* scd/app-p15.c (select_and_read_record): Special case deleted
records. Support 3 byte TLVs.
(read_ef_prkdf): Skip deleted records.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.
--
This fixes a problem with some CardOS 5 applications.
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--
This should handle the most common case.
GnuPG-bug-id: 5085
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
--
The flag was already backported to some apps but not to these.
* scd/app-nks.c (filelist): Tweak 0x4531.
--
Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.
(cherry picked from commit 3a2fb1c306)
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--
Also added a couple of comments.
(cherry picked from commit b92b3206e7)
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--
This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.
Note: The design of the FID cache needs to be reconsidered. Until
that the lookup here has been disabled. The do_sign code should be
revamped to be similar to what we do in app-p15.
GnuPG-bug-id: 5219, 4938, 6252
Backported-from-master: 07eaf006c2
* scd/app-nks.c (set_usage_string): New.
(do_learn_status_core, do_readkey): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/command.c (send_keyinfo): Add arg usage.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 5264d3f58e
GnuPG-bug-id: 6252
This backports only the NKS parts of the original patch
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it. Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--
Note that this only handles the most common case of providing a
keygrip. $AUTHKEYID and ODLM are not yet supported.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 63320ba2f8)
* scd/app-nks.c (do_sign): Handle plain SHA-2 digests and verify
encoding of ASN.1 encoded hashes.
--
This makes it possible to create CSRs for NetKey card keys which are
signed with SHA256 by default.
GnuPG-bug-id: 5184
(cherry picked from commit 8fe976d5b9)
* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
(keygripstr_from_pk_file): Handle special value.
(do_readcert): Ditto.
(do_writecert): Ditto.
--
This allows to get information about the keys from the card. However
the do_readkey still requires a fallback to readcert. This does not
work because there are no certificates yet on the card. The fix is to
fully implement do_readkey.
(cherry picked from commit 806547d9d2)
* scd/app-nks.c (do_learn_status_core): Emit the algo string as part
of a KEYPAIRINFO.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache. Use a
single exit label. Set algostr.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 26da47ae53
Backported-from-master: 006944b856
GnuPG-bug-id: 6252, 5144
This has been backported to keep this, and only this, module in sync
with master. All other changes from the original patch have been
stripped.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--
This has been backported only to make the following backpoorts easier.
The code is only used in 2.3; for details see the original commit
message.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: c1663c690b
GnuPG-bug-id: 6252
* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
(do_readcert): Test for the app_id.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 07aef873eb
GnuPG-bug-id: 6252
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--
Backported-from-master: 1f6a39092f
GnuPG-bug-id: 6252
Also not directly required for the Signature Card 2.0, it is easier to
port this patch as well.
* scd/app-nks.c (get_dispserialno): Move more to the top.
(do_getattr): Add $DISPSERIALNO and SERIALNO. Make CHV-STATUS work
with NKS15.
(verify_pin): Use dedicated min. PIN lengths.
(parse_pwidstr): Support NKS15
--
GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit aecc008acb)
* scd/app-nks.c: Major rework to support non-RSA cards.
--
This is a fist step so support this ECC card. The code has been
reworked while taking care that old cards should keep on working.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: f05a32e5c9
GnuPG-bug-id: 6252
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.
--
Backport master commit of:
53eddf9b9e
This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).
GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-p15.c (any_control_or_space_mem): New.
(get_dispserialno): Add new code.
--
This works with my test cards and now reflects what's printed on the
front matter of the card.
* scd/app-p15.c (readcert_by_cdf): Do not use extended mode if the CDF
object has no length info. Add debug output when reading a cert.
(read_p15_info): No more need to disable extended mode for GeNUA cards.
* scd/scdaemon.c (debug_flags): Add "card".
* scd/scdaemon.h (DBG_CARD_VALUE, DBG_CARD): New.
--
Some information from parsing the card are often very helpful.
However, the card_io triggered APDU dumps are in most cases too heavy.
Thus this new debug flag.
* scd/ccid-driver.c (ccid_dev_scan): Use loop var and not the count.
--
Due to an assignment out of bounds this might lead to a crash if there
are more than 15 readers. In any case it fixes a memory leak.
Kudos to the friendly auditor who found that bug.
Fixes-commit: 8a41e73c31
* scd/app-p15.c (CARD_PRODUCT_GENUA): New.
(cardproduct2str): Add it.
(read_p15_info): Detect and set GENUA
(make_pin_prompt): Take holder string from the AODF.
* scd/app-p15.c (auth_type_t): New.
(struct aodf_object_s): Add field auth_type.
(read_ef_aodf): Distinguish between pin and authkey types. Include
the authtype in the verbose mode diags.
--
Note that the bulk of changes are just indentation changes. There
should be no functional change.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e387cc97c8)
* scd/app-p15.c (CARD_TYPE_AET): New.
(cardtype2str): Add string.
(card_atr_list): Add corresponding ATR.
(app_local_s): New flag no_extended_mode. Turn two other flags into
bit flags.
(select_ef_by_path): Hack to handle the 3FFF thing.
(readcert_by_cdf): Do not use extended mode for AET.
(app_select_p15): Set no_extended_mode.
---
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 544ec7872a)
* scd/apdu.c (apdu_send_direct): Use lock_slot.
--
Cherry-pick the master commit of:
f808012ac2
With trylock_slot, it may return SW_HOST_BUSY. This may occur when
apdu_get_status is called by scd_update_reader_status_file.
Simply using lock_slot is much easier for user of apdu_send_direct.
GnuPG-bug-id: 5831
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
