* tools/card-call-scd.c (learn_status_cb): Adjust for recent change.
--
This adjusts for the chnage in scdaemon.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (send_keypair_info): Reaturn the key creation time
as part of a KEYPAIRINFO.
(do_readkey): Do not return the KEY-TIME anymore.
--
Sending the KEY_TIME status as part of a READKEY command was only
recently added. It is better to merge that into the KEYPAIRINFO line.
Another patch with chnage this for the consumers of that info.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/call-scd.c (agent_card_serialno): Allow NULL for R_SERIAL.
(struct readkey_status_parm_s): New.
(readkey_status_cb): New.
(agent_card_readkey): Add optional arg R_KEYREF and change all
callers.
* agent/findkey.c (key_parms_from_sexp): Allow also a "public-key".
* agent/divert-scd.c (ask_for_card): Allow for SHADOW_INFO being NULL.
* agent/pksign.c (agent_pksign_do): Fallback to sign with an on-card
if there is no stub key yet. Create the stub key. Also fixed a
misnaming between s_pkey and s_skey.
--
This change allows to create OpenPGP keys directly from a card without
first making sure that a stub key exists. It is also the less
surprising behaviour.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/call-agent.h (struct card_key_info_s): Rename to ...
(struct keypair_info_s): this.
(keypair_info_t): New. Use this everywhere instead of
card_key_info_s.
* g10/call-agent.c (agent_scd_free_keyinfo): Rename to ..
(free_keypair_info): this. Change all callers.
--
The struct is also useful to store the data from KEYPAIRINFO status
lines. Thus renaming it makes sense. A future patch will extend the
struct.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpg-card.h (struct pubkey_s): Add field created.
* tools/card-keys.c (parse_key_record): Set that field.
* tools/gpg-card.c (print_shax_fpr): Print the fingerprint without
spaces for easier c+p.
(list_one_kinfo): Print the actual used fingerprint and creation date
from the keyblock.
--
A common problem with OpenPGP cards is that the fingerprint as stored
on the card does not match the actual fingerprint. Print both values
to be able to investigate such issues.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpg-card.h (opt): Add var no_key_lookup.
* tools/gpg-card.c (oNoKeyLookup): New const.
(opts): New option --no-key-lookup.
(list_one_kinfo): Add arg no_key_lookup and implement.
(list_all_kinfo): Add arg no_key_lookup.
(list_openpgp, list_piv, list_card): Ditto.
(cmd_list): New option --no-key-lookup.
--
Printing the OpenPGP and X.509 keys used for a specific card key can
be a lengthy operation. The new command line option and option to
"list" allows to suppress that part of the output.
* g10/call-agent.c (readkey_status_cb): New.
(agent_scd_readkey): Add new arg r_keytime and allow NULL for
r_result. Change all callers.
(agent_readkey): Minor code reformatting.
* g10/keygen.c (pCARDKEY): New.
(struct para_data_s): Add u.bool.
(get_parameter_bool): New.
(do_create_from_keygrip): Add arg cardkey and make use of it.
(ask_algo): Add args r_cardkey and r_keytime. Read the keytime of the
selected card key and return it.
(generate_keypair): Store CARDKEY and KEYTIME.
(do_generate_keypair): Pass CARDKEY to do_create_from_keygrip.
(generate_subkeypair): Ditto.
--
This allows to first create keys on the card (e.g. using gpg-card)
even without having any public key for OpenPGP. Then the key
generation option 14 (cardkey) can be used to create a primary OpenPGP
key from the key on the card.
There are still a couple of problems related to the agent which
creates the stub key and may run into problems if creating a second
key from the card. This will be fixed in a future patch.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (retrieve_fprtime_from_card): New.
(do_readkey): Send a KEY_TIME status.
--
It might be easier to fold this into KEYPAIRINFO but for backward
compatibility using a separate status line is safer.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpg-card.c (generate_all_openpgp_card_keys): Add demo key
generation.
(generate_key): Allow generatiing one OpenPGP key.
--
This does now allows to create a single OpenPGP key optioanlly with a
specified parameter. For example to create an auth key:
gpg-card generate --algo=ed25519 OPENPGP.3
Using option --force will overwrite and already existing key.
scdaemon does here take care of swicthing the key attributes before
generating the key.
TODO: We need to add some more stuff to app-openpgp so that the user
is not annoyed by beeing asked to enter the Admin-PIN twice (change
the key attributes clear the verification state). gpg's key
generation also needs some tweaks for using an existing card key which
has no key stub in private-keys-v1.d.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (do_readkey): Use case insensitive match of the
keyref.
(do_writekey, do_sign, do_auth, do_decipher): Ditto.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): Add field keyalgo.
(parse_algorithm_attribute): Store the new keyalgo field.
(change_keyattr): Change info message.
(change_keyattr_from_string): Rewrite to also accept a keyref and a
keyalgo string.
(do_genkey): Change the keyattr if a keyalgo string is given.
--
Having this feature makes it easier to use OpenPGP cards in a similar
way to other cards. Note that the explicit changing via SETATTR is
still supported.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/openpgp-oid.c (openpgp_curve_to_oid): Add optional arg R_NBITS.
Change all callers.
--
In particular for ed25519 and cv25519 it is quite useful to have an
ability to get the required algorithm.
* common/util.h (EXTERN_UNLESS_MAIN_MODULE): Add the definion only
here but now without the Norcroft-C. Change all other places where it
gets defined.
* common/iobuf.h (iobuf_debug_mode): Declare unconditionally as
extern.
* common/iobuf.c (iobuf_debug_mode): Define it here.
* agent/gpg-agent.c (INCLUDED_BY_MAIN_MODULE): Define here and also in
all main modules of all other programs.
* g10/main.h: Put util.h before the local header files.
--
This change is required for use with gcc/ld's LTO feature which does
not allow common blocks. Further gcc 10 will make -fno-common the
default and thus this chnage is always needed. What a pitty.
Co-authored-by: Tomáš Mráz
GnuPG-bug-id: 4831
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 21d9bd8b87a9f793a106095e3838eb71825189d7)
- Applied respective chnages also to gpg-card and keyboxd.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/verify.c (verify_files): Track the first error code.
--
It seems to be possible to play tricks with packet structures so that
log_error is not used for a bad input data. By actually checking the
return code and let the main driver in gpg call log_error, we can fix
this case.
Note that using gpg --verify-files and relying solely on gpg's return
code is at best a questionable strategy. It is for example impossible
to tell which data has been signed.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpg-card.h (struct key_attr): Remove.
(struct key_info_s): Remove key_attr. Add keyalgo and keyalgo_id.
* tools/card-call-scd.c (learn_status_cb): Rework the key-attr info.
* tools/gpg-card.c (list_one_kinfo): Always show the algorithm; if
there is no key show the key attributes instead.
(list_openpgp): Do not print the "Key attributes".
(generate_key): Factor the repalce key pormpt out to ...
(ask_replace_keys): new.
(generate_openpgp): Rename to generate_all_openpgp_card_keys and add
an algo parameter.
(generate_generic): Rename to generate_key. Prepare generation of a
single OpenPGP key.
(cmd_generate): Revamp.
(ask_card_rsa_keysize): Remove.
(ask_card_keyattr): Remove.
(do_change_keyattr): Remove.
(cmd_keyattr): Remove.
(enum cmdids): Remove cmdKEYATTR.
(cmds): Ditto.
(dispatch_command): Ditto.
(interactive_loop): Ditto.
--
This change shows the key attributes of an OpenPGP card instead of the
key's algorithm if no key exists. It also remove the key-attr command
because for uniformity it is better to do this directly in
scd/app-openpgp.c At least for this new gpg-card tool.
There a couple of other changes but to the generate command but they
are not yet ready.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (send_key_attr): Use log_assert.
(do_genkey): Allow prefix.
--
It is more uniform to always use full keyref (e.g. "OPENPGP.1")
instead of just the key number.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/openpgp-oid.c (openpgp_oid_or_name_to_curve): New.
(get_keyalgo_string): Use it.
--
We do not always have an OID, so except the name or the alias of the
curve as well. This creates a second entry mapping to the same name
but that does not matter.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/openpgp-oid.c (openpgp_oid_to_str): Remove duplicated call.
--
The removed function was already called. No memleak etc, though.
Fixes-commit: 4a1558d0c7190cf13d35385e47291a7aa121be3e
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/openpgp-oid.c (struct keyalgo_string_s): New.
(keyalgo_strings): New.
(keyalgo_strings_size, keyalgo_strings_used): New.
(get_keyalgo_string): New.
--
This function is intended as a more general version of gpg's
pubkey_string function. It has the advantage to avoid mallocs and
uses static table of algorithm strings instead. There should be only
a few dozen of such strings (if at all) and thus all those allocations
we do internally in gpg's pubkey_string and the static buffers all
over the place are not too nice.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/misc.c (map_pk_gcry_to_openpgp): Move to ...
* common/openpgp-oid.c (map_gcry_pk_to_openpgp): here and rename.
Change all 4 callers.
(map_openpgp_pk_to_gcry): New.
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/server.c (do_listkeys): Implement new option.
--
This option can be used by clients who can only provide a DER encoded
form of the issuer. For example in PKCS#11 providers.
Testing:
Put the DER encoded issuer DN into a file, say issuer.der.
The run
gpg-connect-agent -E -- gpgsm --server
> /definqfile ISSUER_DER issuer.der
> list-keys --issuer-der 01020304
and if the local keyring has a certifictate with that issuer and a s/n
of 0x01020304 that certificate will be listed.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/watchgnupg.c: Include sys/wait.h.
(GNUPG_DEF_COPYRIGHT_LINE): Add a default value for standalone
building.
(get_logname): New.
(main): Use a default socket name and add option --homedir.
--
This is quite convenient and saves a lot of typing or shell alias
definitions.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/call-agent.c (keyinfo_status_cb): Parse more fields.
(agent_probe_secret_key): Use KEYINFO and returns bigger value
representing the preference.
* g10/getkey.c (finish_lookup): For subkeys, select one
by using value of agent_probe_secret_key.
--
GnuPG-bug-id: 3416
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/card-call-scd.c (struct card_cardlist_parm_s): Add field
with_apps.
(card_cardlist_cb): Handle the new with_apps flag.
(scd_switchcard): New.
(scd_switchapp): New.
(scd_applist): New.
(scd_serialno): Pass --all also in --demand mode.
* tools/gpg-card.c (cmd_list): Simplify switching of cards. Add
switching of alls. Print a list of apps per card.
--
Note that the output format of "list --card" slightly changes: The
current card is indicated with an asterisk. That should not harm any
robust parsers which might already be in use. It is anyway a
development version.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app.c: Include membuf.h.
(app_switch_current_card): New.
(send_card_and_app_list): Factor code out to ...
(send_serialno_and_app_status): new.
(app_send_card_list): New.
(app_send_active_apps): New.
(app_switch_active_app): New.
* scd/command.c (cmd_switchcard): New.
(cmd_switchapp): New.
(register_commands): Register new commands.
(cmd_getinfo): New sub-commands "active_apps" and "all_active_apps".
--
These new commands allow to switch between known cards and are in
particular useful for the gpg-card tool.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-piv.c (ask_and_prepare_chv): here.
--
The test code from the last PIV change was accidently kept enabled.
Fixes-commit: 2dd6b4b998dd6e156e2e75ede0f40fb768c69f40
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/parse-packet.c (enum_sig_subpkt): Print a hexdump.
--
A test key for this is 02DF08F5FD356BF27F5F7B838921B5DCCD15A883 .
A key listing in verbose mode will now yield
gpg: DBG: buffer shorter than subpacket (10/9/25);\
dump: 19100d87e54973647cff
The error here is that the packet length is 0x19 but what follows is a
long keyid (subpacket 16) which is shorter. The debug output might be
helpful to better analyze broken signatures.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/skclist.c (enum_secret_keys): Don't use agent_scd_cardlist and
agent_scd_serialno, but agent_scd_keyinfo.
--
When there are multiple cards/tokens, this change can avoid switching
card of foreground access.
GnuPG-bug-id: 4784
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (struct app_local_s): New field pincache.
(cache_pin): Set it.
(pin_from_cache): Consult it.
* scd/app-piv.c (struct app_local_s): New field pincache.
(cache_pin): Set it.
(pin_from_cache): Consult it.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (pincache_put): Add arg pinlen and change all callers
to provide it.
* scd/app-piv.c (cache_pin): New.
(pin_from_cache): New.
(ask_and_prepare_chv): Add args no_cache and r_unpaddedpinlen. Take
PIN from the cache. Return the unpadded length.
(verify_chv): Add arg ctrl. Cache the PIN.
(do_change_chv): Clear PIN cache.
--
The PIV pins are padded but we want to store the unpadded PIN. Thus
the changes to the function.
Code has has been tested by commenting the no_cache parameter because
we the current test certificate was created for PIV.9C which requires
a verification for each use. More testing is required.
GnuPG-bug-id: 4791
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command.c (struct server_local_s): Add last_card_keyinfo.
(eventcounter): Add maybe_key_change.
(cmd_genkey, cmd_scd, cmd_import_key, cmd_delete_key): Bump new
counter.
(cmd_keyinfo): Cache the keyinfo from the card.
(start_command_handler): Release the cache.
--
This cache speeds up processing of commands like "gpg -K" because
scdaemon does not need to be asked for each key as long as nothing
changed with the card.
We should have a better notification service from scdaemon to make
sure that we get only the relevant events. What we do right now is a
bit course but sufficient.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/sysutils.c (inhibit_set_foregound_window): New var.
(gnupg_inhibit_set_foregound_window): New func.
(gnupg_allow_set_foregound_window): Use var.
* g10/gpg.c (main): Inhibit in loopback mode.
* sm/gpgsm.c (main): Ditto.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app.c (maybe_switch_app): Factor reselect code out to ...
(run_reselect): new.
(app_write_learn_status): Tweak diagnostics.
(app_do_with_keygrip): Run reselect if a card has more than one
switchable application.
* agent/call-scd.c (agent_card_serialno): Ditto.
* tools/card-call-scd.c (start_agent): Use option --all with SERIALNO.
(scd_serialno): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command-ssh.c (card_key_available): Supply KEYINFO argument.
Call agent_card_readkey by KEYGRIP of KEYINFO.
Don't use $AUTHKEYID, but IDSTR of KEYINFO.
(ssh_handler_request_identities): Follow the change of
card_key_available.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>