* common/compliance.c (get_compliance_cache): New.
(gnupg_rng_is_compliant): Use per mode cache.
(gnupg_gcrypt_is_compliant): Ditto.
--
This addresses the problem tha the check might be called with
different compliance values and thus it should return the
corresponding cached result.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpg-card.c (cmd_list): Add flag --reread.
* tools/card-call-scd.c (scd_learn): New arg reread.
* tools/card-call-scd.c (release_card_info): Fix releasing of the new
label var.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (cmd_learn): Add flag --reread.
* scd/app-common.h (struct app_ctx_s): New field need_reset.
* scd/app.c (write_learn_status_core): Set need_reset if we notice an
error after returning from a reread. Change all callers of card
functions to return GPG_ERR_CARD_RESET so that that app is not anymore
used.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-p15.c (do_deinit): Factor code out to ...
(release_lists, release_tokeninfo): new.
(read_ef_tokeninfo): Reset all data before reading.
(read_p15_info): Ditto.
(do_learn_status): Implement reread flag.
--
Objects of a card may be protected by a PIN and thus only readble
after a verify command. This new flag makes it possible to gather the
entire PKCS#15 card info again without a need for a reset (and thus
loss of the verify status).
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (min_automake_version): Bump to 1.16.3
--
This version has the now needed support for
- new variable AM_DISTCHECK_DVI_TARGET, to allow overriding the
"make dvi" that is done as part of distcheck.
* tools/gpg-card.h (struct key_info_s): Add field 'label'.
* tools/card-call-scd.c (learn_status_cb): Parse KEY-LABEL.
(scd_learn): Always request KEY-LABEL.
* tools/gpg-card.c (nullnone): New.
(list_one_kinfo, list_card): Use it. Print the label.
--
PKCS#15 defines label which help to understand for what a key is
intended. Print them.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-p15.c (do_sign): Rewrite.
--
This basically works now but for my test card I need to pass
--cert-digest-algo-512 manually. Need to check this again and
automate it. It will also be useful to take the NotBefore timestamp
from the dummy X.509 certificate and use that for the PGP key creation
time.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command-ssh.c (ssh_handler_request_identities): Skip unknown
curves.
--
For example when using my standard ed25519 token and testing cards
with only Brainpool support, the ssh-agent failed due to the unknown
curves seen on the card. This patches fixes this by ignoring keys
with unknown curves.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/iso7816.c (iso7816_pso_csv): New.
* scd/app-help.c (app_help_pubkey_from_cert): Uncompress a point if
needed.
* scd/app-p15.c (CARD_PRODUCT_RSCS): New.
(struct prkdf_object_s): Add fields is_ecc, token_label, and
tokenflags.
(do_deinit): Free new fields.
(cardproduct2str): New.
(read_ef_prkdf): Set new is_ecc flag.
(read_ef_tokeninfo): Store some data and move Tokeninfo diags to ...
(read_p15_info): here. set the product info here after all data has
been gathered.
(send_keypairinfo): Chnage the way the gpgusage flags are used.
(make_pin_prompt): If the token has a label and the current cert has
no CN, show the label as holder info.
(do_sign): Support ECDSA. Take care of the gpgusage flags.
(do_decipher): Support ECDH. Take care of the gpgusage flags.
--
This has been tested with Trusted Object Manager generated cards by
Rohde & Schwarz Cybersecurity.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpgconf-comp.c (gc_component_check_options): Increase array.
--
I missed to fix that one with the last patch.
Note that there was no problem in 2.2 at thismlocation - probably
because it had been manually backported once.
GnuPG-bug-id: 5366
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/pksign.c (agent_pksign_do): Support ECC and DSA verification
and print some debug info in the error case.
--
Note that the addition of do_encode_dsa has no immediate effect
because we use the code only for RSA. However, for debugging it can
be useful to change the code to check also other created signatures.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpgconf-comp.c (known_options_gpg, known_options_gpgsm): No
flags needed for pseudo options.
(known_pseudo_options_gpg, known_pseudo_options_gpgsm): New.
(gc_component): Add field known_pseudo_options.
(struct read_line_wrapper_parm_s): New.
(read_line_wrapper): New.
(retrieve_options_from_program): Use read_line_wrapper to handle
pseudo options.
--
GnuPG-bug-id: 5341
Due to reading the list of options from the argparser of the
component, we had no more information about the pseudo options and
thus could not emit them. Well, there is just one pseudo option right
now, but with this change we have a generalized concept for them:
Pseudo options are used to convey information from a component to
gpgconf; for example build-in values.
* tools/gpg-card.c (cmd_writecert): Allow the other key references.
(cmd_readcert): Ditto.
--
See previous commit for testing info.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--
This has been tested with a Zeitcontrol 3.4 card. A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen. Change users.
--
The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used. Make this
clear by renaming.
Likewise for max_certlen_3.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--
The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache. A better strategy would be
to clear the cache when we change card data but that is more error
prone.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-p15.c (prepare_verify_pin): Allow for PRKDF to be NULL.
(make_pin_prompt): Ditto.
(verify_pin): Ditto.
(do_check_pin): Allow using the Label to specify a PIN.
--
Note that a label may not work in all cases because we can't select
the protected object's EF first.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-p15.c (parse_common_obj_attr): Map spaces in the lapel to
underscores.
(read_ef_aodf): Prettify printing of the type.
(do_getattr): New attribute CHV-LABEL
(do_learn_status): Emit CHV-LABEL.
(verify_pin): Distinguish the PIN prompts.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (TEST_LIBTSS): Make that conditional depend on the
detection of tssstartup.
--
While the tpm2d daemon can use either the Intel TSS or the IBM TSS,
the test code (specifically, the start_sw_tpm.sh script) requires
some tools from the IBM TSS (tssstartup and tsspowerup).
If a software TPM is detected at configure time but the IBM TSS
tools are absent (e.g. because only the Intel TSS is available on
the system), `make check` will attempt to run the tpm2d tests and
those will fail when the start_sw_tpm.sh script is launched.
This patch makes running the tpm2d tests dependent not only on
the detection of a software TPM, but also on the detection of
tssstartup (it is probably safe to assume that if tssstartup is
present, then tsspowerup is available as well).
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
* tests/tpm2dtests/start_sw_tpm.sh: New.
* tests/tpm2dtests/Makefile.am: Add.
--
This accidentally got left out of the initial commit for testing
6720f1343 ("tpm2d: add tests for the tpm2daemon")
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Added to Makefile and wrote tiny ChangeLog.
Signed-off-by: Werner Koch <wk@gnupg.org>