* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
compute the fingerprint. Add a default for use by gnupg 2.2.
(store_fpr): Add arg update.
(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
writing the fingerprint back to the card if not set.
(read_public_key): Also add arg meta_update.
(get_public_key): Do not pass it as true here...
(do_genkey): ... but here.
--
This is based on commit c03ba92576e34f791430ab1c68814ff16c81407b and
done here to ease backporting. There is no functional change.
GnuPG-bug-id: 6378
* scd/app-openpgp.c (get_public_key): Handle wrong error code by
Yubikeys.
--
This has been taken from commits
0db9c83555b4a8a0c52f96e96ec20dbfd3d75272
946555ea3ceb823b95ed13654ae4fd667daa4337
* scd/app-openpgp.c (data_objects): Capitalize the word for usage.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit e6b7e0ff9990813ac9f11b2d9d92596d6379ebfe)
* g10/card-util.c (uif, cmdUIF): New.
(card_edit): Add call to uif by cmdUIF.
* scd/app-openpgp.c (do_getattr): Support UIF-1, UIF-2, and UIF-3.
(do_setattr): Likewise.
(do_learn_status): Learn UIF-1, UIF-2, and UIF-3.
--
GnuPG-bug-id: 4158
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 0cb65564e022fface5ada4de8e0c2c4c3d0ac8ad)
Also included the relevant part from
commit 0240345728a84d8f235ce05889e83963e52742eb
Note that this patch is mainly to simplifying backporting and not to
support the UIF.
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--
The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache. A better strategy would be
to clear the cache when we change card data but that is more error
prone.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d5fb5983232cf4d60cf6aa00d0ae5a16cf948e19)
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--
This has been tested with a Zeitcontrol 3.4 card. A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 37b1c5c2004c1147a13b388863aaa8f0caf7d71f)
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
--
The generic keyref allows for better error detection in case a keyref
is send to a wrong card. This has been taken from master commit
3231ecdafd71ac47b734469b07170756979ede72 which has additional changed
for gpg-card-tool, which is only available there.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 6651a0640d0f1b4dd161210dc55974d9b93b7253)
* scd/app-openpgp.c (count_sos_bits): New. Count as sos_write does.
(store_fpr): For ECC, use count_sos_bits.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 95156ef9bfb6a3a525454d50ae2f5b538ccbd774)
and
(cherry picked from commit f482e4bd121ff2862bfb53a82f1d5c2cf3524a10)
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen. Change users.
--
The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used. Make this
clear by renaming.
Likewise for max_certlen_3.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit bbdb48ec0ddd99ce23fcba42949c00a2594fb9a5)
* common/sexputil.c (get_rsa_pk_from_canon_sexp): Also allow private
keys.
(pubkey_algo_string): Ditto.
* scd/app-openpgp.c (do_writekey): Switch key attributes
--
The scd WRITEKEY command for OpenPGP cards missed proper support to
aautomagically switch key attributes based on the new key. We had
this only in GENKEY.
GnuPG-bug-id: 6378
* scd/app-openpgp.c (data_objects): 0x00FA for binary data.
(do_getattr): Parse the data and send it in status lines.
(get_algorithm_attribute_string): New.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: eba2563dabbb4f61537900289fbe3ae113904733
Backported-from-master: 43bbc25b0f57dec24412886ff46041e0b1f3de26
* scd/app-p15.c (verify_pin): ascii-numeric is different than BCD.
(cherry picked from commit 029924a46e08ffcda038d89f06abfb41c980a9ad)
Added a few typo fixes.
* scd/iso7816.c (iso7816_read_binary_ext): Handle the 0x6a86 SW the
same as 6b00.
* scd/apdu.c (apdu_get_atr): Modify debug messages.
* scd/app-p15.c (app_select_p15): Print FCI on error.
(read_p15_info): Clean up diag in presence of debug options.
--
Some cards return 6a86 instead of 6b00.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 44f977d0e332e77fb8a775c4837c00118bbe08cb
* scd/app-p15.c (read_ef_prkdf, read_ef_pukdf)
(read_ef_cdf, read_ef_aodf): Allow for a zero length path and
correctly skip unsupported auth types.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 7a8545c91b09277b0833dc0e5881ba5d1c8dbca3
* scd/app-openpgp.c (struct app_local_s): Add field keyalgo.
(parse_algorithm_attribute): Store the new keyalgo field.
(change_keyattr): Change info message.
(change_keyattr_from_string): Rewrite to also accept a keyref and a
keyalgo string.
(do_genkey): Change the keyattr if a keyalgo string is given.
* scd/command.c (cmd_genkey): Add option --algo.
--
Having this feature makes it easier to use OpenPGP cards in a similar
way to other cards. Note that the explicit changing via SETATTR is
still supported.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d7d75da50543bc7259c5a6e6367b58cbca7f1b7b)
(cherry picked from commit b349adc5c0d00d2fc405a45bd078f1580b5610cc)
* scd/app-p15.c (select_and_read_record): Special case deleted
records. Support 3 byte TLVs.
(read_ef_prkdf): Skip deleted records.
(read_ef_pukdf): Ditto.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.
--
This fixes a problem with some CardOS 5 applications.
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--
This should handle the most common case.
GnuPG-bug-id: 5085
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
--
The flag was already backported to some apps but not to these.
* scd/app-nks.c (filelist): Tweak 0x4531.
--
Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.
(cherry picked from commit 3a2fb1c30633373d17880469e0b84ab2a9524585)
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--
Also added a couple of comments.
(cherry picked from commit b92b3206e72b635fd815eaf85e7acc67c2a52ffe)
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--
This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.
Note: The design of the FID cache needs to be reconsidered. Until
that the lookup here has been disabled. The do_sign code should be
revamped to be similar to what we do in app-p15.
GnuPG-bug-id: 5219, 4938, 6252
Backported-from-master: 07eaf006c2763a6b40d2734b1c6704da466e0ed0
* scd/app-nks.c (set_usage_string): New.
(do_learn_status_core, do_readkey): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/command.c (send_keyinfo): Add arg usage.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 5264d3f58e8a8362900c3518bdd683ff9a23cccc
GnuPG-bug-id: 6252
This backports only the NKS parts of the original patch
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it. Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--
Note that this only handles the most common case of providing a
keygrip. $AUTHKEYID and ODLM are not yet supported.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 63320ba2f8147ee86f4406c9590f6b28cad4771d)
* scd/app-nks.c (do_sign): Handle plain SHA-2 digests and verify
encoding of ASN.1 encoded hashes.
--
This makes it possible to create CSRs for NetKey card keys which are
signed with SHA256 by default.
GnuPG-bug-id: 5184
(cherry picked from commit 8fe976d5b9a0f2902868737dd502c749565222a6)
* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
(keygripstr_from_pk_file): Handle special value.
(do_readcert): Ditto.
(do_writecert): Ditto.
--
This allows to get information about the keys from the card. However
the do_readkey still requires a fallback to readcert. This does not
work because there are no certificates yet on the card. The fix is to
fully implement do_readkey.
(cherry picked from commit 806547d9d243b26c2275fc00c645ee39d258b49b)
* scd/app-nks.c (do_learn_status_core): Emit the algo string as part
of a KEYPAIRINFO.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache. Use a
single exit label. Set algostr.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 26da47ae53d51e16ae6867cd419ddbf124a94933
Backported-from-master: 006944b856ee2202905290e8a2f5523a7877d444
GnuPG-bug-id: 6252, 5144
This has been backported to keep this, and only this, module in sync
with master. All other changes from the original patch have been
stripped.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--
This has been backported only to make the following backpoorts easier.
The code is only used in 2.3; for details see the original commit
message.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: c1663c690b29d2dea8bc782c42de5eca08a24cc9
GnuPG-bug-id: 6252
* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
(do_readcert): Test for the app_id.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 07aef873ebc77241e9a2be225537319f6fc15a41
GnuPG-bug-id: 6252
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--
Backported-from-master: 1f6a39092fe4b5f02bc4741a0a23d102d30f4063
GnuPG-bug-id: 6252
Also not directly required for the Signature Card 2.0, it is easier to
port this patch as well.
