1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

832 Commits

Author SHA1 Message Date
NIIBE Yutaka
6e51f2044a scd: Fix the use case of verify_chv2 by CHECKPIN.
* scd/app-openpgp.c (verify_chv2): Call verify_a_chv with chvno=1
when needed.

--

Confusingly, verify_chv2 has two different purposes;  One for
verifying with CHV2 (in addition to CHV1), and the call by
CHECKPIN.  For the latter, we should check CHV1.

Fixes-commit: af189be481df02a77e088aa0a60a1fc02dfa12bf
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-09-15 15:31:23 +09:00
Werner Koch
fbc1b199fd
scd:piv: Avoid conflict when writing a cert.
* scd/app-piv.c (map_curve_name_to_oid): New.
(my_cmp_public_key): New.
(do_writecert): Replace simple memcmp by cmp_canon_sexp.
--

GnuPG-bug-id: 5061
2020-09-11 15:47:39 +02:00
NIIBE Yutaka
d4cb774ddd scd: Flush KDF DO (0x00F9) when it's being set.
* scd/app-openpgp.c (do_setattr): Call flush_cache_item always.

--

Only it was called when there was an object with KDF_DATA_LENGTH_MAX.
No matter the VALUELEN, it should be flushed.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-09-10 15:20:01 +09:00
NIIBE Yutaka
0db9c83555 scd: Add a workaround for Yubikey.
* scd/app-openpgp.c (get_public_key): Handle wrong code for Yubikey.

--

Yubikey version 5 s/n 609074582 returns 0x6982, version 5.2.4 s/n
610616049 returns 0x6581, where 0x6a88 is expected.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-09-08 11:41:33 +09:00
NIIBE Yutaka
270c49b8c6 scd: Fix handling 0x00FA to support OpenPGP card 3.4.
* scd/app-openpgp.c (data_objects): It may be longer.

Fixes-commit: 90d0072165cc5c6888f14462392a211de0c4b232
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-09-07 14:24:48 +09:00
Werner Koch
0e721b635d
scd: Increase the number of supported readers from 4 to 16.
--

The limit on 4 readers I introduced in 2003 is too low for some of our
use cases.  16 looks better.   TODO: Return a useful error message in
gpg-card if the limit has been reached.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-04 12:51:54 +02:00
NIIBE Yutaka
43bbc25b0f scd: Support GET DATA response with no header for DO 0x00FA.
* scd/app-openpgp.c (do_getattr): Support Gnuk, as well.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-09-04 17:16:59 +09:00
NIIBE Yutaka
eba2563dab scd: Parse "Algorithm Information" data object in scdaemon.
* scd/app-openpgp.c (data_objects): 0x00FA for binary data.
(do_getattr): Parse the data and send it in status lines.
(get_algorithm_attribute_string): New.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-09-04 13:12:57 +09:00
NIIBE Yutaka
90d0072165 scd: Add handling of "Algorithm Information" DO.
* cd/app-openpgp.c (data_objects): Add 0x00FA.
(do_getattr): Add KEY-ATTR-INFO.

--

See the section 4.4.3.11 Algorithm Information in the OpenPGP card
functional specification version 3.4.1.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-09-03 19:58:10 +09:00
Werner Koch
a0a4744bd0
scd: New option to APDU command to return the ATR as data.
* scd/command.c (cmd_apdu): Add new option --data-atr.
* tools/gpg-card.c (cmd_apdu): Use that here.  Also fix the --exlen
option and do not print the statusword in atr mode.
* tools/card-call-scd.c (scd_apdu): Detect atr mode anddon't assume a
status word.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-27 11:55:37 +02:00
Werner Koch
95b5a852e2
scd: Fix reading of the ATR for card type detection.
* scd/app.c (app_new_register): Do not use apdu_get_slot.
--

apdu_get_slot() may only be used after the APP has been initialized.
Thus we need to pass teh slot here directly.

Fixes-commit: 9f148360a2bf04672b43ef7cec48e21d44b06ae1
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-27 11:53:06 +02:00
NIIBE Yutaka
9f148360a2 scd: Add heuristics to identify cardtype.
* scd/app-common.h (cardtype_t): Add CARDTYPE_GNUK and
CARDTYPE_ZEITCONTROL.
* scd/app.c (strcardtype): Handle CARDTYPE_GNUK and
CARDTYPE_ZEITCONTROL.
(app_new_register): Detect Gnuk and Zeit Control implementation
by examining its ATR string.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-08-27 14:32:04 +09:00
NIIBE Yutaka
af189be481 scd: Add condition for VERIFY with 0x82.
* scd/app-openpgp.c (verify_chv2): Check availability of keys in
question.

--

With buggy Gnuk (<= 1.2.15), when no encr/auth keys are available,
it fails decrementing the signature error counter.  This change
can avoid the issue.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-08-27 10:41:51 +09:00
NIIBE Yutaka
4fa0a65676 scd: Fix possible uninitialized variables.
* scd/app-openpgp.c (do_change_pin): Initialize resultlen2.
(do_change_pin): Don't call wipe_and_free on the error path.
Initialize bufferlen2.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-08-19 11:39:22 +09:00
Werner Koch
2af884c643
scd: Log info about CCIDs with permission problems.
* scd/apdu.c (open_ccid_reader): Add arg r_cciderr.
(apdu_open_reader): Print a note on EPERM of the USB device.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-12 16:44:22 +02:00
Werner Koch
9a8d7e41bb
scd: Map some error codes from libusb to ccid-driver error codes.
* scd/ccid-driver.h (CCID_DRIVER_ERR_USB_*): New error codes.
* scd/apdu.h: New SW_HOST error codes.
* scd/apdu.c (host_sw_string): Print them
* scd/ccid-driver.c (map_libusb_error): New.
(ccid_open_usb_reader, bulk_in, abort_cmd): Map libusb error codes.
* scd/iso7816.c (map_sw): Map new codes to gpg-error.
--

This change will help to get low level error conditions from hipher
application code.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-12 16:06:49 +02:00
Werner Koch
cbf203801e
scd:piv: Allow signing using PSS.
* scd/app-piv.c (do_sign): Allow for PSS.
--

This has been tested with Scute and Openvpn.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-10 10:22:42 +02:00
Werner Koch
bb096905b9
agent: Add option --pss to pksign to be used by smartcards.
* agent/command.c (cmd_sethash): Add option --pss and allow for
--hash=null.
* agent/agent.h (struct server_control_s): Add digest.is_pss and
zero where needed.
* agent/pksign.c (agent_pksign_do): Allow for PSS with cards.
* scd/command.c (cmd_pksign): Add for --hash=none.
--

This is not a full implementaion of PSS but allows scdaemon card
drivers to detect already PSS formatted data.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-10 10:22:42 +02:00
NIIBE Yutaka
2a34a2afea scd: Silence compiler warning.
* scd/app-openpgp.c (build_ecc_privkey_template): Fix allocation size.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-07-31 17:03:09 +09:00
NIIBE Yutaka
daa2cec6a5 scd: Fix closing reader and reeleasing context in PC/SC.
* scd/apdu.c (close_pcsc_reader): Unlock the reader_table_lock.
(apdu_dev_list_finish): Release the context when no readers.

--

Fixes-commit: 46d185f60397f68830bfdfb99627b29aea5016f1
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-07-17 20:42:38 +09:00
NIIBE Yutaka
46d185f603 scd: PC/SC: Don't release the context when it's in use.
* scd/apdu.c (close_pcsc_reader): Check if it's not in the loop.

--

GnuPG-bug-id: 4998
Reported-by: Kevin Locke
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-07-17 11:11:45 +09:00
Werner Koch
c1663c690b
scd:nks: Implement writecert for the Signature card v2.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--

This can be used with gpg-card to write the 3 extra certificates of a
Telesec TCOS Signature Card v2.  The card with the qualified signature
is distributed with the keys for encryption and advanced signatures
but without the certificates.  The certificates can be downloaded from
the website after an mail confirmation.  Unpacked the downloaded
zipfile has these certificates:

  auth_zert.crt
  sig_zert.crt
  enc_zert.crt

Using gpg-card issue these commands:

 writecert NKS-NKS3.4531 <sig_zert.crt
 writecert NKS-NKS3.45B1 <enc_zert.crt
 writecert NKS-NKS3.4571 <auth_zert.crt

Don't mix that up, tight now there is no checking that the
certificates match the public key.  I also need to write another patch
to actually implement signing and encryption with these nistp256
certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-02 18:35:34 +02:00
Werner Koch
07aef873eb
scd:nks: Fix certificate read problem with TCOS signature card v2.
* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
(do_readcert): Test for the app_id.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-30 14:41:49 +02:00
Werner Koch
58b091df83
scd: Change how the removed card flag is set.
* scd/command.c (cmd_serialno): Set/clear card removed flags for all
connections using the current card.
--

This seems to solve the problems I had in gpg-card and ssh.  I am not
sure why the old code was done this way - maybe an oversight when
adding support for multiple cards.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-30 14:41:49 +02:00
Werner Koch
9b6f574928
scd: Shorten cardio debug output for all zeroes.
* scd/apdu.c (all_zero_p): New.
(send_le): Use it.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-29 15:04:08 +02:00
Werner Koch
2429e85598
scd:nks: Fix remaining tries warning in --reset mode.
* scd/app-nks.c (do_change_pin): Chnage computaion of 'remaining'.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-25 11:27:26 +02:00
Werner Koch
61bb75d045
build: Fix recent commit for SOURCE_DATE_EPOCH.
--

Fixes-commit: 074ab108e768b2f946d789c1f3a7f14a65e07c52
which was recently pushed to make use of $SOURCE_DATE_EPOCH
as fallback.

Also fixes two typos
2020-06-08 18:45:55 +02:00
NIIBE Yutaka
f3df8dbb69 scd: Fix condition for C5 data object for newer Yubikey.
* scd/app-openpgp.c (compare_fingerprint): Relax the condition.

GnuPG-bug-id: 4957
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-05-29 11:18:50 +09:00
Werner Koch
2149676122
scd:openpgp: New KEY-STATUS attribute.
* scd/app-openpgp.c (do_getattr): Return KEY-STATUS
2020-05-27 13:47:13 +02:00
Werner Koch
11f0700282
scd:openpgp: Add attribute "UIF" for convenience.
* scd/app-openpgp.c (do_getattr): New attrubute "UIF".
(do_learn_status): Use that.
--

Actually this is not just convenience but will make it easier to add
new keys to an openpgp card - we will need to change this only at one
place.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-26 16:24:12 +02:00
Werner Koch
2009088670
scd: Fix Yubikey app switching problem
* scd/app.c (select_all_additional_applications_internal): Re-select
first app.  Add arg 'ctrl'.
--

Usually keygrip based access to the Yubikey does a switching back and
forth and thus keeps the card and scdaemon's internal state in sync.
However, if we do only a listing scdaemon did not reselect the first
application (e.g. OpenPGP) after adding other applications (e.g. PIV)
and thus led to wrong info returned in a listing.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-26 16:24:12 +02:00
Werner Koch
1f6a39092f
scd:nks: Add framework to support IDKey cards.
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--
2020-05-07 19:44:45 +02:00
Werner Koch
aecc008acb
scd:nks: Get the PIN prompts right for the Signature Card
* scd/app-nks.c (get_dispserialno): Move more to the top.
(do_getattr): Add $DISPSERIALNO and SERIALNO.  Make CHV-STATUS work
with NKS15.
(verify_pin): Use dedicated min. PIN lengths.
(parse_pwidstr): Support NKS15
--

GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-07 14:03:38 +02:00
Werner Koch
af45d884aa
scd:nks: Support decryption using ECDH.
* scd/app-nks.c (struct fid_cache_s): Add field 'algo'.
(keygripstr_from_pk_file): Add arg 'r_algo' to return the algo.
(find_fid_by_keyref): Ditto.
(get_dispserialno): New.
(make_prompt): New.
(verify_pin): Provide better prompts.
(do_decipher): Support ECDH.
(parse_pwidstr): Add hack tospecify any pwid..
(do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN.
Provide a better prompt.
--

GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-07 08:18:28 +02:00
Werner Koch
314859d7e7
scd: Extend an internal function to also return the algo.
* scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg
r_algo.  Change all callers.
(app_help_get_keygrip_string): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-05 08:07:11 +02:00
Werner Koch
1e72a1a218
scd:nks: Add do_with_keygrip and implement a cache.
* scd/app-nks.c (struct fid_cache_s): New.
(struct app_local_s): Add field 'fid_cache'.
(do_deinit): Release the cache.
(keygripstr_from_pk_file): Implement the cache.
(find_fid_by_keyref): New
(do_sign, do_decipher): Use new function.
(do_with_keygrip): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-04 19:01:16 +02:00
Werner Koch
f05a32e5c9
scd:nks: Allow retrieving certificates from a Signature Card v.20
* scd/app-nks.c: Major rework to support non-RSA cards.
--

This is a fist step so support this ECC card.  The code has been
reworked while taking care that old cards should keep on working.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-17 16:09:58 +02:00
Werner Koch
3633ca6e21
scd: Detect missing card in "getinfo all_active_apps".
* scd/app.c (send_card_and_app_list): Detect no app case.
--

This is a minor nug fix to return a better error message.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-17 16:09:54 +02:00
Werner Koch
bfedc760ef
scd:p15: Return a display S/N via Assuan.
* scd/app-p15.c (make_pin_prompt): Factor some code out to ...
(get_dispserialno): this.
(do_getattr): Use new fucntion for a $DISPSERIALNO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-09 12:20:18 +02:00
Werner Koch
9ec8d984be
scd:p15: Show a pretty PIN prompt.
* scd/app-p15.c (struct prkdf_object_s): New fields common_name and
serial_number.
(release_prkdflist): Free them.
(keygrip_from_prkdf): Parse cert and set them.
(any_control_or_space): New.
(make_pin_prompt): New.
(verify_pin): Construct a pretty PIN prompt.
(do_sign): Remove debug output.
--

The D-Trust card has the SerialNumber part of the Subject printed on
the front matter, we assume this is also possible with other cards and
thus we show this as serial number.

The holder of the card is also extracted from the card's subject.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-07 20:38:15 +02:00
Werner Koch
f28795b615
scd: Return GPG_ERR_BAD_PIN on 0x63Cn status word.
* scd/iso7816.c (map_sw): Detect 0x63Cn status code.
--

I really wonder when that got lost and we ended up with a simple card
error.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-07 19:09:27 +02:00
Werner Koch
60d018f6a9
scd: Factor common PIN status check out.
* scd/iso7816.h (ISO7816_VERIFY_ERROR): New.
(ISO7816_VERIFY_NO_PIN): New.
(ISO7816_VERIFY_BLOCKED): New.
(ISO7816_VERIFY_NULLPIN): New.
(ISO7816_VERIFY_NOT_NEEDED): New.
* scd/iso7816.c (iso7816_verify_status): New.
* scd/app-nks.c (get_chv_status): Use new function.
* scd/app-piv.c (get_chv_status): Ditto.
(verify_chv): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-07 18:26:00 +02:00
Werner Koch
42ddcc87f4
scd:p15: Fix decrypt followed by sign problem for D-Trust cards.
* scd/iso7816.c (iso7816_select_mf): New.
* scd/app-p15.c (card_product_t): New.
(struct app_local_s): Add field 'card_product'.
(read_ef_tokeninfo): Detect D-Trust card.
(prepare_verify_pin): Switch to D-Trust AID.
(do_decipher): Restore a SE for D-TRust cards.  Chnage the passing
indicator to 0x81.
--

Using what I learned from a USB trace running the Governikus Signer
Software on Windows this fixes the left over problem with the new
D-Trust card support.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-07 16:03:11 +02:00
Werner Koch
aa60645b99
scd:p15: Emit MANUFACTURER, $ENCRKEYID, $SIGNKEYID.
* scd/app-p15.c (read_ef_tokeninfo): Store manufacturer_id.
(do_getattr): Implement MANUFACTURER, $ENCRKEYID and $SIGNKEYID.
(send_keypairinfo): Also print usage flags.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-03 11:21:32 +02:00
Werner Koch
541a6a903e
scd:openpgp: New attribute "MANUFACTURER".
* scd/app-openpgp.c (get_manufacturer): New..
(do_getattr): Add new attribute "MANUFACTURER".
(do_learn_status): Always print it.
--

This will make it easy to maintain the list of OpenPGP vendors at just
one place.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-03 09:56:56 +02:00
Werner Koch
61c5b0767f
scd:p15: Implement do_with_keygrip and capabilities.
* scd/app-p15.c (prepare_verify_pin): Allow use without an AODF.
(verify_pin): Ditto.
(do_with_keygrip): Implement capability restrictions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-02 14:23:26 +02:00
Werner Koch
8149742ddf
scd:p15: Rename some variables and functions for clarity.
* scd/app-p15.c: Rename keyinfo to prkdf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-02 12:40:09 +02:00
Werner Koch
5b7b42e2b2
scd: Use Gcrypt usage constants for the do_with_keygrip capabilities.
* scd/command.c (cmd_keyinfo): Use Gcrypt constants for CAP.
* scd/app-openpgp.c (do_with_keygrip): Adjust for them.
* scd/app-piv.c (do_with_keygrip): Ditto.
--

That makes it easier to read.  An open question is whether we should
allow several capabilities and whether they are the ORed or ANDed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-02 11:54:01 +02:00
NIIBE Yutaka
2ccbcfec12 scd: New command DEVINFO.
* scd/app.c (notify_cond): New condition variable.
(app_send_devinfo, app_wait): New.
(scd_update_reader_status_file): Kick NOTIFY_COND.
(initialize_module_command): Initialize NOTIFY_COND.
* scd/command.c (struct server_local_s):  Add watching_status.
(cmd_devinfo): New.
(register_commands): Add DEVINFO command.
(send_client_notifications): Write status change to DEVINFO channel.
* scd/scdaemon.h (app_wait, app_send_devinfo): New.

GnuPG-bug-id: 4864
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-04-02 15:39:26 +09:00
Werner Koch
29f8f52bf8
scd:p15: Cache the PIN.
* scd/app-p15.c (struct prkdf_object_s): Add flag pin_verified.
(verify_pin): Make use of it.
--

Theee is still a problem with the APDUs we send: Switching between
signing and decryption does work but not in the other way.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-01 20:31:21 +02:00