SSH and smartcard regression

NIIBE Yutaka gniibe at fsij.org
Tue Oct 6 08:18:44 CEST 2015 

On 10/06/2015 09:47 AM, Ben Kibbey wrote:
> Since commit cfbe6ba9cf I've been having trouble using the ssh-agent
> part of gpg-agent with a smartcard. Reverting the commit fixes things.
[...]
> And heres the gpg-agent log:
> 
> ssh request handler for request_identities (11) ready
> ssh request handler for sign_request (13) started
> DBG: detected card with S/N D276000124010200000500000B130000
> starting a new PIN Entry
> checking created signature failed: Invalid object
> ssh sign request failed: Invalid object <gcrypt>

Thanks a lot for your report.  That's my badness.  I wrongly thought
as if gcry_pk_verify accepted shadowed private key (used for
smartcard).

Here is a fix.  It is pushed by RSA authentication with smartcard
(Gnuk Token).


commit 4a5bd1720f5a3dbb26f5daeb03725cae29be7e24
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Tue Oct 6 15:10:25 2015 +0900

    agent: Fix verification of signature for smartcard.

    * agent/pksign.c (agent_pksign_do): Use public key smartcard.

    --

    Since gcry_pk_verify can't handle shadowed private key, public
    key SEXP should be prepared for smartcard.

diff --git a/agent/pksign.c b/agent/pksign.c
index 243c49d..e079c3f 100644
--- a/agent/pksign.c
+++ b/agent/pksign.c
@@ -291,6 +291,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
 {
   gcry_sexp_t s_skey = NULL, s_sig = NULL;
   gcry_sexp_t s_hash = NULL;
+  gcry_sexp_t s_pkey = NULL;
   unsigned char *shadow_info = NULL;
   unsigned int rc = 0;		/* FIXME: gpg-error? */
   const unsigned char *data;
@@ -331,6 +332,13 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
       int is_ECDSA = 0;
       int is_EdDSA = 0;

+      rc = agent_public_key_from_file (ctrl, ctrl->keygrip, &s_pkey);
+      if (rc)
+        {
+          log_error ("failed to read the public key\n");
+          goto leave;
+        }
+
       if (agent_is_eddsa_key (s_skey))
         is_EdDSA = 1;
       else
@@ -497,7 +505,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
                                ctrl->digest.raw_value);
         }

-      rc = gcry_pk_verify (s_sig, s_hash, s_skey);
+      rc = gcry_pk_verify (s_sig, s_hash, s_pkey? s_pkey: s_skey);

       if (rc)
         {
@@ -512,6 +520,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,

   *signature_sexp = s_sig;

+  gcry_sexp_release (s_pkey);
   gcry_sexp_release (s_skey);
   gcry_sexp_release (s_hash);
   xfree (shadow_info);
--

More information about the Gnupg-devel mailing list