authorWerner Koch <[email protected]>2024-04-24 07:56:30 +0000
committerWerner Koch <[email protected]>2024-04-24 07:57:07 +0000
commit2958e5e4cfff8e7e8a8a113dca65dec028deb5aa (patch)
tree2f950ebbcf95674a6b66942352fdfa0b9744687a /g10/getkey.c
parentagent:kem: Factor out ECC KEM operation from composite KEM. (diff)
gpg: New option --require-pqc-encryption
* g10/gpg.c (oRequirePQCEncryption): New. (opts): Add option. (main): Set option. * g10/mainproc.c (print_pkenc_list): Print a warning. * g10/options.h (flags): Add flag require_pqc_encryption. * g10/getkey.c (finish_lookup): Skip non-pqc keys if the option is set. -- GnuPG-bug-id: 6815
Diffstat (limited to 'g10/getkey.c')
-rw-r--r--g10/getkey.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/g10/getkey.c b/g10/getkey.c
index ce59628a0..f2d1e7d7b 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -3779,6 +3779,16 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
continue;
}
+ if (opt.flags.require_pqc_encryption
+ && (req_usage & PUBKEY_USAGE_ENC)
+ && pk->pubkey_algo != PUBKEY_ALGO_KYBER)
+ {
+ if (DBG_LOOKUP)
+ log_debug ("\tsubkey is not quantum-resistant\n");
+ continue;
+ }
+
+
if (want_secret)
{
int secret_key_avail = agent_probe_secret_key (NULL, pk);
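Review bot: The new subkey filter tests the requested usage, `(req_usage & PUBKEY_USAGE_ENC)`, not the usage of the subkey being examined. If a caller ever passes encryption together with other usage bits, a non-Kyber subkey that matched on another capability would presumably be skipped as well; callers are not visible here, so this should be confirmed. The policy is also visible only under DBG_LOOKUP, so I would add a comment above the test such as `/* With --require-pqc-encryption only Kyber subkeys may satisfy an encryption request; everything else is skipped (fail closed). */`. The two consecutive blank lines after the block could be reduced to one. finish_lookup starts and ends outside this hunk.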
@@ -3857,6 +3867,13 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
if (DBG_LOOKUP)
log_debug ("\tprimary key has expired\n");
}
+ else if (opt.flags.require_pqc_encryption
+ && (req_usage & PUBKEY_USAGE_ENC)
+ && pk->pubkey_algo != PUBKEY_ALGO_KYBER)
+ {
+ if (DBG_LOOKUP)
+ log_debug ("\tprimary key is not quantum-resistant\n");
+ }
else /* Okay. */
{
if (DBG_LOOKUP)
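Review bot: In the primary-key chain the new `else if` only emits a debug line, so the key is rejected implicitly by never reaching the `else /* Okay. */` branch. A reader auditing the policy could mistake the arm for a no-op, so I would add a comment inside it such as `/* Not selected: falls through without accepting the primary key. */`. The three-line condition also duplicates the one added in the subkey loop of the first hunk, with `PUBKEY_ALGO_KYBER` hard-coded in both places. Moving the test into one small static predicate would keep the two sites from drifting apart when another quantum-resistant encryption algorithm is added. The enclosing if/else chain and the rest of finish_lookup lie outside the hunk.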