1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

43 Commits

Author SHA1 Message Date
Werner Koch
a494b29af9
scd:p15: Support ECDSA and ECDH for CardOS.
* scd/iso7816.c (iso7816_pso_csv): New.
* scd/app-help.c (app_help_pubkey_from_cert): Uncompress a point if
needed.

* scd/app-p15.c (CARD_PRODUCT_RSCS): New.
(struct prkdf_object_s): Add fields is_ecc, token_label, and
tokenflags.
(do_deinit): Free new fields.
(cardproduct2str): New.
(read_ef_prkdf): Set new is_ecc flag.
(read_ef_tokeninfo): Store some data and move Tokeninfo diags to ...
(read_p15_info): here.  set the product info here after all data has
been gathered.
(send_keypairinfo): Chnage the way the gpgusage flags are used.
(make_pin_prompt): If the token has a label and the current cert has
no CN, show the label as holder info.
(do_sign): Support ECDSA.  Take care of the gpgusage flags.
(do_decipher): Support ECDH.  Take care of the gpgusage flags.
--

This has been tested with Trusted Object Manager generated cards by
Rohde & Schwarz Cybersecurity.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 14:49:08 +02:00
Werner Koch
37b1c5c200
scd:openpgp: Allow reading and writing user certs for keys 1 and 2
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--

This has been tested with a Zeitcontrol 3.4 card.  A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 18:26:03 +01:00
Werner Koch
7620473cd0
scd: Define new status word
* scd/apdu.h (SW_NO_CURRENT_EF): New.
--

This merely to show better diagnostics.
Used for example by CardOS 5.3.
2021-01-27 18:31:12 +01:00
Werner Koch
fc287c0552
scd:p15: First step towards real CardOS 5 support.
* scd/iso7816.c (iso7816_select_path): Add arg from_cdf.
* scd/app-nks.c (do_readkey): Adjust for this change.

* scd/app-p15.c (CARD_TYPE_CARDOS_53): New.
(IS_CARDOS_5): New.
(card_atr_list): Add standard ATR for CardOS 5.3.
(select_and_read_binary): Remove the fallback to record read hack.
(select_and_read_record): New.
(select_ef_by_path): Rework and support CardOS feature.
(read_ef_prkdf): Use read record for CardOS.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.  Also fix bug in the detection of other
unsupported attribute types.
(verify_pin): Use IS_CARDOS_5 macro.
(app_select_p15): Force direct method for CardOS.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-26 17:42:55 +01:00
Werner Koch
c7b9a4ee43
scd:p15: Improve support for some CardOS based cards.
* scd/iso7816.c (iso7816_read_binary_ext): Add optional arg r_sw and
change callers.
(iso7816_read_record): Factor all code out to ...
(iso7816_read_record_ext): new.
* scd/app-p15.c (select_and_read_binary): Fallback to record reading.
(read_ef_aodf): Clear EOF error.
2020-11-25 15:27:21 +01:00
Werner Koch
c1663c690b
scd:nks: Implement writecert for the Signature card v2.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--

This can be used with gpg-card to write the 3 extra certificates of a
Telesec TCOS Signature Card v2.  The card with the qualified signature
is distributed with the keys for encryption and advanced signatures
but without the certificates.  The certificates can be downloaded from
the website after an mail confirmation.  Unpacked the downloaded
zipfile has these certificates:

  auth_zert.crt
  sig_zert.crt
  enc_zert.crt

Using gpg-card issue these commands:

 writecert NKS-NKS3.4531 <sig_zert.crt
 writecert NKS-NKS3.45B1 <enc_zert.crt
 writecert NKS-NKS3.4571 <auth_zert.crt

Don't mix that up, tight now there is no checking that the
certificates match the public key.  I also need to write another patch
to actually implement signing and encryption with these nistp256
certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-02 18:35:34 +02:00
Werner Koch
60d018f6a9
scd: Factor common PIN status check out.
* scd/iso7816.h (ISO7816_VERIFY_ERROR): New.
(ISO7816_VERIFY_NO_PIN): New.
(ISO7816_VERIFY_BLOCKED): New.
(ISO7816_VERIFY_NULLPIN): New.
(ISO7816_VERIFY_NOT_NEEDED): New.
* scd/iso7816.c (iso7816_verify_status): New.
* scd/app-nks.c (get_chv_status): Use new function.
* scd/app-piv.c (get_chv_status): Ditto.
(verify_chv): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-07 18:26:00 +02:00
Werner Koch
42ddcc87f4
scd:p15: Fix decrypt followed by sign problem for D-Trust cards.
* scd/iso7816.c (iso7816_select_mf): New.
* scd/app-p15.c (card_product_t): New.
(struct app_local_s): Add field 'card_product'.
(read_ef_tokeninfo): Detect D-Trust card.
(prepare_verify_pin): Switch to D-Trust AID.
(do_decipher): Restore a SE for D-TRust cards.  Chnage the passing
indicator to 0x81.
--

Using what I learned from a USB trace running the Governikus Signer
Software on Windows this fixes the left over problem with the new
D-Trust card support.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-07 16:03:11 +02:00
Werner Koch
c9ad81070a
scd: Add function for binary read in extended mode.
* scd/iso7816.c (iso7816_read_binary): Factor code out to ...
(iso7816_read_binary_ext): new function.  Add arg extended_mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-31 11:53:36 +02:00
Werner Koch
e897e1e255
scd:piv: Implement import of private keys for Yubikeys.
* scd/app-piv.c (concat_tlv_list): Add arg 'secure' and adjust
 callers.
(writekey_rsa, writekey_ecc): New.
(do_writekey): New.
(do_writecert): Provide a better error message for an empty cert.
(app_select_piv): Register do_writekey.
* scd/iso7816.c (iso7816_send_apdu): New.
* scd/app-common.h (APP_WRITEKEY_FLAG_FORCE): New.
* agent/command.c (cmd_keytocard): Make the timestamp optional.
* tools/card-call-scd.c (inq_writekey_parms): Remove.
(scd_writekey): Rewrite.
* tools/gpg-card.c (cmd_writekey): New.
(enum cmdids): Add cmdWRITEKEY.
(dispatch_command, interactive_loop): Call cmd_writekey.
--

This has been tested with gpgsm and RSA keys.  For ECC keys only
partly tested using the sample OpenPGP nistp256 and nistp384 keys
because gpgsm does not yet support ECC certificates and thus we can't
write the certificates to the cert object after a writekey.  Note that
they nevertheless show up in "gpgcard list" because gpg-card searches
for them in gpg and gpgsm.  However, this does not work completely.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-05 15:49:20 +01:00
Werner Koch
9a9cb0257a
scd: Make app_genkey and supporting ISO function more flexible.
* scd/app.c (app_genkey): Add arg keytype.
* scd/app-common.h (struct app_ctx_s): Fitto for the genkey member.
* scd/command.c (cmd_genkey): Adjust for change.
* scd/iso7816.c (do_generate_keypair): Replace arg read_only by new
args p1 and p2.
(iso7816_read_public_key): Adjust for this.
(iso7816_generate_keypair): Add new args p1 and p2.
* scd/app-openpgp.c (do_genkey): Adjust for changes.
--

The OpenPGP card creates keys according to parameters read from a data
object.  Other cards we are about to implement require a direct
specification of the requested keytype.  This patch implements the
required changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-06 14:07:42 +01:00
Werner Koch
70bb5c7931
scd: One new and one improved 7816 function.
* scd/apdu.c (apdu_send_direct): New arg R_SW.
* scd/command.c (cmd_apdu): Ditto.
* scd/iso7816.c (iso7816_apdu_direct): New arg R_SW.
(iso7816_general_authenticate): New.
* scd/app-nks.c (get_chv_status, get_nks_version): Pass NULL for new
arg.
--

iso7816_general_authenticate will be used for the PIV card support.
The new arg to iso7816_apdu_direct and apdu_send_direct allows to get
the raw status word back without the need to handle an output buffer.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-20 11:41:23 +01:00
Werner Koch
405feca2bd
scd: Add two variants to the set of ISO7816 functions.
* scd/iso7816.c (iso7816_select_application_ext): New.
(iso7816_get_data_odd): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-03 15:18:15 +01:00
NIIBE Yutaka
0703de01c8 scd: Fix API of select_file/_path.
* scd/iso7816.c (iso7816_select_file, iso7816_select_path): Remove
unused arguments.
* scd/app-dinsig.c (do_readcert): Follow the change.
* scd/app-help.c (app_help_read_length_of_cert): Likewise.
* scd/app-nks.c (keygripstr_from_pk_file, do_readcert, do_readkey)
(switch_application): Likewise.
* scd/app-p15.c (select_and_read_binary, select_ef_by_path)
(micardo_mse, app_select_p15): Likewise.
* scd/app.c (app_new_register): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-06 13:39:46 +09:00
Werner Koch
4d7dc432b5
Change all http://www.gnu.org in license notices to https://
--
2016-11-05 12:02:19 +01:00
NIIBE Yutaka
f1845f25db scd: minor cleanup to merge other works.
* scd/iso7816.c (do_generate_keypair): Use const char * for DATA.
(iso7816_generate_keypair, iso7816_read_public_key): Likewise.
* scd/app-openpgp.c (get_public_key): Follow the change.
(do_genkey): Ditto.  Use ERR instead of RC.  Use u32 for CREATED_AT.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-18 20:48:08 +09:00
NIIBE Yutaka
7253093add scd: Rename 'keypad' to 'pinpad'.
* NEWS: Mention scd changes.

* agent/divert-scd.c (getpin_cb): Change message.

* agent/call-scd.c (inq_needpin): Change the protocol to
POPUPPINPADPROMPT and DISMISSPINPADPROMPT.
* scd/command.c (pin_cb): Likewise.

* scd/apdu.c (struct reader_table_s): Rename member functions.
(check_pcsc_pinpad, pcsc_pinpad_verify, pcsc_pinpad_modify,
check_ccid_pinpad, ccid_pinpad_operation, apdu_check_pinpad
apdu_pinpad_verify, apdu_pinpad_modify): Rename.

* scd/apdu.h (SW_HOST_NO_PINPAD, apdu_check_pinpad)
(apdu_pinpad_verify, apdu_pinpad_modify): Rename.

* scd/iso7816.h (iso7816_check_pinpad): Rename.

* scd/iso7816.c (map_sw): Use SW_HOST_NO_PINPAD.
(iso7816_check_pinpad): Rename.
(iso7816_verify_kp, iso7816_change_reference_data_kp): Follow
the change.

* scd/ccid-driver.h (CCID_DRIVER_ERR_NO_PINPAD): Rename.
* scd/ccid-driver.c (ccid_transceive_secure): Use it.

* scd/app-dinsig.c (verify_pin): Follow the change.
* scd/app-nks.c (verify_pin): Follow the change.

* scd/app-openpgp.c (check_pinpad_request): Rename.
(parse_login_data, verify_a_chv, verify_chv3, do_change_pin): Follow
the change.

* scd/scdaemon.c (oDisablePinpad, oEnablePinpadVarlen): Rename.

* scd/scdaemon.h (opt): Rename to disable_pinpad,
enable_pinpad_varlen.

* tools/gpgconf-comp.c (gc_options_scdaemon): Rename to
disable-pinpad.
2013-02-08 09:06:39 +09:00
NIIBE Yutaka
40a914a2e3 SCD: Support fixed length PIN input for keypad.
* scd/iso7816.h (struct pininfo_s): Remove MODE and add FIXEDLEN.
* scd/app-dinsig.c (verify_pin): Initialize FIXEDLEN to unknown.
* scd/app-nks.c (verify_pin): Likewise.
* scd/app-openpgp.c (verify_a_chv, verify_chv3, do_change_pin):
Likewise.
* scd/apdu.c (check_pcsc_keypad): Add comment.
(pcsc_keypad_verify, pcsc_keypad_modify): PC/SC driver only support
readers with the feature of variable length input (yet).
(apdu_check_keypad): Set FIXEDLEN.
* scd/ccid-driver.c (ccid_transceive_secure): Add GEMPC_PINPAD
specific settings.
Support fixed length PIN input for keypad.
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
b526f6e223 SCD: API cleanup for keypad handling.
* scd/iso7816.h (struct pininfo_s): Rename from iso7816_pininfo_s.
Change meaning of MODE.
(pininfo_t): Rename from iso7816_pininfo_t.
* scd/sc-copykeys.c: Include "iso7816.h".
* scd/scdaemon.c, scd/command.c: Likewise.
* scd/ccid-driver.c: Include "scdaemon.h" and "iso7816.h".
(ccid_transceive_secure): Follow the change of PININFO_T.
* scd/app.c: Include "apdu.h" after "iso7816.h".
* scd/iso7816.c (iso7816_check_keypad, iso7816_verify_kp)
(iso7816_change_reference_data_kp): Follow the change of API.
* scd/apdu.c (struct reader_table_s): Change API of CHECK_KEYPAD,
KEYPAD_VERIFY, KEYPAD_MODIFY to have arg of PININFO_T.
(check_pcsc_keypad, check_ccid_keypad): Likewise.
(apdu_check_keypad, apdu_keypad_verify, apdu_keypad_modify): Likewise.
(pcsc_keypad_verify, pcsc_keypad_modify, ct_send_apdu)
(pcsc_send_apdu_direct,  pcsc_send_apdu_wrapped, pcsc_send_apdu)
(send_apdu_ccid, ccid_keypad_operation, my_rapdu_send_apdu, send_apdu)
(send_le): Follow the change of API.
* scd/apdu.h (apdu_check_keypad, apdu_keypad_verify)
(apdu_keypad_modify): Change the API.
* scd/app-dinsig.c, scd/app-nks.c, scd/app-openpgp.c: Follow the
change.
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
ca89277cb4 SCD: Clean up. Remove PADLEN for keypad input.
* scd/apdu.c (struct pininfo_s): Use iso7816_pininfo_s.
(struct reader_table_s): Remove last arg from check_keypad method.
(check_pcsc_keypad, check_pcsc_keypad): Remove PIN_PADLEN.
(pcsc_keypad_verify, pcsc_keypad_modify): Don't check PIN_PADLEN.
(send_apdu_ccid, ccid_keypad_operation): Remove PIN_PADLEN.
(apdu_check_keypad, apdu_keypad_verify, apdu_keypad_modify):
Likewise.

* scd/apdu.h (apdu_check_keypad, apdu_keypad_verify)
(apdu_keypad_modify): Remove PIN_PADLEN.

* scd/ccid-driver.c (ccid_transceive_secure): Remove PIN_PADLEN.

* scd/ccid-driver.h (ccid_transceive_secure): Remove PIN_PADLEN.

* scd/iso7816.c (iso7816_check_keypad, iso7816_verify_kp)
(iso7816_change_reference_data_kp): Remove PADLEN.

* scd/iso7816.h (struct iso7816_pininfo_s): Remove PADLEN, PADCHAR.
--
In the OpenPGPcard specification, password comes with no padding.  In
GnuPG, we support keypad input for OpenPGPcard only.  Thus, it is
useless to try to support padding for keypad input.
2013-02-05 13:35:44 +09:00
NIIBE Yutaka
bf37c32367 Fix pinpad input support for passphrase modification.
* apdu.c (pcsc_keypad_verify): Have dummy Lc field with value 0.
(pcsc_keypad_modify): Likewise.
(pcsc_keypad_modify): It's only for ISO7816_CHANGE_REFERENCE_DATA.
bConfirmPIN value is determined by the parameter p0.

* app-openpgp.c (do_change_pin): The flag use_keypad should be 0 when
reset_mode is on, or resetcode is on.  use_keypad only makes sense for
iso7816_change_reference_data_kp.

* iso7816.h (iso7816_put_data_kp): Remove.
(iso7816_reset_retry_counter_kp): Remove.
(iso7816_reset_retry_counter_with_rc_kp): Remove.
(iso7816_change_reference_data_kp): Add an argument: IS_EXCHANGE.

* iso7816.c (iso7816_put_data_kp): Remove.
(iso7816_reset_retry_counter_kp): Remove.
(iso7816_reset_retry_counter_with_rc_kp): Remove.
(iso7816_change_reference_data_kp): Add an argument: IS_EXCHANGE.
2011-12-02 13:57:12 +09:00
NIIBE Yutaka
5a62b0d6ee PC/SC pinpad support (pinpad input for modify pass phrase with resetcode, by admin). 2011-11-29 17:56:22 +09:00
NIIBE Yutaka
57d4f7fae1 PC/SC pinpad support (pinpad input for modify pass phrase). 2011-11-29 11:59:32 +09:00
NIIBE Yutaka
26b4a012e3 PC/SC pinpad support.
Before this change, it is layered like following:

	iso7816_verify
        iso7816_verify_kp
	apdu_send_simple, apdu_send_simple_kp
	...

After this change, it will be layered like:

	iso7816_verify      iso7816_verify_kp
        apdu_send_simple    apdu_keypad_verify
	...

and apdu_send_simple_kp will be deprecated.

For PC/SC API, we use:
  SCardControl API to compose CCID PC_to_RDR_Secure message
  SCardTransmit API to compose CCID PC_to_RDR_XfrBlock message

Considering the support of PC/SC, we have nothing to share between _kp
version of iso7816_* and no _kp version.
2011-11-28 16:16:38 +09:00
Werner Koch
b008274afd Nuked almost all trailing white space.
We better do this once and for all instead of cluttering all future
commits with diffs of trailing white spaces.  In the majority of cases
blank or single lines are affected and thus this change won't disturb
a git blame too much.  For future commits the pre-commit scripts
checks that this won't happen again.
2011-02-04 12:57:53 +01:00
Werner Koch
983f91937c Fix for extended length Le in decipher 2009-09-03 10:57:23 +00:00
Werner Koch
96abdb1386 Fix for card keys > 2048 bit. 2009-07-10 10:15:33 +00:00
Werner Koch
5f8acaccc0 Add readcert command.
fix reading large certificates.
2009-06-17 09:45:50 +00:00
Werner Koch
eeca39ae50 More support for Netkey cards.
Small changes to teh CCID driver.
Support 2048 bit OpenPGP cards.
2009-05-08 15:07:45 +00:00
Werner Koch
98e1a75e20 Implement decryption for TCOS 3 cards. 2009-03-30 12:46:06 +00:00
Werner Koch
7784e86a66 Add limited support for NetKey 3.0 cards. 2009-01-08 19:56:30 +00:00
Werner Koch
96f16f736e Finished support for v2 cards with the exception of secure messaging. 2008-09-25 10:06:02 +00:00
Werner Koch
f899b9683b Support the Certifciate DO of the v2 OpenPGP cards. 2008-09-23 09:57:45 +00:00
Werner Koch
93d3811abc Changed to GPLv3.
Removed intl/.
2007-07-04 19:49:40 +00:00
Werner Koch
6a13cf2c3d Preparing an interim release 2005-11-28 11:52:25 +00:00
Werner Koch
6f90f05cb2 Bug fixes and ssh support for the BELPIC. 2005-09-09 11:18:08 +00:00
Werner Koch
1b2f7cbe3b Basically made Belgian EID cards work.
Signature creation has not yet been tested.
Also other changes to better cope with T=0 cards.
2005-09-05 14:36:36 +00:00
Werner Koch
e1f3dc1c77 Added ID keywords because these files are often used in other packages. 2004-10-14 09:12:36 +00:00
Werner Koch
f8d44bc637 *** empty log message *** 2004-03-16 10:49:37 +00:00
Werner Koch
97958029f6 (iso7816_manage_security_env): New.
(iso7816_decipher): Add PADIND argument.

** app-nks.c is now functional **
2004-01-28 16:21:57 +00:00
Werner Koch
eb24d8b751 Some minor bug fixes, new test utilities and started support for other
smartcard applications.
2004-01-27 16:40:42 +00:00
Werner Koch
f194ebc782 Fixes to make inclusion of card raleted source files into 1.3 easier. 2003-10-02 10:27:34 +00:00
Repo Admin
9ca4830a5b This commit was manufactured by cvs2svn to create branch
'GNUPG-1-9-BRANCH'.
2003-08-05 17:11:04 +00:00