1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

673 Commits

Author SHA1 Message Date
Werner Koch
c7ff8c59b9
sm: Fix a warning in an es_fopencooie function.
* sm/certdump.c (format_name_writer): Take care of a flush request.
--

We won't see a flush here so that fix does not solve a real bug but we
want to be correct.  Note that this function seems to predate the
es_fopenmem function and thus in master (2.3) we should replace it
entirely.

GnuPG-bug-id: 4495
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from 2.2 commit 8d0d61aca3d2713df8a33444af3658b859d72be8)
2020-04-01 09:58:11 +02:00
Werner Koch
9c5c7c6f60
sm: Fix possible NULL deref in error messages of --gen-key.
* sm/certreqgen.c: Protect printing the liniernur in case of !R.
--

GnuPG-bug-id: 4895
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-30 17:16:30 +02:00
Werner Koch
0b583a555e
sm: Consider certificates w/o CRL DP as valid.
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP.
* common/audit.c (proc_type_verify): Print "n/a" if a cert has no
distribution point.
* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
(opts): Add option --enable-issuer-based-crl-check.
(main): Set option.
--

If the issuer does not provide a DP and the user wants such an issuer,
we expect that a certificate does not need revocation checks.  The new
option --enable-issuer-based-crl-check can be used to revert to the
old behaviour which requires that a suitable LDAP server has been
configured to lookup a CRL by issuer.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-27 21:16:07 +01:00
NIIBE Yutaka
e06a8e3e87 gpgsm: Fix the previous commit.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-03-27 19:42:14 +09:00
NIIBE Yutaka
49ea53b755 gpgsm: Support key generation with ECC.
* sm/certreqgen.c (pKEYCURVE): New.
(read_parameters): Add pKEYCURVE handling.
(proc_parameters): Support ECC key generation.

GnuPG-bug-id: 4888
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-03-26 15:54:14 +09:00
NIIBE Yutaka
238707db8b gpgsm: Remove restriction of key generation (only RSA).
* sm/certreqgen.c (proc_parameters): Remove checking GCRY_PK_RSA.

--

This is an initial change to support ECC key generation.

GnuPG-bug-id: 4888
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-03-26 11:30:58 +09:00
Werner Koch
451cd1b392
gpgconf: Further simplify the gpgconf option processing.
* common/gc-opt-flags.h (GC_OPT_FLAG_RUNTIME): Move to ...
* tools/gpgconf-comp.c: here.
(known_options_scdaemon): Remove "options".
(known_options_dirmngr): Remove "options".
(known_options_gpgsm): Remove "options".
(known_options_gpg): Remove "options" and "keyserver".
(struct gc_option_s): Rename active t gpgconf_list.
(gc_component_list_options): Do not act upon active.
(option_check_validity): Ditto.
(is_known_option): Make it work correctly for unknown options.
(retrieve_options_from_program): Use renamed flag gpgconf_list only to
detect duplicated items from --gpgconf-list.  Do not set runtime.
Only e set the options if set by --gpgconf-list; never clear them.
* agent/gpg-agent.c: Simplify the --gpgconf-list output.
* dirmngr/dirmngr.c: Ditto.
* g10/gpg.c: Ditto.
* kbx/keyboxd.c: Ditto.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto.
* tests/openpgp/gpgconf.scm: Use "compliance" instead of "keyserver"
for the string arg test.
--

There is no need to read the list of options from the components
unless they convey a default value.  It is better to consult only the
list we have in gpgconf-comp.c to decide on whether an option should
be displayed.   Right, this might mess up thing if a newer gpgconf
version is used with an older component, but we already print warnings
in this case and in general we do not want to support this anymore -
the times of gpg 1.4. and 2.0 are long over now.

GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-14 19:12:41 +01:00
Werner Koch
9bc3e7ec03
gpgsm: Re-group the options in the --help output.
--

This looks better and is also required for further simplifications of
gpgconf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-06 16:21:10 +01:00
Werner Koch
4423e9dcde
gpgconf: Support reading global options (part 2).
* tools/gpgconf-comp.c: Remove all regular option descriptions.  They
are now read in from the component.  Also remove a few meanwhile
obsolete options.
* agent/gpg-agent.c: Add option description which were only set in
gpgconf-comp.c.
* dirmngr/dirmngr.c: Ditto.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto.
* g10/gpg.c: Ditto.
--

This second part removes all regular option descriptions because they
can be read from the components.  A few were missing in the components
and thus moved to there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-06 10:09:26 +01:00
Werner Koch
2c823bd878
Use gpgrt's new option parser for gpgc, gpgsm, and gpg-agent.
* g10/gpgv.c: Use new option parser.
* sm/gpgsm.c: Ditto.
* agent/gpg-agent.c: Ditto.
(opts): Add option --no-options.
--

This is the next part of changes.  The latest libgpg-error is required
so that that re-reading options (SIGHUP) works.

GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-20 14:59:58 +01:00
Werner Koch
0e8f6e2aa9
gpg: Use gpgrt's new option parser to provide a global conf file.
* common/util.h: Remove argparse.h.
* common/argparse.c: Undef GPGRT_ENABLE_ARGPARSE_MACROS.
* configure.ac (GPGRT_ENABLE_ARGPARSE_MACROS): Define.
* agent/gpg-agent.c: Undef GPGRT_ENABLE_ARGPARSE_MACROS and include
argparse.h.  Do this also for all main modules which use our option
parser except for gpg.  Replace calls to strusage by calls to
gpgrt_strusage everywhere.

* g10/gpg.c (opts): Change type to gpgrt_opt_t.  Flag oOptions and
oNoOptions with ARGPARSE_conffile and ARGPARSE_no_conffile.
(main): Change type of pargs to gpgrt_argparse_t.  Rework the option
parser to make use of the new gpgrt_argparser.
--

This is not yet finished but a make check works.  gpg has the most
complex and oldest option handling and thus this is the first
migration target.  SE-Linux checks and version-ed config files are
missing and will be added later.

GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-20 11:13:32 +01:00
Daniel Kahn Gillmor
0904b8ef34 Spelling cleanup.
No functional changes, just fixing minor spelling issues.

---

Most of these were identified from the command line by running:

  codespell \
    --ignore-words-list fpr,stati,keyserver,keyservers,asign,cas,iff,ifset \
    --skip '*.po,ChangeLog*,help.*.txt,*.jpg,*.eps,*.pdf,*.png,*.gpg,*.asc' \
    doc g13 g10 kbx agent artwork scd tests tools am common dirmngr sm \
    NEWS README README.maint TODO

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-02-18 18:07:46 -05:00
Werner Koch
6aff8a1328
build: Always use EXTERN_UNLESS_MAIN_MODULE pattern.
* common/util.h (EXTERN_UNLESS_MAIN_MODULE): Add the definion only
here but now without the Norcroft-C.  Change all other places where it
gets defined.
* common/iobuf.h (iobuf_debug_mode): Declare unconditionally as
extern.
* common/iobuf.c (iobuf_debug_mode): Define it here.
* agent/gpg-agent.c (INCLUDED_BY_MAIN_MODULE): Define here and also in
all main modules of all other programs.

* g10/main.h: Put util.h before the local header files.
--

This change is required for use with gcc/ld's LTO feature which does
not allow common blocks.  Further gcc 10 will make -fno-common the
default and thus this chnage is always needed.  What a pitty.

Co-authored-by: Tomáš Mráz
GnuPG-bug-id: 4831
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 21d9bd8b87a9f793a106095e3838eb71825189d7)

- Applied respective chnages also to gpg-card and keyboxd.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-10 16:50:47 +01:00
Werner Koch
2e5ab34496
sm: New option --issuer-der for the listkey commands.
* sm/server.c (do_listkeys): Implement new option.
--

This option can be used by clients who can only provide a DER encoded
form of the issuer.  For example in PKCS#11 providers.

Testing:

Put the DER encoded issuer DN into a file, say issuer.der.
The run
   gpg-connect-agent -E -- gpgsm --server
   > /definqfile ISSUER_DER issuer.der
   > list-keys --issuer-der 01020304

and if the local keyring has a certifictate with that issuer and a s/n
of 0x01020304 that certificate will be listed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-03 14:54:23 +01:00
Werner Koch
14aa797bb8
gpg,sm: Avoid useless ASFW diagnostic in loopback mode.
* common/sysutils.c (inhibit_set_foregound_window): New var.
(gnupg_inhibit_set_foregound_window): New func.
(gnupg_allow_set_foregound_window): Use var.
* g10/gpg.c (main): Inhibit in loopback mode.
* sm/gpgsm.c (main): Ditto.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-01-13 15:20:49 +01:00
Werner Koch
d246f317c0
sm: Add special case for expired intermediate certificates.
* sm/gpgsm.h (struct server_control_s): Add field 'current_time'.
* sm/certchain.c (find_up_search_by_keyid): Detect a corner case.
Also simplify by using ref-ed cert objects in place of an anyfound
var.
--

See the code for a description of the problem. Tested using the certs
from the bug report and various command lines

  gpgsm --faked-system-time=XXXX --disable-crl-checks \
         -ea -v --debug x509  -r 0x95599828

with XXXX being 20190230T000000 -> target cert too young
with XXXX being 20190330T000000 -> okay
with XXXX being 20190830T000000 -> okay, using the long term cert
with XXXX being 20220330T000000 -> target cert expired

The --disabled-crl-checks option is required because in our a simple
test setting dirmngr does not know about the faked time.

GnuPG-bug-id: 4696
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-12-06 20:25:56 +01:00
Werner Koch
6e1c99bc39
gpgsm: Allow sepcification of ldaps servers.
* sm/gpgsm.h (struct keyserver_spec): Add field use_ldaps.
* sm/gpgsm.c (parse_keyserver_line): Parse flags.
* sm/call-dirmngr.c (prepare_dirmngr): Send ldaps flag to the dirmngr.

* dirmngr/dirmngr.h (struct ldap_server_s): Add field use_ldaps.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse flags.
* dirmngr/ldap.c (start_cert_fetch_ldap): Call wrapper with --tls.

* dirmngr/dirmngr_ldap.c: New option --tls.
(fetch_ldap): Make use of that option.
--

There was no way to specify an LDAPS server in
dirmngr_ldapserver.socnf or with gpgsm's --keyserver option.  This
patch fixes this.  Eventually we should allow to replace host and port
by a partial URI in the same way ldap_initialize does it.  For backward
compatibility we do not yet do that.

Although the dirmngr code accepts an URL (eg. taken from a
certificate), I can't see how the scheme was ever used.  Thus the
patch also detects an ldaps scheme and uses this.  That part has not
been tested, though.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-09 11:29:59 +01:00
Werner Koch
9698761933
Merge branch 'switch-to-gpgk' into master
--
Resolved Conflicts:

* common/asshelp.c: Keep the new code in master for spawing under
Windows.
* g10/Makefile.am: Keep all new file.
* g10/photoid.c: Pass CTRL to pct_expando.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-27 15:44:23 +02:00
Werner Koch
e64f0dfd72
gpg,sm: Implement keybox compression run and release lock in gpgsm
* g10/keydb.c (keydb_add_resource): Call keybox_compress.
* sm/keydb.c (keydb_add_resource): Release the lock after a compress.
--

Note that in gpgsm we already did the compress run but we didn't
released the lock on the file.  This might have been a reason for some
strange hangs.

GnuPG-bug-id: 4644
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-23 15:51:43 +02:00
Werner Koch
1f980d23af
kbx: Allow writing using a estream.
* kbx/keybox-file.c (_keybox_write_header_blob): New optional arg
stream.  Change callers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-06 15:01:21 +02:00
NIIBE Yutaka
ef2424144a sm: Support AES-256 key.
* sm/decrypt.c (prepare_decryption): Handle a case for AES-256.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-08-05 10:15:08 +09:00
NIIBE Yutaka
15fe78184c sm: Fix error checking of decryption result.
* sm/call-agent.c (gpgsm_agent_pkdecrypt): Fix condition.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-07-26 10:03:36 +09:00
Daniel Kahn Gillmor
3ba091ab8c gpg,gpgsm: Handle pkdecrypt responses with/without NUL terminators.
* g10/call-agent.c (agent_pkdecrypt): accept but do not require
NUL-terminated data from the agent.
* sm/call-agent.c (gpgsm_agent_pkdecrypt): accept but do not require
NUL-terminated data from the agent.

GnuPG-bug-id: 4652
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-07-26 09:53:33 +09:00
NIIBE Yutaka
37d758e5f2 sm: Fix card access.
* sm/call-agent.c (gpgsm_scd_pksign): Cast to integer for %b.

--

This fix is needed on big endian machine where size_t is bigger
than integer.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-07-09 16:59:56 +09:00
NIIBE Yutaka
38b9da7de3 sm: Return the last error for pubkey decryption.
* sm/decrypt.c: Use TMP_RC for ksba_cms_get_issuer_serial,
and return the last error when no key is available.
Fix the error report with TMP_RC for second call of
ksba_cms_get_issuer_serial.

GnuPG-bug-id: 4561
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-07-05 15:46:19 +09:00
Werner Koch
9bf650db02
sm: Print a better diagnostic for encryption certificate selection.
* sm/certlist.c (gpgsm_add_to_certlist): Add diagnostic and fold two
similar branches.
--

Without this patch gpgsm printed:

 gpgsm[23045]: DBG: chan_6 <- RECIPIENT edward.tester@demo.gnupg.com
 gpgsm[23045]: certificate is not usable for encryption
 gpgsm[23045]: certificate is good

with this patch a

 gpgsm[23045]: looking for another certificate

is inserted into the log.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-06-04 09:24:03 +02:00
Werner Koch
f2ac6742d4
Return better error code for some getinfo IPC commands.
* agent/command.c (cmd_getinfo): Return GPG_ERR_FALSE as boolean False.
* g13/server.c (cmd_getinfo): Ditto.
* sm/server.c (cmd_getinfo): Ditto.
--

GPG_ERR_FALSE was introduced with libgpg-error 1.21 and we now require
a later version for gnupg 2.  Thus we can switch to this more
descriptive code.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-06-03 16:33:10 +02:00
Werner Koch
521e7d4644
sm: Avoid confusing diagnostic for the default key.
* sm/certlist.c (cert_usage_p): Add arg 'silent' and change all
callers.
(gpgsm_cert_use_sign_p): Add arg 'silent' and pass to cert_usage_p.
Change all callers.
* sm/sign.c (gpgsm_get_default_cert): Set SILENT when calling
gpgsm_cert_use_sign_p
--

GnuPG-bug-id: 4535
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-05-27 15:44:16 +02:00
Werner Koch
6e041b7b35
sm: Add a couple of debug calls to the keydb module.
* sm/gpgsm.h (DBG_CLOCK_VALUE, DBG_CLOCK): New.
(DBG_LOOKUP_VALUE, DBG_LOOKUP): New.
* sm/gpgsm.c: new debug flags "lookup" and "clock"
* sm/keydb.c: Add log_clock calls to most functions.
(keydb_search_desc_dump): New.
(keydb_search) [DBG_LOOKUP]: Print descrh decription.
* sm/keylist.c (list_cert_std): Flush FP in debug mode to better
syncronize the output with the debug output
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-05-15 08:52:21 +02:00
Werner Koch
22e274f839
sm: Change keydb code to use the keybox locking.
* kbx/keybox-init.c (keybox_lock): New arg TIMEOUT.  Change all
callers to pass -1 when locking.
* sm/keydb.c (struct resource_item): Remove LOCKANDLE.
(struct keydb_handle): Add KEEP_LOCK.
(keydb_add_resource): Use keybox locking instead of a separate dotlock
for testing whether we can run a compress.
(keydb_release): Reset KEEP_LOCK.
(keydb_lock): Set KEEP_LOCK.
(unlock_all): Take care of KEEP_LOCK.
(lock_all): Use keybox_lock instead of dotlock fucntions.
(keydb_delete): Remove arg UNLOCK.
* sm/delete.c (delete_one): Adjust keydb_delete.  Due to the KEEP_LOCK
the keydb_release takes care of unlocking.
--

This aligns the code more with g10/keydb.c and avoids the separate
calls to dotlock_take.

GnuPG-bug-id: 4505
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-05-14 13:36:08 +02:00
Werner Koch
5f3864fb64
sm: Add yet inactive options to support authenticode
* sm/gpgsm.c (opts): New options --authenticode and --attribute.
* sm/gpgsm.h (opt): Add vars authenticode and attribute_list.
* sm/sign.c (add_signed_attribute): New but inactive.
(gpgsm_sign): Use new options.
--

Because libksba 1.4 is not yet ready the new code is not yet active.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-04-30 08:28:54 +02:00
Werner Koch
2b1135cf92
scd: New standard attributes $ENCRKEYID and $SIGNKEYID.
* g10/call-agent.c (agent_scd_keypairinfo): Use --keypairinfo.
* sm/call-agent.c (gpgsm_agent_scd_keypairinfo): Ditto.
* scd/app-openpgp.c (do_getattr): Add attributes "$ENCRKEYID" and
"$SIGNKEYID".
* scd/app-piv.c (do_getattr): Ditto.
--

We already have $AUTHKEYID to locate the keyref of the key to be used
with ssh.  It will also be useful to have default keyref for
encryption and signing.  For example, this will allow us to repalce
the use of "OPENPGP.2" by a app type specific keyref.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-04-03 13:16:22 +02:00
Werner Koch
f952226043
common: Extend function pubkey_algo_string.
* common/sexputil.c (pubkey_algo_string): Add arg R_ALGOID.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): Adjust.
* tools/gpg-card.c (list_one_kinfo): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-04-02 18:50:55 +02:00
Werner Koch
9ed1aa56c4
sm: Show the usage flags when generating a key from a card.
* g10/call-agent.c (scd_keypairinfo_status_cb): Also store the usage
flags.
* sm/call-agent.c (scd_keypairinfo_status_cb): Ditto.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): Print the usage flags.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-04-01 19:58:33 +02:00
Werner Koch
aa58d2a49b
sm: Allow decryption even if expired other keys are configured.
* sm/gpgsm.c (main): Add special handling for bad keys in decrypt
mode.
--

The problem can easily be tested by adding --encrypt-to EXPIRED_KEY to
a decryption command.  With that patch the errors are printed but
decryption continues and the process returns success unless other
errors occur.

GnuPG-bug-id: 4431
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-26 13:31:06 +01:00
Andre Heinecke
e4e0804ed1
sm, w32: Translate logger and status fd to handles
* sm/gpgsm.c (main): Call translate_sys2libc_fd_int to
convert the FDs.

--
This is required to actually pass gpgsm an fd on windows
and not a windows handle.

For the passphrase-fd this was already done.
2019-03-25 14:08:56 +01:00
Werner Koch
bdda31a26b
kbx: Unify the fingerprint search modes.
* kbx/keybox-search-desc.h (KEYDB_SEARCH_MODE_FPR16)
(KEYDB_SEARCH_MODE_FPR20, KEYDB_SEARCH_MODE_FPR32): Remove.  Switch
all users to KEYDB_SEARCH_MODE_FPR along with the fprlen value.
--

These search modes were added over time and there has until recently
be no incentive to remove the cruft.  With the change for v5 keys I
finally went over all places and allowed the generic fingerprint mode
along with a given length of the fingerprint at all places.
Consequently the other modes can now be removed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-14 14:55:06 +01:00
Werner Koch
f40e9d6a52
kbx: Add support for 32 byte fingerprints.
* common/userids.c (classify_user_id): Support 32 byte fingerprints.
* kbx/keybox-search-desc.h (KEYDB_SEARCH_MODE_FPR32): New.
(struct keydb_search_desc): Add field fprlen.
* kbx/keybox-defs.h (struct _keybox_openpgp_key_info): Add field
version and increase size of fpr to 32.
* kbx/keybox-blob.c: Define new version 2 for PGP and X509 blobs.
(struct keyboxblob_key): Add field fprlen and increase size of fpr.
(pgp_create_key_part_single): Allow larger fingerprints.
(create_blob_header): Implement blob version 2 and add arg want_fpr32.
(_keybox_create_openpgp_blob): Detect the need for blob version 2.
* kbx/keybox-search.c (blob_get_first_keyid): Support 32 byte
fingerprints.
(blob_cmp_fpr): Ditto.
(blob_cmp_fpr_part): Ditto.
(has_fingerprint): Add arg fprlen and pass on.
(keybox_search): Support KEYDB_SEARCH_MODE_FPR32 and adjust for
changed has_fingerprint.
* kbx/keybox-openpgp.c (parse_key): Support version 5 keys.
* kbx/keybox-dump.c (_keybox_dump_blob): Support blob version 2.

* g10/delkey.c (do_delete_key): Support KEYDB_SEARCH_MODE_FPR32.
* g10/export.c (exact_subkey_match_p): Ditto.
* g10/gpg.c (main): Ditto.
* g10/getkey.c (get_pubkey_byfprint): Adjust for changed
KEYDB_SEARCH_MODE_FPR.
* g10/keydb.c (keydb_search_desc_dump): Support
KEYDB_SEARCH_MODE_FPR32 and adjust for changed KEYDB_SEARCH_MODE_FPR.
(keydb_search): Add new arg fprlen and change all callers.
* g10/keyedit.c (find_by_primary_fpr): Ditto.
* g10/keyid.c (keystr_from_desc): Ditto.
* g10/keyring.c (keyring_search): Ditto.
* g10/keyserver.c (print_keyrec): Ditto.
(parse_keyrec): Ditto.
(keyserver_export): Ditto.
(keyserver_retrieval_screener): Ditto.
(keyserver_import): Ditto.
(keyserver_import_fprint): Ditto.
(keyidlist): Ditto.
(keyserver_get_chunk): Ditto.

* g10/keydb.c (keydb_search): Add new arg fprlen and change all
callers.

* sm/keydb.c (keydb_search_fpr): Adjust for changed
KEYDB_SEARCH_MODE_FPR.
--

This prepares the support for OpenPGP v5 keys.  The new version 2 blob
format is needed for the longer fingerprints and we also use this
opportunity to prepare for storing the keygrip in the blob for faster
lookup by keygrip.  Right now this is not yet functional.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-14 11:26:54 +01:00
Werner Koch
86c241a8c9
sm: Print Yubikey attestation extensions with --dump-cert.
* sm/keylist.c (oidtranstbl): Add Yubikey OIDs.
(OID_FLAG_HEX): New.
(print_hex_extn): New.
(list_cert_raw): Make use of that flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-01 15:23:49 +01:00
Werner Koch
2c75af9f65
sm: Don't mark a cert as de-vs compliant if it leads to SHA-1 sigs.
* sm/keylist.c (print_compliance_flags): Also check the diges_also.
--

A certificate with algorithm sha1WithRSAEncryption can be de-vs
compliant (e.g. if the next in the chain used sha256WithRSAEncryption
to sign it and RSA is long enough) but flagging it as such is useless
because that certificate can't be used because it will create
signatures using the non-compliant SHA-1 algorithm.

Well, it could be used for encryption.  But also evaluating the
key-usage flags here would make it harder for the user to understand
why certain certificates are listed as de-vs compliant and others are
not.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-28 14:45:21 +01:00
Werner Koch
c1000c6738
sm: Fix certificate creation with key on card.
* sm/certreqgen.c (create_request): Fix for certmode.
--

When using an existing key from a card for certificate signing (in
contrast to the default of generating a CSR), the code tried to use
the same key for signing instead of the Signing-Key parameter.  It is
perfectly okay to use the regular signing path via gpg-agent for
certificate creation - only self-signed certificates with a key on the
card require the direct use of the card key (via "SCD PKSIGN").

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 17:32:39 +01:00
Werner Koch
d7a54ca461
sm: Prepare algo mapping to handle values > 255.
* sm/misc.c (transform_sigval): Allow for larger values of MDALGO and
PKALGO.
--

Libgcrypt already defines larger values for them, so we should be
prepared in case we use them in the future.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 08:51:50 +01:00
Damien Goutte-Gattat via Gnupg-devel
3cbdf896e6 sm: Support generation of card-based ed25519 CSR.
* sm/call-agent.c (gpgsm_scd_pksign): Allow SHA512. Create proper
S-expression for EdDSA signature.
* sm/certreqgen.c (create_request): Force use of SHA512 when
using a ed25519 key.
* sm/misc.c (transform_sigval): Insert OID for ed25519.

--

GnuPG-bug-id: 4013
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2019-02-18 11:33:20 +09:00
Damien Goutte-Gattat via Gnupg-devel
74e9b579ca sm: Support generation of card-based ECDSA CSR.
* sm/call-agent.c (gpgsm_scd_pksign): Identify type of signing key
and format resulting S-expression accordingly.
* sm/misc.c (transform_sigval): Support ECDSA signatures.
--

Current GpgSM implementation assumes card-based keys are RSA keys.
This patch introduces support for ECDSA keys.

By itself this patch is not sufficient, we also need support
from libksba.

GnuPG-bug-id: 4092
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2019-02-15 11:01:20 +09:00
Werner Koch
0328976c94
sm: In --gen-key with "key from card" show also the algorithm.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): Get and show algo.
--

This extends the prompt to show something like

  Serial number of the card: FF020001008A77F6
  Available keys:
     (1) 4130F84FA3704F4645924AEC3FFA48AD26D33656 PIV.9A nistp384
     (2) AB2988FB8C227BCD5175BF92F66AA3A95AE83214 PIV.9E rsa2048
     (3) DB7DDAEAA88534BA45CCD7A9B761425103EA2090 PIV.9C rsa2048
     (4) BABB48C3D80ACCF9839F101DF2910966C8B988DF PIV.9D nistp256
  Your selection? 1

Having the algorithm here is helpful in particular because right now
we support only RSA with X.509.  Take care: PIV card based certificate
creation does not yet work.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 12:35:26 +01:00
Daniel Kahn Gillmor
a7c5d65eb5 all: fix more spelling errors 2018-10-25 16:53:05 -04:00
Daniel Kahn Gillmor
b39ece7d35 headers: fix spelling
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2018-10-25 16:53:05 -04:00
Daniel Kahn Gillmor
54eb375ff1 all: fix spelling and typos
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2018-10-24 15:56:18 -04:00
Werner Koch
793fd8d876
sm: Use the correct string in an error message.
* sm/gpgsm.c (main): Fix error message.
--

GnuPG-bug-id: 4219
2018-10-24 19:55:19 +02:00
Werner Koch
7b7576637d
Merge branch 'STABLE-BRANCH-2-2' into master
--

Resolved Conflicts:
	NEWS  - removed
	configure.ac - removed

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-05-13 13:29:40 +02:00