diff --git a/g10/pubkey-enc.c b/g10/pubkey-enc.c index 272562b18..d7ba95391 100644 --- a/g10/pubkey-enc.c +++ b/g10/pubkey-enc.c @@ -90,16 +90,19 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek) sk->pubkey_algo = k->pubkey_algo; /* We want a pubkey with this algo. */ if (!(rc = get_seckey (ctrl, sk, k->keyid))) { - /* Print compliance warning. */ - if (!gnupg_pk_is_compliant (opt.compliance, - sk->pubkey_algo, - sk->pkey, nbits_from_pk (sk), NULL)) - log_info (_("Note: key %s is not suitable for encryption" - " in %s mode\n"), - keystr_from_pk (sk), - gnupg_compliance_option_string (opt.compliance)); - - rc = get_it (ctrl, k, dek, sk, k->keyid); + /* Check compliance. */ + if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION, + sk->pubkey_algo, + sk->pkey, nbits_from_pk (sk), NULL)) + { + log_info (_("key %s is not suitable for decryption" + " in %s mode\n"), + keystr_from_pk (sk), + gnupg_compliance_option_string (opt.compliance)); + rc = gpg_error (GPG_ERR_PUBKEY_ALGO); + } + else + rc = get_it (ctrl, k, dek, sk, k->keyid); } } else if (opt.skip_hidden_recipients) @@ -128,14 +131,17 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek) log_info (_("anonymous recipient; trying secret key %s ...\n"), keystr (keyid)); - /* Print compliance warning. */ - if (!gnupg_pk_is_compliant (opt.compliance, - sk->pubkey_algo, - sk->pkey, nbits_from_pk (sk), NULL)) - log_info (_("Note: key %s is not suitable for encryption" - " in %s mode\n"), - keystr_from_pk (sk), - gnupg_compliance_option_string (opt.compliance)); + /* Check compliance. */ + if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION, + sk->pubkey_algo, + sk->pkey, nbits_from_pk (sk), NULL)) + { + log_info (_("key %s is not suitable for decryption" + " in %s mode\n"), + keystr_from_pk (sk), + gnupg_compliance_option_string (opt.compliance)); + continue; + } rc = get_it (ctrl, k, dek, sk, keyid); if (!rc) diff --git a/sm/decrypt.c b/sm/decrypt.c index cdce1d434..60ed14a64 100644 --- a/sm/decrypt.c +++ b/sm/decrypt.c @@ -480,19 +480,22 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) unsigned int nbits; int pk_algo = gpgsm_get_key_algo_info (cert, &nbits); - /* Print compliance warning. */ - if (! gnupg_pk_is_compliant (opt.compliance, - pk_algo, NULL, nbits, NULL)) + /* Check compliance. */ + if (!gnupg_pk_is_allowed (opt.compliance, + PK_USE_DECRYPTION, + pk_algo, NULL, nbits, NULL)) { char kidstr[10+1]; snprintf (kidstr, sizeof kidstr, "0x%08lX", gpgsm_get_short_fingerprint (cert, NULL)); log_info - (_("Note: key %s is not suitable for encryption" + (_("key %s is not suitable for decryption" " in %s mode\n"), kidstr, gnupg_compliance_option_string (opt.compliance)); + rc = gpg_error (GPG_ERR_PUBKEY_ALGO); + goto oops; } /* Check that all certs are compliant with CO_DE_VS. */ @@ -504,9 +507,11 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) oops: if (rc) - /* We cannot check compliance of certs that we - * don't have. */ - is_de_vs = 0; + { + /* We cannot check compliance of certs that we + * don't have. */ + is_de_vs = 0; + } xfree (issuer); xfree (serial); ksba_cert_release (cert);