gpgsm: Allow ECC encryption keys with just keyAgreement specified.

* sm/certlist.c (cert_usage_p): Allow keyAgreement for ECC. * sm/fingerprint.c (gpgsm_is_ecc_key): New. -- For ECC encryption keys keyAgreement is the keyUsage we want.
2022-10-24 17:38:49 +02:00 · 2022-10-24 17:38:49 +02:00 · 6bd0dd762c
parent 50efcf2eb0
commit 6bd0dd762c
3 changed files with 11 additions and 1 deletions
--- a/sm/certlist.c
+++ b/sm/certlist.c
@ -170,7 +170,8 @@ cert_usage_p (ksba_cert_t cert, int mode, int silent)
    }

  encr_bits = (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT);
-  if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR))
+  if ((opt.compat_flags & COMPAT_ALLOW_KA_TO_ENCR)
+      || gpgsm_is_ecc_key (cert))
    encr_bits |= KSBA_KEYUSAGE_KEY_AGREEMENT;

  sign_bits = (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION);
--- a/sm/fingerprint.c
+++ b/sm/fingerprint.c
@ -306,6 +306,14 @@ gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
 }


+/* Return true if CERT is an ECC key.  */
+int
+gpgsm_is_ecc_key (ksba_cert_t cert)
+{
+  return GCRY_PK_ECC == gpgsm_get_key_algo_info2 (cert, NULL, NULL);
+}
+
+
 /* This is a wrapper around pubkey_algo_string which takes a KSBA
 * certificate instead of a Gcrypt public key.  Note that this
 * function may return NULL on error.  */
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -324,6 +324,7 @@ char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
 int  gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits);
 int  gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits,
                               char **r_curve);
+int   gpgsm_is_ecc_key (ksba_cert_t cert);
 char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid);
 gcry_mpi_t gpgsm_get_rsa_modulus (ksba_cert_t cert);
 char *gpgsm_get_certid (ksba_cert_t cert);