diff options
Diffstat (limited to 'common')
| -rw-r--r-- | common/compliance.c | 12 | ||||
| -rw-r--r-- | common/compliance.h | 8 | ||||
| -rw-r--r-- | common/sexputil.c | 17 | ||||
| -rw-r--r-- | common/util.h | 1 |
4 files changed, 36 insertions, 2 deletions
diff --git a/common/compliance.c b/common/compliance.c index 49aada144..7dbbbd399 100644 --- a/common/compliance.c +++ b/common/compliance.c @@ -96,6 +96,7 @@ gnupg_initialize_compliance (int gnupg_module_name) * both are compatible from the point of view of this function. */ int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, + unsigned int algo_flags, gcry_mpi_t key[], unsigned int keylength, const char *curvename) { @@ -148,6 +149,10 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, result = (keylength == 2048 || keylength == 3072 || keylength == 4096); + /* rsaPSS was not part of the evaluation and thus we don't + * claim compliance. */ + if ((algo_flags & PK_ALGO_FLAG_RSAPSS)) + result = 0; break; case is_dsa: @@ -197,7 +202,8 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, * they produce, and liberal in what they accept. */ int gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, - enum pk_use_case use, int algo, gcry_mpi_t key[], + enum pk_use_case use, int algo, + unsigned int algo_flags, gcry_mpi_t key[], unsigned int keylength, const char *curvename) { int result = 0; @@ -228,6 +234,10 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, default: log_assert (!"reached"); } + /* rsaPSS was not part of the evaluation and thus we don't + * claim compliance. */ + if ((algo_flags & PK_ALGO_FLAG_RSAPSS)) + result = 0; break; case PUBKEY_ALGO_DSA: diff --git a/common/compliance.h b/common/compliance.h index 2076e79cb..21bd230c2 100644 --- a/common/compliance.h +++ b/common/compliance.h @@ -48,11 +48,17 @@ enum pk_use_case PK_USE_SIGNING, PK_USE_VERIFICATION, }; +/* Flags to distinguish public key algorithm variants. */ +#define PK_ALGO_FLAG_RSAPSS 1 /* Use rsaPSS padding. */ + + int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, + unsigned int algo_flags, gcry_mpi_t key[], unsigned int keylength, const char *curvename); int gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, - enum pk_use_case use, int algo, gcry_mpi_t key[], + enum pk_use_case use, int algo, + unsigned int algo_flags, gcry_mpi_t key[], unsigned int keylength, const char *curvename); int gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance, cipher_algo_t cipher, diff --git a/common/sexputil.c b/common/sexputil.c index 1633022ce..9a79c0573 100644 --- a/common/sexputil.c +++ b/common/sexputil.c @@ -642,6 +642,23 @@ pubkey_algo_string (gcry_sexp_t s_pkey, enum gcry_pk_algos *r_algoid) } +/* Map a pubkey algo id from gcrypt to a string. This is the same as + * gcry_pk_algo_name but makes sure that the ECC algo identifiers are + * not all mapped to "ECC". */ +const char * +pubkey_algo_to_string (int algo) +{ + if (algo == GCRY_PK_ECDSA) + return "ECDSA"; + else if (algo == GCRY_PK_ECDH) + return "ECDH"; + else if (algo == GCRY_PK_EDDSA) + return "EdDSA"; + else + return gcry_pk_algo_name (algo); +} + + /* Map a hash algo id from gcrypt to a string. This is the same as * gcry_md_algo_name but the returned string is lower case, as * expected by libksba and it avoids some overhead. */ diff --git a/common/util.h b/common/util.h index 5002039d6..fd8a7dc81 100644 --- a/common/util.h +++ b/common/util.h @@ -221,6 +221,7 @@ int get_pk_algo_from_key (gcry_sexp_t key); int get_pk_algo_from_canon_sexp (const unsigned char *keydata, size_t keydatalen); char *pubkey_algo_string (gcry_sexp_t s_pkey, enum gcry_pk_algos *r_algoid); +const char *pubkey_algo_to_string (int algo); const char *hash_algo_to_string (int algo); /*-- convert.c --*/ |