[git] GnuPG - branch, master, updated. gnupg-2.2.7-386-gc1000c6

by Werner Koch cvs at cvs.gnupg.org
Thu Feb 21 17:33:40 CET 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  c1000c673814e552923cf1361346d7dfeee55608 (commit)
       via  7317aeb3f448c98dcfa9c04f49b9a69d81c26776 (commit)
       via  5e21ef2d556ca65b7869bf16ab465f3511601e1e (commit)
      from  3384ba6c1c421cfa674dbd8294dc655d7320534e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c1000c673814e552923cf1361346d7dfeee55608
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Feb 21 17:32:39 2019 +0100

    sm: Fix certificate creation with key on card.
    
    * sm/certreqgen.c (create_request): Fix for certmode.
    --
    
    When using an existing key from a card for certificate signing (in
    contrast to the default of generating a CSR), the code tried to use
    the same key for signing instead of the Signing-Key parameter.  It is
    perfectly okay to use the regular signing path via gpg-agent for
    certificate creation - only self-signed certificates with a key on the
    card require the direct use of the card key (via "SCD PKSIGN").
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/sm/certreqgen.c b/sm/certreqgen.c
index 01fba30..d5c857b 100644
--- a/sm/certreqgen.c
+++ b/sm/certreqgen.c
@@ -1314,7 +1314,7 @@ create_request (ctrl_t ctrl,
           log_info ("about to sign the %s for key: &%s\n",
                     certmode? "certificate":"CSR", hexgrip);
 
-          if (carddirect)
+          if (carddirect && !certmode)
             rc = gpgsm_scd_pksign (ctrl, carddirect, NULL,
                                    gcry_md_read (md, mdalgo),
                                    gcry_md_get_algo_dlen (mdalgo),
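Review bot: The new condition `if (carddirect && !certmode)` takes every certmode signature off the direct card path, yet the commit message says self-signed certificates with a key on the card still need that path. This hunk does not show whether the self-signed case is handled elsewhere in create_request. That is worth confirming, because this branch decides which key signs the certificate. A comment above the condition would record the intent, e.g. `/* Use the card key directly only for a CSR; in certmode the Signing-Key signs via the regular path.  */`. create_request starts and ends outside the hunk.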

commit 7317aeb3f448c98dcfa9c04f49b9a69d81c26776
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Feb 21 12:43:07 2019 +0100

    card: Print usage info for each key.
    
    * tools/card-call-scd.c (learn_status_cb): Handle extended
    KEYPAIRINFO.
    * tools/card-tool.h (struct key_info_s): Add field 'usage'.
    * tools/gpg-card-tool.c (list_one_kinfo): Show usage flags.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/tools/card-call-scd.c b/tools/card-call-scd.c
index 8610da8..83e9ba0 100644
--- a/tools/card-call-scd.c
+++ b/tools/card-call-scd.c
@@ -890,28 +890,59 @@ learn_status_cb (void *opaque, const char *line)
       else if (!memcmp (keyword, "KEYPAIRINFO", keywordlen))
         {
           /* The format of such a line is:
-           *   KEYPARINFO <hexgrip> <keyref>
+           *   KEYPAIRINFO <hexgrip> <keyref> [usage]
            */
-          const char *hexgrp = line;
+          char *hexgrp, *usage;
 
-          while (*line && !spacep (line))
-            line++;
-          while (spacep (line))
-            line++;
+          line_buffer = pline = xstrdup (line);
 
-          keyref = line;
+          hexgrp = pline;
+          while (*pline && !spacep (pline))
+            pline++;
+          while (spacep (pline))
+            pline++;
+
+          keyref = pline;
+          while (*pline && !spacep (pline))
+            pline++;
+          if (*pline)
+            {
+              *pline++ = 0;
+              while (spacep (pline))
+                pline++;
+              usage = pline;
+              while (*pline && !spacep (pline))
+                pline++;
+              *pline = 0;
+            }
+          else
+            usage = "";
 
           /* Check whether we already have an item for the keyref.  */
           kinfo = find_kinfo (parm, keyref);
           if (!kinfo)  /* New entry.  */
             kinfo = create_kinfo (parm, keyref);
-          else /* Existing entry - clear the grip.  */
-            memset (kinfo->grip, 0, sizeof kinfo->grip);
+          else /* Existing entry - clear grip and usage  */
+            {
+              memset (kinfo->grip, 0, sizeof kinfo->grip);
+              kinfo->usage = 0;
+            }
 
           /* Set or update the grip.  Note that due to the
            * calloc/memset an erroneous too short grip will be nul
            * padded on the right. */
           unhexify_fpr (hexgrp, kinfo->grip, sizeof kinfo->grip);
+          /* Parse and set the usage.  */
+          for (; *usage; usage++)
+            {
+              switch (*usage)
+                {
+                case 's': kinfo->usage |= GCRY_PK_USAGE_SIGN; break;
+                case 'c': kinfo->usage |= GCRY_PK_USAGE_CERT; break;
+                case 'a': kinfo->usage |= GCRY_PK_USAGE_AUTH; break;
+                case 'e': kinfo->usage |= GCRY_PK_USAGE_ENCR; break;
+                }
+            }
         }
       break;
 
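Review bot: `usage` is declared `char *` but the else branch assigns it the string literal `""`. It is only read afterwards, so `const char *usage;` would guarantee the literal is never written through. The switch over the usage letters has no `default`, so unknown letters in the status line are dropped silently; if that is deliberate for forward compatibility, say so with `default: break; /* Ignore unknown usage letters.  */`. The copy from `xstrdup (line)` is stored in `line_buffer`, which is released outside this hunk, so please check that every return path of learn_status_cb frees it.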
diff --git a/tools/card-tool.h b/tools/card-tool.h
index f83ebf9..5598ae5 100644
--- a/tools/card-tool.h
+++ b/tools/card-tool.h
@@ -127,7 +127,7 @@ struct key_info_s
   unsigned char fprlen;  /* Use length of the next item.  */
   unsigned char fpr[32]; /* The binary fingerprint of length FPRLEN.  */
   u32 created;           /* The time the key was created.  */
-
+  unsigned int usage;    /* Usage flags.  (GCRY_PK_USAGE_*) */
   char keyref[1];        /* String with the keyref (e.g. OPENPGP.1).  */
 };
 typedef struct key_info_s *key_info_t;
diff --git a/tools/gpg-card-tool.c b/tools/gpg-card-tool.c
index a13a6bd..eb723d7 100644
--- a/tools/gpg-card-tool.c
+++ b/tools/gpg-card-tool.c
@@ -621,6 +621,7 @@ list_one_kinfo (key_info_t firstkinfo, key_info_t kinfo, estream_t fp)
   key_info_t ki;
   const char *s;
   gcry_sexp_t s_pkey;
+  int any;
 
   if (firstkinfo && kinfo)
     {
@@ -630,8 +631,25 @@ list_one_kinfo (key_info_t firstkinfo, key_info_t kinfo, estream_t fp)
           tty_fprintf (fp, "[none]\n");
           goto leave;
         }
+
       print_keygrip (fp, kinfo->grip);
-      tty_fprintf (fp, "      keyref .....: %s\n", kinfo->keyref);
+      tty_fprintf (fp, "      keyref .....: %s", kinfo->keyref);
+      if (kinfo->usage)
+        {
+          any = 0;
+          tty_fprintf (fp, "  (");
+          if ((kinfo->usage & GCRY_PK_USAGE_SIGN))
+            { tty_fprintf (fp, "sign"); any=1; }
+          if ((kinfo->usage & GCRY_PK_USAGE_CERT))
+            { tty_fprintf (fp, "%scert", any?",":""); any=1; }
+          if ((kinfo->usage & GCRY_PK_USAGE_AUTH))
+            { tty_fprintf (fp, "%sauth", any?",":""); any=1; }
+          if ((kinfo->usage & GCRY_PK_USAGE_ENCR))
+            { tty_fprintf (fp, "%sencr", any?",":""); any=1; }
+          tty_fprintf (fp, ")");
+        }
+      tty_fprintf (fp, "\n");
+
       if (!scd_readkey (kinfo->keyref, &s_pkey))
         {
           char *tmp = pubkey_algo_string (s_pkey);

commit 5e21ef2d556ca65b7869bf16ab465f3511601e1e
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Feb 21 09:24:37 2019 +0100

    scd: Extend KEYPAIRINFO by key usage info.
    
    * scd/app-openpgp.c (send_keypair_info): Append usage string.
    * scd/app-piv.c (struct data_object_s): Remove column 'binary'.  Add
    column 'usage'.
    (dump_all_do): Adjust for removed 'binary'.
    (send_keypair_and_cert_info): Append usage string.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index d7243cc..b6ead64 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -1785,6 +1785,7 @@ send_keypair_info (app_t app, ctrl_t ctrl, int key)
   unsigned char grip[20];
   char gripstr[41];
   char idbuf[50];
+  const char *usage;
 
   err = get_public_key (app, keyno);
   if (err)
@@ -1802,10 +1803,19 @@ send_keypair_info (app_t app, ctrl_t ctrl, int key)
 
   bin2hex (grip, 20, gripstr);
 
+  switch (keyno)
+    {
+    case 0: usage = "sc"; break;
+    case 1: usage = "e";  break;
+    case 2: usage = "sa"; break;
+    default: usage = "";  break;
+    }
+
   sprintf (idbuf, "OPENPGP.%d", keyno+1);
   send_status_info (ctrl, "KEYPAIRINFO",
                     gripstr, 40,
                     idbuf, strlen (idbuf),
+                    usage, strlen (usage),
                     NULL, (size_t)0);
 
  leave:
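Review bot: The usage strings in the new `switch (keyno)` are bare literals, and nothing in this hunk says what the letters mean or why the third key reports both `s` and `a`. The same letters appear as literals in the data_objects table in scd/app-piv.c and are decoded only by the switch in learn_status_cb (tools/card-call-scd.c), so producer and consumer can drift apart unnoticed. A comment above the switch would help, for example `/* Usage letters: s=sign, c=cert, e=encr, a=auth; fixed per OpenPGP key slot.  */`. The `[<usage>]` line added to hlp_learn in scd/command.c could list the same letters. send_keypair_info starts and ends outside the hunk.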
diff --git a/scd/app-piv.c b/scd/app-piv.c
index 9e355b4..edb00bf 100644
--- a/scd/app-piv.c
+++ b/scd/app-piv.c
@@ -90,52 +90,88 @@ struct data_object_s
   unsigned int acr_contact:2;     /* 0=always, 1=VCI, 2=PIN, 3=PINorOCC */
   unsigned int acr_contactless:2; /* 0=always, 1=VCI, 2=VCIandPIN,
                                                       3=VCIand(PINorOCC) */
-  unsigned int binary:1;          /* Data is not human readable.  */
   unsigned int dont_cache:1;      /* Data item will not be cached.  */
   unsigned int flush_on_error:1;  /* Flush cached item on error.  */
   unsigned int keypair:1;         /* Has a public key for a keypair.  */
-  char keyref[3];                 /* The key reference.  */
-  char *oidsuffix; /* Suffix of the OID, prefix is "2.16.840.1.101.3.7." */
-  char *desc;                     /* Description of the DO.  */
+  const char keyref[3];           /* The key reference.  */
+  const char *oidsuffix;          /* Suffix of the OID. */
+  const char *usage;              /* Usage string for a keypair or NULL.  */
+  const char *desc;               /* Description of the DO.  */
 };
 typedef struct data_object_s *data_object_t;
 static struct data_object_s data_objects[] = {
-  { 0x5FC107, 1, 0,1, 1, 0,0, 0, "",   "1.219.0", "Card Capability Container"},
-  { 0x5FC102, 1, 0,0, 1, 0,0, 0, "",   "2.48.0",  "Cardholder Unique Id" },
-  { 0x5FC105, 1, 0,1, 1, 0,0, 1, "9A", "2.1.1",   "Cert PIV Authentication" },
-  { 0x5FC103, 1, 2,2, 1, 0,0, 0, "",   "2.96.16", "Cardholder Fingerprints" },
-  { 0x5FC106, 1, 0,1, 1, 0,0, 0, "",   "2.144.0", "Security Object" },
-  { 0x5FC108, 1, 2,2, 1, 0,0, 0, "",   "2.96.48", "Cardholder Facial Image" },
-  { 0x5FC101, 1, 0,0, 1, 0,0, 1, "9E", "2.5.0",   "Cert Card Authentication"},
-  { 0x5FC10A, 0, 0,1, 1, 0,0, 1, "9C", "2.1.0",   "Cert Digital Signature" },
-  { 0x5FC10B, 0, 0,1, 1, 0,0, 1, "9D", "2.1.2",   "Cert Key Management" },
-  { 0x5FC109, 0, 3,3, 0, 0,0, 0, "",   "2.48.1",  "Printed Information" },
-  { 0x7E,     0, 0,0, 1, 0,0, 0, "",   "2.96.80", "Discovery Object" },
-  { 0x5FC10C, 0, 0,1, 1, 0,0, 0, "",   "2.96.96", "Key History Object" },
-  { 0x5FC10D, 0, 0,1, 1, 0,0, 0, "82", "2.16.1",  "Retired Cert Key Mgm 1" },
-  { 0x5FC10E, 0, 0,1, 1, 0,0, 0, "83", "2.16.2",  "Retired Cert Key Mgm 2" },
-  { 0x5FC10F, 0, 0,1, 1, 0,0, 0, "84", "2.16.3",  "Retired Cert Key Mgm 3" },
-  { 0x5FC110, 0, 0,1, 1, 0,0, 0, "85", "2.16.4",  "Retired Cert Key Mgm 4" },
-  { 0x5FC111, 0, 0,1, 1, 0,0, 0, "86", "2.16.5",  "Retired Cert Key Mgm 5" },
-  { 0x5FC112, 0, 0,1, 1, 0,0, 0, "87", "2.16.6",  "Retired Cert Key Mgm 6" },
-  { 0x5FC113, 0, 0,1, 1, 0,0, 0, "88", "2.16.7",  "Retired Cert Key Mgm 7" },
-  { 0x5FC114, 0, 0,1, 1, 0,0, 0, "89", "2.16.8",  "Retired Cert Key Mgm 8" },
-  { 0x5FC115, 0, 0,1, 1, 0,0, 0, "8A", "2.16.9",  "Retired Cert Key Mgm 9" },
-  { 0x5FC116, 0, 0,1, 1, 0,0, 0, "8B", "2.16.10", "Retired Cert Key Mgm 10" },
-  { 0x5FC117, 0, 0,1, 1, 0,0, 0, "8C", "2.16.11", "Retired Cert Key Mgm 11" },
-  { 0x5FC118, 0, 0,1, 1, 0,0, 0, "8D", "2.16.12", "Retired Cert Key Mgm 12" },
-  { 0x5FC119, 0, 0,1, 1, 0,0, 0, "8E", "2.16.13", "Retired Cert Key Mgm 13" },
-  { 0x5FC11A, 0, 0,1, 1, 0,0, 0, "8F", "2.16.14", "Retired Cert Key Mgm 14" },
-  { 0x5FC11B, 0, 0,1, 1, 0,0, 0, "90", "2.16.15", "Retired Cert Key Mgm 15" },
-  { 0x5FC11C, 0, 0,1, 1, 0,0, 0, "91", "2.16.16", "Retired Cert Key Mgm 16" },
-  { 0x5FC11D, 0, 0,1, 1, 0,0, 0, "92", "2.16.17", "Retired Cert Key Mgm 17" },
-  { 0x5FC11E, 0, 0,1, 1, 0,0, 0, "93", "2.16.18", "Retired Cert Key Mgm 18" },
-  { 0x5FC11F, 0, 0,1, 1, 0,0, 0, "94", "2.16.19", "Retired Cert Key Mgm 19" },
-  { 0x5FC120, 0, 0,1, 1, 0,0, 0, "95", "2.16.20", "Retired Cert Key Mgm 20" },
-  { 0x5FC121, 0, 2,2, 1, 0,0, 0, "",   "2.16.21", "Cardholder Iris Images" },
-  { 0x7F61,   0, 0,0, 1, 0,0, 0, "",   "2.16.22", "BIT Group Template" },
-  { 0x5FC122, 0, 0,0, 1, 0,0, 0, "",   "2.16.23", "SM Cert Signer" },
-  { 0x5FC123, 0, 3,3, 1, 0,0, 0, "",   "2.16.24", "Pairing Code Ref Data" },
+  { 0x5FC107, 1, 0,1, 0,0, 0, "",   "1.219.0", NULL,
+    "Card Capability Container"},
+  { 0x5FC102, 1, 0,0, 0,0, 0, "",   "2.48.0",  NULL,
+    "Cardholder Unique Id" },
+  { 0x5FC105, 1, 0,1, 0,0, 1, "9A", "2.1.1",   "a",
+    "Cert PIV Authentication" },
+  { 0x5FC103, 1, 2,2, 0,0, 0, "",   "2.96.16", NULL,
+    "Cardholder Fingerprints" },
+  { 0x5FC106, 1, 0,1, 0,0, 0, "",   "2.144.0", NULL,
+    "Security Object" },
+  { 0x5FC108, 1, 2,2, 0,0, 0, "",   "2.96.48", NULL,
+    "Cardholder Facial Image" },
+  { 0x5FC101, 1, 0,0, 0,0, 1, "9E", "2.5.0",   "a",
+    "Cert Card Authentication"},
+  { 0x5FC10A, 0, 0,1, 0,0, 1, "9C", "2.1.0",   "sc",
+    "Cert Digital Signature" },
+  { 0x5FC10B, 0, 0,1, 0,0, 1, "9D", "2.1.2",   "e",
+    "Cert Key Management" },
+  { 0x5FC109, 0, 3,3, 0,0, 0, "",   "2.48.1",  NULL,
+    "Printed Information" },
+  { 0x7E,     0, 0,0, 0,0, 0, "",   "2.96.80", NULL,
+    "Discovery Object" },
+  { 0x5FC10C, 0, 0,1, 0,0, 0, "",   "2.96.96", NULL,
+    "Key History Object" },
+  { 0x5FC10D, 0, 0,1, 0,0, 0, "82", "2.16.1",  "e",
+    "Retired Cert Key Mgm 1" },
+  { 0x5FC10E, 0, 0,1, 0,0, 0, "83", "2.16.2",  "e",
+    "Retired Cert Key Mgm 2" },
+  { 0x5FC10F, 0, 0,1, 0,0, 0, "84", "2.16.3",  "e",
+    "Retired Cert Key Mgm 3" },
+  { 0x5FC110, 0, 0,1, 0,0, 0, "85", "2.16.4",  "e",
+    "Retired Cert Key Mgm 4" },
+  { 0x5FC111, 0, 0,1, 0,0, 0, "86", "2.16.5",  "e",
+    "Retired Cert Key Mgm 5" },
+  { 0x5FC112, 0, 0,1, 0,0, 0, "87", "2.16.6",  "e",
+    "Retired Cert Key Mgm 6" },
+  { 0x5FC113, 0, 0,1, 0,0, 0, "88", "2.16.7",  "e",
+    "Retired Cert Key Mgm 7" },
+  { 0x5FC114, 0, 0,1, 0,0, 0, "89", "2.16.8",  "e",
+    "Retired Cert Key Mgm 8" },
+  { 0x5FC115, 0, 0,1, 0,0, 0, "8A", "2.16.9",  "e",
+    "Retired Cert Key Mgm 9" },
+  { 0x5FC116, 0, 0,1, 0,0, 0, "8B", "2.16.10", "e",
+    "Retired Cert Key Mgm 10" },
+  { 0x5FC117, 0, 0,1, 0,0, 0, "8C", "2.16.11", "e",
+    "Retired Cert Key Mgm 11" },
+  { 0x5FC118, 0, 0,1, 0,0, 0, "8D", "2.16.12", "e",
+    "Retired Cert Key Mgm 12" },
+  { 0x5FC119, 0, 0,1, 0,0, 0, "8E", "2.16.13", "e",
+    "Retired Cert Key Mgm 13" },
+  { 0x5FC11A, 0, 0,1, 0,0, 0, "8F", "2.16.14", "e",
+    "Retired Cert Key Mgm 14" },
+  { 0x5FC11B, 0, 0,1, 0,0, 0, "90", "2.16.15", "e",
+    "Retired Cert Key Mgm 15" },
+  { 0x5FC11C, 0, 0,1, 0,0, 0, "91", "2.16.16", "e",
+    "Retired Cert Key Mgm 16" },
+  { 0x5FC11D, 0, 0,1, 0,0, 0, "92", "2.16.17", "e",
+    "Retired Cert Key Mgm 17" },
+  { 0x5FC11E, 0, 0,1, 0,0, 0, "93", "2.16.18", "e",
+    "Retired Cert Key Mgm 18" },
+  { 0x5FC11F, 0, 0,1, 0,0, 0, "94", "2.16.19", "e",
+    "Retired Cert Key Mgm 19" },
+  { 0x5FC120, 0, 0,1, 0,0, 0, "95", "2.16.20", "e",
+    "Retired Cert Key Mgm 20" },
+  { 0x5FC121, 0, 2,2, 0,0, 0, "",   "2.16.21", NULL,
+    "Cardholder Iris Images" },
+  { 0x7F61,   0, 0,0, 0,0, 0, "",   "2.16.22", NULL,
+    "BIT Group Template" },
+  { 0x5FC122, 0, 0,0, 0,0, 0, "",   "2.16.23", NULL,
+    "SM Cert Signer" },
+  { 0x5FC123, 0, 3,3, 0,0, 0, "",   "2.16.24", NULL,
+    "Pairing Code Ref Data" },
   { 0 }
   /* Other key reference values without a data object:
    * "00" Global PIN (not cleared by application switching)
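Review bot: The comment on the new `usage` field reads "Usage string for a keypair or NULL", but the rows for the retired key management keys (keyref "82" through "95") carry usage `"e"` while the flag just before `keyref`, which appears to be `keypair`, is 0. The first struct members are outside the hunk, so the column mapping should be confirmed. Either the flag or the comment needs adjusting, for instance `const char *usage; /* Usage string for a key reference or NULL.  */`. The rewritten `oidsuffix` comment also drops the OID prefix "2.16.840.1.101.3.7." that the old comment recorded, and that is worth keeping. Because the rows use positional initializers, removing the `binary` column shifted every following value, and designated initializers would make such a change easier to audit.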
@@ -396,7 +432,10 @@ dump_all_do (int slot)
         }
       else
         {
-          if (data_objects[i].binary)
+          if (data_objects[i].tag == 0x5FC109)
+            log_info ("DO '%s': '%.*s'\n", data_objects[i].desc,
+                      (int)buflen, buffer);
+          else
             {
               log_info ("DO '%s': ", data_objects[i].desc);
               if (buflen > 16 && opt.verbose < 2)
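Review bot: The text branch now keys on the bare constant `0x5FC109` instead of a table column, and it still writes card-supplied bytes to the log unescaped through `'%.*s'`. Control characters or newlines in that data object would land verbatim in the log, so consider sending this object through the hex path too, or escaping non-printable bytes before logging. At minimum, explain the special case with a comment such as `/* Printed Information is the only DO dumped as text.  */`. dump_all_do starts and ends outside the hunk.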
@@ -407,10 +446,6 @@ dump_all_do (int slot)
               else
                 log_printhex (buffer, buflen, "");
             }
-          else
-            log_info ("DO '%s': '%.*s'\n",
-                      data_objects[i].desc,
-                      (int)buflen, buffer);
 
         }
       xfree (buffer); buffer = NULL;
@@ -1079,15 +1114,19 @@ send_keypair_and_cert_info (app_t app, ctrl_t ctrl, data_object_t dobj,
   char *keygripstr = NULL;
   int got_cert;
   char idbuf[50];
+  const char *usage;
 
   err = get_keygrip_by_tag (app, dobj->tag, &keygripstr, &got_cert);
   if (err)
     goto leave;
 
+  usage = dobj->usage? dobj->usage : "";
+
   snprintf (idbuf, sizeof idbuf, "PIV.%s", dobj->keyref);
   send_status_info (ctrl, "KEYPAIRINFO",
                     keygripstr, strlen (keygripstr),
                     idbuf, strlen (idbuf),
+                    usage, strlen (usage),
                     NULL, (size_t)0);
   if (!only_keypair && got_cert)
     {
diff --git a/scd/command.c b/scd/command.c
index 237faf0..b4098e4 100644
--- a/scd/command.c
+++ b/scd/command.c
@@ -354,7 +354,7 @@ static const char hlp_learn[] =
   "\n"
   "are implemented.  These strings are aliases for the AID\n"
   "\n"
-  "  S KEYPAIRINFO <hexstring_with_keygrip> <hexstring_with_id>\n"
+  "  S KEYPAIRINFO <hexstring_with_keygrip> <hexstring_with_id> [<usage>]\n"
   "\n"
   "If there is no certificate yet stored on the card a single 'X' is\n"
   "returned as the keygrip.  In addition to the keypair info, information\n"

-----------------------------------------------------------------------

Summary of changes:
 scd/app-openpgp.c     |  10 ++++
 scd/app-piv.c         | 129 ++++++++++++++++++++++++++++++++------------------
 scd/command.c         |   2 +-
 sm/certreqgen.c       |   2 +-
 tools/card-call-scd.c |  49 +++++++++++++++----
 tools/card-tool.h     |   2 +-
 tools/gpg-card-tool.c |  20 +++++++-
 7 files changed, 156 insertions(+), 58 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



