1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

9428 Commits

Author SHA1 Message Date
Werner Koch
964363e788
scd:p15: Make $SIGNKEY et al determination more fault tolerant.
* scd/app-p15.c (do_getattr): Change how we use gpgUsage to figure out
the keys to use.
2021-03-24 12:27:36 +01:00
Werner Koch
c56926f773
sm: Add a few more OIDs to the table for nicer keylistings
--
2021-03-24 12:27:35 +01:00
Werner Koch
5346da61c1
gpg: No warning in quiet mode for S2K mode 0.
--
2021-03-24 12:27:35 +01:00
NIIBE Yutaka
14ef703ad6 gpg: Fix v5 signature for clearsign.
* g10/sign.c (clearsign_file): Prepare EXTRAHASH.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-24 15:50:12 +09:00
NIIBE Yutaka
90a5b4e648 gpg: Support ECDH with v5 key.
* g10/ecdh.c (build_kdf_params): Use the first 20 octets.
* g10/pkglue.c (pk_encrypt): Remove length check to 20.
* g10/pubkey-enc.c (get_it): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-24 14:51:42 +09:00
Werner Koch
a107b24ddb
gpgconf: Fix listing of default_pubkey_algo.
* tools/gpgconf-comp.c (known_options_gpg, known_options_gpgsm): No
flags needed for pseudo options.
(known_pseudo_options_gpg, known_pseudo_options_gpgsm): New.
(gc_component): Add field known_pseudo_options.
(struct read_line_wrapper_parm_s): New.
(read_line_wrapper): New.
(retrieve_options_from_program): Use read_line_wrapper to handle
pseudo options.
--

GnuPG-bug-id: 5341

Due to reading the list of options from the argparser of the
component, we had no more information about the pseudo options and
thus could not emit them.  Well, there is just one pseudo option right
now, but with this change we have a generalized concept for them:
Pseudo options are used to convey information from a component to
gpgconf; for example build-in values.
2021-03-23 12:16:37 +01:00
Werner Koch
1f5f08376d
gpgconf: Support use-keyboxd.
--

We flag this option as invisible so that it does not show up in a GUI
but it will be possible to grep for the option.
2021-03-22 19:41:44 +01:00
Werner Koch
ed82ef9145
kbxd: Group the options.
* kbx/keyboxd.h (opt): Remove unused field 'batch'.
* kbx/keyboxd.c (opts): Remove --batch.  Add group descriptions.
2021-03-22 19:13:07 +01:00
Werner Koch
e03ddb66c7
doc: Fix option name.
--
2021-03-22 16:30:11 +01:00
NIIBE Yutaka
1524a942b6 gpg: Support exporting Ed448 SSH key.
* common/openpgp-oid.c (oid_ed448, openpgp_oidbuf_is_ed448): New.
(openpgp_oid_is_ed448): New.
* common/util.h (openpgp_oid_is_ed448): New.
* g10/export.c (export_one_ssh_key): Support Ed448 key.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-22 16:57:18 +09:00
NIIBE Yutaka
0b45c5a994 gpg: Fix exporting SSH key.
* g10/export.c (export_one_ssh_key): Finish base 64 encoder before
writing out the comment string.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-22 16:55:29 +09:00
Werner Koch
475644e049
card: Support OpenPGP.1 and OpenPGP.2 for readcert and writecert.
* tools/gpg-card.c (cmd_writecert): Allow the other key references.
(cmd_readcert): Ditto.
--

See previous commit for testing info.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 18:28:00 +01:00
Werner Koch
37b1c5c200
scd:openpgp: Allow reading and writing user certs for keys 1 and 2
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--

This has been tested with a Zeitcontrol 3.4 card.  A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 18:26:03 +01:00
Werner Koch
bbdb48ec0d
scd:openpgp: Rename an internal variable.
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen.  Change users.
--

The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used.  Make this
clear by renaming.

Likewise for max_certlen_3.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 15:24:08 +01:00
Werner Koch
d5fb598323
scd:openpgp: Small speedup reading card properties.
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--

The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache.  A better strategy would be
to clear the cache when we change card data but that is more error
prone.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 13:43:46 +01:00
Werner Koch
85082a83c2
scd:p15: Allow to use an auth object label with cmd CHECKPIN.
* scd/app-p15.c (prepare_verify_pin): Allow for PRKDF to be NULL.
(make_pin_prompt): Ditto.
(verify_pin): Ditto.
(do_check_pin): Allow using the Label to specify a PIN.
--

Note that a label may not work in all cases because we can't select
the protected object's EF first.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 16:30:10 +01:00
Werner Koch
1ac189f2df
card: Print PIN descriptions and fix number of printed retry counters.
* tools/gpg-card.h (struct card_info_s): Add fields nmaxlen, nchvinfo,
and chvlabels.
* tools/card-call-scd.c (release_card_info): Free chvlabels.
(learn_status_cb): Parse CHV-LABEL.  Set nmaxlen and nchvinfo.
* tools/gpg-card.c (list_retry_counter): Print CHV labels.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 11:29:31 +01:00
Werner Koch
ef29a960bf
scd:p15: New attribute CHV-LABEL.
* scd/app-p15.c (parse_common_obj_attr): Map spaces in the lapel to
underscores.
(read_ef_aodf): Prettify printing of the type.
(do_getattr): New attribute CHV-LABEL
(do_learn_status): Emit CHV-LABEL.
(verify_pin): Distinguish the PIN prompts.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 11:08:16 +01:00
Werner Koch
26215cb211
agent: Simplify a function.
* agent/findkey.c (agent_public_key_from_file): Use a membuf instead
of handcounting space.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 09:53:09 +01:00
Werner Koch
bf1d7bc369
scd:p15: Implement CHV-STATUS attribute
* scd/command.c (send_status_direct): Return an error.
* scd/app-p15.c (do_learn_status): Emit CHV-STATUS.
(compare_aodf_objid): New.
(do_getattr): Implement CHV-STATUS.
2021-03-16 18:52:38 +01:00
Werner Koch
e4c2d7be22
card: Generalize the CHV counter printing.
* tools/gpg-card.c (list_retry_counter): New.  Factored out from the
other functions.
(cmd_verify): Re-read the chv status.
2021-03-16 18:51:23 +01:00
Damien Goutte-Gattat via Gnupg-devel
c0f50811fc
build: Check for the IBM TSS tools to run the tpm2d tests.
* configure.ac (TEST_LIBTSS): Make that conditional depend on the
detection of tssstartup.

--
While the tpm2d daemon can use either the Intel TSS or the IBM TSS,
the test code (specifically, the start_sw_tpm.sh script) requires
some tools from the IBM TSS (tssstartup and tsspowerup).

If a software TPM is detected at configure time but the IBM TSS
tools are absent (e.g. because only the Intel TSS is available on
the system), `make check` will attempt to run the tpm2d tests and
those will fail when the start_sw_tpm.sh script is launched.

This patch makes running the tpm2d tests dependent not only on
the detection of a software TPM, but also on the detection of
tssstartup (it is probably safe to assume that if tssstartup is
present, then tsspowerup is available as well).

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2021-03-16 10:57:01 +01:00
Damien Goutte-Gattat via Gnupg-devel
ad481666ea
build: Fix distcheck when tpm2dtests are run.
* tests/tpm2dtests/Makefile.am (EXTRA_DIST): Distribute test files.
(CLEANFILES): Make sure to remove log files.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2021-03-16 10:56:57 +01:00
James Bottomley
a788f2e830
tests:tpm2d: add missing start_sw_tpm.sh script
* tests/tpm2dtests/start_sw_tpm.sh: New.
* tests/tpm2dtests/Makefile.am: Add.
--

This accidentally got left out of the initial commit for testing
6720f1343 ("tpm2d: add tests for the tpm2daemon")

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Added to Makefile and wrote tiny ChangeLog.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-15 17:09:32 +01:00
Werner Koch
1523b5f76f
gpg: New option --no-auto-trust-new-key.
* g10/gpg.c (oNoAutoTrustNewKey): New.
(opts): Add --no-auto-trust-new-key.
(main): Set it.
* g10/options.h (opt): Add flags.no_auto_trust_new_key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-15 10:47:19 +01:00
Werner Koch
683ff00bb1
w32: Silence a compiler warning in dirmngr.c
--
2021-03-15 09:50:31 +01:00
Werner Koch
8d6123faa8
build: new option to disable building of tpm2daemon
* configure.ac (build_tpmd): New configure option --disable-tpm2d
(BUILD_WITH_TPM2D): New.
* Makefile.am (tests): Use conditionally BUILD_TPM2D instead of
HAVE_LIBTSS.
* build-aux/speedo.mk (speedo_pkg_gnupg_configure) [W32]: Do not build
tpm2d.
* autogen.rc: Ditto.
2021-03-15 09:50:30 +01:00
NIIBE Yutaka
b743942a97 scd: Add handling of Ed448 key.
* scd/app-openpgp.c (struct app_local_s): Add ecc.algo field.
(send_key_attr): Use ecc.algo field.
(ecc_read_pubkey): Use ecc.algo field.
(ecc_writekey): Ed448 means EdDSA.
(parse_algorithm_attribute): Set ecc.algo field from card.
Add checking for Ed25519 for ECC_FLAG_DJB_TWEAK flag.

--

There used to be a possible support of Ed25519 with ECDSA, (instead of
EdDSA).  To distinguish key for Ed25519 for EdDSA, we use the
flag: (flags eddsa).  Ed448 has no support for ECDSA and defaults to
EdDSA even if no such flag.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-15 17:02:32 +09:00
NIIBE Yutaka
f482e4bd12 scd: Fix count_sos_bits handling.
* scd/app-openpgp.c (count_sos_bits): Handle an exceptional case.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-15 17:00:56 +09:00
NIIBE Yutaka
373b52e69a common: Fix the NBITS of Ed448in OIDTABLE.
common/openpgp-oid.c (oidtable): Ed448 uses 456-bit signature.

--

While the curve itself is 448-bit, the signature size is 456-bit.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-15 16:53:45 +09:00
Werner Koch
3f1c3f55ea
doc: Typo fix in scdaemon.texi
--
2021-03-14 11:30:23 +01:00
James Bottomley
4997838c7b
doc: add documentation for gpg's keytotpm command
--
The tpm2d patches introduced a new --edit-key command: keytotpm.  Add
a descriptive entry explaining what it does and how it works.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2021-03-12 19:24:37 +01:00
Werner Koch
5732e7a8e9
scd: New option --pcsc-shared.
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (cache_pin): Bypass in shared mode.
(verify_chv2: Do not auto verify chv1 in shared mode.
* scd/app-piv.c (cache_pin): By pass caceh in shared mode.
--

This option should in general not be used.  The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.
2021-03-12 09:31:17 +01:00
NIIBE Yutaka
95156ef9bf scd: Fix computing fingerprint for ECC with SOS.
* scd/app-openpgp.c (count_sos_bits): New.  Count as sos_write does.
(store_fpr): For ECC, use count_sos_bits.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-12 16:20:28 +09:00
NIIBE Yutaka
cfc1497efa gpg: Fix compute_fingerprint for ECC with SOS.
* g10/keyid.c (hash_public_key): Tweak NBITS just as sos_write does.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-12 16:15:04 +09:00
Valtteri Vuorikoski
8cad11d13b
scd:piv: Improve APT parser compatibility.
* scd/app-piv.c (app_select_piv): Allow for full AID.
--

It appears that SP-800-73-x is not too clear about the format of these
objects. Many current cards (such as the Yubikey 5 series) apparently
have only the PIX in DO 0x4F and only the RID in object 0x79/0x4F.

However, other cards as well as the PivApplet Javacard applet have the
full AID in 0x4F (which actually seems closer to what the standard
says). PivApplet also has the full AID in 0x79/0x4F, but this is
probably incorrect. (Here is a long discussion of the matter from an
OpenSC author:
https://github.com/arekinath/PivApplet/issues/43#issuecomment-772649709)

[Taken from a mail to gnupg-devel date 2021-02-03.]

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-11 14:06:51 +01:00
Werner Koch
6976a70270
doc: Add a sending patches section to HACKING.
--

This is based on a patch by

Co-authored-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Co-authored-by: Todd Zullinger <tmz@pobox.com>

regarding Libassuan sent to gnupg-devel on 2018-02-02
2021-03-11 13:05:10 +01:00
Werner Koch
752adf8a6b
doc: Always use --edit-key and not just the --edit abbreviation.
--

Reported-by: Carl Michael Skog
2021-03-11 12:38:51 +01:00
Werner Koch
fe02ef0450
gpg: New option --force-sign-key
* g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key".
(main): Set it.
* g10/options.h (opt): New flag flags.force_sign_key.
* g10/keyedit.c (sign_uids): Use new flag.
--

GnuPG-bug-id: 4584
2021-03-11 11:27:07 +01:00
James Bottomley via Gnupg-devel
b9c560e3a4
tpmd2: Add Support for the Intel TSS
* configure.ac: Check for Intel TSS.
* tpm2d/intel-tss.h: New.
* tpm2d/tpm2.h (HAVE_INTEL_TSS): Use the Intel code.

--
The Intel TSS is somewhat of a moving target, so this wraps support
for this TSS into tpm2daemon.  Unfortunately this wrapper uses some
APIs that are only present in a relatively recent Intel TSS, so it
looks like it will only work with version 2.4.0 or higher.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

- Add header blurb; see previous patch.
- Add new file to the Makefile

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-11 08:49:45 +01:00
Werner Koch
6a83fc073d
tpmd2: Add copyright blurbs.
--

Confirmed by James Bottomley; see
https://lists.gnupg.org/pipermail/gnupg-devel/2021-March/034755.html

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-11 08:33:44 +01:00
Werner Koch
43bb5250a6
agent: Fix build without TPM
--
2021-03-10 15:52:20 +01:00
James Bottomley
6720f1343a
tpm2d: add tests for the tpm2daemon
* configure.ac: Detect TPM emulator and enable tests.
* tests/tpm2dtests/: New test suite.
* tests/Makefile.am: Run tests.

--
Add a set of tests that exercise tpm2daemon handling of keys and
verify compatibility with non-tpm based keys.

Running this test infrastructure requires a tpm emulator, which is
tested for during configuration.  If an emulator is not found, the
tests won't be run since they require the presence of a TPM (although
the TPM handling code will still be built).

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

- Fixed tests/Makefile.am for make distcheck.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-10 14:29:50 +01:00
James Bottomley
92b601fcee
gpg: Add new command keytotpm to convert a private key to TPM format
* agent/command.c (cmd_keytotpm): New.
(agent/command.c): Register new command KEYTOTPM.
* g10/call-agent.c (agent_keytotpm): New.
* g10/keyedit.c (cmdKEYTOTPM): New command "keytotpm".
(keyedit_menu): Implement.

--

The plumbing is done in two parts: the agent is modified to understand
a KEYTOTPM assuan command taking the key grip as an argument.  This
simply obtains the key s expression and calls the existing writeky
diversion to the tpm2daemon.  The daemon reponds with the TPM
conversion of the key and that key is then stored in the keyfile as a
shadowed-private-key with "tpm2-v1" type.

To effect the conversion, all the user does from gpg --edit-key is
select which private key they wish to move (or move the primary if no
key is selected) and type keytotpm.  The conversion to TPM form is
instantaneous and once converted, the actual key cannot be recovered,
meaning that if you want your gpg key to move to a new laptop you must
keep an unconverted backup copy in a safe location.

When you do a list command, all TPM keys show up as

     card-no: TPM-Protected

The key is stored encrypted to the TPM2 storage seed and since each
TPM has a unique seed, only the single TPM contained in your laptop
can now read the key.  This means you cannot simply copy the shadowed
key file over to a new laptop, you must copy over the backup copy and
then convert it to TPM form on the new laptop.

To decomission your laptop, execute a tssclear command which
regenerates the storage seed and effectively shreds all keys.  Note
when you have done this *every* TPM2 shadowed private key becomes
unreadable by any TPM and all are effectively destroyed.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Very minor cosmetic changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-10 13:34:18 +01:00
James Bottomley
1f995b9ba4
agent: Add new shadow key type and functions to call tpm2daemon
* agent/call-tpm2d.c: New.
* divert-tpm2.c: New.
* agent/Makefile.am: Add new files.
* agent/agent.h (DAEMON_TPM2D): New.  Add stub fucntions.
* agent/call-daemon.c (GNUPG_MODULE_NAME_TPM2DAEMON): New.
* agent/command.c (do_one_keyinfo): Handle tpmv2.
* agent/gpg-agent.c (oTpm2daemonProgram): New.
(opts): New option --tpm2daemon-program.
(parse_rereadable_options): Handle option.
* agent/pkdecrypt.c (agent_pkdecrypt): Divert to tpm2d.
(agent_pksign_do): Ditto.
---

A new shadow key type: "tpm2-v1" is introduced signalling that the
shadowed key is handled by the tpm2daemon.  A function to identify
this type is introduced and diversions to the tpm2daemon functions are
conditioned on this function for pkign and pkdecrypt where the same
diversions to scd are currently done.  The (info) field of the
shadowed key stores the actual TPM key.  The TPM key is encrypted so
only the physical TPM it was created on can read it (so no special
protection is required for the info filed), but if the (info) field
becomes corrupt or damaged, the key will be lost (unlike the token
case, where the key is actually moved inside the token).

Note, this commit adds handling for existing TPM format shadow keys,
but there is still no way to create them.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Additional changes:
* Add ChangeLog entries.
* Some minor indentation fixes.
* agent/Makefile.am (gpg_agent_SOURCES): Change to make distcheck
  work.
* agent/agent.h [!HAVE_LIBTSS]: Do not return -EINVAL but an
  gpg_error_t.  Mark args as unused.
* agent/protect.c (agent_is_tpm2_key): Free BUF.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-10 13:23:05 +01:00
James Bottomley
62a7854816
tpm2d: Add tpm2daemon code
* tpm2d: New directory.
* Makefile.am (SUBDIRS): Add directory.
* configure.ac: Detect libtss and decide whether to build tpm2d.
* am/cmacros.am: Add a define.
* util.h (GNUPG_MODULE_NAME_TPM2DAEMON): New.
* common/homedir.c (gnupg_module_name): Add tpm2d.
* common/mapstrings.c (macros): Add "TPM2DAEMON".
* tools/gpgconf.h (GC_COMPONENT_TPM2DAEMON): New.
* tools/gpgconf-comp.c (known_options_tpm2daemon): New.
(gc_component): Add TPM2.
(tpm2daemon_runtime_change): New.
* tpm2d/Makefile.am: New.
* tpm2d/command.c: New.
* tpm2d/ibm-tss.h: New.
* tpm2d/tpm2.c: New.
* tpm2d/tpm2.h: New.
* tpm2d/tpm2daemon.c: New.
* tpm2d/tpm2daemon.h: New.

---
This commit adds and plumbs in a tpm2daemon to the build to mirror the
operation of scdaemon.  The architecture of the code is that
tpm2daemon.c itself is pretty much a clone of scd/scdaemon.c just with
updated function prefixes (this argues there could be some further
consolidation of the daemon handling code).  Note that although this
commit causes the daemon to be built and installed, nothing actually
starts it or uses it yet.

Command handling
----------------

command.c is copied from the command handler in scd.c except that the
command implementation is now done in terms of tpm2 commands and the
wire protocol is far simpler.  The tpm2daemon only responds to 4
commands

IMPORT:    import a standard s-expression private key and export it to
           TPM2 format.  This conversion cannot be undone and the
           private key now can *only* be used by the TPM2.  To anyone
           who gets hold of the private key now, it's just an
           encrypted binary blob.

PKSIGN:    create a signature from the tpm2 key.  The TPM2 form private
           key is retrieved by KEYDATA and the hash to be signed by
           EXTRA.  Note there is no hash specifier because the tpm2
           tss deduces the hash type from the length of the EXTRA
           data.  This is actually a limitation of the tpm2 command
           API and it will be interesting to see how this fares if the
           tpm2 ever supports say sha3-256 hashes.

PKDECRYPT: decrypt (RSA case) or derive (ECC case) a symmetric key.
	   The tpm2 for private key is retrieved by KEYDATA and the
	   information used to create the symmetric key by EXTRA.

KILLTPM2D: stop the daemon

All the tpm2 primitives used by command.c are in tpm2.h and all the
tpm2 specific gunk is confined to tpm2.c, which is the only piece of
this that actually does calls into the tss library.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Changes from James' patch:

- gpgconf: The displayed name is "TPM" and not "TPM2".  That
  string is used by GUIs and should be something the user
  understands.  For example we also use "network" instead
  of "Dirmngr".
- Removed some commented includes.
- Use 16 as emulation of GPG_ERR_SOURCE_TPM2.
- Silenced a C90 compiler warning and flags unused parameters.
- Removed "if HAVE_LIBS" from tpm2/Makefile.am and add missing
  files so that make distcheck works.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-10 12:33:08 +01:00
Werner Koch
0f191a0707
scd:p15: Fix faulty removal of a test code change.
--

Fixes-commit: 08b5ac492a
2021-03-10 12:25:42 +01:00
Werner Koch
08b5ac492a
scd:p15: Support special extended usage flags for OpenPGP keys.
* scd/app-p15.c (struct gpgusage_flags_s): New.
(struct prkdf_object_s): Add field gpgusage.
(struct app_local_s): Add field any_gpgusage.
(dump_gpgusage_flags): New.
(read_p15_info): Parse athe gpgusage flags.
(do_getattr): Take care of the gpgusage flags.
--

This features allows to mark keys to be used for OpenPGP.  This is
done by putting additional extended key infos into the certificate
stored on the cards.  Only if any such extended key usage is detected
for a stored certificate this new mode chimes in.

This feature gives the card issuer a high flexibility on how to make
sure certain keys are used with OpenPGP.
2021-03-10 11:03:02 +01:00
Werner Koch
a1f281eeec
scd: Swapped openpgp card vendor 0x000a with new 0x000d.
--
2021-03-09 11:15:34 +01:00
Werner Koch
9f8361eda8
scd: Add new Openpgp card vendor name
--
2021-03-09 11:03:14 +01:00