* common/sexputil.c (get_rsa_pk_from_canon_sexp): Also allow private
keys.
(pubkey_algo_string): Ditto.
* scd/app-openpgp.c (do_writekey): Switch key attributes
--
The scd WRITEKEY command for OpenPGP cards missed proper support to
aautomagically switch key attributes based on the new key. We had
this only in GENKEY.
GnuPG-bug-id: 6378
* scd/app-openpgp.c (data_objects): 0x00FA for binary data.
(do_getattr): Parse the data and send it in status lines.
(get_algorithm_attribute_string): New.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: eba2563dab
Backported-from-master: 43bbc25b0f
* scd/iso7816.c (iso7816_read_binary_ext): Handle the 0x6a86 SW the
same as 6b00.
* scd/apdu.c (apdu_get_atr): Modify debug messages.
* scd/app-p15.c (app_select_p15): Print FCI on error.
(read_p15_info): Clean up diag in presence of debug options.
--
Some cards return 6a86 instead of 6b00.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 44f977d0e3
* scd/app-p15.c (read_ef_prkdf, read_ef_pukdf)
(read_ef_cdf, read_ef_aodf): Allow for a zero length path and
correctly skip unsupported auth types.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 7a8545c91b
* scd/app-openpgp.c (struct app_local_s): Add field keyalgo.
(parse_algorithm_attribute): Store the new keyalgo field.
(change_keyattr): Change info message.
(change_keyattr_from_string): Rewrite to also accept a keyref and a
keyalgo string.
(do_genkey): Change the keyattr if a keyalgo string is given.
* scd/command.c (cmd_genkey): Add option --algo.
--
Having this feature makes it easier to use OpenPGP cards in a similar
way to other cards. Note that the explicit changing via SETATTR is
still supported.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d7d75da505)
(cherry picked from commit b349adc5c0)
* scd/app-p15.c (select_and_read_record): Special case deleted
records. Support 3 byte TLVs.
(read_ef_prkdf): Skip deleted records.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.
--
This fixes a problem with some CardOS 5 applications.
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--
This should handle the most common case.
GnuPG-bug-id: 5085
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
--
The flag was already backported to some apps but not to these.
* scd/app-nks.c (filelist): Tweak 0x4531.
--
Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.
(cherry picked from commit 3a2fb1c306)
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--
Also added a couple of comments.
(cherry picked from commit b92b3206e7)
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--
This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.
Note: The design of the FID cache needs to be reconsidered. Until
that the lookup here has been disabled. The do_sign code should be
revamped to be similar to what we do in app-p15.
GnuPG-bug-id: 5219, 4938, 6252
Backported-from-master: 07eaf006c2
* scd/app-nks.c (set_usage_string): New.
(do_learn_status_core, do_readkey): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/command.c (send_keyinfo): Add arg usage.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 5264d3f58e
GnuPG-bug-id: 6252
This backports only the NKS parts of the original patch
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it. Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--
Note that this only handles the most common case of providing a
keygrip. $AUTHKEYID and ODLM are not yet supported.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 63320ba2f8)
* scd/app-nks.c (do_sign): Handle plain SHA-2 digests and verify
encoding of ASN.1 encoded hashes.
--
This makes it possible to create CSRs for NetKey card keys which are
signed with SHA256 by default.
GnuPG-bug-id: 5184
(cherry picked from commit 8fe976d5b9)
* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
(keygripstr_from_pk_file): Handle special value.
(do_readcert): Ditto.
(do_writecert): Ditto.
--
This allows to get information about the keys from the card. However
the do_readkey still requires a fallback to readcert. This does not
work because there are no certificates yet on the card. The fix is to
fully implement do_readkey.
(cherry picked from commit 806547d9d2)
* scd/app-nks.c (do_learn_status_core): Emit the algo string as part
of a KEYPAIRINFO.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache. Use a
single exit label. Set algostr.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 26da47ae53
Backported-from-master: 006944b856
GnuPG-bug-id: 6252, 5144
This has been backported to keep this, and only this, module in sync
with master. All other changes from the original patch have been
stripped.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--
This has been backported only to make the following backpoorts easier.
The code is only used in 2.3; for details see the original commit
message.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: c1663c690b
GnuPG-bug-id: 6252
* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
(do_readcert): Test for the app_id.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 07aef873eb
GnuPG-bug-id: 6252
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--
Backported-from-master: 1f6a39092f
GnuPG-bug-id: 6252
Also not directly required for the Signature Card 2.0, it is easier to
port this patch as well.
* scd/app-nks.c (get_dispserialno): Move more to the top.
(do_getattr): Add $DISPSERIALNO and SERIALNO. Make CHV-STATUS work
with NKS15.
(verify_pin): Use dedicated min. PIN lengths.
(parse_pwidstr): Support NKS15
--
GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit aecc008acb)
* scd/app-nks.c: Major rework to support non-RSA cards.
--
This is a fist step so support this ECC card. The code has been
reworked while taking care that old cards should keep on working.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: f05a32e5c9
GnuPG-bug-id: 6252
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.
--
Backport master commit of:
53eddf9b9e
This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).
GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
