1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-11 21:48:50 +01:00
Commit Graph

965 Commits

Author SHA1 Message Date
Werner Koch
e387cc97c8
scd:p15: Prepare AODF parsing for other authentication types.
* scd/app-p15.c (auth_type_t): New.
(struct aodf_object_s): Add field auth_type.
(read_ef_aodf): Distinguish between pin and authkey types.  Include
the authtype in the verbose mode diags.
--

Note that the bulk of chnages are just indentation chnages.  There
should be no functional change.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-22 11:11:46 +02:00
Werner Koch
029924a46e
scd:p15: Add pre-check for ascii-numeric PINs.
* scd/app-p15.c (verify_pin): acii-numerix is different than BCD.
2021-06-18 18:02:08 +02:00
Werner Koch
544ec7872a
scd:p15: Add basic support for AET JCOP cards.
* scd/app-p15.c (CARD_TYPE_AET): New.
(cardtype2str): Add string.
(card_atr_list): Add corresponding ATR.
(app_local_s): New flag no_extended_mode.  Turn two other flags into
bit flags.
(select_ef_by_path): Hack to handle the 3FFF thing.
(readcert_by_cdf): Do not use etxended mode for AET.
(app_select_p15): Set no_extended_mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
Werner Koch
7a8545c91b
scd:p15: Handle cards with bad encoded path objects.
* scd/app-p15.c (read_ef_prkdf, read_ef_pukdf)
(read_ef_cdf, read_ef_aodf): Allow for a zero length path and
correctly skip unsupported auth types.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
Werner Koch
44f977d0e3
scd: Improve reading of binary records.
* scd/iso7816.c (iso7816_read_binary_ext): Handle the 0x6a86 SW the
same as 6b00.
* scd/apdu.c (apdu_get_atr): Modify debug messages.
* scd/app-p15.c (app_select_p15): Print FCI on error.
(read_p15_info): Clean up diag in presence of debug options.
--

Some cards return 6a86 instead of 6b00.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
NIIBE Yutaka
7718244168 scd: Fix RESET handling.
* scd/app.c (scd_update_reader_status_file): Clear ->reset_requested.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-17 16:07:09 +09:00
NIIBE Yutaka
4e02db75e3 scd: Support clearing of Reset Code by ''.
* scd/app-openpgp.c (do_change_pin): Allow null-string.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 13:42:01 +09:00
Werner Koch
cd53c6d0f3
scd: Add new card vendor.
--
2021-06-10 21:55:36 +02:00
NIIBE Yutaka
c3a9ee0b65 scd: Fix serial number detection for Yubikey 5.
* scd/app.c (app_new_register): Handle serial number correctly.

--

GnuPG-bug-id: 5442
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-08 10:37:48 +09:00
NIIBE Yutaka
ee5b6af370 scd: Fix READER-PORT option handling for PC/SC.
* scd/apdu.c (apdu_open_reader): READERNO should be -1 when
READER-PORT is specified for PC/SC.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-07 11:38:25 +09:00
NIIBE Yutaka
5b1806454c scd: Fix zero-byte handling in ECC.
* scd/app-openpgp.c (ecc_writekey): Don't remove zero-byte.

--

Fixes-commit: a25c99b156
GnuPG-bug-id: 5163
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-28 11:34:56 +09:00
Jakub Jelen
27e7bde12e
scd: avoid memory leaks
* scd/app-p15.c (send_certinfo): free labelbuf
  (do_sign): goto leave instead of return
* scd/app-piv.c (do_sign): goto leave instead of return, fix typo in
  variable name, avoid using uninitialized variables
* scd/command.c (cmd_genkey): goto leave instead of return

--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5393
2021-05-20 14:48:18 +02:00
Ingo Klöcker
65bc5ea95e scd:p15: Fix logic for appending product name to MANUFACTURER.
* scd/app-p15.c (do_getattr): Append product name to MANUFACTURER if
manufacturer_id does not already contain a bracket and if we have a
product name.
2021-05-18 09:45:06 +02:00
NIIBE Yutaka
58b330e935 scd: Remove wrong assertion and add protection to PCSC.COUNT.
* scd/apdu.c (apdu_dev_list_finish): Fix for calling
release_pcsc_context.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-14 13:06:10 +09:00
Werner Koch
965bb0693c
A few minor code cleanups and typo fixes.
* agent/command-ssh.c (ssh_handler_request_identities): Remove double
check of ERR.
* g10/getkey.c (get_pubkey_byname): Remove double use of break.
* g10/pkglue.c (pk_encrypt): Handle possible NULL-ptr access due to
failed malloc.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-11 09:06:34 +02:00
NIIBE Yutaka
32baa9acfb scd: Serialize READER_TABLE access for PC/SC.
* scd/apdu.c (apdu_dev_list_start): Remove locking READER_TABLE_LOCK.
Don't increment PCSC.COUNT here.
(apdu_dev_list_finish): Don't decrement PCSC.COUNT here.
(apdu_open_reader): Protect access with READER_TABLE_LOCK.

--

GnuPG-bug-id: 5416
Fixes-commit: 8d81fd7c01
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-11 10:25:12 +09:00
NIIBE Yutaka
ec5591dc4e scd: Fix close_pcsc_reader.
* scd/apdu.c (close_pcsc_reader): Don't touch .RDRNAME field.
(apdu_dev_list_finish): Clear .RDRNAME field and replace call of
close_pcsc_reader by release_pcsc_context.  Add assertion.

--

GnuPG-bug-id: 5416
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-10 10:49:21 +09:00
NIIBE Yutaka
cccc9bd5db scd: Make sure releasing PC/SC context.
* scd/apdu.c (release_pcsc_context): New.
(close_pcsc_reader): Use release_pcsc_context.  Add assertion.
(apdu_dev_list_start): Replace call of close_pcsc_reader
into release_pcsc_context, add condition.

--

GnuPG-bug-id: 5416
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-10 10:31:08 +09:00
NIIBE Yutaka
0498ea8fbd scd: Increment PCSC.COUNT correctly.
* scd/apdu.c (open_pcsc_reader): PCSC.COUNT should
be incremented before possible call of close_pcsc_reader.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 11:25:20 +09:00
NIIBE Yutaka
5d1b413106 scd: Fix memory leak for RDRNAME and serialize access.
* scd/apdu.c (close_pcsc_reader): Move locking to...
(apdu_close_reader): ... here, as it's also needed for CCID driver.
Free RDRNAME when closed.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 10:48:13 +09:00
NIIBE Yutaka
039aed9d40 scd: Fix declarations for PC/SC access.
* scd/apdu.c (pcsc_begin_transaction, pcsc_transmit): Use HANDLE.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 07:11:17 +09:00
NIIBE Yutaka
53bdc6288f scd: Recover the partial match for PORTSTR for PC/SC.
* scd/apdu.c (apdu_open_reader): Allow partial match of
PORTSTR again just like 2.2 does.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-06 19:08:34 +09:00
NIIBE Yutaka
d6fe82d3d1 scd: When reader is specified, make sure only open once.
* scd/apdu.c (apdu_open_reader): Make sure not to try multiple times,
when PORTSTR is specified.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-06 19:05:30 +09:00
Werner Koch
8d81fd7c01
scd: Fix PC/SC removed card problem
* scd/apdu.c (pcsc_cancel): New.
(pcsc_init): Load new function.
(connect_pcsc_card): Use it after a removed card error.
--

Well, that was easier than I expected yesterday.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 09:14:25 +02:00
Werner Koch
1f846823b3
scd:p15: Fix the name of a card.
--
2021-04-28 18:31:51 +02:00
Werner Koch
bb8e3996e4
scd: Fix problem with reader list becoming empty.
* scd/apdu.c (close_pcsc_reader): Do not decrement refcount if already
zero.  Always release context if or becomes zero.
(apdu_dev_list_start): Unlock prior to close_pcsc_reader.  For PC/SC
increment the count.  Always release the lock.
(apdu_dev_list_finish): No more unlocking.  Use close_pcsc_reader
instead of code duplication.

* scd/apdu.c (pcsc_error_string): Add an error code.
* scd/scdaemon.c (scd_kick_the_loop): Fix a diagnostic.
--

There was an obvious bug in that the pcsc.count could go below zero
and thus there was no chance to get the context release.  Releasing
and recreating the context is at least under Windows important to get
rit of the PCSC_E_SERVICE_STOPPED.

Also removes a potential problem in holding the reader_table_lock
between calls to apdu_dev_list_start apdu_dev_list_finish.  There is
no need for this.  Instead we bump the pcsc.count.

The reader_table_lock strategy should be reviewed; we may be able to
remove it.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-28 18:21:56 +02:00
Kirill Elagin
f209d7d2db scd: Fix unblock PIN by a Reset Code with KDF.
* scd/app-openpgp.c (do_change_pin): Use correct CHVNO=1 for
pin2hash_if_kdf, for user's PIN.

--

GnuPG-bug-id: 5413
Signed-off-by: Kirill Elagin <kirelagin@gmail.com>
2021-04-27 20:34:35 +09:00
Werner Koch
cc5aa68b63
scd:p15: Fix last commit and improve D-TRUST detection.
* scd/app-p15.c (read_p15_info): Improve D-TRUST card detection.
(do_getattr): Fix faulty code for the last commit.  Append the product
name to MANUFACTURER.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-25 16:35:36 +02:00
Werner Koch
21e3f750bd
scd:p15: Shorten the displayed s/n of RSCS cards
* scd/app-p15.c (get_dispserialno): Add dedicated handling for RSCS.
--

In fact we fix the display of the s/n because the s/n was taken from a
certificate.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-25 14:53:34 +02:00
Werner Koch
9e24f2a45c
scd: Fix PSO_CSV for 512 bit curves
* scd/iso7816.c (iso7816_pso_csv): Use BER-TLV instead of SIMPLE-TLV

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-22 11:04:30 +02:00
Werner Koch
45918813f0
Support log-file option from common.conf for all daemon.
* agent/gpg-agent.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* dirmngr/dirmngr.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* kbx/keyboxd.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* scd/scdaemon.c: Include comopt.h.
(main): Read log-file option from common.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-20 10:50:10 +02:00
Werner Koch
30f90fc857
scd:p15: Support attribute KEY-FPR.
* scd/app-p15.c: Include openpgpdefs.h.
(struct prkdf_object_s): Add fields have_keytime and ecdh_kdf.
(read_p15_info): Set ecdh_kdf.
(keygrip_from_prkdf): Flag that we have the keytime.
(send_keypairinfo): Send the key time only if valid.
(send_key_fpr_line): New.
(send_key_fpr): New.
(do_getattr): Add KEY-FPR.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-16 12:49:37 +02:00
Jakub Jelen
7cbe29c4fb scd: Fix memory leaks.
* scd/apdu.c (apdu_dev_list_start): Free DL.
* scd/app-nks.c (pubkey_from_pk_file): Fix typo in condition.

--

GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-04-13 14:21:29 +09:00
Werner Koch
ecb9265b8d
scd:p15: Match private keys with certificates also by labels.
* scd/app-p15.c (cdf_object_from_label): New.
(cdf_object_from_certid): Fallback to label matching.
(read_p15_info): Ditto.
(keygrip_from_prkdf): Ditto.  Replace duplicated code by a call to
cdf_object_from_objid.
--

In case there is no certificate for a private key we now also try to
find a certificate using a matching label.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-12 11:41:00 +02:00
Werner Koch
63320ba2f8
scd:nks: Handle APP_READKEY_FLAG_INFO.
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it.  Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--

Note that this only handles the most common case of providing a
keygrip.  $AUTHKEYID and ODLM are not yet supported.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-08 19:30:51 +02:00
Werner Koch
22fd48e48d
scd: Fix duplicate output of KEYPAIRINFO by readkey command.
* scd/app-help.c (app_help_get_keygrip_string_pk): Make HEXKEYGRIP
parm optional.
* scd/command.c (do_readkey): Remove duplicate output of keypairinfo
lines.
--

Note that this change needs a fix in app-p15 which does not yet handle
the APP_READKEY_FLAG_INFO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-08 19:27:25 +02:00
NIIBE Yutaka
ab66c43575 scd: Fix CCID driver for SCM SPR332/SPR532.
* scd/ccid-driver.c (ccid_vendor_specific_pinpad_setup): New.
(ccid_vendor_specific_setup): Only send CLEAR_HALT.
(ccid_transceive_secure): Each time, use send_escape_cmd.

--

GnuPG-bug-id: 5297
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-08 13:41:28 +09:00
Werner Koch
ff87f4e578
scd: New flag --reread for LEARN
* scd/command.c (cmd_learn): Add flag --reread.
* scd/app-common.h (struct app_ctx_s): New field need_reset.
* scd/app.c (write_learn_status_core): Set need_reset if we notice an
error after returning from a reread.  Change all callers of card
functions to return GPG_ERR_CARD_RESET so that that app is not anymore
used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 10:31:52 +02:00
Werner Koch
e17d3f8660
scd:p15: New flag APP_LEARN_FLAG_REREAD.
* scd/app-p15.c (do_deinit): Factor code out to ...
(release_lists, release_tokeninfo): new.
(read_ef_tokeninfo): Reset all data before reading.
(read_p15_info): Ditto.
(do_learn_status): Implement reread flag.
--

Objects of a card may be protected by a PIN and thus only readble
after a verify command.  This new flag makes it possible to gather the
entire PKCS#15 card info again without a need for a reset (and thus
loss of the verify status).

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 10:28:07 +02:00
Werner Koch
1c16878efd
scd: Replace all assert macros by the log_assert macro.
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-31 19:16:05 +02:00
Werner Koch
7f91263632
scd:p15: Return labels for keys and certificates.
* scd/app-p15.c (send_certinfo): Extend certinfo.
(do_getattr): Support KEY-LABEL.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 17:25:24 +02:00
Werner Koch
651c07a730
scd:p15: For CardOS make use of ISO7816_VERIFY_NOT_NEEDED.
* scd/app-p15.c (verify_pin): Take care of verify status.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 11:43:45 +02:00
Werner Koch
de4d3c99aa
scd:p15: Return the creation time of the keys.
* scd/app-p15.c (struct prkdf_object_s): Add keytime and keyalgostr.
(keygrip_from_prkdf): Set them.
(send_keypairinfo): Extend KEYPAIRINFO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 10:27:20 +02:00
Werner Koch
592f480117
scd:p15: Make RSA with SHA512 work with CardOS.
* scd/app-p15.c (do_sign): Rewrite.
--

This basically works now but for my test card I need to pass
--cert-digest-algo-512 manually.  Need to check this again and
automate it.  It will also be useful to take the NotBefore timestamp
from the dummy X.509 certificate and use that for the PGP key creation
time.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 20:36:01 +02:00
Werner Koch
a494b29af9
scd:p15: Support ECDSA and ECDH for CardOS.
* scd/iso7816.c (iso7816_pso_csv): New.
* scd/app-help.c (app_help_pubkey_from_cert): Uncompress a point if
needed.

* scd/app-p15.c (CARD_PRODUCT_RSCS): New.
(struct prkdf_object_s): Add fields is_ecc, token_label, and
tokenflags.
(do_deinit): Free new fields.
(cardproduct2str): New.
(read_ef_prkdf): Set new is_ecc flag.
(read_ef_tokeninfo): Store some data and move Tokeninfo diags to ...
(read_p15_info): here.  set the product info here after all data has
been gathered.
(send_keypairinfo): Chnage the way the gpgusage flags are used.
(make_pin_prompt): If the token has a label and the current cert has
no CN, show the label as holder info.
(do_sign): Support ECDSA.  Take care of the gpgusage flags.
(do_decipher): Support ECDH.  Take care of the gpgusage flags.
--

This has been tested with Trusted Object Manager generated cards by
Rohde & Schwarz Cybersecurity.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 14:49:08 +02:00
NIIBE Yutaka
d4e5979c63 scd: Fix PC/SC error handling at apdu_dev_list_start.
* scd/apdu.c (PCSC_E_NO_READERS_AVAILABLE): Add.
(pcsc_error_to_sw): Handle PCSC_E_NO_READERS_AVAILABLE.
(apdu_dev_list_start): Return error correctly.

--

GnuPG-bug-id: 4864
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-26 11:24:30 +09:00
Werner Koch
964363e788
scd:p15: Make $SIGNKEY et al determination more fault tolerant.
* scd/app-p15.c (do_getattr): Change how we use gpgUsage to figure out
the keys to use.
2021-03-24 12:27:36 +01:00
Werner Koch
37b1c5c200
scd:openpgp: Allow reading and writing user certs for keys 1 and 2
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--

This has been tested with a Zeitcontrol 3.4 card.  A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 18:26:03 +01:00
Werner Koch
bbdb48ec0d
scd:openpgp: Rename an internal variable.
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen.  Change users.
--

The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used.  Make this
clear by renaming.

Likewise for max_certlen_3.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 15:24:08 +01:00
Werner Koch
d5fb598323
scd:openpgp: Small speedup reading card properties.
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--

The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache.  A better strategy would be
to clear the cache when we change card data but that is more error
prone.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-19 13:43:46 +01:00