1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-27 11:10:13 +01:00

10550 Commits

Author SHA1 Message Date
Werner Koch
e17d3f8660
scd:p15: New flag APP_LEARN_FLAG_REREAD.
* scd/app-p15.c (do_deinit): Factor code out to ...
(release_lists, release_tokeninfo): new.
(read_ef_tokeninfo): Reset all data before reading.
(read_p15_info): Ditto.
(do_learn_status): Implement reread flag.
--

Objects of a card may be protected by a PIN and thus only readble
after a verify command.  This new flag makes it possible to gather the
entire PKCS#15 card info again without a need for a reset (and thus
loss of the verify status).

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 10:28:07 +02:00
Werner Koch
1c16878efd
scd: Replace all assert macros by the log_assert macro.
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-31 19:16:05 +02:00
Werner Koch
6ca5407151
build: Require automake 1.16.3
* configure.ac (min_automake_version): Bump to 1.16.3
--

This version has the now needed support for

 - new variable AM_DISTCHECK_DVI_TARGET, to allow overriding the
   "make dvi" that is done as part of distcheck.
2021-03-31 09:18:12 +02:00
NIIBE Yutaka
8d6152a4cf build: Update gpg-error.m4.
* m4/gpg-error.m4: Update from libgpg-error.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-31 10:37:06 +09:00
Werner Koch
0d6f276f61
card: Print the key's label if available.
* tools/gpg-card.h (struct key_info_s): Add field 'label'.
* tools/card-call-scd.c (learn_status_cb): Parse KEY-LABEL.
(scd_learn): Always request KEY-LABEL.
* tools/gpg-card.c (nullnone): New.
(list_one_kinfo, list_card): Use it.  Print the label.
--

PKCS#15 defines label which help to understand for what a key is
intended.  Print them.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 17:28:45 +02:00
Werner Koch
7f91263632
scd:p15: Return labels for keys and certificates.
* scd/app-p15.c (send_certinfo): Extend certinfo.
(do_getattr): Support KEY-LABEL.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 17:25:24 +02:00
Werner Koch
651c07a730
scd:p15: For CardOS make use of ISO7816_VERIFY_NOT_NEEDED.
* scd/app-p15.c (verify_pin): Take care of verify status.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 11:43:45 +02:00
Werner Koch
de4d3c99aa
scd:p15: Return the creation time of the keys.
* scd/app-p15.c (struct prkdf_object_s): Add keytime and keyalgostr.
(keygrip_from_prkdf): Set them.
(send_keypairinfo): Extend KEYPAIRINFO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 10:27:20 +02:00
NIIBE Yutaka
d1bac0a3be build: Fix for make distcheck, no EPS support.
* Makefile.am (AM_DISTCHECK_DVI_TARGET): Specify 'pdf'.
* doc/Makefile.am (EXTRA_DIST, BUILT_SOURCES): Remove EPS files.
(gnupg.dvi): Remove.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-30 12:38:50 +09:00
Werner Koch
592f480117
scd:p15: Make RSA with SHA512 work with CardOS.
* scd/app-p15.c (do_sign): Rewrite.
--

This basically works now but for my test card I need to pass
--cert-digest-algo-512 manually.  Need to check this again and
automate it.  It will also be useful to take the NotBefore timestamp
from the dummy X.509 certificate and use that for the PGP key creation
time.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 20:36:01 +02:00
Werner Koch
2d2391dfc2
agent: Skip unknown unknown ssh curves seen on cards.
* agent/command-ssh.c (ssh_handler_request_identities): Skip unknown
curves.
--

For example when using my standard ed25519 token and testing cards
with only Brainpool support, the ssh-agent failed due to the unknown
curves seen on the card.  This patches fixes this by ignoring keys
with unknown curves.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 15:39:32 +02:00
Werner Koch
a494b29af9
scd:p15: Support ECDSA and ECDH for CardOS.
* scd/iso7816.c (iso7816_pso_csv): New.
* scd/app-help.c (app_help_pubkey_from_cert): Uncompress a point if
needed.

* scd/app-p15.c (CARD_PRODUCT_RSCS): New.
(struct prkdf_object_s): Add fields is_ecc, token_label, and
tokenflags.
(do_deinit): Free new fields.
(cardproduct2str): New.
(read_ef_prkdf): Set new is_ecc flag.
(read_ef_tokeninfo): Store some data and move Tokeninfo diags to ...
(read_p15_info): here.  set the product info here after all data has
been gathered.
(send_keypairinfo): Chnage the way the gpgusage flags are used.
(make_pin_prompt): If the token has a label and the current cert has
no CN, show the label as holder info.
(do_sign): Support ECDSA.  Take care of the gpgusage flags.
(do_decipher): Support ECDH.  Take care of the gpgusage flags.
--

This has been tested with Trusted Object Manager generated cards by
Rohde & Schwarz Cybersecurity.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 14:49:08 +02:00
Werner Koch
f129b0e977
gpg: Allow ECDH with a smartcard returning just the x-ccordinate.
* g10/ecdh.c (extract_secret_x): Add extra safety check. Allow for
x-only coordinate.
2021-03-29 14:36:52 +02:00
Werner Koch
18d884f841
gpgconf: Do not i18n an empty string to the PO files meta data.
* tools/gpgconf-comp.c (my_dgettext): Ignore empty strings.
--

GnuPG-bug-id: 5363
2021-03-28 10:38:42 +02:00
Werner Koch
a5e72b663b
tests: Make sure the built keyboxd is used by the tests.
* tests/openpgp/defs.scm (tool): Add keyboxd.
* tests/openpgp/setup.scm: Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 17:06:44 +01:00
Werner Koch
057131159b
gpgconf: Fix another argv overflow if --homedir is used.
* tools/gpgconf-comp.c (gc_component_check_options): Increase array.
--

I missed to fix that one with the last patch.

Note that there was no problem in 2.2 at thismlocation - probably
because it had been manually backported once.

GnuPG-bug-id: 5366
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 16:51:35 +01:00
Werner Koch
d3d57a1bc8
gpgconf: Fix argv overflow if --homedir is used.
* tools/gpgconf-comp.c (gc_component_launch): Fix crasg due to too
small array.
(gpg_agent_runtime_change): Fix error message.
(scdaemon_runtime_change): Ditto.
(tpm2daemon_runtime_change): Ditto.
(dirmngr_runtime_change): Ditto.
(keyboxd_runtime_change): Ditto.
--

GnuPG-bug-id: 5366
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 14:44:17 +01:00
Werner Koch
6de1ec3ba5
agent: Add debug output for failed RSA signature verification
* agent/pksign.c (agent_pksign_do): Support ECC and DSA verification
and print some debug info in the error case.
--

Note that the addition of do_encode_dsa has no immediate effect
because we use the code only for RSA.  However, for debugging it can
be useful to change the code to check also other created signatures.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 14:30:58 +01:00
Werner Koch
935765b451
common: New function to uncompress an ECC public key.
* common/sexputil.c (ec2os): New.
(uncompress_ecc_q_in_canon_sexp): New.

* common/t-sexputil.c (fail2): new.
(test_ecc_uncompress): New.
(main): Run new test.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 14:30:58 +01:00
Werner Koch
6a80d6f920
indent: Modernize mem2str.
--
2021-03-26 14:30:58 +01:00
NIIBE Yutaka
d4e5979c63 scd: Fix PC/SC error handling at apdu_dev_list_start.
* scd/apdu.c (PCSC_E_NO_READERS_AVAILABLE): Add.
(pcsc_error_to_sw): Handle PCSC_E_NO_READERS_AVAILABLE.
(apdu_dev_list_start): Return error correctly.

--

GnuPG-bug-id: 4864
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-26 11:24:30 +09:00
Werner Koch
73bad368da
card: Add option --use-default-pin to command "login".
* tools/gpg-card.c (cmd_login): Add option.
2021-03-24 14:39:59 +01:00
Werner Koch
964363e788
scd:p15: Make $SIGNKEY et al determination more fault tolerant.
* scd/app-p15.c (do_getattr): Change how we use gpgUsage to figure out
the keys to use.
2021-03-24 12:27:36 +01:00
Werner Koch
c56926f773
sm: Add a few more OIDs to the table for nicer keylistings
--
2021-03-24 12:27:35 +01:00
Werner Koch
5346da61c1
gpg: No warning in quiet mode for S2K mode 0.
--
2021-03-24 12:27:35 +01:00
NIIBE Yutaka
14ef703ad6 gpg: Fix v5 signature for clearsign.
* g10/sign.c (clearsign_file): Prepare EXTRAHASH.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-24 15:50:12 +09:00
NIIBE Yutaka
90a5b4e648 gpg: Support ECDH with v5 key.
* g10/ecdh.c (build_kdf_params): Use the first 20 octets.
* g10/pkglue.c (pk_encrypt): Remove length check to 20.
* g10/pubkey-enc.c (get_it): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-24 14:51:42 +09:00
Werner Koch
a107b24ddb
gpgconf: Fix listing of default_pubkey_algo.
* tools/gpgconf-comp.c (known_options_gpg, known_options_gpgsm): No
flags needed for pseudo options.
(known_pseudo_options_gpg, known_pseudo_options_gpgsm): New.
(gc_component): Add field known_pseudo_options.
(struct read_line_wrapper_parm_s): New.
(read_line_wrapper): New.
(retrieve_options_from_program): Use read_line_wrapper to handle
pseudo options.
--

GnuPG-bug-id: 5341

Due to reading the list of options from the argparser of the
component, we had no more information about the pseudo options and
thus could not emit them.  Well, there is just one pseudo option right
now, but with this change we have a generalized concept for them:
Pseudo options are used to convey information from a component to
gpgconf; for example build-in values.
2021-03-23 12:16:37 +01:00
Werner Koch
1f5f08376d
gpgconf: Support use-keyboxd.
--

We flag this option as invisible so that it does not show up in a GUI
but it will be possible to grep for the option.
2021-03-22 19:41:44 +01:00
Werner Koch
ed82ef9145
kbxd: Group the options.
* kbx/keyboxd.h (opt): Remove unused field 'batch'.
* kbx/keyboxd.c (opts): Remove --batch.  Add group descriptions.
2021-03-22 19:13:07 +01:00
Werner Koch
e03ddb66c7
doc: Fix option name.
--
2021-03-22 16:30:11 +01:00
NIIBE Yutaka
1524a942b6 gpg: Support exporting Ed448 SSH key.
* common/openpgp-oid.c (oid_ed448, openpgp_oidbuf_is_ed448): New.
(openpgp_oid_is_ed448): New.
* common/util.h (openpgp_oid_is_ed448): New.
* g10/export.c (export_one_ssh_key): Support Ed448 key.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-22 16:57:18 +09:00
NIIBE Yutaka
0b45c5a994 gpg: Fix exporting SSH key.
* g10/export.c (export_one_ssh_key): Finish base 64 encoder before
writing out the comment string.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-22 16:55:29 +09:00
Werner Koch
475644e049
card: Support OpenPGP.1 and OpenPGP.2 for readcert and writecert.
* tools/gpg-card.c (cmd_writecert): Allow the other key references.
(cmd_readcert): Ditto.
--

See previous commit for testing info.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 18:28:00 +01:00
Werner Koch
37b1c5c200
scd:openpgp: Allow reading and writing user certs for keys 1 and 2
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--

This has been tested with a Zeitcontrol 3.4 card.  A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 18:26:03 +01:00
Werner Koch
bbdb48ec0d
scd:openpgp: Rename an internal variable.
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen.  Change users.
--

The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used.  Make this
clear by renaming.

Likewise for max_certlen_3.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 15:24:08 +01:00
Werner Koch
d5fb598323
scd:openpgp: Small speedup reading card properties.
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--

The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache.  A better strategy would be
to clear the cache when we change card data but that is more error
prone.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 13:43:46 +01:00
Werner Koch
85082a83c2
scd:p15: Allow to use an auth object label with cmd CHECKPIN.
* scd/app-p15.c (prepare_verify_pin): Allow for PRKDF to be NULL.
(make_pin_prompt): Ditto.
(verify_pin): Ditto.
(do_check_pin): Allow using the Label to specify a PIN.
--

Note that a label may not work in all cases because we can't select
the protected object's EF first.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 16:30:10 +01:00
Werner Koch
1ac189f2df
card: Print PIN descriptions and fix number of printed retry counters.
* tools/gpg-card.h (struct card_info_s): Add fields nmaxlen, nchvinfo,
and chvlabels.
* tools/card-call-scd.c (release_card_info): Free chvlabels.
(learn_status_cb): Parse CHV-LABEL.  Set nmaxlen and nchvinfo.
* tools/gpg-card.c (list_retry_counter): Print CHV labels.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 11:29:31 +01:00
Werner Koch
ef29a960bf
scd:p15: New attribute CHV-LABEL.
* scd/app-p15.c (parse_common_obj_attr): Map spaces in the lapel to
underscores.
(read_ef_aodf): Prettify printing of the type.
(do_getattr): New attribute CHV-LABEL
(do_learn_status): Emit CHV-LABEL.
(verify_pin): Distinguish the PIN prompts.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 11:08:16 +01:00
Werner Koch
26215cb211
agent: Simplify a function.
* agent/findkey.c (agent_public_key_from_file): Use a membuf instead
of handcounting space.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 09:53:09 +01:00
Werner Koch
bf1d7bc369
scd:p15: Implement CHV-STATUS attribute
* scd/command.c (send_status_direct): Return an error.
* scd/app-p15.c (do_learn_status): Emit CHV-STATUS.
(compare_aodf_objid): New.
(do_getattr): Implement CHV-STATUS.
2021-03-16 18:52:38 +01:00
Werner Koch
e4c2d7be22
card: Generalize the CHV counter printing.
* tools/gpg-card.c (list_retry_counter): New.  Factored out from the
other functions.
(cmd_verify): Re-read the chv status.
2021-03-16 18:51:23 +01:00
Damien Goutte-Gattat via Gnupg-devel
c0f50811fc
build: Check for the IBM TSS tools to run the tpm2d tests.
* configure.ac (TEST_LIBTSS): Make that conditional depend on the
detection of tssstartup.

--
While the tpm2d daemon can use either the Intel TSS or the IBM TSS,
the test code (specifically, the start_sw_tpm.sh script) requires
some tools from the IBM TSS (tssstartup and tsspowerup).

If a software TPM is detected at configure time but the IBM TSS
tools are absent (e.g. because only the Intel TSS is available on
the system), `make check` will attempt to run the tpm2d tests and
those will fail when the start_sw_tpm.sh script is launched.

This patch makes running the tpm2d tests dependent not only on
the detection of a software TPM, but also on the detection of
tssstartup (it is probably safe to assume that if tssstartup is
present, then tsspowerup is available as well).

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2021-03-16 10:57:01 +01:00
Damien Goutte-Gattat via Gnupg-devel
ad481666ea
build: Fix distcheck when tpm2dtests are run.
* tests/tpm2dtests/Makefile.am (EXTRA_DIST): Distribute test files.
(CLEANFILES): Make sure to remove log files.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2021-03-16 10:56:57 +01:00
James Bottomley
a788f2e830
tests:tpm2d: add missing start_sw_tpm.sh script
* tests/tpm2dtests/start_sw_tpm.sh: New.
* tests/tpm2dtests/Makefile.am: Add.
--

This accidentally got left out of the initial commit for testing
6720f1343 ("tpm2d: add tests for the tpm2daemon")

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Added to Makefile and wrote tiny ChangeLog.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-15 17:09:32 +01:00
Werner Koch
1523b5f76f
gpg: New option --no-auto-trust-new-key.
* g10/gpg.c (oNoAutoTrustNewKey): New.
(opts): Add --no-auto-trust-new-key.
(main): Set it.
* g10/options.h (opt): Add flags.no_auto_trust_new_key.

Signed-off-by: Werner Koch <wk@gnupg.org>
Beta-2.3.0-beta1655
2021-03-15 10:47:19 +01:00
Werner Koch
683ff00bb1
w32: Silence a compiler warning in dirmngr.c
--
2021-03-15 09:50:31 +01:00
Werner Koch
8d6123faa8
build: new option to disable building of tpm2daemon
* configure.ac (build_tpmd): New configure option --disable-tpm2d
(BUILD_WITH_TPM2D): New.
* Makefile.am (tests): Use conditionally BUILD_TPM2D instead of
HAVE_LIBTSS.
* build-aux/speedo.mk (speedo_pkg_gnupg_configure) [W32]: Do not build
tpm2d.
* autogen.rc: Ditto.
2021-03-15 09:50:30 +01:00
NIIBE Yutaka
b743942a97 scd: Add handling of Ed448 key.
* scd/app-openpgp.c (struct app_local_s): Add ecc.algo field.
(send_key_attr): Use ecc.algo field.
(ecc_read_pubkey): Use ecc.algo field.
(ecc_writekey): Ed448 means EdDSA.
(parse_algorithm_attribute): Set ecc.algo field from card.
Add checking for Ed25519 for ECC_FLAG_DJB_TWEAK flag.

--

There used to be a possible support of Ed25519 with ECDSA, (instead of
EdDSA).  To distinguish key for Ed25519 for EdDSA, we use the
flag: (flags eddsa).  Ed448 has no support for ECDSA and defaults to
EdDSA even if no such flag.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-15 17:02:32 +09:00