From 0ad3411b0720909ebf3c3b4709ab1631b9fac7e4 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Tue, 9 Dec 2008 10:43:22 +0000
Subject: Check algo usage.
---
 g10/ChangeLog | 9 +++++++--
 g10/keygen.c | 58 +++++++++++++++++++++++++++++++++++++++-------------------
 2 files changed, 46 insertions(+), 21 deletions(-)
diff --git a/g10/ChangeLog b/g10/ChangeLog
index 3747350d2..dfee13c28 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,8 @@
+2008-12-09 Werner Koch
+
+ * keygen.c (proc_parameter_file): Check that key and subkey usages
+ are allowed.
+
 2008-11-18 David Shaw
 * trustdb.c (validate_one_keyblock): Fix the trust signature
@@ -330,8 +335,8 @@
 2007-01-31 David Shaw
- * keygen.c (do_generate_keypair, proc_parameter_file,
- generate_keypair, generate_subkeypair): Pass a timestamp through
+ * keygen.c (do_generate_keypair, proc_parameter_file)
+ (generate_keypair, generate_subkeypair): Pass a timestamp through
 to all the gen_xxx functions.
 * keyedit.c (sign_uids): Another multiple to single timestamp
diff --git a/g10/keygen.c b/g10/keygen.c
index 9bc18777e..aac4c7c74 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -2196,42 +2196,62 @@ proc_parameter_file( struct para_data_s *para, const char *fname,
 return -1;
 }
- err=parse_parameter_usage (fname, para, pKEYUSAGE);
- if(err==0)
+ err = parse_parameter_usage (fname, para, pKEYUSAGE);
+ if (!err)
 {
 /* Default to algo capabilities if key-usage is not provided */
- r=xmalloc_clear(sizeof(*r));
- r->key=pKEYUSAGE;
- r->u.usage=openpgp_pk_algo_usage(algo);
- r->next=para;
- para=r;
+ r = xmalloc_clear(sizeof(*r));
+ r->key = pKEYUSAGE;
+ r->u.usage = openpgp_pk_algo_usage(algo);
+ r->next = para;
+ para = r;
 }
- else if(err==-1)
+ else if (err == -1)
 return -1;
+ else
+ {
+ r = get_parameter (para, pKEYUSAGE);
+ if (r && (r->u.usage & ~openpgp_pk_algo_usage (algo)))
+ {
+ log_error ("%s:%d: specified Key-Usage not allowed for algo %d\n",
+ fname, r->lnr, algo);
+ return -1;
+ }
+ }
 r = get_parameter( para, pSUBKEYTYPE );
 if(r)
 {
- algo=get_parameter_algo( para, pSUBKEYTYPE);
- if(check_pubkey_algo(algo))
+ algo = get_parameter_algo (para, pSUBKEYTYPE);
+ if (check_pubkey_algo (algo))
 {
- log_error("%s:%d: invalid algorithm\n", fname, r->lnr );
+ log_error ("%s:%d: invalid algorithm\n", fname, r->lnr );
 return -1;
 }
- err=parse_parameter_usage (fname, para, pSUBKEYUSAGE);
- if(err==0)
+ err = parse_parameter_usage (fname, para, pSUBKEYUSAGE);
+ if (!err)
 {
 /* Default to algo capabilities if subkey-usage is not provided */
- r=xmalloc_clear(sizeof(*r));
- r->key=pSUBKEYUSAGE;
- r->u.usage=openpgp_pk_algo_usage(algo);
- r->next=para;
- para=r;
+ r = xmalloc_clear (sizeof(*r));
+ r->key = pSUBKEYUSAGE;
+ r->u.usage = openpgp_pk_algo_usage (algo);
+ r->next = para;
+ para = r;
 }
- else if(err==-1)
+ else if (err == -1)
 return -1;
+ else
+ {
+ r = get_parameter (para, pSUBKEYUSAGE);
+ if (r && (r->u.usage & ~openpgp_pk_algo_usage (algo)))
+ {
+ log_error ("%s:%d: specified Subkey-Usage not allowed"
+ " for algo %d\n", fname, r->lnr, algo);
+ return -1;
+ }
+ }
 }
 if( get_parameter_value( para, pUSERID ) )
-- cgit v1.2.3
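Review bot: The two new `else` branches rely on `parse_parameter_usage` returning something other than 0 or -1 exactly when a usage line was parsed into `r->u.usage`, and nothing in the hunk states that contract; a comment such as `/* Usage given explicitly: reject flags the algorithm cannot provide. */` above each `r = get_parameter (...)` would make the three-way branch readable. The `r &&` guard also means the capability check is skipped without any message if the lookup returns NULL, so the check fails open in that (presumably unreachable) case; returning -1 there would be the stricter choice. The Key-Usage and Subkey-Usage blocks are now identical apart from the parameter key and the message text, so a small static helper taking the key and the algorithm would keep the two checks from drifting apart. `proc_parameter_file` starts and ends outside the hunk.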