[svn] GnuPG - r5072 - in trunk: . doc g10 scd

svn author wk cvs at cvs.gnupg.org
Thu Jul 9 16:54:19 CEST 2009 

Author: wk
Date: 2009-07-09 16:54:18 +0200 (Thu, 09 Jul 2009)
New Revision: 5072

Modified:
   trunk/NEWS
   trunk/doc/DETAILS
   trunk/g10/ChangeLog
   trunk/g10/card-util.c
   trunk/scd/ChangeLog
   trunk/scd/app-openpgp.c
Log:
Support writing of existing keys with non-matching key sizes.


Modified: trunk/g10/ChangeLog
===================================================================
--- trunk/g10/ChangeLog	2009-07-09 09:12:01 UTC (rev 5071)
+++ trunk/g10/ChangeLog	2009-07-09 14:54:18 UTC (rev 5072)
@@ -1,5 +1,8 @@
 2009-07-09  Werner Koch  <wk at g10code.com>
 
+	* card-util.c (card_store_subkey): Do not restrict to 1024 bit keys.
+	Print an error message on write errors.
+
 	* gpg.c (main): Remove the SHA-1 default from the personal digest
 	list.  This was used in the past as a hack to avoid preferring
 	RMD-160.

Modified: trunk/scd/ChangeLog
===================================================================
--- trunk/scd/ChangeLog	2009-07-09 09:12:01 UTC (rev 5071)
+++ trunk/scd/ChangeLog	2009-07-09 14:54:18 UTC (rev 5072)
@@ -1,3 +1,11 @@
+2009-07-09  Werner Koch  <wk at g10code.com>
+
+	* app-openpgp.c (change_keyattr): New.
+	(do_writekey): Call it.
+	
+	* app-openpgp.c (does_key_exist): Add arg GENERATING.  Change
+	callers.
+
 2009-06-30  Werner Koch  <wk at g10code.com>
 
 	* ccid-driver.c (ccid_transceive): Set RESYNCING flag.

Modified: trunk/NEWS
===================================================================
--- trunk/NEWS	2009-07-09 09:12:01 UTC (rev 5071)
+++ trunk/NEWS	2009-07-09 14:54:18 UTC (rev 5072)
@@ -13,6 +13,11 @@
 
  * New option --re-import for GPGSM's IMPORT server command.
 
+ * Enhanced writing of existing keys to OpenPGP v2 cards.
+
+ * Add hack to the internal CCID driver to allow the use of some
+   Omnikey based card readers with 2048 bit keys.
+
  * Minor bug fixes.
 
 

Modified: trunk/doc/DETAILS
===================================================================
--- trunk/doc/DETAILS	2009-07-09 09:12:01 UTC (rev 5071)
+++ trunk/doc/DETAILS	2009-07-09 14:54:18 UTC (rev 5072)
@@ -503,8 +503,9 @@
 	"char" is the character displayed with no --status-fd enabled, with
 	the linefeed replaced by an 'X'.  "cur" is the current amount
 	done and "total" is amount to be done; a "total" of 0 indicates that
-	the total amount is not known.	100/100 may be used to detect the
-	end of operation.
+	the total amount is not known.	The condition 
+           TOATL && CUR == TOTAL
+        may be used to detect the end of an operation.
         Well known values for WHAT:
              "pk_dsa"   - DSA key generation
              "pk_elg"   - Elgamal key generation

Modified: trunk/g10/card-util.c
===================================================================
--- trunk/g10/card-util.c	2009-07-09 09:12:01 UTC (rev 5071)
+++ trunk/g10/card-util.c	2009-07-09 14:54:18 UTC (rev 5072)
@@ -1,5 +1,5 @@
 /* card-util.c - Utility functions for the OpenPGP card.
- *	Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
+ * Copyright (C) 2003, 2004, 2005, 2009 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -1393,7 +1393,8 @@
 
   show_card_key_info (&info);
 
-  if (!is_RSA (sk->pubkey_algo) || nbits_from_sk (sk) != 1024 )
+  if (!is_RSA (sk->pubkey_algo) 
+      || (!info.is_v2 && nbits_from_sk (sk) != 1024) )
     {
       tty_printf ("You may only store a 1024 bit RSA key on the card\n");
       tty_printf ("\n");
@@ -1461,7 +1462,10 @@
 
   rc = save_unprotected_key_to_card (sk, keyno);
   if (rc)
-    goto leave;
+    {
+      log_error (_("error writing key to card: %s\n"), gpg_strerror (rc));
+      goto leave;
+    }
 
   /* Get back to the maybe protected original secret key.  */
   if (copied_sk)

Modified: trunk/scd/app-openpgp.c
===================================================================
--- trunk/scd/app-openpgp.c	2009-07-09 09:12:01 UTC (rev 5071)
+++ trunk/scd/app-openpgp.c	2009-07-09 14:54:18 UTC (rev 5072)
@@ -213,6 +213,7 @@
                             void *pincb_arg,
                             const void *indata, size_t indatalen,
                             unsigned char **outdata, size_t *outdatalen);
+static void parse_algorithm_attribute (app_t app, int keyno);
 
 
 
@@ -2144,9 +2145,10 @@
 
 /* Check whether a key already exists.  KEYIDX is the index of the key
    (0..2).  If FORCE is TRUE a diagnositic will be printed but no
-   error returned if the key already exists. */
+   error returned if the key already exists.  The flag GENERATING is
+   only used to print correct messages. */
 static gpg_error_t
-does_key_exist (app_t app, int keyidx, int force)
+does_key_exist (app_t app, int keyidx, int generating, int force)
 {
   const unsigned char *fpr;
   unsigned char *buffer;
@@ -2178,8 +2180,10 @@
     }
   else if (i!=20)
     log_info (_("existing key will be replaced\n"));
+  else if (generating)
+    log_info (_("generating new key\n"));
   else
-    log_info (_("generating new key\n"));
+    log_info (_("writing new key\n"));
   return 0;
 }
 
@@ -2340,7 +2344,64 @@
 }
 
 
+/* Helper for do_writekley to change the size of a key.  Not ethat
+   this deletes the entire key without asking.  */
+static gpg_error_t
+change_keyattr (app_t app, int keyno, unsigned int nbits,
+                gpg_error_t (*pincb)(void*, const char *, char **),
+                void *pincb_arg)
+{
+  gpg_error_t err;
+  unsigned char *buffer;
+  size_t buflen;
+  void *relptr;
 
+  assert (keyno >=0 && keyno <= 2);
+
+  if (nbits > 3072)
+    return gpg_error (GPG_ERR_TOO_LARGE);
+
+  /* Read the current attributes into a buffer.  */
+  relptr = get_one_do (app, 0xC1+keyno, &buffer, &buflen, NULL);
+  if (!relptr)
+    return gpg_error (GPG_ERR_CARD);
+  if (buflen < 6 || buffer[0] != 1)
+    {
+      /* Attriutes too short or not an RSA key.  */
+      xfree (relptr);
+      return gpg_error (GPG_ERR_CARD);
+    }
+  
+  /* We only change n_bits and don't touch anything else.  Before we
+     do so, we round up NBITS to a sensible way in the same way as
+     gpg's key generation does it.  This may help to sort out problems
+     with a few bits too short keys.  */
+  nbits = ((nbits + 31) / 32) * 32;
+  buffer[1] = (nbits >> 8);
+  buffer[2] = nbits;
+
+  /* Prepare for storing the key.  */
+  err = verify_chv3 (app, pincb, pincb_arg);
+  if (err)
+    {
+      xfree (relptr);
+      return err;
+    }
+
+  /* Change the attribute.  */
+  err = iso7816_put_data (app->slot, 0, 0xC1+keyno, buffer, buflen);
+  xfree (relptr);
+  if (err)
+    log_error ("error changing size of key %d to %u bits\n", keyno+1, nbits);
+  else
+    log_info ("size of key %d changed to %u bits\n", keyno+1, nbits);
+  flush_cache (app);
+  parse_algorithm_attribute (app, keyno);
+  return err;
+}
+
+
+
 /* Handle the WRITEKEY command for OpenPGP.  This function expects a
    canonical encoded S-expression with the secret key in KEYDATA and
    its length (for assertions) in KEYDATALEN.  KEYID needs to be the
@@ -2385,7 +2446,7 @@
   else
     return gpg_error (GPG_ERR_INV_ID);
   
-  err = does_key_exist (app, keyno, force);
+  err = does_key_exist (app, keyno, 0, force);
   if (err)
     return err;
 
@@ -2515,6 +2576,14 @@
   if (opt.verbose)
     log_info ("RSA modulus size is %u bits (%u bytes)\n", 
               nbits, (unsigned int)rsa_n_len);
+  if (nbits && nbits != maxbits
+      && app->app_local->extcap.algo_attr_change)
+    {
+      /* Try to switch the key to a new length.  */
+      err = change_keyattr (app, keyno, nbits, pincb, pincb_arg);
+      if (!err)
+        maxbits = app->app_local->keyattr[keyno].n_bits;
+    }
   if (nbits != maxbits)
     {
       log_error (_("RSA modulus missing or not of size %d bits\n"), 
@@ -2696,7 +2765,7 @@
   app->app_local->pk[keyno].read_done = 0;
 
   /* Check whether a key already exists.  */
-  rc = does_key_exist (app, keyno, force);
+  rc = does_key_exist (app, keyno, 1, force);
   if (rc)
     return rc;

More information about the Gnupg-commits mailing list