« back to all changes in this revision
Viewing changes to scd/command.c
- browse files at revision 17
- compare with another revision
- download diff
- download tarball
- view history from revision 17
- Committer: Bazaar Package Importer
- Author(s): Marc Deslauriers
- Date: 2011-05-25 14:27:35 UTC
- mfrom: (1.1.15 upstream) (7.1.7 sid)
- Revision ID: james.westby@ubuntu.com-20110525142735-jccyw0fopnyv728q
Tags: 2.0.17-2ubuntu1
* Merge from debian unstable. Remaining changes:
- Add udev rules to give gpg access to some smartcard readers;
Debian #543217.
. debian/gnupg2.dev: udev rules to set ACLs on SCM smartcard readers.
. debian/rules: Call dh_installudev.
- debian/control: Rename Vcs-* to XS-Debian-Vcs-*.
- Add udev rules to give gpg access to some smartcard readers;
Debian #543217.
. debian/gnupg2.dev: udev rules to set ACLs on SCM smartcard readers.
. debian/rules: Call dh_installudev.
- debian/control: Rename Vcs-* to XS-Debian-Vcs-*.
- files added:
- .pc/debian-changes-2.0.17-2
- .pc/debian-changes-2.0.17-2ubuntu1
- files removed:
- .pc/01-gnupg2-rename.diff/doc
- .pc/02-encode-s2k.diff
- .pc/02-encode-s2k.diff/agent
- .pc/03-gpgsm-realloc.diff
- .pc/03-gpgsm-realloc.diff/kbx
- .pc/debian-changes-2.0.14-2
- files modified:
- .pc/01-gnupg2-rename.diff/configure.ac
added
removed
scd/command.c
30
30
# include <pth.h>
31
31
#endif
32
32
33
#include "scdaemon.h"
33
34
#include <assuan.h>
34
35
#include "scdaemon.h"
36
35
#include <ksba.h>
37
36
#include "app-common.h"
38
37
#include "apdu.h" /* Required for apdu_*_reader (). */
71
70
&& (c)->reader_slot == locked_session->ctrl_backlink->reader_slot)
72
71
73
72
73
/* Flag indicating that the reader has been disabled. */
74
static int reader_disabled;
75
76
74
77
/* This structure is used to keep track of open readers (slots). */
75
78
struct slot_status_s
76
79
{
339
342
}
340
343
341
344
342
static void
343
reset_notify (assuan_context_t ctx)
345
static gpg_error_t
346
reset_notify (assuan_context_t ctx, char *line)
344
347
{
345
348
ctrl_t ctrl = assuan_get_pointer (ctx);
346
349
350
(void) line;
351
347
352
do_reset (ctrl, 1);
353
return 0;
348
354
}
349
355
350
356
351
static int
357
static gpg_error_t
352
358
option_handler (assuan_context_t ctx, const char *key, const char *value)
353
359
{
354
360
ctrl_t ctrl = assuan_get_pointer (ctx);
392
398
393
399
/* Try to open the reader. */
394
400
if (ss->slot == -1)
395
ss->slot = apdu_open_reader (opt.reader_port);
401
{
402
int no_service_flag;
403
ss->slot = apdu_open_reader (opt.reader_port, &no_service_flag);
404
if (no_service_flag)
405
{
406
log_info ("no card services - disabling scdaemon\n");
407
reader_disabled = 1;
408
}
409
}
396
410
397
411
/* Return the slot_table index. */
398
412
return 0;
401
415
/* If the card has not yet been opened, do it. Note that this
402
416
function returns an Assuan error, so don't map the error a second
403
417
time. */
404
static assuan_error_t
418
static gpg_error_t
405
419
open_card (ctrl_t ctrl, const char *apptype)
406
420
{
407
421
gpg_error_t err;
408
422
int slot;
409
423
424
if (reader_disabled)
425
return gpg_error (GPG_ERR_NOT_OPERATIONAL);
426
410
427
/* If we ever got a card not present error code, return that. Only
411
428
the SERIALNO command and a reset are able to clear from that
412
429
state. */
439
456
slot = get_reader_slot ();
440
457
ctrl->reader_slot = slot;
441
458
if (slot == -1)
442
err = gpg_error (GPG_ERR_CARD);
459
err = gpg_error (reader_disabled? GPG_ERR_NOT_OPERATIONAL: GPG_ERR_CARD);
443
460
else
444
461
{
445
462
/* Fixme: We should move the apdu_connect call to
464
481
}
465
482
466
483
467
/* SERIALNO [APPTYPE]
468
469
Return the serial number of the card using a status reponse. This
470
function should be used to check for the presence of a card.
471
472
If APPTYPE is given, an application of that type is selected and an
473
error is returned if the application is not supported or available.
474
The default is to auto-select the application using a hardwired
475
preference system. Note, that a future extension to this function
476
may allow to specify a list and order of applications to try.
477
478
This function is special in that it can be used to reset the card.
479
Most other functions will return an error when a card change has
480
been detected and the use of this function is therefore required.
481
482
Background: We want to keep the client clear of handling card
483
changes between operations; i.e. the client can assume that all
484
operations are done on the same card unless he calls this function.
485
*/
486
static int
484
static const char hlp_serialno[] =
485
"SERIALNO [<apptype>]\n"
486
"\n"
487
"Return the serial number of the card using a status reponse. This\n"
488
"function should be used to check for the presence of a card.\n"
489
"\n"
490
"If APPTYPE is given, an application of that type is selected and an\n"
491
"error is returned if the application is not supported or available.\n"
492
"The default is to auto-select the application using a hardwired\n"
493
"preference system. Note, that a future extension to this function\n"
494
"may allow to specify a list and order of applications to try.\n"
495
"\n"
496
"This function is special in that it can be used to reset the card.\n"
497
"Most other functions will return an error when a card change has\n"
498
"been detected and the use of this function is therefore required.\n"
499
"\n"
500
"Background: We want to keep the client clear of handling card\n"
501
"changes between operations; i.e. the client can assume that all\n"
502
"operations are done on the same card unless he calls this function.";
503
static gpg_error_t
487
504
cmd_serialno (assuan_context_t ctx, char *line)
488
505
{
489
506
ctrl_t ctrl = assuan_get_pointer (ctx);
493
510
time_t stamp;
494
511
495
512
/* Clear the remove flag so that the open_card is able to reread it. */
496
if (ctrl->server_local->card_removed)
513
if (!reader_disabled && ctrl->server_local->card_removed)
497
514
{
498
515
if ( IS_LOCKED (ctrl) )
499
516
return gpg_error (GPG_ERR_LOCKED);
519
536
}
520
537
521
538
522
523
524
/* LEARN [--force] [--keypairinfo]
525
526
Learn all useful information of the currently inserted card. When
527
used without the force options, the command might do an INQUIRE
528
like this:
529
530
INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>
531
532
The client should just send an "END" if the processing should go on
533
or a "CANCEL" to force the function to terminate with a Cancel
534
error message.
535
536
With the option --keypairinfo only KEYPARIINFO lstatus lines are
537
returned.
538
539
The response of this command is a list of status lines formatted as
540
this:
541
542
S APPTYPE <apptype>
543
544
This returns the type of the application, currently the strings:
545
546
P15 = PKCS-15 structure used
547
DINSIG = DIN SIG
548
OPENPGP = OpenPGP card
549
NKS = NetKey card
550
551
are implemented. These strings are aliases for the AID
552
553
S KEYPAIRINFO <hexstring_with_keygrip> <hexstring_with_id>
554
555
If there is no certificate yet stored on the card a single "X" is
556
returned as the keygrip. In addition to the keypair info, information
557
about all certificates stored on the card is also returned:
558
559
S CERTINFO <certtype> <hexstring_with_id>
560
561
Where CERTTYPE is a number indicating the type of certificate:
562
0 := Unknown
563
100 := Regular X.509 cert
564
101 := Trusted X.509 cert
565
102 := Useful X.509 cert
566
110 := Root CA cert in a special format (e.g. DINSIG)
567
111 := Root CA cert as standard X509 cert.
568
569
For certain cards, more information will be returned:
570
571
S KEY-FPR <no> <hexstring>
572
573
For OpenPGP cards this returns the stored fingerprints of the
574
keys. This can be used check whether a key is available on the
575
card. NO may be 1, 2 or 3.
576
577
S CA-FPR <no> <hexstring>
578
579
Similar to above, these are the fingerprints of keys assumed to be
580
ultimately trusted.
581
582
S DISP-NAME <name_of_card_holder>
583
584
The name of the card holder as stored on the card; percent
585
escaping takes place, spaces are encoded as '+'
586
587
S PUBKEY-URL <url>
588
589
The URL to be used for locating the entire public key.
590
591
Note, that this function may even be used on a locked card.
592
*/
593
static int
539
static const char hlp_learn[] =
540
"LEARN [--force] [--keypairinfo]\n"
541
"\n"
542
"Learn all useful information of the currently inserted card. When\n"
543
"used without the force options, the command might do an INQUIRE\n"
544
"like this:\n"
545
"\n"
546
" INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>\n"
547
"\n"
548
"The client should just send an \"END\" if the processing should go on\n"
549
"or a \"CANCEL\" to force the function to terminate with a Cancel\n"
550
"error message.\n"
551
"\n"
552
"With the option --keypairinfo only KEYPARIINFO lstatus lines are\n"
553
"returned.\n"
554
"\n"
555
"The response of this command is a list of status lines formatted as\n"
556
"this:\n"
557
"\n"
558
" S APPTYPE <apptype>\n"
559
"\n"
560
"This returns the type of the application, currently the strings:\n"
561
"\n"
562
" P15 = PKCS-15 structure used\n"
563
" DINSIG = DIN SIG\n"
564
" OPENPGP = OpenPGP card\n"
565
" NKS = NetKey card\n"
566
"\n"
567
"are implemented. These strings are aliases for the AID\n"
568
"\n"
569
" S KEYPAIRINFO <hexstring_with_keygrip> <hexstring_with_id>\n"
570
"\n"
571
"If there is no certificate yet stored on the card a single 'X' is\n"
572
"returned as the keygrip. In addition to the keypair info, information\n"
573
"about all certificates stored on the card is also returned:\n"
574
"\n"
575
" S CERTINFO <certtype> <hexstring_with_id>\n"
576
"\n"
577
"Where CERTTYPE is a number indicating the type of certificate:\n"
578
" 0 := Unknown\n"
579
" 100 := Regular X.509 cert\n"
580
" 101 := Trusted X.509 cert\n"
581
" 102 := Useful X.509 cert\n"
582
" 110 := Root CA cert in a special format (e.g. DINSIG)\n"
583
" 111 := Root CA cert as standard X509 cert.\n"
584
"\n"
585
"For certain cards, more information will be returned:\n"
586
"\n"
587
" S KEY-FPR <no> <hexstring>\n"
588
"\n"
589
"For OpenPGP cards this returns the stored fingerprints of the\n"
590
"keys. This can be used check whether a key is available on the\n"
591
"card. NO may be 1, 2 or 3.\n"
592
"\n"
593
" S CA-FPR <no> <hexstring>\n"
594
"\n"
595
"Similar to above, these are the fingerprints of keys assumed to be\n"
596
"ultimately trusted.\n"
597
"\n"
598
" S DISP-NAME <name_of_card_holder>\n"
599
"\n"
600
"The name of the card holder as stored on the card; percent\n"
601
"escaping takes place, spaces are encoded as '+'\n"
602
"\n"
603
" S PUBKEY-URL <url>\n"
604
"\n"
605
"The URL to be used for locating the entire public key.\n"
606
" \n"
607
"Note, that this function may even be used on a locked card.";
608
static gpg_error_t
594
609
cmd_learn (assuan_context_t ctx, char *line)
595
610
{
596
611
ctrl_t ctrl = assuan_get_pointer (ctx);
658
673
659
674
660
675
661
/* READCERT <hexified_certid>|<keyid>
662
663
Note, that this function may even be used on a locked card.
664
*/
665
static int
676
static const char hlp_readcert[] =
677
"READCERT <hexified_certid>|<keyid>\n"
678
"\n"
679
"Note, that this function may even be used on a locked card.";
680
static gpg_error_t
666
681
cmd_readcert (assuan_context_t ctx, char *line)
667
682
{
668
683
ctrl_t ctrl = assuan_get_pointer (ctx);
692
707
}
693
708
694
709
695
/* READKEY <keyid>
696
697
Return the public key for the given cert or key ID as an standard
698
S-Expression.
699
700
Note, that this function may even be used on a locked card.
701
*/
702
static int
710
static const char hlp_readkey[] =
711
"READKEY <keyid>\n"
712
"\n"
713
"Return the public key for the given cert or key ID as a standard\n"
714
"S-expression.\n"
715
"\n"
716
"Note, that this function may even be used on a locked card.";
717
static gpg_error_t
703
718
cmd_readkey (assuan_context_t ctx, char *line)
704
719
{
705
720
ctrl_t ctrl = assuan_get_pointer (ctx);
775
790
776
791
777
792
778
779
/* SETDATA <hexstring>
780
781
The client should use this command to tell us the data he want to
782
sign. */
783
static int
793
static const char hlp_setdata[] =
794
"SETDATA <hexstring> \n"
795
"\n"
796
"The client should use this command to tell us the data he want to sign.";
797
static gpg_error_t
784
798
cmd_setdata (assuan_context_t ctx, char *line)
785
799
{
786
800
ctrl_t ctrl = assuan_get_pointer (ctx);
873
887
}
874
888
875
889
876
/* PKSIGN [--hash=[rmd160|sha{1,224,256,384,512}|md5]] <hexified_id>
877
878
The --hash option is optional; the default is SHA1.
879
880
*/
881
static int
890
static const char hlp_pksign[] =
891
"PKSIGN [--hash=[rmd160|sha{1,224,256,384,512}|md5]] <hexified_id>\n"
892
"\n"
893
"The --hash option is optional; the default is SHA1.";
894
static gpg_error_t
882
895
cmd_pksign (assuan_context_t ctx, char *line)
883
896
{
884
897
ctrl_t ctrl = assuan_get_pointer (ctx);
945
958
return rc;
946
959
}
947
960
948
/* PKAUTH <hexified_id>
949
961
950
*/
951
static int
962
static const char hlp_pkauth[] =
963
"PKAUTH <hexified_id>";
964
static gpg_error_t
952
965
cmd_pkauth (assuan_context_t ctx, char *line)
953
966
{
954
967
ctrl_t ctrl = assuan_get_pointer (ctx);
995
1008
return rc;
996
1009
}
997
1010
998
/* PKDECRYPT <hexified_id>
999
1011
1000
*/
1001
static int
1012
static const char hlp_pkdecrypt[] =
1013
"PKDECRYPT <hexified_id>";
1014
static gpg_error_t
1002
1015
cmd_pkdecrypt (assuan_context_t ctx, char *line)
1003
1016
{
1004
1017
ctrl_t ctrl = assuan_get_pointer (ctx);
1040
1053
}
1041
1054
1042
1055
1043
/* GETATTR <name>
1044
1045
This command is used to retrieve data from a smartcard. The
1046
allowed names depend on the currently selected smartcard
1047
application. NAME must be percent and '+' escaped. The value is
1048
returned through status message, see the LEARN command for details.
1049
1050
However, the current implementation assumes that Name is not escaped;
1051
this works as long as noone uses arbitrary escaping.
1052
1053
Note, that this function may even be used on a locked card.
1054
*/
1055
static int
1056
static const char hlp_getattr[] =
1057
"GETATTR <name>\n"
1058
"\n"
1059
"This command is used to retrieve data from a smartcard. The\n"
1060
"allowed names depend on the currently selected smartcard\n"
1061
"application. NAME must be percent and '+' escaped. The value is\n"
1062
"returned through status message, see the LEARN command for details.\n"
1063
"\n"
1064
"However, the current implementation assumes that Name is not escaped;\n"
1065
"this works as long as noone uses arbitrary escaping. \n"
1066
"\n"
1067
"Note, that this function may even be used on a locked card.";
1068
static gpg_error_t
1056
1069
cmd_getattr (assuan_context_t ctx, char *line)
1057
1070
{
1058
1071
ctrl_t ctrl = assuan_get_pointer (ctx);
1079
1092
}
1080
1093
1081
1094
1082
/* SETATTR <name> <value>
1083
1084
This command is used to store data on a a smartcard. The allowed
1085
names and values are depend on the currently selected smartcard
1086
application. NAME and VALUE must be percent and '+' escaped.
1087
1088
However, the current implementation assumes that NAME is not
1089
escaped; this works as long as noone uses arbitrary escaping.
1090
1091
A PIN will be requested for most NAMEs. See the corresponding
1092
setattr function of the actually used application (app-*.c) for
1093
details. */
1094
static int
1095
static const char hlp_setattr[] =
1096
"SETATTR <name> <value> \n"
1097
"\n"
1098
"This command is used to store data on a a smartcard. The allowed\n"
1099
"names and values are depend on the currently selected smartcard\n"
1100
"application. NAME and VALUE must be percent and '+' escaped.\n"
1101
"\n"
1102
"However, the current implementation assumes that NAME is not\n"
1103
"escaped; this works as long as noone uses arbitrary escaping.\n"
1104
"\n"
1105
"A PIN will be requested for most NAMEs. See the corresponding\n"
1106
"setattr function of the actually used application (app-*.c) for\n"
1107
"details.";
1108
static gpg_error_t
1095
1109
cmd_setattr (assuan_context_t ctx, char *orig_line)
1096
1110
{
1097
1111
ctrl_t ctrl = assuan_get_pointer (ctx);
1131
1145
}
1132
1146
1133
1147
1134
1135
/* WRITECERT <hexified_certid>
1136
1137
This command is used to store a certifciate on a smartcard. The
1138
allowed certids depend on the currently selected smartcard
1139
application. The actual certifciate is requested using the inquiry
1140
"CERTDATA" and needs to be provided in its raw (e.g. DER) form.
1141
1142
In almost all cases a a PIN will be requested. See the related
1143
writecert function of the actually used application (app-*.c) for
1144
details. */
1145
static int
1148
static const char hlp_writecert[] =
1149
"WRITECERT <hexified_certid>\n"
1150
"\n"
1151
"This command is used to store a certifciate on a smartcard. The\n"
1152
"allowed certids depend on the currently selected smartcard\n"
1153
"application. The actual certifciate is requested using the inquiry\n"
1154
"\"CERTDATA\" and needs to be provided in its raw (e.g. DER) form.\n"
1155
"\n"
1156
"In almost all cases a a PIN will be requested. See the related\n"
1157
"writecert function of the actually used application (app-*.c) for\n"
1158
"details.";
1159
static gpg_error_t
1146
1160
cmd_writecert (assuan_context_t ctx, char *line)
1147
1161
{
1148
1162
ctrl_t ctrl = assuan_get_pointer (ctx);
1193
1207
}
1194
1208
1195
1209
1196
1197
/* WRITEKEY [--force] <keyid>
1198
1199
This command is used to store a secret key on a a smartcard. The
1200
allowed keyids depend on the currently selected smartcard
1201
application. The actual keydata is requested using the inquiry
1202
"KEYDATA" and need to be provided without any protection. With
1203
--force set an existing key under this KEYID will get overwritten.
1204
The keydata is expected to be the usual canonical encoded
1205
S-expression.
1206
1207
A PIN will be requested for most NAMEs. See the corresponding
1208
writekey function of the actually used application (app-*.c) for
1209
details. */
1210
static int
1210
static const char hlp_writekey[] =
1211
"WRITEKEY [--force] <keyid> \n"
1212
"\n"
1213
"This command is used to store a secret key on a a smartcard. The\n"
1214
"allowed keyids depend on the currently selected smartcard\n"
1215
"application. The actual keydata is requested using the inquiry\n"
1216
"\"KEYDATA\" and need to be provided without any protection. With\n"
1217
"--force set an existing key under this KEYID will get overwritten.\n"
1218
"The keydata is expected to be the usual canonical encoded\n"
1219
"S-expression.\n"
1220
"\n"
1221
"A PIN will be requested for most NAMEs. See the corresponding\n"
1222
"writekey function of the actually used application (app-*.c) for\n"
1223
"details.";
1224
static gpg_error_t
1211
1225
cmd_writekey (assuan_context_t ctx, char *line)
1212
1226
{
1213
1227
ctrl_t ctrl = assuan_get_pointer (ctx);
1260
1274
}
1261
1275
1262
1276
1263
1264
/* GENKEY [--force] [--timestamp=<isodate>] <no>
1265
1266
Generate a key on-card identified by NO, which is application
1267
specific. Return values are application specific. For OpenPGP
1268
cards 2 status lines are returned:
1269
1270
S KEY-FPR <hexstring>
1271
S KEY-CREATED-AT <seconds_since_epoch>
1272
S KEY-DATA [p|n] <hexdata>
1273
1274
--force is required to overwrite an already existing key. The
1275
KEY-CREATED-AT is required for further processing because it is
1276
part of the hashed key material for the fingerprint.
1277
1278
If --timestamp is given an OpenPGP key will be created using this
1279
value. The value needs to be in ISO Format; e.g.
1280
"--timestamp=20030316T120000" and after 1970-01-01 00:00:00.
1281
1282
The public part of the key can also later be retrieved using the
1283
READKEY command.
1284
1285
*/
1286
static int
1277
static const char hlp_genkey[] =
1278
"GENKEY [--force] [--timestamp=<isodate>] <no>\n"
1279
"\n"
1280
"Generate a key on-card identified by NO, which is application\n"
1281
"specific. Return values are application specific. For OpenPGP\n"
1282
"cards 2 status lines are returned:\n"
1283
"\n"
1284
" S KEY-FPR <hexstring>\n"
1285
" S KEY-CREATED-AT <seconds_since_epoch>\n"
1286
" S KEY-DATA [p|n] <hexdata>\n"
1287
"\n"
1288
"--force is required to overwrite an already existing key. The\n"
1289
"KEY-CREATED-AT is required for further processing because it is\n"
1290
"part of the hashed key material for the fingerprint.\n"
1291
"\n"
1292
"If --timestamp is given an OpenPGP key will be created using this\n"
1293
"value. The value needs to be in ISO Format; e.g.\n"
1294
"\"--timestamp=20030316T120000\" and after 1970-01-01 00:00:00.\n"
1295
"\n"
1296
"The public part of the key can also later be retrieved using the\n"
1297
"READKEY command.";
1298
static gpg_error_t
1287
1299
cmd_genkey (assuan_context_t ctx, char *line)
1288
1300
{
1289
1301
ctrl_t ctrl = assuan_get_pointer (ctx);
1336
1348
}
1337
1349
1338
1350
1339
/* RANDOM <nbytes>
1340
1341
Get NBYTES of random from the card and send them back as data.
1342
1343
Note, that this function may be even be used on a locked card.
1344
*/
1345
static int
1351
static const char hlp_random[] =
1352
"RANDOM <nbytes>\n"
1353
"\n"
1354
"Get NBYTES of random from the card and send them back as data.\n"
1355
"This usually involves EEPROM write on the card and thus excessive\n"
1356
"use of this command may destroy the card.\n"
1357
"\n"
1358
"Note, that this function may be even be used on a locked card.";
1359
static gpg_error_t
1346
1360
cmd_random (assuan_context_t ctx, char *line)
1347
1361
{
1348
1362
ctrl_t ctrl = assuan_get_pointer (ctx);
1351
1365
unsigned char *buffer;
1352
1366
1353
1367
if (!*line)
1354
return set_error (GPG_ERR_ASS_PARAMETER, "number of requested bytes missing");
1368
return set_error (GPG_ERR_ASS_PARAMETER,
1369
"number of requested bytes missing");
1355
1370
nbytes = strtoul (line, NULL, 0);
1356
1371
1357
1372
if ((rc = open_card (ctrl, NULL)))
1377
1392
return rc;
1378
1393
}
1379
1394
1395
1380
1396
1381
/* PASSWD [--reset] [--nullpin] <chvno>
1382
1383
Change the PIN or, if --reset is given, reset the retry counter of
1384
the card holder verfication vector CHVNO. The option --nullpin is
1385
used for TCOS cards to set the initial PIN. The format of CHVNO
1386
depends on the card application. */
1387
static int
1397
static const char hlp_passwd[] =
1398
"PASSWD [--reset] [--nullpin] <chvno>\n"
1399
"\n"
1400
"Change the PIN or, if --reset is given, reset the retry counter of\n"
1401
"the card holder verfication vector CHVNO. The option --nullpin is\n"
1402
"used for TCOS cards to set the initial PIN. The format of CHVNO\n"
1403
"depends on the card application.";
1404
static gpg_error_t
1388
1405
cmd_passwd (assuan_context_t ctx, char *line)
1389
1406
{
1390
1407
ctrl_t ctrl = assuan_get_pointer (ctx);
1428
1445
}
1429
1446
1430
1447
1431
/* CHECKPIN <idstr>
1432
1433
Perform a VERIFY operation without doing anything else. This may
1434
be used to initialize a the PIN cache earlier to long lasting
1435
operations. Its use is highly application dependent.
1436
1437
For OpenPGP:
1438
1439
Perform a simple verify operation for CHV1 and CHV2, so that
1440
further operations won't ask for CHV2 and it is possible to do a
1441
cheap check on the PIN: If there is something wrong with the PIN
1442
entry system, only the regular CHV will get blocked and not the
1443
dangerous CHV3. IDSTR is the usual card's serial number in hex
1444
notation; an optional fingerprint part will get ignored. There
1445
is however a special mode if the IDSTR is sffixed with the
1446
literal string "[CHV3]": In this case the Admin PIN is checked
1447
if and only if the retry counter is still at 3.
1448
1449
For Netkey:
1450
1451
Any of the valid PIN Ids may be used. These are the strings:
1452
1453
PW1.CH - Global password 1
1454
PW2.CH - Global password 2
1455
PW1.CH.SIG - SigG password 1
1456
PW2.CH.SIG - SigG password 2
1457
1458
For a definitive list, see the implementation in app-nks.c.
1459
Note that we call a PW2.* PIN a "PUK" despite that since TCOS
1460
3.0 they are technically alternative PINs used to mutally
1461
unblock each other.
1462
1463
*/
1464
static int
1448
static const char hlp_checkpin[] =
1449
"CHECKPIN <idstr>\n"
1450
"\n"
1451
"Perform a VERIFY operation without doing anything else. This may\n"
1452
"be used to initialize a the PIN cache earlier to long lasting\n"
1453
"operations. Its use is highly application dependent.\n"
1454
"\n"
1455
"For OpenPGP:\n"
1456
"\n"
1457
" Perform a simple verify operation for CHV1 and CHV2, so that\n"
1458
" further operations won't ask for CHV2 and it is possible to do a\n"
1459
" cheap check on the PIN: If there is something wrong with the PIN\n"
1460
" entry system, only the regular CHV will get blocked and not the\n"
1461
" dangerous CHV3. IDSTR is the usual card's serial number in hex\n"
1462
" notation; an optional fingerprint part will get ignored. There\n"
1463
" is however a special mode if the IDSTR is sffixed with the\n"
1464
" literal string \"[CHV3]\": In this case the Admin PIN is checked\n"
1465
" if and only if the retry counter is still at 3.\n"
1466
"\n"
1467
"For Netkey:\n"
1468
"\n"
1469
" Any of the valid PIN Ids may be used. These are the strings:\n"
1470
"\n"
1471
" PW1.CH - Global password 1\n"
1472
" PW2.CH - Global password 2\n"
1473
" PW1.CH.SIG - SigG password 1\n"
1474
" PW2.CH.SIG - SigG password 2\n"
1475
"\n"
1476
" For a definitive list, see the implementation in app-nks.c.\n"
1477
" Note that we call a PW2.* PIN a \"PUK\" despite that since TCOS\n"
1478
" 3.0 they are technically alternative PINs used to mutally\n"
1479
" unblock each other.";
1480
static gpg_error_t
1465
1481
cmd_checkpin (assuan_context_t ctx, char *line)
1466
1482
{
1467
1483
ctrl_t ctrl = assuan_get_pointer (ctx);
1494
1510
}
1495
1511
1496
1512
1497
/* LOCK [--wait]
1498
1499
Grant exclusive card access to this session. Note that there is
1500
no lock counter used and a second lock from the same session will
1501
be ignored. A single unlock (or RESET) unlocks the session.
1502
Return GPG_ERR_LOCKED if another session has locked the reader.
1503
1504
If the option --wait is given the command will wait until a
1505
lock has been released.
1506
*/
1507
static int
1513
static const char hlp_lock[] =
1514
"LOCK [--wait]\n"
1515
"\n"
1516
"Grant exclusive card access to this session. Note that there is\n"
1517
"no lock counter used and a second lock from the same session will\n"
1518
"be ignored. A single unlock (or RESET) unlocks the session.\n"
1519
"Return GPG_ERR_LOCKED if another session has locked the reader.\n"
1520
"\n"
1521
"If the option --wait is given the command will wait until a\n"
1522
"lock has been released.";
1523
static gpg_error_t
1508
1524
cmd_lock (assuan_context_t ctx, char *line)
1509
1525
{
1510
1526
ctrl_t ctrl = assuan_get_pointer (ctx);
1538
1554
}
1539
1555
1540
1556
1541
/* UNLOCK
1542
1543
Release exclusive card access.
1544
*/
1545
static int
1557
static const char hlp_unlock[] =
1558
"UNLOCK\n"
1559
"\n"
1560
"Release exclusive card access.";
1561
static gpg_error_t
1546
1562
cmd_unlock (assuan_context_t ctx, char *line)
1547
1563
{
1548
1564
ctrl_t ctrl = assuan_get_pointer (ctx);
1566
1582
}
1567
1583
1568
1584
1569
/* GETINFO <what>
1570
1571
Multi purpose command to return certain information.
1572
Supported values of WHAT are:
1573
1574
version - Return the version of the program.
1575
pid - Return the process id of the server.
1576
1577
socket_name - Return the name of the socket.
1578
1579
status - Return the status of the current slot (in the future, may
1580
also return the status of all slots). The status is a list of
1581
one-character flags. The following flags are currently defined:
1582
'u' Usable card present. This is the normal state during operation.
1583
'r' Card removed. A reset is necessary.
1584
These flags are exclusive.
1585
1586
reader_list - Return a list of detected card readers. Does
1587
currently only work with the internal CCID driver.
1588
1589
deny_admin - Returns OK if admin commands are not allowed or
1590
GPG_ERR_GENERAL if admin commands are allowed.
1591
1592
app_list - Return a list of supported applications. One
1593
application per line, fields delimited by colons,
1594
first field is the name.
1595
*/
1596
1597
static int
1585
static const char hlp_getinfo[] =
1586
"GETINFO <what>\n"
1587
"\n"
1588
"Multi purpose command to return certain information. \n"
1589
"Supported values of WHAT are:\n"
1590
"\n"
1591
"version - Return the version of the program.\n"
1592
"pid - Return the process id of the server.\n"
1593
"\n"
1594
"socket_name - Return the name of the socket.\n"
1595
"\n"
1596
"status - Return the status of the current slot (in the future, may\n"
1597
"also return the status of all slots). The status is a list of\n"
1598
"one-character flags. The following flags are currently defined:\n"
1599
" 'u' Usable card present. This is the normal state during operation.\n"
1600
" 'r' Card removed. A reset is necessary.\n"
1601
"These flags are exclusive.\n"
1602
"\n"
1603
"reader_list - Return a list of detected card readers. Does\n"
1604
" currently only work with the internal CCID driver.\n"
1605
"\n"
1606
"deny_admin - Returns OK if admin commands are not allowed or\n"
1607
" GPG_ERR_GENERAL if admin commands are allowed.\n"
1608
"\n"
1609
"app_list - Return a list of supported applications. One\n"
1610
" application per line, fields delimited by colons,\n"
1611
" first field is the name.";
1612
static gpg_error_t
1598
1613
cmd_getinfo (assuan_context_t ctx, char *line)
1599
1614
{
1600
1615
int rc = 0;
1674
1689
}
1675
1690
1676
1691
1677
/* RESTART
1678
1679
Restart the current connection; this is a kind of warm reset. It
1680
deletes the context used by this connection but does not send a
1681
RESET to the card. Thus the card itself won't get reset.
1682
1683
This is used by gpg-agent to reuse a primary pipe connection and
1684
may be used by clients to backup from a conflict in the serial
1685
command; i.e. to select another application.
1686
*/
1687
1688
static int
1692
static const char hlp_restart[] =
1693
"RESTART\n"
1694
"\n"
1695
"Restart the current connection; this is a kind of warm reset. It\n"
1696
"deletes the context used by this connection but does not send a\n"
1697
"RESET to the card. Thus the card itself won't get reset. \n"
1698
"\n"
1699
"This is used by gpg-agent to reuse a primary pipe connection and\n"
1700
"may be used by clients to backup from a conflict in the serial\n"
1701
"command; i.e. to select another application.";
1702
static gpg_error_t
1689
1703
cmd_restart (assuan_context_t ctx, char *line)
1690
1704
{
1691
1705
ctrl_t ctrl = assuan_get_pointer (ctx);
1706
1720
}
1707
1721
1708
1722
1709
/* DISCONNECT
1710
1711
Disconnect the card if it is not any longer used by other
1712
connections and the backend supports a disconnect operation.
1713
*/
1714
static int
1723
static const char hlp_disconnect[] =
1724
"DISCONNECT\n"
1725
"\n"
1726
"Disconnect the card if it is not any longer used by other\n"
1727
"connections and the backend supports a disconnect operation.";
1728
static gpg_error_t
1715
1729
cmd_disconnect (assuan_context_t ctx, char *line)
1716
1730
{
1717
1731
ctrl_t ctrl = assuan_get_pointer (ctx);
1724
1738
1725
1739
1726
1740
1727
/* APDU [--atr] [--more] [--exlen[=N]] [hexstring]
1728
1729
Send an APDU to the current reader. This command bypasses the high
1730
level functions and sends the data directly to the card. HEXSTRING
1731
is expected to be a proper APDU. If HEXSTRING is not given no
1732
commands are set to the card but the command will implictly check
1733
whether the card is ready for use.
1734
1735
Using the option "--atr" returns the ATR of the card as a status
1736
message before any data like this:
1737
S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
1738
1739
Using the option --more handles the card status word MORE_DATA
1740
(61xx) and concatenates all reponses to one block.
1741
1742
Using the option "--exlen" the returned APDU may use extended
1743
length up to N bytes. If N is not given a default value is used
1744
(currently 4096).
1745
*/
1746
static int
1741
static const char hlp_apdu[] =
1742
"APDU [--atr] [--more] [--exlen[=N]] [hexstring]\n"
1743
"\n"
1744
"Send an APDU to the current reader. This command bypasses the high\n"
1745
"level functions and sends the data directly to the card. HEXSTRING\n"
1746
"is expected to be a proper APDU. If HEXSTRING is not given no\n"
1747
"commands are set to the card but the command will implictly check\n"
1748
"whether the card is ready for use. \n"
1749
"\n"
1750
"Using the option \"--atr\" returns the ATR of the card as a status\n"
1751
"message before any data like this:\n"
1752
" S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1\n"
1753
"\n"
1754
"Using the option --more handles the card status word MORE_DATA\n"
1755
"(61xx) and concatenates all reponses to one block.\n"
1756
"\n"
1757
"Using the option \"--exlen\" the returned APDU may use extended\n"
1758
"length up to N bytes. If N is not given a default value is used\n"
1759
"(currently 4096).";
1760
static gpg_error_t
1747
1761
cmd_apdu (assuan_context_t ctx, char *line)
1748
1762
{
1749
1763
ctrl_t ctrl = assuan_get_pointer (ctx);
1823
1837
}
1824
1838
1825
1839
1826
/* KILLSCD - Commit suicide. */
1827
static int
1840
static const char hlp_killscd[] =
1841
"KILLSCD\n"
1842
"\n"
1843
"Commit suicide.";
1844
static gpg_error_t
1828
1845
cmd_killscd (assuan_context_t ctx, char *line)
1829
1846
{
1830
1847
ctrl_t ctrl = assuan_get_pointer (ctx);
1843
1860
{
1844
1861
static struct {
1845
1862
const char *name;
1846
int (*handler)(assuan_context_t, char *line);
1863
assuan_handler_t handler;
1864
const char * const help;
1847
1865
} table[] = {
1848
{ "SERIALNO", cmd_serialno },
1849
{ "LEARN", cmd_learn },
1850
{ "READCERT", cmd_readcert },
1851
{ "READKEY", cmd_readkey },
1852
{ "SETDATA", cmd_setdata },
1853
{ "PKSIGN", cmd_pksign },
1854
{ "PKAUTH", cmd_pkauth },
1855
{ "PKDECRYPT", cmd_pkdecrypt },
1866
{ "SERIALNO", cmd_serialno, hlp_serialno },
1867
{ "LEARN", cmd_learn, hlp_learn },
1868
{ "READCERT", cmd_readcert, hlp_readcert },
1869
{ "READKEY", cmd_readkey, hlp_readkey },
1870
{ "SETDATA", cmd_setdata, hlp_setdata },
1871
{ "PKSIGN", cmd_pksign, hlp_pksign },
1872
{ "PKAUTH", cmd_pkauth, hlp_pkauth },
1873
{ "PKDECRYPT", cmd_pkdecrypt,hlp_pkdecrypt },
1856
1874
{ "INPUT", NULL },
1857
1875
{ "OUTPUT", NULL },
1858
{ "GETATTR", cmd_getattr },
1859
{ "SETATTR", cmd_setattr },
1860
{ "WRITECERT", cmd_writecert },
1861
{ "WRITEKEY", cmd_writekey },
1862
{ "GENKEY", cmd_genkey },
1863
{ "RANDOM", cmd_random },
1864
{ "PASSWD", cmd_passwd },
1865
{ "CHECKPIN", cmd_checkpin },
1866
{ "LOCK", cmd_lock },
1867
{ "UNLOCK", cmd_unlock },
1868
{ "GETINFO", cmd_getinfo },
1869
{ "RESTART", cmd_restart },
1870
{ "DISCONNECT", cmd_disconnect },
1871
{ "APDU", cmd_apdu },
1872
{ "KILLSCD", cmd_killscd },
1876
{ "GETATTR", cmd_getattr, hlp_getattr },
1877
{ "SETATTR", cmd_setattr, hlp_setattr },
1878
{ "WRITECERT", cmd_writecert,hlp_writecert },
1879
{ "WRITEKEY", cmd_writekey, hlp_writekey },
1880
{ "GENKEY", cmd_genkey, hlp_genkey },
1881
{ "RANDOM", cmd_random, hlp_random },
1882
{ "PASSWD", cmd_passwd, hlp_passwd },
1883
{ "CHECKPIN", cmd_checkpin, hlp_checkpin },
1884
{ "LOCK", cmd_lock, hlp_lock },
1885
{ "UNLOCK", cmd_unlock, hlp_unlock },
1886
{ "GETINFO", cmd_getinfo, hlp_getinfo },
1887
{ "RESTART", cmd_restart, hlp_restart },
1888
{ "DISCONNECT", cmd_disconnect,hlp_disconnect },
1889
{ "APDU", cmd_apdu, hlp_apdu },
1890
{ "KILLSCD", cmd_killscd, hlp_killscd },
1873
1891
{ NULL }
1874
1892
};
1875
1893
int i, rc;
1876
1894
1877
1895
for (i=0; table[i].name; i++)
1878
1896
{
1879
rc = assuan_register_command (ctx, table[i].name, table[i].handler);
1897
rc = assuan_register_command (ctx, table[i].name, table[i].handler,
1898
table[i].help);
1880
1899
if (rc)
1881
1900
return rc;
1882
1901
}
1895
1914
scd_command_handler (ctrl_t ctrl, int fd)
1896
1915
{
1897
1916
int rc;
1898
assuan_context_t ctx;
1917
assuan_context_t ctx = NULL;
1899
1918
int stopme;
1900
1919
1920
rc = assuan_new (&ctx);
1921
if (rc)
1922
{
1923
log_error ("failed to allocate assuan context: %s\n",
1924
gpg_strerror (rc));
1925
scd_exit (2);
1926
}
1927
1901
1928
if (fd == -1)
1902
1929
{
1903
int filedes[2];
1930
assuan_fd_t filedes[2];
1904
1931
1905
filedes[0] = 0;
1906
filedes[1] = 1;
1907
rc = assuan_init_pipe_server (&ctx, filedes);
1932
filedes[0] = assuan_fdopen (0);
1933
filedes[1] = assuan_fdopen (1);
1934
rc = assuan_init_pipe_server (ctx, filedes);
1908
1935
}
1909
1936
else
1910
1937
{
1911
rc = assuan_init_socket_server_ext (&ctx, INT2FD(fd), 2);
1938
rc = assuan_init_socket_server (ctx, INT2FD(fd),
1939
ASSUAN_SOCKET_SERVER_ACCEPTED);
1912
1940
}
1913
1941
if (rc)
1914
1942
{
1982
2010
BUG ();
1983
2011
sl->next_session = ctrl->server_local->next_session;
1984
2012
}
1985
stopme = ctrl->server_local->stopme;
2013
stopme = ctrl->server_local->stopme || reader_disabled;
1986
2014
xfree (ctrl->server_local);
1987
2015
ctrl->server_local = NULL;
1988
2016
1989
2017
/* Release the Assuan context. */
1990
assuan_deinit_server (ctx);
2018
assuan_release (ctx);
1991
2019
1992
2020
if (stopme)
1993
2021
scd_exit (0);
Loggerhead is a web-based interface for Breezy
Version: 2.0.1