aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* card: Add password change menu for NKS cards.Werner Koch2020-06-251-4/+52
| | | | | | | | | * tools/gpg-card.c (cmd_passwd): Add menu for NKS. Add option --reset. -- Note that the resetting does not yet work due to some bug in app-scd.c
* sm: Fix support verification of nistp521 signatures.Werner Koch2020-06-251-1/+1
| | | | | | | | * sm/certcheck.c (do_encode_md): Fix obvious bug. -- Fixes-commit: 596212e71abf33b30608348b782c093dace83110 Signed-off-by: Werner Koch <[email protected]>
* agent: separate out daemon handling infrastructure for reuseJames Bottomley2020-06-247-583/+759
| | | | | | | | | | | | | | | | | | | | | | | | | | | * agent/call-scd.c: Factor re-usable code out to ... * agent/call-daemon.c: new. Store infos in an array to allow for other backend daemons. * agent/Makefile.am (gpg_agent_SOURCES): Add new file. * agent/agent.h: Include assuan.h. (enum daemon_type): New. (opt): Replace scdaemon_program by daemon_program array. Replace scd_local by a array d_local. Change users accordingly. -- The model I'm using for a TPM daemon is the current scdaemon. That includes start and stop handlers plus liveness checks and an assuan socket generator. To avoid massive code duplication (and save me a lot of effort), I've elected to strip this code out of call-scd.c into a generic framework which can then be reused as is by the TPM handling daemon. Signed-off-by: James Bottomley <[email protected]> Co-authored-by: Werner Koch <[email protected]> Modified original patch for 2.2 heavily to fit the new framework used in master (gnupg 2.3) Signed-off-by: Werner Koch <[email protected]>
* gpgconf: Fix regression in --launch and --kill from MarchWerner Koch2020-06-242-3/+7
| | | | | | | | | | | | * tools/gpgconf.h (gc_component_id_t): Align order with gc_component array. -- Fixes-commit: b4f1159a5bd7b2799d7d35e883e0632ebf3339c8 gpgconf: Rewrite the gpgconf-comp module from 2020-03-12 Signed-off-by: Werner Koch <[email protected]>
* agent: expose shadow key typeJames Bottomley via Gnupg-devel2020-06-244-17/+90
| | | | | | | | | | -- For TPM support it is necessary to indroduce another type of shadow key, so allow other agent functions to extract the type so they can make the right decisions based on it. Signed-off-by: James Bottomley <[email protected]> Minor editorial changes by wk
* gpg,agent: Support Ed448 signing.NIIBE Yutaka2020-06-248-99/+148
| | | | | | | | | | | | | | | | | | | * agent/pksign.c (do_encode_eddsa): First argument is NBITs, so that it can support Ed448, as well as Ed25519. (agent_pksign_do): Follow the change. * agent/sexp-secret.c (fixup_when_ecc_private_key): No fix-up needed for Ed448, it's only for classic curves. * common/openpgp-oid.c (oidtable): Add Ed448. * common/sexputil.c (get_pk_algo_from_key): Ed448 is only for EdDSA. * g10/export.c (match_curve_skey_pk): Ed448 is for EdDSA. * g10/keygen.c (gen_ecc): Support Ed448 with the name of "ed448". (ask_algo, parse_key_parameter_part): Handle "ed448". * g10/pkglue.c (pk_verify): Support Ed448. (pk_check_secret_key): Support Ed448. * g10/sign.c (hash_for): Defaults to SHA512 for Ed448. (make_keysig_packet): Likewise. Signed-off-by: NIIBE Yutaka <[email protected]>
* ecc: Use "cv448" to specify key using X448.NIIBE Yutaka2020-06-235-15/+23
| | | | | | | | | | | | | * common/openpgp-oid.c (oidtable): Use "cv448". (oid_cv448): Rename from oid_x448. (openpgp_oidbuf_is_cv448, openpgp_oid_is_cv448): Likewise. * common/util.h (openpgp_oid_is_cv448): Follow the change. * g10/ecdh.c (pk_ecdh_generate_ephemeral_key): Likewise. * g10/keygen.c (gen_ecc, ask_algo): Use "cv448". (parse_key_parameter_part): Likewise. * g10/pkglue.c (get_data_from_sexp): Fix for debug output. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent: Use get_pk_algo_from_key.NIIBE Yutaka2020-06-192-159/+1
| | | | | | | | * agent/findkey.c (key_parms_from_sexp, is_eddsa): Remove. (agent_pk_get_algo): Remove. * agent/pksign.c (agent_pksign_do): Use get_pk_algo_from_key. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent: Clean up for getting info from SEXP.NIIBE Yutaka2020-06-193-59/+23
| | | | | | | | | | * agent/agent.h (agent_is_dsa_key, agent_is_eddsa_key): Remove. (agent_pk_get_algo): New. * agent/findkey.c (agent_pk_get_algo): New. * agent/pksign.c (do_encode_dsa): Use generic GCRY_PK_ECC. (agent_pksign_do): Use agent_pk_get_algo. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent: A little clean up.NIIBE Yutaka2020-06-191-2/+0
| | | | | | | | | | | * agent/findkey.c (agent_is_eddsa_key): Remove dead case. -- There is no possibility the call of key_parms_from_sexp returns "eddsa". Signed-off-by: NIIBE Yutaka <[email protected]>
* agent: Fix regression in 'd' fixup code for shadowed keys.Werner Koch2020-06-171-0/+2
| | | | | | | | | * agent/sexp-secret.c (fixup_when_ecc_private_key): Ignore shadowed keys. -- Fixes-commit: 47c1c329ed823a562185f86e98ac903605104f11 Signed-off-by: Werner Koch <[email protected]>
* sm: Support verification of nistp521 signatures.Werner Koch2020-06-171-5/+8
| | | | | | | | | | | * sm/certcheck.c (do_encode_md): Take care of nistp521. -- That curve is a bit odd in that it does not match a common hash digest length. We fix that here for just this case instead of writing more general code to support all allowed cases (i.e. hash shorter than Q). Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix for new SOS changes when used with Libgcrypt < 1.8.6.Werner Koch2020-06-091-0/+27
| | | | | | | | | | * g10/free-packet.c (is_mpi_copy_broken): New. (my_mpi_copy): Mix gcry_mpi_copy. -- Note that in this case it is better to do a runtime check. Signed-off-by: Werner Koch <[email protected]>
* gpg: Extend the TRUST_ status lines.Werner Koch2020-06-092-22/+63
| | | | | | | | | * g10/pkclist.c (write_trust_status): Add arg mbox. (check_signatures_trust): Appenmd mbox to the status lines. -- GnuPG-bug-id: 4735 Signed-off-by: Werner Koch <[email protected]>
* gpg: Use bytes for ECDH.NIIBE Yutaka2020-06-094-60/+64
| | | | | | | | | | | | | | | * g10/ecdh.c (extract_secret_x): Use byte * instead of MPI. (prepare_ecdh_with_shared_point): Use char * instead of MPI. (pk_ecdh_encrypt_with_shared_point): Likewise. (pk_ecdh_decrypt): Likewise. * g10/pkglue.h (pk_ecdh_encrypt_with_shared_point, pk_ecdh_decrypt): Change declaration. * g10/pkglue.c (get_data_from_sexp): New. (pk_encrypt): Use get_data_from_sexp instead of get_mpi_from_sexp. Follow the change of pk_ecdh_encrypt_with_shared_point. * g10/pubkey-enc.c (get_it): Follow the change of pk_ecdh_decrypt. Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Add X448 support.NIIBE Yutaka2020-06-094-2/+70
| | | | | | | | | | | | | * common/openpgp-oid.c (oidtable): Add X448. (oid_x448,openpgp_oidbuf_is_x448,openpgp_oid_is_x448): New. * common/util.h (openpgp_oid_is_x448): New. * g10/ecdh.c (gen_k): Add handling of opaque MPI and support endianness. (pk_ecdh_generate_ephemeral_key): X448 requires opaque MPI. * g10/keygen.c (gen_ecc): Add support for X448. (ask_algo, parse_key_parameter_part): Likewise. Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg,ecc: Handle external representation as SOS with opaque MPI.NIIBE Yutaka2020-06-099-59/+316
| | | | | | | | | | | | | | | | | | | | * g10/pkglue.h (sexp_extract_param_sos): New. * g10/build-packet.c (sos_write): New. (do_key, do_pubkey_enc, do_signature): Use sos_write for ECC. * g10/export.c (cleartext_secret_key_to_openpgp): Use sexp_extract_param_sos. (transfer_format_to_openpgp): Use opaque MPI for ECC. * g10/keygen.c (ecckey_from_sexp): Use sexp_extract_param_sos. * g10/keyid.c (hash_public_key): Handle opaque MPI for SOS. * g10/parse-packet.c (sos_read): New. (parse_pubkeyenc,parse_signature,parse_key): Use sos_read for ECC. * g10/pkglue.c (sexp_extract_param_sos): New. (pk_verify): Handle opaque MPI for SOS. (pk_encrypt): Use sexp_extract_param_sos. * g10/seskey.c (encode_session_key): Use opaque MPI. * g10/sign.c (do_sign): Use sexp_extract_param_sos. Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: If possible TRUST values now depend on signer's UID or --sender.Werner Koch2020-06-086-49/+204
| | | | | | | | | | | | | | * g10/mainproc.c (check_sig_and_print): Add failsafe check for PK. Pass KEYBLOCK down do check_signatures_trust. Protect existsing error ocde in case the signature expired. * g10/pkclist.c (is_in_sender_list): New. (check_signatures_trust): Add args keyblock and pk. Add new uid based checking code. * g10/test-stubs.c, g10/gpgv.c: Adjust stubs. -- GnuPG-bug-id: 4735 Signed-off-by: Werner Koch <[email protected]>
* build: Fix recent commit for SOURCE_DATE_EPOCH.Werner Koch2020-06-083-4/+4
| | | | | | | | | | -- Fixes-commit: 074ab108e768b2f946d789c1f3a7f14a65e07c52 which was recently pushed to make use of $SOURCE_DATE_EPOCH as fallback. Also fixes two typos
* doc: Minor code comment fixes.Werner Koch2020-06-086-6/+10
| | | | --
* agent: Fix the condition to detect leading 0x00 problem.NIIBE Yutaka2020-06-081-5/+16
| | | | | | | * agent/sexp-secret.c (fixup_when_ecc_private_key): Use curve name to identify the issue. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent,ecc: Use of opaque MPI for ECC, fixup 'd'.NIIBE Yutaka2020-06-055-16/+151
| | | | | | | | | | | * agent/Makefile.am: Add sexp-secret.c. * agent/agent.h: New function declarations. * agent/sexp-secret.c: New. * agent/findkey.c (agent_key_from_file): Use sexp_sscan_private_key. * agent/protect-tool.c (read_and_unprotect): Fix up private part, calling fixup_when_ecc_private_key. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent: For ECC, use opaque MPI for key representation.NIIBE Yutaka2020-06-051-20/+69
| | | | | | | | | | * agent/cvt-openpgp.c (scan_pgp_format): New with SOS support. (do_unprotect): Use scan_pgp_format, handle opaque MPI for ECC. (convert_from_openpgp_main): Use opaque MPI for ECC. (apply_protection): Set GCRYMPI_FLAG_USER1 flag for encrypted secret. (extract_private_key): Use "/qd" for ECC, opaque MPI. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent,ssh: Tighten condition for EdDSA.NIIBE Yutaka2020-06-051-2/+1
| | | | | | | * agent/command-ssh.c (ssh_key_to_blob): Prepare for non-prefixed point representation of EdDSA. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent: Remove duplicated code for EdDSA.NIIBE Yutaka2020-06-051-30/+10
| | | | | | | * agent/command-ssh.c (ssh_receive_key): Curve is "Ed25519". Use sexp_key_construct always. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent: Clean up do_encode_md.NIIBE Yutaka2020-06-051-13/+3
| | | | | | * agent/pksign.c (do_encode_md): Directly use sexp_build. Signed-off-by: NIIBE Yutaka <[email protected]>
* doc: Minor enhancement for reproducibility.Werner Koch2020-06-031-0/+2
| | | | | | | | * doc/Makefile.am (defsincdate): In no repo mode and with SOURCE_DATE_EPOCH set, use that instead of blanking the date. -- GnuPG-bug-id: 4947
* card: Improve openpgp key writing in "writecert".Werner Koch2020-06-033-4/+114
| | | | | | | | | | * tools/card-keys.c (struct export_key_status_parm_s): New. (export_key_status_cb): New. (get_minimal_openpgp_key): New. * tools/gpg-card.c (cmd_writecert): Allow writing a keyblock directly from an existing gpg key. Signed-off-by: Werner Koch <[email protected]>
* gpg: Improve generation of keys stored on card (brainpool,cv25519).Werner Koch2020-06-031-28/+48
| | | | | | | | | | | | | | | | | | | | | | | | | * g10/keygen.c (ask_key_flags_with_mask): Allow more than ECDH for legacy curves. (ask_algo): Tweak mapping of ECC to OpenPGP algos (parse_key_parameter_part): Ditto. (generate_subkeypair): Create the subkey with the time stored on the card. -- This fixes two problems with generating keys from a card: 1. The key usage is now set correctly for brainpool curves. 2. The add-key and --quick-add-key commands now also take the creation time from the time stored on the card. Without that we would need to update the creation time and fingerprint already stored on the card which is a no-go if another key has already been created using that on-card key. Note: To create a key on a card without an OpenPGP keyblock use gpg-card. Signed-off-by: Werner Koch <[email protected]>
* sm: Fix recently introduced regression in CSR creation.Werner Koch2020-06-031-1/+5
| | | | | | | | * sm/certreqgen.c (create_request): Also set SIGKEYLEN. -- Fixes-commit: 44676819f2873705b78849e7b2fd22214b691642 Signed-off-by: Werner Koch <[email protected]>
* scd: Fix condition for C5 data object for newer Yubikey.NIIBE Yutaka2020-05-291-1/+1
| | | | | | | * scd/app-openpgp.c (compare_fingerprint): Relax the condition. GnuPG-bug-id: 4957 Signed-off-by: NIIBE Yutaka <[email protected]>
* card: Allow to store and retrieve keyblocks in OpenPGP cards.Werner Koch2020-05-282-6/+92
| | | | | | | | | | | | * tools/gpg-card.c: Include tlv.h. (cmd_writecert): Add option --openpgp. (cmd_readcert): Ditto. -- We use the CERT object for this and encapsulate the key block in a CMS object. Signed-off-by: Werner Koch <[email protected]>
* card: New command "apdu"Werner Koch2020-05-284-9/+108
| | | | | | | | | | | | | | | * tools/card-call-scd.c (scd_apdu): Add optional arg 'options'. * tools/gpg-card.c (cmd_apdu): New. (enum cmdids): Add cmdAPDU. (dispatch_command): Add command "apdu". (interactive_loop): Ditto. -- This command is hidden because it can be used to brick a card. The command is basically the same as sending "scd apdu" in gpg-connect-agent but here we do full decoding and printing in hex. Signed-off-by: Werner Koch <[email protected]>
* card: Update card info after "generate".Werner Koch2020-05-271-0/+8
| | | | | | * tools/gpg-card.c (cmd_generate): Re-read the card on success. Signed-off-by: Werner Koch <[email protected]>
* scd:openpgp: New KEY-STATUS attribute.Werner Koch2020-05-272-1/+18
| | | | * scd/app-openpgp.c (do_getattr): Return KEY-STATUS
* card: Add command "bye"Werner Koch2020-05-272-1/+2
| | | | | * tools/gpg-card.c: Add command "bye" as alias for "quit". * tools/gpg-connect-agent.c (main): Add "/quit" as alias for "/bye"
* card: Take care of removed and re-inserted cards.Werner Koch2020-05-272-4/+19
| | | | | | | | * tools/gpg-card.c (cmd_list): Take care of the need_sn_cmd flag. (cmd_factoryreset): Clear that flag. (dispatch_command): Set flag after a reset and after a CARD_NOT_PRESENT error. --
* card: Implement UID command and print capabilities.Werner Koch2020-05-263-6/+131
| | | | | | | | | | | * tools/card-call-scd.c (learn_status_cb): Return the full value for UIF. Add info about SM, MCL3, and PD. * tools/gpg-card.h (struct card_info_s): Add corresponding fields. * tools/gpg-card.c (list_openpgp): Print capabilities. Print the permanent flag for UIF. (cmd_uif): Implement. Signed-off-by: Werner Koch <[email protected]>
* scd:openpgp: Add attribute "UIF" for convenience.Werner Koch2020-05-261-5/+11
| | | | | | | | | | | | * scd/app-openpgp.c (do_getattr): New attrubute "UIF". (do_learn_status): Use that. -- Actually this is not just convenience but will make it easier to add new keys to an openpgp card - we will need to change this only at one place. Signed-off-by: Werner Koch <[email protected]>
* scd: Fix Yubikey app switching problemWerner Koch2020-05-261-4/+12
| | | | | | | | | | | | | | * scd/app.c (select_all_additional_applications_internal): Re-select first app. Add arg 'ctrl'. -- Usually keygrip based access to the Yubikey does a switching back and forth and thus keeps the card and scdaemon's internal state in sync. However, if we do only a listing scdaemon did not reselect the first application (e.g. OpenPGP) after adding other applications (e.g. PIV) and thus led to wrong info returned in a listing. Signed-off-by: Werner Koch <[email protected]>
* gpg: Clean up ECDH code path (5).NIIBE Yutaka2020-05-223-117/+136
| | | | | | | | | | | * g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Now, it's only for encrytion. (pk_ecdh_decrypt): Use prepare_ecdh_with_shared_point and move decrypt code path in original pk_ecdh_encrypt_with_shared_point here. * g10/pkglue.h (pk_ecdh_encrypt_with_shared_point): Change API. * g10/pkglue.c (pk_encrypt): Follow the change. Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Clean up ECDH code path (4).NIIBE Yutaka2020-05-221-167/+186
| | | | | | | | * g10/ecdh.c (prepare_ecdh_with_shared_point): New. (pk_ecdh_encrypt_with_shared_point): Fixing error paths for closing the cipher handle, use prepare_ecdh_with_shared_point. Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Clean up ECDH code path (3).NIIBE Yutaka2020-05-221-36/+52
| | | | | | | * g10/ecdh.c (derive_kek): New. (pk_ecdh_encrypt_with_shared_point): Use derive_kek. Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Clean up ECDH code path (2).NIIBE Yutaka2020-05-221-65/+72
| | | | | | | | * g10/ecdh.c (build_kdf_params): New. (pk_ecdh_encrypt_with_shared_point): Use build_kdf_params, and check things before extract_secret_x. Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Clean up ECDH code path (1).NIIBE Yutaka2020-05-221-49/+61
| | | | | | | * g10/ecdh.c (extract_secret_x): New. (pk_ecdh_encrypt_with_shared_point): Use extract_secret_x. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: dns: Fix allocation of string buffer in stack.NIIBE Yutaka2020-05-202-26/+32
| | | | | | | | | | | | | | | | | | | | | * dirmngr/dns.h (dns_strsection, dns_strclass) (dns_strtype): Change APIs. * dirmngr/dns.c (dns_p_lines): Use __dst for dns_strsection. (dns_rr_print): Use __dst for dns_strclass and dns_strtype. (dns_trace_dump): Likewise. (dns_ai_print): Use __dst for dns_strtype. (dns_strsection): Add an argument __dst for storage. (dns_strclass, dns_strtype): Likewise. (parse_packet): Use __dst for dns_strsection. (send_query): Use __dst for dns_strtype. (isection): Use __dst for dns_strsection. (iclass): Use __dst for dns_strclass. (itype): Use __dst for dns_strtype. GnuPG-bug-id: 4934 Reported-by: Tomas Mraz Fixes-commit: 455ef62d29a112de05897139716265d07e4c6ae3 Signed-off-by: NIIBE Yutaka <[email protected]>
* sm: Create ECC certificates with AKI and SKI by default.Werner Koch2020-05-192-33/+145
| | | | | | | | * sm/certreqgen.c (create_request): Create AKI and SKI by default. -- GnuPG-bug-id: 4098 Signed-off-by: Werner Koch <[email protected]>
* common: New function to extract Q from an ECC key.Werner Koch2020-05-192-1/+93
| | | | | | * common/sexputil.c (get_ecc_q_from_canon_sexp): New. Signed-off-by: Werner Koch <[email protected]>
* sm: Support creation of EdDSA certificates.Werner Koch2020-05-184-63/+183
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/misc.c (transform_sigval): Support EdDSA. * sm/certreqgen.c (create_request): Support EdDSA cert creation. * sm/certcheck.c (gpgsm_check_cert_sig): Map some ECC algo OIDs to hash algos. * sm/call-agent.c (struct sethash_inq_parm_s): New. (sethash_inq_cb): New. (gpgsm_agent_pksign): Add mode to pass plain data for EdDSA. -- Tested using a parameter file Key-Type: EdDSA Key-Length: 1024 Key-Grip: 09D9AE3D494F7888C93BE5106AD8A734A87617F0 Key-Usage: sign Serial: random Name-DN: CN=dummy test ed25519 where the keygrip is from a gpg generated Ed25519 key. ECDSA was tested using Key-Type: ECDSA Key-Length: 1024 Key-Grip: 8E06A180EFFE4C65B812150CAF19BF30C0689A4C Key-Usage: sign Serial: random Name-DN: CN=dummy test nistp256 and RSA using Key-Type: RSA Key-Length: 2048 Key-Grip: C6A6390E9388CDBAD71EAEA698233FE5E04F001E Key-Usage: sign Serial: random Name-DN: CN=dummy test rsa The command used in all cases is gpgsm -v --gen-key --batch a.parm >a.crt gpgsm -v --import <a.crt More support, in particular in the user interface, is required and will follow soon. GnuPG-bug-id: 4888 Signed-off-by: Werner Koch <[email protected]>
* agent: Allow to use SETHASH for arbitrary data.Werner Koch2020-05-187-30/+102
| | | | | | | | | | | | | | | | | | | * agent/agent.h (struct server_control_s): Add field digest.data. * agent/gpg-agent.c (agent_deinit_default_ctrl): Free that field. * agent/command.c (reset_notify): Ditto. (start_command_handler): ditto. (cmd_sethash): Add new option --inquire. * agent/call-scd.c (agent_card_pksign): For now return an error if inquire mode was used. * agent/command-ssh.c (ssh_handler_sign_request): Make sure digest.data is cleared. * agent/divert-scd.c (divert_pksign): Implement inquire mode. * agent/pksign.c (agent_pksign_do): Ditto. -- This is required to support EdDSA according to RFC8410. GnuPG-bug-id: 4888
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-10 02:25:31 +0000