

Add option for scdaemon to prompt user to ack card.
This is useful, e.g., for Yubikeys configured with fixed touch
policy.
joel-u410 committed Nov 16, 2021
1 parent 25ae80b commit 1512c7b
Showing 3 changed files with 31 additions and 0 deletions.
26 changes: 26 additions & 0 deletions scd/app-openpgp.c
Expand Up @@ -5327,6 +5327,9 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
wipe_and_free (pinvalue, pinlen);
}

// Prompt to touch/ack the card.
if (opt.ack_prompt)
pincb (pincb_arg, _("--ack"), NULL);

if (app->app_local->cardcap.ext_lc_le
&& app->app_local->keyattr[0].key_type == KEY_TYPE_RSA
Expand All @@ -5350,6 +5353,10 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
cache_pin (app, ctrl, 1, NULL);
}

// Dismiss prompt after signing (or timing out)
if (opt.ack_prompt)
pincb (pincb_arg, NULL, NULL);

return rc;
}

Expand Down Expand Up @@ -5422,9 +5429,19 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr,
exmode = 0;
le_value = 0;
}

// Prompt to touch/ack the card.
if (opt.ack_prompt)
pincb (pincb_arg, _("--ack"), NULL);

rc = iso7816_internal_authenticate (app_get_slot (app), exmode,
indata, indatalen, le_value,
outdata, outdatalen);

// Dismiss prompt after authenticating (or timing out)
if (opt.ack_prompt)
pincb (pincb_arg, NULL, NULL);

if (gpg_err_code (rc) == GPG_ERR_TIMEOUT)
clear_chv_status (app, ctrl, 1);
}
Expand Down Expand Up @@ -5617,10 +5634,19 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
else
exmode = le_value = 0;

// Prompt to touch/ack the card.
if (opt.ack_prompt)
pincb (pincb_arg, _("--ack"), NULL);

rc = iso7816_decipher (app_get_slot (app), exmode,
indata, indatalen, le_value, padind,
outdata, outdatalen);
xfree (fixbuf);

// Dismiss prompt after deciphering (or timing out)
if (opt.ack_prompt)
pincb (pincb_arg, NULL, NULL);

if (!rc && app->app_local->keyattr[1].key_type == KEY_TYPE_ECC)
{
unsigned char prefix = 0;
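Review bot: The `_("--ack")` argument at the three prompt call sites (do_sign, do_auth and do_decipher) wraps what reads as a fixed token for the pin callback in gettext, so a translation catalogue could change the string the receiving side compares against; pass it as a plain literal, `pincb (pincb_arg, "--ack", NULL);`. The return value of pincb is discarded at all six new sites, so if the prompt cannot be raised the card operation still proceeds; that is presumably the intended best-effort behaviour for a UI hint, but logging the error would make a silent failure visible. In do_sign the prompt is raised in the first hunk and dismissed in the second, with the lines between them outside this view, so any early return on that path would leave the prompt displayed, whereas do_auth and do_decipher dismiss on a straight-line path. The added comments use `//` while the surrounding file uses block comments, so `/* Prompt to touch/ack the card.  */` would match the file's style.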
4 changes: 4 additions & 0 deletions scd/scdaemon.c
Expand Up @@ -102,6 +102,7 @@ enum cmd_and_opt_values
oDenyAdmin,
oDisableApplication,
oApplicationPriority,
oAckPrompt,
oEnablePinpadVarlen,
oListenBacklog
};
Expand Down Expand Up @@ -170,6 +171,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oDisableApplication, "disable-application", "@"),
ARGPARSE_s_s (oApplicationPriority, "application-priority",
N_("|LIST|change the application priority to LIST")),
ARGPARSE_s_n (oAckPrompt, "ack-prompt", N_("display ACK prompt while waiting for card")),
ARGPARSE_s_i (oListenBacklog, "listen-backlog", "@"),


Expand Down Expand Up @@ -610,6 +612,8 @@ main (int argc, char **argv )

case oDisablePinpad: opt.disable_pinpad = 1; break;

case oAckPrompt: opt.ack_prompt = 1; break;

case oAllowAdmin: /* Dummy because allow is now the default. */
break;
case oDenyAdmin: opt.allow_admin = 0; break;
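Review bot: The option-table entry added for oAckPrompt runs well past the line width the neighbouring entries keep, and its help string is the only description of the option in this commit, which touches no documentation file; wrap it like the application-priority entry directly above it: `ARGPARSE_s_n (oAckPrompt, "ack-prompt",` / `N_("display ACK prompt while waiting for card")),`. The value is appended to the enum next to oEnablePinpadVarlen but placed before listen-backlog in the table; the mismatch is harmless, though keeping both lists in the same order makes later additions easier to audit. If doc/scdaemon.texi documents the other scdaemon options, a paragraph for --ack-prompt belongs with this change.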
1 change: 1 addition & 0 deletions scd/scdaemon.h
Expand Up @@ -60,6 +60,7 @@ struct
int disable_ccid; /* Disable the use of the internal CCID driver. */
int disable_pinpad; /* Do not use a pinpad. */
int enable_pinpad_varlen; /* Use variable length input for pinpad. */
int ack_prompt; /* Display ACK prompt to user when waiting for card. */
int allow_admin; /* Allow the use of admin commands for certain
cards. */
int pcsc_shared; /* Use shared PC/SC access. */

4 comments on commit 1512c7b

@joel-u410


To enable YubiKey touch prompts:

  1. Apply this patch
  2. Rebuild scdaemon
  3. Add this line to your ~/.gnupg/scdaemon.conf:
    ack-prompt
    
  4. Restart gpg-agent

@gvengel


This is great! Do you have plans to submit upstream?

@joel-u410

@joel-u410 joel-u410 commented on 1512c7b Jan 13, 2023


I did submit the patch upstream - here and discussion here - but unfortunately they have not accepted it. It looks like they have implemented a different approach which is not based on using the Yubikey hardware confirmation but, instead, adds a software-based confirmation step to take the place of the Yubikey tap.

@joel-u410

@joel-u410 joel-u410 commented on 1512c7b Jan 13, 2023


They had requested the patch to be submitted via the mailing list after I posted it via the web; I tried joining the mailing list but was unsuccessful (never received moderator approval to join). At that point I did not have the time to continue pursuing acceptance of the patch, and just running my own patched build has been working fine for me. 🤷‍♂️
