authorWerner Koch <wk@gnupg.org>2020-03-27 19:35:27 +0100
committerWerner Koch <wk@gnupg.org>2020-03-27 19:37:29 +0100
commit4c4999b8185ace55eb5f3a6fa7d3dc0a77267b63 (patch)
treebb51f2d55e2ff0bc6ced30e384ff278e3c2b60ab /scd
parentgpgsm: Fix the previous commit. (diff)
scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3.
* scd/app-openpgp.c (check_keyidstr): Add optional arg r_use_auth to test also for OpenPGP.3. (do_sign): Enable that new mode. -- This is very useful to allow gpgsm to use a certificate based on the OpenPGP card's authentication key. That key is usually used for ssh but it makes sense to use it also for user certificate based authentication. Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'scd')
-rw-r--r--scd/app-openpgp.c23
1 files changed, 18 insertions, 5 deletions
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index 8f47b8a8f..ec2c04756 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -4755,9 +4755,12 @@ check_against_given_fingerprint (app_t app, const char *fpr, int key)
When KEYNO is 0 and KEYIDSTR is for a keygrip, the keygrip should
be to be compared is the first one (keygrip for signing).
+ When KEYNO is 1, KEYIDSTR is for a keygrip, and R_USE_AUTH is not
+ NULL, OpenPGP.1 is first tested and then OpenPGP.3. In the latter
+ case 1 is stored at R_USE_AUTH
*/
static int
-check_keyidstr (app_t app, const char *keyidstr, int keyno)
+check_keyidstr (app_t app, const char *keyidstr, int keyno, int *r_use_auth)
{
int rc;
const char *s;
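Review bot: The new paragraph added to check_keyidstr's header comment ends without a period and does not say what *R_USE_AUTH holds on the paths other than the OpenPGP.3 match; the later hunks show it is zeroed on entry and written to 1 only in the OpenPGP.3 branch, so every other return, including the GPG_ERR_INV_ID errors, leaves it at 0, and callers that read it after a failure should be able to rely on that. Suggested wording for the three added lines: `When KEYNO is 1, KEYIDSTR is a keygrip, and R_USE_AUTH is not NULL, OpenPGP.1 is tested first and then OpenPGP.3.  *R_USE_AUTH is set to 1 only if OpenPGP.3 matched; on any other return, including errors, it is 0.` The function's body continues outside this hunk.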
@@ -4765,6 +4768,9 @@ check_keyidstr (app_t app, const char *keyidstr, int keyno)
const char *fpr = NULL;
unsigned char tmp_sn[20]; /* Actually 16 bytes but also for the fpr. */
+ if (r_use_auth)
+ *r_use_auth = 0;
+
if (strlen (keyidstr) < 32)
return gpg_error (GPG_ERR_INV_ID);
else
@@ -4780,6 +4786,13 @@ check_keyidstr (app_t app, const char *keyidstr, int keyno)
keygrip_str = app->app_local->pk[keyno?keyno-1:0].keygrip_str;
if (!strncmp (keygrip_str, keyidstr, 40))
return 0;
+ else if (keyno == 1 && r_use_auth
+ && !strncmp (app->app_local->pk[2].keygrip_str,
+ keyidstr, 40))
+ {
+ *r_use_auth = 1;
+ return 0;
+ }
else
return gpg_error (GPG_ERR_INV_ID);
}
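Review bot: The new else-if branch hard-codes `pk[2]` while the line above derives the slot from keyno, and nothing at the site explains why a signing lookup (keyno == 1) is allowed to resolve to the authentication slot; a reader auditing which key a PKSIGN keygrip can select has to find the commit message. A one-line why-comment above the branch would fix that: `/* For PKSIGN also accept the authentication key (OpenPGP.3), e.g. for gpgsm's certificate based authentication; tell the caller via R_USE_AUTH.  */`. Note that the fallback lives only in the keygrip comparison; the fingerprint path of check_keyidstr is outside this hunk and, as far as the diff shows, is not widened, so a fingerprint naming OpenPGP.3 presumably still fails with GPG_ERR_INV_ID — worth confirming and stating in the header comment if intended.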
@@ -4902,7 +4915,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
use_auth = 1;
else
{
- rc = check_keyidstr (app, keyidstr, 1);
+ rc = check_keyidstr (app, keyidstr, 1, &use_auth);
if (rc)
return rc;
}
@@ -5057,7 +5070,7 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr,
;
else
{
- rc = check_keyidstr (app, keyidstr, 3);
+ rc = check_keyidstr (app, keyidstr, 3, NULL);
if (rc)
return rc;
}
@@ -5112,7 +5125,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
;
else
{
- rc = check_keyidstr (app, keyidstr, 2);
+ rc = check_keyidstr (app, keyidstr, 2, NULL);
if (rc)
return rc;
}
@@ -5338,7 +5351,7 @@ do_check_pin (app_t app, ctrl_t ctrl, const char *keyidstr,
if (!keyidstr || !*keyidstr)
return gpg_error (GPG_ERR_INV_VALUE);
- rc = check_keyidstr (app, keyidstr, 0);
+ rc = check_keyidstr (app, keyidstr, 0, NULL);
if (rc)
return rc;