diff options
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | doc/ChangeLog | 4 | ||||
| -rw-r--r-- | doc/gpg.sgml | 11 | ||||
| -rw-r--r-- | g10/ChangeLog | 27 | ||||
| -rw-r--r-- | g10/apdu.c | 3 | ||||
| -rw-r--r-- | g10/app-common.h | 6 | ||||
| -rw-r--r-- | g10/app-openpgp.c | 2 | ||||
| -rw-r--r-- | g10/card-util.c | 478 | ||||
| -rw-r--r-- | g10/cardglue.c | 19 | ||||
| -rw-r--r-- | g10/cardglue.h | 6 | ||||
| -rw-r--r-- | g10/keydb.h | 1 | ||||
| -rw-r--r-- | g10/keyedit.c | 77 | ||||
| -rw-r--r-- | g10/keygen.c | 28 | ||||
| -rw-r--r-- | g10/keyid.c | 29 | ||||
| -rw-r--r-- | g10/main.h | 1 |
15 files changed, 580 insertions, 116 deletions
@@ -10,8 +10,8 @@ Noteworthy changes in version 1.3.7 for smartcards. * New command "addcardkey" in the key edit menu to add subkeys to - a smartcard. The serial number of the card is show in secret - key listings. + a smartcard. New command "keytocard" to transfer a key to a smartcard. + The serial number of the card is show in secret key listings. * -K may now be used as an alias for --list-secret-keys. diff --git a/doc/ChangeLog b/doc/ChangeLog index deb9a7730..618c21ec5 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,7 @@ +2004-09-23 Werner Koch <wk@g10code.com> + + * gpg.sgml: Document "addcardkey" and "keytocard". + 2004-09-20 Werner Koch <wk@g10code.com> * gpg.sgml: Document -K. diff --git a/doc/gpg.sgml b/doc/gpg.sgml index f5bb0695f..84a957e72 100644 --- a/doc/gpg.sgml +++ b/doc/gpg.sgml @@ -415,6 +415,17 @@ Add a subkey to this key.</para></listitem></varlistentry> Generate a key on a card and add it to this key.</para></listitem></varlistentry> <varlistentry> + <term>keytocard</term> + <listitem><para> +Transfer the selected secret key (or the primary key if no key has +been selected) to a smartcard. The secret key in the keyring will be +replaced by a stub if the key could be stored successfully on the card +and you use the save command later. Only certain key types may be +transferred to the card. A sub menu allows you to select on what card +to store the key. Note that it is not possible to get that key back +from the card - if the card gets broken your secret key will be lost +unless you have a backup somewhere.</para></listitem></varlistentry> + <varlistentry> <term>delkey</term> <listitem><para> Remove a subkey.</para></listitem></varlistentry> diff --git a/g10/ChangeLog b/g10/ChangeLog index 81e4c27fb..667115d2a 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,30 @@ +2004-09-23 Werner Koch <wk@g10code.com> + + * apdu.c (open_pcsc_reader): Do not print empty reader string. + + * keygen.c (ask_algo): Allow creation of AUTH keys. + + * keyid.c (usagestr_from_pk): New. + + * app-openpgp.c (app_openpgp_storekey): Call flush_cache. + + * keyedit.c (keyedit_menu): New command "keytocard" + (keyedit_menu): Bad hack for the not_with_sk element. + (show_key_with_all_names): Print the usage. + (find_pk_from_sknode): New. + + * card-util.c (card_store_subkey): New. + (copy_mpi): New. + * cardglue.c (agent_openpgp_storekey): New. + +2004-09-22 Werner Koch <wk@g10code.com> + + * card-util.c (card_generate_subkey, generate_card_keys): Factored + common code out to ... + (get_info_for_key_operation, check_pin_for_key_operation) + (restore_forced_chv1, replace_existing_key_p) + (show_card_key_info): ... new functions. + 2004-09-21 David Shaw <dshaw@jabberwocky.com> * mainproc.c (check_sig_and_print), keyedit.c (show_prefs, diff --git a/g10/apdu.c b/g10/apdu.c index 228fdec61..fceb4f396 100644 --- a/g10/apdu.c +++ b/g10/apdu.c @@ -1119,7 +1119,8 @@ open_pcsc_reader (const char *portstr) { if (!*p && !p[1]) break; - log_info ("detected reader `%s'\n", p); + if (*p) + log_info ("detected reader `%s'\n", p); if (nreader < (strlen (p)+1)) { log_error ("invalid response from pcsc_list_readers\n"); diff --git a/g10/app-common.h b/g10/app-common.h index c61bcca60..8392b485d 100644 --- a/g10/app-common.h +++ b/g10/app-common.h @@ -143,6 +143,7 @@ int app_openpgp_cardinfo (app_t app, unsigned char **fpr1, unsigned char **fpr2, unsigned char **fpr3); +#endif /* GNUPG_MAJOR_VERSION != 1 */ int app_openpgp_storekey (app_t app, int keyno, unsigned char *template, size_t template_len, time_t created_at, @@ -153,6 +154,8 @@ int app_openpgp_storekey (app_t app, int keyno, int app_openpgp_readkey (app_t app, int keyno, unsigned char **m, size_t *mlen, unsigned char **e, size_t *elen); +#if GNUPG_MAJOR_VERSION == 1 +#else /*-- app-nks.c --*/ int app_select_nks (app_t app); @@ -160,8 +163,7 @@ int app_select_nks (app_t app); int app_select_dinsig (app_t app); -#endif - +#endif /* GNUPG_MAJOR_VERSION != 1 */ #endif /*GNUPG_SCD_APP_COMMON_H*/ diff --git a/g10/app-openpgp.c b/g10/app-openpgp.c index ba34aca04..096e66e78 100644 --- a/g10/app-openpgp.c +++ b/g10/app-openpgp.c @@ -432,7 +432,6 @@ store_fpr (int slot, int keynumber, u32 timestamp, *p++ = nbits; memcpy (p, e, elen); p += elen; - log_printhex ("fprbuf:", buffer, n+3); gcry_md_hash_buffer (GCRY_MD_SHA1, fpr, buffer, n+3); xfree (buffer); @@ -1551,6 +1550,7 @@ app_openpgp_storekey (APP app, int keyno, if (rc) goto leave; + flush_cache (app); rc = iso7816_put_data (app->slot, (app->card_version > 0x0007? 0xE0 : 0xE9) + keyno, diff --git a/g10/card-util.c b/g10/card-util.c index 194bd83e2..c5cd344b6 100644 --- a/g10/card-util.c +++ b/g10/card-util.c @@ -43,6 +43,39 @@ #define CONTROL_D ('D' - 'A' + 1) +#if GNUPG_MAJOR_VERSION == 1 +#define GET_NBITS(a) mpi_get_nbits (a) +#else +#define GET_NBITS(a) gcry_mpi_get_nbits (a) +#endif + + +static int +copy_mpi (MPI a, unsigned char *buffer, size_t len, size_t *ncopied) +{ + int rc; +#if GNUPG_MAJOR_VERSION == 1 + unsigned char *tmp; + unsigned int n; + + tmp = mpi_get_secure_buffer (a, &n, NULL); + if (n > len) + rc = G10ERR_GENERAL; + else + { + rc = 0; + memcpy (buffer, tmp, n); + *ncopied = n; + } + xfree (tmp); +#else /* GNUPG_MAJOR_VERSION != 1 */ + rc = gcry_mpi_print (GCRYMPI_FMT_USG, buffer, len, ncopied, a); +#endif /* GNUPG_MAJOR_VERSION != 1 */ + if (rc) + log_error ("mpi_copy failed: %s\n", gpg_strerror (rc)); + return rc; +} + /* Change the PIN of a an OpenPGP card. This is an interactive function. */ @@ -749,26 +782,125 @@ toggle_forcesig (void) } -static void -generate_card_keys (const char *serialno) +/* Helper for the key generation/edit functions. */ +static int +get_info_for_key_operation (struct agent_card_info_s *info) { - struct agent_card_info_s info; int rc; - int forced_chv1; - memset (&info, 0, sizeof info); - rc = agent_scd_getattr ("KEY-FPR", &info); - if (!rc) - rc = agent_scd_getattr ("SERIALNO", &info); + memset (info, 0, sizeof *info); + rc = agent_scd_getattr ("SERIALNO", info); + if (rc || !info->serialno || strncmp (info->serialno, "D27600012401", 12) + || strlen (info->serialno) != 32 ) + { + log_error (_("key operation not possible: %s\n"), + rc ? gpg_strerror (rc) : _("not an OpenPGP card")); + return rc? rc: -1; + } + rc = agent_scd_getattr ("KEY-FPR", info); if (!rc) - rc = agent_scd_getattr ("CHV-STATUS", &info); + rc = agent_scd_getattr ("CHV-STATUS", info); if (!rc) - rc = agent_scd_getattr ("DISP-NAME", &info); + rc = agent_scd_getattr ("DISP-NAME", info); if (rc) + log_error (_("error getting current key info: %s\n"), gpg_strerror (rc)); + return rc; +} + + +/* Helper for the key generation/edit functions. */ +static int +check_pin_for_key_operation (struct agent_card_info_s *info, int *forced_chv1) +{ + int rc = 0; + + *forced_chv1 = !info->chv1_cached; + if (*forced_chv1) + { /* Switch of the forced mode so that during key generation we + don't get bothered with PIN queries for each + self-signature. */ + rc = agent_scd_setattr ("CHV-STATUS-1", "\x01", 1); + if (rc) + { + log_error ("error clearing forced signature PIN flag: %s\n", + gpg_strerror (rc)); + *forced_chv1 = 0; + } + } + + if (!rc) { - log_error ("error getting current key info: %s\n", gpg_strerror (rc)); - return; + /* Check the PIN now, so that we won't get asked later for each + binding signature. */ + rc = agent_scd_checkpin (info->serialno); + if (rc) + log_error ("error checking the PIN: %s\n", gpg_strerror (rc)); } + return rc; +} + +/* Helper for the key generation/edit functions. */ +static void +restore_forced_chv1 (int *forced_chv1) +{ + int rc; + + if (*forced_chv1) + { /* Switch back to forced state. */ + rc = agent_scd_setattr ("CHV-STATUS-1", "", 1); + if (rc) + { + log_error ("error setting forced signature PIN flag: %s\n", + gpg_strerror (rc)); + } + } +} + +/* Helper for the key generation/edit functions. */ +static void +show_card_key_info (struct agent_card_info_s *info) +{ + tty_fprintf (NULL, "Signature key ....:"); + print_sha1_fpr (NULL, info->fpr1valid? info->fpr1:NULL); + tty_fprintf (NULL, "Encryption key....:"); + print_sha1_fpr (NULL, info->fpr2valid? info->fpr2:NULL); + tty_fprintf (NULL, "Authentication key:"); + print_sha1_fpr (NULL, info->fpr3valid? info->fpr3:NULL); + tty_printf ("\n"); +} + + +/* Helper for the key generation/edit functions. */ +static int +replace_existing_key_p (struct agent_card_info_s *info, int keyno) +{ + assert (keyno >= 0 && keyno <= 3); + + if ((keyno == 1 && info->fpr1valid) + || (keyno == 2 && info->fpr2valid) + || (keyno == 3 && info->fpr3valid)) + { + tty_printf ("\n"); + log_info ("WARNING: such a key has already been stored on the card!\n"); + tty_printf ("\n"); + if ( !cpr_get_answer_is_yes( "cardedit.genkeys.replace_key", + _("Replace existing key? "))) + return -1; + } + return 0; +} + + + +static void +generate_card_keys (const char *serialno) +{ + struct agent_card_info_s info; + int forced_chv1; + + if (get_info_for_key_operation (&info)) + return; + if ( (info.fpr1valid && !fpr_is_zero (info.fpr1)) || (info.fpr2valid && !fpr_is_zero (info.fpr2)) || (info.fpr3valid && !fpr_is_zero (info.fpr3))) @@ -793,39 +925,14 @@ generate_card_keys (const char *serialno) tty_printf ("\n"); } - forced_chv1 = !info.chv1_cached; - if (forced_chv1) - { /* Switch of the forced mode so that during key generation we - don't get bothered with PIN queries for each - self-signature. */ - rc = agent_scd_setattr ("CHV-STATUS-1", "\x01", 1); - if (rc) - { - log_error ("error clearing forced signature PIN flag: %s\n", - gpg_strerror (rc)); - return; - } - } - - /* Check the PIN now, so that we won't get asked later for each - binding signature. */ - rc = agent_scd_checkpin (serialno); - if (rc) - log_error ("error checking the PIN: %s\n", gpg_strerror (rc)); - else - generate_keypair (NULL, info.serialno); + if (check_pin_for_key_operation (&info, &forced_chv1)) + goto leave; + + generate_keypair (NULL, info.serialno); + leave: agent_release_card_info (&info); - if (forced_chv1) - { /* Switch back to forced state. */ - rc = agent_scd_setattr ("CHV-STATUS-1", "", 1); - if (rc) - { - log_error ("error setting forced signature PIN flag: %s\n", - gpg_strerror (rc)); - return; - } - } + restore_forced_chv1 (&forced_chv1); } @@ -837,34 +944,12 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock) struct agent_card_info_s info; int okay = 0; int forced_chv1 = 0; - int rc; int keyno; - memset (&info, 0, sizeof info); - rc = agent_scd_getattr ("SERIALNO", &info); - if (rc || !info.serialno || strncmp (info.serialno, "D27600012401", 12) - || strlen (info.serialno) != 32 ) - { - log_error (_("cannot generate key: %s\n"), - rc ? gpg_strerror (rc) : _("not an OpenPGP card")); - goto leave; - } - rc = agent_scd_getattr ("KEY-FPR", &info); - if (!rc) - rc = agent_scd_getattr ("CHV-STATUS", &info); - if (rc) - { - log_error ("error getting current key info: %s\n", gpg_strerror (rc)); - goto leave; - } - - tty_fprintf (NULL, "Signature key ....:"); - print_sha1_fpr (NULL, info.fpr1valid? info.fpr1:NULL); - tty_fprintf (NULL, "Encryption key....:"); - print_sha1_fpr (NULL, info.fpr2valid? info.fpr2:NULL); - tty_fprintf (NULL, "Authentication key:"); - print_sha1_fpr (NULL, info.fpr3valid? info.fpr3:NULL); - tty_printf ("\n"); + if (get_info_for_key_operation (&info)) + return 0; + + show_card_key_info (&info); tty_printf (_("Please select the type of key to generate:\n")); @@ -889,54 +974,239 @@ card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock) tty_printf(_("Invalid selection.\n")); } - if ((keyno == 1 && info.fpr1valid) - || (keyno == 2 && info.fpr2valid) - || (keyno == 3 && info.fpr3valid)) + if (replace_existing_key_p (&info, keyno)) + goto leave; + + if (check_pin_for_key_operation (&info, &forced_chv1)) + goto leave; + + okay = generate_card_subkeypair (pub_keyblock, sec_keyblock, + keyno, info.serialno); + + leave: + agent_release_card_info (&info); + restore_forced_chv1 (&forced_chv1); + return okay; +} + + +/* Store the subkey at NODE into the smartcard and modify NODE to + carry the serrialno stuff instead of the actual secret key + parameters. */ +int +card_store_subkey (KBNODE node, int use) +{ + struct agent_card_info_s info; + int okay = 0; + int rc; + int keyno, i; + PKT_secret_key *copied_sk = NULL; + PKT_secret_key *sk; + size_t n; + MPI rsa_n, rsa_e, rsa_p, rsa_q; + unsigned int nbits; + unsigned char *template = NULL; + unsigned char *tp; + unsigned char m[128], e[4]; + size_t mlen, elen; + const char *s; + int allow_keyno[3]; + + assert (node->pkt->pkttype == PKT_SECRET_KEY + || node->pkt->pkttype == PKT_SECRET_SUBKEY); + sk = node->pkt->pkt.secret_key; + + if (get_info_for_key_operation (&info)) + return 0; + + show_card_key_info (&info); + + if (!is_RSA (sk->pubkey_algo) || nbits_from_sk (sk) != 1024 ) { + tty_printf ("You may only store a 1024 bit RSA key on the card\n"); tty_printf ("\n"); - log_info ("WARNING: such a key has already been stored on the card!\n"); - tty_printf ("\n"); - if ( !cpr_get_answer_is_yes( "cardedit.genkeys.replace_key", - _("Replace existing key? "))) - goto leave; + goto leave; } - forced_chv1 = !info.chv1_cached; - if (forced_chv1) - { /* Switch of the forced mode so that during key generation we - don't get bothered with PIN queries for each - self-signature. */ - rc = agent_scd_setattr ("CHV-STATUS-1", "\x01", 1); - if (rc) + allow_keyno[0] = (!use || (use & (PUBKEY_USAGE_SIG))); + allow_keyno[1] = (!use || (use & (PUBKEY_USAGE_ENC))); + allow_keyno[2] = (!use || (use & (PUBKEY_USAGE_SIG|PUBKEY_USAGE_AUTH))); + + tty_printf (_("Please select where to store the key:\n")); + + if (allow_keyno[0]) + tty_printf (_(" (1) Signature key\n")); + if (allow_keyno[1]) + tty_printf (_(" (2) Encryption key\n")); + if (allow_keyno[2]) + tty_printf (_(" (3) Authentication key\n")); + + for (;;) + { + char *answer = cpr_get ("cardedit.genkeys.storekeytype", + _("Your selection? ")); + cpr_kill_prompt(); + if (*answer == CONTROL_D || !*answer) { - log_error ("error clearing forced signature PIN flag: %s\n", - gpg_strerror (rc)); - forced_chv1 = 0; + xfree (answer); goto leave; } + keyno = *answer? atoi(answer): 0; + xfree(answer); + if (keyno >= 1 && keyno <= 3 && allow_keyno[keyno-1]) + break; /* Okay. */ + tty_printf(_("Invalid selection.\n")); + } + + if (replace_existing_key_p (&info, keyno)) + goto leave; + + /* Unprotect key. */ + switch (is_secret_key_protected (sk) ) + { + case 0: /* Not protected. */ + break; + case -1: + log_error (_("unknown key protection algorithm\n")); + goto leave; + default: + if (sk->protect.s2k.mode == 1001) + { + log_error (_("secret parts of key are not available\n")); + goto leave; + } + if (sk->protect.s2k.mode == 1002) + { + log_error (_("secret key already stored on a card\n")); + goto leave; + } + /* We better copy the key before we unprotect it. */ + copied_sk = sk = copy_secret_key (NULL, sk); + rc = check_secret_key (sk, 0); + if (rc) + goto leave; + } + + /* Some basic checks on the key parameters. */ + rsa_n = sk->skey[0]; + rsa_e = sk->skey[1]; + rsa_p = sk->skey[3]; + rsa_q = sk->skey[4]; + + nbits = GET_NBITS (rsa_n); + if (nbits != 1024) + { + log_error (_("length of RSA modulus is not %d\n"), 1024); + goto leave; + } + nbits = GET_NBITS (rsa_e); + if (nbits < 2 || nbits > 32) + { + log_error (_("public exponent too large (more than 32 bits)\n")); + goto leave; + } + nbits = GET_NBITS (rsa_p); + if (nbits != 512) + { + log_error (_("length of an RSA prime is not %d\n"), 512); + goto leave; + } + nbits = GET_NBITS (rsa_q); + if (nbits != 512) + { + log_error (_("length of an RSA prime is not %d\n"), 512); + goto leave; } - /* Check the PIN now, so that we won't get asked later for each - binding signature. */ - rc = agent_scd_checkpin (info.serialno); + + /* We need the modulus later to calculate the fingerprint. */ + rc = copy_mpi (rsa_n, m, 128, &n); if (rc) - log_error ("error checking the PIN: %s\n", gpg_strerror (rc)); - else - okay = generate_card_subkeypair (pub_keyblock, sec_keyblock, - keyno, info.serialno); + goto leave; + assert (n == 128); + mlen = 128; + + /* Build the private key template as described in section 4.3.3.6 of + the OpenPGP card specs: + 0xC0 <length> public exponent + 0xC1 <length> prime p + 0xC2 <length> prime q + */ + template = tp = xmalloc_secure (1+2 + 1+1+4 + 1+1+(512/8) + 1+1+(512/8)); + *tp++ = 0xC0; + *tp++ = 4; + rc = copy_mpi (rsa_e, tp, 4, &n); + if (rc) + goto leave; + assert (n <= 4); + memcpy (e, tp, n); /* Save a copy of the exponent for later use. */ + elen = n; + if (n != 4) + { + memmove (tp+4-n, tp, 4-n); + memset (tp, 0, 4-n); + } + tp += 4; + + *tp++ = 0xC1; + *tp++ = 64; + rc = copy_mpi (rsa_p, tp, 64, &n); + if (rc) + goto leave; + assert (n == 64); + tp += 64; + + *tp++ = 0xC2; + *tp++ = 64; + rc = copy_mpi (rsa_q, tp, 64, &n); + if (rc) + goto leave; + assert (n == 64); + tp += 64; + assert (tp - template == 138); + + rc = agent_openpgp_storekey (keyno, + template, tp - template, + sk->timestamp, + m, mlen, + e, elen); + + if (rc) + goto leave; + xfree (template); + template = NULL; + + /* Get back to the maybe protected original secret key. */ + if (copied_sk) + { + free_secret_key (copied_sk); + copied_sk = NULL; + } + sk = node->pkt->pkt.secret_key; + + /* Get rid of the secret key parameters and store the serial numer. */ + n = pubkey_get_nskey (sk->pubkey_algo); + for (i=pubkey_get_npkey (sk->pubkey_algo); i < n; i++) + { + mpi_free (sk->skey[i]); + sk->skey[i] = NULL; + } + i = pubkey_get_npkey (sk->pubkey_algo); + sk->skey[i] = mpi_set_opaque (NULL, xstrdup ("dummydata"), 10); + sk->is_protected = 1; + sk->protect.s2k.mode = 1002; + s = info.serialno; + for (sk->protect.ivlen=0; sk->protect.ivlen < 16 && *s && s[1]; + sk->protect.ivlen++, s += 2) + sk->protect.iv[sk->protect.ivlen] = xtoi_2 (s); + + okay = 1; leave: + if (copied_sk) + free_secret_key (copied_sk); + xfree (template); agent_release_card_info (&info); - if (forced_chv1) - { /* Switch back to forced state. */ - rc = agent_scd_setattr ("CHV-STATUS-1", "", 1); - if (rc) - { - log_error ("error setting forced signature PIN flag: %s\n", - gpg_strerror (rc)); - return okay; - } - } return okay; } diff --git a/g10/cardglue.c b/g10/cardglue.c index cff025cb3..a446a30a3 100644 --- a/g10/cardglue.c +++ b/g10/cardglue.c @@ -827,3 +827,22 @@ agent_scd_checkpin (const char *serialnobuf) return app->fnc.check_pin (app, serialnobuf, pin_cb, NULL); } + +/* Wrapper to call the store key helper function of app-openpgp.c. */ +int +agent_openpgp_storekey (int keyno, + unsigned char *template, size_t template_len, + time_t created_at, + const unsigned char *m, size_t mlen, + const unsigned char *e, size_t elen) +{ + APP app; + + app = current_app? current_app : open_card (); + if (!app) + return gpg_error (GPG_ERR_CARD); + + return app_openpgp_storekey (app, keyno, template, template_len, + created_at, m, mlen, e, elen, + pin_cb, NULL); +} diff --git a/g10/cardglue.h b/g10/cardglue.h index 764064ece..812d44e2e 100644 --- a/g10/cardglue.h +++ b/g10/cardglue.h @@ -183,6 +183,12 @@ int agent_scd_change_pin (int chvno); /* Send a CHECKPIN command. */ int agent_scd_checkpin (const char *serialnobuf); +/* Call the store key utility command. */ +int agent_openpgp_storekey (int keyno, + unsigned char *template, size_t template_len, + time_t created_at, + const unsigned char *m, size_t mlen, + const unsigned char *e, size_t elen); #endif /*ENABLE_CARD_SUPPORT*/ #endif /*GNUPG_G10_CARDGLUE_H*/ diff --git a/g10/keydb.h b/g10/keydb.h index e3f53a336..1eca3af5c 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -258,6 +258,7 @@ const char *expirestr_from_pk( PKT_public_key *pk ); const char *expirestr_from_sk( PKT_secret_key *sk ); const char *expirestr_from_sig( PKT_signature *sig ); const char *revokestr_from_pk( PKT_public_key *pk ); +const char *usagestr_from_pk( PKT_public_key *pk ); const char *colon_strtime (u32 t); const char *colon_datestr_from_pk (PKT_public_key *pk); const char *colon_datestr_from_sk (PKT_secret_key *sk); diff --git a/g10/keyedit.c b/g10/keyedit.c index 0a9b47b58..4070d2fac 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c @@ -95,6 +95,34 @@ struct sign_attrib { }; +/* Given a node SEC_NODE with a secret key or subkey, locate the + corresponding public key from pub_keyblock. */ +static PKT_public_key * +find_pk_from_sknode (KBNODE pub_keyblock, KBNODE sec_node) +{ + KBNODE node = pub_keyblock; + PKT_secret_key *sk; + PKT_public_key *pk; + + if (sec_node->pkt->pkttype == PKT_SECRET_KEY + && node->pkt->pkttype == PKT_PUBLIC_KEY) + return node->pkt->pkt.public_key; + if (sec_node->pkt->pkttype != PKT_SECRET_SUBKEY) + return NULL; + sk = sec_node->pkt->pkt.secret_key; + for (; node; node = node->next) + if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY) + { + pk = node->pkt->pkt.public_key; + if (pk->keyid[0] == sk->keyid[0] && pk->keyid[1] == sk->keyid[1]) + return pk; + } + + return NULL; +} + + + /* TODO: Fix duplicated code between here and the check-sigs/list-sigs code in keylist.c. */ static int @@ -1191,14 +1219,14 @@ keyedit_menu( const char *username, STRLIST locusr, cmdTOGGLE, cmdSELKEY, cmdPASSWD, cmdTRUST, cmdPREF, cmdEXPIRE, cmdENABLEKEY, cmdDISABLEKEY, cmdSHOWPREF, cmdSETPREF, cmdUPDPREF, cmdPREFKS, cmdINVCMD, cmdSHOWPHOTO, cmdUPDTRUST, cmdCHKTRUST, - cmdADDCARDKEY, - cmdNOP }; + cmdADDCARDKEY, cmdKEYTOCARD, + cmdNOP }; static struct { const char *name; enum cmdids id; int need_sk; - int not_with_sk; + int not_with_sk; /* but 2 == must use SK */ const char *desc; - } cmds[] = { + } cmds[] = { { N_("quit") , cmdQUIT , 0,0, N_("quit this menu") }, { N_("q") , cmdQUIT , 0,0, NULL }, { N_("save") , cmdSAVE , 0,0, N_("save and quit") }, @@ -1226,7 +1254,8 @@ keyedit_menu( const char *username, STRLIST locusr, { N_("addkey") , cmdADDKEY , 1,1, N_("add a secondary key") }, #ifdef ENABLE_CARD_SUPPORT { N_("addcardkey"), cmdADDCARDKEY , 1,1, N_("add a key to a smartcard") }, -#endif /* ENABLE_CARD_SUPPORT */ + { N_("keytocard"), cmdKEYTOCARD , 1,2, N_("move a key to a smartcard")}, +#endif /*ENABLE_CARD_SUPPORT*/ { N_("delkey") , cmdDELKEY , 0,1, N_("delete a secondary key") }, { N_("addrevoker"),cmdADDREVOKER,1,1, N_("add a revocation key") }, { N_("delsig") , cmdDELSIG , 0,1, N_("delete signatures") }, @@ -1256,6 +1285,7 @@ keyedit_menu( const char *username, STRLIST locusr, KBNODE sec_keyblock = NULL; KEYDB_HANDLE sec_kdbhd = NULL; KBNODE cur_keyblock; + KBNODE node; char *answer = NULL; int redisplay = 1; int modified = 0; @@ -1379,7 +1409,8 @@ keyedit_menu( const char *username, STRLIST locusr, tty_printf(_("Need the secret key to do this.\n")); cmd = cmdNOP; } - else if( cmds[i].not_with_sk && sec_keyblock && toggle ) { + else if( (cmds[i].not_with_sk == 1 && sec_keyblock && toggle) + ||(cmds[i].not_with_sk == 2 && sec_keyblock && !toggle)) { tty_printf(_("Please use the command \"toggle\" first.\n")); cmd = cmdNOP; } @@ -1543,6 +1574,38 @@ keyedit_menu( const char *username, STRLIST locusr, merge_keys_and_selfsig( keyblock ); } break; + + case cmdKEYTOCARD: + node = NULL; + switch ( count_selected_keys (sec_keyblock) ) + { + case 0: + if (cpr_get_answer_is_yes("keyedit.keytocard.use_primary", + _("Really move the primary key? "))) + node = sec_keyblock; + break; + case 1: + for (node = sec_keyblock; node; node = node->next ) + { + if (node->pkt->pkttype == PKT_SECRET_SUBKEY + && node->flag & NODFLG_SELKEY) + break; + } + break; + default: + tty_printf(_("You must select exactly one key.\n")); + break; + } + if (node) + { + PKT_public_key *xxpk = find_pk_from_sknode (keyblock, node); + if (card_store_subkey (node, xxpk?xxpk->pubkey_usage:0)) + { + redisplay = 1; + sec_modified = 1; + } + } + break; #endif /* ENABLE_CARD_SUPPORT */ case cmdDELKEY: { @@ -2176,6 +2239,8 @@ show_key_with_all_names( KBNODE keyblock, int only_marked, int with_revoker, tty_printf(_("expired: %s"),expirestr_from_pk(pk)); else tty_printf(_("expires: %s"),expirestr_from_pk(pk)); + tty_printf(" "); + tty_printf(_("usage: %s"),usagestr_from_pk(pk)); tty_printf("\n"); if( node->pkt->pkttype == PKT_PUBLIC_KEY ) diff --git a/g10/keygen.c b/g10/keygen.c index 44cfc00ec..23bbed1ee 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -1177,6 +1177,14 @@ ask_algo (int addmode, unsigned int *r_usage) tty_printf( _(" (%d) RSA (encrypt only)\n"), 5 ); if (opt.expert) tty_printf( _(" (%d) RSA (sign and encrypt)\n"), 6 ); + if (opt.expert && addmode) + tty_printf( _(" (%d) RSA (auth only)\n"), 7 ); + if (opt.expert) + tty_printf( _(" (%d) RSA (sign and auth)\n"), 8 ); + if (opt.expert && addmode) + tty_printf( _(" (%d) RSA (encrypt and auth)\n"), 9 ); + if (opt.expert) + tty_printf( _(" (%d) RSA (sign, encrypt and auth)\n"), 10 ); for(;;) { answer = cpr_get("keygen.algo",_("Your selection? ")); @@ -1187,6 +1195,26 @@ ask_algo (int addmode, unsigned int *r_usage) algo = 0; /* create both keys */ break; } + else if( algo == 10 && opt.expert ) { + algo = PUBKEY_ALGO_RSA; + *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG | PUBKEY_USAGE_AUTH; + break; + } + else if( algo == 9 && opt.expert && addmode) { + algo = PUBKEY_ALGO_RSA; + *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_AUTH; + break; + } + else if( algo == 8 && opt.expert ) { + algo = PUBKEY_ALGO_RSA; + *r_usage = PUBKEY_USAGE_SIG | PUBKEY_USAGE_AUTH; + break; + } + else if( algo == 7 && opt.expert && addmode) { + algo = PUBKEY_ALGO_RSA; + *r_usage = PUBKEY_USAGE_AUTH; + break; + } else if( algo == 6 && opt.expert ) { algo = PUBKEY_ALGO_RSA; *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG; diff --git a/g10/keyid.c b/g10/keyid.c index 9d987179d..9c5138605 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -535,6 +535,35 @@ revokestr_from_pk( PKT_public_key *pk ) return mk_datestr (buffer, atime); } + +const char * +usagestr_from_pk( PKT_public_key *pk ) +{ + static char buffer[10]; + int i = 0; + unsigned int use = pk->pubkey_usage; + + if ( use & PUBKEY_USAGE_SIG ) + { + if (pk->is_primary) + buffer[i++] = 'C'; + buffer[i++] = 'S'; + } + + if ( use & PUBKEY_USAGE_ENC ) + buffer[i++] = 'E'; + + if ( (use & PUBKEY_USAGE_AUTH) ) + buffer[i++] = 'A'; + + while (i < 4) + buffer[i++] = ' '; + + buffer[i] = 0; + return buffer; +} + + const char * colon_strtime (u32 t) { diff --git a/g10/main.h b/g10/main.h index c84a059e3..0205f7e00 100644 --- a/g10/main.h +++ b/g10/main.h @@ -262,6 +262,7 @@ void change_pin (int no); void card_status (FILE *fp, char *serialno, size_t serialnobuflen); void card_edit (STRLIST commands); int card_generate_subkey (KBNODE pub_keyblock, KBNODE sec_keyblock); +int card_store_subkey (KBNODE node, int use); #endif #endif /*G10_MAIN_H*/ |