commit: 2783b786a ("agent: Do not overwrite a key file by a shadow key
file.") broke keytotpm because you can no longer overwrite a
non-shadowed secret key, now you must first delete it. Fix KEYTOTPM
by deleting the key before writing it.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
v2: update the logic around replacing the private key to actually do
the replacement.
agent/divert-tpm2.c | 33 ++++++++++++++++++++++++++++-----
1 file changed, 28 insertions(+), 5 deletions(-)
diff --git a/agent/divert-tpm2.c b/agent/divert-tpm2.c
index b2f884f93..e7c6a8aae 100644
--- a/agent/divert-tpm2.c
+++ b/agent/divert-tpm2.c
@@ -26,9 +26,10 @@ divert_tpm2_pksign (ctrl_t ctrl,
static gpg_error_t
agent_write_tpm2_shadow_key (ctrl_t ctrl, const unsigned char *grip,
- unsigned char *shadow_info)
+ unsigned char *shadow_info,
+ gcry_sexp_t s_key)
{
- gpg_error_t err;
+ gpg_error_t err, err1;
unsigned char *shdkey;
unsigned char *pkbuf;
size_t len;
@@ -44,7 +45,14 @@ agent_write_tpm2_shadow_key (ctrl_t ctrl, const
unsigned char *grip,
xfree (pkbuf);
if (err)
{
- log_error ("shadowing the key failed: %s\n", gpg_strerror
(err));
+ log_error ("shadowing the tpm key failed: %s\n", gpg_strerror
(err));
+ return err;
+ }
+
+ err = agent_delete_key (ctrl, NULL, grip, 1, 0);
+ if (err)
+ {
+ log_error ("failed to delete unshadowed key: %s\n", gpg_strerror
(err));
return err;
}
@@ -53,7 +61,22 @@ agent_write_tpm2_shadow_key (ctrl_t ctrl, const
unsigned char *grip,
NULL, NULL, NULL, 0);
xfree (shdkey);
if (err)
- log_error ("error writing key: %s\n", gpg_strerror (err));
+ {
+ log_error ("error writing tpm key: %s\n", gpg_strerror (err));
+
+ len = gcry_sexp_sprint(s_key, GCRYSEXP_FMT_CANON, NULL, 0);
+ pkbuf = xtrymalloc(len);
+ if (!pkbuf)
+ return GPG_ERR_ENOMEM;
+
+ gcry_sexp_sprint(s_key, GCRYSEXP_FMT_CANON, pkbuf, len);
+ err1 = agent_write_private_key (grip, pkbuf, len, 1 /*force*/,
+ NULL, NULL, NULL, 0);
+ xfree(pkbuf);
+ if (err1)
+ log_error ("error trying to restore private key: %s\n",
+ gpg_strerror (err1));
+ }
return err;
}
@@ -68,7 +91,7 @@ divert_tpm2_writekey (ctrl_t ctrl, const unsigned
char *grip,
ret = agent_tpm2d_writekey(ctrl, &shadow_info, s_skey);
if (!ret) {
- ret = agent_write_tpm2_shadow_key (ctrl, grip, shadow_info);
+ ret = agent_write_tpm2_shadow_key (ctrl, grip, shadow_info,
s_skey);
xfree (shadow_info);
}
return ret;
--
2.35.3
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
file.") broke keytotpm because you can no longer overwrite a
non-shadowed secret key, now you must first delete it. Fix KEYTOTPM
by deleting the key before writing it.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
v2: update the logic around replacing the private key to actually do
the replacement.
agent/divert-tpm2.c | 33 ++++++++++++++++++++++++++++-----
1 file changed, 28 insertions(+), 5 deletions(-)
diff --git a/agent/divert-tpm2.c b/agent/divert-tpm2.c
index b2f884f93..e7c6a8aae 100644
--- a/agent/divert-tpm2.c
+++ b/agent/divert-tpm2.c
@@ -26,9 +26,10 @@ divert_tpm2_pksign (ctrl_t ctrl,
static gpg_error_t
agent_write_tpm2_shadow_key (ctrl_t ctrl, const unsigned char *grip,
- unsigned char *shadow_info)
+ unsigned char *shadow_info,
+ gcry_sexp_t s_key)
{
- gpg_error_t err;
+ gpg_error_t err, err1;
unsigned char *shdkey;
unsigned char *pkbuf;
size_t len;
@@ -44,7 +45,14 @@ agent_write_tpm2_shadow_key (ctrl_t ctrl, const
unsigned char *grip,
xfree (pkbuf);
if (err)
{
- log_error ("shadowing the key failed: %s\n", gpg_strerror
(err));
+ log_error ("shadowing the tpm key failed: %s\n", gpg_strerror
(err));
+ return err;
+ }
+
+ err = agent_delete_key (ctrl, NULL, grip, 1, 0);
+ if (err)
+ {
+ log_error ("failed to delete unshadowed key: %s\n", gpg_strerror
(err));
return err;
}
@@ -53,7 +61,22 @@ agent_write_tpm2_shadow_key (ctrl_t ctrl, const
unsigned char *grip,
NULL, NULL, NULL, 0);
xfree (shdkey);
if (err)
- log_error ("error writing key: %s\n", gpg_strerror (err));
+ {
+ log_error ("error writing tpm key: %s\n", gpg_strerror (err));
+
+ len = gcry_sexp_sprint(s_key, GCRYSEXP_FMT_CANON, NULL, 0);
+ pkbuf = xtrymalloc(len);
+ if (!pkbuf)
+ return GPG_ERR_ENOMEM;
+
+ gcry_sexp_sprint(s_key, GCRYSEXP_FMT_CANON, pkbuf, len);
+ err1 = agent_write_private_key (grip, pkbuf, len, 1 /*force*/,
+ NULL, NULL, NULL, 0);
+ xfree(pkbuf);
+ if (err1)
+ log_error ("error trying to restore private key: %s\n",
+ gpg_strerror (err1));
+ }
return err;
}
@@ -68,7 +91,7 @@ divert_tpm2_writekey (ctrl_t ctrl, const unsigned
char *grip,
ret = agent_tpm2d_writekey(ctrl, &shadow_info, s_skey);
if (!ret) {
- ret = agent_write_tpm2_shadow_key (ctrl, grip, shadow_info);
+ ret = agent_write_tpm2_shadow_key (ctrl, grip, shadow_info,
s_skey);
xfree (shadow_info);
}
return ret;
--
2.35.3
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel