aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Release 2.2.21gnupg-2.2.21Werner Koch2020-07-091-2/+10
|
* po: Auto updateWerner Koch2020-07-0925-883/+1194
| | | | --
* po: Minor update to the Hungarian translationNagy Ferenc László2020-07-091-10/+6
| | | | --
* po: Update the German translationWerner Koch2020-07-091-37/+49
| | | | | | -- Signed-off-by: Werner Koch <[email protected]>
* gpg: Print a note if no args are given to --delete-keyWerner Koch2020-07-091-1/+4
| | | | | | | | | | | | -- It is a bit surprising that nothing happens if no key is specified to --delete-key et al. Although this is common Unix behaviour the use might have expected that it behaves like --export and deletes all keys. Sure we don't do the latter, so a short notice will help. GnuPG-bug-id: 4959 Signed-off-by: Werner Koch <[email protected]>
* Do not use the pinentry's qualitybarWerner Koch2020-07-083-3/+3
| | | | | | | | | | | | | | | | * agent/genkey.c (agent_ask_new_passphrase): No qualitybar. * g10/call-agent.c (agent_get_passphrase): Ditto. * sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto. -- The concept of a passphrase quality indicator is anyway questionable because user are smart enough to trick them out and they also tend to limit the actually used entropy. Except for the red/green switching (to show whether constraints are fulfilled) our qualitybar is pretty bad and thus worse than none. Signed-off-by: Werner Koch <[email protected]>
* gpg: Use integrated passphrase repeat entry also for -c.Werner Koch2020-07-083-7/+33
| | | | | | | | * g10/call-agent.c (agent_get_passphrase): Add arg newsymkey. * g10/passphrase.c (passphrase_get): Add arg newsymkey. (passphrase_to_dek): Pass it on. Signed-off-by: Werner Koch <[email protected]>
* agent: New option --newsymkey for GET_PASSPHRASEWerner Koch2020-07-084-97/+354
| | | | | | | | | | | | | | | | * agent/call-pinentry.c (do_getpin): New. (agent_askpin): Use do_getpin. (agent_get_passphrase): Add arg pininfo. Use do_getpin. * agent/genkey.c (check_passphrase_constraints): New arg no_empty. * agent/command.c (reenter_passphrase_cmp_cb): New. (cmd_get_passphrase): Add option --newsymkey. -- This new option allows to present a passphrase with the usual repeat box as it is used by gpg-agent's internal key generation. Signed-off-by: Werner Koch <[email protected]> Backported-from-master: eace4bbe1ded8b01f9ad52ebc1871f2fd13c3a08
* gpg: Fix flaw in symmetric algorithm selection in mixed mode.Werner Koch2020-07-073-19/+10
| | | | | | | | | | | | | | | | | | * g10/encrypt.c (setup_symkey): Use default_cipher_algo function instead of the fallback s2k_cipher_algo. Fix error code. (encrypt_simple): Use setup_symkey. -- Aside of removing code duplication this patch fixes the flaw that the S2K cipher algorithm was used when mixing public key and symmetric encryption or signatures with symmetric encrypion. The default_algorithm function should be used here so that the command line option --cipher-algo and --personal-cipher-preferences have an effect. Signed-off-by: Werner Koch <[email protected]> Backported-from-master: 6864bba78e76a1ff72aec140ae9f4e752454c463
* po: Update Japanese Translation.NIIBE Yutaka2020-07-071-35/+44
| | | | | | -- Signed-off-by: NIIBE Yutaka <[email protected]>
* sm: Exclude rsaPSS from de-vs compliance mode.Werner Koch2020-07-0319-122/+286
| | | | | | | | | | | | | | | | | | | | | | | | | * common/compliance.h (PK_ALGO_FLAG_RSAPSS): New. * common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and test rsaPSS. Adjust all callers. * common/util.c (pubkey_algo_to_string): New. (gnupg_pk_is_allowed): Ditto. * sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function. (gpgsm_get_hash_algo_from_sigval): New. * sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS. * sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to also get the algo flags. Pass algo flags along. Change some of the info output to be more like current master. -- Signed-off-by: Werner Koch <[email protected]> This backport from master commit 969abcf40cdfc65f3ee859c5e62889e1a8ccde91 also includes some changes taken from commit a759fa963a42e0652134130029217270b6d5d00b (sm: Improve readability of the data verification output.) Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Silence annoying warning for missing default ldap server file.Werner Koch2020-07-021-5/+8
| | | | | | | * dirmngr/dirmngr.c (parse_ldapserver_file): Add arg ignore_enoent. (main): Use that arg for the default file. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Fix case handling of "ldapi" scheme.Werner Koch2020-07-021-1/+1
| | | | | | | | * dirmngr/ldap-parse-uri.c (ldap_uri_p): s/'i'/'I'. -- GnuPG-bug-id: 4758 Signed-off-by: Werner Koch <[email protected]>
* sm: Print the serial number of a cert also in decimal.Werner Koch2020-06-264-3/+92
| | | | | | | | | | | | * sm/certdump.c: Include membuf.h. (gpgsm_print_serial_decimal): New. * sm/keylist.c (list_cert_raw): Print s/n also in decimal (list_cert_std): Ditto. -- Many CA's print the serial number in decimal on their cards. Signed-off-by: Werner Koch <[email protected]>
* doc: Minor enhancement for reproducibility.Werner Koch2020-06-031-0/+2
| | | | | | | | * doc/Makefile.am (defsincdate): In no repo mode and with SOURCE_DATE_EPOCH set, use that instead of blanking the date. -- GnuPG-bug-id: 4947
* common: Add missing error code GPG_ERR_WRONG_NAME.Werner Koch2020-06-032-2/+11
| | | | | | | | | | | | | * configure.ac: Require libgpg-error 1.25. * common/util.h: Define some extra error codes. -- This actually defines a few more error ocdes in case they are used by backported code. The requirement chnaged to 1.25 because erro codes from there are also required. GnuPG-bug-id: 4965 Signed-off-by: Werner Koch <[email protected]>
* Prepare news for 2.2.21Werner Koch2020-06-021-0/+31
| | | | --
* scd: Fix condition for C5 data object for newer Yubikey.NIIBE Yutaka2020-05-291-1/+1
| | | | | | | | | | | | * scd/app-openpgp.c (compare_fingerprint): Relax the condition. -- Cherry-picked from master commit of: f3df8dbb696fed192501fa7f741c2e0e0936a3d5 GnuPG-bug-id: 4957 Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: dns: Fix allocation of string buffer in stack.NIIBE Yutaka2020-05-212-26/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | * dirmngr/dns.h (dns_strsection, dns_strclass) (dns_strtype): Change APIs. * dirmngr/dns.c (dns_p_lines): Use __dst for dns_strsection. (dns_rr_print): Use __dst for dns_strclass and dns_strtype. (dns_trace_dump): Likewise. (dns_ai_print): Use __dst for dns_strtype. (dns_strsection): Add an argument __dst for storage. (dns_strclass, dns_strtype): Likewise. (parse_packet): Use __dst for dns_strsection. (send_query): Use __dst for dns_strtype. (isection): Use __dst for dns_strsection. (iclass): Use __dst for dns_strclass. (itype): Use __dst for dns_strtype. -- Backport master commit of: 30eef28bc0f5deaa1b4b7f04293a6527524280a9 GnuPG-bug-id: 4934 Reported-by: Tomas Mraz Fixes-commit: ff7d01fc6d396fc3b8d37baa9bd4cdebc8853648 Signed-off-by: NIIBE Yutaka <[email protected]>
* common: Change argument order of log_printhex.Werner Koch2020-05-1226-76/+84
| | | | | | | | | | | | * common/logging.c (log_printhex): Chnage order of args. Make it printf alike. Change all callers. * configure.ac: Add -Wno-format-zero-length -- This makes it consistent with modern libgpgrt logging and thus eases back porting from newer GnuPG versions which use libgpgrt logging. Signed-off-by: Werner Koch <[email protected]>
* sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.Werner Koch2020-04-162-9/+19
| | | | | | | | | * sm/certchain.c (find_up): Disable external lookups in offline mode. Always allow AKI lookup if CRLs are also enabled. -- GnuPG-bug-id: 4898 Signed-off-by: Werner Koch <[email protected]>
* sm: Lookup missing issuers first using authorityInfoAccess.Werner Koch2020-04-164-26/+180
| | | | | | | | | | | | | | | | * sm/call-dirmngr.c (gpgsm_dirmngr_lookup): Add optional arg URL and adjust all callers. * sm/certchain.c (oidstr_caIssuers): New. (struct find_up_store_certs_s): Add additional fields. (find_up_store_certs_cb): Store the fingerprint. (find_up_via_auth_info_access): New. (find_up): Try the AIA URI first. -- Note that --auto-issuer-key-retrieve is required to use that. GnuPG-bug-id: 4898 Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Allow http URLs with "LOOKUP --url"Werner Koch2020-04-161-20/+103
| | | | | | | | * dirmngr/crlfetch.c (read_cert_via_http): New. (fetch_cert_by_url): Implement http scheme. -- Signed-off-by: Werner Koch <[email protected]>
* gpg: Add missing options --no-include-key-block.Werner Koch2020-04-161-0/+1
| | | | | | | | | | | * g10/gpg.c (opts): Add it. -- This got lost when backporting from master. Fixes-commit: 95b42278cafe7520d87168fb993ba715699e6bb6 GnuPG-bug-id: 4856 Signed-off-by: Werner Koch <[email protected]>
* gpg: Make AEAD modes subject to compliance checks.Werner Koch2020-04-161-10/+13
| | | | | | | | | * g10/decrypt-data.c (decrypt_data): Move aead algo detection up. -- Note that the AEAD modes are not yet approved for --compliance=de-vs Signed-off-by: Werner Koch <[email protected]>
* gpg: Show AEAD preferencesWerner Koch2020-04-163-5/+49
| | | | | | | | | | | | | * g10/packet.h (preftype_t): Add PREFTYPE_AEAD. * g10/keyedit.c (show_prefs): Print AEAD preferences. * g10/getkey.c (fixup_uidnode): Set AEAD flags. (merge_selfsigs): Ditto. -- Although we are not able to create such keys we should be abale to show them. Signed-off-by: Werner Koch <[email protected]>
* gpg: Support decryption of the new AEAD packetWerner Koch2020-04-1610-70/+909
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * common/openpgpdefs.h (aead_algo_t): New. (pkttype_t): Add PKT_ENCRYPTED_AEAD. * g10/decrypt-data.c (struct decode_filter_context_s): Add fields for AEAD. (aead_set_nonce_and_ad): New. (aead_checktag): New. (decrypt_data): Support AEAD. (aead_underflow): New. (aead_decode_filter): New. * g10/dek.h (DEK): Add field use_aead. Turn use_mdc, algo_info_printed, and symmetric into bit flags. * g10/mainproc.c (struct mainproc_context): Add field seen_pkt_encrypted_aead. (release_list): Clear it. (have_seen_pkt_encrypted_aead): New. (symkey_decrypt_seskey): Support AEAD. (proc_symkey_enc): Ditto. (proc_encrypted): Ditto. (proc_plaintext): Ditto. * g10/misc.c (MY_GCRY_CIPHER_MODE_EAX): New. (openpgp_aead_test_algo): New. (openpgp_aead_algo_name): New. (openpgp_aead_algo_info): New. * g10/packet.h (PKT_symkey_enc): Add field use_aead. (PKT_user_id): Add field flags.aead (PKT_public_key): Ditto. (PKT_encrypted): Add fields for AEAD. * g10/parse-packet.c (parse): Handle PKT_ENCRYPTED_AEAD. (parse_symkeyenc): Support AEAD. (parse_encrypted): Ditto. (dump_sig_subpkt): Dump AEAD preference packet. (parse_encrypted_aead): New. -- This patch allows to decrypt data encrypted using the new AEAD mechanism as specified in rfc4880bis. Although preferences are used to enable this new mode, it is useful to have at least a decryption option in case a user switches between GnuPG 2.2 and newer versions. The new AEAD mechanism is much faster than the current CFB+MDC and thus 2.2 will allow faster decryption of symmetric only decryption. This patch is based on the current master (2.3) code base and includes a few other patches. In particular commit 44be675b759d27bac310c2de8bae1b7882a26b65 (gpg: More check for symmetric key encryption.) is included. Signed-off-by: Werner Koch <[email protected]>
* gpg: Improve symmetric decryption speed by about 25%Werner Koch2020-04-151-77/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | * g10/decrypt-data.c (mdc_decode_filter, decode_filter): Fatcor buffer filling code out to ... (fill_buffer): new. -- This patch includes the master commit d989373f1a46139ed0fbc4d4a91069b78617ad9 and 5d6c080522e1666943b75c99124fb69b985b6941 Benchmarking on our usual X220 shows for a 1.3GiB non-compressed non-armored AES encrypted file (ECDH encrypted but the symmetric decryption takes the majority of the time, reading from stdin writing to /dev/null): | | before | after | |------------+-----------+-----------| | real | 0m15.006s | 0m11.849s | | user | 0m14.304s | 0m11.259s | | sys | 0m0.640s | 0m0.537s | | throughput | 90 MiB/s | 115 MiB/s | Signed-off-by: Werner Koch <[email protected]>
* gpg: Reformat parts of decrypt-data.cWerner Koch2020-04-151-101/+125
| | | | | | | | | | | | * g10/decrypt-data.c (struct decode_filter_context_s): Rename 'defer' to 'holdback' and 'defer_filled' to 'holdbacklen'. Increase size of holdback to allow for future AEAD decryption. Turn 'partial' and 'eof_seen' into bit fields. (decrypt_data): Replace write_status_text by write_Status_printf. Indent parts of the code. -- Signed-off-by: Werner Koch <[email protected]>
* sm,dirmngr: Restrict allowed parameters used with rsaPSS.Werner Koch2020-04-153-2/+87
| | | | | | | | | | | | | | | * sm/certcheck.c (extract_pss_params): Check the used PSS params. * dirmngr/crlcache.c (finish_sig_check): Ditto. * dirmngr/validate.c (check_cert_sig): Ditto. -- GnuPG-bug-id: 4538 # ------------------------ >8 ------------------------ See https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html Signed-off-by: Werner Koch <[email protected]>
* sm: Support rsaPSS verification also for CMS signatures.Werner Koch2020-04-153-41/+113
| | | | | | | | | * sm/certcheck.c (gpgsm_check_cert_sig): Factor PSS parsing out to ... (extract_pss_params): new. (gpgsm_check_cms_signature): Implement PSS. -- GnuPG-bug-id: 4538
* dirmngr: Support rsaPSS also in the general validate module.Werner Koch2020-04-152-45/+132
| | | | | | | | | | | | | | | | | | * dirmngr/validate.c (hash_algo_from_buffer): New. (uint_from_buffer): New. (check_cert_sig): Support rsaPSS. * sm/certcheck.c (gpgsm_check_cert_sig): Fix small memory leak on error. -- Yes, I know that there is a lot of code duplication. In fact some of the code is ugly and it would be better if we enhance Libgcrypt to guarantee that returned memory buffers via gcry_sexp_extract_param are allways Nul terminated and we should also enhance that function to directly extract into an unsigned int or char *. GnuPG-bug-id: 4538 Signed-off-by: Werner Koch <[email protected]>
* sm,dirmngr: Support rsaPSS signature verification.Werner Koch2020-04-152-60/+307
| | | | | | | | | | | | | | | | * sm/certcheck.c (hash_algo_from_buffer): New. (uint_from_buffer): New. (gpgsm_check_cert_sig): Handle PSS. * dirmngr/crlcache.c (hash_algo_from_buffer): New. (uint_from_buffer): New. (start_sig_check): Detect PSS and extract hash algo. New arg to return a PSS flag. (finish_sig_check): New arg use_pss. Extract PSS args and use them. (crl_parse_insert): Pass use_pss flag along. -- GnuPG-bug-id: 4538 Signed-off-by: Werner Koch <[email protected]>
* common: New function to map hash algo names.Werner Koch2020-04-152-0/+42
| | | | | | | | | * common/sexputil.c (hash_algo_to_string): New. -- Libgcrypt expects lowercase names and it is cumbersome to downcase those retrieved via gcry_md_algo_name. It is easier and also faster to use a dedicated map function.
* scd:p15: Return a display S/N via Assuan.Werner Koch2020-04-151-21/+54
| | | | | | | | * scd/app-p15.c (make_pin_prompt): Factor some code out to ... (get_dispserialno): this. (do_getattr): Use new fucntion for a $DISPSERIALNO. Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Show a pretty PIN prompt.Werner Koch2020-04-151-10/+200
| | | | | | | | | | | | | | | | | | | | | | | | * scd/app-p15.c (struct prkdf_object_s): New fields common_name and serial_number. (release_prkdflist): Free them. (keygrip_from_prkdf): Parse cert and set them. (any_control_or_space): New. (make_pin_prompt): New. (verify_pin): Construct a pretty PIN prompt. (do_sign): Remove debug output. -- The D-Trust card has the SerialNumber part of the Subject printed on the front matter, we assume this is also possible with other cards and thus we show this as serial number. The holder of the card is also extracted from the card's subject. Signed-off-by: Werner Koch <[email protected]> Backported from master. Signed-off-by: Werner Koch <[email protected]>
* scd: Return GPG_ERR_BAD_PIN on 0x63Cn status word.Werner Koch2020-04-152-0/+3
| | | | | | | | | | | * scd/iso7816.c (map_sw): Detect 0x63Cn status code. -- I really wonder when that got lost and we ended up with a simple card error. Signed-off-by: Werner Koch <[email protected]> Backported from master.
* scd: Factor common PIN status check out.Werner Koch2020-04-154-42/+49
| | | | | | | | | | | | | | | | | | * scd/iso7816.h (ISO7816_VERIFY_ERROR): New. (ISO7816_VERIFY_NO_PIN): New. (ISO7816_VERIFY_BLOCKED): New. (ISO7816_VERIFY_NULLPIN): New. (ISO7816_VERIFY_NOT_NEEDED): New. * scd/iso7816.c (iso7816_verify_status): New. * scd/app-nks.c (get_chv_status): Use new function. -- Signed-off-by: Werner Koch <[email protected]> Backported from master: - Removed the non-existant app-piv.c patches. Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Fix decrypt followed by sign problem for D-Trust cards.Werner Koch2020-04-155-14/+197
| | | | | | | | | | | | | | | | | | | | | | | | | | | * scd/iso7816.c (iso7816_select_mf): New. * scd/app-p15.c (card_product_t): New. (struct app_local_s): Add field 'card_product'. (read_ef_tokeninfo): Detect D-Trust card. (prepare_verify_pin): Switch to D-Trust AID. (do_decipher): Restore a SE for D-TRust cards. Change the padding indicator to 0x81. * common/percent.c (percent_data_escape): new. Taken from master. -- Using what I learned from a USB trace running the Governikus Signer Software on Windows this fixes the left over problem with the new D-Trust card support. Signed-off-by: Werner Koch <[email protected]> Backported from master. This required to add the percent_data_escape function we introduced in master on 2018-07-02: commit 58baf40af641f8cbf597e508a292e85ae94688f1 common: New function percent_data_escape. Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Emit MANUFACTURER, $ENCRKEYID, $SIGNKEYID.Werner Koch2020-04-151-19/+62
| | | | | | | | | | | | | * scd/app-p15.c (read_ef_tokeninfo): Store manufacturer_id. (do_getattr): Implement MANUFACTURER, $ENCRKEYID and $SIGNKEYID. (send_keypairinfo): Also print usage flags. -- Signed-off-by: Werner Koch <[email protected]> Backported from master. Signed-off-by: Werner Koch <[email protected]>
* gpg: Use the new MANUFACTURER attribute.Werner Koch2020-04-153-43/+20
| | | | | | | | | | | | | | | | | | | * g10/call-agent.h (struct agent_card_info_s): Add manufacturer fields. * g10/call-agent.c (agent_release_card_info): Release them. (learn_status_cb): Parse MANUFACTURER attribute. * g10/card-util.c (get_manufacturer): Remove. (current_card_status): Use new attribute. -- This does away with the duplicated OpenPGP vendor tables; they are now at a better place (app-openpgp.c). Signed-off-by: Werner Koch <[email protected]> Backported from master: - Removed the gpg-card stuff. Signed-off-by: Werner Koch <[email protected]>
* scd:openpgp: New attribute "MANUFACTURER".Werner Koch2020-04-152-0/+82
| | | | | | | | | | | | | | | | | | * scd/app-openpgp.c (get_manufacturer): New.. (do_getattr): Add new attribute "MANUFACTURER". (do_learn_status): Always print it. -- This will make it easy to maintain the list of OpenPGP vendors at just one place. Signed-off-by: Werner Koch <[email protected]> Backported from master: .. or well in master and 2.2 Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Rename some variables and functions for clarity.Werner Koch2020-04-151-20/+20
| | | | | | | | | | | * scd/app-p15.c: Rename keyinfo to prkdf. Signed-off-by: Werner Koch <[email protected]> Backported from master. Removed the do_with_keygrip related parts because that function is not available. Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Cache the PIN.Werner Koch2020-04-151-0/+8
| | | | | | | | | | | * scd/app-p15.c (struct prkdf_object_s): Add flag pin_verified. (verify_pin): Make use of it. -- Theee is still a problem with the APDUs we send: Switching between signing and decryption does work but not in the other way. Signed-off-by: Werner Koch <[email protected]>
* gpg: ECDH: Accept longer padding.NIIBE Yutaka2020-04-081-4/+1
| | | | | | | | | | | | | | | | | * g10/pubkey-enc.c (get_it): Remove check which mandates shorter padding. -- Cherry-picked master commit of: fd79cadf7ba5ce45dfb5e266975f58bf5c7ce145 According to the section 8 of RFC 6637, the sender MAY use 21 bytes of padding for AES-128 to provide 40-byte "m". Reported-by: Metin Savignano GnuPG-bug-id: 4908 Signed-off-by: NIIBE Yutaka <[email protected]>
* scd:p15: Add missing keygrip retrieval for decryption.Werner Koch2020-04-011-0/+8
| | | | | | | | | | * scd/app-p15.c (do_decipher): Get the keygrip. -- This was lost during the backport. Fixes-commit: 4af38ea5e450b3eb79af98b9876b2b968110a459 Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Support decryption with CardOS 5 cards.Werner Koch2020-04-011-2/+99
| | | | | | | | | | | | | | | * scd/app-p15.c (do_decipher): New. -- tested using the D-TRUSt card and a SCR3310 reader. The Kobil KAAN Advanced, I used for the signing tests could not be used because it supports only Short APDU Level exchange. Signed-off-by: Werner Koch <[email protected]> Back ported from master. Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Factor PIN verification out to a new function.Werner Koch2020-04-011-189/+224
| | | | | | | | | | | | * scd/app-p15.c (do_sign): Factor code out to ... (prepare_verify_pin, verify_pin): new functions. -- Signed-off-by: Werner Koch <[email protected]> Bakc ported from master Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Support signing with CardOS 5 cards.Werner Koch2020-04-016-101/+290
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg r_pkey and change all callers. (app_help_get_keygrip_string): Ditto. * scd/app-p15.c (struct cdf_object_s): Use bit flags (struct aodf_object_s): Ditto. Add field 'fid'. (struct prkdf_object_s): Ditto. Add fields keygrip, keyalgo, and keynbits. (parse_certid): Allow a keygrip instead of a certid aka keyref. (read_ef_aodf): Store the FID. (keygripstr_from_prkdf): Rename to ... (keygrip_from_prkdf): this. Remove arg r_gripstr and implement cache. Change callers to directly use the values from the object. Also store the algo and length of the key ion the object. (keyref_from_keyinfo): New. Factored out code. (do_sign): Support SHA-256 and >2048 bit RSA keys. common/scd:p15: Support signing with CardOS 5 cards. * common/util.h (KEYGRIP_LEN): New. -- This has been tested with a D-Trust card featuring 3072 bit keys. Note that non-repudiation key for a qualified signature does not yet work because we do not yet support rsaPSS padding. Thus a gpgsm --learn shows a couple of Bad Signature errors for this key. Signed-off-by: Werner Koch <[email protected]> Back ported from master: - Removed do_with_keygrip - Added KEYGRIP_LEN - app_help_get_keygrip_string_pk actually added. - Move keygrip_from_prkdf in do_sign before the verification. It used to work in master only because there it is implictly called prior to signing by do_with_keygrip Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Read certificates in extended mode.Werner Koch2020-04-012-1/+17
| | | | | | | | | | | | * scd/app-p15.c (readcert_by_cdf): Allow reading in extended mode. * scd/app-common.h (app_get_slot): New. -- Signed-off-by: Werner Koch <[email protected]> (Back ported from master) Added app_get_slot.
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-18 16:52:24 +0000