Commit message | Author | Age | Files | Lines
...
* | scd:nks: Fix ECC signing if key not given by keygrip.
    Author: Werner Koch; Age: 2022-11-15; Files: 1; Lines: -0/+2
    * scd/app-nks.c (keygripstr_from_pk_file): Set r_algo if not in cache.
* | dirmngr: Fix verification of ECDSA signed CRLs.
    Author: Werner Koch; Age: 2022-11-15; Files: 2; Lines: -3/+4
    * dirmngr/crlcache.c (finish_sig_check): Use raw value for the data.
    --
    This had the usual signed/unsigned problem. By using the modern form we enforce Libgcrypt internal parsing as unsigned integer.
    (cherry picked from commit 868dabb4027a03f4ce39be3c143b480bccde1a63)
* | dirmngr: Support ECDSA for OCSP.
    Author: Werner Koch; Age: 2022-11-15; Files: 3; Lines: -49/+106
    * dirmngr/validate.c (pk_algo_from_sexp): Make public. Support ECC.
    * dirmngr/ocsp.c (check_signature): Remove hash preparation out to ...
    (check_signature_core): here. This changes the arg s_hash to md. Support ECDSA.
    --
    The test was done with my qualified signature certificate from the Telesec and their responder http://tqrca1.ocsp.telesec.de/ocspr . See also libksba commit rK24992a4a7a61d93759e1dbd104b845903d4589bf
    (cherry picked from commit 890e9849b58e91fb7e0ad8d3b11d19363fca2d8a)
* | dirmngr: Support ECDSA for CRLs
    Author: Werner Koch; Age: 2022-11-15; Files: 2; Lines: -12/+114
    * dirmngr/crlcache.c (finish_sig_check): Support ECDSA.
    * dirmngr/validate.c (check_cert_sig): Ditto. Remove the never used support for DSA.
    (cherry picked from commit de87c8e1ead72ea67789ffa4375f9dd3e4f9e2fa)
* | gpgsm: Support signing using ECDSA.
    Author: Werner Koch; Age: 2022-11-15; Files: 2; Lines: -33/+53
    * sm/gpgsm.h (struct certlist_s): Add helper field pk_algo.
    * sm/sign.c (gpgsm_sign): Store the public key algo. Take the hash algo from the curve. Improve diagnostic output in verbose mode.
    --
    GnuPG-bug-id: 4098, 6253
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: f44d395bdfec464b1e2a0a1aef39561e6e48a45c
* | gpgsm: Support verification of nistp521 signatures.
    Author: Werner Koch; Age: 2022-11-15; Files: 1; Lines: -5/+8
    * sm/certcheck.c (do_encode_md): Take care of nistp521.
    --
    This curve is a bit odd in that it does not match a common hash digest length. We fix that here for just this case instead of writing more general code to support all allowed cases (i.e. hash shorter than Q).
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: 596212e71abf33b30608348b782c093dace83110
* | gpgsm: Cleanup the use of GCRY_PK_ECC and GCRY_PK_ECDSA.
    Author: Werner Koch; Age: 2022-11-14; Files: 4; Lines: -6/+11
    * common/sexputil.c (pubkey_algo_to_string): New.
    * sm/certcheck.c (do_encode_md): Replace GCRY_PK_ECDSA by GCRY_PK_ECC.
    * sm/certreqgen-ui.c (check_keygrip): Add all ECC algorithms.
    * sm/gpgsm.c (our_pk_test_algo): Also allow EdDSA.
    * sm/verify.c (gpgsm_verify): Map ECC algo to ECDSA. Use new pubkey algo name function
    Signed-off-by: Werner Koch <[email protected]>
    (cherry picked from commit 34b628db4618a8712536aea695f934b0286e7b18)
* | gpgsm: Some more ECC support backported.
    Author: Werner Koch; Age: 2022-11-14; Files: 2; Lines: -25/+94
    * sm/certcheck.c (gpgsm_check_cert_sig): Map ECDSA OIDs.
    * sm/misc.c (transform_sigval): Add ECC support.
    --
    GnuPG-bug-id: 6253
* | agent: Allow trustlist on Windows in Unicode homedirs.
    Author: Werner Koch; Age: 2022-11-14; Files: 2; Lines: -1/+32
    * agent/trustlist.c (agent_marktrusted): Use gnupg_access.
* | gpg: Fix trusted introducer for user-ids with only the mbox.
    Author: Werner Koch; Age: 2022-11-09; Files: 1; Lines: -19/+31
    * g10/trustdb.c (check_regexp): Kludge to match user-ids with only an mbox.
    --
    (Also re-indented the function)
    GnuPG-bug-id: 6238
* | gpg: Import stray revocation certificates.
    Author: Werner Koch; Age: 2022-11-09; Files: 3; Lines: -13/+66
    * g10/kbnode.c (new_kbnode2): New.
    * g10/import.c (delete_inv_parts): New arg r_otherrevsigs to store misplaced revocations.
    (import_revoke_cert): Allow to pass an entire list.
    (import_one): Import revocations found by delete_inv_parts.
    --
    It might be useful to distribute revocations of old keys along with new keys. This is in particular useful for WKD stored keys. This patch allows to put unrelated standalone revocations into a key. For example they can simply be appended to a keyblock. Right now it is a bit inaesthetic to see diagnostics about misplaced or bad revocation signatures.
    Backported-from-master: 7aaedfb10767c74f3e6868dd1563cbbf1282ab2f
* | tests: Add tests to check that OCB is only used for capable keys.
    Author: Werner Koch; Age: 2022-11-04; Files: 8; Lines: -11/+121
    * tests/openpgp/samplekeys/ed25519-cv25519-sample-2.asc: New.
    * tests/openpgp/samplekeys/ed25519-cv25519-sample-1.asc: Add AEAD preference.
    * tests/openpgp/defs.scm (tr:gpgstatus): New.
    (create-legacy-gpghome): Also import .key private keys.
    * tests/openpgp/encrypt.scm: Add OCB tests.
* | gpg: Make --list-packets work w/o --no-armor for plain OCB packets.
    Author: Werner Koch; Age: 2022-11-04; Files: 1; Lines: -0/+1
    * g10/armor.c (is_armored): Add PKT_ENCRYPTED_AEAD.
    --
    With this fix it is now possible to feed a vanilla packet of type 20 without first forcing gpg to assume binary mode.
* | gpg: Add compatibility flag "vsd-allow-ocb"
    Author: Werner Koch; Age: 2022-10-31; Files: 5; Lines: -9/+35
    * common/compliance.h (enum gnupg_co_extra_infos): New.
    * common/compliance.c (vsd_allow_ocb): New.
    (gnupg_cipher_is_compliant): Allow OCB if flag is set.
    (gnupg_cipher_is_allowed): Ditto.
    (gnupg_set_compliance_extra_info): Change to take two args. Adjust callers.
    * g10/gpg.c (compatibility_flags): Add "vsd-allow-ocb".
    (main): And set it.
    * g10/options.h (COMPAT_VSD_ALLOW_OCB): New.
    --
    This is a temporary flag until the new mode has been evaluated and can always be enabled.
    GnuPG-bug-id: 6263
* | gpg: New option --compatibility-flags
    Author: Werner Koch; Age: 2022-10-31; Files: 3; Lines: -1/+35
    * g10/gpg.c (oCompatibilityFlags): New.
    (opts): Add option.
    (compatibility_flags): New list.
    (main): Set flags and print help.
    * g10/options.h (opt): Add field compatibility_flags.
    --
    No flags are yet defined but it is good to have the framework.
* | gpg: Support OCB encryption.
    Author: Werner Koch; Age: 2022-10-31; Files: 15; Lines: -126/+942
    * g10/build-packet.c (do_encrypted_aead): New.
    (do_symkey_enc): Handle version 5.
    (build_packet): Support the ENCRYPTED_AEAD packet.
    * g10/cipher.c (MIN_PARTIAL_SIZE): Remove unused macro.
    (AEAD_ENC_BUFFER_SIZE): New macro.
    (my_iobuf_write): New.
    (write_header): Rename to write_cfb_header. Adjust caller.
    (set_ocb_nonce_and_ad): New.
    (write_ocb_header): New.
    (write_ocb_auth_tag): New.
    (write_ocb_final_chunk): New.
    (do_ocb_flush): New.
    (do_ocb_free): New.
    (cipher_filter_ocb): New.
    * g10/filter.h (cipher_filter_context_t): Add fields for AEAD.
    * g10/encrypt.c (encrypt_symmetric): For the use of a session key in OCB mode.
    (encrypt_seskey): Revamp to support OCB.
    (use_aead): New.
    (encrypt_simple): Support OCB.
    (write_symkey_enc): Ditto.
    (encrypt_crypt): Ditto.
    (encrypt_filter): Handle OCB.
    * g10/options.h (opt): Add field force_ocb.
    * g10/gpg.c (oForceOCB): New.
    (opts): New option "--force-ocb".
    (main): Set force_ocb option.
    * g10/gpgcompose.c (encrypt_seskey): New.
    * g10/keygen.c (aead_available): New global var.
    (keygen_set_std_prefs): Set AEAD feature by default in GNUPG mode. Add parings of aead feature flag.
    (keygen_get_std_prefs): Set aead flag.
    (add_feature_aead): New.
    (keygen_upd_std_prefs): Set OCB as preference if AEAD is enabled.
    * g10/pkclist.c (select_aead_from_pklist): New.
    (warn_missing_aead_from_pklist): New.
    (select_mdc_from_pklist): Remove this unused function.
    --
    This extends the long available OCB and EAX decryption feature. Due to the meanwhile expired patent on OCB there is no more reason for using EAX. Thus we forcefully use OCB if the AEAD feature flag is set on a key. In GNUPG mode new keys are now created with the AEAD feature flag set. Option --rfc4880 is one way to disable this.
    GnuPG-bug-id: 6263
* | gpgsm: Also announce AES256-CBC in signatures.
    Author: Werner Koch; Age: 2022-10-28; Files: 1; Lines: -7/+10
    * sm/sign.c (gpgsm_sign): Add new capability.
    --
    It might be better to have this. No concrete bug report, though.
* | gpgsm: New compatibility flag "allow-ecc-encr".
    Author: Werner Koch; Age: 2022-10-28; Files: 3; Lines: -1/+6
    * sm/gpgsm.h (COMPAT_ALLOW_ECC_ENCR): New.
    * sm/gpgsm.c (compatibility_flags): Add new flag.
    * sm/encrypt.c (encrypt_dek): Allow ECC only if flag is set.
    --
    ECC encryption was not part of the original VS evaluation. Until this has been re-evaluated we hide this feature behind this flag.
    GnuPG-bug-id: 6253
* | sm: Support encryption using ECDH keys.
    Author: Werner Koch; Age: 2022-10-28; Files: 3; Lines: -15/+311
    * sm/decrypt.c (hash_ecc_cms_shared_info): Make global.
    * sm/encrypt.c (ecdh_encrypt): New.
    (encrypt_dek): Add arg PK_ALGO and support ECDH.
    (gpgsm_encrypt): Pass PK_ALGO.
    --
    Note: This has only been tested with messages created and decrypted by GnuPG.
    GnuPG-bug-id: 4098
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: d5051e31a8fc07c339253c6b82426e0d0115a20a
    GnuPG-bug-id: 6253
* | gpgsm: Allow ECC encryption keys with just keyAgreement specified.
    Author: Werner Koch; Age: 2022-10-28; Files: 3; Lines: -3/+13
    * sm/certlist.c (cert_usage_p): Allow keyAgreement for ECC.
    * sm/fingerprint.c (gpgsm_is_ecc_key): New.
    --
    For ECC encryption keys keyAgreement is the keyUsage we want.
    GnuPG-bug-id: 6253
* | gpgsm: Use macro constants for cert_usage_p.
    Author: Werner Koch; Age: 2022-10-28; Files: 1; Lines: -15/+27
    * sm/certlist.c (USE_MODE_): New. Use them for easier reading.
* | scd:nks: Support non-ESIGN signing with the Signature Card v2
    Author: Werner Koch; Age: 2022-10-28; Files: 1; Lines: -8/+20
    * scd/app-nks.c (do_sign): Handle ECC for NKS cards
    --
    Backported-from-master: 959c627892121ce9707bfa36f2510216b4f6f247
    GnuPG-bug-id: 6252
* | scd: Use app_get_slot at more places.
    Author: Werner Koch; Age: 2022-10-28; Files: 4; Lines: -65/+84
    --
    This is helpful for backporting other changes.
* | scd: Use APP_LEARN_FLAG_KEYPAIRINFO with more apps.
    Author: Werner Koch; Age: 2022-10-28; Files: 2; Lines: -2/+2
    * scd/app-nks.c (do_learn_status_core): Use new flag.
    * scd/app-sc-hsm.c (do_learn_status): Ditto.
    --
    The flag was already backported to some apps but not to these.
* | doc: Make uploading of 2.2 manuals easier
    Author: Werner Koch; Age: 2022-10-28; Files: 1; Lines: -2/+2
    --
* | build: Update gpg-error.m4.
    Author: NIIBE Yutaka; Age: 2022-10-24; Files: 1; Lines: -1/+5
    * m4/gpg-error.m4: Update from libgpg-error 1.46.
    --
    Signed-off-by: NIIBE Yutaka <[email protected]>
* | gpgsm: Create ECC certificates with AKI and SKI by default.
    Author: Werner Koch; Age: 2022-10-20; Files: 2; Lines: -34/+163
    * sm/certreqgen.c (create_request): Create AKI and SKI by default.
    --
    GnuPG-bug-id: 4098, 6253
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: 44676819f2873705b78849e7b2fd22214b691642
* | gpgsm: Print the key types as standard key algorithm strings.
    Author: Werner Koch; Age: 2022-10-20; Files: 3; Lines: -16/+49
    * sm/fingerprint.c (gpgsm_get_key_algo_info): Factor code out to ...
    (gpgsm_get_key_algo_info2): new.
    * sm/keylist.c (list_cert_colon): Put curve into field 17
    (list_cert_raw): Print the unified key algorithm string instead of the algo and size.
    (list_cert_std): Ditto.
    --
    It is important to know whether a 256 bit ECC uses a NIST or a Brainpool curve.
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: 5c29d25e6c7c0a5a63ab4c46d4624217307adb78
    GnuPG-bug-id: 6253
* | gpgsm: Support decryption of ECDH data
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -6/+368
    * sm/decrypt.c (hash_ecc_cms_shared_info): New.
    (ecdh_derive_kek): New global function.
    (ecdh_decrypt): New with support for dhSinglePass-stdDH-sha1kdf-scheme.
    (prepare_decryption): Support ECDH. Add args pk_algo and nbits.
    (gpgsm_decrypt): Pass size of curve to prepare_decryption. Lift some variables from an inner code block.
    --
    This has been compiled from these commits in master:
    Backported-from-master: 95d83cf906177fe9f00e88ae42d4c118c7db4371 (sm: Support decryption of ECDH data)
    Backported-from-master: ee6d29f1797e06977ae3d2edae9edc1165c6f144 (sm: Support decryption of ECDH data using a smartcard.)
    Backported-from-master: 68b857df13c8a4e6cae5e3a29fd065bf90764547 (sm: Allow decryption using dhSinglePass-stdDH-sha1kdf-scheme.)
    GnuPG-bug-id: 6253
    Signed-off-by: Werner Koch <[email protected]>
* | gpgsm: Support key generation with ECC.
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 1; Lines: -5/+37
    * sm/certreqgen.c (pKEYCURVE): New.
    (read_parameters): Add pKEYCURVE handling.
    (proc_parameters): Support ECC key generation.
    --
    GnuPG-bug-id: 4888, 6253
    Signed-off-by: NIIBE Yutaka <[email protected]>
    (cherry picked from commit 49ea53b755f0fef468055a1493e790735908f865)
* | gpgsm: Remove restriction of key generation (only RSA).
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 1; Lines: -12/+10
    * sm/certreqgen.c (proc_parameters): Remove checking GCRY_PK_RSA.
    --
    This is an initial change to support ECC key generation.
    GnuPG-bug-id: 4888, 6253
    Signed-off-by: NIIBE Yutaka <[email protected]>
    Backported-from-master: 238707db8b05a385af5419e606ea5110ace31d2b
|/
* scd:nks: Don't flag the ESIGN keypair EF as encryption capable.
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -1/+1
    * scd/app-nks.c (filelist): Tweak 0x4531.
    --
    Actually the certificate has no encryption usage but we should also tell that via KEYINFO so that this key is never tried to create an encryption certificate.
    (cherry picked from commit 3a2fb1c30633373d17880469e0b84ab2a9524585)
* scd:nks: Some code cleanup.
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -107/+100
    * scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
    (parse_keyref): new.
    (do_readcert): Use new function instead of partly duplicated code. Make detection of keygrip more robust.
    (do_readkey): Make detection of keygrip more robust.
    (do_with_keygrip): Use get_nks_tag.
    --
    Also added a couple of comments.
    (cherry picked from commit b92b3206e72b635fd815eaf85e7acc67c2a52ffe)
* scd:nks: Support the Telesec ESIGN application.
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -26/+81
    * scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
    (readcert_from_ef): Consider an all zero certificate as not found.
    (do_sign): Support ECC and the ESIGN application.
    --
    This allows me to create qualified signatures using my Telesec card. There is of course more work to do but this is the first step. Note: The design of the FID cache needs to be reconsidered. Until that the lookup here has been disabled. The do_sign code should be revamped to be similar to what we do in app-p15.
    GnuPG-bug-id: 5219, 4938, 6252
    Backported-from-master: 07eaf006c2763a6b40d2734b1c6704da466e0ed0
* scd:nks: Return USAGE information for KEYINFO command.
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 4; Lines: -25/+26
    * scd/app-nks.c (set_usage_string): New.
    (do_learn_status_core, do_readkey): Use set_usage_string.
    (do_with_keygrip): Add USAGE to call send_keyinfo, using set_usage_string.
    * scd/command.c (send_keyinfo): Add arg usage.
    --
    Signed-off-by: NIIBE Yutaka <[email protected]>
    Backported-from-master: 5264d3f58e8a8362900c3518bdd683ff9a23cccc
    GnuPG-bug-id: 6252
    This backports only the NKS parts of the original patch
    Signed-off-by: Werner Koch <[email protected]>
* scd:nks: Handle APP_READKEY_FLAG_INFO.
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -52/+117
    * scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
    (get_nks_tag): New.
    (do_learn_status_core): Use it. Make sure not to mange the KEYPAIRINFO line if no usage is known.
    (do_readkey): Output the KEYPAIRINFO for the keygrip case.
    --
    Note that this only handles the most common case of providing a keygrip. $AUTHKEYID and ODLM are not yet supported.
    Signed-off-by: Werner Koch <[email protected]>
    (cherry picked from commit 63320ba2f8147ee86f4406c9590f6b28cad4771d)
* scd:nks: Add support for signing plain SHA-2 digests.
    Author: Ingo Klöcker; Age: 2022-10-20; Files: 1; Lines: -17/+67
    * scd/app-nks.c (do_sign): Handle plain SHA-2 digests and verify encoding of ASN.1 encoded hashes.
    --
    This makes it possible to create CSRs for NetKey card keys which are signed with SHA256 by default.
    GnuPG-bug-id: 5184
    (cherry picked from commit 8fe976d5b9a0f2902868737dd502c749565222a6)
* scd:nks: Support READKEY with keygrip and for "NKS-IDLM" keyref.
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 1; Lines: -0/+22
    * scd/app-nks.c (do_readkey): Allow KEYGRIP access. Support NKS-IDLM.XXXX keyref.
    --
    GnuPG-bug-id: 5150
    Signed-off-by: NIIBE Yutaka <[email protected]>
    (cherry picked from commit 3b392630881350baabeba16fa760bad04be94d03)
* scd:nks: Factor out pubkey retrieval from keygrip handling.
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 1; Lines: -84/+72
    * scd/app-nks.c (pubkey_from_pk_file): New.
    (keygripstr_from_pk_file): Use pubkey_from_pk_file.
    Signed-off-by: NIIBE Yutaka <[email protected]>
    (cherry picked from commit b7c087375d84c31ab8a645cd81e6b1e6185cb30d)
* scd:nks: Add support of KEYGRIP for do_readcert.
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 1; Lines: -0/+18
    * scd/app-nks.c (do_readcert): Support KEYGRIP.
    --
    GnuPG-bug-id: 5150
    Signed-off-by: NIIBE Yutaka <[email protected]>
    (cherry picked from commit 4020cd9d656264bec5e7fb5e45c5e06eff8656c3)
* scd:nks: Factor out iteration over filelist.
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 1; Lines: -78/+114
    * scd/app-nks.c (iterate_over_filelist): New.
    (do_with_keygrip): Use iterate_over_filelist.
    Signed-off-by: NIIBE Yutaka <[email protected]>
    (cherry picked from commit 6c4365847666cefac73ccc743a99fac473da2186)
* scd:nks: Fix caching keygrip (more).
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 1; Lines: -5/+7
    * scd/app-nks.c (keygripstr_from_pk_file): Distinguish by APP_ID.
    --
    GnuPG-bug-id: 5150, 5161
    Signed-off-by: NIIBE Yutaka <[email protected]>
    Backported-from-master: 87d2c579cc38c1d2787945650125fb0e0336652c
    Fixes-commit: 00f594e3ecb26b010e87d5491b648369e7a92408
* scd:nks: Minor additions to the basic IDLM application support.
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -15/+25
    * scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
    (keygripstr_from_pk_file): Handle special value.
    (do_readcert): Ditto.
    (do_writecert): Ditto.
    --
    This allows to get information about the keys from the card. However the do_readkey still requires a fallback to readcert. This does not work because there are no certificates yet on the card. The fix is to fully implement do_readkey.
    (cherry picked from commit 806547d9d243b26c2275fc00c645ee39d258b49b)
* scd,nks: Fix caching keygrip.
    Author: NIIBE Yutaka; Age: 2022-10-20; Files: 1; Lines: -3/+4
    * scd/app-nks.c (keygripstr_from_pk_file): Identify by cfid if available.
    --
    GnuPG-bug-id: 5150, 6252
    Signed-off-by: NIIBE Yutaka <[email protected]>
    Backported-from-master: 920154370834ad8d947aed19c9d914a27dde6baa:
* scd:nks: Emit the algo string with KEYPAIRINFO
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -15/+48
    * scd/app-nks.c (do_learn_status_core): Emit the algo string as part of a KEYPAIRINFO.
    (struct fid_cache_s): Add field algostr.
    (flush_fid_cache): Release it.
    (keygripstr_from_pk_file): Fill it and add it to the cache. Use a single exit label. Set algostr.
    --
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: 26da47ae53d51e16ae6867cd419ddbf124a94933
    Backported-from-master: 006944b856ee2202905290e8a2f5523a7877d444
    GnuPG-bug-id: 6252, 5144
    This has been backported to keep this, and only this, module in sync with master. All other changes from the original patch have been stripped.
* scd:nks: Implement writecert for the Signature card v2.
    Author: Werner Koch; Age: 2022-10-20; Files: 3; Lines: -8/+134
    * scd/iso7816.c (CMD_UPDATE_BINARY): New.
    (iso7816_update_binary): New.
    * scd/app-nks.c (do_deinit): Factor some code out to...
    (flush_fid_cache): new.
    (do_writecert): New.
    (app_select_nks): Register new handler.
    --
    This has been backported only to make the following backports easier. The code is only used in 2.3; for details see the original commit message.
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: c1663c690b29d2dea8bc782c42de5eca08a24cc9
    GnuPG-bug-id: 6252
* scd:nks: Fix certificate read problem with TCOS signature card v2.
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -0/+2
    * scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
    (do_readcert): Test for the app_id.
    --
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: 07aef873ebc77241e9a2be225537319f6fc15a41
    GnuPG-bug-id: 6252
* scd:nks: Fix remaining tries warning in --reset mode.
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -9/+10
    * scd/app-nks.c (do_change_pin): Change computation of 'remaining'.
    --
    Signed-off-by: Werner Koch <[email protected]>
    Backported-from-master: 2429e8559844e27de478d7e90834a714b3748834
    GnuPG-bug-id: 6252
* scd:nks: Add framework to support IDKey cards.
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -51/+124
    * scd/app-nks.c (NKS_APP_IDLM): New.
    (struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
    (do_learn_status): Always send CHV-STATUS.
    (find_fid_by_keyref): Basic support for IDLM only use.
    (do_learn_status_core): Ditto.
    (do_readcert): Ditto.
    (verify_pin): Ditto.
    (parse_pwidstr): Ditto.
    (do_with_keygrip): Ditto.
    (switch_application): Ditto.
    (app_select_nks): Fallback to IDLM.
    --
    Backported-from-master: 1f6a39092fe4b5f02bc4741a0a23d102d30f4063
    GnuPG-bug-id: 6252
    Also not directly required for the Signature Card 2.0, it is easier to port this patch as well.
* scd:nks: Get the PIN prompts right for the Signature Card
    Author: Werner Koch; Age: 2022-10-20; Files: 1; Lines: -56/+136
    * scd/app-nks.c (get_dispserialno): Move more to the top.
    (do_getattr): Add $DISPSERIALNO and SERIALNO. Make CHV-STATUS work with NKS15.
    (verify_pin): Use dedicated min. PIN lengths.
    (parse_pwidstr): Support NKS15
    --
    GnuPG-bug-id: 4938
    Signed-off-by: Werner Koch <[email protected]>
    (cherry picked from commit aecc008acb64ebbb6c667c4a128af4e61da57f84)