gpg: Add option --assert-pubkey_algo.

* g10/keyid.c (parse_one_algo_string): New. (compare_pubkey_string_part): New. (compare_pubkey_string): New. * g10/verify.c (check_assert_signer_list): New. * g10/mainproc.c (check_sig_and_print): Call check_assert_pubkey_algo. * g10/options.h (opt): Add field assert_pubkey_algos. * g10/gpg.c (oAssertPubkeyAlgo): New. (opts): Add "--assert-pubkey_algo". (assert_pubkey_algo_false): New. (main): Parse option. (g10_exit): Reorder RC modifications. Check assert_pubkey_algo_false. * common/status.h (ASSERT_PUBKEY_ALGOS): new. * common/t-support.h (LEAN_T_SUPPORT): Use a simplified version if this macro is set. * g10/gpgv.c (oAssertPubkeyAlgo): New. (opts): Add "--assert-pubkey_algo". (assert_pubkey_algo_false): New. (main): Parse option. (g10_exit): Check assert_pubkey_algo_false. * g10/t-keyid.c: New. * g10/Makefile.am: Add t-keyid. * g10/test-stubs.c: Add assert_pubkey_algos and assert_signer_list and remove from other tests. (check_assert_signer_list): Ditto. (check_assert_pubkey_algo): Ditto. -- GnuPG-bug-id: 6946
2025-07-02 22:46:30 +02:00 · 2024-02-10 14:24:50 +01:00 · 2024-02-10 14:24:50 +01:00 · 302afcb6f6
commit 302afcb6f6
parent 5842eee805
20 changed files with 424 additions and 58 deletions
--- a/g10/verify.c
+++ b/g10/verify.c
@ -333,7 +333,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
              assert_signer_true = 1;
              write_status_text (STATUS_ASSERT_SIGNER, item->d);
              if (!opt.quiet)
-                log_info ("signer '%s' matched\n", item->d);
+                log_info ("asserted signer '%s'\n", item->d);
              goto leave;
            }
        }
@ -388,7 +388,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
                  assert_signer_true = 1;
                  write_status_text (STATUS_ASSERT_SIGNER, p);
                  if (!opt.quiet)
-                    log_info ("signer '%s' matched '%s', line %d\n",
+                    log_info ("asserted signer '%s' (%s:%d)\n",
                              p, fname, lnr);
                  goto leave;
                }
@ -405,3 +405,32 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
 leave:
  es_fclose (fp);
 }
+
+
+/* This function shall be called with the signer's public key
+ * algorithm ALGOSTR iff a signature is fully valid.  If the option
+ * --assert-pubkey-algo is active the functions checks whether the
+ * signing key's algo is valid according to that list; in this case a
+ * global flag is set.  */
+void
+check_assert_pubkey_algo (const char *algostr, const char *pkhex)
+{
+  if (!opt.assert_pubkey_algos)
+    return;  /* Nothing to do.  */
+
+  if (compare_pubkey_string (algostr, opt.assert_pubkey_algos))
+    {
+      write_status_strings (STATUS_ASSERT_PUBKEY_ALGO,
+                            pkhex, " 1 ", algostr, NULL);
+      if (!opt.quiet)
+        log_info ("asserted signer '%s' with algo %s\n", pkhex, algostr);
+    }
+  else
+    {
+      if (!opt.quiet)
+        log_info ("denied signer '%s' with algo %s\n", pkhex, algostr);
+      assert_pubkey_algo_false = 1;
+      write_status_strings (STATUS_ASSERT_PUBKEY_ALGO,
+                            pkhex, " 0 ", algostr, NULL);
+    }
+}