1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-24 10:39:57 +01:00

782 Commits

Author SHA1 Message Date
Werner Koch
7ed523ca13
scd:nks: Support non-ESIGN signing with the Signature Card v2
* scd/app-nks.c (do_sign): Handle ECC for NKS cards
--

Backported-from-master: 959c627892121ce9707bfa36f2510216b4f6f247
GnuPG-bug-id: 6252
2022-10-28 12:13:29 +02:00
Werner Koch
12d3b16729
scd: Use app_get_slot at more places.
--

This is helpful for backporting other changes.
2022-10-28 12:07:11 +02:00
Werner Koch
934bbe67c2
scd: Use APP_LEARN_FLAG_KEYPAIRINFO with more apps.
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
--

The flag was already backported to some apps but not to these.
2022-10-28 11:55:31 +02:00
Werner Koch
1e69676981
scd:nks: Don't flag the ESIGN keypair EF as encryption capable.
* scd/app-nks.c (filelist): Tweak 0x4531.
--

Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.

(cherry picked from commit 3a2fb1c30633373d17880469e0b84ab2a9524585)
2022-10-20 12:22:08 +02:00
Werner Koch
f24904ee35
scd:nks: Some code cleanup.
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--

Also added a couple of comments.

(cherry picked from commit b92b3206e72b635fd815eaf85e7acc67c2a52ffe)
2022-10-20 12:22:08 +02:00
Werner Koch
5cd25f4ca4
scd:nks: Support the Telesec ESIGN application.
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--

This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.

Note: The design of the FID cache needs to be reconsidered.  Until
that the lookup here has been disabled.  The do_sign code should be
revamped to be similar to what we do in app-p15.

GnuPG-bug-id: 5219, 4938, 6252
Backported-from-master: 07eaf006c2763a6b40d2734b1c6704da466e0ed0
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
b199582789
scd:nks: Return USAGE information for KEYINFO command.
* scd/app-nks.c (set_usage_string): New.
(do_learn_status_core, do_readkey): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/command.c (send_keyinfo): Add arg usage.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 5264d3f58e8a8362900c3518bdd683ff9a23cccc
GnuPG-bug-id: 6252

This backports only the NKS parts of the original patch

Signed-off-by: Werner Koch <wk@gnupg.org>
2022-10-20 12:22:08 +02:00
Werner Koch
77b008d1e7
scd:nks: Handle APP_READKEY_FLAG_INFO.
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it.  Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--

Note that this only handles the most common case of providing a
keygrip.  $AUTHKEYID and ODLM are not yet supported.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 63320ba2f8147ee86f4406c9590f6b28cad4771d)
2022-10-20 12:22:08 +02:00
Ingo Klöcker
8bccd95b38
scd:nks: Add support for signing plain SHA-2 digests.
* scd/app-nks.c (do_sign): Handle plain SHA-2 digests and verify
encoding of ASN.1 encoded hashes.
--

This makes it possible to create CSRs for NetKey card keys which are
signed with SHA256 by default.

GnuPG-bug-id: 5184
(cherry picked from commit 8fe976d5b9a0f2902868737dd502c749565222a6)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
3c1acb7b9f
scd:nks: Support READKEY with keygrip and for "NKS-IDLM" keyref.
* scd/app-nks.c (do_readkey): Allow KEYGRIP access.
Support NKS-IDLM.XXXX keyref.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 3b392630881350baabeba16fa760bad04be94d03)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
0979ae3491
scd:nks: Factor out pubkey retrieval from keygrip handling.
* scd/app-nks.c (pubkey_from_pk_file): New.
(keygripstr_from_pk_file): Use pubkey_from_pk_file.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit b7c087375d84c31ab8a645cd81e6b1e6185cb30d)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
1f2823e0be
scd:nks: Add support of KEYGRIP for do_readcert.
* scd/app-nks.c (do_readcert): Support KEYGRIP.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 4020cd9d656264bec5e7fb5e45c5e06eff8656c3)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
ea7234d2f5
scd:nks: Factor out iteration over filelist.
* scd/app-nks.c (iterate_over_filelist): New.
(do_with_keygrip): Use iterate_over_filelist.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 6c4365847666cefac73ccc743a99fac473da2186)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
c9eb4c0632
scd:nks: Fix caching keygrip (more).
* scd/app-nks.c (keygripstr_from_pk_file): Distinguish by APP_ID.

--

GnuPG-bug-id: 5150, 5161
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 87d2c579cc38c1d2787945650125fb0e0336652c
Fixes-commit: 00f594e3ecb26b010e87d5491b648369e7a92408
2022-10-20 12:22:08 +02:00
Werner Koch
cf5f6896f8
scd:nks: Minor additions to the basic IDLM application support.
* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
(keygripstr_from_pk_file): Handle special value.
(do_readcert): Ditto.
(do_writecert): Ditto.
--

This allows to get information about the keys from the card.  However
the do_readkey still requires a fallback to readcert.  This does not
work because there are no certificates yet on the card.  The fix is to
fully implement do_readkey.

(cherry picked from commit 806547d9d243b26c2275fc00c645ee39d258b49b)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
f1bd7369a7
scd,nks: Fix caching keygrip.
* scd/app-nks.c (keygripstr_from_pk_file): Identify by cfid if
available.
--

GnuPG-bug-id: 5150, 6252
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 920154370834ad8d947aed19c9d914a27dde6baa:
2022-10-20 12:22:08 +02:00
Werner Koch
c1c3331cf9
scd:nks: Emit the algo string with KEYPAIRINFO
* scd/app-nks.c (do_learn_status_core): Emit the algo string as part
of a KEYPAIRINFO.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache.  Use a
single exit label.  Set algostr.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 26da47ae53d51e16ae6867cd419ddbf124a94933
Backported-from-master: 006944b856ee2202905290e8a2f5523a7877d444
GnuPG-bug-id: 6252, 5144

This has been backported to keep this, and only this, module in sync
with master. All other changes from the original patch have been
stripped.
2022-10-20 12:22:08 +02:00
Werner Koch
fe698586b5
scd:nks: Implement writecert for the Signature card v2.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--

This has been backported only to make the following backpoorts easier.
The code is only used in 2.3; for details see the original commit
message.

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: c1663c690b29d2dea8bc782c42de5eca08a24cc9
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
c99870f790
scd:nks: Fix certificate read problem with TCOS signature card v2.
* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
(do_readcert): Test for the app_id.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 07aef873ebc77241e9a2be225537319f6fc15a41
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
a974d8aefa
scd:nks: Fix remaining tries warning in --reset mode.
* scd/app-nks.c (do_change_pin): Change computation of 'remaining'.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 2429e8559844e27de478d7e90834a714b3748834
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
60ba61e78e
scd:nks: Add framework to support IDKey cards.
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--

Backported-from-master: 1f6a39092fe4b5f02bc4741a0a23d102d30f4063
GnuPG-bug-id: 6252

Also not directly required for the Signature Card 2.0, it is easier to
port this patch as well.
2022-10-20 12:22:07 +02:00
Werner Koch
a83281176c
scd:nks: Get the PIN prompts right for the Signature Card
* scd/app-nks.c (get_dispserialno): Move more to the top.
(do_getattr): Add $DISPSERIALNO and SERIALNO.  Make CHV-STATUS work
with NKS15.
(verify_pin): Use dedicated min. PIN lengths.
(parse_pwidstr): Support NKS15
--

GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit aecc008acb64ebbb6c667c4a128af4e61da57f84)
2022-10-20 12:22:07 +02:00
Werner Koch
bbef2d1790
scd:nks: Support decryption using ECDH.
* scd/app-nks.c (struct fid_cache_s): Add field 'algo'.
(keygripstr_from_pk_file): Add arg 'r_algo' to return the algo.
(find_fid_by_keyref): Ditto.
(get_dispserialno): New.
(make_prompt): New.
(verify_pin): Provide better prompts.
(do_decipher): Support ECDH.
(parse_pwidstr): Add hack tospecify any pwid..
(do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN.
Provide a better prompt.
--

GnuPG-bug-id: 4938, 6252
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: af45d884aa1c3eccbc6972a2e5197ece3fd1987a
2022-10-20 12:22:07 +02:00
Werner Koch
f5e0469d6e
scd:nks: Add do_with_keygrip and implement a cache.
* scd/app-nks.c (struct fid_cache_s): New.
(struct app_local_s): Add field 'fid_cache'.
(do_deinit): Release the cache.
(keygripstr_from_pk_file): Implement the cache.
(find_fid_by_keyref): New
(do_sign, do_decipher): Use new function.
(do_with_keygrip): New.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 1e72a1a218490c0fc07811a02ddad6cc38913f77
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
471e610fcd
scd:nks: Allow retrieving certificates from a Signature Card v.20
* scd/app-nks.c: Major rework to support non-RSA cards.
--

This is a fist step so support this ECC card.  The code has been
reworked while taking care that old cards should keep on working.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported-from-master: f05a32e5c9db7d0840c74fccc350a9e0ff5fb819
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
NIIBE Yutaka
e1169e8f8a
scd: Add npth_unprotect/npth_protect for blocking operations.
* scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
(ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap
blocking operations by npth_unprotect/npth_protect.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-31 13:50:07 +02:00
NIIBE Yutaka
8c9f879d4a scd:openpgp: Fix workaround for Yubikey heuristics.
* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
of firmware 5.4, too.

--

Cherry-picked master commit of:
	f34b9147eb3070bce80d53febaa564164cd6c977

GnuPG-bug-id: 6070
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-13 10:53:56 +09:00
NIIBE Yutaka
225c66f13b scd: Fail when no good algorithm attribute.
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.

--

Backport master commit of:
	53eddf9b9ea01210f71b851b5cb92a5f1cdb6f7d

This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-13 09:47:32 +09:00
NIIBE Yutaka
07e43eda8d scd: Don't inhibit SSH authentication for larger data if it can.
* scd/app-openpgp.c (do_auth): Use command chaining if available.

--

Cherry-picked from master branch of:
	e8fb8e2b3e66d5ea8a3dc90afdc14611abf2c3da

GnuPG-bug-id: 5935
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-12 16:11:08 +09:00
NIIBE Yutaka
aeee62593a agent,scd: Make sure to set CONFIDENTIAL flag in Assuan.
* agent/call-scd.c (inq_needpin): Call assuan_begin_confidential
and assuan_end_confidential, and wipe the memory after use.
* agent/command.c (cmd_preset_passphrase): Likewise.
* scd/command.c (pin_cb): Likewise.

--

Backport the change of master commit of:
	052f58422dca1044aba7acb4cf57416e7a8cb01f

GnuPG-bug-id: 5977
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-09 14:28:08 +09:00
Werner Koch
e3db6c74a6
scd:p15: Fix accidental commit of debug code
* scd/app-p15.c (do_sign): Revert MSE setting.
--

Fixes-commit: 91acbdc93c8a6ae06b483a27c8bb7c33a978108d
2022-06-01 12:19:56 +02:00
Werner Koch
62becf599e
scd: Shorten cardio debug output for all zeroes.
* scd/apdu.c (all_zero_p): New.
(send_le): Use it.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 9b6f574928546e6905a92c3e74d72478f1585c66)
2022-06-01 12:07:05 +02:00
NIIBE Yutaka
7bc794c311 scd: Fix use of SCardListReaders for PC/SC.
* scd/apdu.c (open_pcsc_reader): Initialize NREADER.

--

Backport master commit of:
	1b1684cf6192d9edb90a54ebe4a0e66b3d59a44b

Reported-by: Ludovic Rousseau
GnuPG-bug-id: 5979
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-17 10:25:34 +09:00
NIIBE Yutaka
a5217c9000 scd: Add workaround for ECC attribute on Yubikey.
* scd/app-openpgp.c (parse_algorithm_attribute): Skip possibly bogus
octet in a key attribute.

--

Apply master commit of:
	054d14887ef8fa1cbadef4ed2ea28213f25f5d25

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-10 14:21:09 +09:00
Werner Koch
91acbdc93c
scd:p15: Improve the displayed S/N for Technology Nexus cards.
* scd/app-p15.c (any_control_or_space_mem): New.
(get_dispserialno): Add new code.
--

This works with my test cards and now reflects what's printed on the
front matter of the card.
2022-05-06 11:37:47 +02:00
Werner Koch
8efe738c4a
scd:p15: Fix the the sanity check of the displayed S/N.
* scd/app-p15.c (any_control_or_space): Fix loop.
--

This check is only done to avoid printing wrongly encoded S/N for
human consumption.
e
2022-05-06 11:35:02 +02:00
Werner Koch
7f029eef6c
scd:p15: Fix reading certificates without length info.
* scd/app-p15.c (readcert_by_cdf): Do not use extended mode if the CDF
object has no length info.  Add debug output when reading a cert.
(read_p15_info): No more need to disable extended mode for GeNUA cards.
2022-05-05 14:12:50 +02:00
Werner Koch
d60f930d9b
scd: New debug flags "card".
* scd/scdaemon.c (debug_flags): Add "card".
* scd/scdaemon.h (DBG_CARD_VALUE, DBG_CARD): New.
--

Some information from parsing the card are often very helpful.
However, the card_io triggered APDU dumps are in most cases too heavy.
Thus this new debug flag.
2022-05-05 14:12:23 +02:00
Werner Koch
58532fe56c
scd: Minor code reorganization
* scd/ccid-driver.c: Move struct defines to the top.
(MAX_DEVICE): Rename to CCID_MAX_DEVICE.
2022-04-14 10:25:15 +02:00
Werner Koch
c4b14be48f
scd: Fix memory leak in ccid-driver.
* scd/ccid-driver.c (ccid_dev_scan): Use loop var and not the count.
--

Due to an assignment out of bounds this might lead to a crash if there
are more than 15 readers.  In any case it fixes a memory leak.
Kudos to the friendly auditor who found that bug.

Fixes-commit: 8a41e73c31adb86d4a7dca4da695e5ad1347811f
2022-04-14 10:17:28 +02:00
Werner Koch
e99670f944
scd:p15: Improve the PIN prompt for Genua cards.
* scd/app-p15.c (CARD_PRODUCT_GENUA): New.
(cardproduct2str): Add it.
(read_p15_info): Detect and set GENUA
(make_pin_prompt): Take holder string from the AODF.
2022-04-13 13:58:37 +02:00
Werner Koch
44ec383cde
scd:p15: Support for GeNUA cards.
* scd/app-p15.c (read_p15_info): Disable extended mode for Genua
cards.
2022-04-13 13:58:26 +02:00
Werner Koch
29fd805818
scd:p15: Prepare AODF parsing for other authentication types.
* scd/app-p15.c (auth_type_t): New.
(struct aodf_object_s): Add field auth_type.
(read_ef_aodf): Distinguish between pin and authkey types.  Include
the authtype in the verbose mode diags.
--

Note that the bulk of changes are just indentation changes.  There
should be no functional change.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e387cc97c82313457e4f79729a137e5871891bc1)
2022-04-13 13:56:58 +02:00
Werner Koch
80cf64c651
scd:p15: Add basic support for AET JCOP cards.
* scd/app-p15.c (CARD_TYPE_AET): New.
(cardtype2str): Add string.
(card_atr_list): Add corresponding ATR.
(app_local_s): New flag no_extended_mode.  Turn two other flags into
bit flags.
(select_ef_by_path): Hack to handle the 3FFF thing.
(readcert_by_cdf): Do not use extended mode for AET.
(app_select_p15): Set no_extended_mode.
---
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 544ec7872aed24c296ea34fac777eca287f7bb47)
2022-04-13 13:32:09 +02:00
Werner Koch
a2db490de5
scd:p15: Used extended mode already for RSA 2048
* scd/app-p15.c (do_sign, do_decipher): Replace GT by GE.
--
2022-02-21 12:23:04 +01:00
NIIBE Yutaka
3c3765405d scd: Use lock_slot for apdu_send_direct.
* scd/apdu.c (apdu_send_direct): Use lock_slot.

--

Cherry-pick the master commit of:
	f808012ac2cf67ec563da178d963f300a7f2564d

With trylock_slot, it may return SW_HOST_BUSY.  This may occur when
apdu_get_status is called by scd_update_reader_status_file.

Simply using lock_slot is much easier for user of apdu_send_direct.

GnuPG-bug-id: 5831
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-02-17 14:05:01 +09:00
Werner Koch
38c666ec3f
scd: Also prefer Yubikeys if no reader port is given.
* scd/apdu.c (select_a_reader): Extend the white list.
2022-01-25 19:02:38 +01:00
Werner Koch
7f9791e167
scd: Re-group the options in the --help output.
--

This looks better and is also required for further simplifications of
gpgconf.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit daf5f4355db7c4203f5b7e01807956328a7d173c)
2021-12-29 21:24:42 +01:00
Werner Koch
5f890f417f
gpgconf: Support reading global options (part 2).
* tools/gpgconf-comp.c: Remove all regular option descriptions.  They
are now read in from the component.  Also remove a few meanwhile
obsolete options.
* agent/gpg-agent.c: Add option description which were only set in
gpgconf-comp.c.
* dirmngr/dirmngr.c: Ditto.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto.
* g10/gpg.c: Ditto.
--

This second part removes all regular option descriptions because they
can be read from the components.  A few were missing in the components
and thus moved to there.

Signed-off-by: Werner Koch <wk@gnupg.org>

This is a backport from master (2.3).
2021-12-29 09:42:45 +01:00
NIIBE Yutaka
b6b735edab
scd:openpgp: Support longer data for INTERNAL_AUTHENTICATE.
* scd/app-openpgp.c (do_auth): Use extended Lc, when supported.

--

GnuPG-bug-id: 5682
Co-authored-by: Klas Lindfors
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-15 17:54:04 +01:00