1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

10243 Commits

Author SHA1 Message Date
Werner Koch
15e065dee8
doc: Add instructions on how to setup an Active Directory.
--
2020-12-23 14:45:55 +01:00
bobwxc
ea3fb3dc94 doc: Update Simplified Chinese doc/help.zh_CN.txt.
--

GnuPG-bug-id: 5189
Signed-off-by: bobwxc  <bobwxc@yeah.net>
2020-12-23 11:38:50 +09:00
NIIBE Yutaka
eeea4f0fab doc: Update Japanese doc/help.ja.txt.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-23 11:25:03 +09:00
Werner Koch
fc0eaa9add
common: Remove superfluous debug output from dotlock.c.
* common/dotlock.c (dotlock_create_unix): Remove debug output.
--

This was left over from developement about 10 years ago.  Exhibits
itself when using sshfs.

GnuPG-bug-id: 5193
2020-12-21 19:43:35 +01:00
Werner Koch
e0cbb97925
doc: Explain LDAP keyserver parameters 2020-12-21 16:06:16 +01:00
Werner Koch
355e2992c0
dirmngr: Do not block threads in LDAP keyserver calls.
* dirmngr/ks-engine-ldap.c: Wrap some ldap calls.
--

The former gpgkeys_ldap module has once been ported to dirmngr but
unfortunately the dirmngr_ldap wrapper has not been used so that we
have internal LDAP calls with these problems:

- No usable timeouts.
- On non-Windows platforms a lot of extra libs and possibly even a
  second copy of Libgcrypt is pulled in.
- Only one threads runs at a time.

This patch mitigates the last point.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-18 11:57:14 +01:00
Werner Koch
4a3836e2b2
gpg: New AKL method "ntds"
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Change the new
support for KEYDB_SEARCH_MODE_MAIL.
(ks_ldap_get): Add a debug.
* g10/options.h (AKL_NTDS): New.
* g10/keyserver.c (keyserver_import_ntds): New.
(keyserver_get_chunk): Allow KEYDB_SEARCH_MODE_MAIL.
* g10/getkey.c (parse_auto_key_locate): Support "ntds".
(get_pubkey_byname): Ditto.
2020-12-17 18:25:34 +01:00
Werner Koch
1194e4f7e2
dirmngr: Support "ldap:///" for the current AD user.
* dirmngr/http.h (struct parsed_uri_s): Add field ad_current.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Set it.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Take care of ad_current.
--

Ported from 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-17 18:25:11 +01:00
Werner Koch
2cadcce3e8
dirmngr: Allow LDAP searches via fingerprint.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Add arg
serverinfo and allow searching by fingerprint.
(ks_ldap_get, ks_ldap_search): First connect then create teh filter.
--

With the new schema we can finally search by fingerprint.
2020-12-17 10:20:28 +01:00
Werner Koch
2b06afbf26
dirmngr: Finalize Active Directory LDAP Schema
--

With these modifications it is now possible to store and retrieve keys
from an AD without manually tweaking the schema.  Permissions need to
be set manuallay, though.
2020-12-17 10:17:22 +01:00
Werner Koch
a2434ccabd
dirmngr: Store all version 2 schema attributes.
* g10/call-dirmngr.c (ks_put_inq_cb): Emit "fpr" records.
* dirmngr/ks-engine-ldap.c (extract_attributes): Add args
extract-state and schemav2.  Add data for the new schema version.
remove the legacy code to handle UIDs in the "pub" line.
(ks_ldap_put): Set new attributes for NTDS use the fingerprint as CN.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-15 13:36:19 +01:00
Werner Koch
2c6bb03cfb
dirmngr: Remove superfluous attribute from the LDAP schema.
--

I accidently added a gpgSubCertID attribute not realizing that the
pgpSubKeyID already carries the long keyid.  Remove that.  Note that
the pgpkeyID has the short keyid and the long keyid has the name
pgpCertID.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-15 08:52:06 +01:00
Werner Koch
e9ddd61fe9
dirmngr: Support the new Active Directory schema
* dirmngr/ks-engine-ldap.c (SERVERINFO_): New constants.
(my_ldap_connect): Relace args pgpkeyattrp and real_ldapp by a new
serverinfo arg.  Set the new info flags.
(ks_ldap_get): Adjust for change.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.  Replace xmalloc by xtrymalloc.  Change the DN
for use with NTDS (aka Active Directory).
* doc/ldap/gnupg-ldap-init.ldif (pgpSoftware): Update definition of
pgpVersion.
* doc/ldap/gnupg-ldap-ad-init.ldif: New.
* doc/ldap/gnupg-ldap-ad-schema.ldif: New.
--

This is a first take on better Active Directory support.  The main
change for NTDS in the code is that the an top-RDN of CN is used
instead of the old pgpCertID.  More changes to come; for example using
and storing the fingerprint.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-14 19:29:49 +01:00
Werner Koch
cc056eb534
dirmngr: Do not store the useless pgpSignerID in the LDAP.
* dirmngr/ks-engine-ldap.c (extract_attributes): Do not store the
pgpSignerID.
* g10/call-dirmngr.c (ks_put_inq_cb): Do not emit sig records.
--

The pgpSignerID has no use in the LDAP and thus don't store it.
David's idea back in 2004 was
              /* This bit is really for the benefit of people who
                 store their keys in LDAP servers.  It makes it easy
                 to do queries for things like "all keys signed by
                 Isabella".  */
See-commit: 3ddd4410ae

I consider this dangerous because such a query is not able to validate
the signature, does not get revocation signatures, and also has no
information about the validity of the signatures.  Further many keys
are spammed tehse days with faked signatures and it does not make
sense to blow up the LDAP with such garbage.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-14 19:29:49 +01:00
Werner Koch
37a899d0e4
dirmngr: Fix adding keys to an LDAP server.
* dirmngr/ks-engine-ldap.c (ks_ldap_put): Extract attribites into
addlist.
--

The code used the wrong list which resulting in adding attributes
marked for deletion.  In particular Active Directory does not accept
such an data and rejects them.  The bug was introduced into 2.1 while
porting the code from the old keyserver helpers to dirmngr.

Fixes-commit: 51341badb6
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-14 19:29:49 +01:00
NIIBE Yutaka
3b39263088 scd:nks: Support READKEY with keygrip and for "NKS-IDLM" keyref.
* scd/app-nks.c (do_readkey): Allow KEYGRIP access.
Support NKS-IDLM.XXXX keyref.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-11 14:08:40 +09:00
NIIBE Yutaka
b7c087375d scd:nks: Factor out pubkey retrieval from keygrip handling.
* scd/app-nks.c (pubkey_from_pk_file): New.
(keygripstr_from_pk_file): Use pubkey_from_pk_file.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-11 14:06:52 +09:00
NIIBE Yutaka
4020cd9d65 scd:nks: Add support of KEYGRIP for do_readcert.
* scd/app-nks.c (do_readcert): Support KEYGRIP.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-10 10:40:35 +09:00
NIIBE Yutaka
6c43658476 scd:nks: Factor out iteration over filelist.
* scd/app-nks.c (iterate_over_filelist): New.
(do_with_keygrip): Use iterate_over_filelist.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-10 10:40:11 +09:00
Werner Koch
c7c88648b7
wks-client: Improve an error message
* tools/gpg-wks-client.c (read_confirmation_request): Print trust
letter.
--

The trust letter gives a hint on what's wrong with the key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-09 10:59:51 +01:00
NIIBE Yutaka
a9aa30ed2c scd:ccid:spr532: Extend abort_cmd for initialization time.
* scd/ccid-driver.c (abort_cmd): Add INIT argument to support
synchronize until success, even ignoring timeout.
(bulk_in): Normal use case of abort_cmd.
(ccid_vendor_specific_init): Initial use case of abort_cmd.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-09 12:54:43 +09:00
NIIBE Yutaka
f503730272 scd:ccid: Call libusb_clear_halt in ccid_vendor_specific_setup.
* scd/ccid-driver.c (ccid_vendor_specific_setup): Only for SPR532,
call libusb_clear_halt.

--

GnuPG-bug-id: 5167
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-09 12:52:08 +09:00
NIIBE Yutaka
ffabc29d5e scd:ccid: Revert the addition of libusb_clear_halt for EP_INTR.
* scd/ccid-driver.c (ccid_setup_intr): Don't call libusb_clear_halt.

--

GnuPG-bug-id: 5167
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-09 12:40:47 +09:00
NIIBE Yutaka
946555ea3c scd:yubikey: Fix support of Yubikey NEO.
* scd/app-openpgp.c (get_public_key): Yubikey NEO also has this issue.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-08 17:45:18 +09:00
NIIBE Yutaka
eda3c688fc agent: Allow decryption with card but no file.
* agent/pkdecrypt.c (agent_pkdecrypt): Support decryption with card
but without a stub key.

--

GnuPG-bug-id: 5170
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-08 15:15:45 +09:00
NIIBE Yutaka
9beab36dfa agent: Clean up the API of agent_pkdecrypt.
* agent/agent.h (agent_pkdecrypt): Use gpg_error_t type.
* agent/pkdecrypt.c (agent_pkdecrypt): Use gpg_error_t type.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-08 15:06:33 +09:00
NIIBE Yutaka
cbb0e069f5 agent: Allow pksign operation with card but no file.
* agent/pksign.c (agent_pksign_do): Add support with no file.

--

GnuPG-bug-id: 5166
Signed-off-by: Ingo Klöcker <dev@ingo-kloecker.de>
2020-12-08 13:20:29 +09:00
Ingo Klöcker
255d33d651 gpg: Make quick-gen-key with algo "card" work for keys without keytime
* g10/keygen.c (quick_generate_keypair): Set pCARDKEY flag if algostr
is "card" or "card/...".
--

For keys stored on NetKey cards or PIV cards we do not necessarily
know the creation time. Therefore set the cardkey flag if the generation
of a key from the keys available on the currently inserted smartcard
is requested with the special algo "card" or, in case of the extended
unattended mode, with an algo like "card/sign".

GnuPG-bug-id: 5141
Signed-off-by: Ingo Klöcker <dev@ingo-kloecker.de>
2020-12-07 15:15:10 +01:00
NIIBE Yutaka
1cd615afe3 gpg,card: Allow no version information of Yubikey.
* g10/call-agent.c (learn_status_cb): Assume >= 2 when no version.
* tools/card-call-scd.c (learn_status_cb): Likewise.

--

GnuPG-bug-id: 5100
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-07 10:02:17 +09:00
NIIBE Yutaka
87d2c579cc scd:nks: Fix caching keygrip (more).
* scd/app-nks.c (keygripstr_from_pk_file): Distinguish by APP_ID.

--

GnuPG-bug-id: 5150, 5161
Fixes-commit: 9201543708
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-03 16:21:49 +09:00
NIIBE Yutaka
54b88ae460 scd: Fix KEYINFO command with --data option.
* scd/command.c (cmd_keyinfo): Handle --data option correctly.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-03 15:28:35 +09:00
NIIBE Yutaka
a25c99b156 scd:openpgp: Fix writing ECC key to card.
* scd/app-openpgp.c (build_privkey_template): Adding another argument
of ecc_d_fixed_len to handle variable-size MPI.

--

GnuPG-bug-id: 5163
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-03 15:04:14 +09:00
Werner Koch
63ed2054a1
kbx: Better error message in case of a crippled Libgcrypt.
* kbx/keybox-openpgp.c (keygrip_from_keyparm): Detect missing curve.
2020-12-02 11:14:19 +01:00
Jens Meißner
4f9ac5dac0
doc: Add parameters for batch generation of ECC keys.
* doc/gpg.texi: Add parameters for batch generation of ECC keys.

--

There are parameters required for batch generation of ECC keys which
weren't mentioned in the documentation.

Signed-off-by: Jens Meißner <meissner@b1-systems.de>
2020-12-01 09:56:42 +01:00
Werner Koch
806547d9d2
scd:nks: Minor additions to the basic IDLM application support.
* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
(keygripstr_from_pk_file): Handle special value.
(do_readcert): Ditto.
(do_writecert): Ditto.
--

This allows to get information about the keys from the card.  However
the do_readkey still requires a fallback to readcert.  This does not
work because there are no certificates yet on the card.  The fix is to
fully implement do_readkey.
2020-11-30 10:12:46 +01:00
Werner Koch
ad469609b1
card: Let the APDU command prints a description of the status word.
* tools/card-call-scd.c (scd_apdu_strerror): New.
* tools/gpg-card.c (cmd_apdu): Print a description.
--

Pretty convenient to explore smartcards.
2020-11-27 11:28:16 +01:00
Werner Koch
0e34683a6c
scd: New getinfo sub-command apdu_strerror.
* scd/apdu.c (apdu_strerror): Add missing status codes.
* scd/command.c (cmd_getinfo): New sub-command apdu_strerror.
--

This is quite handy for gpg-card's APDU command and avoids that we
need to duplicate the mapping table or put it into a shared file.
2020-11-27 11:14:30 +01:00
Werner Koch
5804db1a13
card: Netkey improvement for passwd.
* tools/gpg-card.c (cmd_passwd) [Netkey]: No Standard/QES menu if the
card does not support it.  Print no error in cases the user canceled.
2020-11-27 10:00:21 +01:00
NIIBE Yutaka
bb591222c3 scd:ccid-driver: Fix pinpad error handling for cancel/timeout.
* scd/apdu.h (SW_HOST_UI_CANCELLED, SW_HOST_UI_TIMEOUT): New.
* scd/ccid-driver.h (CCID_DRIVER_ERR_UI_CANCELLED): New.
(CCID_DRIVER_ERR_UI_TIMEOUT): New.
* scd/ccid-driver.c (bulk_in): Handle PIN input cancel/timeout error.
* scd/iso7816.c (map_sw): Support SW_HOST_UI_CANCELLED and
SW_HOST_UI_TIMEOUT.

--

GnuPG-bug-id: 4614
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-11-27 15:17:56 +09:00
Werner Koch
7113263a00
agent: Fix YK s/n and prettify the request card prompt for Yubikeys
* agent/divert-scd.c (ask_for_card): Detect and re-format the Yubikey
prompt.
* scd/app.c (app_munge_serialno): Fix Yubikey s/n munging.
(card_get_dispserialno): Ditto.
* scd/app-openpgp.c (get_disp_serialno): Remove.
(get_prompt_info): Use app_get_dispserialno.--
--
2020-11-26 15:56:37 +01:00
Werner Koch
d784e76349
scd: Do not try to use a non-enabled app after card switching.
* scd/app.c (app_dump_state): Also print the refcount.
(maybe_switch_app): Make sure the app exists on the card.
--

When switching the current card and the card does not support the same
apps as the former, we now reset the app to the first one.

Testcase is to use a standard OpenPGP card and a P15 card.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-11-26 12:16:56 +01:00
Werner Koch
764c69a841
scd: Add special serialno compare for OpenPGP cards.
* scd/app.c (is_same_serialno): New.
(check_application_conflict): Use this.
(select_application): Ditto.
(app_switch_current_card): Ditto.
* scd/app-openpgp.c (check_keyidstr): Ignore the card version and also
compare case insensitive.
--

This is required because we change what we emit as serialno of OpenPGP
cards but existing keys still use the old form of the serial
number (i.e. with a firmware version).

See-commit: 3a8250c020
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-11-26 09:54:23 +01:00
NIIBE Yutaka
605ab99912 gpg: Report an error for receiving key from agent.
* g10/export.c (do_export_one_keyblock): Report an error.

--

GnuPG-bug-id: 5151
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-11-26 09:50:40 +09:00
NIIBE Yutaka
9201543708 scd,nks: Fix caching keygrip.
* scd/app-nks.c (keygripstr_from_pk_file): Identify by cfid if
available.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-11-26 09:35:35 +09:00
Werner Koch
00037f499d
scd:p15: Print the internal card type.
* scd/app-p15.c (read_ef_tokeninfo): Print the internal card type.
2020-11-25 15:48:20 +01:00
Werner Koch
c7b9a4ee43
scd:p15: Improve support for some CardOS based cards.
* scd/iso7816.c (iso7816_read_binary_ext): Add optional arg r_sw and
change callers.
(iso7816_read_record): Factor all code out to ...
(iso7816_read_record_ext): new.
* scd/app-p15.c (select_and_read_binary): Fallback to record reading.
(read_ef_aodf): Clear EOF error.
2020-11-25 15:27:21 +01:00
Werner Koch
60e1ce6612
g13: Add missing header
--
2020-11-25 10:23:55 +01:00
Werner Koch
3a8250c020
scd: Rework the handling of the displayed serial number.
* scd/app.c (app_new_register): Call app_munge_serialno for Yubikeys.
(app_munge_serialno): Handle Yubikey serial numbers.
(card_get_serialno): Remove special Yubikey treatment.  Drop arg
is_canonical.
(app_get_serialno): Clear ERRNO on error.
(card_get_dispserialno): New.  Also change formatting of Yubikey and
OpenPGP numbers to match those printed on the card.
(app_get_dispserialno): New.
* scd/app-openpgp.c (do_getattr): Use app_get_dispserialno.
(yubikey_get_serialno): Remove.
* scd/app-piv.c (get_dispserialno): Remove.
(do_getattr): Use app_get_dispserialno.
--

This patch gets us back to a unique serial number for cards and
provides a stable serial number as printed for Yubikeys.

Because we use a slightly different serial number now for Yubikeys and
cards only supporting OpenPGP card we need to come up with another
change so that the version number of OpenPGP serial numbers are
ignored when comparing card serial numbers.  This is so that existing
stub keys of gpg-agent will continue to work.

GnuPG-bug-id: 5100
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-11-25 10:23:55 +01:00
NIIBE Yutaka
c3a20c88fb scd: Fix an error return for READKEY.
* scd/command.c (cmd_readkey): Return when error.

--

GnuPG-bug-id: 5150
Suggested-by: Ingo Klöcker
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-11-25 11:38:15 +09:00
NIIBE Yutaka
006944b856 scd,nks: Fix SEGV for learn for older card.
* scd/app-nks.c (keygripstr_from_pk_file): Set algostr.

--

GnuPG-bug-id: 5144
Fixes-commit: 26da47ae53
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-11-25 10:32:28 +09:00