summaryrefslogtreecommitdiffstats
path: root/scd (follow)
Commit message (Collapse)AuthorAgeFilesLines
* scd: New option to APDU command to return the ATR as data.Werner Koch2020-08-271-2/+16
| | | | | | | | | | * scd/command.c (cmd_apdu): Add new option --data-atr. * tools/gpg-card.c (cmd_apdu): Use that here. Also fix the --exlen option and do not print the statusword in atr mode. * tools/card-call-scd.c (scd_apdu): Detect atr mode anddon't assume a status word. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Fix reading of the ATR for card type detection.Werner Koch2020-08-271-1/+1
| | | | | | | | | | | * scd/app.c (app_new_register): Do not use apdu_get_slot. -- apdu_get_slot() may only be used after the APP has been initialized. Thus we need to pass teh slot here directly. Fixes-commit: 9f148360a2bf04672b43ef7cec48e21d44b06ae1 Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Add heuristics to identify cardtype.NIIBE Yutaka2020-08-272-3/+23
| | | | | | | | | | | * scd/app-common.h (cardtype_t): Add CARDTYPE_GNUK and CARDTYPE_ZEITCONTROL. * scd/app.c (strcardtype): Handle CARDTYPE_GNUK and CARDTYPE_ZEITCONTROL. (app_new_register): Detect Gnuk and Zeit Control implementation by examining its ATR string. Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd: Add condition for VERIFY with 0x82.NIIBE Yutaka2020-08-271-4/+9
| | | | | | | | | | | | | * scd/app-openpgp.c (verify_chv2): Check availability of keys in question. -- With buggy Gnuk (<= 1.2.15), when no encr/auth keys are available, it fails decrementing the signature error counter. This change can avoid the issue. Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd: Fix possible uninitialized variables.NIIBE Yutaka2020-08-192-8/+8
| | | | | | | | * scd/app-openpgp.c (do_change_pin): Initialize resultlen2. (do_change_pin): Don't call wipe_and_free on the error path. Initialize bufferlen2. Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd: Log info about CCIDs with permission problems.Werner Koch2020-08-121-3/+13
| | | | | | | * scd/apdu.c (open_ccid_reader): Add arg r_cciderr. (apdu_open_reader): Print a note on EPERM of the USB device. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Map some error codes from libusb to ccid-driver error codes.Werner Koch2020-08-125-12/+57
| | | | | | | | | | | | | | | * scd/ccid-driver.h (CCID_DRIVER_ERR_USB_*): New error codes. * scd/apdu.h: New SW_HOST error codes. * scd/apdu.c (host_sw_string): Print them * scd/ccid-driver.c (map_libusb_error): New. (ccid_open_usb_reader, bulk_in, abort_cmd): Map libusb error codes. * scd/iso7816.c (map_sw): Map new codes to gpg-error. -- This change will help to get low level error conditions from hipher application code. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:piv: Allow signing using PSS.Werner Koch2020-08-101-1/+10
| | | | | | | | | * scd/app-piv.c (do_sign): Allow for PSS. -- This has been tested with Scute and Openvpn. Signed-off-by: Werner Koch <wk@gnupg.org>
* agent: Add option --pss to pksign to be used by smartcards.Werner Koch2020-08-101-1/+3
| | | | | | | | | | | | | | | * agent/command.c (cmd_sethash): Add option --pss and allow for --hash=null. * agent/agent.h (struct server_control_s): Add digest.is_pss and zero where needed. * agent/pksign.c (agent_pksign_do): Allow for PSS with cards. * scd/command.c (cmd_pksign): Add for --hash=none. -- This is not a full implementaion of PSS but allows scdaemon card drivers to detect already PSS formatted data. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Silence compiler warning.NIIBE Yutaka2020-07-311-3/+3
| | | | | | * scd/app-openpgp.c (build_ecc_privkey_template): Fix allocation size. Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd: Fix closing reader and reeleasing context in PC/SC.NIIBE Yutaka2020-07-171-0/+7
| | | | | | | | | | * scd/apdu.c (close_pcsc_reader): Unlock the reader_table_lock. (apdu_dev_list_finish): Release the context when no readers. -- Fixes-commit: 46d185f60397f68830bfdfb99627b29aea5016f1 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd: PC/SC: Don't release the context when it's in use.NIIBE Yutaka2020-07-171-1/+1
| | | | | | | | | | * scd/apdu.c (close_pcsc_reader): Check if it's not in the loop. -- GnuPG-bug-id: 4998 Reported-by: Kevin Locke Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd:nks: Implement writecert for the Signature card v2.Werner Koch2020-07-023-8/+133
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * scd/iso7816.c (CMD_UPDATE_BINARY): New. (iso7816_update_binary): New. * scd/app-nks.c (do_deinit): Factor some code out to... (flush_fid_cache): new. (do_writecert): New. (app_select_nks): Register new handler. -- This can be used with gpg-card to write the 3 extra certificates of a Telesec TCOS Signature Card v2. The card with the qualified signature is distributed with the keys for encryption and advanced signatures but without the certificates. The certificates can be downloaded from the website after an mail confirmation. Unpacked the downloaded zipfile has these certificates: auth_zert.crt sig_zert.crt enc_zert.crt Using gpg-card issue these commands: writecert NKS-NKS3.4531 <sig_zert.crt writecert NKS-NKS3.45B1 <enc_zert.crt writecert NKS-NKS3.4571 <auth_zert.crt Don't mix that up, tight now there is no checking that the certificates match the public key. I also need to write another patch to actually implement signing and encryption with these nistp256 certificates. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:nks: Fix certificate read problem with TCOS signature card v2.Werner Koch2020-06-301-0/+2
| | | | | | | * scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN. (do_readcert): Test for the app_id. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Change how the removed card flag is set.Werner Koch2020-06-301-13/+14
| | | | | | | | | | | | * scd/command.c (cmd_serialno): Set/clear card removed flags for all connections using the current card. -- This seems to solve the problems I had in gpg-card and ssh. I am not sure why the old code was done this way - maybe an oversight when adding support for multiple cards. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Shorten cardio debug output for all zeroes.Werner Koch2020-06-291-4/+33
| | | | | | | * scd/apdu.c (all_zero_p): New. (send_le): Use it. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:nks: Fix remaining tries warning in --reset mode.Werner Koch2020-06-251-9/+10
| | | | | | * scd/app-nks.c (do_change_pin): Chnage computaion of 'remaining'. Signed-off-by: Werner Koch <wk@gnupg.org>
* build: Fix recent commit for SOURCE_DATE_EPOCH.Werner Koch2020-06-081-1/+1
| | | | | | | | | | -- Fixes-commit: 074ab108e768b2f946d789c1f3a7f14a65e07c52 which was recently pushed to make use of $SOURCE_DATE_EPOCH as fallback. Also fixes two typos
* scd: Fix condition for C5 data object for newer Yubikey.NIIBE Yutaka2020-05-291-1/+1
| | | | | | | * scd/app-openpgp.c (compare_fingerprint): Relax the condition. GnuPG-bug-id: 4957 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd:openpgp: New KEY-STATUS attribute.Werner Koch2020-05-271-1/+10
| | | | * scd/app-openpgp.c (do_getattr): Return KEY-STATUS
* scd:openpgp: Add attribute "UIF" for convenience.Werner Koch2020-05-261-5/+11
| | | | | | | | | | | | * scd/app-openpgp.c (do_getattr): New attrubute "UIF". (do_learn_status): Use that. -- Actually this is not just convenience but will make it easier to add new keys to an openpgp card - we will need to change this only at one place. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Fix Yubikey app switching problemWerner Koch2020-05-261-4/+12
| | | | | | | | | | | | | | * scd/app.c (select_all_additional_applications_internal): Re-select first app. Add arg 'ctrl'. -- Usually keygrip based access to the Yubikey does a switching back and forth and thus keeps the card and scdaemon's internal state in sync. However, if we do only a listing scdaemon did not reselect the first application (e.g. OpenPGP) after adding other applications (e.g. PIV) and thus led to wrong info returned in a listing. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:nks: Add framework to support IDKey cards.Werner Koch2020-05-071-51/+124
| | | | | | | | | | | | | | | * scd/app-nks.c (NKS_APP_IDLM): New. (struct app_local_s): Replace NKS_VERSION by the global APPVERSION. (do_learn_status): Always send CHV-STATUS. (find_fid_by_keyref): Basic support for IDLM only use. (do_learn_status_core): Ditto. (do_readcert): Ditto. (verify_pin): Ditto. (parse_pwidstr): Ditto. (do_with_keygrip): Ditto. (switch_application): Ditto. (app_select_nks): Fallback to IDLM. --
* scd:nks: Get the PIN prompts right for the Signature CardWerner Koch2020-05-071-56/+136
| | | | | | | | | | | | * scd/app-nks.c (get_dispserialno): Move more to the top. (do_getattr): Add $DISPSERIALNO and SERIALNO. Make CHV-STATUS work with NKS15. (verify_pin): Use dedicated min. PIN lengths. (parse_pwidstr): Support NKS15 -- GnuPG-bug-id: 4938 Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:nks: Support decryption using ECDH.Werner Koch2020-05-071-75/+307
| | | | | | | | | | | | | | | | | * scd/app-nks.c (struct fid_cache_s): Add field 'algo'. (keygripstr_from_pk_file): Add arg 'r_algo' to return the algo. (find_fid_by_keyref): Ditto. (get_dispserialno): New. (make_prompt): New. (verify_pin): Provide better prompts. (do_decipher): Support ECDH. (parse_pwidstr): Add hack tospecify any pwid.. (do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN. Provide a better prompt. -- GnuPG-bug-id: 4938 Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Extend an internal function to also return the algo.Werner Koch2020-05-058-17/+24
| | | | | | | | * scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg r_algo. Change all callers. (app_help_get_keygrip_string): Ditto. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:nks: Add do_with_keygrip and implement a cache.Werner Koch2020-05-041-90/+349
| | | | | | | | | | | | * scd/app-nks.c (struct fid_cache_s): New. (struct app_local_s): Add field 'fid_cache'. (do_deinit): Release the cache. (keygripstr_from_pk_file): Implement the cache. (find_fid_by_keyref): New (do_sign, do_decipher): Use new function. (do_with_keygrip): New. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:nks: Allow retrieving certificates from a Signature Card v.20Werner Koch2020-04-171-164/+299
| | | | | | | | | | * scd/app-nks.c: Major rework to support non-RSA cards. -- This is a fist step so support this ECC card. The code has been reworked while taking care that old cards should keep on working. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Detect missing card in "getinfo all_active_apps".Werner Koch2020-04-171-0/+5
| | | | | | | | | * scd/app.c (send_card_and_app_list): Detect no app case. -- This is a minor nug fix to return a better error message. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Return a display S/N via Assuan.Werner Koch2020-04-091-21/+54
| | | | | | | | * scd/app-p15.c (make_pin_prompt): Factor some code out to ... (get_dispserialno): this. (do_getattr): Use new fucntion for a $DISPSERIALNO. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Show a pretty PIN prompt.Werner Koch2020-04-071-13/+197
| | | | | | | | | | | | | | | | | | | | * scd/app-p15.c (struct prkdf_object_s): New fields common_name and serial_number. (release_prkdflist): Free them. (keygrip_from_prkdf): Parse cert and set them. (any_control_or_space): New. (make_pin_prompt): New. (verify_pin): Construct a pretty PIN prompt. (do_sign): Remove debug output. -- The D-Trust card has the SerialNumber part of the Subject printed on the front matter, we assume this is also possible with other cards and thus we show this as serial number. The holder of the card is also extracted from the card's subject. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Return GPG_ERR_BAD_PIN on 0x63Cn status word.Werner Koch2020-04-071-0/+2
| | | | | | | | | | * scd/iso7816.c (map_sw): Detect 0x63Cn status code. -- I really wonder when that got lost and we ended up with a simple card error. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Factor common PIN status check out.Werner Koch2020-04-074-82/+57
| | | | | | | | | | | | | | * scd/iso7816.h (ISO7816_VERIFY_ERROR): New. (ISO7816_VERIFY_NO_PIN): New. (ISO7816_VERIFY_BLOCKED): New. (ISO7816_VERIFY_NULLPIN): New. (ISO7816_VERIFY_NOT_NEEDED): New. * scd/iso7816.c (iso7816_verify_status): New. * scd/app-nks.c (get_chv_status): Use new function. * scd/app-piv.c (get_chv_status): Ditto. (verify_chv): Ditto. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Fix decrypt followed by sign problem for D-Trust cards.Werner Koch2020-04-073-14/+91
| | | | | | | | | | | | | | | | | * scd/iso7816.c (iso7816_select_mf): New. * scd/app-p15.c (card_product_t): New. (struct app_local_s): Add field 'card_product'. (read_ef_tokeninfo): Detect D-Trust card. (prepare_verify_pin): Switch to D-Trust AID. (do_decipher): Restore a SE for D-TRust cards. Chnage the passing indicator to 0x81. -- Using what I learned from a USB trace running the Governikus Signer Software on Windows this fixes the left over problem with the new D-Trust card support. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Emit MANUFACTURER, $ENCRKEYID, $SIGNKEYID.Werner Koch2020-04-031-18/+62
| | | | | | | | | * scd/app-p15.c (read_ef_tokeninfo): Store manufacturer_id. (do_getattr): Implement MANUFACTURER, $ENCRKEYID and $SIGNKEYID. (send_keypairinfo): Also print usage flags. -- Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:openpgp: New attribute "MANUFACTURER".Werner Koch2020-04-031-0/+50
| | | | | | | | | | | | * scd/app-openpgp.c (get_manufacturer): New.. (do_getattr): Add new attribute "MANUFACTURER". (do_learn_status): Always print it. -- This will make it easy to maintain the list of OpenPGP vendors at just one place. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Implement do_with_keygrip and capabilities.Werner Koch2020-04-021-34/+48
| | | | | | | | * scd/app-p15.c (prepare_verify_pin): Allow use without an AODF. (verify_pin): Ditto. (do_with_keygrip): Implement capability restrictions. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Rename some variables and functions for clarity.Werner Koch2020-04-021-28/+28
| | | | | | * scd/app-p15.c: Rename keyinfo to prkdf. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Use Gcrypt usage constants for the do_with_keygrip capabilities.Werner Koch2020-04-023-8/+17
| | | | | | | | | | | | * scd/command.c (cmd_keyinfo): Use Gcrypt constants for CAP. * scd/app-openpgp.c (do_with_keygrip): Adjust for them. * scd/app-piv.c (do_with_keygrip): Ditto. -- That makes it easier to read. An open question is whether we should allow several capabilities and whether they are the ORed or ANDed. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: New command DEVINFO.NIIBE Yutaka2020-04-023-62/+203
| | | | | | | | | | | | | | | * scd/app.c (notify_cond): New condition variable. (app_send_devinfo, app_wait): New. (scd_update_reader_status_file): Kick NOTIFY_COND. (initialize_module_command): Initialize NOTIFY_COND. * scd/command.c (struct server_local_s): Add watching_status. (cmd_devinfo): New. (register_commands): Add DEVINFO command. (send_client_notifications): Write status change to DEVINFO channel. * scd/scdaemon.h (app_wait, app_send_devinfo): New. GnuPG-bug-id: 4864 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd:p15: Cache the PIN.Werner Koch2020-04-011-0/+8
| | | | | | | | | | | * scd/app-p15.c (struct prkdf_object_s): Add flag pin_verified. (verify_pin): Make use of it. -- Theee is still a problem with the APDUs we send: Switching between signing and decryption does work but not in the other way. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Run a keygrip_from_prkdf before verify_pinWerner Koch2020-04-011-9/+18
| | | | | | | | | | | | | * scd/app-p15.c (do_sign): Move keygrip_from_prkdf before PIN verification. (do_decipher): Add keygrip_from_prkdf. -- This is required because that function may change the current file which is set by prepare_verify_pin right before MSE. HAs alredy been done on the backport to 2.2 Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Support decryption with CardOS 5 cards.Werner Koch2020-04-011-2/+100
| | | | | | | | | | | * scd/app-p15.c (do_decipher): New. -- tested using the D-TRUSt card and a SCR3310 reader. The Kobil KAAN Advanced, I used for the signing tests could not be used because it supports only Short APDU Level exchange. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Factor PIN verification out to a new function.Werner Koch2020-04-011-192/+224
| | | | | | | | * scd/app-p15.c (do_sign): Factor code out to ... (prepare_verify_pin, verify_pin): new functions. -- Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Support signing with CardOS 5 cards.Werner Koch2020-03-318-98/+368
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg r_pkey and change all callers. (app_help_get_keygrip_string): Ditto. * scd/app-p15.c (struct cdf_object_s): Use bit flags (struct aodf_object_s): Ditto. Add field 'fid'. (struct prkdf_object_s): Ditto. Add fields keygrip, keyalgo, and keynbits. (parse_certid): Allow a keygrip instead of a certid aka keyref. (read_ef_aodf): Store the FID. (keygripstr_from_prkdf): Rename to ... (keygrip_from_prkdf): this. Remove arg r_gripstr and implement cache. Change callers to directly use the values from the object. Also store the algo and length of the key ion the object. (keyref_from_keyinfo): New. Factored out code. (do_sign): Support SHA-256 and >2048 bit RSA keys. (do_with_keygrip): New. (app_select_p15): Register new function. -- This has been tested with a D-Trust card featuring 3072 bit keys. Note that non-repudiation key for a qualified signature does not yet work because we do not yet support rsaPSS padding. Thus a gpgsm --learn shows a couple of Bad Signature errors for this key. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Read certificates in extended mode.Werner Koch2020-03-311-2/+4
| | | | | | | * scd/app-p15.c (readcert_by_cdf): Allow reading in extended mode. -- Signed-off-by: Werner Koch <wk@gnupg.org>
* scd: Add function for binary read in extended mode.Werner Koch2020-03-312-4/+17
| | | | | | | * scd/iso7816.c (iso7816_read_binary): Factor code out to ... (iso7816_read_binary_ext): new function. Add arg extended_mode. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Improve diagnosticsWerner Koch2020-03-311-164/+202
| | | | | | | | | | -- This removes almost all log_debug calls and uses opt.verbose and log_info to show card information. Also avoid too long and thus harder to read lines. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:p15: Detect CardOS 5 cards and print some basic infos.Werner Koch2020-03-301-15/+150
| | | | | | | | | | | | | | | | | | | | * scd/app-p15.c (read_ef_odf): Detect the home_DF on the fly. Silence the garbage warning for null bytes. (print_tokeninfo_tokenflags): New. (read_ef_tokeninfo): Print manufacturer, label, and flags. (app_select_p15): No need to use the app_get_slot macro. (CARD_TYPE_CARDOS_50): New const. (card_atr_list): Detect CardOS 5.0 -- The card under test is a "Test-Signaturkarte D-TRUST Card 3.1" for a mere 49 Euro and no specs available. D-Trust is a branch of the German Bundesdruckerei. Compare that to Telesec and Yubikey who have always been nice enough to send bunches of sample cards without a need to wade through lots of forms and not even asking for money. Guess which cards I prefer. Signed-off-by: Werner Koch <wk@gnupg.org>
* scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3.Werner Koch2020-03-271-5/+18
| | | | | | | | | | | | | | * scd/app-openpgp.c (check_keyidstr): Add optional arg r_use_auth to test also for OpenPGP.3. (do_sign): Enable that new mode. -- This is very useful to allow gpgsm to use a certificate based on the OpenPGP card's authentication key. That key is usually used for ssh but it makes sense to use it also for user certificate based authentication. Signed-off-by: Werner Koch <wk@gnupg.org>