1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

1036 Commits

Author SHA1 Message Date
NIIBE Yutaka
44621120a2 scd: Add --challenge-response option to PK_AUTH for OpenPGP card.
* scd/app-openpgp.c (rmd160_prefix, sha1_prefix, sha224_prefix)
(sha256_prefix, sha384_prefix, sha512_prefix): Move the scope up.
(gen_challenge): New.
(do_auth): Support challenge-response check if it signs correctly.
* scd/app.c (app_auth): Remove the check INDATA and INDATALEN.
* scd/command.c (cmd_pkauth): Support --challenge-response option.

--

GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-03 17:45:49 +09:00
NIIBE Yutaka
8e650dbd48 scd: Let READKEY support --format=ssh option.
* scd/command.c (do_readkey): Support --format=ssh option.
* common/ssh-utils.c (ssh_public_key_in_base64): New.
* common/ssh-utils.h (ssh_public_key_in_base64): New declaration.

--

Code duplication (agent/command-ssh.c) will be cleaned up later.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-02 14:07:46 +09:00
Werner Koch
597253ca17
scd:p15: Used extended mode already for RSA 2048
* scd/app-p15.c (do_sign, do_decipher): Replace GT by GE.
--
2022-02-21 12:17:08 +01:00
NIIBE Yutaka
f9c9938b28 scd,pcsc: Fix error handling for a reader with reader-port.
* scd/apdu.c (apdu_open_reader): Make sure dl->idx is always
incremented to handle error from open_pcsc_reader correctly.

--

Reported-by: Anže Jenšterle
GnuPG-bug-id: 5758
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-01-04 14:56:29 +09:00
NIIBE Yutaka
a575b0aba5 scd:openpgp: Support longer data for INTERNAL_AUTHENTICATE.
* scd/app-openpgp.c (do_auth): Use extended Lc, when supported.

--

GnuPG-bug-id: 5682
Co-authored-by: Klas Lindfors
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-15 11:40:41 +09:00
Jakub Jelen
c0b1bcc5c6 scd: Avoid memory leak.
* scd/command.c (cmd_readkey): Free allocated memory on failure path.

--

GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-11-12 15:35:38 +09:00
Werner Koch
c36f9917bb
scd: Add new OpenPGP card vendor.
--
2021-11-04 16:35:41 +01:00
NIIBE Yutaka
49f7fcb90b scd: Simplify the loop of DEVINFO.
* scd/app.c (app_send_devinfo): Factor out lock/unlock.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-02 14:06:16 +09:00
NIIBE Yutaka
99e00ec6db scd: Fix the previous commit.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-10-29 11:47:17 +09:00
NIIBE Yutaka
48e824b6ea scd: Modify DEVINFO behavior to support looping forever.
* scd/app.c (struct mrsw_lock): Add notify_cond member.
(notify_cond): Remove.
(card_list_r_lock, card_list_r_unlock): Rename.
(card_list_w_lock, card_list_w_unlock): Rename.
(card_list_signal, card_list_wait): New, fixing thinko about
notify/wakeup with MRSW lock.
(app_send_devinfo): Support looping.
(select_application): Notify app_send_devinfo thread for newly
detected device.
(initialize_module_command): Initialize notify_cond member.
(app_wait): Remove.
* scd/command.c (cmd_devinfo): Use new API of app_send_devinfo.
* scd/scdaemon.h (app_wait): Remove.

--

GnuPG-bug-id: 5359
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-10-29 10:58:26 +09:00
NIIBE Yutaka
3918fa1a94 agent,dirmngr,kbx,scd,tpm2d: Use gnupg_sleep.
* agent/findkey.c (unprotect): Use gnupg_sleep.
* agent/gpg-agent.c (handle_connections): Likewise.
* dirmngr/crlfetch.c (handle_connections): Likewise.
* kbx/keyboxd.c (handle_connections): Likewise.
* tpm2d/tpm3daemon.c (handle_connections): Likewise.
* scd/scdaemon.c (handle_connections): Likewise.
* scd/command.c (cmd_lock): Likewise.
* dirmngr/ldap-wrapper.c (ldap_reaper_thread): Likewise.
(ldap_wrapper_wait_connections): Use gnupg_usleep.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-10-05 14:05:56 +09:00
Werner Koch
255d4d5815
sm: Add LotW support to the key listing
* sm/certdump.c (parse_dn_part): Translate OID to "Callsign"
* sm/keylist.c (oidtranstbl): Some more OIDs.
--

This is Ham thingy to make it easier to read LotW certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-09-09 13:30:22 +02:00
NIIBE Yutaka
1565baa93a scd: Don't release the context until list_finish for PC/SC.
* scd/apdu.c (apdu_dev_list_start): Increment PCSC.COUNT here.
(apdu_dev_list_finish): Decrement PCSC.COUNT.

--

GnuPG-bug-id: 5416
Fixes-commit: 32baa9acfb153004bdb2509f9516482b78f256a4
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-20 15:22:28 +09:00
NIIBE Yutaka
5c8124b8b9 scd: Small clean up for card access.
* scd/app.c (app_get_challenge): Remove the check to ref_count.
* scd/command.c (send_client_notifications): Update comments.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-22 11:22:47 +09:00
NIIBE Yutaka
50ad29f9a7 scd: Fix direct use of card with no ctrl->card_ctx.
* scd/app.c (maybe_switch_app): Remove check of ref_count.

--

Fixes-commit: 0d6b4210cf31d1c3ca0e8b034537a158fe3caca8
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-22 09:43:30 +09:00
NIIBE Yutaka
0d6b4210cf scd: Fix access to list of cards (3/3).
* scd/app-common.h (card_reset): Simplify more.
(select_additional_application): Supply CARD.
(card_ref, card_unref): Remove.
(card_get, card_put): New.
* scd/app.c (card_reset): No locking/unlocking inside.
(app_switch_current_card): Fix comment.
(select_additional_application): No locking/unlocking inside.
(do_with_keygrip): New, unlocked version.
(card_get): New, with support of KEYGRIP.
(card_unref): Remove.
(card_put): New.
(app_write_learn_status, app_readcert: No locking/unlocking inside.
(app_readkey, app_getattr, app_setattr, app_sign, app_auth): Likewise.
(app_decipher, app_writecert, app_writekey): Likewise.
(app_genkey, app_get_challenge, app_change_pin): Likewise.
(app_check_pin, app_switch_active_app): Likewise.
* scd/command.c (do_reset): Use card_get/card_put.
(open_card_with_request): Use card_get/card_put, return CARD locked.
(cmd_serialno): Follow the change of open_card_with_request.
(cmd_switchapp): Use card_get/card_put.
(cmd_learn, cmd_readcert, cmd_readkey, cmd_pksign): Likewise.
(cmd_pkauth, cmd_pkdecrypt, cmd_getattr): Likewise.
(cmd_setattr, cmd_writecert, cmd_writekey): Likewise.
(cmd_genkey, cmd_random, cmd_passwd): Likewise.
(cmd_checkpin, cmd_getinfo, cmd_restart): Likewise.
(cmd_disconnect, cmd_apdu, cmd_devinfo): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-21 17:22:26 +09:00
NIIBE Yutaka
b436fb6766 scd: Fix access to list of cards (2/3).
* scd/app-common.h (card_reset, select_application): Simplify.
* scd/app.c (card_reset, select_application): Simplify.
* scd/command.c (do_reset): Follow the change.
(open_card, open_card_with_request): Follow the change.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-21 15:59:03 +09:00
NIIBE Yutaka
216945a80e scd: Fix access to list of cards (1/3).
* scd/app.c (card_list_lock): Use MRSW lock.
(lock_r_card_list, unlock_r_card_list): New.
(lock_w_card_list, unlock_w_card_list): New.
(app_dump_state, app_send_devinfo): Use the MRSW lock.
(select_application, app_switch_current_card): Likewise.
(scd_update_reader_status_file): Likewise.
(initialize_module_command, send_card_and_app_list): Likewise.
(app_do_with_keygrip, app_wait): Likewise.

--

GnuPG-bug-id: 5524
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-21 15:34:16 +09:00
Werner Koch
924c8221fb
scd: Silence compiler waring about unused args.
--
2021-07-08 14:11:10 +02:00
NIIBE Yutaka
044e5a3c38 scd: Detect external interference when PCSC_SHARED.
* scd/app-common.h (check_aid): New method.
* scd/app-openpgp.c (do_check_aid): New.
* scd/app-piv.c (do_check_aid): New.
* scd/app.c (check_external_interference): New.
(maybe_switch_app): Check interference to determine switching is
needed.

--

GnuPG-bug-id: 5484
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-06 14:52:29 +09:00
NIIBE Yutaka
25ae80b8eb scd:ccid: Handle LIBUSB_TRANSFER_OVERFLOW interrupt transfer.
* scd/ccid-driver.c (intr_cb): Ignore LIBUSB_TRANSFER_OVERFLOW.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-23 12:08:20 +09:00
Werner Koch
e387cc97c8
scd:p15: Prepare AODF parsing for other authentication types.
* scd/app-p15.c (auth_type_t): New.
(struct aodf_object_s): Add field auth_type.
(read_ef_aodf): Distinguish between pin and authkey types.  Include
the authtype in the verbose mode diags.
--

Note that the bulk of chnages are just indentation chnages.  There
should be no functional change.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-22 11:11:46 +02:00
Werner Koch
029924a46e
scd:p15: Add pre-check for ascii-numeric PINs.
* scd/app-p15.c (verify_pin): acii-numerix is different than BCD.
2021-06-18 18:02:08 +02:00
Werner Koch
544ec7872a
scd:p15: Add basic support for AET JCOP cards.
* scd/app-p15.c (CARD_TYPE_AET): New.
(cardtype2str): Add string.
(card_atr_list): Add corresponding ATR.
(app_local_s): New flag no_extended_mode.  Turn two other flags into
bit flags.
(select_ef_by_path): Hack to handle the 3FFF thing.
(readcert_by_cdf): Do not use etxended mode for AET.
(app_select_p15): Set no_extended_mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
Werner Koch
7a8545c91b
scd:p15: Handle cards with bad encoded path objects.
* scd/app-p15.c (read_ef_prkdf, read_ef_pukdf)
(read_ef_cdf, read_ef_aodf): Allow for a zero length path and
correctly skip unsupported auth types.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
Werner Koch
44f977d0e3
scd: Improve reading of binary records.
* scd/iso7816.c (iso7816_read_binary_ext): Handle the 0x6a86 SW the
same as 6b00.
* scd/apdu.c (apdu_get_atr): Modify debug messages.
* scd/app-p15.c (app_select_p15): Print FCI on error.
(read_p15_info): Clean up diag in presence of debug options.
--

Some cards return 6a86 instead of 6b00.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
NIIBE Yutaka
7718244168 scd: Fix RESET handling.
* scd/app.c (scd_update_reader_status_file): Clear ->reset_requested.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-17 16:07:09 +09:00
NIIBE Yutaka
4e02db75e3 scd: Support clearing of Reset Code by ''.
* scd/app-openpgp.c (do_change_pin): Allow null-string.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 13:42:01 +09:00
Werner Koch
cd53c6d0f3
scd: Add new card vendor.
--
2021-06-10 21:55:36 +02:00
NIIBE Yutaka
c3a9ee0b65 scd: Fix serial number detection for Yubikey 5.
* scd/app.c (app_new_register): Handle serial number correctly.

--

GnuPG-bug-id: 5442
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-08 10:37:48 +09:00
NIIBE Yutaka
ee5b6af370 scd: Fix READER-PORT option handling for PC/SC.
* scd/apdu.c (apdu_open_reader): READERNO should be -1 when
READER-PORT is specified for PC/SC.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-07 11:38:25 +09:00
NIIBE Yutaka
5b1806454c scd: Fix zero-byte handling in ECC.
* scd/app-openpgp.c (ecc_writekey): Don't remove zero-byte.

--

Fixes-commit: a25c99b156ca9acaa7712e9c09a6df0a7a23c833
GnuPG-bug-id: 5163
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-28 11:34:56 +09:00
Jakub Jelen
27e7bde12e
scd: avoid memory leaks
* scd/app-p15.c (send_certinfo): free labelbuf
  (do_sign): goto leave instead of return
* scd/app-piv.c (do_sign): goto leave instead of return, fix typo in
  variable name, avoid using uninitialized variables
* scd/command.c (cmd_genkey): goto leave instead of return

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5393
2021-05-20 14:48:18 +02:00
Ingo Klöcker
65bc5ea95e scd:p15: Fix logic for appending product name to MANUFACTURER.
* scd/app-p15.c (do_getattr): Append product name to MANUFACTURER if
manufacturer_id does not already contain a bracket and if we have a
product name.
2021-05-18 09:45:06 +02:00
NIIBE Yutaka
58b330e935 scd: Remove wrong assertion and add protection to PCSC.COUNT.
* scd/apdu.c (apdu_dev_list_finish): Fix for calling
release_pcsc_context.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-14 13:06:10 +09:00
Werner Koch
965bb0693c
A few minor code cleanups and typo fixes.
* agent/command-ssh.c (ssh_handler_request_identities): Remove double
check of ERR.
* g10/getkey.c (get_pubkey_byname): Remove double use of break.
* g10/pkglue.c (pk_encrypt): Handle possible NULL-ptr access due to
failed malloc.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-11 09:06:34 +02:00
NIIBE Yutaka
32baa9acfb scd: Serialize READER_TABLE access for PC/SC.
* scd/apdu.c (apdu_dev_list_start): Remove locking READER_TABLE_LOCK.
Don't increment PCSC.COUNT here.
(apdu_dev_list_finish): Don't decrement PCSC.COUNT here.
(apdu_open_reader): Protect access with READER_TABLE_LOCK.

--

GnuPG-bug-id: 5416
Fixes-commit: 8d81fd7c01e8dfacc719ff190f8e364014e32fdf
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-11 10:25:12 +09:00
NIIBE Yutaka
ec5591dc4e scd: Fix close_pcsc_reader.
* scd/apdu.c (close_pcsc_reader): Don't touch .RDRNAME field.
(apdu_dev_list_finish): Clear .RDRNAME field and replace call of
close_pcsc_reader by release_pcsc_context.  Add assertion.

--

GnuPG-bug-id: 5416
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-10 10:49:21 +09:00
NIIBE Yutaka
cccc9bd5db scd: Make sure releasing PC/SC context.
* scd/apdu.c (release_pcsc_context): New.
(close_pcsc_reader): Use release_pcsc_context.  Add assertion.
(apdu_dev_list_start): Replace call of close_pcsc_reader
into release_pcsc_context, add condition.

--

GnuPG-bug-id: 5416
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-10 10:31:08 +09:00
NIIBE Yutaka
0498ea8fbd scd: Increment PCSC.COUNT correctly.
* scd/apdu.c (open_pcsc_reader): PCSC.COUNT should
be incremented before possible call of close_pcsc_reader.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 11:25:20 +09:00
NIIBE Yutaka
5d1b413106 scd: Fix memory leak for RDRNAME and serialize access.
* scd/apdu.c (close_pcsc_reader): Move locking to...
(apdu_close_reader): ... here, as it's also needed for CCID driver.
Free RDRNAME when closed.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 10:48:13 +09:00
NIIBE Yutaka
039aed9d40 scd: Fix declarations for PC/SC access.
* scd/apdu.c (pcsc_begin_transaction, pcsc_transmit): Use HANDLE.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 07:11:17 +09:00
NIIBE Yutaka
53bdc6288f scd: Recover the partial match for PORTSTR for PC/SC.
* scd/apdu.c (apdu_open_reader): Allow partial match of
PORTSTR again just like 2.2 does.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-06 19:08:34 +09:00
NIIBE Yutaka
d6fe82d3d1 scd: When reader is specified, make sure only open once.
* scd/apdu.c (apdu_open_reader): Make sure not to try multiple times,
when PORTSTR is specified.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-06 19:05:30 +09:00
Werner Koch
8d81fd7c01
scd: Fix PC/SC removed card problem
* scd/apdu.c (pcsc_cancel): New.
(pcsc_init): Load new function.
(connect_pcsc_card): Use it after a removed card error.
--

Well, that was easier than I expected yesterday.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 09:14:25 +02:00
Werner Koch
1f846823b3
scd:p15: Fix the name of a card.
--
2021-04-28 18:31:51 +02:00
Werner Koch
bb8e3996e4
scd: Fix problem with reader list becoming empty.
* scd/apdu.c (close_pcsc_reader): Do not decrement refcount if already
zero.  Always release context if or becomes zero.
(apdu_dev_list_start): Unlock prior to close_pcsc_reader.  For PC/SC
increment the count.  Always release the lock.
(apdu_dev_list_finish): No more unlocking.  Use close_pcsc_reader
instead of code duplication.

* scd/apdu.c (pcsc_error_string): Add an error code.
* scd/scdaemon.c (scd_kick_the_loop): Fix a diagnostic.
--

There was an obvious bug in that the pcsc.count could go below zero
and thus there was no chance to get the context release.  Releasing
and recreating the context is at least under Windows important to get
rit of the PCSC_E_SERVICE_STOPPED.

Also removes a potential problem in holding the reader_table_lock
between calls to apdu_dev_list_start apdu_dev_list_finish.  There is
no need for this.  Instead we bump the pcsc.count.

The reader_table_lock strategy should be reviewed; we may be able to
remove it.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-28 18:21:56 +02:00
Kirill Elagin
f209d7d2db scd: Fix unblock PIN by a Reset Code with KDF.
* scd/app-openpgp.c (do_change_pin): Use correct CHVNO=1 for
pin2hash_if_kdf, for user's PIN.

--

GnuPG-bug-id: 5413
Signed-off-by: Kirill Elagin <kirelagin@gmail.com>
2021-04-27 20:34:35 +09:00
Werner Koch
cc5aa68b63
scd:p15: Fix last commit and improve D-TRUST detection.
* scd/app-p15.c (read_p15_info): Improve D-TRUST card detection.
(do_getattr): Fix faulty code for the last commit.  Append the product
name to MANUFACTURER.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-25 16:35:36 +02:00
Werner Koch
21e3f750bd
scd:p15: Shorten the displayed s/n of RSCS cards
* scd/app-p15.c (get_dispserialno): Add dedicated handling for RSCS.
--

In fact we fix the display of the s/n because the s/n was taken from a
certificate.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-25 14:53:34 +02:00
Werner Koch
9e24f2a45c
scd: Fix PSO_CSV for 512 bit curves
* scd/iso7816.c (iso7816_pso_csv): Use BER-TLV instead of SIMPLE-TLV

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-22 11:04:30 +02:00
Werner Koch
45918813f0
Support log-file option from common.conf for all daemon.
* agent/gpg-agent.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* dirmngr/dirmngr.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* kbx/keyboxd.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* scd/scdaemon.c: Include comopt.h.
(main): Read log-file option from common.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-20 10:50:10 +02:00
Werner Koch
30f90fc857
scd:p15: Support attribute KEY-FPR.
* scd/app-p15.c: Include openpgpdefs.h.
(struct prkdf_object_s): Add fields have_keytime and ecdh_kdf.
(read_p15_info): Set ecdh_kdf.
(keygrip_from_prkdf): Flag that we have the keytime.
(send_keypairinfo): Send the key time only if valid.
(send_key_fpr_line): New.
(send_key_fpr): New.
(do_getattr): Add KEY-FPR.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-16 12:49:37 +02:00
Jakub Jelen
7cbe29c4fb scd: Fix memory leaks.
* scd/apdu.c (apdu_dev_list_start): Free DL.
* scd/app-nks.c (pubkey_from_pk_file): Fix typo in condition.

--

GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-04-13 14:21:29 +09:00
Werner Koch
ecb9265b8d
scd:p15: Match private keys with certificates also by labels.
* scd/app-p15.c (cdf_object_from_label): New.
(cdf_object_from_certid): Fallback to label matching.
(read_p15_info): Ditto.
(keygrip_from_prkdf): Ditto.  Replace duplicated code by a call to
cdf_object_from_objid.
--

In case there is no certificate for a private key we now also try to
find a certificate using a matching label.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-12 11:41:00 +02:00
Werner Koch
63320ba2f8
scd:nks: Handle APP_READKEY_FLAG_INFO.
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it.  Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--

Note that this only handles the most common case of providing a
keygrip.  $AUTHKEYID and ODLM are not yet supported.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-08 19:30:51 +02:00
Werner Koch
22fd48e48d
scd: Fix duplicate output of KEYPAIRINFO by readkey command.
* scd/app-help.c (app_help_get_keygrip_string_pk): Make HEXKEYGRIP
parm optional.
* scd/command.c (do_readkey): Remove duplicate output of keypairinfo
lines.
--

Note that this change needs a fix in app-p15 which does not yet handle
the APP_READKEY_FLAG_INFO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-08 19:27:25 +02:00
NIIBE Yutaka
ab66c43575 scd: Fix CCID driver for SCM SPR332/SPR532.
* scd/ccid-driver.c (ccid_vendor_specific_pinpad_setup): New.
(ccid_vendor_specific_setup): Only send CLEAR_HALT.
(ccid_transceive_secure): Each time, use send_escape_cmd.

--

GnuPG-bug-id: 5297
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-08 13:41:28 +09:00
Werner Koch
ff87f4e578
scd: New flag --reread for LEARN
* scd/command.c (cmd_learn): Add flag --reread.
* scd/app-common.h (struct app_ctx_s): New field need_reset.
* scd/app.c (write_learn_status_core): Set need_reset if we notice an
error after returning from a reread.  Change all callers of card
functions to return GPG_ERR_CARD_RESET so that that app is not anymore
used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 10:31:52 +02:00
Werner Koch
e17d3f8660
scd:p15: New flag APP_LEARN_FLAG_REREAD.
* scd/app-p15.c (do_deinit): Factor code out to ...
(release_lists, release_tokeninfo): new.
(read_ef_tokeninfo): Reset all data before reading.
(read_p15_info): Ditto.
(do_learn_status): Implement reread flag.
--

Objects of a card may be protected by a PIN and thus only readble
after a verify command.  This new flag makes it possible to gather the
entire PKCS#15 card info again without a need for a reset (and thus
loss of the verify status).

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 10:28:07 +02:00
Werner Koch
1c16878efd
scd: Replace all assert macros by the log_assert macro.
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-31 19:16:05 +02:00
Werner Koch
7f91263632
scd:p15: Return labels for keys and certificates.
* scd/app-p15.c (send_certinfo): Extend certinfo.
(do_getattr): Support KEY-LABEL.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 17:25:24 +02:00
Werner Koch
651c07a730
scd:p15: For CardOS make use of ISO7816_VERIFY_NOT_NEEDED.
* scd/app-p15.c (verify_pin): Take care of verify status.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 11:43:45 +02:00
Werner Koch
de4d3c99aa
scd:p15: Return the creation time of the keys.
* scd/app-p15.c (struct prkdf_object_s): Add keytime and keyalgostr.
(keygrip_from_prkdf): Set them.
(send_keypairinfo): Extend KEYPAIRINFO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 10:27:20 +02:00
Werner Koch
592f480117
scd:p15: Make RSA with SHA512 work with CardOS.
* scd/app-p15.c (do_sign): Rewrite.
--

This basically works now but for my test card I need to pass
--cert-digest-algo-512 manually.  Need to check this again and
automate it.  It will also be useful to take the NotBefore timestamp
from the dummy X.509 certificate and use that for the PGP key creation
time.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 20:36:01 +02:00
Werner Koch
a494b29af9
scd:p15: Support ECDSA and ECDH for CardOS.
* scd/iso7816.c (iso7816_pso_csv): New.
* scd/app-help.c (app_help_pubkey_from_cert): Uncompress a point if
needed.

* scd/app-p15.c (CARD_PRODUCT_RSCS): New.
(struct prkdf_object_s): Add fields is_ecc, token_label, and
tokenflags.
(do_deinit): Free new fields.
(cardproduct2str): New.
(read_ef_prkdf): Set new is_ecc flag.
(read_ef_tokeninfo): Store some data and move Tokeninfo diags to ...
(read_p15_info): here.  set the product info here after all data has
been gathered.
(send_keypairinfo): Chnage the way the gpgusage flags are used.
(make_pin_prompt): If the token has a label and the current cert has
no CN, show the label as holder info.
(do_sign): Support ECDSA.  Take care of the gpgusage flags.
(do_decipher): Support ECDH.  Take care of the gpgusage flags.
--

This has been tested with Trusted Object Manager generated cards by
Rohde & Schwarz Cybersecurity.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 14:49:08 +02:00
NIIBE Yutaka
d4e5979c63 scd: Fix PC/SC error handling at apdu_dev_list_start.
* scd/apdu.c (PCSC_E_NO_READERS_AVAILABLE): Add.
(pcsc_error_to_sw): Handle PCSC_E_NO_READERS_AVAILABLE.
(apdu_dev_list_start): Return error correctly.

--

GnuPG-bug-id: 4864
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-26 11:24:30 +09:00
Werner Koch
964363e788
scd:p15: Make $SIGNKEY et al determination more fault tolerant.
* scd/app-p15.c (do_getattr): Change how we use gpgUsage to figure out
the keys to use.
2021-03-24 12:27:36 +01:00
Werner Koch
37b1c5c200
scd:openpgp: Allow reading and writing user certs for keys 1 and 2
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--

This has been tested with a Zeitcontrol 3.4 card.  A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 18:26:03 +01:00
Werner Koch
bbdb48ec0d
scd:openpgp: Rename an internal variable.
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen.  Change users.
--

The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used.  Make this
clear by renaming.

Likewise for max_certlen_3.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 15:24:08 +01:00
Werner Koch
d5fb598323
scd:openpgp: Small speedup reading card properties.
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--

The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache.  A better strategy would be
to clear the cache when we change card data but that is more error
prone.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 13:43:46 +01:00
Werner Koch
85082a83c2
scd:p15: Allow to use an auth object label with cmd CHECKPIN.
* scd/app-p15.c (prepare_verify_pin): Allow for PRKDF to be NULL.
(make_pin_prompt): Ditto.
(verify_pin): Ditto.
(do_check_pin): Allow using the Label to specify a PIN.
--

Note that a label may not work in all cases because we can't select
the protected object's EF first.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 16:30:10 +01:00
Werner Koch
ef29a960bf
scd:p15: New attribute CHV-LABEL.
* scd/app-p15.c (parse_common_obj_attr): Map spaces in the lapel to
underscores.
(read_ef_aodf): Prettify printing of the type.
(do_getattr): New attribute CHV-LABEL
(do_learn_status): Emit CHV-LABEL.
(verify_pin): Distinguish the PIN prompts.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-18 11:08:16 +01:00
Werner Koch
bf1d7bc369
scd:p15: Implement CHV-STATUS attribute
* scd/command.c (send_status_direct): Return an error.
* scd/app-p15.c (do_learn_status): Emit CHV-STATUS.
(compare_aodf_objid): New.
(do_getattr): Implement CHV-STATUS.
2021-03-16 18:52:38 +01:00
NIIBE Yutaka
b743942a97 scd: Add handling of Ed448 key.
* scd/app-openpgp.c (struct app_local_s): Add ecc.algo field.
(send_key_attr): Use ecc.algo field.
(ecc_read_pubkey): Use ecc.algo field.
(ecc_writekey): Ed448 means EdDSA.
(parse_algorithm_attribute): Set ecc.algo field from card.
Add checking for Ed25519 for ECC_FLAG_DJB_TWEAK flag.

--

There used to be a possible support of Ed25519 with ECDSA, (instead of
EdDSA).  To distinguish key for Ed25519 for EdDSA, we use the
flag: (flags eddsa).  Ed448 has no support for ECDSA and defaults to
EdDSA even if no such flag.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-15 17:02:32 +09:00
NIIBE Yutaka
f482e4bd12 scd: Fix count_sos_bits handling.
* scd/app-openpgp.c (count_sos_bits): Handle an exceptional case.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-15 17:00:56 +09:00
Werner Koch
5732e7a8e9
scd: New option --pcsc-shared.
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (cache_pin): Bypass in shared mode.
(verify_chv2: Do not auto verify chv1 in shared mode.
* scd/app-piv.c (cache_pin): By pass caceh in shared mode.
--

This option should in general not be used.  The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.
2021-03-12 09:31:17 +01:00
NIIBE Yutaka
95156ef9bf scd: Fix computing fingerprint for ECC with SOS.
* scd/app-openpgp.c (count_sos_bits): New.  Count as sos_write does.
(store_fpr): For ECC, use count_sos_bits.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-12 16:20:28 +09:00
Valtteri Vuorikoski
8cad11d13b
scd:piv: Improve APT parser compatibility.
* scd/app-piv.c (app_select_piv): Allow for full AID.
--

It appears that SP-800-73-x is not too clear about the format of these
objects. Many current cards (such as the Yubikey 5 series) apparently
have only the PIX in DO 0x4F and only the RID in object 0x79/0x4F.

However, other cards as well as the PivApplet Javacard applet have the
full AID in 0x4F (which actually seems closer to what the standard
says). PivApplet also has the full AID in 0x79/0x4F, but this is
probably incorrect. (Here is a long discussion of the matter from an
OpenSC author:
https://github.com/arekinath/PivApplet/issues/43#issuecomment-772649709)

[Taken from a mail to gnupg-devel date 2021-02-03.]

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-11 14:06:51 +01:00
Werner Koch
0f191a0707
scd:p15: Fix faulty removal of a test code change.
--

Fixes-commit: 08b5ac492afc6c6e7eaaa1f70d67c81cbda2c9be
2021-03-10 12:25:42 +01:00
Werner Koch
08b5ac492a
scd:p15: Support special extended usage flags for OpenPGP keys.
* scd/app-p15.c (struct gpgusage_flags_s): New.
(struct prkdf_object_s): Add field gpgusage.
(struct app_local_s): Add field any_gpgusage.
(dump_gpgusage_flags): New.
(read_p15_info): Parse athe gpgusage flags.
(do_getattr): Take care of the gpgusage flags.
--

This features allows to mark keys to be used for OpenPGP.  This is
done by putting additional extended key infos into the certificate
stored on the cards.  Only if any such extended key usage is detected
for a stored certificate this new mode chimes in.

This feature gives the card issuer a high flexibility on how to make
sure certain keys are used with OpenPGP.
2021-03-10 11:03:02 +01:00
Werner Koch
a1f281eeec
scd: Swapped openpgp card vendor 0x000a with new 0x000d.
--
2021-03-09 11:15:34 +01:00
Werner Koch
9f8361eda8
scd: Add new Openpgp card vendor name
--
2021-03-09 11:03:14 +01:00
NIIBE Yutaka
fc99f77b14 scd: Fix for X448.
* scd/app-openpgp.c (do_decipher): Support with no prefix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-08 16:23:26 +09:00
Werner Koch
d51a5ca108
scd:p15: Read out the access flags.
* scd/app-p15.c (struct keyaccess_flags_s): New.
(struct prkdf_object_s): Add field accessflags.
(dump_keyusage_flags): New.
(dump_keyaccess_flags): New.
(parse_keyaccess_flags): New.
(parse_common_key_attr): Return access flags.
(read_ef_prkdf): Parse the access flags.  Allow for ECkeys.
(read_ef_pukdf): Ditto.  Use new functions for printing.
(read_p15_info): Use new fucntion for printing.
2021-02-25 17:01:38 +01:00
Werner Koch
cfdaf2bcc8
scd:p15: Get the label value of all objects for better diagnostics.
* scd/app-p15.c (struct cdf_object_s): Add fields authid, authidlen,
and label.
(struct prkdf_object_s): Add field label.
(struct aodf_object_s): Ditto.
(release_cdflist): Free new fields.
(release_prkdflist): Free new field.
(release_aodf_object): Ditto.
(parse_common_obj_attr): Return the label.
(read_ef_prkdf): Store the label.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Use parse_common_obj_attr and store authid and label.
Print them im verbose mode.
(read_ef_aodf): Store the label and print it.
2021-02-24 15:50:00 +01:00
Werner Koch
33aaa37e5b
scd:p15: Make it code work again for D-Trust cards.
* scd/app-p15.c (select_and_read_binary): Allow to skip the select.
(select_and_read_record): Return the statusword.  Silence error
message for SW_FILE_STRUCT.
(select_ef_by_path): Fix selection with a home_DF.
(read_first_record): Fallback to read_binary for CardOS and return
info about this.
(read_ef_prkdf): Use info from read_first_record to decide whether to
use record or binary mode.
(read_ef_pukdf): Ditto.
(read_ef_aodf): Ditto.
(read_ef_cdf): Ditto.  New arg cdftype for diagnostics.
(read_p15_info): Pass cdftype.

* scd/apdu.h (SW_FILE_STRUCT): New.
* scd/apdu.c (apdu_strerror): Map that one to a string.
* scd/iso7816.c (map_sw): and to a gpg-error.
2021-02-23 12:56:42 +01:00
Werner Koch
2490f4e8e1
scd: Fix readkey --info in case a readkey command is available.
* scd/command.c (do_readkey): Make --info also work if a readkey
command is available.

* scd/app-p15.c (cdf_object_from_certid): Fix a but introduced with
the previous commit.
2021-02-22 18:28:45 +01:00
Werner Koch
488eaedc9a
scd:p15: Extract extended usage flagsand act upon them.
* scd/app-p15.c: Add a couple of oid constants.
(struct cdf_object_s): Replace fields image and imagelen by cert.
(struct prkdf_object_s): Add extusage flags
(send_keypairinfo): Use them.
(cdf_object_from_certid): Factor parts out to ...
(cdf_object_from_objid): new function.
(read_ef_prkdf): Move info printing to ...
(read_p15_info): here.  Fill the extusage flags.
(readcert_by_cdf): Cache the ksba cert object instead of the binary
cert.
* scd/app.c (select_additional_application): Fix a log_debug call.
(scd_update_reader_status_file): Ditto.
--

This allows us to return only KEYPAIRINFO lines for keys we can
actually use.
2021-02-22 17:51:11 +01:00
Werner Koch
6d4280b13d
scd: Minor tweak for easier backporting
* scd/app-common.h (APP_CARD): New.  Use it in app-*.c to access
app->card.
--

This should help to make backporting to 2.2 easier.
2021-02-19 10:15:54 +01:00
Werner Koch
8a74b87261
scd:piv: Fix a typo in a string.
--
2021-02-18 16:08:02 +01:00
Werner Koch
0c080ed579
scd:p15: Read PuKDF and minor refactoring.
* scd/app-p15.c (pukdf_object_t): New.
(struct app_local_s): Add field public_key_info.
(release_pukdflist): New.
(select_and_read_record): No diagnostic in case of not_found.
(read_first_record): New.  Factored out from the read_ef_ fucntions.
(read_ef_pukdf): New.  Basically a copy of read_ef_prkdf for now.
(read_p15_info): Also read the public keys.

(cardtype2str): New.
(read_ef_tokeninfo): Print a string with the cardtype.
2021-02-02 12:38:03 +01:00
Werner Koch
1e197c29ed
scd:p15: Make file selection more robust.
* scd/app-p15.c: Include host2net.h.
(DEFAULT_HOME_DF): New.
(select_and_read_binary): Replace slot by app.  Change callers.  Use
select_ef_by_path.
(select_and_read_record): ditto.
(select_ef_by_path): Make use use the home_df.
(parse_certid): Adjust for always set home_df.
(print_tokeninfo_tokenflags): Ditto.
(app_select_p15): Take the home_df from the FCI returned by select.
--

This uses modern APDUs and always selectd starting at the PCKS-15 home
DF.  We could have made this much simpler but the goal is to keep
support for older cards although we can't test that easily.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-27 18:39:42 +01:00
Werner Koch
7620473cd0
scd: Define new status word
* scd/apdu.h (SW_NO_CURRENT_EF): New.
--

This merely to show better diagnostics.
Used for example by CardOS 5.3.
2021-01-27 18:31:12 +01:00
Werner Koch
5bcbc8cee3
scd:p15: Factor the commonKeyAttributes parser out.
* scd/app-p15.c (read_ef_prkdf): Fix detection of unsupported key
 objects.  Factor some code out to ...
(parse_common_key_attr): new.
--
2021-01-27 13:28:12 +01:00
Werner Koch
fb84674d6c
scd:p15: Factor the commonObjectAttributes parser out.
* scd/app-p15.c (parse_common_obj_attr): New.
(read_ef_prkdf): Use new function.
(read_ef_aodf): Ditto.
2021-01-26 19:10:12 +01:00
Werner Koch
fc287c0552
scd:p15: First step towards real CardOS 5 support.
* scd/iso7816.c (iso7816_select_path): Add arg from_cdf.
* scd/app-nks.c (do_readkey): Adjust for this change.

* scd/app-p15.c (CARD_TYPE_CARDOS_53): New.
(IS_CARDOS_5): New.
(card_atr_list): Add standard ATR for CardOS 5.3.
(select_and_read_binary): Remove the fallback to record read hack.
(select_and_read_record): New.
(select_ef_by_path): Rework and support CardOS feature.
(read_ef_prkdf): Use read record for CardOS.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.  Also fix bug in the detection of other
unsupported attribute types.
(verify_pin): Use IS_CARDOS_5 macro.
(app_select_p15): Force direct method for CardOS.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-26 17:42:55 +01:00
Werner Koch
60499d9894
scd:p15: Show the ATR as part of the TokenInfo diagnostics.
* scd/app-p15.c (read_ef_tokeninfo): Print the ATR in verbose mode.
--

It is convenient to see the ATR close to the other info,

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-21 10:44:43 +01:00
Ingo Klöcker
8fe976d5b9 scd:nks: Add support for signing plain SHA-3 digests.
* scd/app-nks.c (do_sign): Handle plain SHA-3 digests and verify
encoding of ASN.1 encoded hashes.
--

This makes it possible to create CSRs for NetKey card keys which are
signed with SHA256 by default.

GnuPG-bug-id: 5184
2021-01-06 12:19:11 +01:00
NIIBE Yutaka
3b39263088 scd:nks: Support READKEY with keygrip and for "NKS-IDLM" keyref.
* scd/app-nks.c (do_readkey): Allow KEYGRIP access.
Support NKS-IDLM.XXXX keyref.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-11 14:08:40 +09:00