1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

9347 Commits

Author SHA1 Message Date
James Bottomley
4997838c7b
doc: add documentation for gpg's keytotpm command
--
The tpm2d patches introduced a new --edit-key command: keytotpm.  Add
a descriptive entry explaining what it does and how it works.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
2021-03-12 19:24:37 +01:00
Werner Koch
5732e7a8e9
scd: New option --pcsc-shared.
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (cache_pin): Bypass in shared mode.
(verify_chv2: Do not auto verify chv1 in shared mode.
* scd/app-piv.c (cache_pin): By pass caceh in shared mode.
--

This option should in general not be used.  The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.
2021-03-12 09:31:17 +01:00
NIIBE Yutaka
95156ef9bf scd: Fix computing fingerprint for ECC with SOS.
* scd/app-openpgp.c (count_sos_bits): New.  Count as sos_write does.
(store_fpr): For ECC, use count_sos_bits.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-12 16:20:28 +09:00
NIIBE Yutaka
cfc1497efa gpg: Fix compute_fingerprint for ECC with SOS.
* g10/keyid.c (hash_public_key): Tweak NBITS just as sos_write does.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-12 16:15:04 +09:00
Valtteri Vuorikoski
8cad11d13b
scd:piv: Improve APT parser compatibility.
* scd/app-piv.c (app_select_piv): Allow for full AID.
--

It appears that SP-800-73-x is not too clear about the format of these
objects. Many current cards (such as the Yubikey 5 series) apparently
have only the PIX in DO 0x4F and only the RID in object 0x79/0x4F.

However, other cards as well as the PivApplet Javacard applet have the
full AID in 0x4F (which actually seems closer to what the standard
says). PivApplet also has the full AID in 0x79/0x4F, but this is
probably incorrect. (Here is a long discussion of the matter from an
OpenSC author:
https://github.com/arekinath/PivApplet/issues/43#issuecomment-772649709)

[Taken from a mail to gnupg-devel date 2021-02-03.]

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-11 14:06:51 +01:00
Werner Koch
6976a70270
doc: Add a sending patches section to HACKING.
--

This is based on a patch by

Co-authored-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Co-authored-by: Todd Zullinger <tmz@pobox.com>

regarding Libassuan sent to gnupg-devel on 2018-02-02
2021-03-11 13:05:10 +01:00
Werner Koch
752adf8a6b
doc: Always use --edit-key and not just the --edit abbreviation.
--

Reported-by: Carl Michael Skog
2021-03-11 12:38:51 +01:00
Werner Koch
fe02ef0450
gpg: New option --force-sign-key
* g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key".
(main): Set it.
* g10/options.h (opt): New flag flags.force_sign_key.
* g10/keyedit.c (sign_uids): Use new flag.
--

GnuPG-bug-id: 4584
2021-03-11 11:27:07 +01:00
James Bottomley via Gnupg-devel
b9c560e3a4
tpmd2: Add Support for the Intel TSS
* configure.ac: Check for Intel TSS.
* tpm2d/intel-tss.h: New.
* tpm2d/tpm2.h (HAVE_INTEL_TSS): Use the Intel code.

--
The Intel TSS is somewhat of a moving target, so this wraps support
for this TSS into tpm2daemon.  Unfortunately this wrapper uses some
APIs that are only present in a relatively recent Intel TSS, so it
looks like it will only work with version 2.4.0 or higher.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

- Add header blurb; see previous patch.
- Add new file to the Makefile

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-11 08:49:45 +01:00
Werner Koch
6a83fc073d
tpmd2: Add copyright blurbs.
--

Confirmed by James Bottomley; see
https://lists.gnupg.org/pipermail/gnupg-devel/2021-March/034755.html

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-11 08:33:44 +01:00
Werner Koch
43bb5250a6
agent: Fix build without TPM
--
2021-03-10 15:52:20 +01:00
James Bottomley
6720f1343a
tpm2d: add tests for the tpm2daemon
* configure.ac: Detect TPM emulator and enable tests.
* tests/tpm2dtests/: New test suite.
* tests/Makefile.am: Run tests.

--
Add a set of tests that exercise tpm2daemon handling of keys and
verify compatibility with non-tpm based keys.

Running this test infrastructure requires a tpm emulator, which is
tested for during configuration.  If an emulator is not found, the
tests won't be run since they require the presence of a TPM (although
the TPM handling code will still be built).

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

- Fixed tests/Makefile.am for make distcheck.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-10 14:29:50 +01:00
James Bottomley
92b601fcee
gpg: Add new command keytotpm to convert a private key to TPM format
* agent/command.c (cmd_keytotpm): New.
(agent/command.c): Register new command KEYTOTPM.
* g10/call-agent.c (agent_keytotpm): New.
* g10/keyedit.c (cmdKEYTOTPM): New command "keytotpm".
(keyedit_menu): Implement.

--

The plumbing is done in two parts: the agent is modified to understand
a KEYTOTPM assuan command taking the key grip as an argument.  This
simply obtains the key s expression and calls the existing writeky
diversion to the tpm2daemon.  The daemon reponds with the TPM
conversion of the key and that key is then stored in the keyfile as a
shadowed-private-key with "tpm2-v1" type.

To effect the conversion, all the user does from gpg --edit-key is
select which private key they wish to move (or move the primary if no
key is selected) and type keytotpm.  The conversion to TPM form is
instantaneous and once converted, the actual key cannot be recovered,
meaning that if you want your gpg key to move to a new laptop you must
keep an unconverted backup copy in a safe location.

When you do a list command, all TPM keys show up as

     card-no: TPM-Protected

The key is stored encrypted to the TPM2 storage seed and since each
TPM has a unique seed, only the single TPM contained in your laptop
can now read the key.  This means you cannot simply copy the shadowed
key file over to a new laptop, you must copy over the backup copy and
then convert it to TPM form on the new laptop.

To decomission your laptop, execute a tssclear command which
regenerates the storage seed and effectively shreds all keys.  Note
when you have done this *every* TPM2 shadowed private key becomes
unreadable by any TPM and all are effectively destroyed.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Very minor cosmetic changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-10 13:34:18 +01:00
James Bottomley
1f995b9ba4
agent: Add new shadow key type and functions to call tpm2daemon
* agent/call-tpm2d.c: New.
* divert-tpm2.c: New.
* agent/Makefile.am: Add new files.
* agent/agent.h (DAEMON_TPM2D): New.  Add stub fucntions.
* agent/call-daemon.c (GNUPG_MODULE_NAME_TPM2DAEMON): New.
* agent/command.c (do_one_keyinfo): Handle tpmv2.
* agent/gpg-agent.c (oTpm2daemonProgram): New.
(opts): New option --tpm2daemon-program.
(parse_rereadable_options): Handle option.
* agent/pkdecrypt.c (agent_pkdecrypt): Divert to tpm2d.
(agent_pksign_do): Ditto.
---

A new shadow key type: "tpm2-v1" is introduced signalling that the
shadowed key is handled by the tpm2daemon.  A function to identify
this type is introduced and diversions to the tpm2daemon functions are
conditioned on this function for pkign and pkdecrypt where the same
diversions to scd are currently done.  The (info) field of the
shadowed key stores the actual TPM key.  The TPM key is encrypted so
only the physical TPM it was created on can read it (so no special
protection is required for the info filed), but if the (info) field
becomes corrupt or damaged, the key will be lost (unlike the token
case, where the key is actually moved inside the token).

Note, this commit adds handling for existing TPM format shadow keys,
but there is still no way to create them.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Additional changes:
* Add ChangeLog entries.
* Some minor indentation fixes.
* agent/Makefile.am (gpg_agent_SOURCES): Change to make distcheck
  work.
* agent/agent.h [!HAVE_LIBTSS]: Do not return -EINVAL but an
  gpg_error_t.  Mark args as unused.
* agent/protect.c (agent_is_tpm2_key): Free BUF.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-10 13:23:05 +01:00
James Bottomley
62a7854816
tpm2d: Add tpm2daemon code
* tpm2d: New directory.
* Makefile.am (SUBDIRS): Add directory.
* configure.ac: Detect libtss and decide whether to build tpm2d.
* am/cmacros.am: Add a define.
* util.h (GNUPG_MODULE_NAME_TPM2DAEMON): New.
* common/homedir.c (gnupg_module_name): Add tpm2d.
* common/mapstrings.c (macros): Add "TPM2DAEMON".
* tools/gpgconf.h (GC_COMPONENT_TPM2DAEMON): New.
* tools/gpgconf-comp.c (known_options_tpm2daemon): New.
(gc_component): Add TPM2.
(tpm2daemon_runtime_change): New.
* tpm2d/Makefile.am: New.
* tpm2d/command.c: New.
* tpm2d/ibm-tss.h: New.
* tpm2d/tpm2.c: New.
* tpm2d/tpm2.h: New.
* tpm2d/tpm2daemon.c: New.
* tpm2d/tpm2daemon.h: New.

---
This commit adds and plumbs in a tpm2daemon to the build to mirror the
operation of scdaemon.  The architecture of the code is that
tpm2daemon.c itself is pretty much a clone of scd/scdaemon.c just with
updated function prefixes (this argues there could be some further
consolidation of the daemon handling code).  Note that although this
commit causes the daemon to be built and installed, nothing actually
starts it or uses it yet.

Command handling
----------------

command.c is copied from the command handler in scd.c except that the
command implementation is now done in terms of tpm2 commands and the
wire protocol is far simpler.  The tpm2daemon only responds to 4
commands

IMPORT:    import a standard s-expression private key and export it to
           TPM2 format.  This conversion cannot be undone and the
           private key now can *only* be used by the TPM2.  To anyone
           who gets hold of the private key now, it's just an
           encrypted binary blob.

PKSIGN:    create a signature from the tpm2 key.  The TPM2 form private
           key is retrieved by KEYDATA and the hash to be signed by
           EXTRA.  Note there is no hash specifier because the tpm2
           tss deduces the hash type from the length of the EXTRA
           data.  This is actually a limitation of the tpm2 command
           API and it will be interesting to see how this fares if the
           tpm2 ever supports say sha3-256 hashes.

PKDECRYPT: decrypt (RSA case) or derive (ECC case) a symmetric key.
	   The tpm2 for private key is retrieved by KEYDATA and the
	   information used to create the symmetric key by EXTRA.

KILLTPM2D: stop the daemon

All the tpm2 primitives used by command.c are in tpm2.h and all the
tpm2 specific gunk is confined to tpm2.c, which is the only piece of
this that actually does calls into the tss library.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Changes from James' patch:

- gpgconf: The displayed name is "TPM" and not "TPM2".  That
  string is used by GUIs and should be something the user
  understands.  For example we also use "network" instead
  of "Dirmngr".
- Removed some commented includes.
- Use 16 as emulation of GPG_ERR_SOURCE_TPM2.
- Silenced a C90 compiler warning and flags unused parameters.
- Removed "if HAVE_LIBS" from tpm2/Makefile.am and add missing
  files so that make distcheck works.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-10 12:33:08 +01:00
Werner Koch
0f191a0707
scd:p15: Fix faulty removal of a test code change.
--

Fixes-commit: 08b5ac492afc6c6e7eaaa1f70d67c81cbda2c9be
2021-03-10 12:25:42 +01:00
Werner Koch
08b5ac492a
scd:p15: Support special extended usage flags for OpenPGP keys.
* scd/app-p15.c (struct gpgusage_flags_s): New.
(struct prkdf_object_s): Add field gpgusage.
(struct app_local_s): Add field any_gpgusage.
(dump_gpgusage_flags): New.
(read_p15_info): Parse athe gpgusage flags.
(do_getattr): Take care of the gpgusage flags.
--

This features allows to mark keys to be used for OpenPGP.  This is
done by putting additional extended key infos into the certificate
stored on the cards.  Only if any such extended key usage is detected
for a stored certificate this new mode chimes in.

This feature gives the card issuer a high flexibility on how to make
sure certain keys are used with OpenPGP.
2021-03-10 11:03:02 +01:00
Werner Koch
a1f281eeec
scd: Swapped openpgp card vendor 0x000a with new 0x000d.
--
2021-03-09 11:15:34 +01:00
Werner Koch
9f8361eda8
scd: Add new Openpgp card vendor name
--
2021-03-09 11:03:14 +01:00
Werner Koch
521d3cdee5
doc: Update the NEWS file.
--
2021-03-08 22:17:04 +01:00
Werner Koch
a4021d9be4
sm: Init nPth which might be used by some helper code.
* sm/gpgsm.c: Include npth.h.
(main): Init nPth.
--

Actually we currently do not use extra threads but we need to link to
the npth version of the common functions because there is an option to
use threads.  Now, without initialized npth, we could experience a
crash in gnupg_sleep, which uses npth_usleep in the npth based common
functions.

Fixes-commit: 046f419f806036248c058c4bd44368f8596287b7
2021-03-08 21:53:29 +01:00
Werner Koch
33c492dcb9
w32: Cleanup use of pid_t in call-daemon
* agent/call-daemon.c (struct wait_child_thread_parm_s) [W32]: Do not
use HANDLE for pid_t.
(wait_child_thread): Ditto.
--

Mingw has its own definition of pid_t as does libassuan.  We should use
this instead of using HANDLE.  Things are a bit complicated in
Windows, because Windows also has a pid_t but that is mostly useless;
in particular because you can't wait on a real pid but need a handle.
2021-03-08 21:53:29 +01:00
Werner Koch
cf2f6d8a3f
w32: Change spawn functions to use Unicode version of CreateProcess.
* common/exechelp-w32.c (gnupg_spawn_process): Change to use
CreateProcessW.
(gnupg_spawn_process_fd): Ditto.
(gnupg_spawn_process_detached): Ditto.
* g10/exec.c (w32_system): Ditto.
--

GnuPG-bug-id: 4398

We do not use this weirdo CREATE_UNICODE_ENVIRONMENT flag because it
does not make any sense to have non-ASCII names in the environment.  I
can't imagine why this should be used at all and rationale for this
API features is, well, sparse.
2021-03-08 21:53:28 +01:00
NIIBE Yutaka
fc99f77b14 scd: Fix for X448.
* scd/app-openpgp.c (do_decipher): Support with no prefix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-08 16:23:26 +09:00
Werner Koch
8c41b8aac3
w32: Always use Unicode for console input and output.
* common/init.c (_init_common_subsystems) [W32]: Set the codepage to
UTF-8 for input and putput.  Switch gettext to UTF-8.
* tools/gpgconf.c (main): Display the input and output codepage if
they differ.
* g10/gpg.c (utf8_strings) [W32]: Make sure this is always set.
--

With this patch the former patch to use ReadConsoleW and WriteConsoleW
in ttyio.c are kind of superfluous because the ANSI version of these
functions are also able to read/write UTF-8 directly given the console
code page has been set correctly.  However, this seems to work only
with recent versions of Windows-10.

GnuPG-bug-id: 4365
2021-03-05 15:33:40 +01:00
Werner Koch
31b708e268
w32: Free memory allocated by new function w32_write_console.
* common/ttyio.c (w32_write_console): Free buffer.
--
2021-03-05 10:53:55 +01:00
Werner Koch
f165c8a737
common,w32: Allow Unicode input and output with the console.
* common/ttyio.c (do_get) [W32]: Use ReadConsoleW.
(w32_write_console): New.
(tty_printf, tty_fprintf) [W32]: Use new function.
--

Note that due this change fixed stings (i.e. gettext translations)
printed to the console will not be rendered correctly unless "chcp
65001" has been used.  This needs to be fixed by followup patch.

GnuPG-bug-id: 4365
2021-03-05 10:43:11 +01:00
Werner Koch
8622f53994
common: Re-indent ttyio.c and remove EMX, RISCOS, and CE support
* common/ttyio.c: Remove cruft like EMX and RISCOS support.  Translate
a few strings.  Re-indent.
--
2021-03-05 09:19:43 +01:00
Werner Koch
7262d602d8
common: Rename w32-misc.c to w32-cmdline.c
* common/w32-misc.c: Rename to ....
* common/w32-cmdline.c: this.
* common/Makefile.am: Adjust.
--
2021-03-04 17:14:02 +01:00
Werner Koch
089c943967
common,w32: Implement globing of command line args.
* common/w32-misc.c [W32]: Include windows.h
(struct add_arg_s): New.
(add_arg): New.
(glob_arg): New.
(parse_cmdstring): Add arg argvflags and set it.
(w32_parse_commandline): Add arg r_itemsalloced.  Add globing.

* common/init.c (prepare_w32_commandline): Mark glob created items as
leaked.

* common/t-w32-cmdline.c : Include windows.h
(test_all): Add simple glob test for Unix.
(main): Add manual test mode for Windows.

--

GnuPG-bug-id: 4398
2021-03-04 16:59:21 +01:00
Werner Koch
20c6007686
common,w32: Refine the command line parsing for \ in quotes.
* common/t-w32-cmdline.c (test_all): Add new test cases.
* common/w32-misc.c (strip_one_arg): Add arg endquote.
(parse_cmdstring): Take care of backslashes in quotes.
--

I found some new test vectors from Microsoft.
2021-03-04 12:49:03 +01:00
Werner Koch
8e15506d66
gpg: Prepare for globing with UTF-8.
* g10/gpg.c (_dowildcard): Remove.
(my_strusage): Enable wildcards using our new system.
--

This patch actually removes the current globing using a mingw
feature.  We are not able to use this because it does not handle
Unicode filenames.  The plan is to implement this in init.c.  This
patch merely configures gpg to request globing.

GnuPG-bug-id: 4398
2021-03-04 10:43:46 +01:00
Werner Koch
deb6c94362
common: First take on handling Unicode command line args.
* common/w32-misc.c: New.
* common/t-w32-cmdline.c: New.
* common/init.c: Include w32help.h.
(prepare_w32_commandline): New.
(_init_common_subsystems) [W32]: Call prepare_w32_commandline.

* common/Makefile.am (common_sources) [W32]: Add w32-misc.c
(module_tests): Add t-w32-cmdline
(t_w32_cmdline_LDADD): New.
--

The rules for the command line parser are not cleary specified - if at
all.  See the comment in t-w32-cmdline.c.

We can't use the mingw version because that would require to change
all argv handling to be wchar_t and that only for Windows.  That would
be too ugly.  Parsing the command line into argv by us is much easier
and we can do that only if needed - i.e. if globing is required (we
are prepared for this) or a non-ASCII character has been encountered.
This way we keep things stable and only fix the currently not working
Unicode problem.

GnuPG-bug-id: 4398
2021-03-04 10:22:14 +01:00
Nicolas Fella via Gnupg-devel
be2da24456
gpg: Keep temp files when opening images via xdg-open
* g10/photoid.c (get_default_photo_command): Change parameter for
xdg-open.
--

xdg-open spawns the user's preferred image viewer and then exits.
Therefore we must not remove the temp file when it exits,
otherwise by the time the actual image viewer is started the file
doesn't exist any more.

Signed-off-by: Nicolas Fella <nicolas.fella@gmx.de>
2021-03-01 09:43:26 +01:00
Werner Koch
5ed1567e7c
po: Make agent/commands.c translatable and update German translation.
--

GnuPG-bug-id: 4777

This also fixes a bad fuzzy translation which accidently had been
commited without realizing that there was indeed a change (from
"... GnuPG" to "... %s").
2021-02-26 14:53:48 +01:00
bobwxc
f5897b3d24 po: Update Simplified Chinese Translation.
--

Signed-off-by: bobwxc <bobwxc@yeah.net>
2021-02-26 12:00:12 +09:00
Werner Koch
e54cd36bbb
doc: Typo fixes for dirmngr.texi
--
2021-02-25 17:03:35 +01:00
Werner Koch
c032066d6b
kbx: Log debug fixes
--
2021-02-25 17:02:49 +01:00
Werner Koch
d51a5ca108
scd:p15: Read out the access flags.
* scd/app-p15.c (struct keyaccess_flags_s): New.
(struct prkdf_object_s): Add field accessflags.
(dump_keyusage_flags): New.
(dump_keyaccess_flags): New.
(parse_keyaccess_flags): New.
(parse_common_key_attr): Return access flags.
(read_ef_prkdf): Parse the access flags.  Allow for ECkeys.
(read_ef_pukdf): Ditto.  Use new functions for printing.
(read_p15_info): Use new fucntion for printing.
2021-02-25 17:01:38 +01:00
Werner Koch
7de53c2633
build: Require sqlite 3.27
--

Requiring 3.28 had the problem that for example Debin distributes a
3.27 with backported fixes.  There is no 3.28.  So we relax this
again.

Fixes-commit: d763548f2e00726a40ec886c8179c07bf4e6e664
2021-02-25 17:01:03 +01:00
Werner Koch
a170f0e73f
sm: Do not print certain issuer not found diags in quiet mode.
* sm/certchain.c (find_up_dirmngr): Print one diagnostic only in
verbose mode.  Do not print issuer not found diags in quiet mode.
* sm/minip12.c (parse_bag_data): Add missing verbose condition.
--

GnuPG-bug-id: 4757
2021-02-25 09:16:18 +01:00
Werner Koch
473b83d1b9
sm: Fix issuer certificate look error due to legacy error code.
* sm/certchain.c (find_up): Get rid of the legacy return code -1 and
chnage var name rc to err.
(gpgsm_walk_cert_chain): Change var name rc to err.
(do_validate_chain): Get rid of the legacy return code -1.
--

This was detected while fixing
GnuPG-bug-id: 4757
2021-02-25 09:00:38 +01:00
Werner Koch
d763548f2e
build: Require a fixed SQlite version.
--

We are actually not vulnerable but it seems to be a good idea to force
installation of a good copy of SQlite

GnuPG-bug-id: 4510
2021-02-24 22:53:40 +01:00
Werner Koch
cfdaf2bcc8
scd:p15: Get the label value of all objects for better diagnostics.
* scd/app-p15.c (struct cdf_object_s): Add fields authid, authidlen,
and label.
(struct prkdf_object_s): Add field label.
(struct aodf_object_s): Ditto.
(release_cdflist): Free new fields.
(release_prkdflist): Free new field.
(release_aodf_object): Ditto.
(parse_common_obj_attr): Return the label.
(read_ef_prkdf): Store the label.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Use parse_common_obj_attr and store authid and label.
Print them im verbose mode.
(read_ef_aodf): Store the label and print it.
2021-02-24 15:50:00 +01:00
Werner Koch
8f353cbacb
doc: Explain how Tor is detected.
--
2021-02-24 11:08:45 +01:00
Werner Koch
615d2e4fb1
sm: Silence some output on --quiet
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose mode.
--

GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
Werner Koch
33aaa37e5b
scd:p15: Make it code work again for D-Trust cards.
* scd/app-p15.c (select_and_read_binary): Allow to skip the select.
(select_and_read_record): Return the statusword.  Silence error
message for SW_FILE_STRUCT.
(select_ef_by_path): Fix selection with a home_DF.
(read_first_record): Fallback to read_binary for CardOS and return
info about this.
(read_ef_prkdf): Use info from read_first_record to decide whether to
use record or binary mode.
(read_ef_pukdf): Ditto.
(read_ef_aodf): Ditto.
(read_ef_cdf): Ditto.  New arg cdftype for diagnostics.
(read_p15_info): Pass cdftype.

* scd/apdu.h (SW_FILE_STRUCT): New.
* scd/apdu.c (apdu_strerror): Map that one to a string.
* scd/iso7816.c (map_sw): and to a gpg-error.
2021-02-23 12:56:42 +01:00
Werner Koch
2490f4e8e1
scd: Fix readkey --info in case a readkey command is available.
* scd/command.c (do_readkey): Make --info also work if a readkey
command is available.

* scd/app-p15.c (cdf_object_from_certid): Fix a but introduced with
the previous commit.
2021-02-22 18:28:45 +01:00
Werner Koch
488eaedc9a
scd:p15: Extract extended usage flagsand act upon them.
* scd/app-p15.c: Add a couple of oid constants.
(struct cdf_object_s): Replace fields image and imagelen by cert.
(struct prkdf_object_s): Add extusage flags
(send_keypairinfo): Use them.
(cdf_object_from_certid): Factor parts out to ...
(cdf_object_from_objid): new function.
(read_ef_prkdf): Move info printing to ...
(read_p15_info): here.  Fill the extusage flags.
(readcert_by_cdf): Cache the ksba cert object instead of the binary
cert.
* scd/app.c (select_additional_application): Fix a log_debug call.
(scd_update_reader_status_file): Ditto.
--

This allows us to return only KEYPAIRINFO lines for keys we can
actually use.
2021-02-22 17:51:11 +01:00
Werner Koch
4c9b509d24
sm: Extend the list of known OIDs.
* sm/keylist.c (oidtranstbl): Add a couple of OIDs and mark them for
key usage.
2021-02-22 15:54:05 +01:00