diff options
| author | Werner Koch <[email protected]> | 2018-07-04 06:59:12 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2018-07-04 07:01:10 +0000 |
| commit | 214b0077264e35c079e854a8b6374704aea45cd5 (patch) | |
| tree | c665b5729ffc037da01dd75ca95f9f4a0f668751 | |
| parent | g10: Fix memory leak for PKT_signature. (diff) | |
| download | gnupg-214b0077264e35c079e854a8b6374704aea45cd5.tar.gz gnupg-214b0077264e35c079e854a8b6374704aea45cd5.zip | |
gpg: Extra check for sign usage when verifying a data signature.
* g10/sig-check.c (check_signature_end_simple): Check sign usage.
--
Without this patch the signature verification fails only due to the
missing back signature. This check better explains what went wrong.
GnuPG-bug-id: 4014
Signed-off-by: Werner Koch <[email protected]>
| -rw-r--r-- | g10/sig-check.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/g10/sig-check.c b/g10/sig-check.c index fc6983993..a68e031f6 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -478,8 +478,17 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig, sig->sig_class, pk->pubkey_usage); return rc; } - /* Fixme: Should we also check the signing capability here for data - * signature? */ + + /* For data signatures check that the key has sign usage. */ + if (IS_SIG (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_SIG)) + { + rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE); + if (!opt.quiet) + log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"), + keystr_from_pk (pk), gpg_strerror (rc), + sig->sig_class, pk->pubkey_usage); + return rc; + } /* Make sure the digest algo is enabled (in case of a detached * signature). */ |