diff options
| author | Werner Koch <[email protected]> | 2018-07-04 06:59:12 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2018-07-04 07:01:52 +0000 |
| commit | ef50fdf82a459894ed3da7b9be83f89658f1eaba (patch) | |
| tree | 115755429f14a497689d1ad7a6ea90b428838076 | |
| parent | gpg: Print revocation reason for "rev" records. (diff) | |
| download | gnupg-ef50fdf82a459894ed3da7b9be83f89658f1eaba.tar.gz gnupg-ef50fdf82a459894ed3da7b9be83f89658f1eaba.zip | |
gpg: Extra check for sign usage when verifying a data signature.
* g10/sig-check.c (check_signature_end_simple): Check sign usage.
--
Without this patch the signature verification fails only due to the
missing back signature. This check better explains what went wrong.
GnuPG-bug-id: 4014
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 214b0077264e35c079e854a8b6374704aea45cd5)
Diffstat (limited to '')
| -rw-r--r-- | g10/sig-check.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/g10/sig-check.c b/g10/sig-check.c index e5de025ca..6b9feebfd 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -479,8 +479,17 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, sig->sig_class, pk->pubkey_usage); return rc; } - /* Fixme: Should we also check the signing capability here for data - * signature? */ + + /* For data signatures check that the key has sign usage. */ + if (IS_SIG (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_SIG)) + { + rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); + if (!opt.quiet) + log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"), + keystr_from_pk (pk), gpg_strerror (rc), + sig->sig_class, pk->pubkey_usage); + return rc; + } /* Make sure the digest algo is enabled (in case of a detached * signature). */ |