1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-10 21:38:50 +01:00
Commit Graph

1066 Commits

Author SHA1 Message Date
NIIBE Yutaka
70bb9c5127
scd: Fix how scdaemon pipe server finishes.
* scd/scdaemon.h (scd_command_handler): Fix the return type.
* scd/command.c (scd_command_handler): Not return a value.
* scd/scdaemon.c (pipe_server): Make it auto variable in main.
(main): Use auto PIPE_SERVER variable.
(start_connection_thread): When it's a pipe connection and it
finishes, let the service shutdown.

--

GnuPG-bug-id: 7151
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 01fa318be0)
2024-07-01 14:14:49 +02:00
Jakub Jelen
524e3a9345
scd: Avoid buffer overrun with more than 16 PC/SC readers.
* scd/apdu.c (apdu_dev_list_start): Fix end condition.

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

This is part of
GnuPG-bug-id: 7129
Fixes-commit: e8534f8999

(cherry picked from commit 4c1b007035)
2024-05-29 11:48:31 +02:00
Werner Koch
f46d75f0b2
scd:openpgp: Add new vendor.
--
2024-05-29 11:46:03 +02:00
NIIBE Yutaka
6b2ebc36a9
scd:openpgp: Robust Data Object handling for constructed case.
* scd/app-openpgp.c (get_cached_data): When it comes with
its tag and length for the constructed Data Object, remove
them.

--

Cherry-pick master commit of:
	35ef87d8d9

GnuPG-bug-id: 7058
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-05-16 09:42:47 +09:00
Werner Koch
09431d1762
scd: Improve code reability of ccid-driver.c
* scd/ccid-driver.c (my_npth_unprotect, my_npth_protect): New.
Replace all direct uses by these wrappers.
2024-03-07 13:44:30 +01:00
Werner Koch
1682ca9f01
scd: Add support for ACR-122U
* scd/ccid-driver.h (VENDOR_ACR, ACR_122U): New.
* scd/ccid-driver.c (ccid_open_usb_reader): Do not call
libsub_set_interface_alt_setting for this reader.
--

Co-authored-by: markus.montkowski@gnupg.com
2024-03-07 13:44:00 +01:00
Werner Koch
a1ea3b13e0
scd: Let the CCID module auto detach the kernel driver.
* scd/ccid-driver.c (ccid_open_usb_reader): Call
libusb_set_auto_detach_kernel_driver.

* scd/scdaemon.c (oCompatibilityFlags): New.
(opts): Add option "compatibility-flags".
(compatibility_flags): New.
(main): Parse flags.
* scd/scdaemon.h (opt): Add field compat_flags.
(COMPAT_CCID_NO_AUTO_DETACH): New.
2024-03-07 13:21:43 +01:00
Mario Haustein
3aa02027cd
scd:p15: Fix typo in a comment 2024-02-20 10:34:39 +01:00
Mario Haustein
557f29d2c1
scd:p15: Add ECC support for D-Trust Card 4.1/4.4
* scd/app-p15.c (do_sign): Add MSE RESTORE parameters for D-Trust ECC
cards.
(do_decipher): Ditto.
2024-02-20 10:32:08 +01:00
Werner Koch
1e496cf2e5
scd:p15: Take derive usage into account for decryption (2).
* scd/app-p15.c (do_getattr): Yet another palce to fix.
--
GnuPG-bug-id: 7000
Co-authored-by: Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
2024-02-20 10:29:25 +01:00
Werner Koch
3341017ff1
scd:p15: Handle duplicate certificate ids.
* scd/app-p15.c (struct app_local_s): Add field cdf_dup_counter.
(objid_in_cdflist_p): New.
(read_p15_info): Clear the counter.
(read_ef_cdf): Detect and fix duplicate IDs.
--

GnuPG-bug-id: 7001
Reported-by: Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
2024-02-20 09:17:38 +01:00
Werner Koch
ad4bc3e04d
scd:p15: Take derive usage into account for decryption.
* scd/app-p15.c (set_usage_string): Map usageflags.derive also to 'e'.
(do_auth): Allow usageflags.sign_recover.
(do_decipher): Allow usageflags.derive.
(do_with_keygrip): Take usageflags.derive into account.
(do_gettatr): Ditto.
(do_decipher): Take a missing AODF for authentication not needed.
--

This is required for D-Trust ECC cards.

The AODF thing is unrelated but seems to be a good idea.

GnuPG-bug-id: 7000
2024-02-20 09:17:38 +01:00
Werner Koch
40b85d8e8c
scd:openpgp: Allow PIN length of 6 also with a reset code.
* scd/app-openpgp.c (do_change_pin): Fix PIN length check.  Add "R"
flag to the reset code prompt.
--

When using the reset code it was not possible to set a PIN of length
6.  The "R" flags fixes a funny prompt.

Fixes-commit: efe325ffdf
scd:openpgp: Allow PIN length of 6 also with a reset code.

* scd/app-openpgp.c (do_change_pin): Fix PIN length check.  Add "R"
flag to the reset code prompt.
--

When using the reset code it was not possible to set a PIN of length
6.  The "R" flags fixes a funny prompt.

Fixes-commit: 2376cdff13
2024-01-30 15:58:14 +01:00
Werner Koch
2ed1f68b48
doc: Fix spelling errors found by lintian.
--

Reported-by: Andreas Metzler <ametzler@debian.org>
2024-01-29 09:16:21 +01:00
Werner Koch
275ced5067
scd:p15: Allow signing for CVISION cards
* scd/app-p15.c (do_sign): Add code for Starcos 3.2 and the CVISION
product.
--

The code for the Starcos cards has been implemented according to the
3.52 manual However, this does not work with my test cards.  Protocol
analysis shows that decryption can be used for the cryptovision
product.  Thus we do it the same for now.
2024-01-10 14:35:26 +01:00
Werner Koch
880dde8e5b
scd:p15: Allow PIN verification and decryption for CVISION cards.
* scd/app-p15.c (CARD_PRODUCT_CVISION): New.
(IS_STARCOS_3): New.
(read_p15_info): Detect this product.
(prepare_verify_pin): Add special handling for this product.
(do_decipher): Use dedicated MSE for Starcos 3 cards.
--

To check the verification run

  gpg-card verify User_PIN

For our test cards the "Benutzer-PIN" must be given.  For decryption
tests gpgsm can be used; --always-trust helps to avoid chain issues.
2024-01-09 17:12:20 +01:00
Werner Koch
3f8cb9b339
scd: Add support for SCE 7.0
* scd/app-common.h (CARDTYPE_SCE7): New.
* scd/app.c (strcardtype): Support it.
(atr_to_cardtype): New.
(app_new_register): Try to get the cardtype from atr_to_cardtype.
* scd/app-piv.c (app_select_piv): Tweak for SCE7.  Add general method
to construct a S/N from the Card UUID.
--

The test cards I have are rsa2048 with X.509 certificates.  I don't
have the entire chain but loading the certificates work.  For testing
I created an OpenPGP key from the keys and tested signing and
decryption.

GnuPG-bug-id: 6919
2024-01-04 16:29:33 +01:00
NIIBE Yutaka
2376cdff13
scd:openpgp: Add the length check for new PIN.
* scd/app-openpgp.c (do_change_pin): Make sure new PIN length
is longer than MINLEN.

--

GnuPG-bug-id: 6843
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-22 13:32:40 +09:00
Werner Koch
f2904737e5
scd:p15: Add a diagnostic for unsupported DTRUST4 features.
* scd/app-p15.c (do_sign): Add a diagnostic.
2023-12-20 16:52:47 +01:00
Mario Haustein via Gnupg-devel
0b85a9ac09
scd:p15: Add support for D-Trust Card 4.1/4.4
* scd/app-p15.c (CARD_PRODUCT_DTRUST4) New.
(app_select_p15): This cards uses a different AID for PKCS#15
application
(do_sign): The card doesn't support MSE SET, but requires MSE RESTORE to
a predefined template.
(do_decipher): Ditto.
2023-12-20 16:47:25 +01:00
Mario Haustein via Gnupg-devel
812f988059
scd:p15: Add support for CardOS 5.4
* scd/app-p15.c (CARD_TYPE_CARDOS_54): New.
2023-12-20 16:42:00 +01:00
Werner Koch
4c456bf075
scd:openpgp: Fallback to default ECDH params in writekey.
* scd/app-openpgp.c (ecc_writekey): Use default ECDH parameters and
remove the now useless check.
--

This seems to be better than bailing out.  In almost all cases our
standard parameters are used and if not, well, the fingerprint will be
wrong.

GnuPG-bug-id: 6378
2023-11-23 16:01:58 +01:00
Werner Koch
e43bd2a7a7
scd: New option --debug-allow-pin-logging.
* scd/scdaemon.c (oDebugAllowPINLogging): New.
(opts): Add option.
(main): Set option.
* scd/scdaemon.h (opt): Add debug_allow_pin_logging.
* scd/apdu.c (pcsc_send_apdu): Do not hide the PIN dat in the debug
output if the option is set.
(send_apdu_ccid): Ditto.
--

This option is only required during development.
2023-11-21 08:35:01 +01:00
Werner Koch
5304c9b080
scd:p15: Basic support for Starcos 3.2.
* scd/app-p15.c (CARD_TYPE_STARCOS_32): New.
(card_atr_list): Add ATR for my sample card.
(cardtype2str): Add starcos string.
(select_ef_by_path): Factor all code out to ...
(select_by_path): this.  Add arg to request a directory.  Simplify the
case pathlen>1 case.  Fix error printing.
(select_df_by_path): New.
(prepare_verify_pin): For starcos select a DF.
(app_select_p15): Don't use extended mode for starcos.
--

This allows reading the certificates from my sample cards.  Signing
does not yet work; I need to do get some I/O traces using other
software.  The basic support for AET cards shut still work but I have
not found my AET card.
2023-11-16 17:10:08 +01:00
Werner Koch
a33ad8f9bf
scd: Minor debug output tweak
* scd/apdu.c (send_le): Do not dump "[all zero]" if tehre is no data.
* scd/iso7816.c (iso7816_select_mf): Cosmetic fix.
2023-11-16 17:04:02 +01:00
NIIBE Yutaka
4257cbb06c
scd: Return GPG_ERR_PIN_BLOCKED when it's blocked.
* scd/app-openpgp.c (build_enter_admin_pin_prompt): Fix to use
GPG_ERR_PIN_BLOCKED.
(check_pin): Likewise.

--

Cherry-pick from master commit:
	e6b3d53db3

GnuPG-bug-id: 6425
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-11-08 11:49:27 +09:00
Werner Koch
4963f13f8f
scd:openpgp: Return better error codes for the Reset Code.
* scd/app-openpgp.c (do_change_pin): Use GPG_ERR_BAD_RESET_CODE where
appropriate.
* common/util.h: Add error codes missing in gpgrt 1.46.

* agent/call-pinentry.c (unlock_pinentry): Handle
GPG_ERR_BAD_RESET_CODE.
(agent_askpin): Ditlo.  Also simply condition.
(agent_get_passphrase):  Ditto.
* g10/call-agent.c (status_sc_op_failure): Handle
GPG_ERR_BAD_RESET_CODE.
* g10/card-util.c (write_sc_op_status): Ditto.
* tools/card-call-scd.c (status_sc_op_failure): Ditto.
2023-10-06 12:15:10 +02:00
Werner Koch
b83d86b988
scd:p15: Make signing work for Nexus cards.
* scd/app-p15.c (CARD_PRODUCT_NEXUS): New.
(read_p15_info): Detect Nexus cards.
(get_dispserialno): Use product_id instead of comparing the
manufacturer_id.
(do_sign): Handle Nexus like BELPIC.
2023-07-04 14:32:08 +02:00
NIIBE Yutaka
25b59cf6ce
scd:piv: Fix authentication with Administration Key.
* scd/app-piv.c (auth_adm_key): Fix the value of the Response Tag.
(do_setattr): Fix the comment.

--

Cherry-pick master commit of:
	7cfbf0dd72

Reported-by: Heiko Schäfer <heiko@schaefer.name>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-06-28 14:03:45 +09:00
Werner Koch
6657230f9e
w32: Add missing supportedOS Ids for Windows-10
--
2023-05-24 14:16:10 +02:00
Werner Koch
3fbe10172f
w32: Add missing manifests and set a requestedExecutionLevel.
* agent/gpg-agent.w32-manifest.in: New.
* dirmngr/dirmngr-client-w32info.rc: New.
* dirmngr/dirmngr-client.w32-manifest.in: New.
* dirmngr/dirmngr-w32info.rc: New.
* dirmngr/dirmngr.w32-manifest.in: New.
* dirmngr/dirmngr_ldap-w32info.rc: New.
* dirmngr/dirmngr_ldap.w32-manifest.in: New.
* g10/gpgv-w32info.rc: New.
* g10/gpgv.w32-manifest.in: New.
* kbx/keyboxd.w32-manifest.in: New.
* scd/scdaemon.w32-manifest.in: New.
* sm/gpgsm.w32-manifest.in: New.
--

This avoids the use of the VirtualStore uner Windows.

GnuPG-bug-id: 6503
2023-05-24 12:06:37 +02:00
NIIBE Yutaka
3cf5fc2e2f
scd: Fix cmd_apdu on error.
* scd/command.c (cmd_apdu): Fix the code path on error.

--

GnuPG-bug-id: 6476
Reported-by: Robin Krahl
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-05-01 11:36:36 +09:00
Werner Koch
c03ba92576
gpg: Fix writing ECDH keys to OpenPGP smartcards.
* agent/command.c (cmd_keytocard): Add new arg for ECDH params.
* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
compute the fingerprint.
* g10/call-agent.c (agent_keytocard): Add arg ecdh_param_str.
* g10/keyid.c (ecdh_param_str_from_pk): New.
* g10/card-util.c (card_store_subkey): Pass ECDH params to writekey.
* g10/keygen.c (card_store_key_with_backup): Ditto.

* scd/app-openpgp.c (store_fpr): Add arg update.
(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
writing the fingerprint back to the card if not set.
(read_public_key): Also add arg meta_update.
(get_public_key): Do not pass it as true here...
(do_genkey): ... but here.
(rsa_write_key, ecc_writekey): Force string the fingerprint.
--

The problem showed up because in 2.4 we changed the standard ECDH
parameter some years ago.  Now when trying to write an ECDH key
created by 2.2 with 2.4 to an openpgp card, scdaemon computes a wrong
fingerprint and thus gpg was not able to find the key again by
fingerprint.

The patch also avoids updating the stored fingerprint in certain
situations.

This fix is somewhat related to
GnuPG-bug-id: 6378
2023-04-21 15:23:29 +02:00
Werner Koch
af3724d383
scd,p15: Enforce a min. PIN length for certain cards.
* scd/app-p15.c (verify_pin): Enforce 6 for RSCS cards.
2023-04-20 12:41:08 +02:00
Werner Koch
f7e00dc73d
scd: On a Yubikey re-select the last app after the use of APDU.
* scd/app-common.h (struct card_ctx_s): Add maybe_check_aid flag.
* scd/command.c (cmd_apdu): Set it.
* scd/app.c (check_external_interference): Consult this flag.
(maybe_switch_app): Do a re-select if this flag is set.
--

After the gpg-card tool has issued a Yubikey specific command the
current application is not anymore correctly selected.  This then
results in all kind of errors.  We detect this now and try to
re-select the last app.
2023-04-18 12:04:15 +02:00
Werner Koch
2e065b4bd2
scd,openpgp: Switch key attributes between RSA and ECC in writekey.
* common/sexputil.c (get_rsa_pk_from_canon_sexp): Also allow private
keys.
(pubkey_algo_string): Ditto.
* scd/app-openpgp.c (do_writekey): Switch key attributes
--

The scd WRITEKEY command for OpenPGP cards missed proper support to
aautomagically switch key attributes based on the new key.  We had
this only in GENKEY.

GnuPG-bug-id: 6378
2023-03-15 09:42:02 +01:00
NIIBE Yutaka
4e391d95e0
scd: Fix checking memory allocation.
* scd/app-openpgp.c (read_public_key): Fix the memory.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-03-08 11:33:18 +09:00
Werner Koch
9de180c6d2
doc: Minor comment fixes.
--
2023-02-23 10:23:56 +01:00
Werner Koch
061efac03f
scd:p15: Skip deleted records.
* scd/app-p15.c (select_and_read_record): Special case deleted
records.  Support 3 byte TLVs.
(read_ef_prkdf): Skip deleted records.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.
--

This fixes a problem with some CardOS 5 applications.
2022-12-09 08:49:28 +01:00
Werner Koch
9f7ff43672
scd: Redact --debug cardio output of a VERIFY APDU.
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--

This should handle the most common case.
GnuPG-bug-id: 5085
2022-11-17 14:33:18 +01:00
Werner Koch
2c4757352d
scd:nks: Fix ECC signing if key not given by keygrip.
* scd/app-nks.c (keygripstr_from_pk_file): Set r_algo if not in cache.
2022-11-15 14:52:40 +01:00
Werner Koch
8361e13ef2
scd:nks: Support non-ESIGN signing with the Signature Card v2
* scd/app-nks.c (do_sign): Handle ECC for NKS cards
2022-10-25 11:57:23 +02:00
NIIBE Yutaka
3d7dbf1661
agent,dirmngr,gpg,scd: Clean up for modern compiler.
* agent/protect.c (agent_get_shadow_info_type): It's a write only
variable, useful for debugging.
* g10/key-check.c (key_check_all_keysigs): Likewise.
* g10/keyedit.c (show_basic_key_info, menu_expire): Likewise.
* scd/app-sc-hsm.c (read_ef_prkd): Likewise.
* dirmngr/crlfetch.c (fetch_next_ksba_cert): Initialize the vars.
* dirmngr/ks-action.c (ks_action_help): Remove unused variables.
* dirmngr/server.c (make_keyserver_item): Likewise.
* dirmngr/validate.c (check_cert_sig): Initialize the variable.
* scd/app-p15.c (select_and_read_record): Likewise.
* tests/gpgscm/scheme.c (scheme_init_new): A function with no args.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-14 12:08:58 +09:00
NIIBE Yutaka
87d4338ed1
gpg,common,scd,sm: Function prototype fixes for modern compiler.
* common/gettime.c (gnupg_get_time): It has no arguments.
* common/signal.c (gnupg_block_all_signals): Likewise.
(gnupg_unblock_all_signals): Likewise.
* common/utf8conv.c (get_native_charset): Likewise.
* g10/cpr.c (is_status_enabled, cpr_enabled): Likewise.
* g10/getkey.c (getkey_disable_caches): Likewise.
* g10/keygen.c (ask_expiredate): Likewise.
* g10/passphrase.c (have_static_passphrase): Likewise.
(get_last_passphrase): Likewise.
* g10/tdbio.c (tdbio_is_dirty, tdbio_sync): Likewise.
(tdbio_get_dbname, open_db, tdbio_db_matches_options): Likewise.
(tdbio_read_nextcheck): Likewise.
* g10/trustdb.c (how_to_fix_the_trustdb): Likewise.
* scd/scdaemon.c (scd_get_socket_name): Likewise.
* sm/passphrase.c (have_static_passphrase): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-13 16:34:00 +09:00
NIIBE Yutaka
6df8608c3e scd: Add npth_unprotect/npth_protect for blocking operations.
* scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
(ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap
blocking operations by npth_unprotect/npth_protect.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-25 13:13:11 +09:00
Werner Koch
f4b01ddc6a
scd: Add a libusb debug level.
* scd/ccid-driver.c (USE_LIBUSB_DEBUG_CB): New const.
(debug_libusb_cb): new.
(ccid_set_debug_level): Use it.
--

This allows to see the libusb log in our usual debug output.  For this
the option debug-ccid-driver needs to be given 5 or more times.
2022-08-22 12:05:18 +02:00
Werner Koch
67e510cbf7
scd:opengpg: Minor vendor name fix
--
2022-07-28 13:06:03 +02:00
Werner Koch
6d9c8a1cbc
scd:openpgp: New vendor
--
2022-07-28 09:01:24 +02:00
NIIBE Yutaka
f34b9147eb scd:openpgp: Fix workaround for Yubikey heuristics.
* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
of firmware 5.4, too.

--

GnuPG-bug-id: 6070
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-13 10:40:55 +09:00
NIIBE Yutaka
dd600bbc84 scd: Support specifying keygrip for learn command.
* scd/command.c (cmd_learn): Allow keygrip argument.

--

GnuPG-bug-id: 6002
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-10 13:54:03 +09:00