Hacks to support RSA-2048.

ChangeLog

@@ -1,3 +1,10 @@
+2009-06-19  Werner Koch  <wk@g10code.com>
+
+	* src/agent.c (MAX_SIGNATURE_LEN): Increase size to cope with 2048
+	bit RSA.
+	(scute_agent_sign): Add a hack for 2048 bit RSA.
+	* tests/t-auth.c (sign_with_object): Increase SIZE to 256.
+
 2009-06-19  Marcus Brinkmann  <marcus@g10code.de>
 
 	* libtool.m4: Removed.

NEWS

@@ -3,6 +3,7 @@ Noteworthy changes in version 1.3.0 (unreleased)
 
  * Scute can read certificates directly from the OpenPGP 2.0 cards.
 
+
 Noteworthy changes in version 1.2.0 (2008-09-02)
 ------------------------------------------------
 
@@ -33,7 +34,7 @@ Noteworthy changes in version 1.0.0 (2006-11-11)
  * Initial release.
 
 
- Copyright 2006 g10 Code GmbH
+ Copyright 2006, 2009 g10 Code GmbH
 
  This file is free software; as a special exception the author gives
  unlimited permission to copy and/or distribute it, with or without

README

@@ -418,15 +418,25 @@ and reopening the security device manager.
 Copyright and License
 =====================
 
-Scute is copyrighted by g10 Code GmbH and licensed under the GPL with
-a special exception for Mozilla.
+Scute is copyrighted by g10 Code GmbH and licensed under the GNU
+General Pubic License version 2 or later with this exception:
+
+  In addition, as a special exception, g10 Code GmbH gives permission
+  to link this library: with the Mozilla Foundation's code for
+  Mozilla (or with modified versions of it that use the same license
+  as the "Mozilla" code), and distribute the linked executables.  You
+  must obey the GNU General Public License in all respects for all of
+  the code used other than "Mozilla".  If you modify the software, you
+  may extend this exception to your version of the software, but you
+  are not obligated to do so.  If you do not wish to do so, delete this
+  exception statement from your version and from all source files.
 
 
 g10 Code GmbH
 marcus@g10code.com
 
 
- Copyright 2006 g10 Code GmbH
+ Copyright 2006, 2009 g10 Code GmbH
 
  This file is free software; as a special exception the author gives
  unlimited permission to copy and/or distribute it, with or without

src/agent.c

@@ -854,7 +854,8 @@ scute_agent_check_status (void)
 }
 
 
-#define MAX_SIGNATURE_LEN 256
+/* Enough space to hold a 2048 bit RSA signature in an S-expression.  */
+#define MAX_SIGNATURE_LEN 350
 
 struct signature
 {
@@ -880,11 +881,13 @@ pksign_cb (void *opaque, const void *buffer, size_t length)
 }
 
 
-#define SIG_PREFIX "(7:sig-val(3:rsa(1:s128:"
+#define SIG_PREFIX   "(7:sig-val(3:rsa(1:s128:"
+#define SIG_PREFIX_2 "(7:sig-val(3:rsa(1:s256:"
 #define SIG_PREFIX_LEN (sizeof (SIG_PREFIX) - 1)
 #define SIG_POSTFIX ")))"
 #define SIG_POSTFIX_LEN (sizeof (SIG_POSTFIX) - 1)
 #define SIG_LEN 128
+#define SIG_LEN_2 128
 
 /* Call the agent to learn about a smartcard.  */
 gpg_error_t
@@ -905,7 +908,8 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
 
   if (sig_result == NULL)
     {
-      *sig_len = SIG_LEN;
+      /* FIXME:  We return the largest supported size - is that correct?  */
+      *sig_len = SIG_LEN_2;
       return 0;
     }
 
@@ -925,7 +929,7 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
     snprintf (&pretty_data[2 * i], 3, "%02X", data[i]);
   pretty_data[2 * len] = '\0';
 
-  snprintf (cmd, sizeof (cmd), "sethash --hash=tls-md5sha1 %s", pretty_data);
+  snprintf (cmd, sizeof (cmd), "SETHASH --hash=tls-md5sha1 %s", pretty_data);
   err = assuan_transact (agent_ctx, cmd, NULL, NULL, default_inq_cb,
 			 NULL, NULL, NULL);
   if (err)
@@ -936,16 +940,30 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
   if (err)
     return err;
 
-  if (sig.len != SIG_PREFIX_LEN + SIG_LEN + SIG_POSTFIX_LEN)
-    return gpg_error (GPG_ERR_BAD_SIGNATURE);
-  if (memcmp (sig.data, SIG_PREFIX, SIG_PREFIX_LEN))
-    return gpg_error (GPG_ERR_BAD_SIGNATURE);
-  if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN,
-	      SIG_POSTFIX, SIG_POSTFIX_LEN))
-    return gpg_error (GPG_ERR_BAD_SIGNATURE);
-
-  memcpy (sig_result, sig.data + SIG_PREFIX_LEN, SIG_LEN);
-  *sig_len = SIG_LEN;
+  /* FIXME: we need a real parser to cope with all kind of S-expressions.  */
+  if (sig.len == SIG_PREFIX_LEN + SIG_LEN_2 + SIG_POSTFIX_LEN)
+    {
+      if (memcmp (sig.data, SIG_PREFIX_2, SIG_PREFIX_LEN))
+        return gpg_error (GPG_ERR_BAD_SIGNATURE);
+      if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN,
+                  SIG_POSTFIX, SIG_POSTFIX_LEN))
+        return gpg_error (GPG_ERR_BAD_SIGNATURE);
+      memcpy (sig_result, sig.data + SIG_PREFIX_LEN, SIG_LEN_2);
+      *sig_len = SIG_LEN_2;
+    }
+  else
+    {
+      if (sig.len != SIG_PREFIX_LEN + SIG_LEN + SIG_POSTFIX_LEN)
+        return gpg_error (GPG_ERR_BAD_SIGNATURE);
+      if (memcmp (sig.data, SIG_PREFIX, SIG_PREFIX_LEN))
+        return gpg_error (GPG_ERR_BAD_SIGNATURE);
+      if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN,
+                  SIG_POSTFIX, SIG_POSTFIX_LEN))
+        return gpg_error (GPG_ERR_BAD_SIGNATURE);
+      memcpy (sig_result, sig.data + SIG_PREFIX_LEN, SIG_LEN);
+      *sig_len = SIG_LEN;
+    }
+  
   
   return 0;
 }

src/slots.c

@@ -992,7 +992,8 @@ session_set_signing_key (slot_iterator_t id, session_iterator_t sid,
 }
 
 
-/* Set the signing key for session SID in slot ID to KEY.  */
+/* FIXME: The dscription is wrong:
+   Set the signing key for session SID in slot ID to KEY.  */
 CK_RV
 session_sign (slot_iterator_t id, session_iterator_t sid,
 	      CK_BYTE_PTR pData, CK_ULONG ulDataLen,

src/versioninfo.rc.in

@@ -34,7 +34,7 @@ BEGIN
     BEGIN
         BLOCK "040904b0"
         BEGIN
-            VALUE "Comments", "Provided under the terms of the GNU Lesser General Public License.\0"
+            VALUE "Comments", "Provided under the terms of the GNU Lesser General Public License version 2 or later with a special exception for Mozilla based software.\0"
             VALUE "CompanyName", "g10 Code GmbH\0"
             VALUE "FileDescription", "SCUTE - The GnuPG PKCS#11 interface\0"
             VALUE "FileVersion", "@LIBSCUTE_LT_CURRENT@.@LIBSCUTE_LT_AGE@.@LIBSCUTE_LT_REVISION@.@BUILD_REVISION@\0"

tests/t-auth.c

@@ -66,7 +66,7 @@ sign_with_object (CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object)
   CK_RV err;
   CK_MECHANISM mechanism = { CKM_RSA_PKCS, NULL_PTR, 0 };
   CK_BYTE data[36] = "01234567890123456789012345678901234";
-  CK_BYTE sig[128];
+  CK_BYTE sig[256];
   CK_ULONG sig_len = sizeof (sig);
 
   err = C_SignInit (session, &mechanism, object);