diff options
| author | Werner Koch <[email protected]> | 2020-07-03 13:47:55 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2020-07-03 14:15:29 +0000 |
| commit | 969abcf40cdfc65f3ee859c5e62889e1a8ccde91 (patch) | |
| tree | 85bb8618a5c78574db04cad63d91328cba652ffd /common/compliance.c | |
| parent | scd:nks: Implement writecert for the Signature card v2. (diff) | |
| download | gnupg-969abcf40cdfc65f3ee859c5e62889e1a8ccde91.tar.gz gnupg-969abcf40cdfc65f3ee859c5e62889e1a8ccde91.zip | |
sm: Exclude rsaPSS from de-vs compliance mode.
* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New.
* common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and
test rsaPSS. Adjust all callers.
(gnupg_pk_is_allowed): Ditto.
* sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function.
(gpgsm_get_hash_algo_from_sigval): New.
* sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval
arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS.
* sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to
also get the algo flags. Pass algo flags along.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'common/compliance.c')
| -rw-r--r-- | common/compliance.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/common/compliance.c b/common/compliance.c index b7d4d4970..c6a20b886 100644 --- a/common/compliance.c +++ b/common/compliance.c @@ -96,6 +96,7 @@ gnupg_initialize_compliance (int gnupg_module_name) * both are compatible from the point of view of this function. */ int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, + unsigned int algo_flags, gcry_mpi_t key[], unsigned int keylength, const char *curvename) { @@ -148,6 +149,10 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, result = (keylength == 2048 || keylength == 3072 || keylength == 4096); + /* rsaPSS was not part of the evaluation and thus we don't + * claim compliance. */ + if ((algo_flags & PK_ALGO_FLAG_RSAPSS)) + result = 0; break; case is_dsa: @@ -197,7 +202,8 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, * they produce, and liberal in what they accept. */ int gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, - enum pk_use_case use, int algo, gcry_mpi_t key[], + enum pk_use_case use, int algo, + unsigned int algo_flags, gcry_mpi_t key[], unsigned int keylength, const char *curvename) { int result = 0; @@ -228,6 +234,10 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, default: log_assert (!"reached"); } + /* rsaPSS was not part of the evaluation and thus we don't + * claim compliance. */ + if ((algo_flags & PK_ALGO_FLAG_RSAPSS)) + result = 0; break; case PUBKEY_ALGO_DSA: |