mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
sm: Flag Brainpool curves as compliant for all other operations.
* sm/fingerprint.c (gpgsm_get_key_algo_info2): Rename to (gpgsm_get_key_algo_info): this. Remove the old wrapper. Adjust all callers. * sm/decrypt.c (gpgsm_decrypt): Pass the curve to the compliance checker. * sm/encrypt.c (gpgsm_encrypt): Ditto. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 6253
This commit is contained in:
parent
97708e2ac7
commit
2c3c049fd8
@ -1065,6 +1065,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
|
||||
int recp;
|
||||
estream_t in_fp = NULL;
|
||||
struct decrypt_filter_parm_s dfparm;
|
||||
char *curve = NULL;
|
||||
|
||||
memset (&dfparm, 0, sizeof dfparm);
|
||||
|
||||
@ -1309,14 +1310,15 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
|
||||
|
||||
pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
|
||||
pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
|
||||
pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
|
||||
xfree (curve);
|
||||
pk_algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
|
||||
if (!opt.quiet)
|
||||
log_info (_("encrypted to %s key %s\n"), pkalgostr, pkfpr);
|
||||
|
||||
/* Check compliance. */
|
||||
if (!gnupg_pk_is_allowed (opt.compliance,
|
||||
PK_USE_DECRYPTION,
|
||||
pk_algo, 0, NULL, nbits, NULL))
|
||||
pk_algo, 0, NULL, nbits, curve))
|
||||
{
|
||||
char kidstr[10+1];
|
||||
|
||||
@ -1334,7 +1336,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
|
||||
dfparm.is_de_vs =
|
||||
(dfparm.is_de_vs
|
||||
&& gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0,
|
||||
NULL, nbits, NULL));
|
||||
NULL, nbits, curve));
|
||||
|
||||
oops:
|
||||
if (rc)
|
||||
@ -1512,6 +1514,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
|
||||
log_error ("message decryption failed: %s <%s>\n",
|
||||
gpg_strerror (rc), gpg_strsource (rc));
|
||||
}
|
||||
xfree (curve);
|
||||
ksba_cms_release (cms);
|
||||
gnupg_ksba_destroy_reader (b64reader);
|
||||
gnupg_ksba_destroy_writer (b64writer);
|
||||
|
10
sm/encrypt.c
10
sm/encrypt.c
@ -758,11 +758,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
|
||||
unsigned char *encval;
|
||||
unsigned int nbits;
|
||||
int pk_algo;
|
||||
char *curve = NULL;
|
||||
|
||||
/* Check compliance. */
|
||||
pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
|
||||
pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits, &curve);
|
||||
if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, 0,
|
||||
NULL, nbits, NULL))
|
||||
NULL, nbits, curve))
|
||||
{
|
||||
char kidstr[10+1];
|
||||
|
||||
@ -777,9 +778,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
|
||||
/* Fixme: When adding ECC we need to provide the curvename and
|
||||
* the key to gnupg_pk_is_compliant. */
|
||||
if (compliant
|
||||
&& !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, NULL))
|
||||
&& !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, curve))
|
||||
compliant = 0;
|
||||
|
||||
xfree (curve);
|
||||
curve = NULL;
|
||||
|
||||
rc = encrypt_dek (dek, cl->cert, pk_algo, &encval);
|
||||
if (rc)
|
||||
{
|
||||
|
@ -430,7 +430,7 @@ gpgsm_p12_export (ctrl_t ctrl, const char *name, estream_t stream, int rawmode)
|
||||
|
||||
if (rawmode == 0)
|
||||
ctrl->pem_name = "PKCS12";
|
||||
else if (gpgsm_get_key_algo_info (cert, NULL) == GCRY_PK_ECC)
|
||||
else if (gpgsm_get_key_algo_info (cert, NULL, NULL) == GCRY_PK_ECC)
|
||||
ctrl->pem_name = "EC PRIVATE KEY";
|
||||
else if (rawmode == 1)
|
||||
ctrl->pem_name = "PRIVATE KEY";
|
||||
|
@ -222,7 +222,7 @@ gpgsm_get_keygrip_hexstring (ksba_cert_t cert)
|
||||
* algorithm is used the name or OID of the curve is stored there; the
|
||||
* caller needs to free this value. */
|
||||
int
|
||||
gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
|
||||
gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
|
||||
{
|
||||
gcry_sexp_t s_pkey;
|
||||
int rc;
|
||||
@ -299,18 +299,11 @@ gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
|
||||
}
|
||||
|
||||
|
||||
int
|
||||
gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
|
||||
{
|
||||
return gpgsm_get_key_algo_info2 (cert, nbits, NULL);
|
||||
}
|
||||
|
||||
|
||||
/* Return true if CERT is an ECC key. */
|
||||
int
|
||||
gpgsm_is_ecc_key (ksba_cert_t cert)
|
||||
{
|
||||
return GCRY_PK_ECC == gpgsm_get_key_algo_info2 (cert, NULL, NULL);
|
||||
return GCRY_PK_ECC == gpgsm_get_key_algo_info (cert, NULL, NULL);
|
||||
}
|
||||
|
||||
|
||||
|
@ -339,8 +339,7 @@ unsigned long gpgsm_get_short_fingerprint (ksba_cert_t cert,
|
||||
unsigned long *r_high);
|
||||
unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array);
|
||||
char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
|
||||
int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits);
|
||||
int gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits,
|
||||
int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits,
|
||||
char **r_curve);
|
||||
int gpgsm_is_ecc_key (ksba_cert_t cert);
|
||||
char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid);
|
||||
|
@ -562,7 +562,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
|
||||
if (*truststring)
|
||||
es_fputs (truststring, fp);
|
||||
|
||||
algo = gpgsm_get_key_algo_info2 (cert, &nbits, &curve);
|
||||
algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
|
||||
es_fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);
|
||||
|
||||
ksba_cert_get_validity (cert, 0, t);
|
||||
|
@ -640,6 +640,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
|
||||
certlist_t cl;
|
||||
int release_signerlist = 0;
|
||||
int binary_detached = detached && !ctrl->create_pem && !ctrl->create_base64;
|
||||
char *curve = NULL;
|
||||
|
||||
audit_set_type (ctrl->audit, AUDIT_TYPE_SIGN);
|
||||
|
||||
@ -778,7 +779,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
|
||||
unsigned int nbits;
|
||||
int pk_algo;
|
||||
|
||||
pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
|
||||
xfree (curve);
|
||||
pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits, &curve);
|
||||
cl->pk_algo = pk_algo;
|
||||
|
||||
if (opt.forced_digest_algo)
|
||||
@ -839,7 +841,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
|
||||
}
|
||||
|
||||
if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0,
|
||||
NULL, nbits, NULL))
|
||||
NULL, nbits, curve))
|
||||
{
|
||||
char kidstr[10+1];
|
||||
|
||||
@ -1205,6 +1207,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
|
||||
gpg_strerror (rc), gpg_strsource (rc) );
|
||||
if (release_signerlist)
|
||||
gpgsm_release_certlist (signerlist);
|
||||
xfree (curve);
|
||||
ksba_cms_release (cms);
|
||||
gnupg_ksba_destroy_writer (b64writer);
|
||||
keydb_release (kh);
|
||||
|
@ -468,7 +468,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
|
||||
|
||||
pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
|
||||
pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
|
||||
pkalgo = gpgsm_get_key_algo_info2 (cert, &nbits, &pkcurve);
|
||||
pkalgo = gpgsm_get_key_algo_info (cert, &nbits, &pkcurve);
|
||||
/* Remap the ECC algo to the algo we use. Note that EdDSA has
|
||||
* already been mapped. */
|
||||
if (pkalgo == GCRY_PK_ECC)
|
||||
@ -504,7 +504,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
|
||||
|
||||
/* Check compliance. */
|
||||
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
|
||||
pkalgo, pkalgoflags, NULL, nbits, NULL))
|
||||
pkalgo, pkalgoflags, NULL, nbits, pkcurve))
|
||||
{
|
||||
char kidstr[10+1];
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user