agent: Fix verification of signature for smartcard.

* agent/pksign.c (agent_pksign_do): Use public key smartcard.

--

Since gcry_pk_verify can't handle shadowed private key, public
key SEXP should be prepared for smartcard.

1 files changed, 10 insertions, 1 deletions

diff --git a/agent/pksign.c b/agent/pksign.c
index 243c49df9..e079c3f60 100644
--- a/agent/pksign.c
+++ b/agent/pksign.c
@@ -291,6 +291,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
 {
   gcry_sexp_t s_skey = NULL, s_sig = NULL;
   gcry_sexp_t s_hash = NULL;
+  gcry_sexp_t s_pkey = NULL;
   unsigned char *shadow_info = NULL;
   unsigned int rc = 0;		/* FIXME: gpg-error? */
   const unsigned char *data;
@@ -331,6 +332,13 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
       int is_ECDSA = 0;
       int is_EdDSA = 0;
 
+      rc = agent_public_key_from_file (ctrl, ctrl->keygrip, &s_pkey);
+      if (rc)
+        {
+          log_error ("failed to read the public key\n");
+          goto leave;
+        }
+
       if (agent_is_eddsa_key (s_skey))
         is_EdDSA = 1;
       else
@@ -497,7 +505,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
                                ctrl->digest.raw_value);
         }
 
-      rc = gcry_pk_verify (s_sig, s_hash, s_skey);
+      rc = gcry_pk_verify (s_sig, s_hash, s_pkey? s_pkey: s_skey);
 
       if (rc)
         {
@@ -512,6 +520,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
 
   *signature_sexp = s_sig;
 
+  gcry_sexp_release (s_pkey);
   gcry_sexp_release (s_skey);
   gcry_sexp_release (s_hash);
   xfree (shadow_info);