sm: Exclude rsaPSS from de-vs compliance mode.

* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New.
* common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and
test rsaPSS.  Adjust all callers.
* common/util.c (pubkey_algo_to_string): New.
(gnupg_pk_is_allowed): Ditto.
* sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function.
(gpgsm_get_hash_algo_from_sigval): New.
* sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval
arg.  Add arg pkalgoflags.  Use the PK_ALGO_FLAG_RSAPSS.
* sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to
also get the algo flags.  Pass algo flags along.  Change some of the
info output to be more like current master.
--
Signed-off-by: Werner Koch <wk@gnupg.org>

This backport from master
commit 969abcf40c
also includes some changes taken from
commit a759fa963a
(sm: Improve readability of the data verification output.)

Signed-off-by: Werner Koch <wk@gnupg.org>

g10/encrypt.c

@@ -619,15 +619,15 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
         PKT_public_key *pk = pkr->pk;
         unsigned int nbits = nbits_from_pk (pk);
 
-        if (!gnupg_pk_is_compliant (opt.compliance,
-                                    pk->pubkey_algo, pk->pkey, nbits, NULL))
+        if (!gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo, 0,
+                                    pk->pkey, nbits, NULL))
           log_info (_("WARNING: key %s is not suitable for encryption"
                       " in %s mode\n"),
                     keystr_from_pk (pk),
                     gnupg_compliance_option_string (opt.compliance));
 
         if (compliant
-            && !gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
+            && !gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey,
                                        nbits, NULL))
           compliant = 0;
       }

g10/keylist.c

@@ -1340,7 +1340,7 @@ print_compliance_flags (PKT_public_key *pk,
       es_fputs (gnupg_status_compliance_flag (CO_GNUPG), es_stdout);
       any++;
     }
-  if (gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
+  if (gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey,
 			     keylength, curvename))
     {
       es_fprintf (es_stdout, any ? " %s" : "%s",

g10/mainproc.c

@@ -739,8 +739,8 @@ proc_encrypted (CTX c, PACKET *pkt)
           memset (pk, 0, sizeof *pk);
           pk->pubkey_algo = i->pubkey_algo;
           if (get_pubkey (c->ctrl, pk, i->kid) != 0
-              || ! gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
-                                          nbits_from_pk (pk), NULL))
+              || ! gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0,
+                                          pk->pkey, nbits_from_pk (pk), NULL))
             compliant = 0;
           release_public_key_parts (pk);
         }
@@ -2429,7 +2429,7 @@ check_sig_and_print (CTX c, kbnode_t node)
 
       /* Print compliance warning for Good signatures.  */
       if (!rc && pk && !opt.quiet
-          && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo,
+          && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo, 0,
                                      pk->pkey, nbits_from_pk (pk), NULL))
         {
           log_info (_("WARNING: This key is not suitable for signing"
@@ -2513,7 +2513,7 @@ check_sig_and_print (CTX c, kbnode_t node)
 
       /* Compute compliance with CO_DE_VS.  */
       if (pk && is_status_enabled ()
-          && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
+          && gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, 0, pk->pkey,
                                     nbits_from_pk (pk), NULL)
           && gnupg_digest_is_compliant (CO_DE_VS, sig->digest_algo))
         write_status_strings (STATUS_VERIFICATION_COMPLIANCE_MODE,

g10/pubkey-enc.c

@@ -92,7 +92,7 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
         {
           /* Check compliance.  */
           if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION,
-                                     sk->pubkey_algo,
+                                     sk->pubkey_algo, 0,
                                      sk->pkey, nbits_from_pk (sk), NULL))
             {
               log_info (_("key %s is not suitable for decryption"
@@ -133,7 +133,7 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
 
           /* Check compliance.  */
           if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION,
-                                     sk->pubkey_algo,
+                                     sk->pubkey_algo, 0,
                                      sk->pkey, nbits_from_pk (sk), NULL))
             {
               log_info (_("key %s is not suitable for decryption"

g10/sig-check.c

@@ -164,7 +164,7 @@ check_signature2 (ctrl_t ctrl,
   else if (get_pubkey_for_sig (ctrl, pk, sig, forced_pk))
     rc = gpg_error (GPG_ERR_NO_PUBKEY);
   else if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
-                                 pk->pubkey_algo, pk->pkey,
+                                 pk->pubkey_algo, 0, pk->pkey,
                                  nbits_from_pk (pk),
                                  NULL))
     {

g10/sign.c

@@ -395,7 +395,8 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
       goto leave;
     }
 
-  if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pksk->pubkey_algo,
+  if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING,
+                             pksk->pubkey_algo, 0,
                              pksk->pkey, nbits_from_pk (pksk), NULL))
     {
       log_error (_("key %s may not be used for signing in %s mode\n"),