From ef50fdf82a459894ed3da7b9be83f89658f1eaba Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 4 Jul 2018 08:59:12 +0200
Subject: gpg: Extra check for sign usage when verifying a data signature.
* g10/sig-check.c (check_signature_end_simple): Check sign usage.
--
Without this patch the signature verification fails only due to the missing back signature. This check better explains what went wrong.
GnuPG-bug-id: 4014
Signed-off-by: Werner Koch
(cherry picked from commit 214b0077264e35c079e854a8b6374704aea45cd5)
---
 g10/sig-check.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/g10/sig-check.c b/g10/sig-check.c
index e5de025ca..6b9feebfd 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -479,8 +479,17 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
 sig->sig_class, pk->pubkey_usage);
 return rc;
 }
- /* Fixme: Should we also check the signing capability here for data
- * signature? */
+
+ /* For data signatures check that the key has sign usage. */
+ if (IS_SIG (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_SIG))
+ {
+ rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE);
+ if (!opt.quiet)
+ log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"),
+ keystr_from_pk (pk), gpg_strerror (rc),
+ sig->sig_class, pk->pubkey_usage);
+ return rc;
+ }
 
 /* Make sure the digest algo is enabled (in case of a detached
 * signature). */
--
cgit v1.2.3
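Review bot: The new comment above `if (IS_SIG (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_SIG))` says what is checked but not why, and the reason is security-relevant: per the commit message, a data signature from a key without sign usage was previously rejected only as a side effect of the missing back signature. I would expand it to something like `/* For data signatures require sign usage explicitly; do not rely on the back-signature check to reject keys that lack the signing capability. */`. The check is only as strong as `pk->pubkey_usage`, which is presumably filled in from the key flags before this function is called; that cannot be confirmed here because check_signature_end_simple starts and ends outside the hunk. The diffstat shows only g10/sig-check.c changed, so a regression test that verifies a data signature made by a key without sign usage and expects GPG_ERR_WRONG_KEY_USAGE would be worth adding.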