From 54c56230e305a38d6fd0c3bf1262172fd5fbcb87 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 21 Feb 2019 17:32:39 +0100
Subject: sm: Fix certificate creation with key on card.

* sm/certreqgen.c (create_request): Fix for certmode.
--

When using an existing key from a card for certificate signing (in
contrast to the default of generating a CSR), the code tried to use
the same key for signing instead of the Signing-Key parameter.  It is
perfectly okay to use the regular signing path via gpg-agent for
certificate creation - only self-signed certificates with a key on the
card require the direct use of the card key (via "SCD PKSIGN").

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c1000c673814e552923cf1361346d7dfeee55608)
---
 sm/certreqgen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sm/certreqgen.c b/sm/certreqgen.c
index 44318702a..ee7ae0158 100644
--- a/sm/certreqgen.c
+++ b/sm/certreqgen.c
@@ -1312,7 +1312,7 @@ create_request (ctrl_t ctrl,
           log_info ("about to sign the %s for key: &%s\n",
                     certmode? "certificate":"CSR", hexgrip);
 
-          if (carddirect)
+          if (carddirect && !certmode)
             rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
                                    gcry_md_read (md, mdalgo),
                                    gcry_md_get_algo_dlen (mdalgo),
-- 
cgit v1.2.3