From 6de1ec3ba59fa54ab60b2923ba9caa77fc9d5281 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 26 Mar 2021 14:27:00 +0100
Subject: [PATCH] agent: Add debug output for failed RSA signature verification
* agent/pksign.c (agent_pksign_do): Support ECC and DSA verification and print some debug info in the error case.
--
Note that the addition of do_encode_dsa has no immediate effect because we use the code only for RSA. However, for debugging it can be useful to change the code to check also other created signatures.
Signed-off-by: Werner Koch
---
 agent/pksign.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/agent/pksign.c b/agent/pksign.c
index 00b31ee45..b877addb0 100644
--- a/agent/pksign.c
+++ b/agent/pksign.c
@@ -554,6 +554,8 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
 "(data (flags raw) (value %b))",
 (int)datalen, data);
 }
+ else if (algo == GCRY_PK_DSA || algo == GCRY_PK_ECC)
+ err = do_encode_dsa (data, datalen, algo, sexp_key, &s_hash);
 else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
 err = do_encode_raw_pkcs1 (data, datalen,
 gcry_pk_get_nbits (sexp_key), &s_hash);
@@ -569,6 +571,12 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
 {
 log_error (_("checking created signature failed: %s\n"),
 gpg_strerror (err));
+ if (DBG_CRYPTO)
+ {
+ gcry_log_debugsxp ("verify s_hsh", s_hash);
+ gcry_log_debugsxp ("verify s_sig", s_sig);
+ gcry_log_debugsxp ("verify s_key", sexp_key);
+ }
 gcry_sexp_release (s_sig);
 s_sig = NULL;
 }
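Review bot: The new `else if (algo == GCRY_PK_DSA || algo == GCRY_PK_ECC)` branch in the first hunk has no comment saying that it is not reached today. The commit message states that the check is used only for RSA, but nothing at this spot says so, and a reader could assume DSA and ECC signatures are verified after creation. I would add above the branch `/* Not reached while the check is limited to RSA; kept so the check can be widened for debugging. */`. agent_pksign_do starts and ends outside the hunk, so the condition that limits the check to RSA is not shown here.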
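Review bot: The added `if (DBG_CRYPTO)` block in the second hunk writes the rejected signature to the debug log just before `gcry_sexp_release (s_sig); s_sig = NULL;` withholds that same value from the caller. If the post-signing check is there to keep a faulty signature from leaving the agent, the log becomes a second way out whenever crypto debugging is enabled. `sexp_key` is dumped as well, and whether it can hold secret key parameters is not visible in this hunk, so that should be confirmed before merging. I would at least add `/* With crypto debugging the rejected signature and the key go to the log; treat that log as sensitive. */` above the block. agent_pksign_do starts and ends outside the hunk.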