1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

724 Commits

Author SHA1 Message Date
Werner Koch
b810320b1b
sm: Fix returning of the ephemeral flag in keyboxd mode.
* sm/keydb.c (search_status_cb): Skip over the ubid.
2020-09-22 16:15:47 +02:00
Werner Koch
c772770574
sm: Implement delete key in keyboxd mode
* sm/keydb.c (keydb_delete): Implement keyboxd mode.
(keydb_update_cert): Disable unused function.
* kbx/backend-sqlite.c (be_sqlite_delete): Delete from issuer.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-21 09:20:40 +02:00
Werner Koch
ed6ebb696e
sm: Implement initial support for keyboxd.
* sm/gpgsm.h (MAX_FINGERPRINT_LEN): New.
* sm/keydb.c (struct keydb_local_s): Change definition of
search_result.
(keydb_get_cert): Implement keyboxd mode.
(keydb_get_flags): Temporary hack for keyboxd mode.  Needs to be
fixed.
(struct store_parm_s, store_inq_cb): New.
(keydb_insert_cert): Implement keyboxd mode.
(keydb_locate_writable): Make static.
(keydb_search_reset): Implement keyboxd mode.
(search_status_cb): New.
(keydb_search): Implement keyboxd mode. Replace return code -1 by
GPG_ERR_NOT_FOUND.
(keydb_set_cert_flags): Replace return code -1 by GPG_ERR_NOT_FOUND.
* sm/keylist.c (list_cert_colon): Adjust for replacement of -1 by
GPG_ERR_NOT_FOUND.
(list_internal_keys): Ditto.
* sm/sign.c (add_certificate_list): Ditto.
* sm/certchain.c (find_up_search_by_keyid): Ditto.
(find_up_external, find_up, find_up_dirmngr): Ditto.
(gpgsm_walk_cert_chain): Ditto.
(get_regtp_ca_info): Ditto.
* sm/certlist.c (gpgsm_add_to_certlist): Ditto.
(gpgsm_find_cert): Ditto.
* sm/delete.c (delete_one): Ditto.
* sm/export.c (gpgsm_export): Ditto.
(gpgsm_p12_export): Ditto.
* sm/import.c (gpgsm_import_files): Ditto.
--

Note that keyboxd is not yet able to handle the ephemeral flag.  This
needs fixing here and in keyboxd.  Delete et al. is also not yet
implemented.  A basic key listing works, though.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-10 13:05:17 +02:00
Werner Koch
6fcc263c18
keyboxd: Use D-lines instead of a separate thread.
* kbx/kbx-client-util.c (kbx_client_data_new): Add arg 'dlines'.
* g10/call-keyboxd.c (open_context): Set DLINES to true.
* sm/keydb.c (open_context): Ditto.
--

This allows to compile time switch between the D-line and the
fd-passing data communication between gpg/gpgsm and keyboxd. A quick
test with about 3000 OpenPGP keys showed that D-lines are only 10%
slower than the fd-passing based implementation.  Given that the
thread adds extra complexity we go for now with the D-line approach.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-10 12:14:02 +02:00
Werner Koch
adec6a84f6
kbx: Change X.509 S/N search definition.
* kbx/keybox-search-desc.h (struct keydb_search_desc): Do not overload
SNLLEN with a hex flag.  Add SNHEX.
* kbx/keybox-search.c (keybox_search): Adjust.
* common/userids.c (classify_user_id): Adjust.
* sm/keydb.c (keydb_search_desc_dump): Adjust.
* g10/keydb.c (keydb_search_desc_dump): Adjust.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-09 20:34:59 +02:00
Werner Koch
046f419f80
sm: New options to prepare the use of keyboxd.
* sm/Makefile.am (AM_CFLAGS): Add npth flags.
(common_libs): Use npth version of the lib.
(gpgsm_LDADD): Add npth libs.
* sm/gpgsm.c (oUseKeyboxd, oKeyboxdProgram): New.
(opts): New options --use-keyboxd and --keyboxd-program.
(main): Set them.
(gpgsm_deinit_default_ctrl): New.
(main): Call it.
* sm/server.c (gpgsm_server): Ditto.
* sm/gpgsm.h (opt): Add fields use_keyboxd and keyboxd_program.
(keydb_local_s): New type.
(struct server_control_s): Add field keybd_local.
* sm/keydb.c: Include assuan.h, asshelp.h, and kbx-client-util.h.
(struct keydb_local_s): New.
(struct keydb_handle): Add fields for keyboxd use.
(gpgsm_keydb_deinit_session_data): New.
(warn_version_mismatch): New.
(create_new_context): New.
(open_context): New.
(keydb_new): Implement keyboxd mode.
(keydb_release): Ditto.
(keydb_get_resource_name): Ditto.

* sm/keydb.c: Add stub support for all other functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-03 13:49:20 +02:00
Werner Koch
a7d006293e
sm: Add arg ctrl to keydb_new.
* sm/keydb.c (keydb_new): Add arg and change all callers.
--

This will be used later.
2020-09-03 13:49:20 +02:00
Werner Koch
2cd8bae23d
Use only one copy of the warn_server_mismatch function.
* common/asshelp.c (warn_server_version_mismatch): New.  Actually a
slightly modified version of warn_version_mismatch found in other
modules.
* common/status.c (gnupg_status_strings): New.
* g10/cpr.c (write_status_strings2): New.
* g10/call-agent.c (warn_version_mismatch): Use the new unified
warn_server_version_mismatch function.
* g10/call-dirmngr.c (warn_version_mismatch): Ditto.
* g10/call-keyboxd.c (warn_version_mismatch): Ditto.
* sm/call-agent.c (warn_version_mismatch): Ditto.
* sm/call-dirmngr.c (warn_version_mismatch): Ditto.
* tools/card-call-scd.c (warn_version_mismatch): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-01 20:43:57 +02:00
Werner Koch
16c1d8a14e
sm: Fix a bug in the rfc2253 parser
* sm/certdump.c (parse_dn_part): Fix parser flaw.
--

This could in theory result in reading bytes after a after Nul in a
string and thus possible segv on unallocated memory or reading other
parts of the memory.  However, it is harmless because the rfc2253
strings have been constructed by libksba.

GnuPG-bug-id: 5037
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-28 09:09:05 +02:00
Werner Koch
e7677da479
sm: Do not require a default keyring for --gpgconf-list.
* sm/gpgsm.c (main): No default keyring for gpgconf mode.
--

GnuPG-bug-id: 4867
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-25 11:36:12 +02:00
Werner Koch
32aac55875
build: New configure option --disable-tests
* configure.ac: Add option --disable-tests.  Print warnings in the
summary.
(DISABLE_TESTS): New am_conditional.
--
GnuPG-bug-id: 4960
2020-08-20 10:54:17 +02:00
Werner Koch
4031c42bfd
gpg,gpgsm: Record the creation time of a private key.
* sm/call-agent.c (gpgsm_agent_genkey): Pass --timestamp option.
(gpgsm_agent_import_key): Ditto.
* g10/call-agent.c (agent_genkey): Add arg timestamp and pass it on.
(agent_import_key): Ditto.
* g10/import.c (transfer_secret_keys): Pass the creation date to the
agent.
* g10/keygen.c (common_gen): Ditto.
--

Having the creation time in the private key file makes it a lot easier
to re-create an OpenPGP public keyblock in case it was accidentally
lost.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-19 13:43:16 +02:00
NIIBE Yutaka
f3e424d4e7 Silence compiler warnings.
* common/openpgp-oid.c (map_openpgp_pk_to_gcry): Use cast for enum
conversion.
* dirmngr/dns-stuff.c (get_dns_srv): Use explicit conversion from
int to float.
* sm/gpgsm.c (parse_keyserver_line): Initialize ERR.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-08-19 13:21:32 +09:00
Werner Koch
6bcb609e1b
Add --chuid to gpg, gpg-card, and gpg-connect-agent.
* g10/gpg.c (oChUid): New.
(opts): Add --chuid.
(main): Implement --chuid.  Delay setting of homedir until the new
chuid is done.
* sm/gpgsm.c (main): Delay setting of homedir until the new chuid is
done.
* tools/gpg-card.c (oChUid): New.
(opts): Add --chuid.
(changeuser): New helper var.
(main): Implement --chuid.
* tools/gpg-connect-agent.c (oChUid): New.
(opts): Add --chuid.
(main): Implement --chuid.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-14 12:19:11 +02:00
Werner Koch
646a30fd39
gpgsm: New option --chuid.
* sm/gpgsm.c (oChUid, opts): New option --chuid.
(main): Implement option.
--

This option will at least be useful for Scute.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-06 16:03:57 +02:00
Werner Koch
e7d7092390
sm: Also show the SHA-256 fingerprint.
* sm/keylist.c (list_cert_colon): Emit a new "fp2" record.
(list_cert_raw): Print the SHA2 fingerprint.
(list_cert_std): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-04 11:11:22 +02:00
NIIBE Yutaka
c1f81eb9fc w32: Add NETLIBS for sm/t-minip12.
* sm/Makefile.am (t_minip12_LDADD): Add NETLIBS.

--

GnuPG-bug-id: 4944
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-07-30 15:01:55 +09:00
NIIBE Yutaka
d69f5570ee w32: Add link to $(NETLIB) for -lws2_32.
* dirmngr/Makefile.am (dirmngr_LDADD): Add $(NETLIBS).
* sm/Makefile.am (gpgsm_LDADD): Ditto.
* tools/Makefile.am (gpg_wks_client_LDADD): Ditto.

--

GnuPG-bug-id: 4994
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-07-30 11:34:01 +09:00
Werner Koch
999d25d47d
Do not use the pinentry's qualitybar
* agent/genkey.c (agent_ask_new_passphrase): No qualitybar.
* g10/call-agent.c (agent_get_passphrase): Ditto.
* sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto.
--

The concept of a passphrase quality indicator is anyway questionable
because user are smart enough to trick them out and they also tend to
limit the actually used entropy.

Except for the red/green switching (to show whether constraints are
fulfilled) our qualitybar is pretty bad and thus worse than none.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-08 14:54:10 +02:00
Werner Koch
9ee975d588
gpgsm: Replace all assert calls by log_assert.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-08 14:40:34 +02:00
Werner Koch
969abcf40c
sm: Exclude rsaPSS from de-vs compliance mode.
* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New.
* common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and
test rsaPSS.  Adjust all callers.
(gnupg_pk_is_allowed): Ditto.
* sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function.
(gpgsm_get_hash_algo_from_sigval): New.
* sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval
arg.  Add arg pkalgoflags.  Use the PK_ALGO_FLAG_RSAPSS.
* sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to
also get the algo flags.  Pass algo flags along.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-07-03 16:15:29 +02:00
Werner Koch
4f1c257c03
sm: Fix regression in Friday's commit
* sm/gpgsm.c (main): Set ERR also for encrypt.
--
Fixes-commit: ccbb0cfeefed096a9841b6557d10eef12d55b721

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-29 15:00:04 +02:00
Werner Koch
ccbb0cfeef
sm: Try not to output a partial new message after an error.
* sm/gpgsm.c (main) <aSign,aEncr>:  Uses gpgrt_fcancel on error.
--

When creating a signature or encrypting and the respective key is not
available or the user canceled the PIN entry gpgsm prints the initial
part of the message due to internal buffering in gpgrt.  By using
gpgrt_fcancel we can avoid this at least as long as the data is less
than the standard buffer size (which is currently 8k).  If is not a
complete solution but the best we can do easily.  Outputting to the
tty is anyway more of a testing aid than for real use.

This makes use of the new gpgrt_fcancel API.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-26 15:21:31 +02:00
Werner Koch
208a901973
sm: Print the serial number of a cert also in decimal.
* sm/certdump.c: Include membuf.h.
(gpgsm_print_serial_decimal): New.
* sm/keylist.c (list_cert_raw): Print s/n also in decimal
(list_cert_std): Ditto.
--

Many CA's print the serial number in decimal on their cards.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-26 12:59:02 +02:00
Werner Koch
17a25c14f1
sm: Fix support verification of nistp521 signatures.
* sm/certcheck.c (do_encode_md): Fix obvious bug.
--
Fixes-commit: 596212e71abf33b30608348b782c093dace83110

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-25 08:57:33 +02:00
Werner Koch
596212e71a
sm: Support verification of nistp521 signatures.
* sm/certcheck.c (do_encode_md): Take care of nistp521.
--

That curve is a bit odd in that it does not match a common hash digest
length.  We fix that here for just this case instead of writing more
general code to support all allowed cases (i.e. hash shorter than Q).

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-17 14:27:12 +02:00
Werner Koch
7558128e16
sm: Fix recently introduced regression in CSR creation.
* sm/certreqgen.c (create_request): Also set SIGKEYLEN.
--

Fixes-commit: 44676819f2873705b78849e7b2fd22214b691642
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-03 11:21:10 +02:00
Werner Koch
44676819f2
sm: Create ECC certificates with AKI and SKI by default.
* sm/certreqgen.c (create_request): Create AKI and SKI by default.
--
GnuPG-bug-id: 4098

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-19 14:30:24 +02:00
Werner Koch
6dc3846d78
sm: Support creation of EdDSA certificates.
* sm/misc.c (transform_sigval): Support EdDSA.
* sm/certreqgen.c (create_request): Support EdDSA cert creation.
* sm/certcheck.c (gpgsm_check_cert_sig): Map some ECC algo OIDs to
hash algos.
* sm/call-agent.c (struct sethash_inq_parm_s): New.
(sethash_inq_cb): New.
(gpgsm_agent_pksign): Add mode to pass plain data for EdDSA.
--

Tested using a parameter file

    Key-Type: EdDSA
    Key-Length: 1024
    Key-Grip: 09D9AE3D494F7888C93BE5106AD8A734A87617F0
    Key-Usage: sign
    Serial: random
    Name-DN: CN=dummy test ed25519

where the keygrip is from a gpg generated Ed25519 key.  ECDSA was
tested using

    Key-Type: ECDSA
    Key-Length: 1024
    Key-Grip: 8E06A180EFFE4C65B812150CAF19BF30C0689A4C
    Key-Usage: sign
    Serial: random
    Name-DN: CN=dummy test nistp256

and RSA using

    Key-Type: RSA
    Key-Length: 2048
    Key-Grip: C6A6390E9388CDBAD71EAEA698233FE5E04F001E
    Key-Usage: sign
    Serial: random
    Name-DN: CN=dummy test rsa

The command used in all cases is

  gpgsm -v --gen-key --batch  a.parm >a.crt
  gpgsm -v --import <a.crt

More support, in particular in the user interface, is required and
will follow soon.

GnuPG-bug-id: 4888
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-18 19:32:30 +02:00
Werner Koch
b1694987bb
sm: Support import and verification of EdDSA certificates.
* sm/certdump.c (gpgsm_get_serial): New.
* sm/certcheck.c (gpgsm_check_cert_sig): Support EdDSA signatures.
--

Note that this does not work with the self-signed RFC-8410 sample
certificate; see the code for comments.

The Ed488 case has not been tested due to a lack of support in
Libgcrypt.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-13 21:22:28 +02:00
Werner Koch
f44d395bdf
sm: Support signing using ECDSA.
* sm/gpgsm.h (struct certlist_s): Add helper field pk_algo.
* sm/sign.c (gpgsm_sign): Store the public key algo.  Take the hash
algo from the curve.  Improve diagnostic output in verbose mode.
--

GnuPG-bug-id: 4098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-11 18:41:21 +02:00
Werner Koch
68b857df13
sm: Allow decryption using dhSinglePass-stdDH-sha1kdf-scheme.
* sm/decrypt.c (ecdh_decrypt): Support
dhSinglePass-stdDH-sha1kdf-scheme.  Factor key derive code out to ...
(ecdh_derive_kek): new global function.  Allow for hashs shorter than
the key.
(hash_ecc_cms_shared_info): Make file-only.
* sm/encrypt.c (ecdh_encrypt): Replace derive code by a call to the
new ecdh_derive_kek.  Add test code to create data using
dhSinglePass-stdDH-sha1kdf-scheme.
* sm/gpgsm.h (opt): Add member force_ecdh_sha1kdf.
* sm/gpgsm.c: Add option --debug-force-ecdh-sha1kdf.
--

I did some test against

  Governikus_Signer:       2.9.2.0
  MCard security Provider: 2.4.0
  Algorithm catalog from:  05.12.2019

using a Signature Card v2.0 and a nistp256 certificate.  Encrypting
with Governikus used the stdDH-sha1kdf scheme which we can now
decrypt.  Encrypting with GPGSM uses for that curve the recommended
scheme sha256kdf but Governikus was not able to decrypt this (no
usable error message).  Encrypting using stdDH-sha1kdf with GPGSM by
using the new --debug-force-ecdh-sha1kdf option showed that
Governikus was able to decrypt this.

FWIW: RFC5753 (Use of Elliptic Curve Cryptography (ECC) Algorithms)
has this requirement:

   Implementations that support EnvelopedData with the
   ephemeral-static ECDH standard primitive:

   - MUST support the dhSinglePass-stdDH-sha256kdf-scheme key
     agreement algorithm, the id-aes128-wrap key wrap algorithm, and
     the id-aes128-cbc content encryption algorithm; and

which Governikus seems not to fulfill.

GnuPG-bug-id: 4098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-08 18:08:50 +02:00
Werner Koch
439c9b5cb5
sm: Print algorithm infos in data decryption mode.
* common/sexputil.c (cipher_mode_to_string): New.
* sm/decrypt.c (prepare_decryption): Show cipher algo and mode.
(gpgsm_decrypt): Show key algo and fingerprint

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-08 15:21:51 +02:00
Werner Koch
34b628db46
sm: Cleanup the use of GCRY_PK_ECC and GCRY_PK_ECDSA.
* common/sexputil.c (pubkey_algo_to_string): New.
* sm/certcheck.c (do_encode_md): Replace GCRY_PK_ECDSA by GCRY_PK_ECC.
* sm/certreqgen-ui.c (check_keygrip): Add all ECC algorithms.
* sm/gpgsm.c (our_pk_test_algo): Also allow EdDSA.
* sm/verify.c (gpgsm_verify): Map ECC algo to ECDSA.  Use new pubkey
algo name function

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-08 15:10:13 +02:00
Werner Koch
a759fa963a
sm: Improve readability of the data verification output.
* sm/verify.c (gpgsm_verify): Print the used algorithms.
--

Note that we now use the full fingerprint instead of the certificate
id.  This better aligns with what we do in gpg.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-08 13:42:51 +02:00
Werner Koch
549998d1d0
sm: Fix annoying warning about not yet implemented --attribute.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-07 14:04:43 +02:00
Werner Koch
5c29d25e6c
sm: Print the key types as standard key algorithm strings.
* sm/fingerprint.c (gpgsm_get_key_algo_info): Factor code out to ...
(gpgsm_get_key_algo_info2): new.
(gpgsm_pubkey_algo_string): New.
* sm/keylist.c (list_cert_colon): Put curve into field 17
(list_cert_raw): Print the unified key algotithm string instead of the
algo and size.
(list_cert_std): Ditto.
--

It is important to known whether a 256 bit ECC uses a NIST or a
Brainpool curve.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-07 09:45:49 +02:00
Werner Koch
ee6d29f179
sm: Support decryption of ECDH data using a smartcard.
* sm/decrypt.c (ecdh_decrypt): Add arg nbits and detect bare secret.
(prepare_decryption): Add arg nbits and pass on.
(gpgsm_decrypt): Pass size of curve to prepare_decryption.
--

GnuPG-bug-id: 4098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-07 08:03:26 +02:00
Werner Koch
d5051e31a8
sm: Support encryption using ECDH keys.
* sm/decrypt.c (hash_ecc_cms_shared_info): Make global.
* sm/encrypt.c (ecdh_encrypt): New.
(encrypt_dek): Add arg PK_ALGO and support ECDH.
(gpgsm_encrypt): Pass PK_ALGO.
--

Note: This has only been tested with a messages created and decrypted
by GnuPG.

GnuPG-bug-id: 4098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-04 14:58:37 +02:00
Werner Koch
9bc9d0818b
doc: Typo fixes in code comments
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-04 14:55:34 +02:00
Werner Koch
5da6925a33
sm: Add support to export ECC private keys.
* sm/minip12.c [TEST]: Remove test code.  Include util.h, tlv.h. and
openpgpdefs.h.  Remove the class and tag constants and replace them by
those from tlv.h.
(builder_add_oid, builder_add_mpi): New.
(build_key_sequence): Rename to ...
(build_rsa_key_sequence): this.
(build_ecc_key_sequence): New.
(p12_build): Call RSA or ECC builder.
(p12_raw_build): Ditto.
* sm/export.c (gpgsm_p12_export): Use correct armor header for ECC.
(sexp_to_kparms): Support ECC.

* sm/t-minip12.c: New to replace the former TEST code in minip12.h.
--

GnuPG-bug-id: 4921
2020-04-27 19:54:39 +02:00
Werner Koch
c03f80dc19
sm: Minor debug output format changes.
--
2020-04-23 10:00:18 +02:00
Werner Koch
95d83cf906
sm: Support decryption of ECDH data.
* sm/decrypt.c: Include tlv.h.
(string_from_gcry_buffer): New.
(hash_ecc_cms_shared_info): New.
(ecdh_decrypt): New.
(prepare_decryption): Support ECDH.  Add arg pk_algo.
(gpgsm_decrypt): Lift some variables from an inner code block.
--

Note: This has only been tested with a single messages created by
OpenSSL and taken from the Mozilla bug tracker.  In particular the
code to included UserKeyingMaterial (ukm) has not been tested.

GnuPG-bug-id: 4098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-23 09:59:13 +02:00
Werner Koch
8dfef5197a
sm: Support import of PKCS#12 encoded ECC private keys.
* sm/minip12.c: Include ksba.h.
(oid_pcPublicKey): New const.
(parse_bag_data): Add arg 'r-curve'.  Support parsing of ECC private
keys.
(p12_parse): Add arg 'r_curve'.
* sm/import.c (parse_p12): Support ECC import.
--

GnuPG-bug-id: 4921
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 21:05:39 +02:00
Werner Koch
a6d2f31337
sm: Replace some debug message by log_error or log_info
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-21 21:05:32 +02:00
Werner Koch
bbb7edb880
sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.
* sm/certchain.c (find_up): Disable external lookups in offline mode.
Always allow AKI lookup if CRLs are also enabled.
--

GnuPG-bug-id: 4898
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 19:05:49 +02:00
Werner Koch
f5efbd5a11
sm: Lookup missing issuers first using authorityInfoAccess.
* sm/call-dirmngr.c (gpgsm_dirmngr_lookup): Add optional arg URL and
adjust all callers.
* sm/certchain.c (oidstr_caIssuers): New.
(struct find_up_store_certs_s): Add additional fields.
(find_up_store_certs_cb): Store the fingerprint.
(find_up_via_auth_info_access): New.
(find_up): Try the AIA URI first.
--

Note that --auto-issuer-key-retrieve is required to use that.

GnuPG-bug-id: 4898
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 18:03:13 +02:00
Werner Koch
c0d5c67354
sm,dirmngr: Restrict allowed parameters used with rsaPSS.
* sm/certcheck.c (extract_pss_params): Check the used PSS params.
* dirmngr/crlcache.c (finish_sig_check): Ditto.
* dirmngr/validate.c (check_cert_sig): Ditto.
--

GnuPG-bug-id: 4538

# ------------------------ >8 ------------------------
See
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 11:06:59 +02:00
Werner Koch
6c28d9343e
sm: Support rsaPSS verification also for CMS signatures.
* sm/certcheck.c (gpgsm_check_cert_sig): Factor PSS parsing out to ...
(extract_pss_params): new.
(gpgsm_check_cms_signature): Implement PSS.
--

GnuPG-bug-id: 4538
2020-04-14 15:46:04 +02:00
Werner Koch
ba34f14153
dirmngr: Support rsaPSS also in the general validate module.
* dirmngr/validate.c (hash_algo_from_buffer): New.
(uint_from_buffer): New.
(check_cert_sig): Support rsaPSS.
* sm/certcheck.c (gpgsm_check_cert_sig): Fix small memory leak on
error.
--

Yes, I know that there is a lot of code duplication.  In fact some of
the code is ugly and it would be better if we enhance Libgcrypt to
guarantee that returned memory buffers via gcry_sexp_extract_param are
allways Nul terminated and we should also enhance that function to
directly extract into an unsigned int or char *.

GnuPG-bug-id: 4538
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-09 13:05:55 +02:00