mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-08 12:44:23 +01:00
sm: Don't mark a cert as de-vs compliant if it leads to SHA-1 sigs.
* sm/keylist.c (print_compliance_flags): Also check the diges_also. -- A certificate with algorithm sha1WithRSAEncryption can be de-vs compliant (e.g. if the next in the chain used sha256WithRSAEncryption to sign it and RSA is long enough) but flagging it as such is useless because that certificate can't be used because it will create signatures using the non-compliant SHA-1 algorithm. Well, it could be used for encryption. But also evaluating the key-usage flags here would make it harder for the user to understand why certain certificates are listed as de-vs compliant and others are not. Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
0173b249cf
commit
2c75af9f65
13
sm/keylist.c
13
sm/keylist.c
@ -384,16 +384,21 @@ static void
|
||||
print_compliance_flags (ksba_cert_t cert, int algo, unsigned int nbits,
|
||||
estream_t fp)
|
||||
{
|
||||
int any = 0;
|
||||
int indent = 0;
|
||||
int hashalgo;
|
||||
|
||||
if (gnupg_pk_is_compliant (CO_DE_VS, algo, NULL, nbits, NULL))
|
||||
{
|
||||
es_fputs (gnupg_status_compliance_flag (CO_DE_VS), fp);
|
||||
any++;
|
||||
hashalgo = gcry_md_map_name (ksba_cert_get_digest_algo (cert));
|
||||
if (gnupg_digest_is_compliant (CO_DE_VS, hashalgo))
|
||||
{
|
||||
es_fputs (gnupg_status_compliance_flag (CO_DE_VS), fp);
|
||||
indent = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (opt.with_key_screening)
|
||||
print_pk_screening (cert, 1+any, fp);
|
||||
print_pk_screening (cert, 1+indent, fp);
|
||||
}
|
||||
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user