/* card-util.c - Utility functions for the OpenPGP card.
- * Copyright (C) 2003, 2004, 2005, 2009 Free Software Foundation, Inc.
+ * Copyright (C) 2003-2005, 2009 Free Software Foundation, Inc.
+ * Copyright (C) 2003-2005, 2009 Werner Koch
*
* This file is part of GnuPG.
*
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
-#include <assert.h>
#ifdef HAVE_LIBREADLINE
# define GNUPG_LIBREADLINE_H_INCLUDED
# include <readline/readline.h>
#if GNUPG_MAJOR_VERSION != 1
# include "gpg.h"
#endif /*GNUPG_MAJOR_VERSION != 1*/
-#include "util.h"
-#include "i18n.h"
-#include "ttyio.h"
-#include "status.h"
+#include "../common/util.h"
+#include "../common/i18n.h"
+#include "../common/ttyio.h"
+#include "../common/status.h"
#include "options.h"
#include "main.h"
#include "keyserver-internal.h"
}
-/* Change the PIN of a an OpenPGP card. This is an interactive
+/* Change the PIN of an OpenPGP card. This is an interactive
function. */
void
change_pin (int unblock_v2, int allow_admin)
struct agent_card_info_s info;
int rc;
- rc = agent_learn (&info);
+ rc = agent_scd_learn (&info, 0);
if (rc)
{
log_error (_("OpenPGP card not available: %s\n"),
if (strlen (answer) != 1)
continue;
- rc = 0;
if (*answer == '1')
{
/* Change PIN. */
case 0x0001: return "PPC Card Systems";
case 0x0002: return "Prism";
case 0x0003: return "OpenFortress";
- case 0x0004: return "Wewid AB";
+ case 0x0004: return "Wewid";
case 0x0005: return "ZeitControl";
+ case 0x0006: return "Yubico";
+ case 0x0007: return "OpenKMS";
+ case 0x0008: return "LogoEmail";
+ case 0x0009: return "Fidesmo";
+ case 0x000A: return "Dangerous Things";
case 0x002A: return "Magrathea";
+ case 0x0042: return "GnuPG e.V.";
+ case 0x1337: return "Warsaw Hackerspace";
+ case 0x2342: return "warpzone"; /* hackerspace Muenster. */
+ case 0x4354: return "Confidential Technologies"; /* cotech.de */
+ case 0x63AF: return "Trustica";
+ case 0xBD0E: return "Paranoidlabs";
case 0xF517: return "FSIJ";
- /* 0x00000 and 0xFFFF are defined as test cards per spec,
- 0xFFF00 to 0xFFFE are assigned for use with randomly created
+ /* 0x0000 and 0xFFFF are defined as test cards per spec,
+ 0xFF00 to 0xFFFE are assigned for use with randomly created
serial numbers. */
case 0x0000:
case 0xffff: return "test card";
static void
-print_sha1_fpr (estream_t fp, const unsigned char *fpr)
+print_shax_fpr (estream_t fp, const unsigned char *fpr, unsigned int fprlen)
{
int i;
if (fpr)
{
- for (i=0; i < 20 ; i+=2, fpr += 2 )
+ /* FIXME: Fix formatting for FPRLEN != 20 */
+ for (i=0; i < fprlen ; i+=2, fpr += 2 )
{
if (i == 10 )
tty_fprintf (fp, " ");
static void
-print_sha1_fpr_colon (estream_t fp, const unsigned char *fpr)
+print_shax_fpr_colon (estream_t fp,
+ const unsigned char *fpr, unsigned int fprlen)
{
int i;
if (fpr)
{
- for (i=0; i < 20 ; i++, fpr++)
+ for (i=0; i < fprlen ; i++, fpr++)
es_fprintf (fp, "%02X", *fpr);
}
es_putc (':', fp);
static void
+print_keygrip (estream_t fp, const unsigned char *grp)
+{
+ int i;
+
+ if (opt.with_keygrip)
+ {
+ tty_fprintf (fp, " keygrip ....: ");
+ for (i=0; i < 20 ; i++, grp++)
+ tty_fprintf (fp, "%02X", *grp);
+ tty_fprintf (fp, "\n");
+ }
+}
+
+
+static void
print_name (estream_t fp, const char *text, const char *name)
{
tty_fprintf (fp, "%s", text);
if (fp)
print_utf8_buffer2 (fp, name, strlen (name), '\n');
else
- tty_print_utf8_string2 (name, strlen (name), 0);
+ tty_print_utf8_string2 (NULL, name, strlen (name), 0);
}
else
tty_fprintf (fp, _("[not set]"));
else if (fp)
print_utf8_buffer2 (fp, given, strlen (given), '\n');
else
- tty_print_utf8_string2 (given, strlen (given), 0);
+ tty_print_utf8_string2 (NULL, given, strlen (given), 0);
if (opt.with_colons)
es_putc (':', fp);
else if (fp)
print_utf8_buffer2 (fp, buf, strlen (buf), '\n');
else
- tty_print_utf8_string2 (buf, strlen (buf), 0);
+ tty_print_utf8_string2 (NULL, buf, strlen (buf), 0);
xfree (buf);
}
else
/* Return true if the SHA1 fingerprint FPR consists only of zeroes. */
static int
-fpr_is_zero (const char *fpr)
+fpr_is_zero (const char *fpr, unsigned int fprlen)
{
int i;
- for (i=0; i < 20 && !fpr[i]; i++)
+ for (i=0; i < fprlen && !fpr[i]; i++)
;
- return (i == 20);
+ return (i == fprlen);
}
-/* Return true if the SHA1 fingerprint FPR consists only of 0xFF. */
+/* Return true if the fingerprint FPR consists only of 0xFF. */
static int
-fpr_is_ff (const char *fpr)
+fpr_is_ff (const char *fpr, unsigned int fprlen)
{
int i;
- for (i=0; i < 20 && fpr[i] == '\xff'; i++)
+ for (i=0; i < fprlen && fpr[i] == '\xff'; i++)
;
- return (i == 20);
+ return (i == fprlen);
}
/* Print all available information about the current card. */
-void
-card_status (estream_t fp, char *serialno, size_t serialnobuflen)
+static void
+current_card_status (ctrl_t ctrl, estream_t fp,
+ char *serialno, size_t serialnobuflen)
{
struct agent_card_info_s info;
PKT_public_key *pk = xcalloc (1, sizeof *pk);
+ kbnode_t keyblock = NULL;
int rc;
unsigned int uval;
const unsigned char *thefpr;
+ unsigned int thefprlen;
int i;
if (serialno && serialnobuflen)
*serialno = 0;
- rc = agent_learn (&info);
+ rc = agent_scd_learn (&info, 0);
if (rc)
{
if (opt.with_colons)
}
if (opt.with_colons)
+ es_fprintf (fp, "Reader:%s:", info.reader? info.reader : "");
+ else
+ tty_fprintf (fp, "Reader ...........: %s\n",
+ info.reader? info.reader : "[none]");
+ if (opt.with_colons)
es_fprintf (fp, "AID:%s:", info.serialno? info.serialno : "");
else
tty_fprintf (fp, "Application ID ...: %s\n",
if (!serialno)
;
- else if (strlen (serialno)+1 > serialnobuflen)
+ else if (strlen (info.serialno)+1 > serialnobuflen)
log_error ("serial number longer than expected\n");
else
strcpy (serialno, info.serialno);
es_fprintf (fp, "forcepin:%d:::\n", !info.chv1_cached);
for (i=0; i < DIM (info.key_attr); i++)
- if (info.key_attr[0].algo)
+ if (info.key_attr[i].algo == PUBKEY_ALGO_RSA)
es_fprintf (fp, "keyattr:%d:%d:%u:\n", i+1,
info.key_attr[i].algo, info.key_attr[i].nbits);
+ else if (info.key_attr[i].algo == PUBKEY_ALGO_ECDH
+ || info.key_attr[i].algo == PUBKEY_ALGO_ECDSA
+ || info.key_attr[i].algo == PUBKEY_ALGO_EDDSA)
+ es_fprintf (fp, "keyattr:%d:%d:%s:\n", i+1,
+ info.key_attr[i].algo, info.key_attr[i].curve);
es_fprintf (fp, "maxpinlen:%d:%d:%d:\n",
info.chvmaxlen[0], info.chvmaxlen[1], info.chvmaxlen[2]);
es_fprintf (fp, "pinretry:%d:%d:%d:\n",
info.chvretry[0], info.chvretry[1], info.chvretry[2]);
es_fprintf (fp, "sigcount:%lu:::\n", info.sig_counter);
+ if (info.extcap.kdf)
+ {
+ es_fprintf (fp, "kdf:%s:\n", info.kdf_do_enabled ? "on" : "off");
+ }
+ if (info.extcap.bt)
+ {
+ es_fprintf (fp, "uif:%d:%d:%d:\n",
+ info.uif[0], info.uif[1], info.uif[2]);
+ }
for (i=0; i < 4; i++)
{
}
es_fputs ("cafpr:", fp);
- print_sha1_fpr_colon (fp, info.cafpr1valid? info.cafpr1:NULL);
- print_sha1_fpr_colon (fp, info.cafpr2valid? info.cafpr2:NULL);
- print_sha1_fpr_colon (fp, info.cafpr3valid? info.cafpr3:NULL);
+ print_shax_fpr_colon (fp, info.cafpr1len? info.cafpr1:NULL,
+ info.cafpr2len);
+ print_shax_fpr_colon (fp, info.cafpr2len? info.cafpr2:NULL,
+ info.cafpr2len);
+ print_shax_fpr_colon (fp, info.cafpr3len? info.cafpr3:NULL,
+ info.cafpr3len);
es_putc ('\n', fp);
es_fputs ("fpr:", fp);
- print_sha1_fpr_colon (fp, info.fpr1valid? info.fpr1:NULL);
- print_sha1_fpr_colon (fp, info.fpr2valid? info.fpr2:NULL);
- print_sha1_fpr_colon (fp, info.fpr3valid? info.fpr3:NULL);
+ print_shax_fpr_colon (fp, info.fpr1len? info.fpr1:NULL, info.fpr1len);
+ print_shax_fpr_colon (fp, info.fpr2len? info.fpr2:NULL, info.fpr2len);
+ print_shax_fpr_colon (fp, info.fpr3len? info.fpr3:NULL, info.fpr3len);
es_putc ('\n', fp);
es_fprintf (fp, "fprtime:%lu:%lu:%lu:\n",
(unsigned long)info.fpr1time, (unsigned long)info.fpr2time,
(unsigned long)info.fpr3time);
+ es_fputs ("grp:", fp);
+ print_shax_fpr_colon (fp, info.grp1, sizeof info.grp1);
+ print_shax_fpr_colon (fp, info.grp2, sizeof info.grp2);
+ print_shax_fpr_colon (fp, info.grp3, sizeof info.grp3);
+ es_putc ('\n', fp);
}
else
{
print_isoname (fp, "Name of cardholder: ", "name", info.disp_name);
print_name (fp, "Language prefs ...: ", info.disp_lang);
- tty_fprintf (fp, "Sex ..............: %s\n",
- info.disp_sex == 1? _("male"):
- info.disp_sex == 2? _("female") : _("unspecified"));
+ tty_fprintf (fp, "Salutation .......: %s\n",
+ info.disp_sex == 1? _("Mr."):
+ info.disp_sex == 2? _("Mrs.") : "");
print_name (fp, "URL of public key : ", info.pubkey_url);
print_name (fp, "Login data .......: ", info.login_data);
if (info.private_do[0])
print_name (fp, "Private DO 3 .....: ", info.private_do[2]);
if (info.private_do[3])
print_name (fp, "Private DO 4 .....: ", info.private_do[3]);
- if (info.cafpr1valid)
+ if (info.cafpr1len)
{
tty_fprintf (fp, "CA fingerprint %d .:", 1);
- print_sha1_fpr (fp, info.cafpr1);
+ print_shax_fpr (fp, info.cafpr1, info.cafpr1len);
}
- if (info.cafpr2valid)
+ if (info.cafpr2len)
{
tty_fprintf (fp, "CA fingerprint %d .:", 2);
- print_sha1_fpr (fp, info.cafpr2);
+ print_shax_fpr (fp, info.cafpr2, info.cafpr2len);
}
- if (info.cafpr3valid)
+ if (info.cafpr3len)
{
tty_fprintf (fp, "CA fingerprint %d .:", 3);
- print_sha1_fpr (fp, info.cafpr3);
+ print_shax_fpr (fp, info.cafpr3, info.cafpr3len);
}
tty_fprintf (fp, "Signature PIN ....: %s\n",
info.chv1_cached? _("not forced"): _("forced"));
{
tty_fprintf (fp, "Key attributes ...:");
for (i=0; i < DIM (info.key_attr); i++)
- tty_fprintf (fp, " %u%c",
- info.key_attr[i].nbits,
- info.key_attr[i].algo == 1? 'R':
- info.key_attr[i].algo == 17? 'D': '?');
+ if (info.key_attr[i].algo == PUBKEY_ALGO_RSA)
+ tty_fprintf (fp, " rsa%u", info.key_attr[i].nbits);
+ else if (info.key_attr[i].algo == PUBKEY_ALGO_ECDH
+ || info.key_attr[i].algo == PUBKEY_ALGO_ECDSA
+ || info.key_attr[i].algo == PUBKEY_ALGO_EDDSA)
+ {
+ const char *curve_for_print = "?";
+
+ if (info.key_attr[i].curve)
+ {
+ const char *oid;
+ oid = openpgp_curve_to_oid (info.key_attr[i].curve, NULL);
+ if (oid)
+ curve_for_print = openpgp_oid_to_curve (oid, 0);
+ }
+ tty_fprintf (fp, " %s", curve_for_print);
+ }
tty_fprintf (fp, "\n");
}
tty_fprintf (fp, "Max. PIN lengths .: %d %d %d\n",
tty_fprintf (fp, "PIN retry counter : %d %d %d\n",
info.chvretry[0], info.chvretry[1], info.chvretry[2]);
tty_fprintf (fp, "Signature counter : %lu\n", info.sig_counter);
+ if (info.extcap.kdf)
+ {
+ tty_fprintf (fp, "KDF setting ......: %s\n",
+ info.kdf_do_enabled ? "on" : "off");
+ }
+ if (info.extcap.bt)
+ {
+ tty_fprintf (fp, "UIF setting ......: Sign=%s Decrypt=%s Auth=%s\n",
+ info.uif[0] ? "on" : "off", info.uif[1] ? "on" : "off",
+ info.uif[2] ? "on" : "off");
+ }
tty_fprintf (fp, "Signature key ....:");
- print_sha1_fpr (fp, info.fpr1valid? info.fpr1:NULL);
- if (info.fpr1valid && info.fpr1time)
- tty_fprintf (fp, " created ....: %s\n",
- isotimestamp (info.fpr1time));
+ print_shax_fpr (fp, info.fpr1len? info.fpr1:NULL, info.fpr1len);
+ if (info.fpr1len && info.fpr1time)
+ {
+ tty_fprintf (fp, " created ....: %s\n",
+ isotimestamp (info.fpr1time));
+ print_keygrip (fp, info.grp1);
+ }
tty_fprintf (fp, "Encryption key....:");
- print_sha1_fpr (fp, info.fpr2valid? info.fpr2:NULL);
- if (info.fpr2valid && info.fpr2time)
- tty_fprintf (fp, " created ....: %s\n",
- isotimestamp (info.fpr2time));
+ print_shax_fpr (fp, info.fpr2len? info.fpr2:NULL, info.fpr2len);
+ if (info.fpr2len && info.fpr2time)
+ {
+ tty_fprintf (fp, " created ....: %s\n",
+ isotimestamp (info.fpr2time));
+ print_keygrip (fp, info.grp2);
+ }
tty_fprintf (fp, "Authentication key:");
- print_sha1_fpr (fp, info.fpr3valid? info.fpr3:NULL);
- if (info.fpr3valid && info.fpr3time)
- tty_fprintf (fp, " created ....: %s\n",
- isotimestamp (info.fpr3time));
+ print_shax_fpr (fp, info.fpr3len? info.fpr3:NULL, info.fpr3len);
+ if (info.fpr3len && info.fpr3time)
+ {
+ tty_fprintf (fp, " created ....: %s\n",
+ isotimestamp (info.fpr3time));
+ print_keygrip (fp, info.grp3);
+ }
tty_fprintf (fp, "General key info..: ");
- thefpr = (info.fpr1valid? info.fpr1 : info.fpr2valid? info.fpr2 :
- info.fpr3valid? info.fpr3 : NULL);
- /* If the fingerprint is all 0xff, the key has no asssociated
+ thefpr = (info.fpr1len? info.fpr1 : info.fpr2len? info.fpr2 :
+ info.fpr3len? info.fpr3 : NULL);
+ thefprlen = (info.fpr1len? info.fpr1len : info.fpr2len? info.fpr2len :
+ info.fpr3len? info.fpr3len : 0);
+ /* If the fingerprint is all 0xff, the key has no associated
OpenPGP certificate. */
- if ( thefpr && !fpr_is_ff (thefpr)
- && !get_pubkey_byfprint (pk, thefpr, 20))
+ if ( thefpr && !fpr_is_ff (thefpr, thefprlen)
+ && !get_pubkey_byfprint (ctrl, pk, &keyblock, thefpr, thefprlen))
{
- kbnode_t keyblock = NULL;
-
- print_pubkey_info (fp, pk);
-
-#if GNUPG_MAJOR_VERSION == 1
- if ( !get_seckeyblock_byfprint (&keyblock, thefpr, 20) )
- print_card_key_info (fp, keyblock);
- else if ( !get_keyblock_byfprint (&keyblock, thefpr, 20) )
- {
- release_kbnode (keyblock);
- keyblock = NULL;
-
- if (!auto_create_card_key_stub (info.serialno,
- info.fpr1valid? info.fpr1:NULL,
- info.fpr2valid? info.fpr2:NULL,
- info.fpr3valid? info.fpr3:NULL))
- {
- if ( !get_seckeyblock_byfprint (&keyblock, thefpr, 20) )
- print_card_key_info (fp, keyblock);
- }
- }
-
-#else /* GNUPG_MAJOR_VERSION != 1 */
- if (!get_keyblock_byfprint (&keyblock, thefpr, 20))
+ print_pubkey_info (ctrl, fp, pk);
+ if (keyblock)
print_card_key_info (fp, keyblock);
-#endif /* GNUPG_MAJOR_VERSION != 1 */
-
- release_kbnode (keyblock);
}
else
tty_fprintf (fp, "[none]\n");
}
+ release_kbnode (keyblock);
free_public_key (pk);
agent_release_card_info (&info);
}
+/* Print all available information for specific card with SERIALNO.
+ Print all available information for current card when SERIALNO is NULL.
+ Or print for all cards when SERIALNO is "all". */
+void
+card_status (ctrl_t ctrl, estream_t fp, const char *serialno)
+{
+ int err;
+ strlist_t card_list, sl;
+ char *serialno0, *serialno1;
+ int all_cards = 0;
+
+ if (serialno == NULL)
+ {
+ current_card_status (ctrl, fp, NULL, 0);
+ return;
+ }
+
+ if (!strcmp (serialno, "all"))
+ all_cards = 1;
+
+ err = agent_scd_serialno (&serialno0, NULL);
+ if (err)
+ {
+ if (gpg_err_code (err) != GPG_ERR_ENODEV && opt.verbose)
+ log_info (_("error getting serial number of card: %s\n"),
+ gpg_strerror (err));
+ /* Nothing available. */
+ return;
+ }
+
+ err = agent_scd_cardlist (&card_list);
+
+ for (sl = card_list; sl; sl = sl->next)
+ {
+ if (!all_cards && strcmp (serialno, sl->d))
+ continue;
+
+ err = agent_scd_serialno (&serialno1, sl->d);
+ if (err)
+ {
+ if (opt.verbose)
+ log_info (_("error getting serial number of card: %s\n"),
+ gpg_strerror (err));
+ continue;
+ }
+
+ current_card_status (ctrl, fp, NULL, 0);
+ xfree (serialno1);
+
+ if (!all_cards)
+ goto leave;
+ }
+
+ /* Select the original card again. */
+ err = agent_scd_serialno (&serialno1, serialno0);
+ xfree (serialno1);
+
+ leave:
+ xfree (serialno0);
+ free_strlist (card_list);
+}
+
+
static char *
get_one_name (const char *prompt1, const char *prompt2)
{
trim_spaces (url);
cpr_kill_prompt ();
- if (strlen (url) > 254 )
- {
- tty_printf (_("Error: URL too long "
- "(limit is %d characters).\n"), 254);
- xfree (url);
- return -1;
- }
-
rc = agent_scd_setattr ("PUBKEY-URL", url, strlen (url), NULL );
if (rc)
log_error ("error setting URL: %s\n", gpg_strerror (rc));
log_error("error retrieving URL from card: %s\n",gpg_strerror(rc));
else
{
- struct keyserver_spec *spec=NULL;
-
rc=agent_scd_getattr("KEY-FPR",&info);
if(rc)
log_error("error retrieving key fingerprint from card: %s\n",
gpg_strerror(rc));
else if (info.pubkey_url && *info.pubkey_url)
+ {
+ strlist_t sl = NULL;
+
+ add_to_strlist (&sl, info.pubkey_url);
+ rc = keyserver_fetch (ctrl, sl, KEYORG_URL);
+ free_strlist (sl);
+ }
+ else if (info.fpr1len)
{
- spec=parse_keyserver_uri(info.pubkey_url,1,NULL,0);
- if(spec && info.fpr1valid)
- {
- /* This is not perfectly right. Currently, all card
- fingerprints are 20 digits, but what about
- fingerprints for a future v5 key? We should get the
- length from somewhere lower in the code. In any
- event, the fpr/keyid is not meaningful for straight
- HTTP fetches, but using it allows the card to point
- to HKP and LDAP servers as well. */
- rc = keyserver_import_fprint (ctrl, info.fpr1, 20, spec);
- free_keyserver_spec(spec);
- }
- }
- else if (info.fpr1valid)
- {
- rc = keyserver_import_fprint (ctrl, info.fpr1, 20, opt.keyserver);
+ rc = keyserver_import_fprint (ctrl, info.fpr1, info.fpr1len,
+ opt.keyserver, 0);
}
}
+ agent_release_card_info (&info);
return rc;
}
-/* Read data from file FNAME up to MAXLEN characters. On error return
- -1 and store NULL at R_BUFFER; on success return the number of
- bytes read and store the address of a newly allocated buffer at
- R_BUFFER. */
+#define MAX_GET_DATA_FROM_FILE 16384
+
+/* Read data from file FNAME up to MAX_GET_DATA_FROM_FILE characters.
+ On error return -1 and store NULL at R_BUFFER; on success return
+ the number of bytes read and store the address of a newly allocated
+ buffer at R_BUFFER. */
static int
-get_data_from_file (const char *fname, size_t maxlen, char **r_buffer)
+get_data_from_file (const char *fname, char **r_buffer)
{
estream_t fp;
char *data;
#endif
if (!fp)
{
- tty_printf (_("can't open `%s': %s\n"), fname, strerror (errno));
+ tty_printf (_("can't open '%s': %s\n"), fname, strerror (errno));
return -1;
}
- data = xtrymalloc (maxlen? maxlen:1);
+ data = xtrymalloc (MAX_GET_DATA_FROM_FILE);
if (!data)
{
tty_printf (_("error allocating enough memory: %s\n"), strerror (errno));
return -1;
}
- if (maxlen)
- n = es_fread (data, 1, maxlen, fp);
- else
- n = 0;
+ n = es_fread (data, 1, MAX_GET_DATA_FROM_FILE, fp);
es_fclose (fp);
if (n < 0)
{
- tty_printf (_("error reading `%s': %s\n"), fname, strerror (errno));
+ tty_printf (_("error reading '%s': %s\n"), fname, strerror (errno));
xfree (data);
return -1;
}
#endif
if (!fp)
{
- tty_printf (_("can't create `%s': %s\n"), fname, strerror (errno));
+ tty_printf (_("can't create '%s': %s\n"), fname, strerror (errno));
return -1;
}
if (length && es_fwrite (buffer, length, 1, fp) != 1)
{
- tty_printf (_("error writing `%s': %s\n"), fname, strerror (errno));
+ tty_printf (_("error writing '%s': %s\n"), fname, strerror (errno));
es_fclose (fp);
return -1;
}
{
for (args++; spacep (args); args++)
;
- n = get_data_from_file (args, 254, &data);
+ n = get_data_from_file (args, &data);
if (n < 0)
return -1;
}
n = strlen (data);
}
- if (n > 254 )
- {
- tty_printf (_("Error: Login data too long "
- "(limit is %d characters).\n"), 254);
- xfree (data);
- return -1;
- }
-
rc = agent_scd_setattr ("LOGIN-DATA", data, n, NULL );
if (rc)
log_error ("error setting login data: %s\n", gpg_strerror (rc));
int n;
int rc;
- assert (nr >= 1 && nr <= 4);
+ log_assert (nr >= 1 && nr <= 4);
do_name[11] = '0' + nr;
if (args && (args = strchr (args, '<'))) /* Read it from a file */
{
for (args++; spacep (args); args++)
;
- n = get_data_from_file (args, 254, &data);
+ n = get_data_from_file (args, &data);
if (n < 0)
return -1;
}
n = strlen (data);
}
- if (n > 254 )
- {
- tty_printf (_("Error: Private DO too long "
- "(limit is %d characters).\n"), 254);
- xfree (data);
- return -1;
- }
-
rc = agent_scd_setattr (do_name, data, n, NULL );
if (rc)
log_error ("error setting private DO: %s\n", gpg_strerror (rc));
{
for (args++; spacep (args); args++)
;
- n = get_data_from_file (args, 16384, &data);
+ n = get_data_from_file (args, &data);
if (n < 0)
return -1;
}
int rc;
data = cpr_get ("cardedit.change_sex",
- _("Sex ((M)ale, (F)emale or space): "));
+ _("Salutation (M = Mr., F = Mrs., or space): "));
if (!data)
return -1;
trim_spaces (data);
rc = agent_scd_setattr ("DISP-SEX", str, 1, NULL );
if (rc)
- log_error ("error setting sex: %s\n", gpg_strerror (rc));
+ log_error ("error setting salutation: %s\n", gpg_strerror (rc));
xfree (data);
write_sc_op_status (rc);
return rc;
char *data;
const char *s;
int i, c, rc;
- unsigned char fpr[20];
+ unsigned char fpr[MAX_FINGERPRINT_LEN];
+ int fprlen;
data = cpr_get ("cardedit.change_cafpr", _("CA fingerprint: "));
if (!data)
trim_spaces (data);
cpr_kill_prompt ();
- for (i=0, s=data; i < 20 && *s; )
+ for (i=0, s=data; i < MAX_FINGERPRINT_LEN && *s; )
{
while (spacep(s))
s++;
fpr[i++] = c;
s += 2;
}
+ fprlen = i;
xfree (data);
- if (i != 20 || *s)
+ if ((fprlen != 20 && fprlen != 32) || *s)
{
tty_printf (_("Error: invalid formatted fingerprint.\n"));
return -1;
rc = agent_scd_setattr (fprno==1?"CA-FPR-1":
fprno==2?"CA-FPR-2":
- fprno==3?"CA-FPR-3":"x", fpr, 20, NULL );
+ fprno==3?"CA-FPR-3":"x", fpr, fprlen, NULL );
if (rc)
log_error ("error setting cafpr: %s\n", gpg_strerror (rc));
write_sc_op_status (rc);
show_card_key_info (struct agent_card_info_s *info)
{
tty_fprintf (NULL, "Signature key ....:");
- print_sha1_fpr (NULL, info->fpr1valid? info->fpr1:NULL);
+ print_shax_fpr (NULL, info->fpr1len? info->fpr1:NULL, info->fpr1len);
tty_fprintf (NULL, "Encryption key....:");
- print_sha1_fpr (NULL, info->fpr2valid? info->fpr2:NULL);
+ print_shax_fpr (NULL, info->fpr2len? info->fpr2:NULL, info->fpr2len);
tty_fprintf (NULL, "Authentication key:");
- print_sha1_fpr (NULL, info->fpr3valid? info->fpr3:NULL);
+ print_shax_fpr (NULL, info->fpr3len? info->fpr3:NULL, info->fpr3len);
tty_printf ("\n");
}
static int
replace_existing_key_p (struct agent_card_info_s *info, int keyno)
{
- assert (keyno >= 0 && keyno <= 3);
+ log_assert (keyno >= 0 && keyno <= 3);
- if ((keyno == 1 && info->fpr1valid)
- || (keyno == 2 && info->fpr2valid)
- || (keyno == 3 && info->fpr3valid))
+ if ((keyno == 1 && info->fpr1len)
+ || (keyno == 2 && info->fpr2len)
+ || (keyno == 3 && info->fpr3len))
{
tty_printf ("\n");
log_info ("WARNING: such a key has already been stored on the card!\n");
if ( !cpr_get_answer_is_yes( "cardedit.genkeys.replace_key",
_("Replace existing key? (y/N) ")))
return -1;
+ return 1;
}
return 0;
}
return;
shown = 1;
tty_printf
- (_("NOTE: There is no guarantee that the card "
- "supports the requested size.\n"
- " If the key generation does not succeed, "
- "please check the\n"
- " documentation of your card to see what "
- "sizes are allowed.\n"));
+ (_("Note: There is no guarantee that the card supports the requested\n"
+ " key type or size. If the key generation does not succeed,\n"
+ " please check the documentation of your card to see which\n"
+ " key types and sizes are supported.\n")
+ );
}
/* Ask for the size of a card key. NBITS is the current size
- configured for the card. KEYNO is the number of the key used to
- select the prompt. Returns 0 to use the default size (i.e. NBITS)
- or the selected size. */
+ configured for the card. Returns 0 to use the default size
+ (i.e. NBITS) or the selected size. */
static unsigned int
-ask_card_keysize (int keyno, unsigned int nbits)
+ask_card_rsa_keysize (unsigned int nbits)
{
unsigned int min_nbits = 1024;
- unsigned int max_nbits = 3072; /* GnuPG limit due to Assuan. */
+ unsigned int max_nbits = 4096;
char *prompt, *answer;
unsigned int req_nbits;
for (;;)
{
- prompt = xasprintf
- (keyno == 0?
- _("What keysize do you want for the Signature key? (%u) "):
- keyno == 1?
- _("What keysize do you want for the Encryption key? (%u) "):
- _("What keysize do you want for the Authentication key? (%u) "),
- nbits);
+ prompt = xasprintf (_("What keysize do you want? (%u) "), nbits);
answer = cpr_get ("cardedit.genkeys.size", prompt);
cpr_kill_prompt ();
req_nbits = *answer? atoi (answer): nbits;
"RSA", min_nbits, max_nbits);
}
else
+ return req_nbits;
+ }
+}
+
+/* Ask for the key attribute of a card key. CURRENT is the current
+ attribute configured for the card. KEYNO is the number of the key
+ used to select the prompt. Returns NULL to use the default
+ attribute or the selected attribute structure. */
+static struct key_attr *
+ask_card_keyattr (int keyno, const struct key_attr *current)
+{
+ struct key_attr *key_attr = NULL;
+ char *answer = NULL;
+ int algo;
+
+ tty_printf (_("Changing card key attribute for: "));
+ if (keyno == 0)
+ tty_printf (_("Signature key\n"));
+ else if (keyno == 1)
+ tty_printf (_("Encryption key\n"));
+ else
+ tty_printf (_("Authentication key\n"));
+
+ tty_printf (_("Please select what kind of key you want:\n"));
+ tty_printf (_(" (%d) RSA\n"), 1 );
+ tty_printf (_(" (%d) ECC\n"), 2 );
+
+ for (;;)
+ {
+ xfree (answer);
+ answer = cpr_get ("cardedit.genkeys.algo", _("Your selection? "));
+ cpr_kill_prompt ();
+ algo = *answer? atoi (answer) : 0;
+
+ if (!*answer || algo == 1 || algo == 2)
+ break;
+ else
+ tty_printf (_("Invalid selection.\n"));
+ }
+
+ if (algo == 0)
+ goto leave;
+
+ key_attr = xmalloc (sizeof (struct key_attr));
+
+ if (algo == 1)
+ {
+ unsigned int nbits, result_nbits;
+
+ if (current->algo == PUBKEY_ALGO_RSA)
+ nbits = current->nbits;
+ else
+ nbits = 2048;
+
+ result_nbits = ask_card_rsa_keysize (nbits);
+ if (result_nbits == 0)
+ {
+ if (current->algo == PUBKEY_ALGO_RSA)
+ {
+ xfree (key_attr);
+ key_attr = NULL;
+ }
+ else
+ result_nbits = nbits;
+ }
+
+ if (key_attr)
+ {
+ key_attr->algo = PUBKEY_ALGO_RSA;
+ key_attr->nbits = result_nbits;
+ }
+ }
+ else
+ {
+ const char *curve;
+ const char *oid_str;
+
+ if (current->algo == PUBKEY_ALGO_RSA)
+ {
+ if (keyno == 1)
+ /* Encryption key */
+ algo = PUBKEY_ALGO_ECDH;
+ else /* Signature key or Authentication key */
+ algo = PUBKEY_ALGO_ECDSA;
+ curve = NULL;
+ }
+ else
{
- tty_printf (_("The card will now be re-configured "
- "to generate a key of %u bits\n"), req_nbits);
- show_keysize_warning ();
- return req_nbits;
+ algo = current->algo;
+ curve = current->curve;
+ }
+
+ curve = ask_curve (&algo, NULL, curve);
+ if (curve)
+ {
+ key_attr->algo = algo;
+ oid_str = openpgp_curve_to_oid (curve, NULL);
+ key_attr->curve = openpgp_oid_to_curve (oid_str, 0);
+ }
+ else
+ {
+ xfree (key_attr);
+ key_attr = NULL;
}
}
+
+ leave:
+ if (key_attr)
+ {
+ if (key_attr->algo == PUBKEY_ALGO_RSA)
+ tty_printf (_("The card will now be re-configured"
+ " to generate a key of %u bits\n"), key_attr->nbits);
+ else if (key_attr->algo == PUBKEY_ALGO_ECDH
+ || key_attr->algo == PUBKEY_ALGO_ECDSA
+ || key_attr->algo == PUBKEY_ALGO_EDDSA)
+ tty_printf (_("The card will now be re-configured"
+ " to generate a key of type: %s\n"), key_attr->curve),
+
+ show_keysize_warning ();
+ }
+
+ return key_attr;
}
-/* Change the size of key KEYNO (0..2) to NBITS and show an error
- message if that fails. */
+
+/* Change the key attribute of key KEYNO (0..2) and show an error
+ * message if that fails. */
static gpg_error_t
-do_change_keysize (int keyno, unsigned int nbits)
+do_change_keyattr (int keyno, const struct key_attr *key_attr)
{
- gpg_error_t err;
+ gpg_error_t err = 0;
char args[100];
- snprintf (args, sizeof args, "--force %d 1 %u", keyno+1, nbits);
+ if (key_attr->algo == PUBKEY_ALGO_RSA)
+ snprintf (args, sizeof args, "--force %d 1 rsa%u", keyno+1,
+ key_attr->nbits);
+ else if (key_attr->algo == PUBKEY_ALGO_ECDH
+ || key_attr->algo == PUBKEY_ALGO_ECDSA
+ || key_attr->algo == PUBKEY_ALGO_EDDSA)
+ snprintf (args, sizeof args, "--force %d %d %s",
+ keyno+1, key_attr->algo, key_attr->curve);
+ else
+ {
+ log_error (_("public key algorithm %d (%s) is not supported\n"),
+ key_attr->algo, gcry_pk_algo_name (key_attr->algo));
+ return gpg_error (GPG_ERR_PUBKEY_ALGO);
+ }
+
err = agent_scd_setattr ("KEY-ATTR", args, strlen (args), NULL);
if (err)
- log_error (_("error changing size of key %d to %u bits: %s\n"),
- keyno+1, nbits, gpg_strerror (err));
+ log_error (_("error changing key attribute for key %d: %s\n"),
+ keyno+1, gpg_strerror (err));
return err;
}
static void
-generate_card_keys (void)
+key_attr (void)
+{
+ struct agent_card_info_s info;
+ gpg_error_t err;
+ int keyno;
+
+ err = get_info_for_key_operation (&info);
+ if (err)
+ {
+ log_error (_("error getting card info: %s\n"), gpg_strerror (err));
+ return;
+ }
+
+ if (!(info.is_v2 && info.extcap.aac))
+ {
+ log_error (_("This command is not supported by this card\n"));
+ goto leave;
+ }
+
+ for (keyno = 0; keyno < DIM (info.key_attr); keyno++)
+ {
+ struct key_attr *key_attr;
+
+ if ((key_attr = ask_card_keyattr (keyno, &info.key_attr[keyno])))
+ {
+ err = do_change_keyattr (keyno, key_attr);
+ xfree (key_attr);
+ if (err)
+ {
+ /* Error: Better read the default key attribute again. */
+ agent_release_card_info (&info);
+ if (get_info_for_key_operation (&info))
+ goto leave;
+ /* Ask again for this key. */
+ keyno--;
+ }
+ }
+ }
+
+ leave:
+ agent_release_card_info (&info);
+}
+
+
+static void
+generate_card_keys (ctrl_t ctrl)
{
struct agent_card_info_s info;
int forced_chv1;
int want_backup;
- int keyno;
if (get_info_for_key_operation (&info))
return;
else
want_backup = 0;
- if ( (info.fpr1valid && !fpr_is_zero (info.fpr1))
- || (info.fpr2valid && !fpr_is_zero (info.fpr2))
- || (info.fpr3valid && !fpr_is_zero (info.fpr3)))
+ if ( (info.fpr1len && !fpr_is_zero (info.fpr1, info.fpr1len))
+ || (info.fpr2len && !fpr_is_zero (info.fpr2, info.fpr2len))
+ || (info.fpr3len && !fpr_is_zero (info.fpr3, info.fpr3len)))
{
tty_printf ("\n");
- log_info (_("NOTE: keys are already stored on the card!\n"));
+ log_info (_("Note: keys are already stored on the card!\n"));
tty_printf ("\n");
if ( !cpr_get_answer_is_yes ("cardedit.genkeys.replace_keys",
_("Replace existing keys? (y/N) ")))
{
tty_printf ("\n");
tty_printf (_("Please note that the factory settings of the PINs are\n"
- " PIN = `%s' Admin PIN = `%s'\n"
+ " PIN = '%s' Admin PIN = '%s'\n"
"You should change them using the command --change-pin\n"),
"123456", "12345678");
tty_printf ("\n");
}
+
if (check_pin_for_key_operation (&info, &forced_chv1))
goto leave;
- /* If the cards features changeable key attributes, we ask for the
- key size. */
- if (info.is_v2 && info.extcap.aac)
- {
- unsigned int nbits;
-
- for (keyno = 0; keyno < DIM (info.key_attr); keyno++)
- {
- nbits = ask_card_keysize (keyno, info.key_attr[keyno].nbits);
- if (nbits && do_change_keysize (keyno, nbits))
- {
- /* Error: Better read the default key size again. */
- agent_release_card_info (&info);
- if (get_info_for_key_operation (&info))
- goto leave;
- /* Ask again for this key size. */
- keyno--;
- }
- }
- /* Note that INFO has not be synced. However we will only use
- the serialnumber and thus it won't harm. */
- }
-
- generate_keypair (NULL, info.serialno, want_backup);
+ generate_keypair (ctrl, 1, NULL, info.serialno, want_backup);
leave:
agent_release_card_info (&info);
/* This function is used by the key edit menu to generate an arbitrary
subkey. */
gpg_error_t
-card_generate_subkey (KBNODE pub_keyblock)
+card_generate_subkey (ctrl_t ctrl, kbnode_t pub_keyblock)
{
gpg_error_t err;
struct agent_card_info_s info;
tty_printf(_("Invalid selection.\n"));
}
- if (replace_existing_key_p (&info, keyno))
+ if (replace_existing_key_p (&info, keyno) < 0)
{
err = gpg_error (GPG_ERR_CANCELED);
goto leave;
if (err)
goto leave;
- /* If the cards features changeable key attributes, we ask for the
- key size. */
- if (info.is_v2 && info.extcap.aac)
- {
- unsigned int nbits;
-
- ask_again:
- nbits = ask_card_keysize (keyno-1, info.key_attr[keyno-1].nbits);
- if (nbits && do_change_keysize (keyno-1, nbits))
- {
- /* Error: Better read the default key size again. */
- agent_release_card_info (&info);
- err = get_info_for_key_operation (&info);
- if (err)
- goto leave;
- goto ask_again;
- }
- /* Note that INFO has not be synced. However we will only use
- the serialnumber and thus it won't harm. */
- }
-
- err = generate_card_subkeypair (pub_keyblock, keyno, info.serialno);
+ err = generate_card_subkeypair (ctrl, pub_keyblock, keyno, info.serialno);
leave:
agent_release_card_info (&info);
int
card_store_subkey (KBNODE node, int use)
{
- log_info ("FIXME: card_store_subkey has not yet been implemented\n");
-/* struct agent_card_info_s info; */
-/* int okay = 0; */
-/* int rc; */
-/* int keyno, i; */
-/* PKT_secret_key *copied_sk = NULL; */
-/* PKT_secret_key *sk; */
-/* size_t n; */
-/* const char *s; */
-/* int allow_keyno[3]; */
-/* unsigned int nbits; */
-
-
-/* assert (node->pkt->pkttype == PKT_SECRET_KEY */
-/* || node->pkt->pkttype == PKT_SECRET_SUBKEY); */
-/* sk = node->pkt->pkt.secret_key; */
-
-/* if (get_info_for_key_operation (&info)) */
-/* return 0; */
-
-/* if (!info.extcap.ki) */
-/* { */
-/* tty_printf ("The card does not support the import of keys\n"); */
-/* tty_printf ("\n"); */
-/* goto leave; */
-/* } */
-
-/* show_card_key_info (&info); */
-
-/* nbits = nbits_from_sk (sk); */
-
-/* if (!is_RSA (sk->pubkey_algo) || (!info.is_v2 && nbits != 1024) ) */
-/* { */
-/* tty_printf ("You may only store a 1024 bit RSA key on the card\n"); */
-/* tty_printf ("\n"); */
-/* goto leave; */
-/* } */
-
-/* allow_keyno[0] = (!use || (use & (PUBKEY_USAGE_SIG))); */
-/* allow_keyno[1] = (!use || (use & (PUBKEY_USAGE_ENC))); */
-/* allow_keyno[2] = (!use || (use & (PUBKEY_USAGE_SIG|PUBKEY_USAGE_AUTH))); */
-
-/* tty_printf (_("Please select where to store the key:\n")); */
-
-/* if (allow_keyno[0]) */
-/* tty_printf (_(" (1) Signature key\n")); */
-/* if (allow_keyno[1]) */
-/* tty_printf (_(" (2) Encryption key\n")); */
-/* if (allow_keyno[2]) */
-/* tty_printf (_(" (3) Authentication key\n")); */
-
-/* for (;;) */
-/* { */
-/* char *answer = cpr_get ("cardedit.genkeys.storekeytype", */
-/* _("Your selection? ")); */
-/* cpr_kill_prompt(); */
-/* if (*answer == CONTROL_D || !*answer) */
-/* { */
-/* xfree (answer); */
-/* goto leave; */
-/* } */
-/* keyno = *answer? atoi(answer): 0; */
-/* xfree(answer); */
-/* if (keyno >= 1 && keyno <= 3 && allow_keyno[keyno-1]) */
-/* { */
-/* if (info.is_v2 && !info.extcap.aac */
-/* && info.key_attr[keyno-1].nbits != nbits) */
-/* { */
-/* tty_printf ("Key does not match the card's capability.\n"); */
-/* } */
-/* else */
-/* break; /\* Okay. *\/ */
-/* } */
-/* else */
-/* tty_printf(_("Invalid selection.\n")); */
-/* } */
-
-/* if (replace_existing_key_p (&info, keyno)) */
-/* goto leave; */
-
-/* /\* Unprotect key. *\/ */
-/* switch (is_secret_key_protected (sk) ) */
-/* { */
-/* case 0: /\* Not protected. *\/ */
-/* break; */
-/* case -1: */
-/* log_error (_("unknown key protection algorithm\n")); */
-/* goto leave; */
-/* default: */
-/* if (sk->protect.s2k.mode == 1001) */
-/* { */
-/* log_error (_("secret parts of key are not available\n")); */
-/* goto leave; */
-/* } */
-/* if (sk->protect.s2k.mode == 1002) */
-/* { */
-/* log_error (_("secret key already stored on a card\n")); */
-/* goto leave; */
-/* } */
-/* /\* We better copy the key before we unprotect it. *\/ */
-/* copied_sk = sk = copy_secret_key (NULL, sk); */
-/* rc = 0/\*check_secret_key (sk, 0)*\/; */
-/* if (rc) */
-/* goto leave; */
-/* } */
-
-/* #warning code save_unprotected_key_to_card */
-/* /\* rc = save_unprotected_key_to_card (sk, keyno); *\/ */
-/* /\* if (rc) *\/ */
-/* /\* { *\/ */
-/* /\* log_error (_("error writing key to card: %s\n"), gpg_strerror (rc)); *\/ */
-/* /\* goto leave; *\/ */
-/* /\* } *\/ */
-
-/* /\* Get back to the maybe protected original secret key. *\/ */
-/* if (copied_sk) */
-/* { */
-/* free_secret_key (copied_sk); */
-/* copied_sk = NULL; */
-/* } */
-/* sk = node->pkt->pkt.secret_key; */
-
-/* /\* Get rid of the secret key parameters and store the serial numer. *\/ */
-/* n = pubkey_get_nskey (sk->pubkey_algo); */
-/* for (i=pubkey_get_npkey (sk->pubkey_algo); i < n; i++) */
-/* { */
-/* gcry_mpi_release (sk->skey[i]); */
-/* sk->skey[i] = NULL; */
-/* } */
-/* i = pubkey_get_npkey (sk->pubkey_algo); */
-/* sk->skey[i] = gcry_mpi_set_opaque (NULL, xstrdup ("dummydata"), 10*8); */
-/* sk->is_protected = 1; */
-/* sk->protect.s2k.mode = 1002; */
-/* s = info.serialno; */
-/* for (sk->protect.ivlen=0; sk->protect.ivlen < 16 && *s && s[1]; */
-/* sk->protect.ivlen++, s += 2) */
-/* sk->protect.iv[sk->protect.ivlen] = xtoi_2 (s); */
-
-/* okay = 1; */
-
-/* leave: */
-/* if (copied_sk) */
-/* free_secret_key (copied_sk); */
-/* agent_release_card_info (&info); */
-/* return okay; */
- return -1;
+ struct agent_card_info_s info;
+ int okay = 0;
+ unsigned int nbits;
+ int allow_keyno[3];
+ int keyno;
+ PKT_public_key *pk;
+ gpg_error_t err;
+ char *hexgrip;
+ int rc;
+ gnupg_isotime_t timebuf;
+
+ log_assert (node->pkt->pkttype == PKT_PUBLIC_KEY
+ || node->pkt->pkttype == PKT_PUBLIC_SUBKEY);
+
+ pk = node->pkt->pkt.public_key;
+
+ if (get_info_for_key_operation (&info))
+ return 0;
+
+ if (!info.extcap.ki)
+ {
+ tty_printf ("The card does not support the import of keys\n");
+ tty_printf ("\n");
+ goto leave;
+ }
+
+ nbits = nbits_from_pk (pk);
+
+ if (!info.is_v2 && nbits != 1024)
+ {
+ tty_printf ("You may only store a 1024 bit RSA key on the card\n");
+ tty_printf ("\n");
+ goto leave;
+ }
+
+ allow_keyno[0] = (!use || (use & (PUBKEY_USAGE_SIG|PUBKEY_USAGE_CERT)));
+ allow_keyno[1] = (!use || (use & (PUBKEY_USAGE_ENC)));
+ allow_keyno[2] = (!use || (use & (PUBKEY_USAGE_SIG|PUBKEY_USAGE_AUTH)));
+
+ tty_printf (_("Please select where to store the key:\n"));
+
+ if (allow_keyno[0])
+ tty_printf (_(" (1) Signature key\n"));
+ if (allow_keyno[1])
+ tty_printf (_(" (2) Encryption key\n"));
+ if (allow_keyno[2])
+ tty_printf (_(" (3) Authentication key\n"));
+
+ for (;;)
+ {
+ char *answer = cpr_get ("cardedit.genkeys.storekeytype",
+ _("Your selection? "));
+ cpr_kill_prompt();
+ if (*answer == CONTROL_D || !*answer)
+ {
+ xfree (answer);
+ goto leave;
+ }
+ keyno = *answer? atoi(answer): 0;
+ xfree(answer);
+ if (keyno >= 1 && keyno <= 3 && allow_keyno[keyno-1])
+ {
+ if (info.is_v2 && !info.extcap.aac
+ && info.key_attr[keyno-1].nbits != nbits)
+ {
+ tty_printf ("Key does not match the card's capability.\n");
+ }
+ else
+ break; /* Okay. */
+ }
+ else
+ tty_printf(_("Invalid selection.\n"));
+ }
+
+ if ((rc = replace_existing_key_p (&info, keyno)) < 0)
+ goto leave;
+
+ err = hexkeygrip_from_pk (pk, &hexgrip);
+ if (err)
+ goto leave;
+
+ epoch2isotime (timebuf, (time_t)pk->timestamp);
+ rc = agent_keytocard (hexgrip, keyno, rc, info.serialno, timebuf);
+
+ if (rc)
+ log_error (_("KEYTOCARD failed: %s\n"), gpg_strerror (rc));
+ else
+ okay = 1;
+ xfree (hexgrip);
+
+ leave:
+ agent_release_card_info (&info);
+ return okay;
+}
+
+
+
+/* Direct sending of an hex encoded APDU with error printing. */
+static gpg_error_t
+send_apdu (const char *hexapdu, const char *desc, unsigned int ignore)
+{
+ gpg_error_t err;
+ unsigned int sw;
+
+ err = agent_scd_apdu (hexapdu, &sw);
+ if (err)
+ tty_printf ("sending card command %s failed: %s\n", desc,
+ gpg_strerror (err));
+ else if (!hexapdu || !strcmp (hexapdu, "undefined"))
+ ;
+ else if (ignore == 0xffff)
+ ; /* Ignore all status words. */
+ else if (sw != 0x9000)
+ {
+ switch (sw)
+ {
+ case 0x6285: err = gpg_error (GPG_ERR_OBJ_TERM_STATE); break;
+ case 0x6982: err = gpg_error (GPG_ERR_BAD_PIN); break;
+ case 0x6985: err = gpg_error (GPG_ERR_USE_CONDITIONS); break;
+ default: err = gpg_error (GPG_ERR_CARD);
+ }
+ if (!(ignore && ignore == sw))
+ tty_printf ("card command %s failed: %s (0x%04x)\n", desc,
+ gpg_strerror (err), sw);
+ }
+ return err;
+}
+
+
+/* Do a factory reset after confirmation. */
+static void
+factory_reset (void)
+{
+ struct agent_card_info_s info;
+ gpg_error_t err;
+ char *answer = NULL;
+ int termstate = 0;
+ int i;
+
+ /* The code below basically does the same what this
+ gpg-connect-agent script does:
+
+ scd reset
+ scd serialno undefined
+ scd apdu 00 A4 04 00 06 D2 76 00 01 24 01
+ scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
+ scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
+ scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
+ scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
+ scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
+ scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
+ scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
+ scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
+ scd apdu 00 e6 00 00
+ scd apdu 00 44 00 00
+ scd reset
+ /echo Card has been reset to factory defaults
+
+ but tries to find out something about the card first.
+ */
+
+ err = agent_scd_learn (&info, 0);
+ if (gpg_err_code (err) == GPG_ERR_OBJ_TERM_STATE
+ && gpg_err_source (err) == GPG_ERR_SOURCE_SCD)
+ termstate = 1;
+ else if (err)
+ {
+ log_error (_("OpenPGP card not available: %s\n"), gpg_strerror (err));
+ goto leave;
+ }
+
+ if (!termstate)
+ {
+ log_info (_("OpenPGP card no. %s detected\n"),
+ info.serialno? info.serialno : "[none]");
+ if (!(info.status_indicator == 3 || info.status_indicator == 5))
+ {
+ /* Note: We won't see status-indicator 3 here because it is not
+ possible to select a card application in termination state. */
+ log_error (_("This command is not supported by this card\n"));
+ goto leave;
+ }
+
+ tty_printf ("\n");
+ log_info (_("Note: This command destroys all keys stored on the card!\n"));
+ tty_printf ("\n");
+ if (!cpr_get_answer_is_yes ("cardedit.factory-reset.proceed",
+ _("Continue? (y/N) ")))
+ goto leave;
+
+
+ answer = cpr_get ("cardedit.factory-reset.really",
+ _("Really do a factory reset? (enter \"yes\") "));
+ cpr_kill_prompt ();
+ trim_spaces (answer);
+ if (strcmp (answer, "yes"))
+ goto leave;
+
+ /* We need to select a card application before we can send APDUs
+ to the card without scdaemon doing anything on its own. */
+ err = send_apdu (NULL, "RESET", 0);
+ if (err)
+ goto leave;
+ err = send_apdu ("undefined", "dummy select ", 0);
+ if (err)
+ goto leave;
+
+ /* Select the OpenPGP application. */
+ err = send_apdu ("00A4040006D27600012401", "SELECT AID", 0);
+ if (err)
+ goto leave;
+
+ /* Do some dummy verifies with wrong PINs to set the retry
+ counter to zero. We can't easily use the card version 2.1
+ feature of presenting the admin PIN to allow the terminate
+ command because there is no machinery in scdaemon to catch
+ the verify command and ask for the PIN when the "APDU"
+ command is used. */
+ /* Here, the length of dummy wrong PIN is 32-byte, also
+ supporting authentication with KDF DO. */
+ for (i=0; i < 4; i++)
+ send_apdu ("0020008120"
+ "40404040404040404040404040404040"
+ "40404040404040404040404040404040", "VERIFY", 0xffff);
+ for (i=0; i < 4; i++)
+ send_apdu ("0020008320"
+ "40404040404040404040404040404040"
+ "40404040404040404040404040404040", "VERIFY", 0xffff);
+
+ /* Send terminate datafile command. */
+ err = send_apdu ("00e60000", "TERMINATE DF", 0x6985);
+ if (err)
+ goto leave;
+ }
+
+ /* Send activate datafile command. This is used without
+ confirmation if the card is already in termination state. */
+ err = send_apdu ("00440000", "ACTIVATE DF", 0);
+ if (err)
+ goto leave;
+
+ /* Finally we reset the card reader once more. */
+ err = send_apdu (NULL, "RESET", 0);
+
+ /* Then, connect the card again. */
+ if (!err)
+ {
+ char *serialno0;
+
+ err = agent_scd_serialno (&serialno0, NULL);
+ if (!err)
+ xfree (serialno0);
+ }
+
+ leave:
+ xfree (answer);
+ agent_release_card_info (&info);
+}
+
+
+#define USER_PIN_DEFAULT "123456"
+#define ADMIN_PIN_DEFAULT "12345678"
+#define KDF_DATA_LENGTH_MIN 90
+#define KDF_DATA_LENGTH_MAX 110
+
+/* Generate KDF data. */
+static gpg_error_t
+gen_kdf_data (unsigned char *data, int single_salt)
+{
+ const unsigned char h0[] = { 0x81, 0x01, 0x03,
+ 0x82, 0x01, 0x08,
+ 0x83, 0x04 };
+ const unsigned char h1[] = { 0x84, 0x08 };
+ const unsigned char h2[] = { 0x85, 0x08 };
+ const unsigned char h3[] = { 0x86, 0x08 };
+ const unsigned char h4[] = { 0x87, 0x20 };
+ const unsigned char h5[] = { 0x88, 0x20 };
+ unsigned char *p, *salt_user, *salt_admin;
+ unsigned char s2k_char;
+ unsigned int iterations;
+ unsigned char count_4byte[4];
+ gpg_error_t err = 0;
+
+ p = data;
+
+ s2k_char = encode_s2k_iterations (0);
+ iterations = S2K_DECODE_COUNT (s2k_char);
+ count_4byte[0] = (iterations >> 24) & 0xff;
+ count_4byte[1] = (iterations >> 16) & 0xff;
+ count_4byte[2] = (iterations >> 8) & 0xff;
+ count_4byte[3] = (iterations & 0xff);
+
+ memcpy (p, h0, sizeof h0);
+ p += sizeof h0;
+ memcpy (p, count_4byte, sizeof count_4byte);
+ p += sizeof count_4byte;
+ memcpy (p, h1, sizeof h1);
+ salt_user = (p += sizeof h1);
+ gcry_randomize (p, 8, GCRY_STRONG_RANDOM);
+ p += 8;
+
+ if (single_salt)
+ salt_admin = salt_user;
+ else
+ {
+ memcpy (p, h2, sizeof h2);
+ p += sizeof h2;
+ gcry_randomize (p, 8, GCRY_STRONG_RANDOM);
+ p += 8;
+ memcpy (p, h3, sizeof h3);
+ salt_admin = (p += sizeof h3);
+ gcry_randomize (p, 8, GCRY_STRONG_RANDOM);
+ p += 8;
+ }
+
+ memcpy (p, h4, sizeof h4);
+ p += sizeof h4;
+ err = gcry_kdf_derive (USER_PIN_DEFAULT, strlen (USER_PIN_DEFAULT),
+ GCRY_KDF_ITERSALTED_S2K, DIGEST_ALGO_SHA256,
+ salt_user, 8, iterations, 32, p);
+ p += 32;
+ if (!err)
+ {
+ memcpy (p, h5, sizeof h5);
+ p += sizeof h5;
+ err = gcry_kdf_derive (ADMIN_PIN_DEFAULT, strlen (ADMIN_PIN_DEFAULT),
+ GCRY_KDF_ITERSALTED_S2K, DIGEST_ALGO_SHA256,
+ salt_admin, 8, iterations, 32, p);
+ }
+
+ return err;
+}
+
+/* Setup KDF data object which is used for PIN authentication. */
+static void
+kdf_setup (const char *args)
+{
+ struct agent_card_info_s info;
+ gpg_error_t err;
+ unsigned char kdf_data[KDF_DATA_LENGTH_MAX];
+ int single = (*args != 0);
+
+ memset (&info, 0, sizeof info);
+
+ err = agent_scd_getattr ("EXTCAP", &info);
+ if (err)
+ {
+ log_error (_("error getting card info: %s\n"), gpg_strerror (err));
+ return;
+ }
+
+ if (!info.extcap.kdf)
+ {
+ log_error (_("This command is not supported by this card\n"));
+ goto leave;
+ }
+
+ err = gen_kdf_data (kdf_data, single);
+ if (err)
+ goto leave_error;
+
+ err = agent_scd_setattr ("KDF", kdf_data,
+ single ? KDF_DATA_LENGTH_MIN : KDF_DATA_LENGTH_MAX,
+ NULL);
+ if (err)
+ goto leave_error;
+
+ err = agent_scd_getattr ("KDF", &info);
+
+ leave_error:
+ if (err)
+ log_error (_("error for setup KDF: %s\n"), gpg_strerror (err));
+
+ leave:
+ agent_release_card_info (&info);
}
+static void
+uif (int arg_number, const char *arg_rest)
+{
+ struct agent_card_info_s info;
+ int feature_available;
+ gpg_error_t err;
+ char name[100];
+ unsigned char data[2];
+
+ memset (&info, 0, sizeof info);
+
+ err = agent_scd_getattr ("EXTCAP", &info);
+ if (err)
+ {
+ log_error (_("error getting card info: %s\n"), gpg_strerror (err));
+ return;
+ }
+
+ feature_available = info.extcap.bt;
+ agent_release_card_info (&info);
+
+ if (!feature_available)
+ {
+ log_error (_("This command is not supported by this card\n"));
+ tty_printf ("\n");
+ return;
+ }
+
+ snprintf (name, sizeof name, "UIF-%d", arg_number);
+ if ( !strcmp (arg_rest, "off") )
+ data[0] = 0x00;
+ else if ( !strcmp (arg_rest, "on") )
+ data[0] = 0x01;
+ else if ( !strcmp (arg_rest, "permanent") )
+ data[0] = 0x02;
+
+ data[1] = 0x20;
+ err = agent_scd_setattr (name, data, 2, NULL);
+ if (err)
+ log_error (_("error for setup UIF: %s\n"), gpg_strerror (err));
+}
\f
/* Data used by the command parser. This needs to be outside of the
function scope to allow readline based command completion. */
cmdQUIT, cmdADMIN, cmdHELP, cmdLIST, cmdDEBUG, cmdVERIFY,
cmdNAME, cmdURL, cmdFETCH, cmdLOGIN, cmdLANG, cmdSEX, cmdCAFPR,
cmdFORCESIG, cmdGENERATE, cmdPASSWD, cmdPRIVATEDO, cmdWRITECERT,
- cmdREADCERT, cmdUNBLOCK,
+ cmdREADCERT, cmdUNBLOCK, cmdFACTORYRESET, cmdKDFSETUP,
+ cmdKEYATTR, cmdUIF,
cmdINVCMD
};
{ "fetch" , cmdFETCH , 0, N_("fetch the key specified in the card URL")},
{ "login" , cmdLOGIN , 1, N_("change the login name")},
{ "lang" , cmdLANG , 1, N_("change the language preferences")},
- { "sex" , cmdSEX , 1, N_("change card holder's sex")},
+ { "salutation",cmdSEX , 1, N_("change card holder's salutation")},
+ { "sex" ,cmdSEX , 1, NULL }, /* Backward compatibility. */
{ "cafpr" , cmdCAFPR , 1, N_("change a CA fingerprint")},
{ "forcesig", cmdFORCESIG, 1, N_("toggle the signature force PIN flag")},
{ "generate", cmdGENERATE, 1, N_("generate new keys")},
{ "passwd" , cmdPASSWD, 0, N_("menu to change or unblock the PIN")},
{ "verify" , cmdVERIFY, 0, N_("verify the PIN and list all data")},
- { "unblock" , cmdUNBLOCK,0, N_("unblock the PIN using a Reset Code") },
+ { "unblock" , cmdUNBLOCK,0, N_("unblock the PIN using a Reset Code")},
+ { "factory-reset", cmdFACTORYRESET, 1, N_("destroy all keys and data")},
+ { "kdf-setup", cmdKDFSETUP, 1, N_("setup KDF for PIN authentication")},
+ { "key-attr", cmdKEYATTR, 1, N_("change the key attribute")},
+ { "uif", cmdUIF, 1, N_("change the User Interaction Flag")},
/* Note, that we do not announce these command yet. */
{ "privatedo", cmdPRIVATEDO, 0, NULL },
{ "readcert", cmdREADCERT, 0, NULL },
int cmd_admin_only;
tty_printf("\n");
- if (redisplay )
+ if (redisplay)
{
if (opt.with_colons)
{
- card_status (es_stdout, serialnobuf, DIM (serialnobuf));
+ current_card_status (ctrl, es_stdout,
+ serialnobuf, DIM (serialnobuf));
fflush (stdout);
}
else
{
- card_status (NULL, serialnobuf, DIM (serialnobuf));
+ current_card_status (ctrl, NULL,
+ serialnobuf, DIM (serialnobuf));
tty_printf("\n");
}
redisplay = 0;
for (i=0; cmds[i].name; i++ )
if(cmds[i].desc
&& (!cmds[i].admin_only || (cmds[i].admin_only && allow_admin)))
- tty_printf("%-10s %s\n", cmds[i].name, _(cmds[i].desc) );
+ tty_printf("%-14s %s\n", cmds[i].name, _(cmds[i].desc) );
break;
case cmdADMIN:
break;
case cmdGENERATE:
- generate_card_keys ();
+ generate_card_keys (ctrl);
break;
case cmdPASSWD:
change_pin (1, allow_admin);
break;
+ case cmdFACTORYRESET:
+ factory_reset ();
+ break;
+
+ case cmdKDFSETUP:
+ kdf_setup (arg_string);
+ break;
+
+ case cmdKEYATTR:
+ key_attr ();
+ break;
+
+ case cmdUIF:
+ if ( arg_number < 1 || arg_number > 3 )
+ tty_printf ("usage: uif N [on|off|permanent]\n"
+ " 1 <= N <= 3\n");
+ else
+ uif (arg_number, arg_rest);
+ break;
+
case cmdQUIT:
goto leave;
projects / gnupg.git / blobdiff