1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-10 21:38:50 +01:00
Commit Graph

678 Commits

Author SHA1 Message Date
NIIBE Yutaka
e769609cd3 scd: Allow KEYGRIP as KEYIDSTR.
* scd/app-openpgp.c (struct app_local_s): Add keygrip_str.
(store_keygrip): New.
(read_public_key): Call store_keygrip to hold keygrip.
(get_public_key): Likewise.
(send_keypair_info): Use stored keygrip_str.
(check_keyidstr): Allow use of KEYGRIP.
(do_check_pin): Allow use of KEYGRIP of signing slot.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-04-23 10:51:01 +09:00
NIIBE Yutaka
b0f0791e4a scd: Factor out a function to check keyidstr.
* scd/app-openpgp.c (check_keyidstr): New.
(do_sign, do_auth, do_decipher, do_check_pin): Use check_keyidstr.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-04-22 20:34:36 +09:00
Werner Koch
958172cc3a
scd:piv: Fix RSA decryption.
* scd/app-piv.c (do_decipher): Fixup leading zero byte.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-04-04 12:52:09 +02:00
NIIBE Yutaka
f1cf799a37 scd: Better handling of timeout and time extension.
* scd/ccid-driver.c (CCID_CMD_TIMEOUT_LONGER): Remove.
(ccid_transceive): Don't use x4 blindly for bBWI, but use dynamically
determined value.  Use value from variable wait_more for bulk_in.
Set wait_more by the value of time extension request.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-04-04 15:58:21 +09:00
Werner Koch
679b8f1c04
scd: New options --info and --info-only for READKEY.
* scd/command.c (cmd_readkey): New options --info and --info-only.
* scd/app.c (app_readkey): New arg 'flags'.
* scd/app-common.h (APP_READKEY_FLAG_INFO): New.
(struct app_ctx_s): New args 'ctrl' and 'flags' for member readkey.
Change all implementers.
* scd/app-nks.c (do_readkey): Stub implementation of
APP_READKEY_FLAG_INFO.
* scd/app-openpgp.c (do_readkey): Implement APP_READKEY_FLAG_INFO.
* scd/app-piv.c (do_readkey): Ditto.
--

This feature allows to quickly get the keygrip and in most cases also
the usage flags for one specific keyref.  Example:

 <- readkey --info-only  PIV.9D
 -> S KEYPAIRINFO FC6061FB457224370B85C6F34DD56CD29E669620 PIV.9D e
 -> OK

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-04-03 17:31:39 +02:00
Werner Koch
2b1135cf92
scd: New standard attributes $ENCRKEYID and $SIGNKEYID.
* g10/call-agent.c (agent_scd_keypairinfo): Use --keypairinfo.
* sm/call-agent.c (gpgsm_agent_scd_keypairinfo): Ditto.
* scd/app-openpgp.c (do_getattr): Add attributes "$ENCRKEYID" and
"$SIGNKEYID".
* scd/app-piv.c (do_getattr): Ditto.
--

We already have $AUTHKEYID to locate the keyref of the key to be used
with ssh.  It will also be useful to have default keyref for
encryption and signing.  For example, this will allow us to repalce
the use of "OPENPGP.2" by a app type specific keyref.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-04-03 13:16:22 +02:00
Werner Koch
97feef8ee9
scd: New option --application-priority.
* scd/scdaemon.c (oApplicationPriority): New.
(opts): Add "application_priority".
(main): Process option.
* scd/app.c (app_update_priority_list): New.
(get_supported_applications): Take apps from global list.

* tools/gpgconf-comp.c (gc_options_scdaemon): Add option.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-28 17:38:05 +01:00
Werner Koch
5a3055eb72
scd: Support reading the Yubikey 4 firmware version.
* scd/app.c (app_new_register): Detect yk4 version numbers.
--

Having the version of the yubikey is important to select which other
methods can be used with a Yubikey.  Note that we do not detect the
formfactor of a Yubikey 4 and instead use 0 for our serial number
prefix.  This does not affect app-openpgp becuase there we use the app
specific serial number.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-27 17:35:50 +01:00
Werner Koch
5a96db65e5
doc: Add a spec comment to app-piv.c
--
2019-03-22 12:29:02 +01:00
Werner Koch
393269948c
scd: Refactor the app selection code.
* scd/app.c (app_priority_list): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-22 09:44:04 +01:00
NIIBE Yutaka
f199b627ce Fix the previous commit.
* g10/ecdh.c (kek_params_table): Revert the change.
* scd/app-openpgp.c (ecdh_params): Use CIPHER_ALGO_AES256
for 384-bit key.

--

Avoiding CIPHER_ALGO_AES192 is intentional here.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-03-14 08:23:38 +09:00
NIIBE Yutaka
af3efd149f g10: Fix symmetric cipher algo constant for ECDH.
* g10/ecdh.c (kek_params_table): Use CIPHER_ALGO_AES192 for
ECC strength 384, according to RFC-6637.

--

Reported-by: Trevor Bentley
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-03-13 09:12:14 +09:00
Werner Koch
8d4af54ddd
card: Print card version. Check for bad Yubikeys.
* scd/app.c (app_new_register): Set card version for Yubikeys.
(app_write_learn_status): Print CARDVERSION and APPVERSION.
* tools/card-call-scd.c (learn_status_cb): Detect them.
* tools/gpg-card.h (struct card_info_s): Add appversion and
cardversion.
* tools/gpg-card.c (list_openpgp): Remove version printing from serial
number.
(print_a_version): New.
(list_card): Print card and app version.
(cmd_generate): Do not allow broken Yubikeys.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-05 17:40:08 +01:00
Werner Koch
64caa6a082
scd: Rename a shared info field name.
* scd/app-piv.c (app_select_piv):
* scd/app-common.h (struct app_ctx_s): Rename 'card_version' to
'cardversion'.  Rename all users.  Add 'appversion'.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-05 17:17:39 +01:00
Werner Koch
e897e1e255
scd:piv: Implement import of private keys for Yubikeys.
* scd/app-piv.c (concat_tlv_list): Add arg 'secure' and adjust
 callers.
(writekey_rsa, writekey_ecc): New.
(do_writekey): New.
(do_writecert): Provide a better error message for an empty cert.
(app_select_piv): Register do_writekey.
* scd/iso7816.c (iso7816_send_apdu): New.
* scd/app-common.h (APP_WRITEKEY_FLAG_FORCE): New.
* agent/command.c (cmd_keytocard): Make the timestamp optional.
* tools/card-call-scd.c (inq_writekey_parms): Remove.
(scd_writekey): Rewrite.
* tools/gpg-card.c (cmd_writekey): New.
(enum cmdids): Add cmdWRITEKEY.
(dispatch_command, interactive_loop): Call cmd_writekey.
--

This has been tested with gpgsm and RSA keys.  For ECC keys only
partly tested using the sample OpenPGP nistp256 and nistp384 keys
because gpgsm does not yet support ECC certificates and thus we can't
write the certificates to the cert object after a writekey.  Note that
they nevertheless show up in "gpgcard list" because gpg-card searches
for them in gpg and gpgsm.  However, this does not work completely.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-05 15:49:20 +01:00
Werner Koch
51df13d9ec
scd:piv: Add feature to read Yubikey attestation certificates.
* scd/app-piv.c (do_readcert): Add hack to read Yubikey attestaions.
--

Use
  gpg-card 'readcert PIV.ATST.9A >x.crt'
to store the attestation certificate for 9A into X.CRT.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-01 14:04:29 +01:00
Werner Koch
696d4c290d
scd:piv: Allow writecert to only write matching certs.
* scd/app-piv.c (do_readkey): Read the key from the cert here instead
of letting the upper layer do this.
(do_writecert): Check that the cert matches the key and that a key has
already been generated.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-01 12:58:56 +01:00
Werner Koch
c2235d994d
scd: Simplify the app_readkey parameters.
* scd/app-help.c (app_help_pubkey_from_cert): New.
* scd/command.c (cmd_readkey): Refactor to use that new function and
handle the --advanced flag only here.
* scd/app.c (app_readkey): Remove parm advanced.
* scd/app-common.h (struct app_ctx_s): Remove parm advanced from the
readkey member.
* scd/app-nks.c (do_readkey): Adjust for removed parm.
* scd/app-piv.c (do_readkey): Ditto.
* scd/app-openpgp.c (do_readkey): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-26 17:01:46 +01:00
Werner Koch
a481d17432
scd: PIV: Always require a PIN for signing with 9C.
* scd/app-piv.c (verify_chv): Add arg 'force'.
(do_sign): Use force for 0x9c.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-25 11:29:54 +01:00
NIIBE Yutaka
611faf1579 scd: internal driver: Submit SET_INTERFACE control transfer.
* scd/ccid-driver.c (ccid_open_usb_reader): Alway submit SET_INTERFACE
control transfer.

--

This handling is not mondatory, but it's better to do so, because
there are card reader with pinpad and token with ack button, which
support user interaction.

User interaction status should be reset at open time.  The status
should be reset when the session is closed/stopped.  In practice,
since cleanup routine in a driver may not be called properly, it's
good to submit SET_INTERFACE at open time.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-22 20:05:09 +09:00
Werner Koch
5e21ef2d55
scd: Extend KEYPAIRINFO by key usage info.
* scd/app-openpgp.c (send_keypair_info): Append usage string.
* scd/app-piv.c (struct data_object_s): Remove column 'binary'.  Add
column 'usage'.
(dump_all_do): Adjust for removed 'binary'.
(send_keypair_and_cert_info): Append usage string.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 12:41:10 +01:00
Werner Koch
5ecc7a0260
scd: Don't let the "undefined" app cause a conflict error.
* scd/app.c (check_conflict): Ignore "undefined".

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-21 08:51:53 +01:00
NIIBE Yutaka
2013cb5ee6 scd: Clear CHV status on timeout error.
* scd/app-openpgp.c (clear_chv_status): New.
(do_change_pin): Use clear_chv_status.
(do_sign): Call clear_chv_status on GPG_ERR_TIMEOUT.
(do_auth, do_decipher): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-21 15:50:43 +09:00
NIIBE Yutaka
bd15aa34ab scd: Handle ack button timeout as GPG_ERR_TIMEOUT.
* scd/apdu.h (SW_ACK_TIMEOUT): New.
* scd/iso7816.c (map_sw): Return GPG_ERR_TIMEOUT for SW_ACK_TIMEOUT.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-21 15:16:11 +09:00
Werner Koch
43b14b4cc2
scd: Implement decryption for PIV cards.
* scd/app-piv.c (do_decipher): New.
--

Note that ECDH decryption has not been tested due to the lack of ECC
support in gpgsm.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-11 15:32:54 +01:00
Werner Koch
b283869440
scd: For PIV cards used NO_AUTH instead of BAD_PIN.
* common/util.h (GPG_ERR_NO_AUTH, GPG_ERR_BAD_AUTH): Add replacement
codes for gpgrt < 1.36.
* scd/app-piv.c (auth_adm_key):
(do_genkey, do_writecert): Use better error codes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-11 09:07:54 +01:00
Werner Koch
53beea56af
scd: Implement RSA signing for PIV cards.
* scd/app-piv.c (concat_tlv_list): New.
(get_key_algorithm_by_dobj): Rename args for clarity.
(do_auth): factor all code out to ...
(do_sign): new.  Implement RSA signing.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 17:03:32 +01:00
Werner Koch
b349adc5c0
scd: Allow generating ECC curves on PIV cards.
* scd/app-piv.c (genkey_parse_ecc): New.
(get_keygrip_by_tag): Call that one.
(do_readkey): Call that one.
* scd/command.c (cmd_genkey): Add option --algo.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-08 11:53:34 +01:00
Werner Koch
5bf1212000
scd: Store a new PIV public key in the certificate DO.
* scd/app-piv.c (struct genkey_result_s): Remove type and all users.
(send_keypair_and_cert_info): Print certinfo only if we got a cert..
(readcert_by_tag): Add arg r_mechanism and implement reading of public
keys.
(get_keygrip_by_tag): Use a public key to compute the keygrip.
(do_readcert): Make sure to only return a certificate.
(do_readkey): Read public key from the DO if a certificate is missing.
(get_key_algorithm_by_dobj): Get the algorithm also from a public key.
(does_key_exist): String changes.
(do_genkey): Remove result caching and store public key in the DO.
--

This removes the result cache and instead stores the public key in the
certificate object.  This allows to properly list public keys at any
time after generating a key and before a new certificate is stored
there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-07 16:14:09 +01:00
Werner Koch
fcec5b40e5
card: Support reading and writing PIV certificates
* scd/app-piv.c (add_tlv): New.
(put_data): New.
(do_writecert): New.
(do_setattr): Remove usused special mode 0.
* tools/gpg-card-tool.c (cmd_writecert): Allow other cards than
OPENPGP.
(cmd_readcert): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-07 11:05:22 +01:00
Werner Koch
b5b1f72158
scd: Add genkey command to app-piv (rsa-only)
* scd/app-piv.c (struct genkey_result_s): new.
(struct app_local_s): add member genkey_results.
(do_deinit): Free that one.
(flush_cached_data): Extend to delete all items.
(keyref_from_dobj): New.
(do_readkey): New.
(do_auth): Use keyref_from_dobj.
(does_key_exist): New.
(genkey_parse_rsa): New.
(do_genkey): New.
--

We need to extend the GENKEY in command.c to support other algos.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-06 20:47:07 +01:00
Werner Koch
9a9cb0257a
scd: Make app_genkey and supporting ISO function more flexible.
* scd/app.c (app_genkey): Add arg keytype.
* scd/app-common.h (struct app_ctx_s): Fitto for the genkey member.
* scd/command.c (cmd_genkey): Adjust for change.
* scd/iso7816.c (do_generate_keypair): Replace arg read_only by new
args p1 and p2.
(iso7816_read_public_key): Adjust for this.
(iso7816_generate_keypair): Add new args p1 and p2.
* scd/app-openpgp.c (do_genkey): Adjust for changes.
--

The OpenPGP card creates keys according to parameters read from a data
object.  Other cards we are about to implement require a direct
specification of the requested keytype.  This patch implements the
required changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-06 14:07:42 +01:00
Werner Koch
c26af8ac26
scd: Fix parameter name of app_change_key.
* scd/app-common.h (APP_GENKEY_FLAG_FORCE): New.
* scd/app.c (app_change_pin): Rename arg reset_mode to flags and
change from int to unsigned int.
--

This is basically a documentation fix.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-06 13:08:37 +01:00
Werner Koch
e9e876cb55
scd: Implement PIN changing and unblocking for PIV cards.
* scd/app-piv.c: Some refactoring
(do_change_chv): Implement.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-06 09:46:23 +01:00
Werner Koch
3231ecdafd
scd: Allow standard keyref scheme for app-openpgp.
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
* tools/card-call-scd.c (scd_change_pin): Change API to use strings.
* tools/gpg-card-tool.c (cmd_passwd): Adjust for change.
(cmd_unblock): Ditto.
--

The generic keyref allows for better error detection in case a keyref
is send to a wrong card.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-05 15:01:45 +01:00
Werner Koch
1d57450f3e
scd: Add DES authentication for PIV card.
* scd/app-piv.c (flush_cached_data): New.
(auth_adm_key): New.
(set_adm_key): New.
(do_setattr): New.
* scd/command.c (MAXLEN_SETATTRDATA): New.
(cmd_setattr): Add an inquire option.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-31 14:26:17 +01:00
Werner Koch
79bed504e5
card: Support factory reset for Yubikey PIV application.
* scd/app-common.h (struct app_ctx_s): Add field cardtype.
* scd/app.c (app_new_register): Set cardtype for yubikey.
(app_getattr): Add CARDTYPE.
(app_write_learn_status): Emit new attribute.
* scd/app-piv.c (do_getattr): Add CHV-USAGE.
(do_learn_status): Emit it.
* tools/card-tool.h (struct card_info_s): Add field cardtype.
* tools/card-call-scd.c (learn_status_cb): Parse "CARDTYPE".

* tools/gpg-card-tool.c (list_piv): Print PIN usage policy.
(list_card): Print card type.
(cmd_factoryreset): Implement for Yubikey with PIV.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-29 13:46:52 +01:00
Werner Koch
9325c92284
card: Print keyinfo for PIV cards.
* scd/app-piv.c (do_learn_status): Print CHV-STATUS.
* tools/card-tool.h (struct card_info_s): Rename chvretry to chvinfo.
* tools/card-call-scd.c (learn_status_cb): Depend CHV-STATUS on app
type.
* tools/gpg-card-tool.c (list_piv): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-29 09:32:20 +01:00
Werner Koch
0415b80227
scd: Improve app selection for app "undefined".
* scd/app.c (app_new_register): Don't bail out early in undefined
mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-25 19:12:32 +01:00
Werner Koch
c9f4c1f0de
scd: Fix flushing of CA-FPR data objects
* scd/app-openpgp.c (do_setattr): Add new table item to flush a
different tag.

--

For whatever reasons the OpenPGP card reads the 3 CA fingerprints from
one object but sets them individually using 3 different tags.  The
cache flushing was not prepared for this and so a changed CA
fingerprint showed only up after a card reset.  This patch fixes it.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-25 09:38:44 +01:00
NIIBE Yutaka
fec75a3868 scd: Support PASSWD --clear for OpenPGP card.
* scd/app-openpgp.c (do_change_pin): Implement handling
APP_CHANGE_FLAG_CLEAR.

--

It is specified in the specification version 3.1 or later.  Some
version 2 cards (including Gnuk) support this feature.  Any version 1
card has no support for this feature.

For CHVNO = 1, it clears for both of 81 and 82; That is, user's key
usages for signing and others (decryption and auth).
For CHVNO = 3, it clears for 83, admin key.

For CHVNO = 2, it clears 82; That is, user's key usages
others (decryption and auth).

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-01-23 12:12:54 +09:00
Werner Koch
fa9d703de5
scd: Support CHV-STATUS and CHECKPIN for PIV.
* scd/app-piv.c (parse_pin_keyref): New.
(get_chv_status): New.
(do_getattr): Add name CHV-STATUS.
(verify_pin): Add arg keyref to support other PINs.
(do_change_pin): New.  Right now limited to --clear.
(do_check_pin): New.
(app_select_piv): Register new commands.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-21 15:01:45 +01:00
Werner Koch
29929e6552
scd: Add option --clear to PASSWD.
* scd/command.c (cmd_passwd): Add option --clear.
(send_status_printf): New.
* scd/app-common.h (APP_CHANGE_FLAG_CLEAR): New.
* scd/app-nks.c (do_change_pin): Return an error if that option is
used.
* scd/app-openpgp.c (do_change_pin): Ditto.
--

Card application may support this option to clear the PIN verification
status of a specific PIN.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-21 14:06:51 +01:00
Werner Koch
ec56996029
scd: Add very basic support for PIV cards.
* scd/app-piv.c: New.
* scd/Makefile.am (card_apps): Add app-piv.c
* scd/app.c (app_new_register): Try to get a Yubikey serial number.
Detect the PIV application.
(get_supported_applications): Add "piv".
--

Right now this allows the use of the authentication key (9A) for SSH
authentication.  More support will follow soon.

Tested with Yubikey-5.
2019-01-20 11:45:57 +01:00
Werner Koch
70bb5c7931
scd: One new and one improved 7816 function.
* scd/apdu.c (apdu_send_direct): New arg R_SW.
* scd/command.c (cmd_apdu): Ditto.
* scd/iso7816.c (iso7816_apdu_direct): New arg R_SW.
(iso7816_general_authenticate): New.
* scd/app-nks.c (get_chv_status, get_nks_version): Pass NULL for new
arg.
--

iso7816_general_authenticate will be used for the PIV card support.
The new arg to iso7816_apdu_direct and apdu_send_direct allows to get
the raw status word back without the need to handle an output buffer.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-20 11:41:23 +01:00
NIIBE Yutaka
5ab3bc422a scd: Fix for USB INTERRUPT transfer.
* scd/ccid-driver.c (intr_cb): When LIBUSB_TRANSFER_NO_DEVICE,
just handle this event as failure.

--

It used to try another interrupt transfer request to make sure
if it fails again.

GnuPG-bug-id: 4308
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-01-07 14:08:51 +09:00
Werner Koch
405feca2bd
scd: Add two variants to the set of ISO7816 functions.
* scd/iso7816.c (iso7816_select_application_ext): New.
(iso7816_get_data_odd): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-03 15:18:15 +01:00
Werner Koch
cca2b87e79
scd: Support "READKEY --advanced" for all cards.
* scd/command.c (cmd_readkey): Reformat for advanced mode.
--

The --advanced option used to work only if the driver supported that
but not if we extracted the public key from an x.509 certificate.
This patch fixes that.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-03 15:17:04 +01:00
Werner Koch
3d766924b4
doc: Typo fix in code comment
--
2019-01-02 16:15:25 +01:00
NIIBE Yutaka
e6b7e0ff99 scd: Fix description string.
* scd/app-openpgp.c (data_objects): Capitalize the word for usage.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-12-18 10:26:57 +09:00