sm: Exclude rsaPSS from de-vs compliance mode.

* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New. * common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and test rsaPSS. Adjust all callers. (gnupg_pk_is_allowed): Ditto. * sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function. (gpgsm_get_hash_algo_from_sigval): New. * sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS. * sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to also get the algo flags. Pass algo flags along. Signed-off-by: Werner Koch <[email protected]>
author: Werner Koch <[email protected]> 2020-07-03 13:47:55 +0000
committer: Werner Koch <[email protected]> 2020-07-03 14:15:29 +0000
commit: 969abcf40cdfc65f3ee859c5e62889e1a8ccde91 (patch)
tree: 85bb8618a5c78574db04cad63d91328cba652ffd /sm/certcheck.c
parent: scd:nks: Implement writecert for the Signature card v2. (diff)
download: gnupg-969abcf40cdfc65f3ee859c5e62889e1a8ccde91.tar.gz
gnupg-969abcf40cdfc65f3ee859c5e62889e1a8ccde91.zip
1 files changed, 20 insertions, 53 deletions
diff --git a/sm/certcheck.c b/sm/certcheck.c
index d04a86588..450e589bb 100644
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@@ -606,69 +606,40 @@ gpgsm_check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert)
 
 
 int
-gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
-                           gcry_md_hd_t md, int mdalgo, int *r_pkalgo)
+gpgsm_check_cms_signature (ksba_cert_t cert, gcry_sexp_t s_sig,
+                           gcry_md_hd_t md, int mdalgo,
+                           unsigned int pkalgoflags, int *r_pkalgo)
 {
   int rc;
   ksba_sexp_t p;
-  gcry_sexp_t s_sig, s_hash, s_pkey, l1;
+  gcry_sexp_t s_hash, s_pkey;
   size_t n;
-  const char *s;
-  int i;
   int pkalgo;
   int use_pss;
   unsigned int saltlen = 0;
 
-
   if (r_pkalgo)
     *r_pkalgo = 0;
 
-  n = gcry_sexp_canon_len (sigval, 0, NULL, NULL);
-  if (!n)
-    {
-      log_error ("libksba did not return a proper S-Exp\n");
-      return gpg_error (GPG_ERR_BUG);
-    }
-  rc = gcry_sexp_sscan (&s_sig, NULL, (char*)sigval, n);
-  if (rc)
+  /* Check whether rsaPSS is needed.  This information is indicated in
+   * the SIG-VAL and already provided to us by the caller so that we
+   * do not need to parse this out. */
+  use_pss = !!(pkalgoflags & PK_ALGO_FLAG_RSAPSS);
+  if (use_pss)
     {
-      log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
-      return rc;
-    }
+      int algo;
 
-  /* Check whether rsaPSS is needed.  This is indicated in the SIG-VAL
-   * using a flag.  Only if we found that flag, we extract the PSS
-   * parameters for SIG-VAL.  */
-  use_pss = 0;
-  l1 = gcry_sexp_find_token (s_sig, "flags", 0);
-  if (l1)
-    {
-      /* Note that the flag parser assumes that the list of flags
-       * contains only strings and in particular not sublist.  This is
-       * always the case or current libksba. */
-      for (i=1; (s = gcry_sexp_nth_data (l1, i, &n)); i++)
-        if (n == 3 && !memcmp (s, "pss", 3))
-          {
-            use_pss = 1;
-            break;
-          }
-      gcry_sexp_release (l1);
-      if (use_pss)
+      rc = extract_pss_params (s_sig, &algo, &saltlen);
+      if (rc)
         {
-          int algo;
-
-          rc = extract_pss_params (s_sig, &algo, &saltlen);
-          if (rc)
-            {
-              gcry_sexp_release (s_sig);
-              return rc;
-            }
-          if (algo != mdalgo)
-            {
-              log_error ("PSS hash algo mismatch (%d/%d)\n", mdalgo, algo);
-              gcry_sexp_release (s_sig);
-              return gpg_error (GPG_ERR_DIGEST_ALGO);
-            }
+          gcry_sexp_release (s_sig);
+          return rc;
+        }
+      if (algo != mdalgo)
+        {
+          log_error ("PSS hash algo mismatch (%d/%d)\n", mdalgo, algo);
+          gcry_sexp_release (s_sig);
+          return gpg_error (GPG_ERR_DIGEST_ALGO);
         }
     }
 
@@ -678,7 +649,6 @@ gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
     {
       log_error ("libksba did not return a proper S-Exp\n");
       ksba_free (p);
-      gcry_sexp_release (s_sig);
       return gpg_error (GPG_ERR_BUG);
     }
   if (DBG_CRYPTO)
@@ -689,7 +659,6 @@ gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
   if (rc)
     {
       log_error ("gcry_sexp_scan failed: %s\n", gpg_strerror (rc));
-      gcry_sexp_release (s_sig);
       return rc;
     }
 
@@ -719,7 +688,6 @@ gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
                          gcry_pk_get_nbits (s_pkey), s_pkey, &frame);
       if (rc)
         {
-          gcry_sexp_release (s_sig);
           gcry_sexp_release (s_pkey);
           return rc;
         }
@@ -732,7 +700,6 @@ gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
   rc = gcry_pk_verify (s_sig, s_hash, s_pkey);
   if (DBG_X509)
     log_debug ("gcry_pk_verify: %s\n", gpg_strerror (rc));
-  gcry_sexp_release (s_sig);
   gcry_sexp_release (s_hash);
   gcry_sexp_release (s_pkey);
   return rc;
author	Werner Koch <[email protected]>	2020-07-03 13:47:55 +0000
committer	Werner Koch <[email protected]>	2020-07-03 14:15:29 +0000
commit	969abcf40cdfc65f3ee859c5e62889e1a8ccde91 (patch)
tree	85bb8618a5c78574db04cad63d91328cba652ffd /sm/certcheck.c
parent	scd:nks: Implement writecert for the Signature card v2. (diff)
download	gnupg-969abcf40cdfc65f3ee859c5e62889e1a8ccde91.tar.gz gnupg-969abcf40cdfc65f3ee859c5e62889e1a8ccde91.zip