From 1a5d95e7319e7e6f0dd11064a26cbbc371b05214 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 6 Apr 2018 11:04:04 +0200
Subject: [PATCH] gpg: Check that a key may do certifications.

* g10/sig-check.c (check_signature_end_simple): Check key usage for certifications.
(check_signature_over_key_or_uid): Request usage certification.
--
GnuPG-bug-id: 3844
Signed-off-by: Werner Koch
---
 g10/sig-check.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/g10/sig-check.c b/g10/sig-check.c
index 1a90fd326..e5de025ca 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -464,6 +464,24 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
 }
 }

+ /* For key signatures check that the key has a cert usage. We may
+ * do this only for subkeys because the primary may always issue key
+ * signature. The latter may not be reflected in the pubkey_usage
+ * field because we need to check the key signatures to extract the
+ * key usage. */
+ if (!pk->flags.primary
+ && IS_CERT (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_CERT))
+ {
+ rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE);
+ if (!opt.quiet)
+ log_info (_("bad key signature from key %s: %s (0x%02x, 0x%x)\n"),
+ keystr_from_pk (pk), gpg_strerror (rc),
+ sig->sig_class, pk->pubkey_usage);
+ return rc;
+ }
+ /* Fixme: Should we also check the signing capability here for data
+ * signature? */
+
 /* Make sure the digest algo is enabled (in case of a detached
 * signature). */
 gcry_md_enable (digest, sig->digest_algo);
@@ -893,6 +911,9 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
 signer_alloced = 2;
 }

+ if (IS_CERT (sig))
+ signer->req_usage = PUBKEY_USAGE_CERT;
+
 rc = get_pubkey (ctrl, signer, sig->keyid);
 if (rc)
 {
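Review bot: The new subkey test in check_signature_end_simple trusts `pk->pubkey_usage`, yet the added comment itself says that field only becomes meaningful once the key signatures have been checked, and nothing visible in the hunk guarantees that for a subkey. If a caller can pass a subkey whose usage was not taken from its binding signature, `!(pk->pubkey_usage & PUBKEY_USAGE_CERT)` may not reject the certification; I would state the precondition in the comment, e.g. `/* Requires that PK's usage flags were already merged from its binding signature. */`. The Fixme leaves the matching question for data signatures open and would be easier to follow up with a tracker reference next to it. The commit touches only sig-check.c, so a regression test in which a certification issued by a sign-only subkey fails with GPG_ERR_WRONG_KEY_USAGE would pin the behaviour. The function body starts and ends outside the hunk.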
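Review bot: `signer->req_usage = PUBKEY_USAGE_CERT;` is written into `signer` before `get_pubkey` and is not restored in the visible lines; since `signer` is a parameter of check_signature_over_key_or_uid, this may alter a caller-owned key object when the caller passed one in (the branch structure above starts outside the hunk, so this is inferred). If that is intended, a comment such as `/* Note: this also changes REQ_USAGE of a caller-supplied SIGNER. */` would document it; otherwise save the old value and restore it after the lookup. It is also worth confirming that a lookup refused for usage reasons reaches the caller as a usage error rather than as a missing-key error, because the `if (rc)` handling continues past the end of the hunk.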