aboutsummaryrefslogtreecommitdiffstats
path: root/doc/DETAILS (follow)
Commit message (Collapse)AuthorAgeFilesLines
* gpg: New export option "mode1003".Werner Koch2022-12-021-0/+8
| | | | | | | | | | | | | | | | | | | | | | * agent/command.c (cmd_export_key): Add option --mode1003. (command_has_option): Ditto. * g10/build-packet.c (do_key): Implement mode 1003. * g10/parse-packet.c (parse_key): Ditto. * g10/options.h (EXPORT_MODE1003): New.o * g10/call-agent.c (agent_export_key): Add arg mode1003. * g10/export.c (parse_export_options): Add "mode1003" (secret_key_to_mode1003): New. (receive_seckey_from_agent): Add arg mode1003. (do_export_one_keyblock): Pass option down. -- This option allows to export a secret key in GnuPG's native format. Thus no re-encryption is required and further the public key parameters are also authenticated if a protection passphrase has been used. Note that --import is not yet able to handle this new mode. Although old version of GnuPG will bail out with "invalid packet" if a mode1003 exported secret key is seen.
* dirmngr: Silence ocsp debug output.Werner Koch2022-11-251-0/+4
| | | | | | | * dirmngr/ocsp.c (check_signature_core): No debug output -- Also typo and doc fixes.
* agent: Allow trustlist on Windows in Unicode homedirs.Werner Koch2022-11-101-8/+13
| | | | * agent/trustlist.c (agent_marktrusted): Use gnupg_access.
* doc: Keep list of RFCs only in DETAILSWerner Koch2022-09-161-1/+9
| | | | --
* gpg: Support key flags for RENC, TIME, and GROUP.Werner Koch2022-09-071-0/+17
| | | | | | | | | | | | | | | | | | * g10/packet.h (PUBKEY_USAGE_RENC): New. (PUBKEY_USAGE_TIME): New. (PUBKEY_USAGE_GROUP): New. * g10/getkey.c (parse_key_usage): Set the new key flags. * g10/keyedit.c (show_key_with_all_names_colon): Show the new key flags. * g10/keyid.c (usagestr_from_pk): Ditto * g10/keylist.c (print_capabilities): Ditto. * g10/keygen.c (parse_usagestr): Parse line and set new flags. (quickgen_set_para): Show flags. -- See draft-koch-openpgp-2015-rfc4880bis-00 for the current version. Actually these flags have been in the draft for years now. This patch is a first step to make use of them.
* dirmngr: Support ECDSA for OCSP.Werner Koch2022-02-271-0/+2
| | | | | | | | | | | | * dirmngr/validate.c (pk_algo_from_sexp): Make public. Support ECC. * dirmngr/ocsp.c (check_signature): Remove hash preparation out to ... (check_signature_core): here. This changes the arg s_hash to md. Support ECDSA. -- The test was done with my qualified signature certificate from the Telesec and their responder http://tqrca1.ocsp.telesec.de/ocspr . See also libksba commit rK24992a4a7a61d93759e1dbd104b845903d4589bf
* gpg: Remove stale ultimately trusted keys from the trustdb.Werner Koch2021-11-131-1/+1
| | | | | | | | | | | | | | | | * g10/tdbdump.c (export_ownertrust): Skip records marked with the option --trusted-key. (import_ownertrust): Clear the trusted-key flag. * g10/tdbio.h (struct trust_record): Add field flags. * g10/tdbio.c (tdbio_dump_record): Improve output. (tdbio_read_record, tdbio_write_record): Handle flags. * g10/trustdb.c (verify_own_keys): Clear stale trusted-keys and set the flag for new --trusted-keys. (tdb_update_ownertrust): Add arg as_trusted_key. Update callers. -- GnuPG-bug-id: 5685 Signed-off-by: Werner Koch <[email protected]>
* sm: Support AES-GCM decryption.Werner Koch2021-06-021-0/+2
| | | | | | | | | | | | * tests/cms/samplemsgs/: Add sample messages. * sm/gpgsm.c (main): Use gpgrt_fcancel on decryption error. * sm/decrypt.c (decrypt_gcm_filter): New. (gpgsm_decrypt): Use this filter if requested. Check authtag. -- Note that the sample message pwri-sample.gcm.p7m is broken: The authtag is duplicated to the authEncryptedContentInfo. I used a temporary code during testing hack to that test message out.
* A few minor code cleanups and typo fixes.Werner Koch2021-05-111-0/+1
| | | | | | | | | | * agent/command-ssh.c (ssh_handler_request_identities): Remove double check of ERR. * g10/getkey.c (get_pubkey_byname): Remove double use of break. * g10/pkglue.c (pk_encrypt): Handle possible NULL-ptr access due to failed malloc. Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Fix last commit and improve D-TRUST detection.Werner Koch2021-04-251-1/+3
| | | | | | | | * scd/app-p15.c (read_p15_info): Improve D-TRUST card detection. (do_getattr): Fix faulty code for the last commit. Append the product name to MANUFACTURER. Signed-off-by: Werner Koch <[email protected]>
* doc: Typo fixWerner Koch2021-04-231-1/+1
| | | | --
* scd:p15: Support attribute KEY-FPR.Werner Koch2021-04-161-0/+3
| | | | | | | | | | | | | * scd/app-p15.c: Include openpgpdefs.h. (struct prkdf_object_s): Add fields have_keytime and ecdh_kdf. (read_p15_info): Set ecdh_kdf. (keygrip_from_prkdf): Flag that we have the keytime. (send_keypairinfo): Send the key time only if valid. (send_key_fpr_line): New. (send_key_fpr): New. (do_getattr): Add KEY-FPR. Signed-off-by: Werner Koch <[email protected]>
* doc: Add some error locations to DETAILS.Werner Koch2021-04-061-0/+18
| | | | | | | -- This should actually be enhanced to describe all error locations as known by GPGME.
* scd:p15: Return labels for keys and certificates.Werner Koch2021-03-301-6/+28
| | | | | | | * scd/app-p15.c (send_certinfo): Extend certinfo. (do_getattr): Support KEY-LABEL. Signed-off-by: Werner Koch <[email protected]>
* scd:p15: Return the creation time of the keys.Werner Koch2021-03-301-0/+7
| | | | | | | | * scd/app-p15.c (struct prkdf_object_s): Add keytime and keyalgostr. (keygrip_from_prkdf): Set them. (send_keypairinfo): Extend KEYPAIRINFO. Signed-off-by: Werner Koch <[email protected]>
* doc: Always use --edit-key and not just the --edit abbreviation.Werner Koch2021-03-111-1/+1
| | | | | | -- Reported-by: Carl Michael Skog
* scd:p15: Support special extended usage flags for OpenPGP keys.Werner Koch2021-03-101-0/+5
| | | | | | | | | | | | | | | | | | * scd/app-p15.c (struct gpgusage_flags_s): New. (struct prkdf_object_s): Add field gpgusage. (struct app_local_s): Add field any_gpgusage. (dump_gpgusage_flags): New. (read_p15_info): Parse athe gpgusage flags. (do_getattr): Take care of the gpgusage flags. -- This features allows to mark keys to be used for OpenPGP. This is done by putting additional extended key infos into the certificate stored on the cards. Only if any such extended key usage is detected for a stored certificate this new mode chimes in. This feature gives the card issuer a high flexibility on how to make sure certain keys are used with OpenPGP.
* dirmngr: Support new gpgNtds parameter in LDAP keyserver URLs.Werner Koch2021-02-171-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | * dirmngr/ldap-parse-uri.c (ldap_parse_uri): Support a new gpgNtds extension. * dirmngr/ks-engine-ldap.c (my_ldap_connect): Do ldap_init always with hostname - which is NULL and thus the same if not given. Fix minor error in error code handling. -- Note that "gpgNtds" is per RFC-4512 case insensitive and has not yet been officially regisetered. Thus for correctness the OID can be used: 1.3.6.1.4.1.11591.2.5 LDAP URL extensions 1.3.6.1.4.1.11591.2.5.1 gpgNtds=1 (auth. with current user) Note that the value must be 1; all other values won't enable AD authentication and are resevered for future use. This has been cherry-picked from the 2.2 branch, commit 55f46b33df08e8e0ea520ade5f73b321bc01d705 Signed-off-by: Werner Koch <[email protected]>
* card: Run factory-reset in locked stated.Werner Koch2020-11-091-0/+1
| | | | | | | | | | | | | | | | * scd/command.c (reset_notify): Add option --keep-lock. (do_reset): Add arg keep_lock. (cmd_lock): Send progress status. * g10/call-agent.c (agent_scd_apdu): Add more pseudo APDUs. * g10/card-util.c (send_apdu): Ditto. (factory_reset): Use lock commands. -- This is required so that for example Kleopatra does not detect the RESET and issues a SERIALNO of its own, thus conflicting with our SERIALNO undefined. Signed-off-by: Werner Koch <[email protected]>
* keyboxd: Extend PUBKEY_INFO status line with an uid ordinal.Werner Koch2020-09-221-1/+5
| | | | | | | | | | | | | | | | | | | | * kbx/backend-sqlite.c (table_definitions): Add column UINO to userids. (be_sqlite_local_s): Add fields select_col_uidno and select_col_subkey. (run_select_statement): Also select subkey or uidno column. (be_sqlite_search): Return their values. (store_into_userid): Store the UIDNO. * kbx/backend-support.c (be_return_pubkey): Extend PUBKEY_INFO. -- For an existing database adding the new column to the table userid is straightforward. However if the original version of the schema used an integer for the keyid column, that column has likely be renamed. Make sure that the NOT NULL constraint has also be removed; check the SQLite documentation on how this can be done. Signed-off-by: Werner Koch <[email protected]>
* scd: Extend KEYPAIRINFO with an algorithm string.Werner Koch2020-09-211-4/+5
| | | | | | | | | | | | | | | | | | | | | | * scd/app-openpgp.c (send_keypair_info): Emit the algo string as part of a KEYPAIRINFO. * scd/command.c (do_readkey): Ditto. * scd/app-piv.c (do_readkey): Ditto. * scd/app-nks.c (do_learn_status_core): Ditto. (struct fid_cache_s): Add field algostr. (flush_fid_cache): Release it. (keygripstr_from_pk_file): Fill it and add it to the cache. Use a single exit label. * scd/app-help.c (app_help_get_keygrip_string_pk): Add new arg r_algostr. Change all callers. -- This is helpful so that callers do not need to parse the key for this basic information. Use "scd readkey --info-only" to return the info status line instead of the key material; using just --info returns the info in addition to the key material. Signed-off-by: Werner Koch <[email protected]>
* doc: Some documentation updates.Werner Koch2020-09-211-0/+6
| | | | | | -- Also fixed some typos and documented soon to be used OIDs
* keyboxd: Add ephemeral and revoked flag to the sqlite backend.Werner Koch2020-09-111-1/+5
| | | | | | | | | | | | | | | | * kbx/backend-support.c (be_return_pubkey): Add args is_ephemeral and is_revoked. Adjust callers. * kbx/backend-sqlite.c: Alter table pubkey to add new columns. (run_select_statement): Add new column to all selects. (be_sqlite_search): Return the new flags. -- For existing test databases the new column can be added with: alter table pubkey add ephemeral integer not null default 0; alter table pubkey add revoked integer not null default 0; Signed-off-by: Werner Koch <[email protected]>
* scd: Parse "Algorithm Information" data object in scdaemon.NIIBE Yutaka2020-09-041-0/+6
| | | | | | | | * scd/app-openpgp.c (data_objects): 0x00FA for binary data. (do_getattr): Parse the data and send it in status lines. (get_algorithm_attribute_string): New. Signed-off-by: NIIBE Yutaka <[email protected]>
* doc: Fix typosGavin L. Rebeiro2020-08-281-1/+1
| | | | --
* doc: Add a list of RFCS to DETAIL.Werner Koch2020-08-131-0/+13
| | | | --
* gpgconf: New option --chuid.Werner Koch2020-08-061-1/+1
| | | | | | | | * tools/gpgconf.c (oChUid, opts): New option --chuid. (main): Implement. -- Signed-off-by: Werner Koch <[email protected]>
* sm: Also show the SHA-256 fingerprint.Werner Koch2020-08-041-2/+3
| | | | | | | | * sm/keylist.c (list_cert_colon): Emit a new "fp2" record. (list_cert_raw): Print the SHA2 fingerprint. (list_cert_std): Ditto. Signed-off-by: Werner Koch <[email protected]>
* gpg: Extend the TRUST_ status lines.Werner Koch2020-06-091-11/+32
| | | | | | | | | * g10/pkclist.c (write_trust_status): Add arg mbox. (check_signatures_trust): Appenmd mbox to the status lines. -- GnuPG-bug-id: 4735 Signed-off-by: Werner Koch <[email protected]>
* card: Allow to store and retrieve keyblocks in OpenPGP cards.Werner Koch2020-05-281-0/+2
| | | | | | | | | | | | * tools/gpg-card.c: Include tlv.h. (cmd_writecert): Add option --openpgp. (cmd_readcert): Ditto. -- We use the CERT object for this and encapsulate the key block in a CMS object. Signed-off-by: Werner Koch <[email protected]>
* scd:openpgp: New KEY-STATUS attribute.Werner Koch2020-05-271-0/+8
| | | | * scd/app-openpgp.c (do_getattr): Return KEY-STATUS
* sm: Print the key types as standard key algorithm strings.Werner Koch2020-05-071-2/+2
| | | | | | | | | | | | | | | | * sm/fingerprint.c (gpgsm_get_key_algo_info): Factor code out to ... (gpgsm_get_key_algo_info2): new. (gpgsm_pubkey_algo_string): New. * sm/keylist.c (list_cert_colon): Put curve into field 17 (list_cert_raw): Print the unified key algotithm string instead of the algo and size. (list_cert_std): Ditto. -- It is important to known whether a 256 bit ECC uses a NIST or a Brainpool curve. Signed-off-by: Werner Koch <[email protected]>
* scd: Factor common PIN status check out.Werner Koch2020-04-071-1/+1
| | | | | | | | | | | | | | * scd/iso7816.h (ISO7816_VERIFY_ERROR): New. (ISO7816_VERIFY_NO_PIN): New. (ISO7816_VERIFY_BLOCKED): New. (ISO7816_VERIFY_NULLPIN): New. (ISO7816_VERIFY_NOT_NEEDED): New. * scd/iso7816.c (iso7816_verify_status): New. * scd/app-nks.c (get_chv_status): Use new function. * scd/app-piv.c (get_chv_status): Ditto. (verify_chv): Ditto. Signed-off-by: Werner Koch <[email protected]>
* scd:openpgp: New attribute "MANUFACTURER".Werner Koch2020-04-031-0/+7
| | | | | | | | | | | | * scd/app-openpgp.c (get_manufacturer): New.. (do_getattr): Add new attribute "MANUFACTURER". (do_learn_status): Always print it. -- This will make it easy to maintain the list of OpenPGP vendors at just one place. Signed-off-by: Werner Koch <[email protected]>
* doc: Correction of typo in documentation of KEY_CONSIDEREDNick Piper2020-02-181-1/+1
| | | | Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* scd:openpgp: Return key creation time as part of KEYPARIINFO.Werner Koch2020-02-131-0/+14
| | | | | | | | | | | | | * scd/app-openpgp.c (send_keypair_info): Reaturn the key creation time as part of a KEYPAIRINFO. (do_readkey): Do not return the KEY-TIME anymore. -- Sending the KEY_TIME status as part of a READKEY command was only recently added. It is better to merge that into the KEYPAIRINFO line. Another patch with chnage this for the consumers of that info. Signed-off-by: Werner Koch <[email protected]>
* kbx: Redefine the UBID which is now the primary fingerprint.Werner Koch2019-11-281-5/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * common/util.h (UBID_LEN): New. Use it at all places. * kbx/keybox-blob.c (create_blob_finish): Do not write the UBID item. * kbx/keybox-dump.c (print_ubib): Remove. (_keybox_dump_blob): Do not print the now removed ubid flag. * kbx/keybox-search-desc.h (struct keydb_search_desc): Use constants for the size of the ubid and grip. * kbx/keybox-search.c (blob_cmp_ubid): New. (has_ubid): Make it a simple wrapper around blob_cmp_ubid. (keybox_get_data): Add arg 'r_ubid'. * kbx/frontend.h (enum kbxd_store_modes): New. * kbx/kbxserver.c (cmd_store): Add new option --insert. * kbx/backend-cache.c (be_cache_initialize): New. (be_cache_add_resource): Call it here. * kbx/backend-kbx.c (be_kbx_seek): Remove args 'fpr' and 'fprlen'. (be_kbx_search): Get the UBID from keybox_get_data. * kbx/backend-support.c (be_fingerprint_from_blob): Replace by ... (be_ubid_from_blob): new. Change all callers. * kbx/frontend.c (kbxd_add_resource): Temporary disable the cache but use the new cache init function. (kbxd_store): Replace arg 'only_update' by 'mode'. Seek using the ubid. Take care of the mode. -- It turned out that using the hash of the entire blob was not helpful. Thus we redefine the Unique-Blob-ID (UBID) as the primary fingerprint of the blob. In case this is a v5 OpenPGP key a left truncated version of the SHA-256 hash is used; in all other cases the full SHA-1 hash. Using a SHA-256 hash does not make sense because v4 keys are and will for some time be the majority of keys and thus padding them with zeroes won't make any difference. Even if fingerprint collisions can eventually be created we will assume that the keys are bogus and that it does not make sense to store its twin also in our key storage. We can also easily extend the update code to detect a collision and reject the update. Signed-off-by: Werner Koch <[email protected]>
* dirmngr,gpg: Better diagnostic in case of bad TLS certificates.Werner Koch2019-11-181-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | * doc/DETAILS: Specify new status code "NOTE". * dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a bad TLS certificate. * g10/call-dirmngr.c (ks_status_cb): Detect this status. -- For example a gpg -v --locate-external-keys [email protected] now yields gpg: Note: server uses an invalid certificate gpg: (further info: bad cert for 'posteo.net': \ Hostname does not match the certificate) gpg: error retrieving '[email protected]' via WKD: Wrong name gpg: error reading key: Wrong name (without -v the "further info" line is not shown). Note that even after years Posteo is not able to provide a valid certificate for their .net addresses. Anyway, this help to show the feature. Signed-off-by: Werner Koch <[email protected]>
* doc: Improved description of status PLAINTEXT_LENGTH.Werner Koch2019-11-071-1/+4
| | | | | | -- GnuPG-bug-id: 4741
* Merge branch 'switch-to-gpgk' into masterWerner Koch2019-09-271-0/+12
|\ | | | | | | | | | | | | | | | | | | | | | | -- Resolved Conflicts: * common/asshelp.c: Keep the new code in master for spawing under Windows. * g10/Makefile.am: Keep all new file. * g10/photoid.c: Pass CTRL to pct_expando. Signed-off-by: Werner Koch <[email protected]>
| * kbx,gpg: Allow lookup using a UBID.Werner Koch2019-09-271-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | * common/userids.c (classify_user_id): Detect UBIDs. * kbx/backend-cache.c (blob_table_put): Store the public key type. (be_cache_search): Add search mode for UBIDs. * kbx/backend.h (struct db_request_part_s): Add cache.seqno_ubid. * g10/keydb.c (keydb_search_desc_dump): Fix printing of keygrip. Add ubid printing. * g10/call-keyboxd.c (keydb_search): Support search by UBID. Signed-off-by: Werner Koch <[email protected]>
| * doc: Minor doc updates and a typo fix.Werner Koch2019-09-251-6/+6
| | | | | | | | --
| * kbx: Add framework for the SEARCH commandWerner Koch2019-08-061-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * kbx/backend-kbx.c: New. * kbx/backend-support.c: New. * kbx/backend.h: New. * kbx/frontend.c: New. * kbx/frontend.h: New. * kbx/kbxserver.c: Implement SEARCH and NEXT command. * kbx/keybox-search-desc.h (enum pubkey_types): New. * kbx/keybox-search.c (keybox_get_data): New. * kbx/keyboxd.c (main): Add a standard resource. Signed-off-by: Werner Koch <[email protected]>
* | doc: Fix description of the field 11.NIIBE Yutaka2019-07-161-2/+3
|/ | | | | | | * doc/DETAILS: Fix. GnuPG-bug-id: 4105 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Allow direct key generation from card with --full-gen-key.Werner Koch2019-04-021-0/+1
| | | | | | | | | | | | | | | * g10/call-agent.c (agent_scd_readkey): New. * g10/keygen.c (ask_key_flags): Factor code out to .. (ask_key_flags_with_mask): new. (ask_algo): New mode 14. -- Note that this new menu 14 is always displayed. The usage flags can be changed only in --expert mode, though. Creating and using signing keys works but decryption does not yet work; we will need to tweak a couple of other places for that. Tested with a Yubikey's PIV app. Signed-off-by: Werner Koch <[email protected]>
* doc: fix spelling mistakesDaniel Kahn Gillmor2018-10-241-6/+6
| | | | Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* gpg: Print revocation reason for "rvs" records.Werner Koch2018-06-211-0/+9
| | | | | | | | | | | | | | | | | | | | * g10/import.c (get_revocation_reason): New. (list_standalone_revocation): Extend function. -- Note that this function extends the "rvs" field signature-class (field 11) with the revocation reason. GPGME does not yet parse this but it can be expected that the comma delimiter does not break other parsers. A new field is added to the "rvs" (and in future also the "rev") record to carry a record specific comment. Hopefully all parsers meanwhile learned the lesson from other new fields and don't bail out on more fields than they know about. This is partial solution to GnuPG-bug-id: 1173 Signed-off-by: Werner Koch <[email protected]>
* gpg: Let --show-keys print revocation certificates.Werner Koch2018-06-211-6/+8
| | | | | | | | | * g10/import.c (list_standalone_revocation): New. (import_revoke_cert): Call new function. -- GnuPG-bug-id: 4018 Signed-off-by: Werner Koch <[email protected]>
* doc: Add a hint about gpgsm and DECRYPTION_INFO.Werner Koch2018-05-291-1/+2
| | | | --
* Merge branch 'STABLE-BRANCH-2-2' into masterWerner Koch2018-05-131-5/+25
|\ | | | | | | | | | | | | | | | | | | -- Resolved Conflicts: NEWS - removed configure.ac - removed Signed-off-by: Werner Koch <[email protected]>
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-23 22:21:48 +0000