* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--
This has been tested with a Zeitcontrol 3.4 card. A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen. Change users.
--
The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used. Make this
clear by renaming.
Likewise for max_certlen_3.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--
The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache. A better strategy would be
to clear the cache when we change card data but that is more error
prone.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): Add ecc.algo field.
(send_key_attr): Use ecc.algo field.
(ecc_read_pubkey): Use ecc.algo field.
(ecc_writekey): Ed448 means EdDSA.
(parse_algorithm_attribute): Set ecc.algo field from card.
Add checking for Ed25519 for ECC_FLAG_DJB_TWEAK flag.
--
There used to be a possible support of Ed25519 with ECDSA, (instead of
EdDSA). To distinguish key for Ed25519 for EdDSA, we use the
flag: (flags eddsa). Ed448 has no support for ECDSA and defaults to
EdDSA even if no such flag.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (cache_pin): Bypass in shared mode.
(verify_chv2: Do not auto verify chv1 in shared mode.
* scd/app-piv.c (cache_pin): By pass caceh in shared mode.
--
This option should in general not be used. The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.
* scd/app.c (is_same_serialno): New.
(check_application_conflict): Use this.
(select_application): Ditto.
(app_switch_current_card): Ditto.
* scd/app-openpgp.c (check_keyidstr): Ignore the card version and also
compare case insensitive.
--
This is required because we change what we emit as serialno of OpenPGP
cards but existing keys still use the old form of the serial
number (i.e. with a firmware version).
See-commit: 3a8250c020
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app.c (app_new_register): Call app_munge_serialno for Yubikeys.
(app_munge_serialno): Handle Yubikey serial numbers.
(card_get_serialno): Remove special Yubikey treatment. Drop arg
is_canonical.
(app_get_serialno): Clear ERRNO on error.
(card_get_dispserialno): New. Also change formatting of Yubikey and
OpenPGP numbers to match those printed on the card.
(app_get_dispserialno): New.
* scd/app-openpgp.c (do_getattr): Use app_get_dispserialno.
(yubikey_get_serialno): Remove.
* scd/app-piv.c (get_dispserialno): Remove.
(do_getattr): Use app_get_dispserialno.
--
This patch gets us back to a unique serial number for cards and
provides a stable serial number as printed for Yubikeys.
Because we use a slightly different serial number now for Yubikeys and
cards only supporting OpenPGP card we need to come up with another
change so that the version number of OpenPGP serial numbers are
ignored when comparing card serial numbers. This is so that existing
stub keys of gpg-agent will continue to work.
GnuPG-bug-id: 5100
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (send_keypair_info): Emit the algo string as part
of a KEYPAIRINFO.
* scd/command.c (do_readkey): Ditto.
* scd/app-piv.c (do_readkey): Ditto.
* scd/app-nks.c (do_learn_status_core): Ditto.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache. Use a
single exit label.
* scd/app-help.c (app_help_get_keygrip_string_pk): Add new arg
r_algostr. Change all callers.
--
This is helpful so that callers do not need to parse the key for this
basic information. Use "scd readkey --info-only" to return the info
status line instead of the key material; using just --info returns the
info in addition to the key material.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (kdf_setup): Fix the default value.
* scd/app-openpgp.c (do_setattr): Support kdf-setup "off" by
Zeitcontrol. Make sure Gnuk and Yubikey work well.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (verify_chv2): Call verify_a_chv with chvno=1
when needed.
--
Confusingly, verify_chv2 has two different purposes; One for
verifying with CHV2 (in addition to CHV1), and the call by
CHECKPIN. For the latter, we should check CHV1.
Fixes-commit: af189be481
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (do_setattr): Call flush_cache_item always.
--
Only it was called when there was an object with KDF_DATA_LENGTH_MAX.
No matter the VALUELEN, it should be flushed.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (data_objects): 0x00FA for binary data.
(do_getattr): Parse the data and send it in status lines.
(get_algorithm_attribute_string): New.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* cd/app-openpgp.c (data_objects): Add 0x00FA.
(do_getattr): Add KEY-ATTR-INFO.
--
See the section 4.4.3.11 Algorithm Information in the OpenPGP card
functional specification version 3.4.1.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (verify_chv2): Check availability of keys in
question.
--
With buggy Gnuk (<= 1.2.15), when no encr/auth keys are available,
it fails decrementing the signature error counter. This change
can avoid the issue.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (do_getattr): New attrubute "UIF".
(do_learn_status): Use that.
--
Actually this is not just convenience but will make it easier to add
new keys to an openpgp card - we will need to change this only at one
place.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (get_manufacturer): New..
(do_getattr): Add new attribute "MANUFACTURER".
(do_learn_status): Always print it.
--
This will make it easy to maintain the list of OpenPGP vendors at just
one place.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (cmd_keyinfo): Use Gcrypt constants for CAP.
* scd/app-openpgp.c (do_with_keygrip): Adjust for them.
* scd/app-piv.c (do_with_keygrip): Ditto.
--
That makes it easier to read. An open question is whether we should
allow several capabilities and whether they are the ORed or ANDed.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (check_keyidstr): Add optional arg r_use_auth to
test also for OpenPGP.3.
(do_sign): Enable that new mode.
--
This is very useful to allow gpgsm to use a certificate based on the
OpenPGP card's authentication key. That key is usually used for ssh
but it makes sense to use it also for user certificate based
authentication.
Signed-off-by: Werner Koch <wk@gnupg.org>