* g10/sign.c (sign_file): Use iobuf_read instead of iobuf_get for
reading data from detached file.
--
This patch reduces iobuf_read per byte processing overhead and speeds
up detached signing.
Detached signing speed on AMD Ryzen 5800X (4.3GiB file, SHA256):
gpg process
user time
before: 3.951s
after: 1.898s (2.0x faster)
GnuPG-bug-id: T5826
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Backported-from-master: f8943ce098f6f193da791faf43fff823568697d9
Numbers above are given for the version in master but should be
similar for here (2.2).
* g10/plaintext.c (do_hash): Use iobuf_read instead of iobuf_get for
reading data; Use gcry_md_write instead of gcry_md_putc for hash data.
--
This patch reduces iobuf_read per byte processing overhead and speeds
up detached signature verifying.
Detached verifying speed on AMD Ryzen 5800X (4.3GiB file, SHA256):
gpg process
user time
before: 9.410s
after: 1.913s (4.9x faster)
GnuPG-bug-id: T5826
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
(cherry picked from commit 4e27b9defc608f1fa31ca50f1ed1d5761b73b480)
* g10/mainproc.c (proc_encrypted): Set complaince_de_vs also if
require-compliance is set.
--
Without this fix require-compliance would fail if no --status-fd was
used.
* tests/gpgscm/tests.scm (open-log-file): Keep the log file in objdir.
--
Before the change, it is at ephemeral temp directory which is removed.
This is not useful at all. Possibly, it was done before the introduce
of ephemeral temp directory for each test and not changed.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tests/openpgp/issue2941.scm: Use 233.
--
On Windows machine (emulated by Wine), 23 may be valid value for
handle.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/t-session-env.c [HAVE_W32_SYSTEM] (test_all): HOME is not
defined, so, exclude the tests.
--
Backport master commit of:
b47a23f5fac551727d24f65765e21485ed2bb02c
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--
This should handle the most common case.
GnuPG-bug-id: 5085
* g10/kbnode.c (new_kbnode2): New.
* g10/import.c (delete_inv_parts): New arg r_otherrevsigs to store
misplaced revocations.
(import_revoke_cert): Allow to pass an entire list.
(import_one): Import revocations found by delete_inv_parts.
--
It might be useful to distribute revocations of old keys along with
new keys. This is in particicualrr useful for WKD stored keys. This
patch allows to put unrelated standalone revocations into a key. For
example they can simply appended to a keyblock. Right now it is a bit
inaesthetic to see diagnostics about misplaced or bad revocation
signatures.
Backported-from-master: 7aaedfb10767c74f3e6868dd1563cbbf1282ab2f
* g10/armor.c (is_armored): Add PKT_ENCRYPTED_AEAD.
--
With this fix it is now possible to feed a vanilla packet of type 20
without first forcing gpg to assume binary mode.
* g10/gpg.c (oCompatibilityFlags): New.
(opts): Add option.
(compatibility_flags): New list.
(main): Set flags and print help.
* g10/options.h (opt): Add field compatibility_flags.
--
No flags are yet defined but it is good to have the framework.
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
--
The flag was already backported to some apps but not to these.
* scd/app-nks.c (filelist): Tweak 0x4531.
--
Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.
(cherry picked from commit 3a2fb1c30633373d17880469e0b84ab2a9524585)
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--
Also added a couple of comments.
(cherry picked from commit b92b3206e72b635fd815eaf85e7acc67c2a52ffe)
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--
This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.
Note: The design of the FID cache needs to be reconsidered. Until
that the lookup here has been disabled. The do_sign code should be
revamped to be similar to what we do in app-p15.
GnuPG-bug-id: 5219, 4938, 6252
Backported-from-master: 07eaf006c2763a6b40d2734b1c6704da466e0ed0
* scd/app-nks.c (set_usage_string): New.
(do_learn_status_core, do_readkey): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/command.c (send_keyinfo): Add arg usage.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 5264d3f58e8a8362900c3518bdd683ff9a23cccc
GnuPG-bug-id: 6252
This backports only the NKS parts of the original patch
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it. Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--
Note that this only handles the most common case of providing a
keygrip. $AUTHKEYID and ODLM are not yet supported.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 63320ba2f8147ee86f4406c9590f6b28cad4771d)
* scd/app-nks.c (do_sign): Handle plain SHA-2 digests and verify
encoding of ASN.1 encoded hashes.
--
This makes it possible to create CSRs for NetKey card keys which are
signed with SHA256 by default.
GnuPG-bug-id: 5184
(cherry picked from commit 8fe976d5b9a0f2902868737dd502c749565222a6)
* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
(keygripstr_from_pk_file): Handle special value.
(do_readcert): Ditto.
(do_writecert): Ditto.
--
This allows to get information about the keys from the card. However
the do_readkey still requires a fallback to readcert. This does not
work because there are no certificates yet on the card. The fix is to
fully implement do_readkey.
(cherry picked from commit 806547d9d243b26c2275fc00c645ee39d258b49b)
* scd/app-nks.c (do_learn_status_core): Emit the algo string as part
of a KEYPAIRINFO.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache. Use a
single exit label. Set algostr.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 26da47ae53d51e16ae6867cd419ddbf124a94933
Backported-from-master: 006944b856ee2202905290e8a2f5523a7877d444
GnuPG-bug-id: 6252, 5144
This has been backported to keep this, and only this, module in sync
with master. All other changes from the original patch have been
stripped.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--
This has been backported only to make the following backpoorts easier.
The code is only used in 2.3; for details see the original commit
message.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: c1663c690b29d2dea8bc782c42de5eca08a24cc9
GnuPG-bug-id: 6252
* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
(do_readcert): Test for the app_id.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 07aef873ebc77241e9a2be225537319f6fc15a41
GnuPG-bug-id: 6252
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--
Backported-from-master: 1f6a39092fe4b5f02bc4741a0a23d102d30f4063
GnuPG-bug-id: 6252
Also not directly required for the Signature Card 2.0, it is easier to
port this patch as well.
* scd/app-nks.c (get_dispserialno): Move more to the top.
(do_getattr): Add $DISPSERIALNO and SERIALNO. Make CHV-STATUS work
with NKS15.
(verify_pin): Use dedicated min. PIN lengths.
(parse_pwidstr): Support NKS15
--
GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit aecc008acb64ebbb6c667c4a128af4e61da57f84)
* scd/app-nks.c: Major rework to support non-RSA cards.
--
This is a fist step so support this ECC card. The code has been
reworked while taking care that old cards should keep on working.
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: f05a32e5c9db7d0840c74fccc350a9e0ff5fb819
GnuPG-bug-id: 6252