aboutsummaryrefslogtreecommitdiffstats
path: root/sm (follow)
Commit message (Collapse)AuthorAgeFilesLines
* gpgsm: Set validity flag in keylisting to n for untrusted root cert.Werner Koch2023-11-271-0/+2
| | | | | | | | * sm/keylist.c (list_cert_colon): Map not_trusted to 'n' for non-root certs like we do for root certs. -- GnuPG-bug-id: 6841
* gpg,gpgsm: Hide password in debug output also for asked passwords.Werner Koch2023-11-141-0/+5
| | | | | | | | | | | | | * g10/call-agent.c (agent_get_passphrase): Call assuan_begin_confidential and assuan_end_confidential. * sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto. -- GnuPG-bug-id: 6654 The drawback of this solution is that we don't see any IPC lines from the assuan_transact. Everything else would require larger changes to libassuan.
* gpgsm: Re-introduce the bad passphrase hint for pkcs#12.Werner Koch2023-11-141-0/+2
| | | | | | * sm/minip12.c (parse_bag_encrypted_data): Set the badpass flag. (parse_shrouded_key_bag): Ditto. --
* gpg,sm: Set confidential in assuan communication for password.NIIBE Yutaka2023-11-101-0/+2
| | | | | | | | | | | | | | * g10/call-agent.c (default_inq_cb): Call assuan_begin_confidential and assuan_end_confidential. * sm/call-agent.c (default_inq_cb): Likewise. -- Cherry pick from master commit of: ec1446f9446506b5fbdf90cdeb9cbe1f410a657e GnuPG-bug-id: 6654 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpgsm: Support ECDSA in de-vs mode.Werner Koch2023-11-083-3/+5
| | | | | | | | | | | * common/compliance.h (PK_ALGO_FLAG_ECC18): New. * common/compliance.c (gnupg_pk_is_allowed): Implement. * sm/decrypt.c (gpgsm_decrypt): Pass new flag. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 6802
* gpgsm: Cleanup of legacy variable name use.Werner Koch2023-11-082-117/+89
| | | | | | | | | | * sm/encrypt.c (gpgsm_encrypt): Unify use of RC and ERR. * sm/sign.c (gpgsm_sign): ditto. -- Initially we didn't used the gpg_error_t thingy and while migrating we sometimes used RC and ERR for tracking the error. This is pretty error prone and thus we better remove it (after 20 years).
* sm: Flag Brainpool curves as compliant for all other operations.Werner Koch2023-10-247-23/+25
| | | | | | | | | | | | | | * sm/fingerprint.c (gpgsm_get_key_algo_info2): Rename to (gpgsm_get_key_algo_info): this. Remove the old wrapper. Adjust all callers. * sm/decrypt.c (gpgsm_decrypt): Pass the curve to the compliance checker. * sm/encrypt.c (gpgsm_encrypt): Ditto. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 6253
* sm: Flag Brainpool curves as compliant.Werner Koch2023-10-241-3/+3
| | | | | | | | * sm/keylist.c (print_compliance_flags): Add arg curve. (list_cert_colon): Pass curve to the compliance check. -- GnuPG-bug-id: 6253
* sm: Another partly rewrite of minip12.cWerner Koch2023-10-241-180/+330
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize. Remove pop_count. Rename offset to length. (dump_tag_info, _dump_tag_info): Rewrite. (dump_tlv_ctx, _dump_tlv_ctx): Rewrite. (tlv_new): Init origbuffer. (_tlv_peek): Add arg ti. (tlv_peek): New. (tlv_peek_null): New. (_tlv_push): Rewrite. (_tlv_pop): Rewrite. (tlv_next): New macro. Move old code to ... (_tlv_next): this. Add arg lno. Pop remaining end tags. (tlv_popped): Remove. (tlv_expect_object): Handle ndef. (tlv_expect_octet_string): Ditto. (parse_bag_encrypted_data): Use nesting level to control the inner loop. (parse_shrouded_key_bag): Likewise. (parse_bag_data): Handle surplus octet strings. (p12_parse): Ditto. * sm/minip12.c (decrypt_block): Strip the padding. (tlv_expect_top_sequence): Remove. Replace callers by tlv_expect_sequence. * tests/samplekeys/t6752-ov-user-ff.p12: New sample key. * tests/samplekeys/Description-p12: Add its description -- This patch improves the BER parser by simplifying it. Now tlv_next pops off and thus closes all containers regardless on whether they are length bounded or ndef. tlv_set_pending is now always used to undo the effect of a tlv_next in a loop condition which was terminated by a nesting level change. Instead of using the length as seen in the decrypted container we now remove the padding and let the BER parser do its work. This might have a negative effect on pkcs#12 objects which are not correctly padded but we don't have any example of such broken objects. GnuPG-bug-id: 6752
* sm: Minor robustness fix for a regression test.Werner Koch2023-10-171-1/+4
| | | | | | | | | * sm/t-minip12.c (run_one_test): Don't hash if we have no parameters at all. -- This fix handles the case that an empty result array is returned by minip12.c
* sm: Support import of PKCS#12 encoded ECC private keys.Werner Koch2023-10-171-31/+76
| | | | | | | | | | | * sm/import.c (parse_p12): Support ECC import. -- Although I extended the parser and its test the actual import missed the required code. GnuPG-bug-id: 6253 Backported-from-master: 8dfef5197af9f655697e0095c6613137d51c91e7
* sm: Support more HMAC algos in the pkcs#12 parser.Werner Koch2023-10-062-15/+128
| | | | | | | | | | | | | | | | | | | | | | | | * sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos. (digest_algo_from_oid): New. (set_key_iv_pbes2): Add arg digest_algo. (crypt_block): Ditto. (decrypt_block): Ditto. (parse_bag_encrypted_data): Parse the optional prf part and get the hmac algorithm. (parse_shrouded_key_bag): Ditto. (p12_build): Pass SHA1 for digest_algo. * sm/t-minip12.c (run_one_test): Print failed values in verbose mode. * tests/samplekeys/nistp256-openssl-self-signed.p12: New. * tests/samplekeys/Description-p12: Add this one. * tests/Makefile.am (EXTRA_DIST): Ditto. -- This supports the modern algorithms, i.e. using SHA256 for the KDF which is the default in openssl unless the -legacy option is used. GnuPG-bug-id: 6536
* sm: Improve the octet string cramming for pkcs#12Werner Koch2023-10-051-17/+62
| | | | | | | | | | | | | | | | | | | * sm/minip12.c (need_octet_string_cramming): New. (tlv_expect_object, tlv_expect_octet_string): Run the test before cramming. * sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro for debug purposes. (bag_decrypted_data_p, bag_data_p): Use macro to allow dumping. -- This bug was exhibited by importing a gpgsm exported EC certificate. We use an extra test instead of retrying to allow retruning an error from malloc failure. And well, for easier reading of the code. GnuPG-bug-id: 6536 (cherry picked from commit c1f78634ec3927ddcfdc4687bc6e408c658a0ece)
* agent: Add trustlist flag "de-vs".Werner Koch2023-09-072-0/+3
| | | | | | | | | | | | | | | | | * agent/trustlist.c (struct trustitem_s): Add field de_vs. (read_one_trustfile): Parse it. (istrusted_internal): Emit TRUSTLISTFLAG status line. * sm/gpgsm.h (struct rootca_flags_s): Add field de_vs. * sm/call-agent.c (istrusted_status_cb): Detect the flags. * sm/sign.c (write_detached_signature): Remove unused vars. -- Right now this flag has no effect; we first need to specify the exact behaviour. GnuPG-bug-id: 5079 (cherry picked from commit a5360ae4c7bfe6df6754409d5bd5c5a521ae5e6f)
* agent: New flag "qual" for the trustlist.txt.Werner Koch2023-09-073-2/+9
| | | | | | | | | | | | | * agent/trustlist.c (struct trustitem_s): Add flag "qual". (read_one_trustfile): Rename arg "allow_include" to "systrust" and change callers. Parse new flag "qual". (istrusted_internal): Print all flags. * sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag. * sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified". * sm/certchain.c (do_validate_chain): Take care of the qualified flag. -- (cherry picked from commit 7c8c6060616ab91f5490e91a0fb9efc9aee9f58e)
* gpgsm: Create binary detached sigs with definite form length octets.Werner Koch2023-09-071-4/+250
| | | | | | | | | | | * sm/sign.c: Include tlv.h. (write_detached_signature): New, (gpgsm_sign): Fixup binary detached signatures. -- This helps some other software to verify detached signatures. (cherry picked from commit 8996b0b655952fa6b5bb678a92d3106f72f80f2a)
* gpgsm: Strip trailing zeroes from detached signatures.Werner Koch2023-09-071-2/+8
| | | | | | | | | | | | | | | | | | * common/ksba-io-support.c: Include tlv.h (struct reader_cb_parm_s): Add new fields. (starts_with_sequence): New. (simple_reader_cb): Handle stripping. * common/ksba-io-support.h (GNUPG_KSBA_IO_STRIP): New. (gnupg_ksba_create_reader): Handle the new flag. * sm/verify.c (gpgsm_verify): Use the new flag for detached signatures. -- Note that this works only if --assume-binary is given. The use case for the feature is PDF signature checking where the PDF specs require that the detached signature is padded with zeroes. (cherry picked from commit 2a13f7f9dc75265ece649e30fecd3dc694b1240e)
* gpgsm: Add --always-trust feature.Werner Koch2023-08-315-7/+58
| | | | | | | | | | | | | | | | | | | * sm/gpgsm.h (opt): Re-purpose unused flag always_trust. (struct server_control_s): Add "always_trust". (VALIDATE_FLAG_BYPASS): New. * sm/gpgsm.c (oAlwaysTrust): New. (opts): Add "--always-trust" (main): Set option. * sm/server.c (option_handler): Add option "always-trust". (reset_notify): Clear that option. (cmd_encrypt): Ditto. (cmd_getinfo): Add sub-command always-trust. * sm/certchain.c (gpgsm_validate_chain): Handle VALIDATE_FLAG_BYPASS. * sm/certlist.c (gpgsm_add_to_certlist): Set that flag for recipients in always-trust mode. -- GnuPG-bug-id: 6559
* gpgsm: Avoid warnings due to enum conversionsWerner Koch2023-08-281-3/+3
| | | | | * sm/decrypt.c (pwri_parse_pbkdf2): Use int instead of gcry_md_algos. (pwri_decrypt): Ditto for gcry_cipher_algos.
* sm: Fix use of value NONE in gnupg_isotime_t type.NIIBE Yutaka2023-08-285-7/+13
| | | | | | | | | | | | | | | * common/gettime.h (GNUPG_ISOTIME_NONE): New. * sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Use it. * sm/certlist.c (gpgsm_add_to_certlist): Likewise. * sm/import.c (check_and_store): Likewise. * sm/keylist.c (list_cert_colon, list_cert_raw): Likewise. (list_cert_std): Likewise. * sm/sign.c (gpgsm_sign): Likewise. -- Signed-off-by: NIIBE Yutaka <[email protected]> (cherry picked from commit 05fdaa1737523fad72b6ffb9e7a90d5344ff64a5)
* sm: Complete rewrite of the PKCS#12 parserWerner Koch2023-07-055-774/+2108
| | | | | | | | | | | | | | | | | | | * sm/minip12.c: Reworked most of the parser. (p12_set_verbosity): Add arg debug and change all callers. * sm/t-minip12.c: New. * sm/Makefile.am (module_maint): Add it. * tests/samplekeys/Description-p12: New. * tests/samplekeys/t5793-openssl.pfx: New from T5793. * tests/samplekeys/t5793-test.pfx: Ditto. * tests/samplekeys/Description-p12: Add them. * tests/Makefile.am (EXTRA_DIST): Add samplekeys. -- GnuPG-bug-id: 6536 Backported_from: 101433dfb42b333e48427baf9dd58ac4787c9786 Backported_from: 5f694dc0be994e8cd3bc009139d1349f3b1fcf62
* sm: Remove duplicated code.Werner Koch2023-07-051-81/+28
| | | | | | * sm/minip12.c (struct tag_info): Change type of length and nhdr. (dump_tag_info): Adjust. (parse_tag): Re-implement using the parse_ber_header.
* gpgsm: Support SENDCERT_SKI for --call-dirmngrWerner Koch2023-07-051-9/+36
| | | | | | | * sm/call-dirmngr.c (run_command_inq_cb): Support SENDCERT_SKI. * dirmngr/crlcache.c (crl_cache_insert): Print the CRL name along with the unknown OID nortice.
* gpgsm: New option --input-size-hint.Werner Koch2023-07-057-0/+23
| | | | | | | | | | | | | | | | | | * sm/gpgsm.c (oInputSizeHint): New. (opts): Add "--input-size-hint". (main): Set option. * sm/server.c (option_handler): Add option "input-size-hint". * sm/gpgsm.h (struct server_control_s): Add field input_size_hint. * sm/encrypt.c (gpgsm_encrypt): Set the toatl file size. * sm/decrypt.c (gpgsm_decrypt): Ditto. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- This option allows to set a value for the progress output line. Note that as of now there is no other way to set the file size. GnuPG-bug-id: 6534
* gpgsm: Print PROGRESS status lines.Werner Koch2023-07-056-3/+58
| | | | | | | | | | | | | | | | | | | | | | | | | * common/ksba-io-support.c (struct writer_cb_parm_s): Add field progress. (struct gnupg_ksba_io_s): Add field is_writer. (update_write_progress): New. (base64_writer_cb, plain_writer_cb): Call update_write_progress. (base64_finish_write): Ditto. (gnupg_ksba_create_writer): Set is_writer. (gnupg_ksba_set_progress_cb): New. (gnupg_ksba_set_total): New. * common/ksba-io-support.h (gnupg_ksba_progress_cb_t): New type. * sm/server.c (gpgsm_status2): Return error from statusfp writes. (gpgsm_progress_cb): New. * sm/decrypt.c (gpgsm_decrypt): Set progress handler. * sm/encrypt.c (gpgsm_encrypt): Ditto. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 6534 Backported-from: c58067415fe93fbd5d3de2594ccca4761ad25103 Backported-from: a88aeee12990478c218abff7f38728e47ee824bc
* sm: Emit STATUS_FAILURE for non-implemented commands.Werner Koch2023-05-262-5/+13
| | | | * sm/gpgsm.c (main): Do it here.
* w32: Add missing manifests and set a requestedExecutionLevel.Werner Koch2023-05-252-7/+15
| | | | | | | | | | | | | | | | | | | | | | | * agent/gpg-agent.w32-manifest.in: New. * dirmngr/dirmngr-client-w32info.rc: New. * dirmngr/dirmngr-client.w32-manifest.in: New. * dirmngr/dirmngr-w32info.rc: New. * dirmngr/dirmngr.w32-manifest.in: New. * dirmngr/dirmngr_ldap-w32info.rc: New. * dirmngr/dirmngr_ldap.w32-manifest.in: New. * g10/gpgv-w32info.rc: New. * g10/gpgv.w32-manifest.in: New. * kbx/keyboxd.w32-manifest.in: New. * scd/scdaemon.w32-manifest.in: New. * sm/gpgsm.w32-manifest.in: New. -- This avoids the use of the VirtualStore uner Windows. GnuPG-bug-id: 6503 Backported from 2.4; some manifest files already existed in 2.2 but not in 2.4
* kbx: Use custom estream bufferingWerner Koch2023-05-101-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * kbx/keybox-init.c (ll_buffer_size): New var intialized to 128k (stream_buffers): New var. (keybox_set_buffersize): New. (_keybox_ll_open, _keybox_ll_close): Implement buffering. * sm/gpgsm.c (oKbxBufferSize): New. (opts): Add option --kbx-buffer-size. (main): Call keybox_set_buffersize. * g10/gpg.c: Include keybox.h. * (oKbxBufferSize): New. (opts): Add option --kbx-buffer-size. (main): Call keybox_set_buffersize. -- Commit message from 2.4: Running a test on Windows using a pubring.kbx with Total number of blobs: 2098 openpgp: 1294 x509: 803 and a size of 42MiB with gpgsm -k --with-validation --disable-dirmngr --kbx-buffer-size N >nul gives these performance figures using procmon | N(k) | file events | time(s) | |------+-------------+---------| | 0 | 4900000 | 86 | | 16 | 2456000 | 58 | | 32 | 1233000 | 43 | | 64 | 622000 | 37 | | 128 | 317000 | 32 | | 256 | 164000 | 31 | | 512 | 88000 | 30 | Using _open instead of CreateFile give the same number of file events but increased the time slight by one second for the measured buffer size of 64k and 128k. Benchmarks for gpg have not been conducted.
* gpgsm: Cache the non-existence of the policy file.Werner Koch2023-05-101-2/+17
| | | | | | | | | * sm/certchain.c (check_cert_policy): Add simple static cache. -- It is quite common that a policy file does not exist. Thus we can avoid the overhead of trying to open it over and over again just to assert that it does not exists.
* gpg,gpgsm: Extend the use of allow-ecc-encr and vsd-allow-ocbWerner Koch2023-03-241-1/+2
| | | | | | | | * g10/keygen.c (keygen_set_std_prefs): Set OCB only with VSD compatibility flag. * sm/certreqgen.c (proc_parameters): All ECC generation only with allow-ecc-encr. --
* gpgsm: Improve cert lookup callback from dirmngr.Werner Koch2023-02-263-5/+13
| | | | | | | | | | | | | | | | | * sm/gpgsm.h (FIND_CERT_ALLOW_AMBIG): New. (FIND_CERT_WITH_EPHEM): New. * sm/certlist.c (gpgsm_find_cert): Replace arg allow_ambiguous by a generic flags arg. Implement the new flag FIND_CERT_WITH_EPHEM. * sm/call-dirmngr.c (inq_certificate): Return also ephemeral marked certs. -- The dirmngr may need to get a certificate from gpgsm's store in the course of verifying a CRL. In some cases the certificate is still marked as epehemeral - this needs to be returned as well. This _may_ also fix GnuPG-bug-id: 4436
* sm: Fix issuer certificate look error due to legacy error code.Werner Koch2023-02-248-101/+115
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/certchain.c (find_up): Get rid of the legacy return code -1 and chnage var name rc to err. (gpgsm_walk_cert_chain): Change var name rc to err. (do_validate_chain): Get rid of the legacy return code -1. * sm/keydb.c (keydb_search): Replace return code -1 by GPG_ERR_NOT_FOUND. (keydb_set_cert_flags): Replace return code -1 by GPG_ERR_NOT_FOUND. * sm/certchain.c (find_up_search_by_keyid): Ditto. (find_up_external, find_up, find_up_dirmngr): Ditto. (gpgsm_walk_cert_chain): Ditto. (get_regtp_ca_info): Ditto. * sm/certlist.c (gpgsm_add_to_certlist): Ditto. (gpgsm_find_cert): Ditto. * sm/delete.c (delete_one): Ditto. * sm/export.c (gpgsm_export): Ditto. (gpgsm_p12_export): Ditto. * sm/import.c (gpgsm_import_files): Ditto. * sm/keylist.c (list_cert_colon): Ditto. (list_internal_keys): Ditto. * sm/sign.c (add_certificate_list): Ditto. -- This bug was detected while fixing GnuPG-bug-id: 4757 Backported-from-master: 473b83d1b9efe51fcca68708580597dddf3f50b7 Some extra code has been taken from commit ed6ebb696e4063dc664d7ee74fc492025881c459
* sm: Support generation of card-based ECDSA CSR.Damien Goutte-Gattat via Gnupg-devel2023-01-131-16/+43
| | | | | | | | | | | | | | | | | | * sm/call-agent.c (gpgsm_scd_pksign): Identify type of signing key and format resulting S-expression accordingly. -- Current GpgSM implementation assumes card-based keys are RSA keys. This patch introduces support for ECDSA keys. GnuPG-bug-id: 4092 Signed-off-by: Damien Goutte-Gattat <[email protected]> (cherry picked from commit 74e9b579ca273fc07be090bb5fb7800a97b1b452) - Removed already applied changes from the original commit. - Allow for SHA384 and SHA512 Signed-off-by: Werner Koch <[email protected]>
* sm: Fix regression due to the new ECC cert generationWerner Koch2023-01-131-1/+5
| | | | | | | * sm/certreqgen.c (create_request): Also set SIGKEYLEN. -- Fixes-commit: ed62b74a175ef092fd3ac8b2d54b3213fe56af5b
* sm: Fix compliance checking for ECC signature verification.Werner Koch2023-01-122-4/+19
| | | | | | | | | | | | | | * common/compliance.c (gnupg_pk_is_compliant): Also consider the gcrypt vids for ECDSA et al. (gnupg_pk_is_allowed): Ditto. * sm/verify.c (gpgsm_verify): Consider the curve. Print a compliance notice for a non-compliant key. * sm/certchain.c (gpgsm_validate_chain): Silence the "switching to chain model". -- Backported-from-master: 338a5ecaa1f11abf24514c8df994170bdb1018f4
* Merge branch 'STABLE-BRANCH-2-2.40' into STABLE-BRANCH-2-2Werner Koch2022-12-231-2/+3
|\ | | | | | | --
| * gpgsm: Silence the "non-critical certificate policy not allowed".Werner Koch2022-12-061-2/+3
| | | | | | | | | | | | | | * sm/certchain.c (check_cert_policy): Print non-critical policy warning only in verbose mode. (cherry picked from commit 4f1b9e3abb337470e5e4809b3a7f2df33f5a63a4)
* | gpgsm: Change default algo to AES-256.Werner Koch2022-11-301-1/+1
| | | | | | | | * sm/gpgsm.c (DEFAULT_CIPHER_ALGO): Change.
* | gpgsm: Fix colon outout of ECC encryption certificatesWerner Koch2022-11-151-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | * sm/keylist.c (print_capabilities): Add arg algo and use it to check for ECC capabilities. (list_cert_colon): Call with algo. -- This will mark certificates with only keyAgreement usage correctly in the --with-colons listing. (cherry picked from commit f5c3f13609361dfeb03722161b1fc93f5a33dcae)
* | gpgsm: Support signing using ECDSA.Werner Koch2022-11-152-33/+53
| | | | | | | | | | | | | | | | | | | | | | * sm/gpgsm.h (struct certlist_s): Add helper field pk_algo. * sm/sign.c (gpgsm_sign): Store the public key algo. Take the hash algo from the curve. Improve diagnostic output in verbose mode. -- GnuPG-bug-id: 4098, 6253 Signed-off-by: Werner Koch <[email protected]> Backported-from-master: f44d395bdfec464b1e2a0a1aef39561e6e48a45c
* | gpgsm: Support verification of nistp521 signatures.Werner Koch2022-11-151-5/+8
| | | | | | | | | | | | | | | | | | | | | | | | * sm/certcheck.c (do_encode_md): Take care of nistp521. -- This curve is a bit odd in that it does not match a common hash digest length. We fix that here for just this case instead of writing more general code to support all allowed cases (i.e. hash shorter than Q). Signed-off-by: Werner Koch <[email protected]> Backported-from-master: 596212e71abf33b30608348b782c093dace83110
* | gpgsm: Cleanup the use of GCRY_PK_ECC and GCRY_PK_ECDSA.Werner Koch2022-11-144-6/+11
| | | | | | | | | | | | | | | | | | | | | | | | * common/sexputil.c (pubkey_algo_to_string): New. * sm/certcheck.c (do_encode_md): Replace GCRY_PK_ECDSA by GCRY_PK_ECC. * sm/certreqgen-ui.c (check_keygrip): Add all ECC algorithms. * sm/gpgsm.c (our_pk_test_algo): Also allow EdDSA. * sm/verify.c (gpgsm_verify): Map ECC algo to ECDSA. Use new pubkey algo name function Signed-off-by: Werner Koch <[email protected]> (cherry picked from commit 34b628db4618a8712536aea695f934b0286e7b18)
* | gpgsm: Some more ECC support backported.Werner Koch2022-11-142-25/+94
| | | | | | | | | | | | | | | | * sm/certcheck.c (gpgsm_check_cert_sig): Map ECDSA OIDs. * sm/misc.c (transform_sigval): Add ECC support. -- GnuPG-bug-id: 6253
* | gpg: Add compatibility flag "vsd-allow-ocb"Werner Koch2022-10-311-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * common/compliance.h (enum gnupg_co_extra_infos): New. * common/compliance.c (vsd_allow_ocb): New. (gnupg_cipher_is_compliant): Allow OCB if flag is set. (gnupg_cipher_is_allowed): Ditto. (gnupg_set_compliance_extra_info): Change to take two args. Adjust callers. * g10/gpg.c (compatibility_flags): Add "vsd-allow-ocb". (main): And set it. * g10/options.h (COMPAT_VSD_ALLOW_OCB): NEw. -- This is a temporary flag until the new mode has been evaluated and can always be enabled. GnuPG-bug-id: 6263
* | gpgsm: Also announce AES256-CBC in signatures.Werner Koch2022-10-281-7/+10
| | | | | | | | | | | | | | * sm/sign.c (gpgsm_sign): Add new capability. -- It might be better to have this. No concrete bug report, though.
* | gpgsm: New compatibility flag "allow-ecc-encr".Werner Koch2022-10-283-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | * sm/gpgsm.h (COMPAT_ALLOW_ECC_ENCR): New. * sm/gpgsm.c (compatibility_flags): Add new flag. * sm/encrypt.c (encrypt_dek): Allw ECC only if flag is set. -- ECC encryption was not part of the original VS evaluation. Until this has been re-evaluated we hide this feature behind this flag. GnuPG-bug-id: 6253
* | sm: Support encryption using ECDH keys.Werner Koch2022-10-283-15/+311
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/decrypt.c (hash_ecc_cms_shared_info): Make global. * sm/encrypt.c (ecdh_encrypt): New. (encrypt_dek): Add arg PK_ALGO and support ECDH. (gpgsm_encrypt): Pass PK_ALGO. -- Note: This has only been tested with a messages created and decrypted by GnuPG. GnuPG-bug-id: 4098 Signed-off-by: Werner Koch <[email protected]> Backported-from-master: d5051e31a8fc07c339253c6b82426e0d0115a20a GnuPG-bug-id: 6253
* | gpgsm: Allow ECC encryption keys with just keyAgreement specified.Werner Koch2022-10-283-3/+13
| | | | | | | | | | | | | | | | | | | | * sm/certlist.c (cert_usage_p): Allow keyAgreement for ECC. * sm/fingerprint.c (gpgsm_is_ecc_key): New. -- For ECC encryption keys keyAgreement is the keyUsage we want. GnuPG-bug-id: 6253
* | gpgsm: Use macro constants for cert_usage_p.Werner Koch2022-10-281-15/+27
| | | | | | | | * sm/certlist.c (USE_MODE_): New. Use them for easier reading.
* | gpgsm: Create ECC certificates with AKI and SKI by default.Werner Koch2022-10-201-32/+145
| | | | | | | | | | | | | | | | | | * sm/certreqgen.c (create_request): Create AKI and SKI by default. -- GnuPG-bug-id: 4098, 6253 Signed-off-by: Werner Koch <[email protected]> Backported-from-master: 44676819f2873705b78849e7b2fd22214b691642
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-22 14:51:05 +0000