1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

1035 Commits

Author SHA1 Message Date
NIIBE Yutaka
3cf5fc2e2f
scd: Fix cmd_apdu on error.
* scd/command.c (cmd_apdu): Fix the code path on error.

--

GnuPG-bug-id: 6476
Reported-by: Robin Krahl
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-05-01 11:36:36 +09:00
Werner Koch
c03ba92576
gpg: Fix writing ECDH keys to OpenPGP smartcards.
* agent/command.c (cmd_keytocard): Add new arg for ECDH params.
* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
compute the fingerprint.
* g10/call-agent.c (agent_keytocard): Add arg ecdh_param_str.
* g10/keyid.c (ecdh_param_str_from_pk): New.
* g10/card-util.c (card_store_subkey): Pass ECDH params to writekey.
* g10/keygen.c (card_store_key_with_backup): Ditto.

* scd/app-openpgp.c (store_fpr): Add arg update.
(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
writing the fingerprint back to the card if not set.
(read_public_key): Also add arg meta_update.
(get_public_key): Do not pass it as true here...
(do_genkey): ... but here.
(rsa_write_key, ecc_writekey): Force string the fingerprint.
--

The problem showed up because in 2.4 we changed the standard ECDH
parameter some years ago.  Now when trying to write an ECDH key
created by 2.2 with 2.4 to an openpgp card, scdaemon computes a wrong
fingerprint and thus gpg was not able to find the key again by
fingerprint.

The patch also avoids updating the stored fingerprint in certain
situations.

This fix is somewhat related to
GnuPG-bug-id: 6378
2023-04-21 15:23:29 +02:00
Werner Koch
af3724d383
scd,p15: Enforce a min. PIN length for certain cards.
* scd/app-p15.c (verify_pin): Enforce 6 for RSCS cards.
2023-04-20 12:41:08 +02:00
Werner Koch
f7e00dc73d
scd: On a Yubikey re-select the last app after the use of APDU.
* scd/app-common.h (struct card_ctx_s): Add maybe_check_aid flag.
* scd/command.c (cmd_apdu): Set it.
* scd/app.c (check_external_interference): Consult this flag.
(maybe_switch_app): Do a re-select if this flag is set.
--

After the gpg-card tool has issued a Yubikey specific command the
current application is not anymore correctly selected.  This then
results in all kind of errors.  We detect this now and try to
re-select the last app.
2023-04-18 12:04:15 +02:00
Werner Koch
2e065b4bd2
scd,openpgp: Switch key attributes between RSA and ECC in writekey.
* common/sexputil.c (get_rsa_pk_from_canon_sexp): Also allow private
keys.
(pubkey_algo_string): Ditto.
* scd/app-openpgp.c (do_writekey): Switch key attributes
--

The scd WRITEKEY command for OpenPGP cards missed proper support to
aautomagically switch key attributes based on the new key.  We had
this only in GENKEY.

GnuPG-bug-id: 6378
2023-03-15 09:42:02 +01:00
NIIBE Yutaka
4e391d95e0
scd: Fix checking memory allocation.
* scd/app-openpgp.c (read_public_key): Fix the memory.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-03-08 11:33:18 +09:00
Werner Koch
9de180c6d2
doc: Minor comment fixes.
--
2023-02-23 10:23:56 +01:00
Werner Koch
061efac03f
scd:p15: Skip deleted records.
* scd/app-p15.c (select_and_read_record): Special case deleted
records.  Support 3 byte TLVs.
(read_ef_prkdf): Skip deleted records.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.
--

This fixes a problem with some CardOS 5 applications.
2022-12-09 08:49:28 +01:00
Werner Koch
9f7ff43672
scd: Redact --debug cardio output of a VERIFY APDU.
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--

This should handle the most common case.
GnuPG-bug-id: 5085
2022-11-17 14:33:18 +01:00
Werner Koch
2c4757352d
scd:nks: Fix ECC signing if key not given by keygrip.
* scd/app-nks.c (keygripstr_from_pk_file): Set r_algo if not in cache.
2022-11-15 14:52:40 +01:00
Werner Koch
8361e13ef2
scd:nks: Support non-ESIGN signing with the Signature Card v2
* scd/app-nks.c (do_sign): Handle ECC for NKS cards
2022-10-25 11:57:23 +02:00
NIIBE Yutaka
3d7dbf1661
agent,dirmngr,gpg,scd: Clean up for modern compiler.
* agent/protect.c (agent_get_shadow_info_type): It's a write only
variable, useful for debugging.
* g10/key-check.c (key_check_all_keysigs): Likewise.
* g10/keyedit.c (show_basic_key_info, menu_expire): Likewise.
* scd/app-sc-hsm.c (read_ef_prkd): Likewise.
* dirmngr/crlfetch.c (fetch_next_ksba_cert): Initialize the vars.
* dirmngr/ks-action.c (ks_action_help): Remove unused variables.
* dirmngr/server.c (make_keyserver_item): Likewise.
* dirmngr/validate.c (check_cert_sig): Initialize the variable.
* scd/app-p15.c (select_and_read_record): Likewise.
* tests/gpgscm/scheme.c (scheme_init_new): A function with no args.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-14 12:08:58 +09:00
NIIBE Yutaka
87d4338ed1
gpg,common,scd,sm: Function prototype fixes for modern compiler.
* common/gettime.c (gnupg_get_time): It has no arguments.
* common/signal.c (gnupg_block_all_signals): Likewise.
(gnupg_unblock_all_signals): Likewise.
* common/utf8conv.c (get_native_charset): Likewise.
* g10/cpr.c (is_status_enabled, cpr_enabled): Likewise.
* g10/getkey.c (getkey_disable_caches): Likewise.
* g10/keygen.c (ask_expiredate): Likewise.
* g10/passphrase.c (have_static_passphrase): Likewise.
(get_last_passphrase): Likewise.
* g10/tdbio.c (tdbio_is_dirty, tdbio_sync): Likewise.
(tdbio_get_dbname, open_db, tdbio_db_matches_options): Likewise.
(tdbio_read_nextcheck): Likewise.
* g10/trustdb.c (how_to_fix_the_trustdb): Likewise.
* scd/scdaemon.c (scd_get_socket_name): Likewise.
* sm/passphrase.c (have_static_passphrase): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-13 16:34:00 +09:00
NIIBE Yutaka
6df8608c3e scd: Add npth_unprotect/npth_protect for blocking operations.
* scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
(ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap
blocking operations by npth_unprotect/npth_protect.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-25 13:13:11 +09:00
Werner Koch
f4b01ddc6a
scd: Add a libusb debug level.
* scd/ccid-driver.c (USE_LIBUSB_DEBUG_CB): New const.
(debug_libusb_cb): new.
(ccid_set_debug_level): Use it.
--

This allows to see the libusb log in our usual debug output.  For this
the option debug-ccid-driver needs to be given 5 or more times.
2022-08-22 12:05:18 +02:00
Werner Koch
67e510cbf7
scd:opengpg: Minor vendor name fix
--
2022-07-28 13:06:03 +02:00
Werner Koch
6d9c8a1cbc
scd:openpgp: New vendor
--
2022-07-28 09:01:24 +02:00
NIIBE Yutaka
f34b9147eb scd:openpgp: Fix workaround for Yubikey heuristics.
* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
of firmware 5.4, too.

--

GnuPG-bug-id: 6070
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-13 10:40:55 +09:00
NIIBE Yutaka
dd600bbc84 scd: Support specifying keygrip for learn command.
* scd/command.c (cmd_learn): Allow keygrip argument.

--

GnuPG-bug-id: 6002
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-10 13:54:03 +09:00
NIIBE Yutaka
273b8ec193 scd,openpgp: Support READCERT by keygrip.
* scd/app-openpgp.c (do_readcert): Allow use of keygrip.

--

GnuPG-bug-id: 6002
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-10 11:45:26 +09:00
Werner Koch
3a2fb1c306
scd:nks: Don't flag the ESIGN keypair EF as encryption capable.
* scd/app-nks.c (filelist): Tweak 0x4531.
--

Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.
2022-06-01 17:55:49 +02:00
Werner Koch
b92b3206e7
scd:nks: Some code cleanup.
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--

Also added a couple of comments.
2022-06-01 17:52:42 +02:00
Werner Koch
07eaf006c2
scd:nks: Support the Telesec ESIGN application.
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--

This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.

Note: The design of the FID cache needs to be reconsidered.  Until
that the lookup here has been disabled.  The do_sign code should be
revamped to be similar to what we do in app-p15.

GnuPG-bug-id: 5219, 4938
2022-05-29 15:55:26 +02:00
NIIBE Yutaka
5264d3f58e scd: Return USAGE information for KEYINFO command.
* scd/command.c (hlp_keyinfo): Update.
(send_keyinfo): Add a USAGE argument.
* scd/scdaemon.h (send_keyinfo): Add a USAGE argument.
* scd/app-nks.c (set_usage_string): New.
(do_learn_status_core, do_readkey): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/app-openpgp.c (get_usage_string): New.
(send_keypair_info): Use get_usage_string.
(send_keyinfo_if_available): Add USAGE to call send_keyinfo,
using get_usage_string.
* scd/app-p15.c (set_usage_string): New.
(send_keypairinfo): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/app-piv.c (do_with_keygrip): Add USAGE to call send_keyinfo.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-26 12:01:16 +09:00
NIIBE Yutaka
64c8786105 scd,piv: Fix status report of KEYPAIRINFO.
* scd/app-piv.c (do_readkey): Use "-" for usage when not available.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-26 11:57:31 +09:00
NIIBE Yutaka
052f58422d agent,scd: Make sure to set CONFIDENTIAL flag in Assuan.
* agent/call-scd.c (inq_needpin): Call assuan_begin_confidential
and assuan_end_confidential, and wipe the memory after use.
* agent/command.c (cmd_preset_passphrase): Likewise.
(cmd_put_secret): Likewise.
* scd/command.c (pin_cb): Likewise.

--

GnuPG-bug-id: 5977
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-25 14:53:06 +09:00
NIIBE Yutaka
ea97683d58 scd: Support automatic card selection for READCERT with keygrip.
* scd/command.c (cmd_readcert): Select by KEYGRIP.

--

GnuPG-bug-id: 6003
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-24 16:17:01 +09:00
NIIBE Yutaka
1b1684cf61 scd: Fix use of SCardListReaders for PC/SC.
* scd/apdu.c (apdu_dev_list_start): Initialize NREADER.

--

Reported-by: Ludovic Rousseau
GnuPG-bug-id: 5979
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-17 10:19:44 +09:00
NIIBE Yutaka
53eddf9b9e scd: Fail when no good algorithm attribute.
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.

--

This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-11 11:16:26 +09:00
Werner Koch
5e5df82b5f
scd:openpgp: New card vendor.
--

BTW, we should add a function to read out the entire table so that you
can ask scdaemon for that list.  iirc,  Kleopatra still uses a copy of
the table.
2022-05-10 16:21:27 +02:00
Werner Koch
3d7d7e8bfd
scd:p15: Improve the displayed S/N for Technology Nexus cards.
* scd/app-p15.c (any_control_or_space_mem): New.
(get_dispserialno): Add new code.
--

This works with my test cards and now reflects what's printed on the
front matter of the card.
2022-05-06 11:43:07 +02:00
Werner Koch
6f612fd5f6
scd:p15: Fix the the sanity check of the displayed S/N.
* scd/app-p15.c (any_control_or_space): Fix loop.
--

This check is only done to avoid printing wrongly encoded S/N for
human consumption.
e
2022-05-06 11:39:30 +02:00
NIIBE Yutaka
054d14887e scd: Add workaround for ECC attribute on Yubikey.
* scd/app-openpgp.c (parse_algorithm_attribute): Skip possibly bogus
octet in a key attribute.

--

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-06 18:27:11 +09:00
Werner Koch
bbcca7357b
scd:p15: Fix reading certificates without length info.
* scd/app-p15.c (readcert_by_cdf): Do not use extended mode if the CDF
object has no length info.  Add debug output when reading a cert.
(read_p15_info): No more need to disable extended mode for GeNUA cards.
2022-05-05 13:39:03 +02:00
Werner Koch
7dc5693926
scd: New debug flags "card".
* scd/scdaemon.c (debug_flags): Add "card".
* scd/scdaemon.h (DBG_CARD_VALUE, DBG_CARD): New.
--

Some information from parsing the card are often very helpful.
However, the card_io triggered APDU dumps are in most cases too heavy.
Thus this new debug flag.
2022-05-05 13:35:56 +02:00
NIIBE Yutaka
2848fe4c84 scd: Fix hard-coded constant for RSA auth.
* scd/app-openpgp.c (do_auth): Allow larger data for RSA-4096.

--

OpenPGPcard specification says that it will be rejected by the card
when it's larger.  We have been the check on host side too, but it was
written when it only had a support for RSA-2048.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-04-25 11:14:10 +09:00
NIIBE Yutaka
e8fb8e2b3e scd: Don't inhibit SSH authentication for larger data if it can.
* scd/app-openpgp.c (do_auth): Use command chaining if available.

--

GnuPG-bug-id: 5935
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-04-22 11:50:19 +09:00
Werner Koch
dd727ec968
scd: Renamed a constant in ccid-driver.c
* scd/ccid-driver.c (MAX_DEVICE): Rename to CCID_MAX_DEVICE.
--

Just for documentation reasons.
2022-04-14 10:26:40 +02:00
Werner Koch
6294ae282d
scd: Minor code reorganization
* scd/ccid-driver.c: Move struct defines to the top.
--
2022-04-14 10:15:23 +02:00
Werner Koch
8ac92f0e80
scd: Fix memory leak in ccid-driver.
* scd/ccid-driver.c (ccid_dev_scan): Use loop var and not the count.
--

Due to an assignment out of bounds this might lead to a crash if there
are more than 15 readers.  In any case it fixes a memory leak.
Kudos to the friendly auditor who found that bug.

Fixes-commit: 8a41e73c31
2022-04-14 10:15:23 +02:00
Werner Koch
618aa8689a
scd:p15: Improve the PIN prompt for Genua cards.
* scd/app-p15.c (CARD_PRODUCT_GENUA): New.
(cardproduct2str): Add it.
(read_p15_info): Detect and set GENUA
(make_pin_prompt): Take holder string from the AODF.
2022-04-13 13:06:27 +02:00
Werner Koch
0dcc249852
scd: Support for GeNUA cards.
* scd/app-p15.c (read_p15_info): Disable extended mode for Genua
cards.
2022-04-11 17:48:45 +02:00
NIIBE Yutaka
f584ad9504 scd,tpm2d: Fix for consistent use of socket FD.
* scd/command.c (scd_command_handler): Use gnupg_fd_t for the argument
but no INT2FD to listen.  Use GNUPG_INVALID_FD.
* tpm2d/command.c (tpm2d_command_handler): Likewise.
* scd/scdaemon.c (start_connection_thread): Follow the change.
* tpm2d/tpm2daemon.c (start_connection_thread): Likewise.
* scd/scdaemon.h (scd_command_handler): Use gnupg_fd_t.
* tpm2d/tpm2daemon.h (tpm2d_command_handler): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-31 21:03:13 +09:00
NIIBE Yutaka
a67a09be30 scd,w32: Fix socket resource leak.
* scd/scdaemon.c (main): Use gnupg_fd_t for socket, and use
assuan_sock_close for the socket allocated by assuan_sock_new.
(handle_connections): Use gnupg_fd_t for listen_fd.
Use assuan_sock_close for the socket by npth_accept.

--

GnuPG-bug-id: 5029
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-29 09:55:02 +09:00
NIIBE Yutaka
c6dd9ff929 scd: Fix DEVINFO with no --watch.
* scd/app.c (app_send_devinfo): Fix for outputing once.
* scd/command.c (hlp_devinfo): Fix comment.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-15 15:19:11 +09:00
NIIBE Yutaka
665b59a066 Fix previous commit.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-11 14:09:22 +09:00
NIIBE Yutaka
934864d399 scd: Enhance PASSWD command to accept KEYGRIP optionally.
* scd/command.c (cmd_passwd): Handle KEYGRIP optionally.

--

GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-10 11:11:38 +09:00
NIIBE Yutaka
d577ed2956 scd: Use same idiom for same work.
* scd/command.c (cmd_serialno, cmd_getattr): Use 'while' instead of
'for'.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-10 11:02:11 +09:00
NIIBE Yutaka
58e6990eaa scd: Fix PK_AUTH with --challenge-response option.
* scd/app.c (app_auth): It's only APPTYPE_OPENPGP which supports
the challenge response interaction.
* scd/command.c (cmd_pkauth): It only wants if it works or not.

--

GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-04 10:11:38 +09:00
NIIBE Yutaka
44621120a2 scd: Add --challenge-response option to PK_AUTH for OpenPGP card.
* scd/app-openpgp.c (rmd160_prefix, sha1_prefix, sha224_prefix)
(sha256_prefix, sha384_prefix, sha512_prefix): Move the scope up.
(gen_challenge): New.
(do_auth): Support challenge-response check if it signs correctly.
* scd/app.c (app_auth): Remove the check INDATA and INDATALEN.
* scd/command.c (cmd_pkauth): Support --challenge-response option.

--

GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-03 17:45:49 +09:00