authorWerner Koch <wk@gnupg.org>2019-03-05 15:49:20 +0100
committerWerner Koch <wk@gnupg.org>2019-03-05 15:49:20 +0100
commite897e1e255ef9870dfd1639d6f4e97bdf4e83b34 (patch)
tree5571c7633161ca25697fa7222ea8ec64f50091ce /agent
parentgpg: Make invalid primary key algos obvious in key listings. (diff)
scd:piv: Implement import of private keys for Yubikeys.
* scd/app-piv.c (concat_tlv_list): Add arg 'secure' and adjust callers. (writekey_rsa, writekey_ecc): New. (do_writekey): New. (do_writecert): Provide a better error message for an empty cert. (app_select_piv): Register do_writekey. * scd/iso7816.c (iso7816_send_apdu): New. * scd/app-common.h (APP_WRITEKEY_FLAG_FORCE): New. * agent/command.c (cmd_keytocard): Make the timestamp optional. * tools/card-call-scd.c (inq_writekey_parms): Remove. (scd_writekey): Rewrite. * tools/gpg-card.c (cmd_writekey): New. (enum cmdids): Add cmdWRITEKEY. (dispatch_command, interactive_loop): Call cmd_writekey. -- This has been tested with gpgsm and RSA keys. For ECC keys only partly tested using the sample OpenPGP nistp256 and nistp384 keys because gpgsm does not yet support ECC certificates and thus we can't write the certificates to the cert object after a writekey. Note that they nevertheless show up in "gpg-card list" because gpg-card searches for them in gpg and gpgsm. However, this does not yet work completely. Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'agent')
-rw-r--r--agent/call-scd.c3
-rw-r--r--agent/command.c14
2 files changed, 14 insertions, 3 deletions
diff --git a/agent/call-scd.c b/agent/call-scd.c
index 1189bd477..4c0186d74 100644
--- a/agent/call-scd.c
+++ b/agent/call-scd.c
@@ -1088,7 +1088,8 @@ agent_card_writekey (ctrl_t ctrl, int force, const char *serialno,
char line[ASSUAN_LINELENGTH];
struct inq_needpin_parm_s parms;
- (void)serialno;
+ (void)serialno; /* NULL or a number to check for the correct card.
+ * But is is not implemented. */
err = start_scd (ctrl);
if (err)
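Review bot: The serialno argument is still discarded at `(void)serialno;`, so a caller that hands agent_card_writekey a card serial number gets no guarantee the private key is written to that card rather than whichever card happens to be inserted; the new comment says as much but carries a typo ("is is"). I'd make the comment read `/* NULL or a number to check for the correct card.  Not yet implemented. */` so it is unambiguous that the check is absent, and keep any caller-facing text consistent with that. Whether scd's WRITEKEY could be given the serial number to enforce the check itself I cannot tell from this hunk. agent_card_writekey continues outside the hunk.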
diff --git a/agent/command.c b/agent/command.c
index 62b701467..5e2b6df2b 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -2486,8 +2486,8 @@ cmd_delete_key (assuan_context_t ctx, char *line)
static const char hlp_keytocard[] =
"KEYTOCARD [--force] <hexgrip> <serialno> <keyref> [<timestamp>]\n"
"\n"
- "TIMESTAMP is required for OpenPGP and defaults to the Epoch."
- ;
+ "TIMESTAMP is required for OpenPGP and defaults to the Epoch. The\n"
+ "SERIALNO is used for checking; use \"-\" to disable the check.";
static gpg_error_t
cmd_keytocard (assuan_context_t ctx, char *line)
{
@@ -2527,8 +2527,18 @@ cmd_keytocard (assuan_context_t ctx, char *line)
goto leave;
}
+ /* Note that checking of the s/n is currently not implemented but we
+ * want to provide a clean interface if we ever implement it. */
serialno = argv[1];
+ if (!strcmp (serialno, "-"))
+ serialno = NULL;
+
keyref = argv[2];
+
+ /* FIXME: Default to the creation time as stored in the private
+ * key. The parameter is here so that gpg can make sure that the
+ * timestamp as used for key creation (and thus the openPGP
+ * fingerprint) is used. */
timestamp_str = argc > 3? argv[3] : "19700101T000000";
if ((timestamp = isotime2epoch (timestamp_str)) == (time_t)(-1))
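Review bot: Mapping `-` to NULL at `if (!strcmp (serialno, "-"))` disables a serial-number check that, per the comment two lines above, does not exist yet, while the help string in the earlier hunk tells Assuan clients that SERIALNO "is used for checking"; a client may therefore believe a key can only land on the named card when in fact it is written to whatever card is present. Until the check is implemented I'd make the help text honest, e.g. `"SERIALNO is intended to select the target card but is currently not checked; use \"-\" to skip it."`, or at least emit a log warning when a concrete serial number is supplied and ignored. Separately, an omitted timestamp silently becomes the Epoch, and as the FIXME notes the OpenPGP fingerprint is derived from it, so an OpenPGP caller that forgets the argument gets a card key whose fingerprint does not match the key it was meant to back up; if keyref makes the OpenPGP case recognisable here, rejecting a missing timestamp for it would be safer than a default. cmd_keytocard continues past the end of the hunk.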