gpgsm: Support ECDSA in de-vs mode.

* common/compliance.h (PK_ALGO_FLAG_ECC18): New. * common/compliance.c (gnupg_pk_is_allowed): Implement. * sm/decrypt.c (gpgsm_decrypt): Pass new flag. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 6802
2024-05-27 21:41:23 +02:00 · 2023-11-08 17:09:04 +01:00 · 2023-11-08 17:09:04 +01:00 · 77fb089835
commit 77fb089835
parent 7340d4ecd7
6 changed files with 18 additions and 6 deletions
--- a/2
+++ b/2
@ -32,7 +32,7 @@ Noteworthy changes in version 2.2.42 (unreleased)
  * gpg: Fix the "keytocard" command for moving ECC keys with
    non-standard ECDH parameters to OpenPGP cards.  [rG92af3f88a9]

-  * gpgsm: Support ECC certificates.  [T6253]
+  * gpgsm: Support ECC certificates.  [T6253, T6802]

  * gpgsm: Print PROGRESS status lines.  Add new --input-size-hint.
    [T6534]
--- a/common/compliance.c
+++ b/common/compliance.c
@ -261,6 +261,13 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
  if (! initialized)
    return 1;

+  /* Map the the generic ECC algo to ECDSA if requested.  */
+  if ((algo_flags & PK_ALGO_FLAG_ECC18)
+      && algo == GCRY_PK_ECC
+      && (use == PK_USE_VERIFICATION
+          || use == PK_USE_SIGNING))
+    algo = GCRY_PK_ECDSA;
+
  switch (compliance)
    {
    case CO_DE_VS:
@ -285,7 +292,6 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 	    default:
 	      log_assert (!"reached");
 	    }
-          (void)algo_flags;
 	  break;

 	case PUBKEY_ALGO_DSA:
@ -306,7 +312,7 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 	  result = (use == PK_USE_DECRYPTION);
          break;

-	case PUBKEY_ALGO_ECDH:
+	case PUBKEY_ALGO_ECDH:  /* Same value as GCRY_PK_ECC, i.e. 18  */
 	case GCRY_PK_ECDH:
 	  if (use == PK_USE_DECRYPTION)
            result = 1;
@ -557,6 +563,9 @@ gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance)
  int *result;
  int res;

+  /* #warning debug code ahead */
+  /* return 1; */
+
  result = get_compliance_cache (compliance, 1);

  if (result && *result != -1)
--- a/common/compliance.h
+++ b/common/compliance.h
@ -52,6 +52,7 @@ enum pk_use_case

 /* Flags to distinguish public key algorithm variants.  */
 #define PK_ALGO_FLAG_RSAPSS 1    /* Use rsaPSS padding. */
+#define PK_ALGO_FLAG_ECC18  256  /* GCRY_PK_ECC is used in a generic way.  */


 int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@ -1327,7 +1327,8 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
                  /* Check compliance.  */
                  if (!gnupg_pk_is_allowed (opt.compliance,
                                            PK_USE_DECRYPTION,
-                                            pk_algo, 0, NULL, nbits, curve))
+                                            pk_algo, PK_ALGO_FLAG_ECC18,
+                                            NULL, nbits, curve))
                    {
                      char  kidstr[10+1];

--- a/sm/sign.c
+++ b/sm/sign.c
@ -732,8 +732,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
          goto leave;
        }

-      if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0,
-                                NULL, nbits, curve))
+      if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo,
+                                PK_ALGO_FLAG_ECC18, NULL, nbits, curve))
        {
          char  kidstr[10+1];

--- a/sm/verify.c
+++ b/sm/verify.c
@ -503,6 +503,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
      audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo);

      /* Check compliance.  */
+      pkalgoflags |= PK_ALGO_FLAG_ECC18;
      if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
                                 pkalgo, pkalgoflags, NULL, nbits, pkcurve))
        {