
6b93b92111
doc: Fix description of scdaemon for --disable-ccid.
--

GnuPG-bug-id: 6871
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-12 14:26:49 +09:00
Ahelenia Ziemiańska
fa677a37ce
po: Fix quotes in Polish Translation.
--

Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
2023-12-07 11:59:20 +09:00
Daniel Cerqueira
a14f73a192
po: Update Portuguese Translation.
--

This commit log (with no ChangeLog entry) is written by gniibe,
following the practice; Translation update don't need a ChangeLog
entry in a commit log.

Signed-off-by: Daniel Cerqueira <dan.git@brilhante.top>
2023-11-30 08:57:52 +09:00
Werner Koch
73aa6dc6e4
gpgsm: Set validity flag in keylisting to n for untrusted root cert.
* sm/keylist.c (list_cert_colon): Map not_trusted to 'n' for non-root
certs like we do for root certs.
--

GnuPG-bug-id: 6841
2023-11-27 13:39:45 +01:00
Werner Koch
4c456bf075
scd:openpgp: Fallback to default ECDH params in writekey.
* scd/app-openpgp.c (ecc_writekey): Use default ECDH parameters and
remove the now useless check.
--

This seems to be better than bailing out.  In almost all cases our
standard parameters are used and if not, well, the fingerprint will be
wrong.

GnuPG-bug-id: 6378
2023-11-23 16:01:58 +01:00
Werner Koch
09329d52b5
agent: Update the key file only if changed (slight return).
* agent/findkey.c (read_key_file): Add optional arg r_orig_key_value
to return the old Key value.  Change all callers.
(agent_write_private_key): Detect whether the Key entry was really
changed.
--

GnuPG-bug-id: 6829
2023-11-21 12:24:17 +01:00
Werner Koch
813bb65d95
common: Check wether to set the modified flag in nve_set.
* common/name-value.c (nvc_set): Factor code out to ...
(nve_set): here.
2023-11-21 08:56:24 +01:00
Werner Koch
cf2d3f7ba0
agent: Update the key file only if not changed.
* common/name-value.c (struct name_value_container): Add flag
"modified".
(nvc_modified): New.
(nvc_new): Set flag.
(_nvc_add): Set flag.
(nvc_delete): Set flag.
(nvc_set): Set flag unless value did not change.
(nve_set): Add arg PK.  Change the caller.
* agent/findkey.c (agent_write_private_key): Update only if modified.
--

This helps software which uses a file system watcher to track changes
to private keys.  In particular smartcard triggered changes are a
problem for such software because this may at worst trigger another
smartcard read.

GnuPG-bug-id: 6829
2023-11-21 08:37:41 +01:00
Werner Koch
e43bd2a7a7
scd: New option --debug-allow-pin-logging.
* scd/scdaemon.c (oDebugAllowPINLogging): New.
(opts): Add option.
(main): Set option.
* scd/scdaemon.h (opt): Add debug_allow_pin_logging.
* scd/apdu.c (pcsc_send_apdu): Do not hide the PIN dat in the debug
output if the option is set.
(send_apdu_ccid): Ditto.
--

This option is only required during development.
2023-11-21 08:35:01 +01:00
NIIBE Yutaka
2fa916ebff
po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-11-20 10:53:09 +09:00
NIIBE Yutaka
960877b10f
gpg: Report BEGIN_* status before examining the input.
* common/miscellaneous.c (is_openpgp_compressed_packet)
(is_file_compressed): Moved to ...
* common/iobuf.c: ... in this file.
(is_file_compressed): Change the argument to INP, the iobuf.
* common/util.h (is_file_compressed): Remove.
* common/iobuf.h (is_file_compressed): Add.
* g10/cipher-aead.c (write_header): Don't call write_status_printf
here.
(cipher_filter_aead): Call write_status_printf when called with
IOBUFCTRL_INIT.
* g10/cipher-cfb.c (write_header): Don't call write_status_printf
here.
(cipher_filter_cfb): Call write_status_printf when called with
IOBUFCTRL_INIT.
* g10/encrypt.c (encrypt_simple): Use new is_file_compressed function,
after call of iobuf_push_filter.
(encrypt_crypt): Likewise.
* g10/sign.c (sign_file): Likewise.

--

Cherry-pick from master commit of:
	2f872fa68c

GnuPG-bug-id: 6481
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-11-17 08:40:49 +09:00
Werner Koch
5304c9b080
scd:p15: Basic support for Starcos 3.2.
* scd/app-p15.c (CARD_TYPE_STARCOS_32): New.
(card_atr_list): Add ATR for my sample card.
(cardtype2str): Add starcos string.
(select_ef_by_path): Factor all code out to ...
(select_by_path): this.  Add arg to request a directory.  Simplify the
case pathlen>1 case.  Fix error printing.
(select_df_by_path): New.
(prepare_verify_pin): For starcos select a DF.
(app_select_p15): Don't use extended mode for starcos.
--

This allows reading the certificates from my sample cards.  Signing
does not yet work; I need to do get some I/O traces using other
software.  The basic support for AET cards shut still work but I have
not found my AET card.
2023-11-16 17:10:08 +01:00
Werner Koch
a33ad8f9bf
scd: Minor debug output tweak
* scd/apdu.c (send_le): Do not dump "[all zero]" if tehre is no data.
* scd/iso7816.c (iso7816_select_mf): Cosmetic fix.
2023-11-16 17:04:02 +01:00
Werner Koch
def8f5f3d2
gpg,gpgsm: Hide password in debug output also for asked passwords.
* g10/call-agent.c (agent_get_passphrase): Call
assuan_begin_confidential and assuan_end_confidential.
* sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto.
--

GnuPG-bug-id: 6654

The drawback of this solution is that we don't see any IPC lines from
the assuan_transact.  Everything else would require larger changes to
libassuan.
2023-11-14 15:09:27 +01:00
Werner Koch
e6cedba119
gpgsm: Re-introduce the bad passphrase hint for pkcs#12.
* sm/minip12.c (parse_bag_encrypted_data): Set the badpass flag.
(parse_shrouded_key_bag): Ditto.
--
2023-11-14 09:47:13 +01:00
NIIBE Yutaka
bafa7bf27f
gpg,sm: Set confidential in assuan communication for password.
* g10/call-agent.c (default_inq_cb): Call assuan_begin_confidential
and assuan_end_confidential.
* sm/call-agent.c (default_inq_cb): Likewise.

--

Cherry pick from master commit of:
	ec1446f944

GnuPG-bug-id: 6654
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-11-09 13:40:03 +09:00
Werner Koch
3572b19fbd
gpgsm: Support ECDSA in de-vs mode.
* common/compliance.h (PK_ALGO_FLAG_ECC18): New.
* common/compliance.c (gnupg_pk_is_allowed): Implement.
* sm/decrypt.c (gpgsm_decrypt): Pass new flag.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--

GnuPG-bug-id: 6802
2023-11-08 17:09:22 +01:00
Werner Koch
bf7b785b0e
common: Declare two LibrePGP constants for future use
* common/openpgpdefs.h (SIGSUBPKT_META_HASH): New.
(SIGSUBPKT_TRUST_ALIAS): New.
2023-11-08 17:09:22 +01:00
Werner Koch
3a669f175f
gpgsm: Cleanup of legacy variable name use.
* sm/encrypt.c (gpgsm_encrypt): Unify use of RC and ERR.
* sm/sign.c (gpgsm_sign): ditto.
--

Initially we didn't used the gpg_error_t thingy and while migrating
we sometimes used RC and ERR for tracking the error.  This is pretty
error prone and thus we better remove it (after 20 years).
2023-11-08 17:09:22 +01:00
NIIBE Yutaka
d6f738729f
gpg,tools: Handle GPG_ERR_PIN_BLOCKED and GPG_ERR_NO_RESET_CODE.
* g10/card-util.c (write_sc_op_status): Emit 3 and 4 in status line.
* tools/card-call-scd.c (status_sc_op_failure): Likewise.

--

Cherry-pick from master commit of:
	64f5f7b74e

GnuPG-bug-id: 6425
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-11-08 13:57:53 +09:00
NIIBE Yutaka
4db2e13e2c
tools:gpg-card: Fix an error code for Reset Code.
* tools/gpg-card.c (cmd_unblock): Use GPG_ERR_NO_RESET_CODE.

--

Cherry-pick from master commit of:
	65607fb81d

GnuPG-bug-id: 6425
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-11-08 13:57:15 +09:00
NIIBE Yutaka
4257cbb06c
scd: Return GPG_ERR_PIN_BLOCKED when it's blocked.
* scd/app-openpgp.c (build_enter_admin_pin_prompt): Fix to use
GPG_ERR_PIN_BLOCKED.
(check_pin): Likewise.

--

Cherry-pick from master commit:
	e6b3d53db3

GnuPG-bug-id: 6425
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-11-08 11:49:27 +09:00