author | Werner Koch <wk@gnupg.org> | 2020-03-27 19:35:27 +0100 |
committer | Werner Koch <wk@gnupg.org> | 2020-03-27 19:37:29 +0100 |
commit | 4c4999b8185ace55eb5f3a6fa7d3dc0a77267b63 (patch) | |
tree | bb51f2d55e2ff0bc6ced30e384ff278e3c2b60ab /scd | |
parent | gpgsm: Fix the previous commit. (diff) | |
scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3.
* scd/app-openpgp.c (check_keyidstr): Add optional arg r_use_auth to
test also for OpenPGP.3.
(do_sign): Enable that new mode.
--
This is very useful to allow gpgsm to use a certificate based on the
OpenPGP card's authentication key. That key is usually used for ssh
but it also makes sense to use it for user-certificate-based
authentication.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'scd')
-rw-r--r-- | scd/app-openpgp.c | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index 8f47b8a8f..ec2c04756 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -4755,9 +4755,12 @@ check_against_given_fingerprint (app_t app, const char *fpr, int key) When KEYNO is 0 and KEYIDSTR is for a keygrip, the keygrip should be to be compared is the first one (keygrip for signing). + When KEYNO is 1, KEYIDSTR is for a keygrip, and R_USE_AUTH is not + NULL, OpenPGP.1 is first tested and then OpenPGP.3. In the latter + case 1 is stored at R_USE_AUTH */ static int -check_keyidstr (app_t app, const char *keyidstr, int keyno) +check_keyidstr (app_t app, const char *keyidstr, int keyno, int *r_use_auth) { int rc; const char *s; @@ -4765,6 +4768,9 @@ check_keyidstr (app_t app, const char *keyidstr, int keyno) const char *fpr = NULL; unsigned char tmp_sn[20]; /* Actually 16 bytes but also for the fpr. */ + if (r_use_auth) + *r_use_auth = 0; + if (strlen (keyidstr) < 32) return gpg_error (GPG_ERR_INV_ID); else @@ -4780,6 +4786,13 @@ check_keyidstr (app_t app, const char *keyidstr, int keyno) keygrip_str = app->app_local->pk[keyno?keyno-1:0].keygrip_str; if (!strncmp (keygrip_str, keyidstr, 40)) return 0; + else if (keyno == 1 && r_use_auth + && !strncmp (app->app_local->pk[2].keygrip_str, + keyidstr, 40)) + { + *r_use_auth = 1; + return 0; + } else return gpg_error (GPG_ERR_INV_ID); } @@ -4902,7 +4915,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, use_auth = 1; else { - rc = check_keyidstr (app, keyidstr, 1); + rc = check_keyidstr (app, keyidstr, 1, &use_auth); if (rc) return rc; } @@ -5057,7 +5070,7 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr, ; else { - rc = check_keyidstr (app, keyidstr, 3); + rc = check_keyidstr (app, keyidstr, 3, NULL); if (rc) return rc; } @@ -5112,7 +5125,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, ; else { - rc = check_keyidstr (app, keyidstr, 2); + rc = check_keyidstr (app, keyidstr, 2, NULL); if (rc) return rc; } 
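Review bot: The new header comment in the first hunk describes R_USE_AUTH only for the OpenPGP.3 match ("1 is stored at R_USE_AUTH"), but the second hunk shows the helper also clears it on entry whenever the pointer is non-NULL, and callers such as do_sign rely on that. The contract should state both halves, e.g. `If R_USE_AUTH is not NULL it is set to 0 on entry and to 1 only when KEYNO is 1 and the keygrip matched OpenPGP.3 instead of OpenPGP.1.` The body of check_keyidstr continues past this hunk.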
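Review bot: The fallback added in the third hunk indexes `app->app_local->pk[2].keygrip_str` with a bare literal while the line above derives the slot from `keyno?keyno-1:0`, so the slot mapping is only implied; a one-line comment on the new branch would keep it explicit, e.g. `/* pk[2] is OpenPGP.3 (the authentication key); accept it for signing only when the caller opted in via R_USE_AUTH. */`. Because this is a silent fallback, a PKSIGN caller that passes the authentication key's keygrip now gets that key selected instead of GPG_ERR_INV_ID, which is the intended feature but means every caller passing a non-NULL R_USE_AUTH must consult the flag afterwards rather than assume OpenPGP.1 was chosen. The comparison reuses the existing 40-character `strncmp`, so its prefix-only matching is unchanged by this commit.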
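Review bot: After the changed call in the do_sign hunk, `use_auth` can become 1 for a request that named the authentication key only by keygrip, and the remainder of do_sign (outside the hunk) then takes the same path as an explicit `OPENPGP.3`; if that path verifies PW1 in its authentication mode and the card's signature counter and forced-signature-PIN flag apply only to the signing key, signatures produced this way do not get those per-signature protections — I cannot see that path from here, so this is worth confirming. A short comment at the call site would make the policy difference visible to the next reader: `/* A keygrip matching OpenPGP.3 selects the authentication key; the PIN policy of that slot, not the signature key's, then applies. */`. do_sign's body continues before and after this hunk.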
@@ -5338,7 +5351,7 @@ do_check_pin (app_t app, ctrl_t ctrl, const char *keyidstr, if (!keyidstr || !*keyidstr) return gpg_error (GPG_ERR_INV_VALUE); - rc = check_keyidstr (app, keyidstr, 0); + rc = check_keyidstr (app, keyidstr, 0, NULL); if (rc) return rc; |